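A note at the top of the article: the content described here and the accompanying scripts are for learning only. If they are used for profit, the individual is responsible!!! For study and entertainment only, do not use them for illegal purposes! Please delete within 24 hours of downloading; the user bears all legal responsibility!

This is a vulnerability similar to an authorization bypass, but the way it is exploited is rather unusual.

Visit the vulnerable page to obtain the phpsession: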
http://x.x.x.x/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
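<img src="https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d9ca907414ca45b0bc124b7316598c26~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image" style="margin: auto" />

As shown, we have now obtained the phpsession, so at this point we can access its back-end pages. However, if the page shows RELOGIN, the vulnerability exists but the administrator is not currently online, so you have to wait until the administrator is online.

Access the back-end page: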
http://x.x.x.x/general/
<img src="https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/bc3b5e8b82a0444f899af44474661e22~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image" style="margin: auto" />

View the local absolute path

<img src="https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/06fff5e1b68f4213ad769f6db9cb3362~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image" style="margin: auto" />

Create a new attachment directory
[<img src="https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/4757686b0db345e89083d70f69057047~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image" />](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2103%252F210310111840989d549b4191f3.jpg)
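A defender-side check for the two requests described above, as an added example that is not part of the original post: it scans web-server access logs for the `auth_mobi.php` request carrying `isAvatar=1`, a `uid` and `P_VER=0`, and flags clients that go on to request `/general/`. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2021:11:02:13 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 HTTP/1.1" 200 26 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:11:02:20 +0800] "GET /general/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.9 - - [10/Mar/2021:11:03:01 +0800] "GET /general/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:11:04:45 +0800] "GET /MOBILE/auth_mobi.php?P_VER=0&uid=1&isAvatar=1 HTTP/1.1" 200 26 "-" "python-requests/2.25"
203.0.113.9 - - [10/Mar/2021:11:05:00 +0800] "GET /mobile/auth_mobi.php?P_VER=6 HTTP/1.1" 200 26 "-" "Mozilla/5.0"
"""

# client ip, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_probe(target):
    """True if the request target matches the parameter set shown on the page."""
    parts = urlsplit(target)
    # Assumption: the server's file system is case-insensitive, so compare
    # the path in lower case; parameter names are compared exactly.
    if parts.path.lower() != "/mobile/auth_mobi.php":
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    return "uid" in q and q.get("isAvatar") == ["1"] and q.get("P_VER") == ["0"]


def scan(log_text):
    """Return {client_ip: {"probes": n, "backend_after_probe": bool}}."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, _status = m.groups()
        if is_probe(target):
            entry = findings.setdefault(ip, {"probes": 0, "backend_after_probe": False})
            entry["probes"] += 1
        elif ip in findings and urlsplit(target).path.lower().startswith("/general/"):
            # Same client reached the back end after the probe: highest priority.
            findings[ip]["backend_after_probe"] = True
    return findings


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Clients with `backend_after_probe` set are the ones to review first, since the probe was followed by back-end access from the same address.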