Advanced Area
Question 1: Cat
The page asks us to enter a domain name, so I just typed in baidu.com, but nothing came back.
Ok??
I entered Baidu's IP address instead, and only then was something returned.
Entering 127.0.0.1 shows that this is a ping function. = =
Next I checked whether the | symbol could be used for arbitrary command execution. First payload tried: 127.0.0.1 | ls
Emmm, Invalid URL. Does that mean there are illegal characters?
After testing carefully I found that only digits, letters and . can be entered. Following this line of thought, arbitrary command execution does not seem to work.
Well, no way forward and no ideas, so as a beginner I could only obediently go and read the experts' writeups.
Ah, pass the parameter in the URL? Entering a URL-encoded value of %80 or above at ?url= returns a Django error. Huh? Why?
After reading a lot of writeups = =: URL encoding uses hexadecimal, and 0x80 is 128, while ASCII only covers 0-127, so entering %80 produces an error.
(With ?url=%79 you can see the value is decoded to y, and with ?url=%7A it is decoded to z. The values after that, up to %7F, are illegal symbols and return Invalid URL.)
For an ASCII character table, see: http://www.asciitable.com/
OK, back to the challenge. Passing %80 in the url parameter gives a Django error, and from the error page we can tell that the site is developed with Django.
Combine this with the PHP flaw that lets a file be read by putting @ in a parameter. First look at the configuration file settings.py to see whether it contains any useful information.
Payload:?url=@/opt/api/api/settings.py
This gives the database name: database.sqlite3
Then get the database contents:
Payload:?url=@/opt/api/database.sqlite3
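Seen from the defender's side, both behaviours above (the unhandled error on %80 and the @ value reaching a file read) come from the url value not being strictly validated. The following Python sketch is an added example, not code from the challenge or from the referenced writeups; the function names and the sample inputs are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# One hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def decode_url_param(raw: str) -> str:
    """Percent-decode a query value and require 7-bit ASCII.

    %79 -> 'y' and %7A -> 'z' decode fine; %80 is byte 128, which is
    outside ASCII (0-127) and raises UnicodeDecodeError here.
    """
    return unquote_to_bytes(raw).decode("ascii")


def validate_ping_target(raw: str):
    """Return (ok, reason) for a raw, still percent-encoded url value."""
    try:
        value = decode_url_param(raw)
    except UnicodeDecodeError:
        # Reject cleanly instead of letting the exception reach a debug page.
        return False, "non-ascii byte"
    if value.startswith("@"):
        # A leading @ must never reach code that treats it as a file reference.
        return False, "leading @"
    try:
        ipaddress.ip_address(value)
        return True, "ip"
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = value.split(".")
    if len(value) <= 253 and all(_LABEL.fullmatch(label) for label in labels):
        return True, "hostname"
    return False, "illegal character"


# Constructed sample inputs, modelled on the values tried in this writeup.
SAMPLES = ["127.0.0.1", "baidu.com", "127.0.0.1 | ls", "%79", "%7A", "%7F",
           "%80", "@/opt/api/api/settings.py"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {validate_ping_target(sample)}")
```

Because the check runs on the decoded value, an encoded %40 prefix is rejected the same way as a literal @.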
Thanks to the experts who wrote the writeups, I learned a lot. I have to develop the habit of writing blog posts too QAQ. Ha ha ha
Reference blog: https://blog.csdn.net/zz_Caleb/article/details/95041031
Reference blog: https://blog.csdn.net/stepone4ward/article/details/94615617