Scan
Target machine: 192.168.56.107
TCP result
PORT | SERVICE
22   | ssh
80   | http
139  | netbios-ssn
445  | netbios-ssn
UDP
80 / HTTP
Direct access
After trying admin/admin, try brute-forcing the paths.
We find that four directory paths are listable, so let's see what is inside each.
/images
This path stores the images used in index.php; download them and look for more info.
Lots of information, but nothing we are interested in.
/database.sql
The table stores the users' info.
/Username
We can see the file name is john.php, so we can assume it is an actual web page.
But it redirects us to the index page, so let's download it and have a look.
It looks very similar to the index page; in addition, the file we downloaded is named index.php, so maybe we need to log in to it first.
Back to index.php. From the investigation just now, we have a guess that there may be a user named john, so we can brute force his password if we are lucky.
After a day, it seems that is not the right way. But I have another finding: we can SQLi in the password form, like this:
But it returns an error saying this is not valid MySQL; my query is
' or 1=1
And I found that it warns you when you use a single ', but not when you use '' or \'. So I guessed two possibilities:
- There is no closing ', so the query errors.
- The script changes ' to something else, but I have no idea how to identify the change.
I tried both of these, but it did not work.
Hit on possibility 1.
So the answer is
'or'1'='
; we just need a ' to balance the surrounding quotes. Why couldn't I think of that.... The page after login looks like this:
We have his password in writing.
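To make the two observations above concrete (an unbalanced quote makes the query fail with a MySQL error, a quote-balanced payload turns the password check into an always-true condition), here is an added example that is not part of the original write-up or the target site. It builds a constructed users table in an in-memory SQLite database (placeholder credentials, not the real ones), reproduces the concatenated query pattern such a login page typically uses, and puts the parameterized version beside it. Because the target's real query is not visible, the bypass string used is the generic quote-balanced form rather than the exact payload from the write-up; the login_vulnerable and login_parameterized function names are assumptions.

```python
import sqlite3

# Constructed sample data (not from the target): a users table like the
# one found in database.sql, with obvious placeholder passwords.
# Stored in plaintext only to mirror what the write-up saw; a real
# application would store a salted hash instead.
SAMPLE_USERS = [
    ("john", "PLACEHOLDER-john-pass"),
    ("robert", "PLACEHOLDER-robert-pass"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: user input becomes SQL.

    Returns the matched username, None when no row matches, or "ERROR"
    when the query does not parse (the 'not valid MySQL' behaviour the
    write-up hit with an unbalanced quote).
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "ERROR"
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened login check: bound parameters keep input as data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Unbalanced quote: the concatenated query is syntactically broken.
    print("' or 1=1      ->", login_vulnerable(conn, "john", "' or 1=1"))
    # Doubled quote: valid SQL (a literal containing one quote), no match.
    print("''            ->", login_vulnerable(conn, "john", "''"))
    # Quote-balanced payload: valid SQL whose WHERE clause is always true.
    print("' or '1'='1   ->", login_vulnerable(conn, "john", "' or '1'='1"))
    # The same payload against the parameterized query is just a wrong password.
    print("parameterized ->", login_parameterized(conn, "john", "' or '1'='1"))
```

The error on `' or 1=1` and the silence on `''` are exactly the two symptoms the write-up describes; the difference between them is only whether the injected text leaves the quotes balanced. The parameterized version never has that problem because the password value is never spliced into the SQL text, so the fix on the server side is to bind parameters, not to try to strip or escape quotes.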
Let's try using it in SSH.
SSH
Yes, we can log in, but it seems different from a normal ssh session.
We can only access the path we are currently in.
Let's try the other one, robert.
Same.