rwctf2023-ASTLIBRA

WriteUp 3周前 admin
133 0 0

Intended Solution

  1. After the execution of the $url = addslashes($_POST['URL']); and the preg_replace('/(.*)\{url\}(.*)/is', '${1}'.$url.'${2}', $zep_file);\" will finally convert to \\".
  2. PHP class constructor could be a function with the same name as the class.
  3. Perform SSRF attack on MySQL Server with password using php-curl.

Exploit

  1. Execute python3 protocol_handler.py in a server with public IP.
  2. Modify exploit.py with your IP and Port.
  3. Execute python3 exploit.py.

Other Solutions

Although cblock has been removed by ASTLIBRA/zephir-tunnel/secure.patch, it could still be inserted in the place out of the function scope.

http\");}
__attribute__((constructor)) void exp() {
        ...
        system(xxx);
        ...
};
function tmp(){
    var ch = curl_init();//

 

原文始发于Github:rwctf2023-ASTLIBRA

版权声明:admin 发表于 2023年1月10日 上午8:44。
转载请注明:rwctf2023-ASTLIBRA | CTF导航

相关文章

暂无评论

暂无评论...