Knowledge in the Internet age is scattered; it needs a place to be written down so that the scattered pieces can be gathered, points joined into lines and lines into surfaces. On the one hand this builds a complete body of knowledge, on the other it makes things easy to look up when needed, and so ca01hの笔记本 (ca01h's notebook) was born.
https://github.com/grayddq/GScan
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
https://github.com/hudunkey/Red-Team-links
https://github.com/CHYbeta/Code-Audit-Challenges
https://github.com/hongriSec/PHP-Audit-Labs
https://wh0ale.github.io/2019/12/04/waf从入门到Bypass/
https://weibo.com/ttarticle/p/show?id=2309404007261092631700
https://github.com/threedr3am/learnjavabug
https://github.com/bit4woo/python_sec
https://github.com/insightglacier/Dictionary-Of-Pentesting
https://github.com/geekcompany/ResumeSample
https://github.com/zhaoweiho/web-sec-interview
https://github.com/EvilAnne/Pentest_questions
A quick note, borrowing a figure:
If the file:// keyword is blocked in an SSRF, file:/ or file:/// can be used instead.
Delete the cookie: without the SESSIONID from the cookie the corresponding session file cannot be found, so $_SESSION['var'] is NULL, which is equivalent to passing NULL as the parameter.
md5(Array()) = null
From https://bugs.php.net/bug.php?id=62119 : a quirk of the basename() function, which strips leading non-ASCII bytes from the file name:
var_dump(basename("\xffconfig.php")); // => config.php
Example challenge: [Zer0pts2020] Can you guess it?
https://www.cnblogs.com/20175211lyz/p/11741348.html#htaccess-tricks总结
https://mochazz.github.io/2018/03/14/没有concat的updatexml注入
Replacement functions: make_set(), lpad(), reverse(), repeat(), export_set()
select updatexml(1,make_set(3,'~',(select user())),1);
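The note above shows that filtering concat() alone does not stop error-based XML-function injection, because make_set(), lpad(), reverse(), repeat() or export_set() can assemble the malformed XPath string just as well. The following detector is an added example written for this page (not code from the original notes): rather than keying on concat(), it extracts the argument text of every updatexml()/extractvalue() call with parenthesis matching and flags a subquery or any of the replacement string builders inside it. The sample request strings are constructed here for the demonstration; rpad() and concat_ws() are added to the builder list on the assumption that they serve the same purpose.

```python
import re
from urllib.parse import unquote_plus

XML_ERROR_FUNCS = ("updatexml", "extractvalue")
# concat() plus the replacements listed in the note above; rpad() and
# concat_ws() are assumed to behave the same way (not on the original page).
STRING_BUILDERS = ("concat", "concat_ws", "make_set", "lpad", "rpad",
                   "reverse", "repeat", "export_set")

_SUBSELECT = re.compile(r"\(\s*select\b")

# Constructed sample query strings (not taken from any real log).
SAMPLE_QUERIES = [
    "id=1 and updatexml(1,make_set(3,'~',(select user())),1)",
    "id=1 and extractvalue(1,concat(0x7e,(select database())))",
    "id=1%20and%20updatexml/**/(1,lpad((select%20version()),30,'~'),1)",
    "id=5",
    "q=reverse and repeat",
]


def normalize(raw: str) -> str:
    """URL-decode, drop /* */ comments used as whitespace, collapse spaces, lowercase."""
    s = unquote_plus(raw)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def xml_func_arguments(query: str) -> list[str]:
    """Return the argument text of every updatexml(...) / extractvalue(...) call.

    Parentheses are matched by depth counting so nested calls and subqueries
    inside the argument list are captured whole.
    """
    out = []
    for func in XML_ERROR_FUNCS:
        start = 0
        while True:
            i = query.find(func, start)
            if i < 0:
                break
            j = query.find("(", i + len(func))
            # Only whitespace may sit between the function name and "(".
            if j < 0 or query[i + len(func):j].strip():
                start = i + len(func)
                continue
            depth = 0
            for k in range(j, len(query)):
                if query[k] == "(":
                    depth += 1
                elif query[k] == ")":
                    depth -= 1
                    if depth == 0:
                        out.append(query[j + 1:k])
                        break
            start = j + 1
    return out


def detect(raw: str) -> list[str]:
    """Reasons a query looks like error-based XML-function injection; empty if none."""
    q = normalize(raw)
    reasons = []
    for args in xml_func_arguments(q):
        if _SUBSELECT.search(args):
            reasons.append("subquery inside XML error function")
        for builder in STRING_BUILDERS:
            if re.search(r"\b" + builder + r"\s*\(", args):
                reasons.append(f"{builder}() builds XPath argument")
    return reasons


def scan(queries: list[str]) -> dict[str, list[str]]:
    """Map each flagged query to its reasons; clean queries are omitted."""
    return {q: detect(q) for q in queries if detect(q)}


if __name__ == "__main__":
    for query, reasons in scan(SAMPLE_QUERIES).items():
        print(query, "->", ", ".join(reasons))
```

The point of the parenthesis matching is that the alternative builders appear deep inside the argument list, so a flat regex anchored on "updatexml(concat(" misses every variant on the page; checking the whole argument text catches the make_set()/lpad() forms and the bare subquery form alike, and the URL-decoding and comment stripping in normalize() handle the usual whitespace evasions.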