网站地图    收藏   

子栏目

主页 > 后端 > 网站安全 >

Grep与web漏洞挖掘 - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-17 14:47 作者: 阅读:

[导读] 文/SuperHei_[At]_ph4nt0m.org 2006-03-08[a.下面的grep(http://www.interlog.com/~tcharron/grep.html )不支持-r参数,可以使用下面的格式:grep -in /(include/|require/) C:/test/*.php C:/test/admin/......

 

文/SuperHei_[At]_ph4nt0m.org   2006-03-08

[a.下面的grep(http://www.interlog.com/~tcharron/grep.html )不支持-r参数,可以使用下面的格式:
grep -in "/(include/|require/)" C:/test/*.php C:/test/admin/*.php
也可以使用cygwin移植来的grep(http://zhouzhen.eviloctal.org/Look.asp?LogID=814 )
b.多个关键词or模式使用|,如果使用and模式,可以使用下面的管道模式:
grep -in "/select/|$aid" C:/test/read.php |grep -i "from"]


1.包含漏洞
 
关键词: include require
C:/>grep -in "/(include/|require/)" C:/test/*.php
config.php:10:include 'forbid.php';
conn.inc.php:10:include 'forbid.php';
conn.php:10:include 'forbid.php';
global.php:10:include 'forbid.php';
global.php:16:require_once('conn.inc.php');
global.php:17:require_once('conn.php');

2.SQL Injection

关键词: select 变量名

 find . -name '*.php'|xargs grep -niw "select" --colour -5

 find . -name '*.php'|xargs grep -liw "select" --colour -5
C:/>grep -in "/select" C:/test/read.php
15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

C:/>grep -in "/select/|$aid" C:/test/read.php
13:$aid=$_GET['aid'];
14:$db->query("UPDATE ".$tablepre."content SET hits=hits+1 WHERE aid='$aid'");
15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

3.CMD Injection

关键词: exec system popen passthru proc_open 等

C:/>grep -in "/(exec/|system/|popen/|passthru/|proc_open/)" C:/test/phpspy.php
413:    $a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
602:            $program = isset($_POST['program']) ? $_POST['program'] : "c:/wi
nnt/system32/cmd.exe";
613:    $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system',
'passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen
','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru',
'exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
615:    $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','o
ption'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command
',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
620:            if ($execfunc=="system") {
621:                    system($_POST['command']);
622:            } elseif ($execfunc=="passthru") {
623:                    passthru($_POST['command']);

4.Code Injection

关键词:eval preg_replace

C:/>grep -in "/eval/|preg_replace" C:/test/*.php
phpspy.php:1034:                eval('$hexdtime = "' . $hexdtime . '";');

5.变量提交方式

关键词:GET POST COOKIE SERVER REQUEST

C:/>grep -in "_/GET/|POST/|COOKIE/|SERVER/|REQUEST" C:/test/list.php
13:$sid=$_GET['sid'];
14:if($_GET['page']) {
15:     $page=$_GET['page'];

6.cookie和session

关键词: cookie session

C:/>grep -in "/session/|cookie" C:/test/admin/*.php
global.php:16:if(!isset($_COOKIE['IN'])) {
index.php:13:if(!isset($_COOKIE['IN'])) {
job.php:13:if(!isset($_COOKIE['IN'])) {
login.php:22:           setcookie("IN","$admin");
logout.php:11:setcookie("IN","");
main.php:14:isset($_COOKIE) ? $ifcookie="SUCCESS" : $ifcookie="FAIL";

7.文件函数

关键词:readfile fopen upload copy opendir fwrite unlink 等

........
希望大家继续! :)

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论