├── config ├── php-pdo.ini ├── nginx.conf └── sshd_config ├── docker └── docker-compose.yaml ├── src ├── connect.php ├── index.php ├── style.css └── query.php ├── service └── docker-entrypoint.sh ├── README.md └── Dockerfile /config/php-pdo.ini: -------------------------------------------------------------------------------- 1 | extension=mysqli 2 | 3 | extension=pdo_mysql 4 | 5 | extension=pdo_odbc 6 | 7 | extension=mysqli 8 | 9 | extension=pdo_mysql 10 | 11 | extension=pdo_odbc -------------------------------------------------------------------------------- /docker/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | test: 4 | build: ../ 5 | environment: 6 | # 仅为测试用flag 7 | FLAG: "flag{a63b4d37-7681-4850-b6a7-0d7109febb19}" 8 | ports: 9 | # 设置了暴露端口 10 | - 9999:22 11 | restart: unless-stopped 12 | -------------------------------------------------------------------------------- /src/connect.php: -------------------------------------------------------------------------------- 1 | setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 11 | $response = array("success" => true); 12 | $_SESSION['dsn']=$dsn; 13 | $_SESSION['db_username']=$db_username; 14 | $_SESSION['db_password']=$db_password; 15 | 16 | echo json_encode($response); 17 | 18 | } catch (PDOException $e) { 19 | $response = array("success" => false, "message" => $e->getMessage()); 20 | echo json_encode($response); 21 | } 22 | ?> -------------------------------------------------------------------------------- /config/nginx.conf: -------------------------------------------------------------------------------- 1 | # daemon off; 2 | 3 | worker_processes auto; 4 | 5 | events { 6 | worker_connections 1024; 7 | } 8 | 9 | http { 10 | include /etc/nginx/mime.types; 11 | default_type application/octet-stream; 12 | sendfile on; 13 | keepalive_timeout 65; 14 | 15 | server { 16 | listen 80; 17 | server_name localhost; 18 | root /var/www/html; 19 | index index.php index.html index.htm; 20 | 21 | location / { 22 | try_files $uri $uri/ /index.php?$args; 23 | } 24 | 25 | location ~ \.php$ { 26 | try_files $uri =404; 27 | fastcgi_pass 127.0.0.1:9000; 28 | fastcgi_index index.php; 29 | include fastcgi_params; 30 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 31 | } 32 | 33 | } 34 | } -------------------------------------------------------------------------------- /service/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -f /docker-entrypoint.sh 4 | 5 | # Get the user 6 | user=$(ls /home) 7 | 8 | # Check the environment variables for the flag and assign to INSERT_FLAG 9 | # 需要注意,以下语句会将FLAG相关传递变量进行覆盖,如果需要,请注意修改相关操作 10 | if [ "$DASFLAG" ]; then 11 | INSERT_FLAG="$DASFLAG" 12 | export DASFLAG=no_FLAG 13 | DASFLAG=no_FLAG 14 | elif [ "$FLAG" ]; then 15 | INSERT_FLAG="$FLAG" 16 | export FLAG=no_FLAG 17 | FLAG=no_FLAG 18 | elif [ "$GZCTF_FLAG" ]; then 19 | INSERT_FLAG="$GZCTF_FLAG" 20 | export GZCTF_FLAG=no_FLAG 21 | GZCTF_FLAG=no_FLAG 22 | else 23 | INSERT_FLAG="flag{TEST_Dynamic_FLAG}" 24 | fi 25 | 26 | # 将FLAG写入文件 请根据需要修改 27 | echo $INSERT_FLAG | tee /flag 28 | 29 | chmod 770 /flag && chown www-data:www-data /flag 30 | 31 | /etc/init.d/ssh start & 32 | 33 | php-fpm & nginx & 34 | 35 | echo "Running..." 