文/SuperHei_[At]_ph4nt0m.org 2006-03-08
[a.下面的grep(http://www.interlog.com/~tcharron/grep.html )不支持-r参数,可以使用下面的格式: grep -in "/(include/|require/)" C:/test/*.php C:/test/admin/*.php 也可以使用cygwin移植来的grep(http://zhouzhen.eviloctal.org/Look.asp?LogID=814 ) b.多个关键词or模式使用|,如果使用and模式,可以使用下面的管道模式: grep -in "/select/|$aid" C:/test/read.php |grep -i "from"]
1.包含漏洞 关键词: include require C:/>grep -in "/(include/|require/)" C:/test/*.php config.php:10:include 'forbid.php'; conn.inc.php:10:include 'forbid.php'; conn.php:10:include 'forbid.php'; global.php:10:include 'forbid.php'; global.php:16:require_once('conn.inc.php'); global.php:17:require_once('conn.php');
2.SQL Injection
关键词: select 变量名
find . -name '*.php'|xargs grep -niw "select" --colour -5
find . -name '*.php'|xargs grep -liw "select" --colour -5 C:/>grep -in "/select" C:/test/read.php 15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");
C:/>grep -in "/select/|$aid" C:/test/read.php 13:$aid=$_GET['aid']; 14:$db->query("UPDATE ".$tablepre."content SET hits=hits+1 WHERE aid='$aid'"); 15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");
3.CMD Injection
关键词: exec system popen passthru proc_open 等
C:/>grep -in "/(exec/|system/|popen/|passthru/|proc_open/)" C:/test/phpspy.php 413: $a = $shell->ShellExecute($_POST['program'],$_POST['prog']); 602: $program = isset($_POST['program']) ? $_POST['program'] : "c:/wi nnt/system32/cmd.exe"; 613: $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system', 'passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen ','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru', 'exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen'); 615: $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','o ption'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command ',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit')); 620: if ($execfunc=="system") { 621: system($_POST['command']); 622: } elseif ($execfunc=="passthru") { 623: passthru($_POST['command']);
4.Code Injection
关键词:eval preg_replace
C:/>grep -in "/eval/|preg_replace" C:/test/*.php phpspy.php:1034: eval('$hexdtime = "' . $hexdtime . '";');
5.变量提交方式
关键词:GET POST COOKIE SERVER REQUEST
C:/>grep -in "_/GET/|POST/|COOKIE/|SERVER/|REQUEST" C:/test/list.php 13:$sid=$_GET['sid']; 14:if($_GET['page']) { 15: $page=$_GET['page'];
6.cookie和session
关键词: cookie session
C:/>grep -in "/session/|cookie" C:/test/admin/*.php global.php:16:if(!isset($_COOKIE['IN'])) { index.php:13:if(!isset($_COOKIE['IN'])) { job.php:13:if(!isset($_COOKIE['IN'])) { login.php:22: setcookie("IN","$admin"); logout.php:11:setcookie("IN",""); main.php:14:isset($_COOKIE) ? $ifcookie="SUCCESS" : $ifcookie="FAIL";
7.文件函数
关键词:readfile fopen upload copy opendir fwrite unlink 等
........ 希望大家继续! :)