Cisp-pte practice explanation
2022-07-06 08:24:00 【Colorful @ star】
Preface
This time I'll walk you through all the question types of the exam.
One 、 Upload files
The problem is very simple: upload a Trojan (web shell) that AntSword can connect to.
The answer is in the key.php file.
We create a file, write a one-sentence Trojan into it, rename it to zhi.jpg and upload it.
GIF89a?
Writing GIF89a? at the start is meant to make the file pass as an image file.
After uploading, you can capture the request and resend it, but you need to change the suffix to .php and use a case bypass: changing eval to Eval is enough.
Let's open the uploaded file to see whether it can be accessed:
http://150.158.27.164:82/zhi.php
It opens, so we connect with AntSword.
The answer is :key2:adahhsh8
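Seen from the server side, the bypass works because the filter trusts a six-byte header and a case-sensitive blocklist. The following is an added example, not the challenge's code: the function name, the allowlist and the sample inputs are assumptions, and it needs PHP's GD extension.

```php
<?php
// Added example, not the challenge's code. Requires the GD extension.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate an upload and store it re-encoded under a server-chosen name.
 * Returns the stored path, or null when the upload is rejected.
 */
function store_image(string $clientName, string $bytes, string $dir): ?string
{
    // Extension allowlist, compared in lower case, so a mixed-case ".PhP"
    // is treated exactly like ".php" and rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // A "GIF89a" prefix is only a header; require the data to decode fully.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // Re-encode so the stored bytes come from the decoder, not the client,
    // and the stored name and extension are never taken from the request.
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, $path) ? $path : null;
}

// Constructed inputs: a fake image shaped like the one above (harmless
// placeholder body) and a real 1x1 GIF.
$fake = "GIF89a?" . "<?php /* placeholder */ ?>";
$real = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$dir  = sys_get_temp_dir();

var_dump(store_image('zhi.PhP', $fake, $dir)); // fails the extension check
var_dump(store_image('zhi.jpg', $fake, $dir)); // fails the decode check
var_dump(store_image('ok.gif', $real, $dir));  // stored as a random .png
```

The upload directory should also be served without PHP execution, so that a file that slips through is never interpreted.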
Two 、 Deserialization vulnerability
Deserialization vulnerabilities are vulnerabilities caused by some of PHP's magic functions. The specific principles and methods were covered in my earlier penetration testing course; once again, everyone should go back and review them carefully, so I won't repeat them here.
Next, let's answer the question.
Let's briefly explain the cause of PHP deserialization vulnerabilities.
First of all, the magic functions in PHP are as follows:
__construct()  Called when an object is created
__destruct()   Called when an object is destroyed
__toString()   Called when an object is used as a string
__sleep()      Runs before the object is serialized
__wakeup()     Called immediately after serialization
These are the magic methods we should pay attention to. If the server accepts a serialized string from us, deserializes it, and passes the resulting variables into these magic methods without filtering, serious vulnerabilities can easily result.
In this challenge the code has no methods or arrays, which makes things much simpler; it contains only a single unserialize() call.
The unserialize() function deserializes an object or array that was serialized with serialize() and returns the original structure.
We construct the request as follows: vul.php?str=s:8:"CISP-PTE";
Auditing the code, we can see:
if (unserialize($str) === "$PTE")
{
    echo "$key4";
}
If this condition is met, the answer is output, so we append the parameter to the site URL:
http://49.232.193.10:84/start/vul.php?str=s:8:"CISP-PTE";
After resending the request:
The answer is :key4:pw3yx7fa
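The risk described above, where unserialize() on request data drives a magic method, is shown here next to two safer ways of reading the same input. This is an added example, not the challenge's code; the TempFile class, the read_str() helper and the sample string are hypothetical.

```php
<?php
// Added example, not the challenge's code. TempFile is a hypothetical class.
class TempFile
{
    public string $path = '';
    public static array $acted = [];   // records what __destruct() acted on

    public function __destruct()
    {
        // Stand-in for a real side effect such as unlink($this->path).
        if ($this->path !== '') {
            self::$acted[] = $this->path;
        }
    }
}

// Constructed input: a serialized TempFile whose property the sender chose.
$input = 'O:8:"TempFile":1:{s:4:"path";s:13:"important.txt";}';

// Unsafe: the object is rebuilt from request data, and when it is destroyed
// __destruct() runs with the sender's value.
$obj = unserialize($input);
unset($obj);
var_dump(TempFile::$acted);

// Safer: refuse to instantiate any class. The result is a
// __PHP_Incomplete_Class, and no method of TempFile runs.
TempFile::$acted = [];
$obj = unserialize($input, ['allowed_classes' => false]);
unset($obj);
var_dump(TempFile::$acted);

// Safest for plain values such as the string in this challenge: accept a
// data-only format and check the type before using it.
function read_str(string $raw): ?string
{
    $v = json_decode($raw, true);
    return is_string($v) ? $v : null;
}

var_dump(read_str('"CISP-PTE"'), read_str('{"path":"important.txt"}'));
```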
Three 、 Invalid access control
Judging from the title, administrator access is required, so to put it bluntly we need to forge the administrator's identity and privileges. SSO privilege escalation?
Without further ado, refresh the browser and capture the request.
Change false to true directly, and change the username field to the base64 encoding of admin.
The answer is :key5:m9gbqjr6
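The edit succeeds because the server believes a flag and a username that the browser can rewrite. The following added example, not the challenge's code, signs the cookie with an HMAC and looks the role up on the server; the cookie layout, the key placeholder and all names are assumptions.

```php
<?php
// Added example, not the challenge's code. Cookie layout and names are assumed.
const SECRET = 'replace-with-a-random-server-side-key';   // placeholder key
const ADMINS = ['admin'];   // the role lives on the server, never in the cookie

function issue_cookie(string $username): string
{
    $payload = base64_encode($username);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

/** Returns the authenticated username, or null if the cookie was altered. */
function verify_cookie(string $cookie): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison of the expected and the presented MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;
    }
    $name = base64_decode($payload, true);
    return $name === false ? null : $name;
}

function is_admin(string $cookie): bool
{
    $user = verify_cookie($cookie);
    return $user !== null && in_array($user, ADMINS, true);
}

// Constructed check: a guest cookie whose username part is replaced with
// base64("admin") while the original MAC is kept.
$guest  = issue_cookie('guest');
$forged = base64_encode('admin') . '.' . explode('.', $guest)[1];

var_dump(is_admin($guest));                 // genuine guest cookie
var_dump(is_admin($forged));                // altered cookie, MAC mismatch
var_dump(is_admin(issue_cookie('admin')));  // cookie issued by the server
```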
Summary
This time we have gone over several common exam question types. Next, I will explain the second practical exercise for you.