36 | 37 | tail -F /var/log/nginx/access.log /var/log/nginx/error.log -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # VNCTF2024 - OnlyLocalSql 2 | 3 | ## 如何运行 4 | 5 | ```shell 6 | docker compose up -f f docker/docker-compose.yaml up -d --build 7 | ``` 8 | 9 | 如果遇到启动失败,请检查各个参数是否正确,也可以自行修改 `docker-compose.yml` 文件中的参数 10 | 11 | 本容器兼容 `CTFd` 平台与 `GZ::CTF` 平台,如有其他需求请自行修改服务启动脚本 12 | 13 | ## 一些来自出题人急了一整天,最后收获一堆差评的碎碎念 14 | 15 | ~~出于互不侵犯条约,这里的碎碎念已被自主规避~~ 16 | 17 | 这题实质上不难,这里简要给出两种主要思路 18 | 19 | 1. SSH 转发 + 服务探测 + Mysql 恶意服务器 20 | 2. web 源码目录可控 21 | 22 | 在给出普通用户的完整 SSH 情况下,这道题的开放性可以说拉到满了,只是很多选手没有思考过 Docker 能实现多少效果,以及 SSH 究竟有多少种功能 23 | 24 | 只给了一个 SSH,不是只意味着盯着 SSH 看,你完全可以将 Docker 容器视作一个正常的 Linux 系统看待,上面可能会有数据库,会有网站,会有其他服务,不要盯着门口不会走进去 25 | 26 | 不要把 Misc 学成了 Musc,每天沾沾自喜,觉得 Musc 很好玩,自己脑洞大开很牛,不要忘了 Misc 的本质是什么,Misc 说难听一点就是彻底的脑洞大开,不要坐井观天每天都只会盯着考点越来越乱的隐写、编码、套娃,这走下去最终只能走向画地为牢的下场,最终走向大家开着玩笑说的 “学 Misc 以后连工作都找不到”。Misc 本质,就是杂,既是复杂的杂,也是混杂的杂,这次给的是 SSH 去转发 Web 服务,去攻击 PHP 的 pdo_mysql 模块,下一次也可能是其他服务去进行跳跃,不要自己给自己上枷锁 27 | 28 | 学 CTF 挺好的,但是不要目光只放在 Misc 上,面临流量分析的时候你也要接触一定的 PHP 基础,懂得 Webshell 和 Sql 注入等一般网站攻击常规手段;面对取证分析的时候,你也要接触数据库取证解密方案,也要去了解基本的程序逆向流程,这些说是 Web 和 Reverse 的流程,但是 Misc 本来就是主打一个 Misc,不可能 Misc 手生涯中就盯着隐写、编码、套娃不放,Misc 手的生涯,注定是不断学习,不断扩宽自己视野的过程 29 | 30 | 那对于打不下来这道题目,看了题目描述也想不出来解法,最后问卷题气不过就给这道题目打差评的,我只能说,在这里送上一份祝福(感谢赵总嘴替) 31 | 32 | ~~出于互不侵犯条约,这里的温馨祝福已被自主规避~~ 33 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.3-fpm-bullseye 2 | 3 | # 制作者信息 4 | LABEL auther_template="CTF-Archives" 5 | 6 | # apt更换镜像源,并更新软件包列表信息 7 | RUN sed -i 's/deb.debian.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apt/sources.list && \ 8 | sed -i 's/security.debian.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apt/sources.list 9 | RUN apt-get update 10 | RUN apt-get install -y nginx bash netcat openssh-server 11 | 12 | # 拷贝容器入口点脚本 13 | COPY ./service/docker-entrypoint.sh /docker-entrypoint.sh 14 | RUN chmod +x /docker-entrypoint.sh 15 | 16 | # 复制nginx配置文件 17 | COPY ./config/nginx.conf /etc/nginx/nginx.conf 18 | 19 | # 配置 PHP PDO 相关配置 20 | 21 | COPY ./config/php-pdo.ini /usr/local/etc/php/conf.d/php-pdo.ini 22 | 23 | WORKDIR /usr/src 24 | 25 | RUN docker-php-ext-install pdo pdo_mysql 26 | 27 | # 复制web项目源码 28 | COPY src /var/www/html 29 | 30 | # 重新设置源码路径的用户所有权 31 | RUN chown -R www-data:www-data /var/www/html 32 | 33 | # 设置shell的工作目录 34 | WORKDIR /var/www/html 35 | 36 | RUN useradd -m ctf && echo "ctf:ctf" && \ 37 | echo "ctf:ctf" | chpasswd 38 | 39 | RUN ssh-keygen -A && \ 40 | /etc/init.d/ssh start && \ 41 | chsh -s /bin/bash ctf 42 | 43 | COPY ./config/sshd_config /etc/ssh/sshd_config 44 | 45 | # 设置容器入口点 46 | ENTRYPOINT [ "/docker-entrypoint.sh" ] -------------------------------------------------------------------------------- /src/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 数据库连接 5 | 6 | 7 | 8 |
9 |

