Grep与web漏洞挖掘-白红宇

Grep与web漏洞挖掘

阅读量：2436 次

发布时间：2019-05-10

本文共 2711 字，大约阅读时间需要 9 分钟。

Grep与web漏洞挖掘

文/SuperHei_[At]_ph4nt0m.org 2006-03-08

[a.下面的grep( )不支持-r参数,可以使用下面的格式:

grep -in "/(include/|require/)" C:/test/*.php C:/test/admin/*.php

也可以使用cygwin移植来的grep( )

b.多个关键词or模式使用|,如果使用and模式,可以使用下面的管道模式:

grep -in "/select/|$aid" C:/test/read.php |grep -i "from"]

1.包含漏洞

关键词: include require

C:/>grep -in "/(include/|require/)" C:/test/*.php

config.php:10:include 'forbid.php';

conn.inc.php:10:include 'forbid.php';

conn.php:10:include 'forbid.php';

global.php:10:include 'forbid.php';

global.php:16:require_once('conn.inc.php');

global.php:17:require_once('conn.php');

2.SQL Injection

关键词: select 变量名

C:/>grep -in "/select" C:/test/read.php

15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

C:/>grep -in "/select/|$aid" C:/test/read.php

13:$aid=$_GET['aid'];

14:$db->query("UPDATE ".$tablepre."content SET hits=hits+1 WHERE aid='$aid'");

15:$query=$db->query("SELECT * FROM ".$tablepre."content WHERE aid=$aid");

3.CMD Injection

关键词: exec system popen passthru proc_open 等

C:/>grep -in "/(exec/|system/|popen/|passthru/|proc_open/)" C:/test/phpspy.php

413: $a = $shell->ShellExecute($_POST['program'],$_POST['prog']);

602: $program = isset($_POST['program']) ? $_POST['program'] : "c:/wi

nnt/system32/cmd.exe";

613: $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system',

'passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen

','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru',

'exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');

615: $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','o

ption'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command

',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));

620: if ($execfunc=="system") {

621: system($_POST['command']);

622: } elseif ($execfunc=="passthru") {

623: passthru($_POST['command']);

4.Code Injection

关键词:eval preg_replace

C:/>grep -in "/eval/|preg_replace" C:/test/*.php

phpspy.php:1034: eval('$hexdtime = "' . $hexdtime . '";');

5.变量提交方式

关键词:GET POST COOKIE SERVER REQUEST

C:/>grep -in "_/GET/|POST/|COOKIE/|SERVER/|REQUEST" C:/test/list.php

13:$sid=$_GET['sid'];

14:if($_GET['page']) {

15: $page=$_GET['page'];

6.cookie和session

关键词: cookie session

C:/>grep -in "/session/|cookie" C:/test/admin/*.php

global.php:16:if(!isset($_COOKIE['IN'])) {

index.php:13:if(!isset($_COOKIE['IN'])) {

job.php:13:if(!isset($_COOKIE['IN'])) {

logout.php:11:setcookie("IN","");

main.php:14:isset($_COOKIE) ? $ifcookie="SUCCESS" : $ifcookie="FAIL";

7.文件函数

关键词:readfile fopen upload copy opendir fwrite unlink 等

........

希望大家继续! :)

参考(grep使用说明):[下面都是google得到的 :)]

转载地址：http://wammb.baihongyu.com/

你可能感兴趣的文章

Oracle10g New Features(1)