快速查询整理
文件泄漏
.git
.svn
.DS_STOR
vim泄漏 .index.php.swp
常见web文件泄漏:
index.php~
index.phps
www.zip
www.tar.gz
常见危险函数
strcmp:比较函数,数组绕过
extract:从用户可以控制的数组中导出变量时导致变量覆盖
parse_str:函数去变量解析存在带入未初始化的数据,可以进行url编码,变量覆盖漏洞
intval:取整函数绕过,payload:id=1024.1
ereg:%00截断
addslashes:宽字节注入%df吃掉 \
XFF:X-Forwarded-For: client1, proxy1, proxy2
进制比较:16进制转换
curl与parse_url结合ssrf
文献:https://www.anquanke.com/post/id/86527
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
| <?php
function check_inner_ip($url)
{
$match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);
if (!$match_result)
{
die('url fomat error1');
}
try
{
$url_parse=parse_url($url);
}
catch(Exception $e)
{
die('url fomat error2');
}
$hostname=$url_parse['host'];
echo $url_parse['host'];
$ip=gethostbyname($hostname);
$int_ip=ip2long($ip);
return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16 || ip2long('0.0.0.0')>>24 == $int_ip>>24;
}
function safe_request_url($url)
{
if (check_inner_ip($url))
{
echo $url.' is inner ip';
}
else
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
if ($result_info['redirect_url'])
{
safe_request_url($result_info['redirect_url']);
}
curl_close($ch);
var_dump($output);
}
}
$url = $_POST['url'];
if(!empty($url)){
safe_request_url($url);
}
else{
highlight_file(__file__);
}
?>
|
0E开头的两个字符串弱比较:
md5:
QNKCDZO
240610708
s878926199a
s155964671a
s214587387a
s214587387a
sha1:
aaroZmOk
aaK1STfY
aaO8zKZF
aa3OFF9m
常见技巧
php的两个伪协议:
php://input POST原生数据
文件读取file=php://filter/read=convert.base64-encode/resource=index.php
php伪随机数安全:php_mt_seed工具
MISC
明文攻击
crc32爆破
pkcrack参数:
lsb隐写
F5隐写
最低位隐写