数据库连接

10 |
11 |
12 | 13 | 14 | 15 |
16 |
17 | 18 | 19 |
20 |
21 | 22 | 23 |
24 |
25 | 26 | 27 |
28 |
29 | 30 |
31 |
32 |
33 | 34 | -------------------------------------------------------------------------------- /src/style.css: -------------------------------------------------------------------------------- 1 | .container { 2 | max-width: 500px; 3 | margin: 0 auto; 4 | padding: 20px; 5 | text-align: center; 6 | background-color: #f5f5f5; 7 | border-radius: 5px; 8 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 9 | } 10 | 11 | h1 { 12 | margin-bottom: 20px; 13 | color: #333; 14 | } 15 | 16 | form { 17 | margin-bottom: 20px; 18 | } 19 | 20 | .form-group { 21 | margin-bottom: 15px; 22 | } 23 | 24 | label { 25 | display: inline-block; 26 | width: 120px; 27 | text-align: right; 28 | font-weight: bold; 29 | color: #555; 30 | } 31 | 32 | input[type="text"], 33 | input[type="password"] { 34 | width: 300px; 35 | padding: 10px; 36 | border: 1px solid #ccc; 37 | border-radius: 5px; 38 | font-size: 14px; 39 | } 40 | 41 | input[type="submit"] { 42 | padding: 10px 20px; 43 | background-color: #4CAF50; 44 | color: #fff; 45 | border: none; 46 | border-radius: 5px; 47 | font-size: 14px; 48 | cursor: pointer; 49 | } 50 | 51 | .button-secondary { 52 | background-color: #ccc; 53 | } 54 | 55 | .result { 56 | text-align: left; 57 | } 58 | 59 | table { 60 | border-collapse: collapse; 61 | width: 100%; 62 | } 63 | 64 | table td, 65 | table th { 66 | border: 1px solid #ddd; 67 | padding: 10px; 68 | } 69 | 70 | table th { 71 | background-color: #f2f2f2; 72 | font-weight: bold; 73 | color: #333; 74 | } 75 | 76 | .error-message { 77 | color: #ff0000; 78 | font-weight: bold; 79 | margin-top: 10px; 80 | } -------------------------------------------------------------------------------- /src/query.php: -------------------------------------------------------------------------------- 1 | setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 21 | $_SESSION['dsn']=$dsn; 22 | $_SESSION['db_username']=$db_username; 23 | $_SESSION['db_password']=$db_password; 24 | } catch (Exception $e) { 25 | die($e->getMessage()); 26 | } 27 | } 28 | if(!isset($_SESSION['dsn'])){ 29 | die(""); 30 | } 31 | 32 | 33 | ?> 34 | 35 | 36 | 37 | 38 | 执行数据库命令 39 | 40 | 41 | 42 |
43 |

执行数据库命令

44 | 45 |
46 |
47 | 48 | 49 |
50 |
51 | 52 |
53 |
54 | 55 |
56 | 57 | true)); 66 | $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 67 | 68 | $stmt = $pdo->prepare($db_command); 69 | $stmt->execute(); 70 | $result = $stmt->fetchAll(PDO::FETCH_ASSOC); 71 | 72 | if ($result) { 73 | echo "

执行结果:

"; 74 | echo ""; 75 | echo ""; 76 | foreach (array_keys($result[0]) as $column) { 77 | echo ""; 78 | } 79 | echo ""; 80 | foreach ($result as $row) { 81 | echo ""; 82 | foreach ($row as $value) { 83 | echo ""; 84 | } 85 | echo ""; 86 | } 87 | echo "
$column
$value
"; 88 | } else { 89 | echo "

没有结果返回。

"; 90 | } 91 | } catch (Exception $e) { 92 | echo "

执行错误:" . $e->getMessage() . "

