Cisp-pte practice explanation
2022-07-06 08:24:00 【Colorful @ star】
CISP-PTE practical exercise explanation
Preface
This time I will explain all of the exam's question types to you.
One. File upload
The problem is very simple: upload a Trojan (webshell) and connect to it with AntSword.
The answer is in the key.php file.
We create a file, write a one-line Trojan into it, rename it to zhi.jpg and upload it.
GIF89a?
Writing GIF89a at the start is meant to make the file pass as an image file.
After uploading, capture the request and resend it, but change the suffix to .php and use a case bypass: change eval to Eval and it works.
Let's open the image to see whether it can be opened.
http://150.158.27.164:82/zhi.php
It opens, so we connect to it with AntSword.
The answer is :key2:adahhsh8
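The two tricks above (a fake GIF89a header and a mixed-case extension) succeed because the upload check trusts the header and compares the extension case-sensitively. The following server-side validator is an added example, not code from the exam or the write-up; the upload field name and the uploads directory are assumptions.

```php
<?php
// Added example: validating an uploaded image so that neither a "GIF89a"
// prefix nor a ".pHp" extension gets a PHP file onto the server.
// The field name "file" and the directory /var/www/uploads are assumptions.

function validate_image_upload(string $tmpPath, string $clientName): ?string
{
    // 1. Extension allowlist, compared case-insensitively, so "zhi.pHp"
    //    is rejected exactly like "zhi.php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowed = ['gif' => 'image/gif', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. MIME type detected from the content. A bare "GIF89a" prefix is
    //    enough to pass this check, which is why step 3 is the real defence.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return null;
    }

    // 3. Re-encode through GD. A file that is only a header followed by PHP
    //    code fails to decode, and a genuine image is rewritten pixel by
    //    pixel, so any text appended to it is dropped.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // 4. The server chooses the stored name; the client never controls it.
    $dest = '/var/www/uploads/' . bin2hex(random_bytes(16)) . '.png';
    imagepng($img, $dest);
    imagedestroy($img);
    return $dest;
}

if (isset($_FILES['file'])) {
    $stored = validate_image_upload($_FILES['file']['tmp_name'],
                                    $_FILES['file']['name']);
    echo $stored === null ? "rejected\n" : "stored as $stored\n";
}
```

The uploads directory should additionally be configured so the web server never executes scripts from it; the validator above reduces risk but is not a substitute for that setting.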
Two 、 Deserialization vulnerability
Deserialization vulnerabilities are caused by some of PHP's magic methods. The specific principles and methods were already covered in my earlier penetration testing course, so everyone should go back and review them carefully; I will not repeat them here.
Next, let's work through the question.
Let's briefly explain the cause of PHP deserialization vulnerabilities.
First, the magic methods in PHP are as follows:
__construct() is called when an object is created
__destruct() is called when an object is destroyed
__toString() is called when an object is used as a string
__sleep() runs before an object is serialized
__wakeup() is called immediately after an object is unserialized
These are the magic methods we need to pay attention to. If the server accepts a string we control, deserializes it, and passes the resulting values straight into these magic methods without any filtering, it is easy to cause serious vulnerabilities.
In this case there is no method or array in the code, which makes it much simpler; there is only a single unserialize().
unserialize() takes an object or array that was serialized with serialize() and turns it back into the original structure.
We construct it as follows: vul.php?str=s:8:"CISP-PTE";
Auditing the code, you can see:
if (unserialize($str) === "CISP-PTE")
{
    echo "$key4";
}
If this condition is met, the answer is output. Append this parameter to the URL and that's it:
http://49.232.193.10:84/start/vul.php?str=s:8:"CISP-PTE";
After resending:
The answer is :key4:pw3yx7fa
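The check quoted above only compares a deserialized string, but the same unserialize() call will also instantiate any class named in the input and run its magic methods. The snippet below is an added example, not code from the exam; it reproduces the shape of the vul.php check, shows the payload that serialize() produces for the expected value, and contrasts the unsafe call with one that passes allowed_classes => false. The Demo class is an assumption for illustration.

```php
<?php
// Added example: why unserialize() on user input is dangerous even when the
// application only expects a string, and how allowed_classes limits it.
// The Demo class is a stand-in for any application class with a magic method.

class Demo
{
    public $note = 'hello';
    public function __wakeup()
    {
        // Runs as soon as unserialize() rebuilds a Demo object from the input.
        echo "__wakeup() ran with note={$this->note}\n";
    }
}

// serialize() of the exam's expected value gives exactly the payload used above.
var_dump(serialize("CISP-PTE") === 's:8:"CISP-PTE";'); // bool(true)

// Unsafe: mirrors the vul.php check. Any class named in the input is
// instantiated and its __wakeup() executes before the comparison happens.
function check_unsafe(string $str): bool
{
    return unserialize($str) === "CISP-PTE";
}

// Hardened: objects in the input become __PHP_Incomplete_Class, so no magic
// method of an application class is invoked; plain strings still compare.
function check_safe(string $str): bool
{
    $v = unserialize($str, ['allowed_classes' => false]);
    return $v === "CISP-PTE";
}

$objPayload = 'O:4:"Demo":1:{s:4:"note";s:4:"test";}';
var_dump(check_unsafe($objPayload));   // prints the __wakeup() line, then bool(false)

$v = unserialize($objPayload, ['allowed_classes' => false]);
var_dump($v instanceof __PHP_Incomplete_Class); // bool(true), __wakeup() not called
var_dump(check_safe('s:8:"CISP-PTE";'));        // bool(true)
```

Where the application only needs a string or array, json_decode() on the input avoids the object-instantiation path entirely.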
Three. Broken access control
Judging from the title alone, administrator access is required, so to put it bluntly we need to forge the administrator's identity and privileges. SSO privilege escalation?
Without further ado, refresh the browser and capture the request.
Directly change false to true, and change the username field to the base64 encoding of admin.
The answer is :key5:m9gbqjr6
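The bypass above works because the identity data lives in a base64 blob that the client can rewrite and the server never checks for tampering. The following is an added example, not code from the exam or the write-up: the same fields are signed with a server-side HMAC key, so flipping false to true or renaming the user invalidates the token. The key value and field names are assumptions.

```php
<?php
// Added example: an HMAC-signed token in place of an unsigned base64 cookie.
// SECRET_KEY is a placeholder; a real deployment loads a random key from
// configuration, never from source code.

const SECRET_KEY = 'placeholder-replace-with-random-32-byte-key';

function issue_token(array $claims): string
{
    $payload = base64_encode(json_encode($claims));
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

function verify_token(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $claims = json_decode(base64_decode($payload, true), true);
    return is_array($claims) ? $claims : null;
}

// Token issued to an ordinary user.
$token = issue_token(['username' => 'guest', 'admin' => false]);
var_dump(verify_token($token)['admin']);   // bool(false)

// The edit from the write-up: rewrite the payload but keep the original MAC.
[$payload, $mac] = explode('.', $token, 2);
$forged = base64_encode(json_encode(['username' => 'admin', 'admin' => true]))
        . '.' . $mac;
var_dump(verify_token($forged));           // NULL, the request is rejected
```

Keeping the admin flag server-side in the session and looking it up per request removes the client-supplied field altogether; signing is the minimum when the data must travel with the client.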
Summary
This time we summarized several common exam question types; next, I will explain the second practical exercise for you.