Penetration test target combat SQL injection getshell

SQL Inject getshell

1. The host found （ Check the number of surviving addresses in the same network segment ）（ Use kali Tools in zenmap）
   You can see that there are four hosts scanned , among 16 It's physical IP,39 yes kali Of ip,18 It's an unknown host , notice 192.168.197.138 It is a virtual machine host , in the light of 138 Do port probing
   
2. Yes 192.168.197.138 Perform a fast port scan
   You can see that the open ports are ssh22 Ports and http80 port , Ports can be used
   
3. （ Don't go backstage first ） Use the weak password tool to 22 Port simple detection ：
   （ Use the super weak password checking tool ） It can be seen that the password is not scanned , So I can't ssh Connect , So the next normal visit 80 port
   
4. visit ：（ You can see that it is a normal website page ）
   
5. You can find a background login page ： Try weak password cracking
   bp Grab the bag and run to the dictionary
   
6. It can be seen that it is transmitted in clear text , You can try brute force ：
   
7. Put it in repeater You can see that the response status is 302, Indicates a jump
   
   
8. Blasting ：（ You can find , There is no result of explosion ） Try something else
   
   Check whether there are injection points ： First, I see an injection point ：http://192.168.197.138/cat.php?id=1
   Use common ideas and 1=1 and 1=2 Determine if there is an injection point ：
   You can see and 1=1 Return to the normal page , and and1=2 The error page is returned
   
   
9. Use sqlmap To test ：
   
   You can see that the detected database is MySQL database
   
   The existing injection point is id
   
   First try ：
   
   Find no way
   
   Try ：
   
   You can see The current database is ：
   
   Get the database name , Then look up the table name ：
   
   You can find three table names in the database ：
   
   After getting the table name , Find column （users surface ）
   You can see that the column names include id
   
   Run user name and password ：
   You can see the last user name and password
   
   After getting the user name and password, log in backstage ：
   See an upload point ：
   Upload a one sentence Trojan horse ：
   
   open bp Carry out the bag , You can see that uploading is not allowed php file ：
   You can try to modify content-Type：image/jpeg;
   It is found that the modification is still not possible ：
   Try case bypass ： Found upload successful
   
   
   
   But we don't know the upload path , Next, find the path
   See the picture ,f12 Review element ; You can see that there is an absolute path ：
   
   Yes url Splicing ：
   You can see that the whole page is white , It shows that it has succeeded
   
   Use the ant sword to connect ：
   
   
   success getshell
   
   To test ：（ Successfully viewed IP）
   
   summary ： Mainly through sql Inject vulnerability and log in to the background , Then upload the Trojan file , Use case to bypass uploading , Finally, use the ant sword link webshell, Finally, I got shell