"; 93 | } 94 | } 95 | ?> 96 |
97 |
98 | 99 | -------------------------------------------------------------------------------- /config/sshd_config: -------------------------------------------------------------------------------- 1 | 2 | # This is the sshd server system-wide configuration file. See 3 | # sshd_config(5) for more information. 4 | 5 | # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games 6 | 7 | # The strategy used for options in the default sshd_config shipped with 8 | # OpenSSH is to specify options with their default value where 9 | # possible, but leave them commented. Uncommented options override the 10 | # default value. 11 | 12 | Include /etc/ssh/sshd_config.d/*.conf 13 | 14 | # Port and ListenAddress options are not used when sshd is socket-activated, 15 | # which is now the default in Ubuntu. See sshd_config(5) and 16 | # /usr/share/doc/openssh-server/README.Debian.gz for details. 17 | #Port 22 18 | #AddressFamily any 19 | #ListenAddress 0.0.0.0 20 | #ListenAddress :: 21 | 22 | #HostKey /etc/ssh/ssh_host_rsa_key 23 | #HostKey /etc/ssh/ssh_host_ecdsa_key 24 | #HostKey /etc/ssh/ssh_host_ed25519_key 25 | 26 | # Ciphers and keying 27 | #RekeyLimit default none 28 | 29 | # Logging 30 | #SyslogFacility AUTH 31 | #LogLevel INFO 32 | 33 | # Authentication: 34 | 35 | #LoginGraceTime 2m 36 | #PermitRootLogin prohibit-password 37 | #StrictModes yes 38 | #MaxAuthTries 6 39 | #MaxSessions 10 40 | 41 | #PubkeyAuthentication yes 42 | 43 | # Expect .ssh/authorized_keys2 to be disregarded by default in future. 44 | #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 45 | 46 | #AuthorizedPrincipalsFile none 47 | 48 | #AuthorizedKeysCommand none 49 | #AuthorizedKeysCommandUser nobody 50 | 51 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 52 | #HostbasedAuthentication no 53 | # Change to yes if you don't trust ~/.ssh/known_hosts for 54 | # HostbasedAuthentication 55 | #IgnoreUserKnownHosts no 56 | # Don't read the user's ~/.rhosts and ~/.shosts files 57 | #IgnoreRhosts yes 58 | 59 | # To disable tunneled clear text passwords, change to no here! 60 | #PasswordAuthentication yes 61 | #PermitEmptyPasswords no 62 | 63 | # Change to yes to enable challenge-response passwords (beware issues with 64 | # some PAM modules and threads) 65 | KbdInteractiveAuthentication no 66 | 67 | # Kerberos options 68 | #KerberosAuthentication no 69 | #KerberosOrLocalPasswd yes 70 | #KerberosTicketCleanup yes 71 | #KerberosGetAFSToken no 72 | 73 | # GSSAPI options 74 | #GSSAPIAuthentication no 75 | #GSSAPICleanupCredentials yes 76 | #GSSAPIStrictAcceptorCheck yes 77 | #GSSAPIKeyExchange no 78 | 79 | # Set this to 'yes' to enable PAM authentication, account processing, 80 | # and session processing. If this is enabled, PAM authentication will 81 | # be allowed through the KbdInteractiveAuthentication and 82 | # PasswordAuthentication. Depending on your PAM configuration, 83 | # PAM authentication via KbdInteractiveAuthentication may bypass 84 | # the setting of "PermitRootLogin without-password". 85 | # If you just want the PAM account and session checks to run without 86 | # PAM authentication, then enable this but set PasswordAuthentication 87 | # and KbdInteractiveAuthentication to 'no'. 88 | UsePAM yes 89 | 90 | #AllowAgentForwarding yes 91 | #AllowTcpForwarding yes 92 | #GatewayPorts no 93 | X11Forwarding no 94 | #X11DisplayOffset 10 95 | #X11UseLocalhost yes 96 | #PermitTTY yes 97 | PrintMotd no 98 | #PrintLastLog yes 99 | #TCPKeepAlive yes 100 | #PermitUserEnvironment no 101 | #Compression delayed 102 | #ClientAliveInterval 0 103 | #ClientAliveCountMax 3 104 | #UseDNS no 105 | #PidFile /run/sshd.pid 106 | #MaxStartups 10:30:100 107 | #PermitTunnel no 108 | #ChrootDirectory none 109 | #VersionAddendum none 110 | 111 | # no default banner path 112 | #Banner none 113 | 114 | # Allow client to pass locale environment variables 115 | AcceptEnv LANG LC_* 116 | 117 | # override default of no subsystems 118 | # Subsystem sftp /usr/lib/openssh/sftp-server 119 | 120 | # Example of overriding settings on a per-user basis 121 | #Match User anoncvs 122 | # X11Forwarding no 123 | # AllowTcpForwarding no 124 | # PermitTTY no 125 | # ForceCommand cvs server --------------------------------------------------------------------------------