File Upload
Find the page that accepts file uploads, then:
(1) Low
No server-side check: upload the Trojan (webshell) directly -> connect to it with China Chopper (菜刀), modify files, escalate privileges, dump the database (拖库: taking the whole database)
(2) Medium
Only the MIME type is checked, i.e. the Content-Type header the browser sends: intercept the request in a proxy and change the type to an image type -> connect with Chopper, modify files, escalate privileges, dump the database
(3) High
The filename suffix is checked against an allowlist, so only pictures can be uploaded: make a picture with the Trojan embedded and upload it -> the picture will not run by itself, so open it through a file inclusion bug in the browser; the include executes the PHP inside the picture, which writes a new file containing the Trojan -> connect with Chopper, modify files, escalate privileges, dump the database
In short, the high level needs two things:
1. a file upload
2. a Trojan written into a picture
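As an added example (not code from the original notes or from DVWA), the three levels of check above written out as Python functions, each with the bypass that gets past it, plus a hardened check that a practitioner would actually want. The image headers, the sample payloads and the function names are constructed for this example; the one-liner payload is the classic PHP webshell the notes call the 一句话木马.

```python
import os
import re
import secrets

# Constructed sample data (not from the original notes).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ONE_LINER = b"<?php @eval($_POST['x']); ?>"             # the one-line webshell
CLEAN_PNG = PNG_MAGIC + b"\x00" * 32                    # stands in for a real image
PICTURE_TROJAN = PNG_MAGIC + b"\x00" * 32 + ONE_LINER   # real image header, PHP appended

# Allowed extensions and the magic bytes a file with that extension must start with.
ALLOWED_EXT = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def ext_of(filename):
    return os.path.splitext(filename)[1].lower()


def check_low(filename, content_type, data):
    """(1) Low: no check at all. shell.php is stored and reachable directly."""
    return True


def check_medium(filename, content_type, data):
    """(2) Medium: trusts the Content-Type the client sent. The browser sets that
    header, so an intercepting proxy can rewrite it to image/jpeg and the .php
    file goes straight through."""
    return content_type in ("image/jpeg", "image/png")


def check_high(filename, content_type, data):
    """(3) High: extension allowlist plus magic bytes. Only real images pass, but
    an image with PHP appended is still a real image, so it passes too; it just
    needs a file inclusion bug somewhere else to get executed."""
    ext = ext_of(filename)
    return ext in ALLOWED_EXT and data.startswith(ALLOWED_EXT[ext])


def check_hardened(filename, content_type, data):
    """Extension allowlist + magic bytes + refuse anything carrying a PHP open tag.
    Re-encoding the image with an image library is stronger still, because it
    drops payloads hidden in metadata or trailing bytes as well."""
    ext = ext_of(filename)
    if ext not in ALLOWED_EXT or not data.startswith(ALLOWED_EXT[ext]):
        return False
    return PHP_TAG.search(data) is None


def storage_name(filename):
    """Never keep the client's filename: random name, extension taken only after
    it passed the allowlist, and store the file outside the web root so that
    nothing uploaded can ever be executed by the web server."""
    return secrets.token_hex(16) + ext_of(filename)


if __name__ == "__main__":
    for name, ctype, data in (("shell.php", "image/jpeg", ONE_LINER),
                              ("pic.png", "image/png", PICTURE_TROJAN),
                              ("pic.png", "image/png", CLEAN_PNG)):
        print(name, ctype, [f(name, ctype, data) for f in
                            (check_low, check_medium, check_high, check_hardened)])
```

The pattern check on its own still misses PHP short tags and payloads in EXIF fields; treat it as a detection aid and rely on the allowlist, the random server-side name and the store-outside-webroot rule for the actual guarantee.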
File Inclusion
1. Upload a picture carrying the Trojan
2. Open the picture through the file inclusion vulnerability in the browser: include() treats the included file's contents as PHP and runs them, so the code inside the picture executes
The picture Trojan consists of two statements: the first writes a new file, the second is the one-line webshell (一句话木马) that gets written into that file
Remote File Inclusion
Remote file: a file hosted on another server (the attacker's)
So set up a server of your own:
service apache2 start    -- starts Apache
Create the Trojan file under /var/www/html/ (Apache's web root)
The purpose of the Trojan file is: when the file is included,
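As an added example (not from the original notes and not DVWA's own code), the server side of the inclusion bug: a replace-once denylist of the kind the local and remote inclusion tricks above get past, next to a resolver that refuses remote URLs and path traversal. The page directory, the allowlist and the sample inputs are assumptions made for this example.

```python
import os
from urllib.parse import urlsplit

# Assumed layout (not from the original notes): the pages that may be included.
PAGES_DIR = os.path.realpath("/var/www/html/pages")
ALLOWED_PAGES = {"home", "about", "help"}


def weak_filter(page):
    """A replace-once denylist. Stripping a bad substring a single time is not a
    fix: the attacker nests it so that what is left after the strip is exactly
    the bad substring ('....//' -> '../', 'hthttp://tp://' -> 'http://')."""
    for bad in ("http://", "https://", "../", "..\\"):
        page = page.replace(bad, "")
    return page


def resolve_include(page):
    """Return the absolute path that may be handed to include(), or None.
    1. anything with a URL scheme is a remote include -> refuse
    2. the page name must be on a fixed allowlist (no user-supplied paths)
    3. belt and braces: the resolved path must still be under PAGES_DIR"""
    if urlsplit(page).scheme or "\x00" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    path = os.path.realpath(os.path.join(PAGES_DIR, page + ".php"))
    if os.path.commonpath([path, PAGES_DIR]) != PAGES_DIR:
        return None
    return path


if __name__ == "__main__":
    for p in ("....//....//etc/passwd", "hthttp://tp://evil/shell.txt"):
        print(repr(p), "->", repr(weak_filter(p)))
    for p in ("home", "../../etc/passwd", "http://evil/shell.txt"):
        print(repr(p), "->", resolve_include(p))
```

With the allowlist in place, allow_url_include=Off in php.ini is the second line of defence for remote files; the realpath check is what stops a traversal through a picture uploaded under the web root.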
SQL statements
Connecting to the database:
mysql -u root -p
123456    (the password, typed at the prompt; do not put it on the command line after -p, where it ends up in shell history and in ps output)
-u  user name
-p  prompt for the password
Viewing and choosing a database or table:
show databases;   -- list all databases
use dvwa;         -- switch to the dvwa database
show tables;      -- list the tables in the current database
desc users;       -- show the structure (columns) of the users table
Querying data
select * from users;   -- every row and column of the users table
select first_name, avatar from users;   -- only the first_name and avatar columns, one row per user
select first_name from users where user_id = 3;   -- where: exact condition on which rows are returned
select * from users order by user_id desc;   -- all rows, sorted by user_id in descending order
Fuzzy (pattern) conditions with like; % matches any run of characters:
select * from users where user like 'p%';    -- user values that start with p
select * from users where user like '%p%';   -- user values that contain p
select * from users where user like '%p';    -- user values that end with p
insert
insert into users (user_id, user) values (10, 'kj');   -- name the columns you supply; without a column list you must give one value for every column, in table order
insert into users (user_id) values (10);   -- a partial insert only succeeds if every not-null column without a default value is supplied
update
update users set first_name = 'Zhao' where user_id = 10;   -- no "from": set gives the new value, where picks the rows; without where every row is changed
delete
delete from users where user_id = 10;   -- likewise, without where every row is deleted
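As an added example (not from the original notes), the queries above run against a small stand-in for the users table so the edge cases can be seen: the three like patterns, the partial insert that fails because not-null columns are missing, and update/delete returning how many rows the where clause matched. It uses Python's built-in sqlite3 instead of MySQL, and the schema, constraints and rows are constructed for the example (only the column names follow the notes).

```python
import sqlite3

# Assumed, simplified stand-in for DVWA's users table: the column names match the
# notes, the constraints and rows are constructed for this example.
SCHEMA = """
CREATE TABLE users (
    user_id    INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name  TEXT,
    user       TEXT NOT NULL UNIQUE,
    password   TEXT NOT NULL,
    avatar     TEXT
)"""
ROWS = [  # 'hashN' are placeholders for password hashes
    (1, "Admin",  "Admin",   "admin",   "hash1", "/hackable/users/admin.jpg"),
    (2, "Gordon", "Brown",   "gordonb", "hash2", "/hackable/users/gordonb.jpg"),
    (3, "Pablo",  "Picasso", "pablo",   "hash3", "/hackable/users/pablo.jpg"),
    (4, "Sam",    "Kip",     "skip",    "hash4", "/hackable/users/skip.jpg"),
    (5, "Bob",    "Smith",   "smithy",  "hash5", "/hackable/users/smithy.jpg"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # No column list: one value per column, in table order.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def users_like(conn, pattern):
    """Fuzzy match. The pattern ('p%', '%p%', '%p') is bound as a parameter and
    never pasted into the SQL string; that is the difference between a query
    and an injection point."""
    return [r[0] for r in conn.execute(
        "SELECT user FROM users WHERE user LIKE ? ORDER BY user_id", (pattern,))]


def first_name_of(conn, user_id):
    row = conn.execute(
        "SELECT first_name FROM users WHERE user_id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def ids_desc(conn):
    return [r[0] for r in conn.execute(
        "SELECT user_id FROM users ORDER BY user_id DESC")]


def insert_partial(conn, user_id):
    """INSERT with only user_id: fails, because first_name, user and password are
    NOT NULL with no default. Returns False instead of raising."""
    try:
        conn.execute("INSERT INTO users (user_id) VALUES (?)", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_minimal(conn, user_id, first_name, user, password):
    """Partial insert that supplies every NOT NULL column; the rest stay NULL."""
    return conn.execute(
        "INSERT INTO users (user_id, first_name, user, password) VALUES (?, ?, ?, ?)",
        (user_id, first_name, user, password)).rowcount


def update_first_name(conn, user_id, new_name):
    """UPDATE with a WHERE clause; rowcount says how many rows it touched."""
    return conn.execute(
        "UPDATE users SET first_name = ? WHERE user_id = ?", (new_name, user_id)).rowcount


def delete_user(conn, user_id):
    return conn.execute("DELETE FROM users WHERE user_id = ?", (user_id,)).rowcount


if __name__ == "__main__":
    db = open_db()
    for pat in ("p%", "%p%", "%p"):
        print(pat, users_like(db, pat))
    print("partial insert ok?", insert_partial(db, 10))
    insert_minimal(db, 10, "Zhao", "zhao", "hash10")
    print("updated:", update_first_name(db, 10, "Zhao"), "deleted:", delete_user(db, 10))
```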