[N1CTF 2018]eating_cms parse_url function vulnerability

The entry point is a login form. Enter any account and password and see what happens.

The form is backed by a database query, so try the universal password:

1'or'1'='1'#

It turns out to be filtered. Challenges of this kind usually have a register.php and somewhere the source code can be read, so we need to find them and try.

Finding the registration page, register and log in.

This leads to a user.php page with no output related to our input. What interests us is its page parameter. Not knowing yet whether it can read source code for us, we try the php:// pseudo-protocol directly:

?page=php://filter/read=convert.base64-encode/resource=user.php


A 200 comes back but with no content, which suggests the file name format is wrong. Let's try removing the suffix.

That reads the source; download all of it.

There is also an upload.php; its source is used later. The screenshot here is unclear (I was too lazy to delete it).

In the user.php source, find where our source-code read happens.

Sure enough, the .php suffix is appended by the code itself, but that is not the focus.

Read through the source and sort out the relevant parts:
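An allowlisted replacement for this kind of page include, added here as an example (it is not the challenge's code). It assumes the original is shaped like include($_GET['page'] . '.php'); PAGES_DIR, ALLOWED_PAGES and resolve_page() are names chosen for the example. Because the parameter is only ever used as an allowlist lookup, php://filter, absolute paths and ../ never reach include().

```php
<?php
// Added example, not the challenge's code: an allowlisted page include.
// Assumes the original is shaped like include($_GET['page'] . '.php').

const PAGES_DIR     = __DIR__ . '/pages/';          // assumed location of includable pages
const ALLOWED_PAGES = ['home', 'user', 'profile'];  // assumed page names

/**
 * Maps the request parameter to a concrete file, or returns null.
 * The value is used only as an allowlist member check, so stream wrappers
 * (php://filter), absolute paths and ../ can never reach include().
 */
function resolve_page(?string $page): ?string
{
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $candidate = realpath(PAGES_DIR . $page . '.php');
    // Defence in depth: the resolved path must still sit inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    if ($candidate === false || $base === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$target = resolve_page($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('no such page');
}
include $target;
```

With this shape, a request such as ?page=php://filter/read=convert.base64-encode/resource=user is rejected by the allowlist before any file system or stream operation takes place.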

function Filter($string)
{
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        // every character of $string must appear in the whitelist;
        // strpos() returns false when $string[$i] is not found in $whitelist
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    // after the whitelist, the input must also clear the blacklist regex (case-insensitive)
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) { // only strings are escaped and returned
        return $mysqli->real_escape_string($string); // escape for the SQL query
    } else {
        return "";
    }
}

This rather strict filter is called by both the login and registration handlers, so SQL injection can be set aside for now. The suspicious point is elsewhere:

function filter_directory() // keyword filter on the query string
{
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    // split the request URI into its components; parse_url() returns false
    // for a URI it cannot parse, in which case $uri['query'] is unset
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    // parse the query string into the associative array $query (key => value)
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token)) // does the parameter name contain the keyword (case-insensitive)?
                hacker();
            if (stristr($v, $token)) // does the parameter value contain the keyword?
                hacker();
        }
    }
}

parse_url function

parse_url() splits the URL, and parse_str() then puts the query's key/value pairs into the associative array $query for filtering. As long as none of the $keywords appear, hacker() is not called. We need to get past this check to read the flag's source, although I think the two tricks below can be used before reading it. Fortunately, a quirk in how parse_url() handles this query shows up here. Let's look at the details:

Reference: Explanation and bypass of the parse_url function - q1352483315's blog - CSDN blog (urlparse function)

Construct the following:

//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg

This makes the parse_url function fail (on lower PHP versions).
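A fail-closed version of filter_directory(), added as an example for both the function shown above and the parse_url() quirk just described (it is not the challenge's code; BLOCKED_KEYWORDS, contains_token() and request_is_blocked() are names chosen here). The original trusts parse_url() unconditionally: when parse_url() returns false, $uri['query'] is unset, parse_str() yields an empty array and no keyword is checked at all. The rewrite rejects an unparseable URI outright, checks nested array parameters, and compares both parse_url()'s view and the already-decoded GET parameters. The sample request lines at the bottom are constructed for the demo; the last one uses the http:/// form the PHP manual documents as unparseable.

```php
<?php
// Added example, not the challenge's code: a fail-closed filter_directory().
// When parse_url() returns false the original skips the keyword check;
// this version rejects the request instead.

const BLOCKED_KEYWORDS = ['flag', 'manage', 'ffffllllaaaaggg'];

/** True when $value (a string, or a nested array of them) contains $token, case-insensitively. */
function contains_token($value, string $token): bool
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            if (contains_token((string) $k, $token) || contains_token($v, $token)) {
                return true;
            }
        }
        return false;
    }
    return stristr((string) $value, $token) !== false;
}

/**
 * Returns true when the request must be rejected. The request line and the
 * decoded GET parameters are passed in explicitly so the function can be
 * exercised without a web server; in production pass
 * $_SERVER['REQUEST_URI'] and $_GET.
 */
function request_is_blocked(string $requestUri, array $getParams): bool
{
    $uri = parse_url($requestUri);
    if ($uri === false) {
        return true; // fail closed instead of silently skipping the check
    }
    $query = [];
    if (isset($uri['query'])) {
        parse_str($uri['query'], $query);
    }
    // Check both parsers' views of the request; they can disagree.
    foreach (BLOCKED_KEYWORDS as $token) {
        if (contains_token($query, $token) || contains_token($getParams, $token)) {
            return true;
        }
    }
    return false;
}

// Constructed sample request lines (not from the challenge).
$samples = [
    '/user.php?page=user',                                  // benign
    '/user.php?page=php://filter/resource=ffffllllaaaaggg', // keyword in a value
    '/user.php?manage=1',                                   // keyword in a name
    '/user.php?p[]=x&p[]=ffffllllaaaaggg',                  // array-valued parameter
    'http:///user.php?page=ffffllllaaaaggg',                // parse_url() returns false
];
foreach ($samples as $line) {
    // emulate what PHP would have placed in $_GET for this request line
    $get = [];
    $u = parse_url($line);
    if ($u !== false && isset($u['query'])) {
        parse_str($u['query'], $get);
    }
    printf("%-58s %s\n", $line, request_is_blocked($line, $get) ? 'blocked' : 'allowed');
}
```

Only the first sample is allowed. In the original function the last sample would pass, because parse_url() returns false, $uri['query'] is unset and the foreach never runs; the whole point of the rewrite is that a parse failure counts as a block, not as an empty query.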


Continue reading.

Once we find out which file it includes, we open that URL directly and find it is an upload page.

Look at it with the source code read earlier:

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name']; // client-supplied name, used unchanged below
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file！");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
// $filename is concatenated into a shell command without escaping,
// and this runs before the extension check further down
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
// the extension is checked only after the file has been moved and cat'ed
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>

This differs from the usual pattern: instead of just saving the image into a directory, it runs a system command to cat the file named by the $filename we supplied, base64-encodes the contents and echoes the string. The check afterwards only allows gif, png and jpg suffixes and deletes anything else. So we just capture the request and modify it. Send a picture first to see the effect.

Clearly the file name flows straight into a Linux shell pipeline, where shell control characters apply.
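A hardened rewrite of that upload handler, added as an example (it is not the challenge's code; store_image(), data_uri() and the constants are names chosen here, and the upload directory constant reuses the path from the page). It never passes the client-supplied name to a shell, validates the upload before moving it, sniffs the content with getimagesize(), and stores the file under a server-generated name; the data: URI is built with file_get_contents() and base64_encode() instead of cat | base64.

```php
<?php
// Added example, not the challenge's code: hardened upload handler.
// No shell is involved at any point, and the client's file name is used
// only to pick an extension from an allowlist.

const UPLOAD_DIR    = __DIR__ . '/upload_b3bb2cfed6371dfeb2db1dbcceb124d3/';
const MAX_SIZE      = 10000000;
const ALLOWED_TYPES = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

/**
 * Validates one $_FILES entry and returns the stored path, or throws.
 * Returning the path instead of echoing keeps the function testable.
 */
function store_image(array $file): string
{
    // 1. PHP's own error code is checked first, before anything is touched.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an upload file');
    }
    if ($file['size'] > MAX_SIZE) {
        throw new RuntimeException('file too large');
    }
    // 2. The extension is compared against an allowlist; it is never used in a path as-is.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 3. Content sniffing: the bytes must really be the declared image type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 4. Server-generated name: the client string never reaches the filesystem.
    $stored = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        throw new RuntimeException('can not move');
    }
    return $stored;
}

/** Builds the data: URI in PHP; no cat, no base64 binary, no shell. */
function data_uri(string $storedPath, string $mime): string
{
    return 'data:' . $mime . ';base64,' . base64_encode(file_get_contents($storedPath));
}

if (isset($_FILES['file'])) {
    try {
        $stored = store_image($_FILES['file']);
        $mime   = ALLOWED_TYPES[strtolower(pathinfo($stored, PATHINFO_EXTENSION))];
        echo "file upload success<br />";
        echo '<img src="' . htmlspecialchars(data_uri($stored, $mime), ENT_QUOTES) . '">';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

The ordering matters as much as the shell removal: the original moves the file and runs the command before it looks at the extension or the error code, so the checks protect nothing. Here every check precedes the move, and a rejected upload is never written to the upload directory at all.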


We use a semicolon to terminate the preceding command, insert the command we need, and comment out what follows.

Run ls / to view the upper-level directory.

It doesn't work; maybe the space or the slash is filtered. Replacing the space with /**/ still fails, so it seems the slash is filtered.

How to go up a level? Since we have the semicolon, we can run cd first and then ls to move up.

Then cat the flag file.

I don't yet understand how the parse_url bypass works. Since I couldn't get around it, I read someone else's writeup. It's a little late today; I'll test it tomorrow morning.


Tags: PHP programming language

Posted by Pig on Sun, 15 May 2022 05:20:02 +0300