DragonKnight CTF 2024 WEB-ezsign reproduction writeup

Competition link

The DragonKnight CTF held on 5.25 has ended; below is my reproduction writeup.

ezsign

Scanning with dirsearch gives the following:

dirsearch -u http://challenge.qsnctf.com:31527/

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: C:\Users\Administrator\reports\http_challenge.qsnctf.com_31527\__24-06-07_09-51-19.txt

Target: http://challenge.qsnctf.com:31527/

[09:51:19] Starting:
[09:51:21] 200 -    6KB - /.DS_Store
[09:51:22] 403 -  288B  - /.ht_wsr.txt
[09:51:22] 403 -  288B  - /.htaccess.bak1
[09:51:22] 403 -  288B  - /.htaccess.save
[09:51:22] 403 -  288B  - /.htaccess.sample
[09:51:22] 403 -  288B  - /.htaccess.orig
[09:51:22] 403 -  288B  - /.htaccess_extra
[09:51:22] 403 -  288B  - /.htaccess_orig
[09:51:22] 403 -  288B  - /.htaccess_sc
[09:51:22] 403 -  288B  - /.htaccessBAK
[09:51:22] 403 -  288B  - /.htaccessOLD2
[09:51:22] 403 -  288B  - /.htaccessOLD
[09:51:22] 403 -  288B  - /.html
[09:51:22] 403 -  288B  - /.htm
[09:51:22] 403 -  288B  - /.htpasswd_test
[09:51:22] 403 -  288B  - /.htpasswds
[09:51:22] 403 -  288B  - /.httr-oauth
[09:51:25] 301 -  339B  - /.vscode  ->  http://challenge.qsnctf.com:31527/.vscode/
[09:51:25] 403 -  288B  - /.vscode/
[09:51:25] 200 -    1KB - /.vscode/launch.json
[09:51:42] 200 -    2KB - /index.php.bak
[09:51:44] 200 -   23B  - /login.php
[09:51:55] 403 -  288B  - /server-status/
[09:51:55] 403 -  288B  - /server-status
[09:52:00] 200 -   30B  - /upload.php
[09:52:00] 301 -  338B  - /upload  ->  http://challenge.qsnctf.com:31527/upload/
[09:52:00] 403 -  288B  - /upload/

Task Completed

Two hits stand out: index.php.bak and /upload/. This is clearly a modified file-upload challenge.

Opening index.php.bak, the source is as follows:

<?php 
error_reporting(0);
// Check whether the cookie carries a token
$token = $_COOKIE['token'] ?? null;

if($token){
    extract($_GET);
    $token = base64_decode($token);
    $token = json_decode($token, true);


    $username = $token['username'];
    $password = $token['password'];
    $isLocal = false;
    
    if($_SERVER['REMOTE_ADDR'] == "127.0.0.1"){
        $isLocal = true;
    }

    if($isLocal){
        echo 'Welcome Back,' . $username . '!';
        // If the file upload/$username/<filename> exists, display the image
        if(file_exists('upload/' . $username . '/' . $token['filename'])){
            // Display the image, scaled down
            echo '<br>';
            echo '<img src="upload/' . $username . '/' . $token['filename'] .'" width="200">';
        } else {
            echo '请上传您高贵的头像。';
            // Avatar upload form
            $html = <<<EOD
            <form method="post" action="upload.php" enctype="multipart/form-data">
                <input type="file" name="file" id="file">
                <input type="submit" value="Upload">
            </form>
            EOD;
            echo $html;
        }
    } else {
        // echo "留个言吧";
        $html = <<<EOD
        <h1>留言板</h1>
        <label for="input-text">Enter some text:</label>
        <input type="text" id="input-text" placeholder="Type here...">
        <button onclick="displayInput()">Display</button>
        EOD;
        echo $html;
    }
} else {
    $html = <<<EOD
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h2>Login</h2>
    <form method="post" action="./login.php">
        <div>
            <label for="username">Username:</label>
            <input type="text" name="username" id="username" required>
        </div>
        <div>
            <label for="password">Password:</label>
            <input type="password" name="password" id="password" required>
        </div>
        <div>
            <input type="submit" value="Login">
        </div>
    </form>
</body>
</html>
EOD;
    echo $html;
}
?>

<script>
    function displayInput() {
      var inputText = document.getElementById("input-text").value;
      document.write(inputText)
    }
</script>

There is an extract() variable-overwrite vulnerability, but passing /?_SERVER[REMOTE_ADDR]=127.0.0.1 has no effect. Waiting online; hoping some master comes along to solve it~
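As an added example (not the challenge's own code and not from the writeup), here is the same token and avatar logic rewritten from a defender's side: no extract(), the token is read from the cookie only, the JSON is reduced to the three expected keys, and the upload path is validated before use. The function names, the UPLOAD_ROOT constant and the allowed name pattern are my own assumptions.

```php
<?php
// Added example, not the challenge's own code: a hardened rewrite of the
// token/avatar logic from index.php.bak. Assumes the same cookie format
// (base64 of a JSON object with username, password, filename) and the
// same upload/<username>/<filename> layout.
const UPLOAD_ROOT = __DIR__ . '/upload';

// Parse the token cookie without extract(): only the three expected keys
// are read, and the value comes from the cookie alone, never from $_GET.
function parseToken(?string $cookie): ?array
{
    if ($cookie === null) { return null; }
    $raw = base64_decode($cookie, true); // strict mode rejects non-base64
    $data = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($data)) { return null; }
    $token = [];
    foreach (['username', 'password', 'filename'] as $key) {
        if (!isset($data[$key]) || !is_string($data[$key])) { return null; }
        $token[$key] = $data[$key];
    }
    return $token;
}

// Resolve the avatar path and confirm it stays below UPLOAD_ROOT, so a
// crafted username or filename cannot point outside the upload directory.
function avatarPath(array $token): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $token['username'])
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg|gif)\z/', $token['filename'])) {
        return null;
    }
    $root = realpath(UPLOAD_ROOT);
    $path = realpath(UPLOAD_ROOT . '/' . $token['username'] . '/' . $token['filename']);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Locality comes from the request itself, never from a variable that user
// input could have overwritten; the username is escaped before output.
$isLocal = (($_SERVER['REMOTE_ADDR'] ?? '') === '127.0.0.1');
$token = parseToken($_COOKIE['token'] ?? null);
if ($token !== null && $isLocal) {
    echo 'Welcome Back,' . htmlspecialchars($token['username'], ENT_QUOTES, 'UTF-8') . '!';
    if (avatarPath($token) !== null) {
        echo '<br><img src="upload/' . rawurlencode($token['username']) . '/' . rawurlencode($token['filename']) . '" width="200">';
    }
}
```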

Reference: link
