一、描述
难度系数: 4星
题目来源: csaw-ctf-2016-quals
题目描述:暂无
题目场景: http://111.198.29.45:39563
题目附件: 暂无
二、实操
首先构造路径穿越:http://111.198.29.45:39563/post.wtf?post=…/
出现源码泄露,并且发现了对应的登录账号为admin时才能get出flag
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css/std.css" >
</head>
$ if contains 'user' ${!URL_PARAMS[@]} && file_exists "users/${URL_PARAMS['user']}"
$ then
$ local username=$(head -n 1 users/${URL_PARAMS['user']});
$ echo "<h3>${username}'s posts:</h3>";
$ echo "<ol>";
$ get_users_posts "${username}" | while read -r post; do
$ post_slug=$(awk -F/ '{print $2 "#" $3}' <<< "${post}");
$ echo "<li><a href=\"/post.wtf?post=${post_slug}\">$(nth_line 2 "${post}" | htmlentities)</a></li>";
$ done
$ echo "</ol>";
$ if is_logged_in && [[ "${COOKIES['USERNAME']}" = 'admin' ]] && [[ ${username} = 'admin' ]]
$ then
$ get_flag1
$ fi
$ fi
</html>
源码泄露发现有user子目录:http://111.198.29.45:39563/post.wtf?post=…/users/ 发现admin账号
同时发现token值是存储在user目录中的,所以能够进行token伪造
点击进入admin的post请求中
修改参数进行cookies伪造成功发现部分flag:
至此前半部分的flag为:xctf{cb49256d1ab48803
继续在源码中找解析 wtf 文件的代码
max_page_include_depth=64
page_include_depth=0
function include_page {
# include_page pathname
local pathname=$1
local cmd=
[[ ${pathname(-4)} = '.wtf' ]];
local can_execute=$;
page_include_depth=$(($page_include_depth+1))
if [[ $page_include_depth -lt $max_page_include_depth ]]
then
local line;
while read -r line; do
# check if we're in a script line or not ($ at the beginning implies script line)
# also, our extension needs to be .wtf
[[ $ = ${line01} && ${can_execute} = 0 ]];
is_script=$;
# execute the line.
if [[ $is_script = 0 ]]
then
cmd+=$'n'${line#$};
else
if [[ -n $cmd ]]
then
eval $cmd log Error during execution of ${cmd};
cmd=
fi
echo $line
fi
done ${pathname}
else
echo pMax include depth exceeded!p
fi
}
能够解析并执行 wtf 文件,如果还能够上传 wtf 文件并执行的话,就可以达到控制服务器的目的。
于是继续审计代码,发现如下代码给了这个机会:
function reply {
local post_id=$1;
local username=$2;
local text=$3;
local hashed=$(hash_username "${username}");
curr_id=$(for d in posts/${post_id}/*; do basename $d; done | sort -n | tail -n 1);
next_reply_id=$(awk '{print $1+1}' <<< "${curr_id}");
next_file=(posts/${post_id}/${next_reply_id});
echo "${username}" > "${next_file}";
echo "RE: $(nth_line 2 < "posts/${post_id}/1")" >> "${next_file}";
echo "${text}" >> "${next_file}";
# add post this is in reply to to posts cache
echo "${post_id}/${next_reply_id}" >> "users_lookup/${hashed}/posts";
}
这是评论功能的后台代码,这部分也是存在路径穿越的。
这行代码把用户名写在了评论文件的内容中:
echo “
u
s
e
r
n
a
m
e
"
>
"
{username}" > "
username">"{next_file}”;
注册$/usr/bin/get_flag2账号可以,并且添加后门
访问http://111.198.29.45:39563/users_lookup/sh.wtf得到第二部分的flag
三、答案
至此最终的flag为:xctf{cb49256d1ab48803149e5ec49d3c29ca}
#本题难度很大,参考了博文:https://github.com/ernw/ctf-writeups/tree/master/csaw2016/wtf.sh
#还参考了博文: https://blog.cindemor.com/post/ctf-fairy-1.html