One simple SQL Injection range practice

Preface

In order to consolidate SQL Injection and actual combat practice , Let's do a simple about SQL Injected actual range practice

One 、 Target download

Range download address ：
https://download.vulnhub.com/pentesterlab/from_sqli_to_shell_i386.iso

the reason being that linux System , You should pay attention to the installation of linux Of Debian System , The system can operate normally , Then place in the settings iso CD is OK .

Once installed , We can carry out target penetration

Two 、 Range penetration

1. Port scanning

We enter the target plane , see ip Address

ip by 192.168.171.131, After entering kali Do a full port scan , See which ports are open

Found open 80 port , see 80 Service of port

Open this page , There's no idea , Next , Take a look at the sensitive information or login page of the source code

found id Parameter injection page , You can try injection

Of course , Also found the path of file upload , Click in , It's a picture

When back to uploads Catalog time , It is found that the page has not been safely set , There are files and pictures , You can also guess that it should be the path and location of file upload

When back to admin Catalog time , Discovery is a login page , Failed to use weak password , You can only get the user's information by checking the database

When I checked the source code before, I found id Parameter injection , Whether there is SQL Injection? , So let's test that out , Try putting a single quotation mark
http://192.168.171.131/cat.php?id=1’


Wrong report , Try two more
http://192.168.171.131/cat.php?id=1’’

I found that I also reported wrong , If there is injection , It may not be character injection , But digital injection , There is no single quotation mark , We assume digital injection , Try blind injection with time delay , See if there is SQL Inject

When we type in 1-- when , Back to success
http://192.168.171.131/cat.php?id=1–

We type in
192.168.171.131/cat.php?id=1 and sleep(3)–

Found that the system has been turned 3 Seconds later , And return to another page

Description is digital injection , And there are SQL Inject , To save time , Direct use sqlmap For injection , Get database information

We just use kali Self contained sqlmap Scanned
sqlmap -u http://192.168.171.131/cat.php?id=1 -batch -dbs


Sweep out this library photoblog, Explain that the user information is in this library , Continue to explode table and field information , In order to view all information directly , Enter all the data directly
sqlmap -u http://192.168.171.131/cat.php?id=1 -batch -D photoblog -dump-all


Found to have 3 Tables , The user information is in the middle users In the table

Successfully obtain login account and password
admin/P4ssw0rd
Let's go back to the login page to login


There is a place to upload files in the lower left corner , Go in and have a look

We tried to upload a picture of a one sentence Trojan horse , obtain shell, I just upload a local file

After uploading it , Found an error , Because the file name does not meet the length limit , Let's change the length of the file name


After uploading, I found that php file , Can't upload , So it's filtered .php suffix , We use upper and lower case or double case , Try to bypass .

We change it to hao.php Change it to hao.Php Go around


Successfully uploaded , Next , Find the image path directly , Just connect with ant sword .

Let's click on the picture to see

I found that this URL is not a picture path , But the one mentioned before
http://192.168.171.131/admin/uploads/hao.Php

The picture can be opened , We demonize the connection as soon as we see you , obtain shell


Connect the , Let's open it and have a look

Check successfully , The target plane is officially penetrated here ,, Mainly practice SQL Application of injection and file upload vulnerabilities , I will continue to work hard later .

summary

The target plane experiment is over , Relatively simple , If you have time later , We are doing a target plane experiment combining external network and internal network penetration , everyone , Work together .