1015笔记

python基础

1.Python中是如何对变量赋值的?
# Assignment binds a name to a value; no declaration is needed.
a = 123       # int
b = 'test'    # str
# print() writes each value followed by a newline.
print(a)
print(b)
2.Python中的字符串变量是如何拼接的
# String concatenation: "+" on two str values yields a new str.
a = 123
b = 'test'
c = 'flag'
d = b + c     # 'test' + 'flag' -> 'testflag'
print(d)
3.Python中数字和字符串怎样拼接?
# Mixing a number with a string: convert the int with str() first,
# because int + str is a TypeError in Python.
a = 123
b = 'test'
c = 'flag'
d = str(a) + c    # '123' + 'flag' -> '123flag'
print(d)
4.Python中如何打印出来我们的变量?
print (d)
5.Python中的条件判断语句是怎么写的?
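# Conditional statement. The body of an `if` MUST be indented — the
# transcript had `print` at column 0, which is an IndentationError.
# Parentheses around the condition are optional in Python.
a = 123
b = 'test'
if a == 123:
    print("ok")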
6.Python中的for循环是怎么用的?
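# for loop over range(0, 10): yields 0..9 (the upper bound is excluded).
# The loop body must be indented — the transcript had it at column 0,
# which does not parse.
for i in range(0, 10):
    print(i)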
7.python如何发起网络请求?（见下方“环境搭建”：安装 requests 库）

环境搭建

python -m pip install --upgrade pip   # upgrade pip through the same interpreter that will run the scripts
python -m pip install requests        # HTTP client used for the "network request" exercise above

文件上传漏洞

前端验证

一般来说，前端验证只是浏览器里的 JavaScript 检查后缀，绕过方法是：本地生成一个 php 文件，改名为 .jpg
上传，用代理抓包把文件名改回 .php 再放包——改的只是浏览器端的检查，服务器收到的就是 .php。


检测content-type
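<?php
// Content-Type check (upload-labs Pass-02 style).
// $_FILES['upload_file']['type'] is copied verbatim from the Content-Type
// header of the multipart part, i.e. it is attacker-controlled. Nothing
// else is checked (no extension, no file content), and the file is stored
// under its original, attacker-chosen name.
// UPLOAD_PATH is defined by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {    // transcript read "sset" — typo for isset()
    if (file_exists(UPLOAD_PATH)) {
        // Only the client-supplied MIME string is compared.
        if (($_FILES['upload_file']['type'] == 'image/jpeg')
            || ($_FILES['upload_file']['type'] == 'image/png')
            || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // Original filename kept verbatim: "shell.php" sent with
            // "Content-Type: image/jpeg" lands as shell.php in UPLOAD_PATH.
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '⽂件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'⽂件夹不存在,请⼿⼯创建!';
    }
}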

1.上传 php 文件，抓包把 Content-Type 改为代码里比较的三个值之一：image/jpeg（注意代码比较的是 image/jpeg 而不是 image/jpg）、image/png 或 image/gif
2.或者先以 .jpg 后缀正常上传，抓包时把文件名改回 .php——$img_path 直接拼接了上传时的文件名，后缀不会被改写

文件后缀黑名单绕过
<?php
// Extension blacklist (upload-labs Pass-03 style).
// Only four extensions are denied; anything else (.php3, .php5, .phtml,
// .phps, ...) passes the check. Whether such a file is then executed
// depends on the server's handler configuration — confirm for the target.
// deldot() and UPLOAD_PATH are provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');# the whole blacklist: four entries
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots, e.g. "123.php." -> "123.php"
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // case-insensitive compare: "PHp" -> "php"
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// drop an NTFS stream suffix
        $file_ext = trim($file_ext); // strip leading/trailing whitespace
        if(!in_array($file_ext, $deny_ext)) {// not blacklisted -> accept
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // Stored name is timestamp+random, but the ORIGINAL extension is kept.
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
                 } else {
                     $msg = '上传出错!';
                 }
             } else {
                 $msg = '不允许上传.asp,.aspx,.php,.jsp后缀⽂件!';
             }
         } else {
             $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
        }
}

除了 php3，还有 php5、php7、phtml、phps 等后缀都不在上面这 4 项黑名单里；它们能否被当作 PHP 执行取决于服务器的 handler 配置（例如 Apache 是否用 AddHandler/AddType 映射了这些后缀），详情看 4。

apache分布式配置文件
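 <?php
// Long extension blacklist (upload-labs Pass-04 style).
// Two weaknesses visible in this code:
//  1. ".htaccess" is not in the list, and the file is stored under its
//     original name, so an attacker can upload a .htaccess containing
//     "SetHandler application/x-httpd-php" and then a .jpg holding PHP
//     (only works where Apache honours .htaccess via AllowOverride and
//     runs PHP through a handler — confirm for the target).
//  2. "php1" / "pHp1" are listed WITHOUT the leading dot, while
//     strrchr() below returns the extension WITH the dot, so ".php1" is
//     never matched.
// deldot() and UPLOAD_PATH are provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2", "php1",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3",
            ".pHp2", "pHp1", ".Html", ".Htm", ".pHtml", ".jsp", ".jspa", ".jspx",
            ".jsw", ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx", ".jSpa", ".jSw",
            ".jSv", ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax", ".ascx",
            ".ashx", ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx",
            ".aShx", ".aSmx", ".cEr", ".sWf", ".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // strip trailing dots
        $file_ext = strrchr($file_name, '.');                // extension, including the dot
        $file_ext = strtolower($file_ext);                   // case-insensitive compare
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // drop NTFS stream suffix
        $file_ext = trim($file_ext);                         // strip surrounding whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // Original filename kept verbatim — ".htaccess" lands as ".htaccess".
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此⽂件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}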

apache分布式配置⽂件
.htaccess

SetHandler application/x-httpd-php

.htaccess 对其所在目录及所有子目录生效（不只是当前目录），前提是 Apache 配置允许覆盖（AllowOverride）并通过 handler 运行 PHP；上面这行 SetHandler 没有 FilesMatch 限定，会让该目录下所有文件都按 PHP 解析，之后再上传一个内含 PHP 代码的 .jpg 即可。

大小写绕过
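<?php
// Blacklist check WITHOUT strtolower() (upload-labs Pass-06 style).
// The extension is compared case-sensitively, so a spelling that is not
// in the list — e.g. ".PhP" or ".Php" — passes. The stored name keeps
// $file_ext as supplied; whether the server then executes it depends on
// its extension matching (Apache's mod_mime matches extensions
// case-insensitively by default — confirm for the target).
// deldot() and UPLOAD_PATH are provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3",
            ".pHp2", ".Html", ".Htm", ".pHtml", ".jsp", ".jspa", ".jspx", ".jsw",
            ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv",
            ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx",
            ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx",
            ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // strip trailing dots
        $file_ext = strrchr($file_name, '.');                // extension, including the dot
        // no strtolower() here — this is the case-sensitivity hole
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // drop NTFS stream suffix
        $file_ext = trim($file_ext);                         // strip surrounding whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此⽂件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}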
后缀名加空格
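<?php
// Blacklist check WITHOUT whitespace trimming (upload-labs Pass-07 style).
// Neither the filename nor $file_ext is trim()'d, so "shell.php " (trailing
// space) yields the extension ".php " which is not in the list. The stored
// name ends in that ".php "; Windows strips trailing spaces when creating
// the file, so it lands as ".php" there (on Linux the space is kept and
// the file would not be executed as PHP).
// deldot() and UPLOAD_PATH are provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3",
            ".pHp2", ".Html", ".Htm", ".pHtml", ".jsp", ".jspa", ".jspx", ".jsw",
            ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv",
            ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx",
            ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx",
            ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = $_FILES['upload_file']['name'];         // no trim() — stray "7" in the transcript was a gutter number
        $file_name = deldot($file_name);                     // strip trailing dots
        $file_ext = strrchr($file_name, '.');                // extension, including the dot
        $file_ext = strtolower($file_ext);                   // case-insensitive compare
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // drop NTFS stream suffix
        // no trim($file_ext) here — this is the trailing-space hole
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此⽂件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}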
后缀加点
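<?php
// Blacklist check WITHOUT deldot() (upload-labs Pass-08 style).
// Trailing dots are not removed, so "shell.php." has the extension "."
// (strrchr finds the last dot), which is not in the list. The file is
// stored under its original name; Windows strips a trailing dot when
// creating the file, so it lands as shell.php there.
// UPLOAD_PATH is provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3",
            ".pHp2", ".Html", ".Htm", ".pHtml", ".jsp", ".jspa", ".jspx", ".jsw",
            ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv",
            ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx",
            ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx",
            ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // no deldot($file_name) here — this is the trailing-dot hole
        $file_ext = strrchr($file_name, '.');                // extension, including the dot
        $file_ext = strtolower($file_ext);                   // case-insensitive compare
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // drop NTFS stream suffix
        $file_ext = trim($file_ext);                         // strip surrounding whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // Original filename kept verbatim, trailing dot included.
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此⽂件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}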

利用 Windows 特性：文件名末尾的 . 会被系统自动删除，所以 shell.php. 绕过黑名单后落盘为 shell.php（此关缺少 deldot 调用，且保存时直接使用原始文件名）。

::$DATA
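<?php
// Blacklist check WITHOUT the "::$DATA" strip (upload-labs Pass-09 style).
// "shell.php::$DATA" yields the extension ".php::$data", which is not in
// the list. The stored name ends in that suffix; on Windows/NTFS
// "::$DATA" names the file's default data stream, so the file is written
// as "<name>.php". No effect on Linux.
// deldot() and UPLOAD_PATH are provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php", ".php5", ".php4", ".php3", ".php2",
            ".html", ".htm", ".phtml", ".pht", ".pHp", ".pHp5", ".pHp4", ".pHp3",
            ".pHp2", ".Html", ".Htm", ".pHtml", ".jsp", ".jspa", ".jspx", ".jsw",
            ".jsv", ".jspf", ".jtml", ".jSp", ".jSpx", ".jSpa", ".jSw", ".jSv",
            ".jSpf", ".jHtml", ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx",
            ".asmx", ".cer", ".aSp", ".aSpx", ".aSa", ".aSax", ".aScx", ".aShx",
            ".aSmx", ".cEr", ".sWf", ".swf", ".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // strip trailing dots
        $file_ext = strrchr($file_name, '.');                // extension, including the dot
        $file_ext = strtolower($file_ext);                   // case-insensitive compare
        // no str_ireplace('::$DATA', ...) here — this is the NTFS stream hole
        $file_ext = trim($file_ext);                         // strip surrounding whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此⽂件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}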
替换为空
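<?php
// "Strip the blacklisted words" sanitiser (upload-labs Pass-10 style).
// str_ireplace() makes a single, non-recursive pass, so a doubled
// extension survives: "shell.pphphp" -> inner "php" removed -> "shell.php".
// There is no allow/deny decision at all — every upload is accepted and
// stored under the (sanitised) original filename.
// UPLOAD_PATH is provided by the including page.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php", "php5", "php4", "php3", "php2", "html", "htm",
            "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml",
            "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf",
            "htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // one pass only: "pphphp" becomes "php"
        $file_name = str_ireplace($deny_ext, "", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '⽂件夹不存在,请⼿⼯创建!';
    }
}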

双写绕过：上面的 str_ireplace 只做一次替换、不递归，所以 shell.pphphp 去掉中间的 php 后恰好变成 shell.php。

00截断
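<?php
// Extension whitelist with a user-controlled save directory
// (upload-labs Pass-11 style).
// The extension after the last dot must be jpg/png/gif, but the target
// directory comes straight from $_GET['save_path'], so the attacker
// controls where the file goes ("../" traversal) and, on PHP < 5.3.4
// with magic_quotes_gpc off, a %00 in save_path truncates the path:
//   save_path=../upload/shell.php%00  + an upload named anything.jpg
// writes ../upload/shell.php. Note the uploaded filename itself is only
// used for the extension; it never reaches the path.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg', 'png', 'gif');
    // text after the last "." (no dot) — only this part is validated
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // $_GET['save_path'] is attacker-controlled and unvalidated
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型⽂件!";
    }
}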

1. PHP 版本小于 5.3.4 时存在 %00 截断（且需要 magic_quotes_gpc 关闭）。注意此关的保存路径来自 GET 参数 save_path，上传的文件名只用来取最后一个点后的后缀、并不参与拼接路径，所以截断要放在 save_path 里，例如：
save_path=../upload/123.php%00 ，同时上传文件的后缀保持为 .jpg 以通过白名单，最终落盘为 ../upload/123.php

xss漏洞

0x00

直接

0x01

里面任何东西都会当作文本不解析（原文此处的标签名在转载时丢失）
需要先闭合原来的标签，再插入自己的标签

0x02

11">
闭合标签和属性

0x03

反引号当括号：例如 alert`1`，用于绕过对 ( ) 的过滤

0x04

<svg/onload=alert(1)>
on 系列事件属性的值会先经过 HTML 实体解码再交给 JS 执行，因此可以写成 &#97;lert(1) 之类的形式绕过关键字过滤

0x05

在 HTML 里面（JS 上下文中）// 正常当作行注释，可以用来注释掉注入点后面多余的闭合字符
//
HTML 的容错性：残缺或未闭合的标签浏览器仍会尽量解析
