Continuing the work of summarizing problem-solving ideas for the securityoverridehacking challenge in the previous article, this time I have completed Advanced. This mainly involves some attack methods about PHP, which can be used as a basis for an in-depth understanding.
3 The ultimate goal is to make $input=="0000". This is easy to handle. In PHP, any numeric string will eventually be converted into a number for comparison, so input can be any number of 0s. However, Filter finally added a regular judgment preg_match
(
"/^[d]{1,}$/D"<span></span>
, <span></span>
$input<span></span>
) <span></span>. This means that it cannot be a pure number. It is also relatively simple, just use the characteristics of 0 (elementary school knowledge: 0 is equal to the negative number of 0), so just enter -0.
<span></span>PS: About PHP’s weak class judgment rules
http://php.net/manual/en/types.comparisons.php
<span></span>
3.2 Obfuscated PHP:
Examine whether the code logic can be sorted out under the premise of obfuscation. There is no shortcut for this problem, manual cleaning is required. After clearing the comments and semicolons, the amount of code is actually not much. Then, by decoding some parts that should be decoded and directly replacing those that should be returned by the function, the code logic can be clarified. After finishing, the code logic is as follows:
session_start(); $_u=array();
$_u[0]='SERVER_ADDQUERY_STRINGREQUEST_METHODHTTP_ACCEPT'; //A string$_u[1] ='substr'; // substr function $_u[2]='base64_decode'; // decode method $_§§§§§§§ =preg_split('/(?!\##$$$uu) =/',_SERVER['QUERY_STRING']); // It can be simply understood as dividing by =
${"_g_1"} = urldecode($_§§§§§§§[0]); // key $ {"_g_2"} = _GET[${"_g_1"}]; // value if(LEVENSHTEIN(${"_g_1"},${"_g_2"})==0){// Key and value of parameters Must be the same i Validate_result ($ {"_ g_2"});
}; phpinfo();'){
$_SESSION["solved_advanced_2"] = true; '> ;Back to thechallenges main page.
Please note that you will only get feedback if you solve this challenge. Wrong attempts do not generateany output at all.< ;hr/>";
Highlight_file('code.php');
?>
It's very simple after that, just construct a url that meets the requirements.
3.3 Upload bypass
requires you to bypass the filter program and upload a php script. General ideas: 1 Directly upload the .php file (failed). 2 Upload the .php file, but change the contentType in the post content to image/jpg (failed). 3 Upload a normal jpg file and hide the php script (Linux command cattest.php>>image.jpg or use a tool to add comments. Try to keep the image simple or solid color to avoid certain image characters interfering with PHP parsing). Through the third step, this problem is solved.一下 Then I also studied the problem of how to perform the PHP script in JPG. After consulting the information and the test of my own, there are basically only these two methods that are more feasible:
include('images/' . $_GET['test.jpg']);require('images/' . $_GET['test.jpg']);
include( 'images/' . $_POST['test.jpg']);include('images/' . $_POST['test.jpg']);include('test.jpg');require('test .jpg');
?>· Set the jpg format interpreter to php in /etc/apache2/mods-available/php5.conf
Since the title has mentioned the existence of the local file inclusiong vulnerability, it is very simple to use the first method to execute the php script. It is roughly to use the injection method to control the variables in the include or require, so that the script can be executed. . 3.4 Local File Inclusion/WAF Bypass Okay, the research on 3.3 has worked, 3.4 requires the execution of the uploaded file (the file path has been given when the upload is successful in 3.3 , mine is /challenges/advanced/uploads/Ac3sk9j.jpg, I don’t know if it is the same for everyone). As mentioned in 3.3, if there are functions such as include or require in PHP, they can be used to execute the PHP code in jpg. Entering 3.4, after observation, I found that the url has the parameter page. I tried to modify it at will, and sure enough, an error message was given: test.phpcannot be found. Then the goal is very clear, modify the page parameters and specify the path to the jpg file. In the utilization path, .. represents the upper-level folder, and it is easy to write the relative path to ../uploads/Ac3sk9j.jpg. Attempt to request, the result is: uploads/Ac3sk9j.jpg.phpcannot
be found. There are two unsatisfactory points: 1) ../ is filtered out; 2) the file name is Ac3sk9j.jpg.php instead of Ac3sk9j.jpg. So we looked for solutions respectively: · For situations where a specific string is filtered, the simplest one is string replace. The corresponding cracking method is very simple, just piece together a string similar to aabb. After the middle ab is filtered, a new ab will be generated. Just write it here as….//. So the filtering method of stringreplace is the same as none. · .php suffix problem. Apparently the website adds a .php suffix to any request path. Google searched for bypass strategies, and there are two main types: 1) Using the maximum file path length of 4096 bytes, and then constructing an ultra-long file path by adding any number of /. After thinking about it, it is estimated that such a long URL will be intercepted by the server and return 414, so I did not try it; 2) Use the string terminator in C and add the terminator before .php to indicate truncation. It is common to use %00 as an example, but I tried it but failed. Later, I found it in an example
The above introduces the summary of security override hacking challenge problem-solving ideas - Advanced, including aspects of the content, I hope it will be helpful to friends who are interested in PHP tutorials.