Upload bypass
A very nice type of challenge: file upload has many ways to go wrong, and here it is a path problem. Testing showed that the type parameter is not checked and the content is not checked; only the extension is:
So the filename has to end in “.jpg .gif .png” no matter what, but the /upload path is where there is room to work. With an intercepting proxy, change /upload to “/upload/xxx.php ” and then, in the hex view, change the trailing byte to 00:
Can you get across?
A pseudo-XSS challenge: take the hinted link:
http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-&_=1302746925413
out of the page and, going by experience with encodings, URL-decode it:
http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=+/v+ +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+AC0-&_=1302746925413
+/v+ is UTF-7 encoding; take
“ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+”
and base64-decode it (the result is UTF-16BE):
Bowing down to Burp Suite..
The PHP way
Once again an encoding problem. Following the hint, first look at the temporary file:
<?php
if(eregi("hackerDJ",$_GET[id])) {
    echo("<p>not allowed!</p>");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ") {
    echo "<p>Access granted!</p>";
    echo "<p>flag: *****************} </p>";
}
?>

Can you authenticate to this website?
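As an added example (not the challenge's own code), the Python below models the order of operations in that PHP snippet: PHP decodes the query string once when it fills $_GET, eregi() then filters that once-decoded value, urldecode() decodes it a second time, and the comparison runs on the result, so the filter and the comparison can see different strings. A hardened variant canonicalizes first so both checks see one form; urllib's unquote_plus stands in for PHP's urldecode().

```python
import re
from urllib.parse import unquote_plus

BLOCKED = "hackerDJ"


def php_style_check(raw_query_value: str) -> str:
    """Mirror the challenge code: filter on the once-decoded value, then decode again."""
    get_id = unquote_plus(raw_query_value)           # PHP's own decoding into $_GET[id]
    if re.search(BLOCKED, get_id, re.IGNORECASE):    # eregi("hackerDJ", $_GET[id])
        return "not allowed"
    get_id = unquote_plus(get_id)                    # $_GET[id] = urldecode($_GET[id])
    if get_id == BLOCKED:                            # comparison on the twice-decoded value
        return "granted"
    return "denied"


def canonical(value: str) -> str:
    """Decode repeatedly until the string stops changing.

    Every check that follows then works on the same, fully decoded form, so a value
    cannot look harmless to the filter and still equal the protected string later.
    """
    while True:
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded


def hardened_check(raw_query_value: str) -> str:
    """Canonicalize once, then run the filter and the comparison on that one form."""
    get_id = canonical(raw_query_value)
    if re.search(BLOCKED, get_id, re.IGNORECASE):
        return "not allowed"
    if get_id == BLOCKED:
        return "granted"    # unreachable now: anything equal to BLOCKED was filtered above
    return "denied"


if __name__ == "__main__":
    # Constructed test vectors: the last one decodes to a different string on each pass.
    for sample in ("hackerDJ", "hacker%44J", "hacker%2544J", "someone"):
        print(f"{sample!r:18} php-style={php_style_check(sample):12} "
              f"hardened={hardened_check(sample)}")
```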