My friends chose a target for me to practise on several days ago. Actually, I never thought that I could succeed, because I was a complete beginner. Luckily, I got a webshell on the website in the end. I was excited and I knew it meant a lot to me, so I just wanted to take a note about it and notify the victim that its website was at high risk.
My target was a website of nextmedia, which is a famous media company in Hong Kong. It was unbelievable that I found an injection point after a general scan. I just could not believe that it really existed, especially in such a large and popular website. I sent it to sqlmap but it was intercepted, so I had to do it by hand. I got some sensitive information and got into its back end successfully. Here’s the capture of the SQL injection.


Luck was very important during the pentest, because I found a point where I was able to upload files without any restrictions. As a result, I uploaded my webshell and got system privileges. I was surprised when I checked its database, because nextmedia kept all the data without any encryption, including members’ passwords. It was hard for me to understand how such a big company could be so careless. Well, overall, I had never had such a smooth experience as this. It was so splendid, wasn’t it? I am pleased to provide a capture of the webshell below.