Original article: http://www.sec-down.com/wordpress/?p=494
Today I will blog about a SQL Injection vulnerability that was escalated to Remote Code Execution, then escalated to root privileges, on one of Yahoo's servers.
The story started while searching the domain below: http://innovationjockeys.yahoo.net/
While intercepting the POST requests, I found the request below, which grabbed my attention as a possible SQL Injection.
http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=9631
I started some manual checks and it seemed a SQL Injection was flying over there!
Shooting it with SQLMap, I got the PoC below as confirmation of the vulnerability!
http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=-9631' OR (2777=2777)#
Available Databases: information_schema
innovation******* #Hiding dbnames for Yahoo privacy.
web****
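The PoC above works because the application pastes the POST value straight into its SQL text. The following is an added example, not code from the post or from the affected site: it uses a constructed SQLite table (the real table and column names behind tictac_chk_req.php are assumptions) to show the concatenating query returning every row for a payload of the page's shape, the parameterized query matching nothing, and an allowlist check rejecting the value before it reaches the database. Because SQLite does not accept MySQL's `#` comment, the payload's trailing comment is written as `-- `.

```python
import sqlite3

# Constructed stand-in for the application's table: the real schema behind
# tictac_chk_req.php is not on the page, so table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (f_id TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO requests VALUES (?, ?)",
        [("9631", "alice"), ("9632", "bob"), ("9633", "carol")],
    )
    return conn

# The post's payload ends with MySQL's '#' comment; SQLite (used here so the
# demo runs offline) only understands '-- ', so the trailing comment is adapted.
PAYLOAD = "-9631' OR (2777=2777)-- "

def lookup_vulnerable(conn, f_id):
    """Concatenates the POST value into the query, so its closing quote and
    OR clause become part of the SQL the engine parses."""
    sql = "SELECT f_id, owner FROM requests WHERE f_id = '" + f_id + "'"
    return sorted(conn.execute(sql).fetchall())

def lookup_parameterized(conn, f_id):
    """Binds the value as data: the same payload is compared as a literal
    string and matches nothing."""
    sql = "SELECT f_id, owner FROM requests WHERE f_id = ?"
    return sorted(conn.execute(sql, (f_id,)).fetchall())

def is_well_formed_f_id(value):
    """Defence in depth: the legitimate f_id on the page is a plain integer,
    so anything else can be rejected before a query is ever built."""
    return value.isdigit()

if __name__ == "__main__":
    db = make_db()
    print("legit value, vulnerable query:  ", lookup_vulnerable(db, "9631"))
    print("payload, vulnerable query:      ", lookup_vulnerable(db, PAYLOAD))
    print("payload, parameterized query:   ", lookup_parameterized(db, PAYLOAD))
    print("payload passes allowlist check? ", is_well_formed_f_id(PAYLOAD))
```

The parameterized form is the actual fix; the `isdigit()` check is a cheap second layer and a convenient place to log attempts, since a legitimate client never sends quotes in `f_id`.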
Good, now I have a SQL Injection and I can read data as well.
Now, how about finding the admin panel, extracting the administrator username and password, logging in to the administrator panel, and trying to find an RCE!
1- Admin panel found on: http://innovationjockeys.yahoo.net/admin/
2- I found the administrator password stored in the database, and it was encoded as Base64.
Good, I decoded the administrator password and logged in to the admin panel.
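A Base64 column is readable by anyone who can run the SELECT, which is exactly what the injection above provided. The following is an added example, not code from the post or from the affected application: it contrasts the reversible encoding the post describes with a salted PBKDF2-HMAC-SHA256 record that can only be verified, not decoded. The record format (`pbkdf2_sha256$iterations$salt$digest`) is this example's own choice.

```python
import base64
import hashlib
import hmac
import os

def encode_password_base64(password):
    """What the post describes finding in the database: Base64 is an
    encoding, not a hash, so anyone who reads the column can reverse it."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def recover_from_base64(stored):
    """One call recovers the original password from the stored value."""
    return base64.b64decode(stored).decode("utf-8")

def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own
    parameters so they can be raised later without a schema change."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recomputes the digest with the stored salt and compares it in
    constant time; a leaked record yields no password."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    leaked = encode_password_base64("correct horse")        # constructed sample
    print("base64 column reveals:", recover_from_base64(leaked))
    record = hash_password("correct horse")
    print("hashed record:", record)
    print("verify right password:", verify_password("correct horse", record))
    print("verify wrong password:", verify_password("wrong horse", record))
```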
Now the next step is to find a place to upload files so I can trigger a Remote Code Execution!
That said, I found an upload page, but after uploading a file with “phpinfo();” as its content,
I found that my uploaded file was named page_d03b042780c5071521366edc01e52d3d.xrds+xml
instead of page_d03b042780c5071521366edc01e52d3d.php?!
Hmmmm, I then tried to intercept the upload request to find out the problem, and I found the info below:
[Screenshot from 2014-09-05 05:59:33: the intercepted upload request]
Yea, now the reason is clear! It's due to the “Content-Type” header!
I tried the same request again, but this time I renamed the “Content-Type” header to “application/php” instead, and here we go.
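The renaming shows that the server chose the stored extension from the client-supplied Content-Type header. The following is an added example, not code from the post or from the affected site: the vulnerable function is a reconstruction (an assumption, since the real handler is not on the page) that reproduces the two observed results, and the hardened function beside it takes the extension from a server-side allowlist, checks it against the file's leading bytes, ignores Content-Type for that decision, and replaces the client's basename with a random token. The allowlist and magic bytes are constructed for the demo.

```python
import os
import secrets

def extension_from_content_type(content_type):
    """Vulnerable pattern reconstructed from the observed behaviour: the stored
    extension is the MIME subtype of the client's Content-Type, so
    "application/xrds+xml" yields "xrds+xml" and "application/php" yields "php"."""
    return content_type.split("/", 1)[-1].split(";", 1)[0].strip().lower()

def vulnerable_stored_name(content_type, token):
    """Names the file the way the post's server did (assumed reconstruction)."""
    return "page_%s.%s" % (token, extension_from_content_type(content_type))

# Allowlist of extensions the upload feature actually needs, each paired with
# the magic bytes the content must start with (constructed for the demo).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def hardened_stored_name(original_name, content_type, data, token=None):
    """Hardened: the extension comes from the allowlist and must agree with the
    file's magic bytes. Content-Type is an untrusted hint and never decides the
    name; the random token discards the client's basename entirely."""
    ext = os.path.splitext(original_name)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise ValueError("extension %r not allowed" % ext)
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not look like a %s file" % ext)
    token = token or secrets.token_hex(16)
    return "page_%s.%s" % (token, ext)

def accepts(original_name, content_type, data):
    """True if the hardened handler would store the upload, else False."""
    try:
        hardened_stored_name(original_name, content_type, data)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    token = "d03b042780c5071521366edc01e52d3d"           # token from the post
    print(vulnerable_stored_name("application/xrds+xml", token))
    print(vulnerable_stored_name("application/php", token))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16               # constructed sample
    print(hardened_stored_name("logo.png", "application/php", png, token))
    print(accepts("shell.php", "application/php", b"<?php phpinfo();"))
```

Storing uploads outside the web root, or serving them from a host that never executes scripts, removes the remaining risk even if a name check is bypassed.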
Now I had triggered the SQLi and the RCE; the last remaining part was root access on the server.
However, the server kernel was last updated in 2012! and I had the opportunity to root it with a local root exploit for a vulnerability in that unpatched kernel!